tv Key Capitol Hill Hearings CSPAN October 28, 2014 8:30am-10:31am EDT
8:30 am
>> although it may be difficult, having fleets of freight vehicles that are essentially robotically operated raises a whole host of security questions about who has access to that data and that information. that's part of the spectrum upon which companies are going to be competing, is to offer greater security to make sure those sorts of trade secrets don't get out. it deserves more consideration than i'm giving it here. >> we have this gentleman at the front, please? >> hi, i'm tom curry, a reporter with congressional quarterly roll call. i talked to the head of the
8:31 am
contra costa california transportation authority last week. they have the new test track for the mercedes autonomous vehicle that's going to be located in their county, and he said one of the things in the future, benefits that he sees is that these vehicles could benefit to the county, that these vehicles could go out and detect potholes and immediately transmit the data back to the contra costa or any transportation authority so that there'd be a fleet of vehicles that would be communicating information in realtime so that they could maintain the transportation system better. i just wondered from mr. scribner and mr. o'toole what's your view of that and the cost, also, of transmitting all this data back to a county transportation authority. >> well, i don't see anything wrong, if he wants to get that
8:32 am
information, for him to design an app and upload it to apple and android, and then people can volunteer to download it. if they're driving on a road that's unusually bumpy, the apple would detect the vibration and transmit the information to the road authority that there's a serious problem with the roads. there's no reason why it has to be mandated or why it has to be applicable only to driverless vehicles. >> yeah, i agree. i agree with that. but sort of going from there i think it is really valuable, particularly in the context of automated vehicles, to have our roads in very good condition particularly if they're solely sensor-based, you know, these aren't things that can -- vehicles presumably, at least initially, won't be communicating a lot of data between each other and certainly not with infrastructure. so that would be great. i don't think a mandate would be needed, but certainly, yeah, i think that's a very good use of
8:33 am
that technology. >> sorry. saw this gentleman's hand up earlier. >> thank you. lawrence gasman. i'm interested in the time frames for. earlier on randal o'toole put up a slide that showed the different types of intelligence a car could have, and i think that came from some government agency. but i'm particularly interested in the advanced ones, type iii and type iv, because you've got cars that can park themselves now. it's fascinating, but it doesn't seem like a huge issue. when you saw dogs putting themselves in the car and taking themselves to the vet, that raises a number of issues. it seems to me it's going to be quite a few years before you start seeing that in any, you know, outside of california, i guess, is what i'm thinking. what sort of time frame do you think those type iii, type
8:34 am
ivs, and from a regulatory side, how long do we have to get this right? >> well, it depends on who you ask. toyota's saying we're not going to focus on this at all, but then you have companies -- google is still saying 2017 presumably level iii or level iv, that's still a goal. nissan is saying 2020, presumably level iii, possibly level iv. and then continental is also saying 2025. so it could be sooner rather than later, and, you know, it really does, you know, we need -- we don't necessarily need special regulations for this, but it just goes to show that regulators are going to be well behind this technology developing, assuming these optimistic industry forecasts are true. >> about 200 experts in the field were surveyed on this question at a conference last summer, and the median answer was that google driverless car,
8:35 am
the car that has a steering wheel but the car can take over pretty much completely in almost all conditions will be available by 2020. the pod car that doesn't have the steering wheel or any way of the driver controlling it other than start and stop will be available by 2030. i would go further and say by 2040 we'll start talking about closing roads to human-driven cars because they're too dangerous. >> and then quickly, i think there's an important distinction to be made between highway and non-highway vehicles. certain things that are happening, namely city mobile ii in the e.u. where they're focusing on these low-speed, geographically-restricted sort of almost paratransit vehicles. those you could perhaps see earlier. they would be, you know, deployed on college campuses, retirement communities, places like that where you don't need to meet these stringent, say,
8:36 am
nhtsa guidelines. but, so there's the potential for that too, happening before we actually see the highway vehicles. >> this gentleman in the front. >> hi. thank you. dave -- [inaudible] retired. and i was wondering about insurance implications, especially during the transition period when you've got a mix of automated and manual vehicles. has anybody looked into that? are there any insights? >> the interesting thing is that insurance companies are some of the biggest backers of self-driving cars because they figure it's going to significantly reduce problems and accidents. one concept i've heard is that instead of when you buy a driverless car, instead of buying an insurance policy for the car, the auto company will buy the insurance policy, and that'll just be included in the price of your car. so if there's any liability
8:37 am
