Key Capitol Hill Hearings, C-SPAN, October 2, 2014, 4:00pm-6:01pm EDT
4:00 pm
...declared their intent to cause maximum harm and are actively seeking to acquire the capability. And that's where each day I feel that all of us working together need to do more, and faster, working with our private partners, so that we're not having, as the 9/11 Commission recently put out, a post-9/11-like moment where we all saw that coming and we didn't take sufficient action ahead of time.
4:01 pm
Mike Rogers said we haven't seen the terrorist attack that we haven't talked about for 15 years now. There's lots of reasons for that. But there's a lot of vulnerabilities, and actually have a major impact not in the U.S. but also around the world for not finishing touches for the United States, and the private sector is part of that. >> You know, in DoD my job is to worry about the big cyberattack, but I also worry sometimes when they do things that impact the centers of gravity for the U.S., which is the I.T. industry in Silicon
4:02 pm
Valley, and cybersecurity; we need to think a lot about that. It makes it even harder because you want to make sure you are not hurting the economy and one of the great centers of gravity. >> Okay, thank you so much, Eric, John and Chris. We will have our next panel soon. [applause] Thanks, Anna, and thanks to the Department of Defense, Carla, and the Department of Defense birthday. I want to encourage -- we've had great comments and questions coming off Twitter. Send them in to WashPostCyber, and I also want to say that all of the speakers today are going to be excerpted in the special section of the paper that will come out next week. It's a special security section with articles and excerpts from what you hear. They will also be online at washingtonpost.com. Up next I want to welcome David
4:03 pm
Cho, who helps lead the newspaper's coverage. We are going to switch here. They've been talking about government people. Now we want to hear from people in the private sector about the security. I will leave it to you, David. >> My name is David Cho, editor here at the "Washington Post." Today we wanted to talk about something similar to the first panel, but more in the private sector. Anything with a computer is a target for hackers today. Your thermostat, your car, your pacemaker. Dick Cheney was worried about it, probably still is, but jails, dams, power grids, gas pipelines. How do we protect this vast infrastructure of things we depend on today?
4:04 pm
That is the question we are asking ourselves today. Fortunately we still have three terrific experts to guide us through this world. Let me introduce them to you briefly. Security analyst Tiffany Rad is sitting right to my left. One of her claims to fame is a few years ago she demonstrated a jail door could be opened remotely, and we will hear more about that shortly. Andy Bochman is a senior cyber and energy strategist at Idaho National Lab. He is sitting at the far end. He was security lead before for IBM's global utility business, and advisor on energy security at the Chertoff Group. Mike McAllen is a supervisory special agent in the FBI cybersecurity division. He was part of the cybersecurity team that indicted Chinese military leaders stealing trade secrets and investigated a Russian crime ring that stole $100 million in banks around the world, so everyone needs to
4:05 pm
behave with Mike in the room. So let me just dive in. We have about 25 minutes, which isn't a ton of time. We will pose a couple of questions, but if any of you have questions you'd like to ask, we have Alice in there pulling questions on Twitter. I'll get to two or three questions for now. First, Tiffany, let me start with you. Give us the lay of the land. What has been hacked today and what the threat is; maybe you can give us some of your previous work. >> My work was in 2011 with a team of four. One was an excellent writer that we had on our team. We did about two weeks of research and we found some vulnerabilities in 2011. We've made some changes since then regarding how much is connected through programmable controllers, SCADA systems, the kind that are part of critical infrastructure. One of the things they took from
4:06 pm
the research, and what we were able to show the community, was there's a lot that can be done by changing the security training, and also having an avenue, affiliated with the FBI, where independent security researchers can go if they want to do disclosures, especially in regards to different types of technologies the government has been using and vulnerabilities researchers may find. >> Tell me a little bit about the car hacking, all the rage at some of the conferences this summer. >> This summer, two of the biggest security conferences in the U.S. were where a lot of independent security researchers and companies go to share the types of work they found. The important part about it is they are there to share it. It's the ones who aren't who, in some ways, aren't giving public presentations. But if you see it at Black Hat or DefCon, it's probably already been done by other groups. That type of conference is for the government and for industry
4:07 pm
to see what is the standard for security vulnerabilities and exploits. Now one of the very popular topics still is industrial control systems. A lab was set up at DefCon this year where people can tinker with industrial control systems. There was nothing nefarious about what they were doing; they were teaching people how to design more secure products and also what's possible at this time, and that is one of the reasons these conferences are excellent for people in private industry and government to attend. >> Speaking about the value to improving security overall, one of the motivating factors is, if government and other forces in industry are urging a particular type of product to have security capability in the product and it doesn't happen, the nice people at Black Hat and DefCon carry that
4:08 pm
onto a stage and show you how to access that and do naughty things to it. It's a bad form of advertising for the company, so it's had its weaknesses demonstrated, and appears to imagine their own product. >> Just to follow up on that a little bit. The likelihood of an attack on the power grid, for example. Describe a little bit of what is being done at Idaho National Lab to simulate it. >> Sure. To the first point, what is it like, what is involved, for people thinking about going after critical energy, critical electric infrastructure. For the layperson, you see elements of I.T., you see Windows operating systems, but the communication protocols and the types of processors and
4:09 pm
amount of memory and the segmentation is often wholly different. For a standard I.T. hacker, it would be a very strange landscape requiring a lot of special knowledge. Another aspect about would-be attackers on the electric grid: usually in shorthand people say someone can take down the electric grid, the U.S. grid. But the grid is not all one thing. It's many different pieces designed to be resilient in the face of natural events. It's not nearly as simple as saying one very intelligent hacker can come in and take control of things. There's a lot of layers of protection, even before computers came to the fore. To speak to the part about Idaho National Lab, this is one of the dozen or so Department of Energy national labs. We focus on energy security
4:10 pm
matters, and because we are way out in the desert in Idaho with a huge test range, we don't just model what happens on the electric grid. You can do it in real time on a grid-scale system and see what is actually happening from a cyberattack point of view. >> How exposed, in your view, are the systems that control these networks? What are the weaknesses? Who knows them and who is targeting them, in your view? >> We look at a couple of different factors. Could the targeting be for a particular company? Backing up for a second, we have to decide whether something happened. Are we looking at insiders? Are we looking at a contractor? And then even within that, as we see this targeting, how can we
4:11 pm
share the information more? We are involved in different outreach programs, which also cross sectors. We work a lot with DHS and their models for critical infrastructure and how we share the information. We are also learning a lot ourselves. We talk about the training here; we have a certain number of agents there. But we also have the expertise for ICS, and they may be around the country, but we have facilities to share the information. Back to the targeting in particular, we've gotten a lot better at sharing information, even when it's across sectors. A couple of years ago we had a threat to the financial sector. We brought in a lot of the largest financial entities and gave them essentially clearance for a day. >> The ones going after the banks? >> Right. In order to share the information that would help them in real time. So we're getting better at getting information out in a controlled structure to a sector,
4:12 pm
whether it's to partners within the sector or outside. Contractors have a lot of knowledge they can share. So we have a couple of different platforms that do share the information, the key being real-time information that can be acted on proactively. >> I see. There's probably companies out there that say they need more help from the government. Let me throw it open to any of you: can this partnership come together in better ways than it has now to help companies out there facing this? >> Again, you will hear me speak to Idaho National Lab and the Department of Energy in general. The job of the labs is to be different, different than what's available, anywhere from three to five years out in front. So the labs look at the current state of the art that's available for security protection, the products and
4:13 pm
services you can purchase, and to imagine both the threats, the evolution of the threat, and ways to exploit technological capabilities, so that they can do the R&D to get somewhat ahead, so that ultimately that stuff can be transferred into the private sector to significantly advance and push forward and stay ahead of the threat as much as possible, or at least keep up. >> Sorry, I want to jump in for a second. You are out there talking to utility companies. What are their biggest concerns? What are they working -- what are they up against? >> I would say first of all the number people describe for utilities in the United States is somewhere between 3,500 and 4,000. We think of them as one thing, an electric utility, but they range from a Fortune 10 company that has the most sophisticated and capable security folks in the world all the way down to
4:14 pm