involved, then the auto company will have its own insurance to deal with it. it won't have to deal with, you know, extended lawsuits and so forth. >> way at the back, the woman in the back, please. >> hi, sharon bovat, voice of the moderate. quick question, the glonass issue, that was the russian monitoring system that they wanted to build. that was luckily quashed, i believe, last december. now, if people in foreign governments have access to the navigation and then you have the driverless cars and companies like nissan own avtovaz which is putin's car company, theoretically, they could drive one of our nuclear scientists off a cliff. we start thinking about this technology and security, we don't now -- we do not now have the monitoring stations which would be the russians having that access. but this tech, i think, with
8:38 am
foreign companies. any concerns or comments? >> so the concern about intelligent vehicle technology and driverless car technology being hacked is already very much evident. there have been demonstrations in realtime about how attacks can be perpetrated. it's not something we should take lightly. it's not something, however, we should live in complete fear and dread of. we need to find solutions of these products, we need to figure out how to make these systems as secure as possible so that that sort of hacking, for whatever reason, is avoided whenever possible. i will say this, that we have to do this relative to the historical baseline we're operating on. a world where over 33,000 people are already dying behind the wheel because of human error, will there be hacking that potentially results in someone resulting in an accident or even a death? potentially, yes. i'm not here to say no. but we have to understand that in that world of more intelligent vehicle technology, it may be that we have tens of
8:39 am
thousands of people's lives being saved with that potential of it being hacked at the same time. we're going to have to try to make that balance. and i know that sounds crude and overly utilitarian, but i think we have to take it against that historical baseline. >> one of the reasons i oppose a mandatory v2v or v2 -- vehicle to vehicle communications is that a mandatory system is going to be a lot easier to hack. and it's going to be a lot harder to defend against because the government that mandated the system will probably not be as interested, motivated to defend, whereas if you have a competitive system out there with different companies, each offering their own software packages and other people offering apps and so on and so forth, they're all going to have a competitive reason to keep their systems from being hacked. and it's going to be harder for a hacker to attack, to have a widespread attack. you can attack one particular app or one particular software system, but you won't be able to
8:40 am
attack everybody's at the same time. >> this gentleman on the left. >> good afternoon. my name's todd wiggins, freelance journalist in d.c. i often think of that movie that was popular sometime ago called i robot because there's a lot of technologies that were sort of promoted in this movie. and so i was wondering, are we, the americans, most likely to debut this type of driverless car, or is it more likely that south koreans would be likely to debut? because often they seem to be ahead of us when it comes to mobile phone technology where they're using items that we aren't really necessarily using just yet. they may be often turns out to be the test ground for those, for technology. so are they ahead of us on this? >> i think the united states is
8:41 am
actually uniquely positioned to be one of the first places to have these available, well, in widespread testing which we're already seeing some early testing on public roads, but also availability. and one reason is we're not party, the united states is not party to the vienna road convention which has some definitions that may restrict certain testing and operations in other countries. most countries are party to that. so that's actually really interesting, and they're actually working on updating the vienna convention to basically allow for more availability in the future. but it has proven to be a problem. i know that a bunch of -- this is being led by a number of german parts and auto manufacturers right now, and they're very well aware of this. as it stands right now, i think the u.s. is in a pretty good position. >> there will be extra points, you can never put minority report into the next question.
8:42 am
[laughter] i want the gentleman in the middle, red shirt? thank you. >> well, it's a great movie, so there's that. my name's luke. mark, good to see you. i work for tax analyst now, and two of my colleagues there actually ride motorcycles regularly to and from work, and i'm wondering how motorcycles and people who enjoy them would fit into a driverless car future. >> i thought about including a motorcycle video in my show because andrew from google has developed a driverless motorcycle. it's a little bit like a segway. it manages to balance itself, so they can fit in just fine. and that was actually andrew's first entry when the darpa was still running the grand challenges, it was an autonomous motorcycle, and it had been, you know, he tells the story there was a new yorker article about
8:43 am
how they're ready to go, and he messes something up at the last minute, and it falls over. so, you know, that was, that was the sort of -- you could look at it as the genesis of the google self-driving car, was the self-driving motorcycle. >> gentleman on the right here please. >> david sobelson, washington d.c. i have two questions. this is a very appropriate day to have this panel, because this is the birthday of elwood haynes, one of the early pioneers of the automobile, whose first gas-powered driving automobile is in the smithsonian. elwood haynes also was the first to get involved in an automobile accident. so i would ask the panel to talk a little bit more about how they see the common law of personal injury evolving with self-driving cars. and my second question is if, in