a 100-person co-op with a security person who also doubles as a maintenance person, a safety person. Depending where they are in that spectrum, the challenges they face, what they bring to bear, how much help they need from external sources varies widely. I would say one important point would be to think of a utility like any other asset-intensive industry, someone with lots of heavy equipment and machinery: transportation, oil, water and gas, et cetera. There's an historic cultural divide between I.T., the types of standard cyber systems we've talked about here up until now, and OT, operational technology. It is getting the utilities to put their efforts not just in the I.T. side, but the OT, industrial control systems. They go back many years before they were connected and coming
4:15 pm
around to the ultimate question of the smart grid driving interconnection of so many systems that were created in a pre-internet era. That is the number one thing many of them are facing and working on. >> I want to hear from Mike on public-private partnerships. Just a quick follow-up. What do you think is the cost of upgrading the utility companies? >> I'm going to be very quick. It ranges massively. If you think of the answer about the sizes they have, the amount of assets they are responsible for, I won't even hazard a guess. Sorry. >> Anything you wanted to add? >> On sharing information, sure. We have the National Cyber Investigative Joint Task Force, which has a number of intelligence partners coming together just to share intelligence, and that could be different levels
4:16 pm
of classification. I'm part of the unit in Pittsburgh, Pennsylvania, with industry partners co-located with our cyber division unit. I can walk down the halls and talk to a number of different folks from large financial institutions, large retailers and industry experts right down the road from Carnegie Mellon, so we have the facility available to us; FBI personnel see the threats coming in real time. I keep going back to the real-time information sharing of the indicators we see, and it should be within the sector, but sometimes across the sectors, so we have to be aware the telecommunications sector will tell us as it affects the power grid or another entity. We see it at the telecommunications sector, or even preemptive notification. I think that trusted sharing
4:17 pm
relationship and the InfraGard program, as well as DHS and experts like CTC and US-CERT, is helpful for us to get the big picture. But the facility to share that in real time is a trust relationship that builds over a couple of years. >> I'll deal with the trust relationship between private companies and security researchers. When it comes to private companies, if they come across research that exposes vulnerabilities, there is legislation proposed, actually since 2012, to give the companies some protection. So if they were to go to the U.S. government and say we found these vulnerabilities, the trust relationship between the private companies and government would be established so they feel comfortable saying they found that in doing research. They'd be able to let the government know we found these vulnerabilities without whoever
4:18 pm
the vendor is that the government may be using getting upset about vulnerabilities or how it will sound. This information sharing is quite important, because getting people to come forward with information they have, so that they can still protect I.T. as they come forward, is very important. In some legislation pending, this part of it was significant for private industry. >> Tiffany, let me ask you, how do consumer expectations about service and reliability play into the security flaws and the reluctance? How does that all play in your view? >> There's always a trade-off between security and convenience. With the bring-your-own-device-to-work type of thing, there are vulnerabilities exploited in someone's home that they bring right into the corporate network. The convenience versus security trade-off is always going to exist. When it comes to that trade-off,
4:19 pm
what I suggest, as a university professor teaching in a computer science department, is I teach my students to think like hackers. We are graduating students where they write code and consider the security implications of every line of code they write. How secure is the stuff you are producing? And when the students graduate and go into the workforce to work for all of you in private industry, what they are designing is more secure. We think of this as changing through the graduates we have in the United States taking jobs in the U.S. On the convenience, maybe they'll raise their hand and say, I think there's a different way we can do this that makes it better and more secure. >> I just want to say, when we speak about the developments, whether on the commercial or industrial side, of new capabilities, of paramount interest is a concept called secure by
4:20 pm
design. Yeah, you have legacy equipment, and some of the power systems are 18, 30, 40 years old, and you do what you can to isolate and protect them from threats. But if you build something new, that's a tremendous opportunity: cell phones, et cetera. You don't want security to dominate the functional requirements; otherwise nobody will use it or sell it. But if there can be a little bit, a security voice at the table when you have design discussions, a decision to go one way or another can make security down the road demonstrably better or much tougher. It's nice to get the security person in the early design and development decisions on matters of power. >> Let me take a question from the audience here. >> I've a question from Bob, our general manager. I want to hear more about it, too. You were talking about how you are teaching; what are some
4:21 pm
of the eyebrow-raising things you see from students or people at DefCon, Black Hat, yourself? You hacked in to cells you could open up. Can you talk about the eyebrow-raising things? >> We didn't hack into the jail. This is one of the things: the balance of the research is to certainly not cross the line into research that may be controversial in that way. But it was a proof of concept we never released. One of the things to look at, at the university and DefCon, is how the interconnectedness is coming so fast and the computing power is increasing so greatly. The amount of devices we have with us and carry with us today, and drive home in these cars that are mostly computers, not as much mechanical anymore. The research community really is trying to catch up, with less access than we'd like, trying to find vulnerabilities to let the companies and government know about these problems that could
4:22 pm
be quite critical. >> I guess, what are some of the proofs of concept that have been done? Transportation. >> That's been a big one for security research, presented at Black Hat and DefCon the past two years. Transportation research, not just consumer vehicles; there are people looking at how these systems have networks and how they are connected to the internet, and another thing. >> One thing we hear a lot, and we are covering this in the business section, is we have this criticism that companies are running ahead, putting out products majorly convenient to consumers, but running ahead of the computer protocols that should be in there. Do you see that trend? Let me throw it open to any of you if you feel that is one of the risks of developing here. >> In the electric sector, in the power sector, that was
4:23 pm
certainly the case until a few years ago. This is going to be an all-black-or-white type of response. The more the electric utilities and their constituents, their stakeholders, include security language and security requirements when they are buying some new capabilities, the more it pushes the industry, or forces the industry, into adding capability to products. It basically builds the business case for a product manager who otherwise might have thought it was a good idea but couldn't justify it in terms of adding capability. More people can do that, all the way down to the consumer and citizen level: is this iPhone more secure than the Android? Tell me a little bit about it. What was an unimportant feature of a product before is something they need to pay attention to. >> And as mentioned before, with
4:24 pm
bring your own device to work, that would be a more significant problem for us. But with that, we don't want to stifle innovation or creativity or products out there that help with remote connectivity, let's say. It's kind of a balancing of that. I go back to sharing the vulnerabilities, working with different entities that put these products out there, and other avenues like working with companies to quickly thwart any malware attached to a global hack, let's say. So we're definitely more proactive in that respect. We also have to stay on the cutting edge of what is the newest technology and how will that work within a business environment. We want to make sure we are not doing anything to stifle that, the connectivity or productivity. >> You also have to have a rational approach to security. I think there's some misnomer about what that really means, is having something ironclad and
4:25 pm
bulletproof. If someone really wants to get in and you're targeted, they are going to find a way in. One of the things we encourage is mitigating the risk. It has created rings of security: when someone does breach one, there are others that exist. The research in 2007 with the industrial control systems and energy sector, we're not telling people to rip out your equipment because it's now insecure. Training and educating your employees, or whoever works for you who is in control of these systems, goes pretty far actually. So when you have employees that have many devices they bring in to work with them, having them be aware of the vulnerabilities that exist in these particular devices is very important. So it's a rational approach: if they're going to get in and they can, you need to mitigate the risk, and training does a lot for that actually. >> Along those lines, the idea
4:26 pm
and this is one of the phrases bandied about in the critical infrastructure sector quite a bit in the last two years, and that is resilience. It speaks to the fact, and it is the fact, that whatever your organization is, whatever systems you have, no matter how well protected you think you have protected everything, you are being breached. There are well-determined people that can get in and start to have some influence on your systems or on your data. If you know that's the case, then it's probably time to not pretend that everybody is kept out sufficiently by your systems, and rather imagine how you are going to respond. Do you want to be flat-footed when a significant attack happens, or do you want to already have role-played it and figured out what everyone does in those situations so you can do the best possible job?
4:27 pm
Resiliency is the idea that you are taking a hit, taking some level of damage, that you are prepared for it, and you know what your actions are at that point to keep things going as best you can during the incident, clean up after the incident, after whatever it is that happened, and learn, through training, whatever happened, whatever understanding you can get from that occurrence; get that back to your employees and systems so you are better for the next time. >> One topic in the remaining time I want to tackle. We have been reporting that Apple and Google made significant changes to their new operating systems, basically to keep almost anyone out of these incredibly advanced phones we are carrying around, tablets, smartphones. It has been criticized by Attorney General Holder and the head of the FBI. How much did what Apple and Google, what they are saying they're going to do, how much
4:28 pm
would that hurt ongoing investigations and some of the work you did? Is this going too far in terms of the balance between security? >> We certainly want to be respectful of people's privacy rights. Obviously that is a move on their part to protect the privacy of individuals. We give up so much information, especially with a lot of the apps that want to get into our contacts and look at a lot of information. I know our Department of Justice in particular is having discussions. How do we subpoena or execute a search warrant for this information? What information can we get? I'm not sure exactly where those discussions are, but we still look to work with the companies on what kind of information can we gather in a criminal or
4:29 pm
national security type investigation, and what are the means to do that? Through search warrants, and back to the basic question of what is available? What are you capturing? We have run into this problem before on an international scale. We have a number of countries that don't keep data for very long. It's not a problem we are fully unprepared for. We work with our international law enforcement partners, so it means in some cases we have to get to the information quicker. So I believe we will adapt to it. >> Was it a damaging blow though, do you think? >> I am unsure at this point. >> That is all the time we have. It was only a short, brief session. If any of you have follow-up questions, please corner our panelists, who would be happy to talk to you after this. I believe we have a short break coming up, but can we thank our
4:30 pm
4:31 pm
>> Candidates for California's 52nd congressional district met last week for a debate in San Diego. Democratic incumbent Scott Peters is being challenged by San Diego councilman Carl DeMaio in what is being called a tossup. Here is part of the debate. >> You get all the special interests to look at this big bill, thousands of pages long, and it would crowd out the issues that people agree on. Here is an issue that I think everybody agrees on.
4:32 pm
We need to secure the border. We need to secure the border first. We need to put the resources and the attention and accountability behind securing our nation's border, not only so we can prevent an immigration system where people get to run to the front of the line, but also for national security issues. Who knows who is able to cross our border in terms of terrorist groups that may want to harm the American people. Border security is a prerequisite. Instead of focusing on something Democrats, Republicans and independents nationally and here in San Diego agree on: Latinos support a secure border. Democrats support a secure border, independents and Republicans. Members of Congress want to put poison pills in these bills. They become dozens of pages, and then they point fingers at each other. We have to focus on issues where we see great unity in the country. Securing the border should be a single-subject bill, and I think you get bipartisan
4:33 pm
support if we focus on the areas of agreement. >> This is the magic of Mr. DeMaio trying to confuse the issue. Part of it is securing the border, by the way. They want to build a fence and virtually double the size of the Border Patrol. Republicans and Democrats agreed on this compromise. We can't get a vote, as the Speaker of the House, Mr. Boehner, won't even put it up for a vote. This is something I wish everyone agrees on. The U.S. Chamber of Commerce and the union community, they all agree, and we also know that the Harvard business analysts say this is one of the most important things we can do, and how important it would be to San Diego. All we need is a Speaker to put this before us and we'd have immigration reform. >> That was part of the debate held
4:34 pm
last week in San Diego between candidates for California's 52nd congressional district. See the entire debate and others online at c-span.org. Now back to the "Washington Post" annual cybersecurity summit, with representatives of the public and private sectors on what is done to prevent cyberattacks. You'll hear remarks from a Homeland Security deputy secretary on cybersecurity collaboration between the government and private industry. This is an hour and 20 minutes. [inaudible conversations]
4:35 pm
>> Thanks for joining us. I'm a technology reporter for the "Washington Post" and I am joined by Eric Friedberg, the executive chairman of Stroz Friedberg, a global investigations, intelligence and risk services firm based in New York and Washington and other places. He has 20 years of government and private sector experience in cybercrime. Prior to his tenure, he was an assistant U.S. attorney for 11 years at the U.S. Attorney's Office for the Eastern District of New York, where he served as the lead cybercrime prosecutor. I'm also joined by Philip Reitinger, who was from 2009 to 2011 the deputy undersecretary for the National Protection and Programs Directorate
4:36 pm
at the Department of Homeland Security. He has also served as the chief information security officer and the chief trustworthy infrastructure strategist at Microsoft as well. Thank you so much for joining us in this panel as we look at how companies are being affected. I wanted to quickly run down a list of what is happening in just the last few days that did not make the headlines, but really has become the norm. Here are some of the companies advising of security data breaches: SuperValu, the grocery chain; Jimmy John's, the sandwich shop chain; American Family Care, 2,500 patients with their data potentially at risk; Sheplers, a cowboy boot and western wear chain in the Midwest and Southwest. The point of this is to say many of the biggest companies get the headlines, and we hear them talk a lot about, like, Target and Home
4:37 pm
Depot and Bank of America, and a general feeling of panic and the feeling of concern that consumers get, but there are countless other examples of data breaches that have been in companies that run the gamut in terms of size and industry. I want to talk about the whole ecosystem, the whole system in the sector. We will start out by asking you, what is going on? Is the problem getting worse? Is security actually becoming a bigger problem for companies now? Where is, sort of, the state of security in corporate America? >> So, when Stroz Friedberg is responding to these kinds of attacks, what we see is the problem getting worse, and the problem is getting worse in part because the scope of the attacks has gotten enormous. Companies have intrusions where 100,
4:38 pm
200, 300, 500 servers are being compromised, possibly for a small attack, possibly for a large attack in terms of the amount of information taken out of the network, but the scope of the machines affected is so enormous that the cost is rising into the $5, $10, $20 million range just in terms of hard costs, and then there can be reputational costs that run into the hundreds of millions of dollars. From that perspective, it is very hard for companies to prepare themselves for that level of attack. >> I would love to talk, as we get further into the conversation, about what that means for a small company if you are hit in that way and incur those kinds of costs. Philip, what right now in your mind currently is the biggest problem or issue when it comes to corporate security? >> Well, one of the biggest problems is that the
4:39 pm
biggest problem is with infrastructure security, and that is the underlying paradigm, and that doesn't mean every attack succeeds. It means over a period of time someone devoting enough resources, given the size of the attack surface areas and underlying vulnerabilities of the infrastructure, will be able to do that. So as a result of that, you see the series of breaches, more and more reports of breaches. That is breaches that doesn't deal with the loss of intellectual property and other things that often take place, which leads to what Eric was talking about. The problem is in fact getting worse. The defenders are getting better. The defense curve is going up, but the attackers' curve is going up more steeply because they are good at sharing information. They are getting better. There are more of them and more
4:40 pm
information available and valuable online. So we are looking for the point when the curves come together again, but we haven't hit the moment yet, and we may not see it for a considerable period of time depending what happens. >> Eric, any thoughts on what you think is the biggest problem? >> I think Phil is right to look at it that way. It is a cat and mouse game where companies are often playing catch-up. And so, I get back to the issue of what can they do: you have to infuse your corporate governance around these issues. Top management has to own the cybersecurity threat and put the budget behind it, put the right people behind it, the technology behind it, to establish a corporate culture of security. And so, that is a big challenge because often that involves substantial change management. If, for example, in any company the sales function has been predominant because you are a
4:41 pm