8:44 am
fact, people who have time while they're commuting to read and to do work and to watch movies are going to be interested in commuting longer, why hasn't that already happened? because people already have that opportunity. so those are my two questions, the evolution of personal injury law and why we haven't seen an increase in commuting time already. >> would you like to take -- >> i'll say something briefly on the first one. i already mentioned the evolution of products liability and, of course, personal injury law could go alongside that, and i think it will. there will be very interesting cases and controversies involving sort of hybrid situations where someone in the sort of vehicle that randal described that is fully autonomous and may be insured by the service provider is in an accident with some human that's driving, like me, an old muscle car and is still that dumb bag
8:45 am
of bones. we'll work these things out. certainly, we have a very litigious society. ultimately, it will lead to a lot of these innovators being sued early on and keeping from developing this technology. that does concern me greatly. but i don't know what we should do to stop that outside of changing the user pay law. good luck with that. but the reality is i'm pretty confident that personal injury law will work itself out over time, and hopefully there'll be a lot fewer personal injuries. >> one thing is unlike an ignition problem or something like that or a sticky accelerator pedal, the driverless cars record everything that's happening around them all the time. so if they're involved in an accident, they will have excellent 360-degree recordings of what happened prior to the accident, and it'll be fairly
8:46 am
easy to determine who was at fault in the accident. if the manufacturer of the driverless car is at fault, they will pay up and update their software. if they weren't at fault, then it'll be fairly easy to prove it. so that will, i think, take care of a lot of the litigation and liability problems. >> yeah. i'll agree with both adam and randal. one interesting situation -- yeah, i think we should, basically, let the law evolve. we'll deal with any of these potential problems when they arise. but one, you know, taking adam's example a step further would be what happens if you're in a nhtsa level iii automated vehicle, and you collide with a nhtsa level iv, how do you start then sort of breaking that out and assigning liability to various parties? it's going to be interesting. but it's something i think the courts, hopefully, will be well prepared to deal with. that's the best option we have now as opposed to preemptive,
8:47 am
prescriptive regulation and sort of crystal ball kind of statutory changes. i think you can do a lot more harm doing that as opposed to just waiting and seeing. >> and when people ask two questions, i always forget the second question. >> the second question was if driverless cars -- [inaudible] to work and realize and watch movies, why isn't it already happening when people can already do that. >> people who commute by transit tend to spend twice as long commuting as people who commute by car. that's according to census data. so it is already happening. >> we have this question from the front, please. >> my name is, my name is gabriel roth. thank you for a very interesting presentation.
8:48 am
i understand that every self-driving car has to know where it is at any time. is it necessary for others to know where the car is? in other words, my question is do self-driving cars have to be tracked which is what i think i understood mr. thierer to say? >> [inaudible] >> i'm not sure i understand the question, do they have to be tracked? i mean, they're going to be connected, and, you know, there are ways that they will be tracked in that sense, but maybe mark or randal, you have an answer to that? >> i think the way that -- at least what they're telling us publicly, the way the current manufacturers envision this, they want to focus on developing sensor technology, so there will be a gps receiver so the car will know where it is relative to other things, but that's what the sensors are there doing. so in terms of them being
8:49 am
tracked, i don't, i don't think you'll, you know, you'll be able to pull up a screen and see where all the other cars in the vicinity are, but they're going to, you know, a self-driving car is going to know where another car is. i don't think it would necessarily know where another self-driving car is. i don't think that's necessary. >> tracking is not a part of the technology that is being developed by any of the companies that i know about. >> question at the back. >> hi, my name's kathleen shannon, i'm from the university of virginia law school. i had a question about the accident avoidance algorithms and if there's any indication from any of the companies about the approach to this. is it going to be, you know, every car for itself that for accident avoidance you're going to protect just that car, or is it going to try and, you know, reduce injury to both cars if
8:50 am
they're communicating, or i don't know if there's anything -- >> so that's a great question. as someone who studied philosophy in the old days, there's a so-called trolley problem that comes up in ethical philosophy about two trolleys heading at each other, what do you do? and you have all sorts of life and death scenarios being debated right now with regards to driverless car technology and how to create more so-called ethical algorithms. do you have two driverless cars hit each other? what if one can go off a bridge and the other hits a pack of kids, what do you do? these are hard questions. nobody will want to debate these questions, but we'll have to. and hopefully over time we come up with better and better answers to avoid that. no matter how thorny those ethical dilemmas are, i am fairly confident those technologies will help us avoid