sales organization and as one of the panelists previously said, security equals one over convenience, it's inversely proportionate to convenience. sales culture might drive convenience oriented solutions at the cost of better security. upper management has to take those reins and drive security from the top. so the good news is one of the things that corporations can do to become a better security environment is to excel at something within their control, which is corporate governance around cyber. if you don't have that, bad security. if you have it, you've got a better chance. >> so let's put on the hat of a top manager. do they need to know who is attacking? if you are a company in the u.s., so you are this western wear country, but sort of back up and talk about who is attacking
4:42 pm
actually? can you give us a framework on what these attackers want from u.s. companies and who are they? eric. >> sure, there's four basic buckets. state-sponsored agents typically want intellectual property, research and development formulas, industrial know-how. there are russian -- not just russian, but organized crime groups for financial information. they want to wire transfer money out. they want to move money, steal money or steal credit cards and then there are activists, politically organized groups or state-sponsored, looking to cause embarrassment, data destruction, data corruption and then there's corrupt or negligent insiders and those are the four buckets. if you're a corporate victim, it very much matters in advance what your threat profile is because for example, if you are
4:43 pm
a food to a a food can be fired sure, it's unlikely a state-sponsored agent will come after you to steal intellectual property. you have to prioritize your spend; you can't prioritize your security spend unless you know what your threat profile is. so one of the chief things to do in the governance situation is to figure out your likely threats and how do you align your security spend, which isn't unlimited, with those threats? >> can you piggyback on that a little bit? do you think it matters who might be attacking you as a company depending what industry you're in? >> well, who is attacking you can be important particularly if it drives indicators you would use to look for to stop an attack. as a general matter in terms of prevention, thinking about what the threats are, scott charney at microsoft did a paper
4:44 pm
recently that used a similar taxonomy. i might give a slightly different type which is not conflicting. think about it as attackers may come after you because of what you know or what you've got appeared your valuable sources of data, anything they could take from you, which might be credit card data, intellectual property, pre-release content, any of those things. they might come after you because of who you are. not that they want to take something, but because they want to take it down for political or other purpose. this is something becoming more apparent. they may take you down not because of what you know or who you are, but who you know. so it might be a very third-party to someone else they actually want access to. so you might be a means to an end and you see this more regularly. end-users are taken down not because hackers want the data on their computer.
4:45 pm
they just want access to the computer to use it for all purposes. so there is a broad spectrum of attackers and you have to manage for risk and figure out where you want to protect your most valuable assets. >> so, why are companies struggling? what is going on? >> why they are struggling is exactly what we talked about before. this is harder and harder to do. it takes a lot of resources. you need corporate governance, i think most boards get it now. they didn't before, to help ramp up the level of attention. it turns out it's a difficult area to make progress. it can be very difficult to deploy them. a lot of technologies don't scale well. that means if you can't solve a problem completely with technology, companies got to have the right people. it is a people problem and there aren't
4:46 pm
enough of those people. they're really hard to get. many in the space of the pentagon for a while, our biggest job is to find the good people or friends have been steal them. [laughter] resources are a big issue. we will have questions submitted by e-mail and social media. let's take a first one. >> just building on this question that came in through e-mail about the scale of partnership between the government and industries? is it global, local, based on factors, across sectors, will that help companies and corporations? >> eric, do you want to take this first? >> most companies try to build local relationships with cyber agents at either fbi or secret service so that they have in their incident response plan, if there is a breach, they know who to reach out to and get them right away.
4:47 pm
the main challenges for us as critical incident responders is what corporations need from law enforcement, not on day 20, not on day 40, not on day 60, but what we need on day one or day two is a set of indicators of compromise, the ip addresses, hash values, filenames that law enforcement and the intelligence community know are associated with this type of attack on this sector of industry and there's a real strain going on right now in the speed at which private responders are able to get that information from the government. >> let's get a little check out. today, when is the company getting the information? is it on day 20? generally, what can a company expect?
4:48 pm
>> the problem is it is spotty. nobody takes the wrong view about whether or not the information that will provide and therefore can't be provided. if all that stuff lined up, you get good indicators, which you can then search the network and it speeds your response. but if you don't get the right circumstances, the information is quite delayed. >> to answer the question a little bit more broadly, you need global partnerships. you want to be a friend to everybody you can. what you really want is indicators to increase security right now. it's actually, it's not just that we have human relationships
4:49 pm
that are human relationships. in addition, we want them to work faster; they can't work fast enough. and they need to work at internet speed, because the attackers' is faster than ours. a new zero day, we will be able to do things like protect critical infrastructure to the degree we need to. >> one thing that is happening is in order to deal with that lack of information from the government, private groups have ramped up such as the isacs and now there is a growing group of retail organizations trying to form one, so cisos and heads of cyber from various financial institutions will trade on an immediate phone call indicators of compromise.
4:50 pm
let's say you are bank a and you have been attacked on day one, you can get from bank b, who had the same attack a week and a half ago or a month ago, useful information that gets transmitted immediately. then you turn around within your network and you say those indicators have led me to the fact that i have these 20 machines compromised and now you are off to the races with forensics. that's the way it should work and i think that's the way government wants it to work and certainly the executive order for the government to respond in that fashion. >> they grew out of government and were supported by the establishment of private sector supported by government and the original idea came from president clinton's executive order back in 1997. that is how what this is.
4:51 pm
back then there was a single that gratuitous death. they have played a favorable role. >> does this coordination, does this touch on smaller companies though? are you involved in the sword as cooperations? >> for example, i've never worked for a financial services company, but i believe it has a tiered membership structure and it's actually quite inexpensive for smaller companies to participate. if they participate, they get full access to the data shared. so those channels are available. the problem a smaller company would have is what are they going to do with the information? that's a very difficult problem. >> philip, you mentioned the role the government has played in the coordinating body. what policies could and should be put in place? what could government do to help
4:52 pm
with the threat of cybersecurity? >> briefings the government needs. the government needs to really ensure that particularly critical infrastructure, the right requirements are met and it doesn't mean massive new regulation, but the right strong incentives to get especially critical infrastructure to invest the right amount of security in different places. it is to continue to work on the problem. to increase the talent they've got. you can't hire enough people in this space. >> are they overseas? >> people are trained all over the place. we are training far fewer people in the united states than are some other countries. this goes back to what the director was talking about. we need fundamentally more secure infrastructure. we've gotten really good at the
4:53 pm
infrastructure. but that infrastructure is still standing and that's got to be changed over time. otherwise it's all just a bunch of band-aids. >> eric, if you had a wish list, what would it include? >> i think they have made very good progress at the beginning to build public-private relationships and there needs to be more consistency across the platform when we talk about threat information sharing. private industry is very hungry for threat information and the white house has clearly indicated with the executive order that it is a mandate the information should be shared and moving down the road, it would be a positive effect. >> let's take another question from e-mail or social media. >> this one came from twitter actually. as a company you are assuming
4:54 pm
you'll be breached. but what does that mean for insurers and if you are needing a government standard, you know, an imposed standard, what does it mean for insurance? >> i think insurance is a hard problem. people have been talking about cyberinsurance since 1995. if you watched the earlier panels you saw john carlin and chris painter talk about the fact that there's no actuarial data that would enable you to effectively judge what is effective. i think insurance can be important, but we need much more security science, more data about what is happening, and be able to drive the additional security everyone wants. >> i see this play out quite regularly. there is usually a claim under a cyberinsurance policy. so the cyberinsurance policies are working.