8:51 am
more accidents that we're going to probably make the worst of all decisions, hit the other car, hit the kids and go over the bridge at the same time. again, i'm fairly bullish, but i can tell you this has resulted in some very heated debates if you look at recent debates in "wired," patrick lin, evan, myself, others engaged in this, and they are legitimate questions. there's a whole volume out there called robotic ethics that was published recently where these questions are debated. >> mark, did you want to -- >> yeah, i agree with adam. i think the main problem we have right now is that we have people driving cars. so, and whether or not they can, you know, i think they're the ones who are causing the accidents. not to say that, you know, we should take it away from them. but i think this technology, they're all engineering it -- at least what they're telling us -- these are going to be very, very
8:52 am
cautious. chances are they already would have pulled over and stopped by the time they get to that point. i mean, they really are trying to avoid even getting to these questions, these ethical dilemmas. but as you said, it is a really interesting question. i think in the future it's something that developers are going to be working on. >> we have a question from the gentleman on the left. >> i'm michael -- [inaudible] washington, d.c. also. this is a little bit different here. i'm a regular cycler. i use this capital bike share thing. and most of us realize the advantage of cycling is sort of the asynchronous nature. most of us don't actually know about traffic lights and signs and stuff like that. so my question is for something like an autonomous motorcycle, i
8:53 am
don't see this for a vehicle, is there any likelihood that they would have more flexible rules in the sense of you definitely can get places a lot quicker if you're allowed to sort of drive between cars or -- in other words, i'm trying to take this thing maybe ten years beyond after it's been introduced. but is there a chance? because you can go, i mean, anytime during rush hour you can go by bicycle anywhere near the white house and get from one end to the other in no time, but there is no vehicle sort of the president with all of the flashing lights that can go anywhere in less than a half hour. >> well, lane splitting, as you describe it, isn't currently illegal everywhere. in california you can lane split with a motorcycle, but when it comes to an autonomous motorcycle, it's kind of taking the fun out of it all. i don't see there being a huge market for those, but, yeah, that's, i mean, that's an interesting question. what you can do, i mean, maybe
8:54 am
if some people do want that, you would talk about legalizing lane splitting, going between cars. i guess that's -- yeah. >> well, i can see in the long run that things like stop signs and possibly even traffic lights, speed limits, things like that are going to be redundant. the car is going to look and see what kind of road it's on and figure out what's a safe travel speed for itself. and the need to have a law defining that safe travel speed is not going to be there anymore. but that's going to be an evolutionary thing. >> you would say this is a ways -- when we have, basically, we're approaching 100% automated fleet. >> yeah. >> can we take the question here, please? >> thank you. chris moody from yahoo! news. you've touched on this just a second ago, of course, but if i
8:55 am
wanted to drive faster and i'm in a big hurry, can i tell -- are the companies making options in the car where i could drive faster? if i wanted to save gas, i could drive slower. also the implications for city, municipal revenue where police now get a lot of their revenue from tickets. this'll be a big problem, right? there's a sharp reduction if everyone is driving a speed limit or there's no mechanism where the police can get revenue from those speeding tickets. also if they pull over a driverless car with dogs in it, then what happens? [laughter] >> so are we worried about bored policemen who can no longer -- [laughter] >> well, there are cities that do depend on revenue, ticket revenue for a lot of their revenue, and that's something that they're going to have to deal with. they're going to have to figure out an alternative source of revenue. it's just like 70% -- somebody at a conference recently said 90%. i looked, about 70 percent of organ transplants come from auto
8:56 am
accidents. so should we ban driverless cars so we can continue to have a supply of organs for transplanting? i don't think so. we're going to have to figure out other technologies and other solutions to that. >> you know, one thing i should mention really quick i didn't mention during my remarks is we can't have this conversation in a vacuum just in terms of talking about vehicles. you have to think about other types of technologies that can satisfy a lot of the demands that we have today that we use vehicles for. i spend a lot of my time writing about commercial drone technologies. a lot of the things we just spend a few minutes grabbing in a car each day, whether it be groceries or whatever else, there's a question in the future can things be delivered via flying robot? and that might, in and of itself, undermine the need to have more time in a car, autonomous vehicle or not. and a lot of the things that my children might use a robotic car for today, to be their little chauffeur and take them around, they could just have them dropped off with their drones.
8:57 am
we don't know how the butterfly effects will unfold because of this technology plus other technologies that can satisfy the demands we have. >> okay. we have five minutes, so unless there's one question in the middle, right there. thank you. >> josh marciano with international technology and trade associates. my question is with drone technology and commercial drones one of the biggest impediments is sense and avoid technology, i feel like sense and avoid would be able to develop with autonomous vehicles as well. so i was curious if you'd seen any collaboration between the auto industry and the aviation industry to develop this technology. >> no, i haven't. the question is in regard to sense and avoid protocols and technologies with regards to drones versus autonomous vehicle technology. i don't see a lot of overlap and collaboration, but, of course, keep in mind the faa has such a
8:58 am
stranglehold on any commercial innovation with sort of a completely precautionary-based approach, mother may i is the name of the game with regards to any sort of aerial innovation in this country. i think, luckily, we're seeing a somewhat more flexible approach with regards to vehicle technologies. i hope the faa comes to mimic that and actually does better in the future. we'll have to see, but as far as i know right now, no, not a lot of that happening. >> i have spoken to a gentleman who was working for a parts supplier, they were designing some of the sensor technologies, and they're interested in both the automotive and the aviation markets. so i think there's at least, there are always some companies at least considering that. but as sort of adam said, you know, i worry about nhtsa, but faa makes nhtsa look like this permissionless innovation that adam's talking about, yeah. the right-of-way rules, the scene avoidance of the right-of-way rules at faa right now give the faa the authority
8:59 am
to shut down anything it wants. and until those are resolved, yeah, a big problem. >> aerial drones is kind of a headline grabber, but the reality is once autonomous vehicles are out there and able to deliver goods to people, i think the desire to use aerial drones is going to decline since the weight problems are going to be significant, and it's just going to be easier to use a ground vehicle. >> that brings the q&a session to a close. what remains is lunch, and you are all invited. so if you could, please make your way to the left up the spiral staircase into the george yeager conference center. lunch will be served. the restrooms are to your right on that corridor. keep a lookout for the yellow wall. all that is left for me is to thank our panelists, randal o'toole, mark scribner and adam thierer. please join me in thanking them. [applause]
9:00 am
>> the 2015 c-span student cam video competition is underway. the three branches and you showing how a policy, law or action by the executive, legislative or judicial branch of the federal government has affected you or your community. there's 200 cash prizes for students and teachers totaling $100,000. for the list of rules and how to get started, go to studentcam.org. >> c-span2, providing live coverage of the u.s. senate floor proceedings and key public policy events. and every weekend, booktv. now for 15 years the only television network devoted to nonfiction books and authors. c-span2, created by the cable tv industry and brought to you as a public service by your local cable or satellite provider. watch us in hd, like us on facebook and follow us on twitter.
9:01 am
>> and we're live at the u.s. chamber of commerce here in washington this morning. the group is holding its annual cybersecurity summit. a series of panels will be getting under way shortly conducted with industry experts as well as government officials. michael daniel is the white house cybersecurity coordinator, and he'll deliver the morning's keynote address. this is live coverage, expect it to start in just a moment. [inaudible conversations]
9:04 am
[inaudible conversations] >> live coverage of the annual cybersecurity summit hosted by the u.s. chamber of commerce, should get under way in just a moment. industry experts and government officials will hold a series of panels in this daylong conference. again, it should start in just a moment. while we wait, our coverage of campaign 2014 continues as the days wind down to election day next week. one of the races we've been watching, and we've shown you a number -- over a hundred debates during this campaign season -- one of the races we've been
9:05 am
watching is the senate race in kansas, and we spoke with a reporter this morning who gave us the latest on that race. >> host: campaign 2014, eight days until the election. let's take a look at the kansas senate race. we're joined by steve who is the political correspondent for the kansas city star. steve, thanks for joining us this morning. looking at the race between incumbent pat roberts and the independent, greg orman. where do things stand eight days out? >> guest: it's still, obviously, a very, very close race out here, bill. the latest polls we're looking at here suggest that orman might have a lead of a point or two but, obviously, that is within the margin of error in these polls out here. but a very, very tight race here, no question about it. >> host: last week the pat roberts campaign bringing in the big guns, bringing in mitt romney. what else -- who else has come in to campaign for the senator?
9:06 am
>> guest: well, at this point, bill, about half the u.s. senate has been out here to campaign for pat roberts. he's had john mccain here, rand paul, ted cruz, just one senator after another, tom coburn from oklahoma has been here for him. today as you just mentioned, mitt romney will be in town. he'll be here in a kansas city area suburb just on the kansas side. and i think he'll draw a pretty good crowd. mitt romney is still, obviously, a big name in american politics, and that's why senator roberts is bringing him out here. so it'll be fun to see what happens. >> host: what's the get out the vote effort been like for the roberts campaign and the orman campaign? he's an independent, so who does he rely on? the democratic party's not there for him necessarily to do the get out the vote campaign. >> guest: well, that's one of the big questions that surrounds this campaign as we head down
9:07 am
towards election day, who does greg orman count on to get the vote out. he doesn't have very much of a get out the vote effort, at least in the traditional sense that we judge these things now in american politics. as you point out, he's an independent. the democrats are reluctant to help him on that front. they don't want to be caught helping greg orman and further tie orman to the democratic party. that's been one of the main arguments throughout the campaign from the roberts side, which is that orman is a liberal democrat, he's a democrat who's been hiding behind the cloak of being an independent candidate. so they really want to avoid, you know, that kind of association. so orman -- >> cybersecurity and education and outreach campaign as well as today's event, and also a big thank you to exelon, microsoft, pepco and "the wall street journal" for supporting us today. and also to the american gas association, the edison electric