4:55 pm
the claims are being submitted and insurance companies are paying now. the problem phil is referring to is the underwriting industry doesn't know how to handle the entire world of risk. and so they are underwriting a fairly small portion of the market right now because they don't have underwriting standards. as more data comes in, they will develop those underwriting standards and a broader set of insurance, especially for consequential harm, will be available. >> we are unfortunately running out of time. one last question. what are two or three things you recommend practically for a company to do right when you go into the office with top management? >> increasing the cyber governance, second thing is investing in people with specialized skills relating to cyber response. the third thing is be careful about the intrusion that there's
4:56 pm
many products out there. and those are the top three things. >> i will repeat one of them. if nothing else, get the right person or people. to find solutions that scale. it's difficult to approach this problem in scale and so you need to get something that will allow you to address the security of an enterprise of increasing complexity. >> great. thank you so much eric and philip for joining us today and talking about this from the perspective of somebody who understands a hacker interest to consult with companies that have to be best protected. please join me in thanking them. [applause] >> we will continue talking about the consumer. it seems like every day you open the paper and welcome our next
4:57 pm
cyberpanel. but every day we open the paper and a few million, so we have assembled people from all over the united states to talk about what it means. that happened before she came in. a cyberwarrior thing there. thank you for other people sending in comments online, watching online. now we are going to continue -- i will introduce the panel in a second, but what does this mean when you see big companies get hacked and our credit cards stolen. next to me is jane holl lute, president and chief executive officer of the council on cybersecurity. and before that, she was a huge deal at the department of homeland security or actually,
4:58 pm
she was deputy secretary there, thanks for coming, jane. after jane is brian dodge, executive vice president at the retail industry leaders association. that association has all of the big players in retail from wal-mart. so thanks for coming. and then we have the managing partner of urban security, a security firm in chicago, and she is the one who goes in and uncovers vulnerabilities in a company. so you people like aaron brown. and then we have ellen richey, executive vice president, chief legal officer and also the chief enterprise officer for visa and she is responsible for the compliance, audit and risk teams of the huge credit card company. so, let's start. what does it mean when we keep -- first of all, who is paying when i see that home depot got 56 million cards for some other company. what is the damage? i don't quite get the
4:59 pm
significance. >> i can start. i don't work for home depot. what is happening is basically we are experiencing firsthand now in a public setting what comes this has been asked areas deemed were a dozen years or more. there is no company that hasn't been intruded, that has not had to deal with it. but in the past, i think most companies have dealt with it as kind of the price of doing business, as a nuisance, and those times have changed. in 1995, there were 16 million of us online. today there are 3 billion people online on the planet, 3 billion people online. so these acts are more public and more consequential. >> so you represent the retail association. what is the consequence of these breaches? >> jane has done a good job of setting context for the issue because it is a huge challenge, enormous challenge. these criminals are sophisticated and dedicated to
5:00 pm
trying to infiltrate the system. it is not unique to any one industry. in terms of what the impact is, it is obviously an enormous brand risk to the businesses that are hit if alterations occur and the costs ultimately are something shared between all the players when you are talking about card counterfeit, fraudulent charges as it is related to card issues, it is shared between merchants, banks and institutions across the institution, which is why we have argued that the solution to these problems is one where all of those players work together.
5:01 pm
there is a reason why people want those numbers. it is easy for them to use right now, and there is a black market solely on the distribution of credit card information. there are vast amounts of use from just criminals all the way to foreign entities. and so emigrants -- regardless of how people are going about getting it, we are wiping on the doormat in a lot of cases. perry companies have scaled in the last 20 years a gigantic amount. what has not scaled is infrastructure and technology and education.
5:02 pm
so we have not really formulated our route to help create the secure corporate environment from retail to corporations that are trying to protect intellectual property. the only difference is the credit card information, payment information, modernization, social security numbers and all these other databases that we are storing. we just have not quite found the black market. >> and how does that work? you go in and turn it around and then you use the internet to sell them again? and then somebody buys them and buys a pair of $200 shoes? ami, tell me how it actually plays out. >> there are far better experts on the black market than i am. i'm not even going to touch that right now. [laughter] >> this is second-hand information. there are sites that are primarily housed in eastern europe for credit card
5:03 pm
information and debit card information, card numbers, fully equipped cards, cards with pins, the whole 9 yards are available. they sell for different prices depending on the brand and whether it is an excellent or standard card, depending upon whether the pin is provided, depending on whether they give you enough information. i mean, it is all quite out in the open. although i do not recommend looking for them and going on them because like other underground sites, if you are not known within that community they might ostensibly come back and get you. i do not recommend going and looking for them, but it is an open and notorious market. credit card information sells for anything from three or $4 to $34 or even upwards to 100 if the information portfolio with sandy. >> if you spend millions to get a hundred dollars for each one that makes money. >> absolutely right. but to come back to your first question in terms of who pays and what happens
5:04 pm
when the breach might occur, the first thing, everyone needs to be clear that here in the u.s. it is never the consumer or very rarely the consumer that suffers any financial loss because we have a liability policy. your bank will take the charges off if they are unauthorized. number one, it is not the consumer. it has to do with who within the industry will pay. the second thing i want to say is, as soon as one of these breaches is identified, and often by the banks themselves or law enforcement, it is difficult for the breached entity to detect it itself. once it is identified, this huge machinery goes into place where the payment brands such as ourselves and our competitors get the information about the accounts that might have gone through that environment. we get that out to your bank so as consumers you know that your bank has that information and can either
5:05 pm
monitor your account with special scoring because they know what has been exposed to protect you from fraud or reissue your account. to put it later there is provision for sharing. so that is my answer to your first question. >> the consumers in the end -- i mean, it is right in terms of liability, but ultimately consumers do bear the cost of the positions of the marketplace. that is what we're another, all of these companies that are represented by brand organizations, are all in the market for a reason. they're in the market to make money. this will be a cost transfer ultimately to the consumer. i want to come back to the basic theory of the caseload. there are plenty of bad things that are happening in cyberspace, but they're happening in the space of a capacity's act. we know what to do for basic cyber hygiene and we're not doing it.
5:06 pm
pick your numbers. experts -- i am not a technologist, but i hang around those who are. basic hygiene will prevent 80 to 90 percent of all known attacks. do you know what is connected to your network? do you know what is running or trying to run on your network? do you know who has administrative permissions to change passwords or overwrite your configuration? do you have an automated system in place like continuous diagnostic mitigation that allows you to detect vulnerabilities as they happen and take appropriate remedial action? those top five of the 20 critical security controls equals gb three. >> $0.6 of every hundred dollars. >> in terms of the cost. in terms of cost, less than
5:07 pm
$0.6 for every hundred dollars which is why i believe that it has been treated to a large extent up until now as business as usual, starting last christmas because of the prominence of the breaches that occurred at that time of year and affecting so many people. it has become more a question of trust and confidence in the system which has created a kind of unanimity as hasn't existed before. at least let's say a consensus. we need to move forward in the payment system to take all valuable data out of the system. we have the means to do that, at least to take it out of the merchant environment. because it is such a complex and extensive environment it will take some time. moving forward on the chip rollout and moving forward with some solutions for the internet shopping and the mobile shopping that you
5:08 pm
saw, for example, with the recent announcement from apple which uses tokenization technology provided by the payment system. all those things take the data out. >> let's take one at a time. it is just shocking. almost everyone shops and puts their card online. the future of online consumer activity, how will it be more secure? what do you think of the apple system? >> let me break it apart. i have no doubt that it would improve the system and hopefully we will see more of that, but there is no silver bullet. the layers of security in the elements of important aspects. we talked about the card information showing up on the black market and being monetized. we need to make sure that if a criminal were to get a hold of the information it would not be useful. >> how do you do that? >> that is part of the technology that we talked about. merchants have argued that
5:09 pm
those cards should be issued with pin numbers so that you have authentication of the card and the person with the card. tokenization, which is an underpinning of apple pay, is also a very terrific long-term solution that would instead of transmitting information related cities in the cards you transmit something else that if intercepted could not be monetized or sold or lead to fraud. >> i want to come to the point that brian made. i didn't mean to represent control as the be all and end all. nothing can solve the problem to 100 percent, but because you are going to get at some point in your lifetime does that mean you're not going to wash your hands? because you are going to be in a traffic accident does that mean you do not buckle your seat belt? this is basic preventive hygiene and you talk a lot. how about a consumer.