9:08 am
institute, hid and oracle. thank you so much for your generous support. i think we've got an interesting program for you here today. we'll hear from the white house, the departments of justice, homeland security and commerce as well as senators feinstein and chambliss, and we've got terrific panels on the cybersecurity framework, global approaches to cybersecurity policy as well as an interesting cross-sector panel discussion this afternoon. and, of course, our keynote luncheon speaker is admiral rogers, the cyber commander and also head of the nsa. it's fitting that we're here today as october marks the 11th international cybersecurity awareness month. at the u.s. chamber of commerce, we have a national security task force chaired by former homeland security secretary tom ridge. the task force is made up of
9:09 am
chamber members of all sectors and sizes, and it's been focused on homeland and cybersecurity for over a decade now. if you're interested in learning more, please let me know, and we'll get you signed up. i thought i'd set the stage and give everyone context as to why we're here today, and then i'll go ahead and introduce our first speaker. we all know that computers have changed tremendously over the years. what once filled an entire room can now be found on your phone or tablet, and the people who are using computers and phones have changed as well. my 3-year-old niece is far more adept at using the iphone than my mother is. and in 1994, the internet was the next big thing in technology. hot enough that "time" magazine did a cover story on it, but also so unfamiliar they had to begin the story by explaining exactly what the internet was. since its founding the worldwide web has touched the lives of billions of people around the world, and it's fundamentally changed how we connect with others; the nature of our work,
9:10 am
how we discover and share news and new ideas and how we even entertain ourselves. and, of course, with all these advancements there also comes a downside. a day doesn't go by where we don't hear about a data breach or cyber intrusion. bad actors are using the internet to steal or manipulate data or, even worse, deny service or damage infrastructure through a cyber attack which could very possibly lead to harmful effects on our economy, the livelihood and safety of our citizens and even our national security. the chamber wants to make sure that the fruits of free enterprise aren't wiped away with the click of a mouse. even with its downsides, the internet has surpassed newspapers as the primary way americans and folks around the globe get their news. it's estimated by next year internet users will total some four billion users or nearly 60% of the earth's population. advertisers now look to social likes to enhance their brand's visibility, and even the astronauts aboard the
9:11 am
international space station regularly tweeted live from space to a global audience. and with all the public sharing of so much personal information via social media sites, obviously, concerns over privacy issues have arisen. this is the world we live in today. clearly, computers do more than simply compute. to raise awareness around the myriad of cybersecurity issues facing the business community, the chamber launched a major cybersecurity education and awareness campaign that we're calling improving today, protecting tomorrow. the purpose of the campaign is to educate, to inform and to inspire businesses of all sizes. the campaign will also help shape the outcomes of legislative, regulatory and public/private partnerships that are most pressing to businesses. this year we've held round tables around the country with the white house, homeland security, the fbi, the secret service and our members. we've been to chicago, austin, everett, washington, and phoenix. and we're going to continue this
9:12 am
cyber education outreach campaign into next year as well. if you're interested in joining us and getting involved, there's a brochure at your seats. please let me know. if you haven't already heard about the cybersecurity framework, you're in for a treat, you will today. it has a number of industry-vetted actions that businesses can take to assess and improve their state of cybersecurity. the chamber's urging all sizes of businesses to adopt the fundamental internet security practices laid out in this framework. the framework is a great first step, but we know still more needs to be done. we still need cybersecurity information-sharing legislation. companies need more actionable and up-to-the-minute cyber threat data. we know that information sharing between the government and business needs to dramatically improve so that businesses can better protect their data and systems. and businesses also need protections, including limited
9:13 am
liability provisions so that they are protected against frivolous lawsuits. that is why the chamber continues to push the senate to pass senate bill 2588, the cybersecurity information-sharing act. you'll hear more about that later this afternoon with senators chambliss and feinstein. and you can read more about our efforts in the handout that we gave to you this morning. so with that backdrop, it is my real pleasure to introduce our first speaker, howard schmidt. he's a true cyber expert. howard's resumé reflects his experience in both the private sector, law enforcement and government and in the field of cybersecurity he's really done it all. he's currently a partner at ridge schmidt cyber. he's a former cyber adviser to presidents obama and george w. bush. he was also the chief security officer at microsoft and the chief information security officer at ebay. and as i said, howard now serves as a partner at ridge schmidt
9:14 am
cyber. howard brings his talents in business, defense, intelligence, law enforcement, privacy, academia with a distinguished career spanning over 40 years. he also brings to bear over 26 years of military service. thank you for all that you do, howard, thank you for being here this morning. please give a warm welcome to howard schmidt. [applause] >> thank you. thank you, anne, for that kind introduction and to all of you for attending, and more broadly, thank you to the chamber for your continued support of the cybersecurity and the things that we're doing. i think back every time i'm in this room here, i think back to about 1996, '97 time frame when president clinton had put together the president's commission for critical
9:15 am
infrastructure protection. ultimately resulting in presidential decision directive number 63. and the core of that is much of what anne had mentioned about private/public partnerships. immediately when that was released, the chamber pulled together all its great members, as many people as they could sort of round up in the government that knew anything about this at the time, and working with some of the sponsors that very similar to what we see today and had one of the first cyber summits. and the room was nowhere near as large. the attendance was nowhere near as great, and i think the expertise and discussions were much more junior than what we have today. so it's wonderful that they continue to do that. the other thing i want to reflect on relative to the chamber is the support they've given us for many of the initiatives both in private sector and the government, and
9:16 am
specifically i want to thank the chamber for when we release the national strategy for trusted identities in cyberspace or the nstic, the huge outpouring that we had from the private sector with the leadership of the u.s. chamber. i remember the three of us were up here at the time from the white house and talked about it, gene sperling, former ambassador to china who was my former governor, gary locke, and it was an interesting day because it really, i think, put a mark at least in the d.c. area that many of these problems we're dealing with, many of the things can be solved, but often times can be solved by private sector. and it's interesting when you put together all the pieces of this, you look at the military, the law enforcement, the private sector, the executive branch of
9:17 am
the government, the congressional piece of it which may not move as fast as i think we all would like to see it, at least we have the same direction, we have the same function of saying we really need to do something. on a personal note, a number of months back my home in seattle, a pipe separated and flooded much of the house. and i haven't been back in to be able to move back in, but in doing so, my wife got one of her biggest wishes; to get rid of all that stuff i've accumulated over the years, all the binders, all the briefings, all the old hardware and drives and stuff that we had that contained a lot of this stuff. and in doing so, of course, very selectively i found a report from 1998. it was a report by rand corporation in joint with the chamber and a lot of other organizations look at critical infrastructure protection. particularly looking at it from a perspective of how do we do
9:18 am
this? it was a clarion call, if you would, for a private/public partnership. and it was very clear at the time. the government gave information to the private sector, private sector shared information with the government, and more importantly, that private sector share information amongst themselves. particularly on threats, vulnerabilities and best practices. here we are almost 20 years later, we're having the same discussion. we have to really refine the things that we're doing. now, i deal a fair amount with financial services, international energy companies, and i see on a day-to-day basis not just incremental, but great leaps moving forward on securing their systems. they're working with the government task forces, you know, the energy sector capability -- the capability maturity model that we started a few years back.
9:19 am
these companies are not taking this lightly. there are certain things that anne suggested that we need the government to do. we need to have good legislation that protects the companies from sharing that information, because there's a lot of people out there -- particularly in a lot of the offices that say, well, we're not sure if you can do this. or if you share information with the government and some issue becomes of it and litigation starts out of it, you may be on the hook. you may not have the same level of expertise to fight the case for you. you're going to have to hire outside counsel, have to do these things, and as a consequence it's just not worth it. but now some of the boardrooms that i'm sitting in and some of the meetings i'm having with some of the chairmen, tom and i do on a regular basis, the discussion has changed. it's not we can't do it, it's how do we do it.
9:20 am
how do we make sure that we support what the government's efforts are without inferring additional regulation on us? some of the sectors we work with are so heavily regulated, it's difficult to actually do the things that they need to do. and that's what we're working at now. and that's what i think all of you with the chamber and the sponsors here should be talking about today. we're going to hear from great speakers. michael, a panel later on today on some of these things. but at the end of it when all the speechifying, as john brennan used to call it all the time, when that is done, we've got to go to work. we've got the strategies, the strategies going back to 2003 with the national strategy to secure cyberspace, the international strategy, the nstic, n.i.c.e., the national -- the international strategy for cyberspace. and by the way, note it's not
9:21 am
about securing cyberspace, it's what cyberspace generally will do to us. and then sort of closing to once again thank the executive branch. when all the retail things that we've seen in the news recently about intrusions and breaches and sort of we're looking at this whole system that we operate, there was a lot going on. there continues to be a lot going on. and i don't know how many else in the audience in the recent weeks got that little card in the mail that says, by the way, just as a precaution, we're replacing your credit card. got mine the other day, and it had chip technology built into it. so we're making progress. and when the president called for secure buying for the government, we in private sector are moving that direction as well. no longer are we going to be part of a system that depends on
9:22 am
user id and passwords to do all the work that we need to do. it's not easy, it's not cheap, but if we continue to admire the problem and not put the pieces together that say here is the strategies we're looking at from the government perspective, from the private sector perspective, from the research and development community, if we're not taking those strategies and executing on 'em, next year we're going to be having a discussion at this conference again about the things that we should be doing. the time for strategy and looking at the problem is long gone. that 1998 report that i've mentioned a few moments ago, it could have been written yesterday. so we need to execute on the plans that we have. we need to actually do the collaboration and figure out ways to make it better. we're on a path to do that. i think everyone in this room is committed to do that. i think the people from the government are here to commit to that.