5:10 pm
what are they supposed to do to protect their identity? >> you know, the things that we have, secure passwords and how your computer will generate them, but we are not always on that computer generating them. we do not keep them on our key chain. the kind of innovation being described is the future. in fact they are the present for us who have access to certain systems. would you share your toothbrush? don't share your password. let's use common sense. you know who is getting on your network at home. pay attention. security. >> consumers. it is a shocking thing in today's world, the sharing of your personal information. and so if you wanted you could really know my birthday and my mother's maiden name and where i went to high school, my favorite teacher, all of those things
5:11 pm
they ask you. being used in your password. so in case you want to know, my password is not 0316, but i have met a lot of people who use that, not that one, but around that. that is surprisingly easy for the criminals to phish and find from new auto get from you on social networks. i did not think it would be worth their trouble, but it is. watch out for over sharing. >> i wanted to add to that because i think it is about the real world to say be careful what you share. it all depends upon the security network. i don't do that. guess what, wives, friends, family, kids, they are. our system does not help because we have so much
5:12 pm
public domain information. for a long time i never shared my address. guess what, there's a lot of public information around real estate sales and purchases that is just public. i am not the type of person that will say that everything needs to be private, but we need to do personally, from a consumer's standpoint, understand what is important to us and what we are willing to share and lori and not permitted we're talking about passwords. passwords, correctly, no one is making complex passwords directly. i can guarantee everyone is wrong, there's not a single person using a unique password on everything mail i into. >> but if you're not a technologist this is all the voodoo that you do. and both of us who are not technologists want to know the most important thing that we can do first.
5:13 pm
>> lock your door. that is what i say. we are talking about apple pay. >> you think you will be played. >> don't put those words in my mouth. i think these are little pivots to start turning this big titanic that we have. >> pivot toward taking a little bit of the risk out of the environment. that is a card present transaction. the chip has the same information. >> but if it is stolen that is why it is supposedly more secure. >> right. a little computer on the card that generates a one
5:14 pm
time use code. without that, which is different for every transaction, you cannot complete the transaction. unless you have the computer itself, the chip, you cannot complete a transaction with the rest of that information. we need to add the solution for the online environment. >> when you drive a car or passenger or pedestrian you have certain responsibilities. literally trillions and a lot of other transactions. what expectations should we give to manufacturers? why don't we get systems shipped with the security configurations would stop? why do we have to figure this out for ourselves? >> the retailer and the consumer.
5:15 pm
>> i think that there are three basic questions that are most interesting when it comes to cyber security. how do we architect systems we can trust from components that we cannot? number two, how do we ensure the integrity of information and identity in an open internet? we talk about privacy. data integrity is a big problem, i don't care if you know it. i care if you can change it. how do we ensure the integrity of our information and identity in an open internet and what will the role of government be as we distribute responsibility? an industry that is taking ever more responsibility for trying to get ahead of the curve. what we are facing is a lack of a conversation. we have an industry fighting the security problem. you said this but did not need in this way.
5:16 pm
there are no silver bullets. think if the medical community and the public safety community did not take that attitude. let's prevent what we can. reduce the noise level and allow complex companies to focus precious resources on those advanced and persistent threats, but we're not even making it harder now. >> why does europe have a stronger credit card system than we do? we have lagged behind. why is that? >> we have asked that same question for a long time. >> i want to regular hours of the solutions you were talking about, we need to be working with government, working between industries, which is something that we have done after many years of doing battle over a variety of things and perhaps one we will go back and forth on now the
5:17 pm
services industry came together to figure out other ways to really work together because we represent the full length of the payment ecosystem from the card networks to the small banks. these near term solutions that exist. tokenization coming next generation. there's no solution that protects the networks for all transactions and places. so we can try to address the near term solutions. they have argued the person holding the card actually owns that card. that is an important aspect. and as a long-term view. >> supporting both of those. >> what we are moving toward is a chip, but not chip and pin. we're moving toward the krajina into position. >> you ask the question of
5:18 pm
europe, the answer is this: europe started the chip rollout probably more than a decade, more like 15 years ago in response to a particular problem that they were having. the problem was the highly elevated fraud rate, and it was driven in part by the fact that here in the u.s. we had an efficient and reliable telecommunications system. as a result all of our transactions are authorized online through secured channels to the bank, every single one. your starbucks coffee goes to your bank for authorization in a millisecond and goes back and it is getting authorized by an automated system. in europe the systems were not as reliable, and they were unable to use that on-line authorization with predictive analytics to analyze suspicious transactions, so they were not using the solutions.
5:19 pm
as a result fraud rates were higher. they decided that because of the inability to bring everything online they were going to use an offline solution, something like a chip that could function in a conversation between your card and the terminal without needing to go back to the bank. that was the origin. it dropped from 18 basis points down to below six. reduced by two-thirds. so that was why. why should we invest and disrupt the market which is the most highly outfitted payment card market in the world. more expensive, less benefits. that is what the u.s. did not too late. now we are. visa led the way and thought that we should. we put out a road map. we have more consensus not a
5:20 pm
silver bullet. they have come over to the side of using the predictive analytics. they're better able to telecommunications. >> predictive analytics. >> between europe and the states. >> now being somewhat of a magnet, you are seeing them higher. >> if the company outsources all of its credit-card processing are they required to be compliant?
5:21 pm
>> i think the questioner is referring to compliance with the data security standard. absolutely yes. people will do sensible things when they know why. and so, you know, we have always tried to treat the public as an asset. introduce education. we are the last generation that remembers what life was like before we were on line.
5:22 pm
none of us negotiated our morning without interfacing online in some way. we might as well -- does anyone here not do on-line payments? 93% of the belgian economy, consumer economy is online. so random. there is not an enterprise in the united states that delivers value that does not rely on the internet and connectivity in some way. we have tremendous reliance. we ought to do basic hygiene to lower, or to far lower, the noise level of the threats so that we can focus on advanced and persistent threats. >> this strikes me as odd that you put your credit card number and your security code.
5:23 pm
but the. >> i want to build off of a point. chip and pin rolled out and fraud costs have been brought down. i think building off of this point, in europe you have seen fraud migrate online. they hardened the systems around security. now it has moved online. and so we need to develop stronger solutions. what you are describing is unacceptable. we need to evolve beyond that. >> what would it look like? >> nobody knows exactly because this is a free market and we have to please the consumer. a couple of things happening right now. there is mobile. apple pay, other types of solutions. so those solutions allow you to transact in the mobile or
5:24 pm
online environment. so that is number one. you will see more of a proliferation. that is a solution that is both mobile and online. in a mobile environment, of course, the idea that you can just with your fingerprint or entering your code enable an application, a payment application that can be used face-to-face using chip technology that may be a little too technical for this conversation or an application on your phone or a device so that you have a payment application that securely transmits the application without doing anything. very simple. >> it is inconvenient.
5:25 pm
>> i think that we need to embrace the innovation. we need to make sure that it is preserved. there is a lot of competition for the technologies. with the prospect for some of these technologies, you want to make sure that there are players developing something new and trying to hold everybody else accountable. >> as shareholders and consumers we need to start insisting on and asking for the performance record of companies on basic hygiene. we just had a tremendous breach. do we have an automated system? we need to start insisting on a higher standard, an enterprise security standard. >> what do you tell them about -- jennifer lawrence famously did not like it when her nude photos went around the world. so what should consumers do?
5:26 pm
>> we all do not need to touch the stove when it is hot to know that you get burned. sensible practices, but investigate where you're storing your information. >> so where is a bad place to store it? and i want to go to you. >> it is a great question. again, going back to what i said about a personal risk assessment: understand what will damage you. jennifer lawrence and all of these celebrities, what are you doing taking these pictures on a mobile device to begin with, much less putting it somewhere aside from monopole reuter clauses? it is not just that kind of information. it is all this information. seven to ten years ago, people were still storing their tax return information in these cloud storage areas or on
5:27 pm
online computers that have no security. >> what would damage you if it were public? >> again, when it comes to the online world, we have the right to expect that companies and enterprises with whom we share our data are taking the basic measures that we know prevent 90 percent of the stuff that is happening right now. if they're not doing it, we ought to insist that they do. >> we have to wrap it up. >> talking about consumers: you are protected financially. i would suggest one other thing that you can do is sign up for alerts from your bank. you can be in control with alerts from your card. you will see it yourself and can be the one. >> it is an alert that tells you that you didn't buy this.
5:28 pm
>> you can set it however you want. any transaction over $25 outside the united states or online, i get a text and then an email. >> really? $50 for a hot start? that is interesting. >> a level of commitment. it builds upon the processes. >> basically the political infrastructure taking lessons from that to make sure we're hardening our systems in every way that we can. >> thank you very much. the alerts, okay. i want to thank the panel, and then i want to welcome to this stage the final discussion of the day.
5:29 pm
we are very lucky to have david hoffman, foreign editor, former moscow bureau chief, now a contributing writer and editor. also, he won a pulitzer for a book that he wrote, and he will be interviewing a representative from the department of homeland security. >> where do you want me? >> it is a pleasure to be here. i will tell you a secret no one has told you yet today. in the old days when i first came to the post, this is where they printed the newspaper. the giant press room was
5:30 pm
filled with a fine roar and people waiting on the streets to get the newspaper. here we are in the digital age. welcome. i would like to introduce 000. a native of cuba, he came to the united states when he was one year old and made his way to los angeles, earned an undergraduate degree from the university of california berkeley, a law degree from loyola. after that he rose to become assistant u.s. attorney for the central district of california, a very big part of california that includes los angeles and a lot of other places. a lawyer, in 2009 he was appointed by the president as director of the united states citizenship and immigration services. he was sworn in as deputy secretary of homeland security december 23rd of
5:31 pm
last year. welcome. we know you have been in office less than a year, but you know everything. we're here to extract some of that information. thank you for joining us. >> thank you for having me. >> it has been a discouraging kind of morning. while you were away we heard from a lot of people. here is just a little bit of what they said. the chairman of the house intelligence committee warned us that the actions being taken, the outside attacks on our networks, are not necessarily aimed at the government. it is not the government we are worried about. it is the 85 percent of the networks in the hands of the private sector. they will not be ready. and for a lot of those businesses it is just barely above water. someone else said here earlier, the defenders are
5:32 pm
getting better, but the attacker curve is more steep. the offense is winning. somebody else described the infrastructure on the internet as really just a bunch of painting. the chairman said, when asked about offensive attacks, most of the offensive talk is from the private sector, businessmen, he said, who have had enough. and he pointed out to us that congress has told the private sector, you're on your own. but i think a lot of people are wondering, what is the government doing in this time of crisis? consumers, business,
5:33 pm
everybody, even congress, feels that there is a crisis. what are you doing about it? >> let me say that i do not subscribe to a school of pessimism. by that, i do not mean to belittle the magnitude of the threat in terms of its gravity and its frequency. i think everyone understands that cyber security is a field of growth, with respect to the security of the government and with respect to the security of the private sector. i would take the landscape not necessarily as a cause for concern but as a call to action. because, as my great predecessor spoke, there is a distribution of responsibility, or, i would posit, a word different
5:34 pm
than distribution, a shared responsibility. while attackers are, in fact, becoming more and more sophisticated, our prevention capabilities are growing in sophistication. detection capabilities are growing in sophistication. our response and remediation capabilities are escalating as well. the cyber threat is real, and i think that it will be a growth industry. we in the government, specifically in the department of homeland security, have a number of tools and resources to deploy to protect the environment. we have seen some of those tools deployed admirably and effectively, for example, the heartbleed situation of a couple of months ago. we worked closely, used the capabilities to work closely with the private sector, whether it is in the business of sharing information, whether it is
5:35 pm
in the business of deploying our expert teams, our us-cert teams, to a particular company or sector and to propose mitigation steps. >> mr. secretary, you said in june that there was a need for this legislation that would help companies and the government work more closely. you wrote about the problem of liability, and yet congress has been stalled on this for a long while. in the last few days, the lame-duck session, the chairman said there is a narrow window. until this legislation has been passed, can the administration do this on its own? >> i am hopeful the legislation will pass.
5:36 pm
the secretary has been a strong proponent of the need for the legislation and wrote a compelling piece last week to that effect. in the absence of legislation we are not without resources and opportunity to do more in this space, to better collaborate with the private sector. as i heard the prior panelists say, there are fundamental things that we can do to improve our cyber hygiene, strategic investments we could make. it is a function of
5:37 pm
consumers not taking it seriously enough. i think that the consumer, the public in general, and a number of individuals around the country -- >> 56 million. >> i think that they will understand the concern, whether they're taking the most rudimentary steps to mitigate the realization of the concerns. how often do people actually change their password? putting that aside, this is an area where the fixes are
5:38 pm
accessible. there's a great deal of debate within the private sector, for example, about liability protection. that might be a more controversial aspect of the legislation. >> there has been a lot of talk here today about the threat. an earlier panel was asked, what keeps you up at night? what is at the top of your threat list in cyber security? >> i would say i don't look at the threat, and we don't look at the threat, as a monolithic one.
5:39 pm
it is not singular in identity. there is the threat of what i will describe as the traditional hacker that is out for commercial advantage or purely destructive effect. and then there is the threat from state action, state-sponsored action, from the intelligence-gathering or security perspective. what keeps me up at night? both. >> what really worries you? the things that touch us every day. >> absolutely.
5:40 pm
our role is to assist the private sector, to support the private sector, and to work with the private sector in protecting its security. we do not have the tools to alone guard the dot com. i think that is an important point, but we have seen distributed denial of service attacks. there is, i think -- i hope everyone understands that our country's critical infrastructure is increasingly intertwined with our cyber security, and the energy sector, for example, is very well aware of this, at the forefront of how inextricably intertwined
5:41 pm
those two are. that is our greatest concern. >> the top of the list. >> you mentioned tools. suppose congress said to you, we will give you a wish list; what is at the top? >> i think the department of homeland security's responsibility within the government is well-defined. the codification of those responsibilities would be well received. the governing statutory scheme in this area is something that needs to be updated. it is quite antiquated. the national security framework, to have that codified, would be greatly advantageous to us. our ability to hire and retain and recruit cyber talent: on one hand we have
5:42 pm
a difficult time competing with the private sector because of the financial realities. i would respectfully submit our mission is an extraordinary one, but our ability to identify and recruit are some of the things that we would include. >> let's take the first question. >> what sort of pay level does it need to be? >> i would say this. the pay level is probably not going to compete with the private sector companies. it is the opportunity for
5:43 pm
growth. more importantly, i think it is the ability to recruit particular talent quickly. i think that is one of the things. our hiring protocols are labyrinthine. >> i am going to hand the microphone over here. >> thank you for the opportunity. i am with the office of government relations, which in turn is part of a coalition of dozens and dozens of tech companies, civil liberties organizations and think tanks in washington, all of whom oppose the cyber security information sharing act because we believe, and have detailed on multiple occasions why, it too severely compromises privacy and the fourth amendment.
5:44 pm
to comment on that, chairman rogers acknowledged that that opposition is contributing to stalling the bill in the senate. if we need a bill that accomplishes the important cyber security objectives, and we certainly agree that there are some, and that is the case and the bill is stuck, how do we resolve that? >> let me make a couple of points, if i may. i appreciate the question. the department of homeland security is not alone but relatively unique in having a privacy office and a dedicated privacy rights officer, not only committed to the cyber arena and the very critical privacy issues that are implicated, but quite frankly the privacy issues are embedded in the breadth of the work that we do. so we very well understand the privacy sensitivities with respect to the bill and
5:45 pm
on a more macro basis. we operate right now on a voluntary system, the voluntary provision of information. the voluntary provision of information helps in the following ways. we are able to assist the provider of information in addressing the vulnerability or exploitation that the volunteer has suffered. and so we can assist in actually remediating and preventing in the future further exploitations or vulnerabilities. number two, the more volunteers that we have, the greater a perspective we have of the security landscape and the greater ability we have to make systemic recommendations and
5:46 pm
proposals to the private sector with which we interact. and so we encourage cooperation over an environment of compulsion. >> more questions. >> just one more. >> as well as the one that came in from the email. >> academia, national labs, the private sector want to know where you're headed and what is needed in the future. >> so we are actually right now working on a plan. i don't know if i would call it a road map as much as a strategic plan, a vision for the future. that is a shared plan, a plan of collaboration. >> mr. secretary, i know
5:47 pm
that you are searching desperately to hire skilled people. we are also told that u.s. cyber command is competing. they want to get to 6,000 people. i just wondered, it always seems to a lot of people that offensive cyber programs are racing ahead. on the defensive side there is a lot of worry about inadequacy. what do you think about the perception? >> i would respectfully disagree with that contention. i think that both are moving forward. we specialize on the defensive, not on the offense. our ability to recruit talent is, i think, best exhibited by the fact that we brought on board an outstanding leader in cyber security from the private sector. we intend to draw additional talent just like her.
5:48 pm
this is a priority of the secretary. he visited georgia tech to recruit the best and the brightest in cyber talent. i have seen first-hand the capabilities of the defensive side with our team, a rapid response team that has been enlisted to assist in the defense posture and the protection of the space, the u.s. situation. i have also seen it deployed in the financial services sector and others. so i do not think that the defensive capabilities of the united states government to assist the private sector in protecting itself should be underestimated or
5:49 pm
understated. >> just a follow-up to that, the defensive capability: have you had any national-level cyber exercises? >> we have had, within the department, tabletop exercises, which are important, to ensure that all of our response and protocol measures are our best practices, and we identify room for improvement. >> can you be more specific than that? >> i don't know that i should be. but with respect to a broader tabletop exercise, i don't know the answer, quite frankly. >> you know, the former director of the nsa said the other day, it is impossible for the united states government to have an adult conversation with the american people about cyber security because there is
5:50 pm
too much secrecy. i think a lot of people feel that we need to have that conversation. people need to know before there is an attack. do we need more openness? >> it is interesting. from my vantage point, i see the conversations we are having across the country. whether my answers satisfy those of you who are quite probative, i will leave it for you to judge. we have conversations across the country with respect to cyber security. we meet with industry. we meet with citizen groups. we meet with privacy advocates, and so the dialogue is an ongoing one. so i do not know, really, to
5:51 pm
what mr. hayden was referring when he speaks to a lack of openness and too much secrecy. >> there is a feeling that sometimes the threats we face have not been fully revealed, people don't understand what could happen in a cyber attack and are shocked at some of the things you read about. how is it possible that 56 million credit cards at home depot -- how is it possible, if you are on alert, that people abroad can steal 56 million credit cards? >> that is a distinct point, that is a little bit discrete. the success of an attack is not a measure of whether we're communicating openly
5:52 pm
and effectively, nor is it, quite frankly, necessarily the measure of whether we're being vigilant, and this goes to my take on your first point, the point of doom and gloom. i do not need to embrace it, but i want to address it directly. our sophistication is extraordinary, and that sophistication is evolving, improving every day, as is the sophistication of those who wish to do us harm, whether it is through commercial advantage or otherwise. the fact that an attack is successful does not necessarily speak to a deficiency but rather to the need to be ever vigilant and to raise the bar of cyber hygiene across the board.
5:53 pm
i will share with you that in working with the private sector we have, for example, observed varying levels of cyber hygiene amongst very significant corporate entities. some are much more advanced than others. and what is incumbent upon us to do in the federal government is to proselytize, and proselytize with our partners and our counterparts in the private sector, about the need to elevate cyber hygiene. where it is going to be -- as a former practicing lawyer, where i think it will be interesting to watch the marketplace is on the development of a standard of care. when a consumer has been
5:54 pm
harmed by reason of a breach of that company's cyber security, what is the responsibility, the liability, of that company for the breach? and what is the standard of care to which it should have adhered? what is the reasonable standard of care? did it comply with that standard of care? did it not? i think those types of questions comprise at least one aspect. >> you seem to be saying that we should not take what we have heard today, the worst, most serious breaches in our history, the idea that part of the private sector is unprepared, we should not take that as some sign of worry about performance?
5:55 pm
>> you asked me what keeps me up at night. it presupposes that i am up at night and unable to sleep because of something in the cyber realm, which is true. i do not mean to diminish the fact that there is cause for worry. i mean to say that there is cause for action, and that is what i suggest we take away. if i am a member of this company, when is the last time this company reviewed its cyber security system? spent days in a tabletop exercise and the like to determine whether the security safeguards are adequate to address the most basic threat, and a more sophisticated threat, and a really elegant exploitation?
5:56 pm
>> on that note, i think we are out of time. >> i think that there is an appetite for dialogue, and i appreciate you coming. thank you. i want to say that all of our conversations will be online soon. on october 8 there will be a six-page section devoted to cyber security, including much of the conversation we had today. the day before veterans day we will have a conversation about veterans, the returning veterans, a community of whom are doing interesting things in the community. the ceo of starbucks has written a book with one of the "washington post" reporters called "love of country." thank you. we will see you next time.
5:57 pm
5:58 pm
it is the first and only debate between the two candidates, and they will meet in stillwater. 8:00 eastern over on c-span. >> tomorrow we look at the latina agenda. then the american conservative union discusses the aclu's role in the midterm elections. and after that, charles nelson on the recent report on health insurance, poverty, and income levels. phone calls, facebook comments, tweets. >> earlier this week candidates for texas governor
5:59 pm
6:00 pm
a woman has five months to make a very difficult decision. moderator: thank you very much. senator davis. >> senator davis, you catapulted onto this issue with your filibuster against abortion restrictions. you recently told the editorial board that you might not have filibustered if the legislation only banned abortion after 20 weeks, with allowances for rape and -- what would you accept? >> i have always believed a woman, guided by her faith and family and doctor, should make these very difficult decisions for herself. i do not believe that the government should intrude in that most