9:23 am
and i think if we each do that, we each do our part to secure our part of cyberspace, next year when we have this meeting, it'll be about all the things that we've been able to accomplish not only to better security, but also to improve the business and economic environment globally. because when it comes down to it, that's what keeps the machine running. so with that, i thank you once again for your attendance. anne and chamber, i thank you for inviting us, and i look forward to the rest of the deliberations. thank you very much. [applause] >> great. thank you, howard, as always, and we're thrilled that we still get to work with you in your new capacity at ridge schmidt cyber. my pleasure now to turn the podium over to chris turner, head of north american government affairs at dell. as you know, dell is one of our
9:24 am
big sponsors of our entire cybersecurity education and outreach campaign, so we're very pleased to have him here today. chris turner, thank you. [applause] >> good morning, everyone. on behalf of dell, i'd like to thank the chamber for the opportunity to introduce one of the most prominent leaders in cybersecurity here in washington. but before i do that, i want to thank all of the public officials and private sector folks that have been working in collaboration for the past several years to make the achievements and gains that we have had in cybersecurity. since the release of framework, dell and others have been participating in various public meetings to facilitate discussions around the strengths and weaknesses of the framework to help improve it and drive it forward. why? why was dell, of all companies, sitting down at that table?
9:25 am
in the past few years, dell has made acquisitions, strategic acquisitions to offer a cadre of solutions in the, to federal and private sector customers including dell secureworks, dell sonicwall and dell federal services. in short, dude, you're no longer getting a dell, dude, you're getting end-to-end solutions in cybersecurity and services. and as we continue to identify evolving threats and take steps to mitigate these threats, we have to work under a flexible framework that supports cybersecurity outcomes that we can all agree upon. and, actually, it is michael daniel that has been the biggest partner in making that happen for us and for the other companies in the room. and it is with great pleasure that i get to introduce him today. michael daniel's a special assistant to the president and the cybersecurity coordinator. he has successfully managed one of the most valuable accomplishments in cybersecurity policy, working with several folks in this room to execute
9:26 am
and develop the nist cybersecurity framework. as a cybersecurity coordinator, mr. daniel leads the interagency development of national security strategy and policy and oversees the agency's implementations of those policies. before that for 17 years he was working over at omb, so he knows where all of the bodies are buried which is what makes him perfect, absolutely perfect for this current job. he's a princeton man, he's a harvard man. besides just cybersecurity policy, he actually is a practitioner of karate which means he can defend both cyber and physical. [laughter] please do not mess with him. please join me in welcoming mr. michael daniel, special assistant to the president. [applause] >> thank you. good morning, everyone. it's a pleasure to be here at the chamber for the third annual cybersecurity summit.
9:27 am
for those of you who have been forced to hear me talk before, i've tried to throw in a few new things into my speech so that it won't be totally boring for you. thank you for that very kind introduction. but i do want to talk a little bit today about why cybersecurity is such a hard problem. about why, as howard said, we're still talking about some aspects of it 20 years on. and how we're trying to think about that inside the u.s. government and design our policies to shift, to adapt, to address some of those key hard problems. when you actually take a step back and think about it, from a purely technical standpoint it's not obvious why cybersecurity is a really hard problem. at its root most of the time the bad guys are getting in through a vulnerability that we know about and we know how to fix. so that means that the enemy is penetrating our networks through a hole we're quite well aware of, and we even have a patch to
9:28 am
go over it. and yet we don't do it. so what's the deal? why is this such a hard problem? and from my point of view, i think the issue is that cybersecurity is not really just a technical problem. it's far more than that because of what cyberspace has become to us. in fact, cybersecurity is, it does have technical aspects to it, very strong technical aspects to it, but it's more than that. it's also an economics problem and a business problem, a human psychology and behavior problem, a political problem, and it's a physics problem all rolled into one. and so when you combine all of those factors together, that's why cybersecurity is such a hard problem and so difficult for us to solve and so difficult for us to tackle. and i want to draw out a few of what those hard problems are and then talk about what we're doing to address them. and the first hard problem i'll talk about is really the business and economics aspect of cybersecurity. i don't think we really actually
9:29 am
understand the economics of cybersecurity very well. and i come to that conclusion because of what i just said. we have solutions that we know are out there, the technical solutions that exist, but yet we can't get people to actually implement them. we've been talking about cyber hygiene, information sharing, identity management literally for decades now. and, sure, the adversaries' tactics evolve in cyberspace, and the impact of malicious behavior is growing as we hook more and more things up to the internet. but the same fundamental weaknesses continue. so, and it's not like we don't even actually collectively understand these facts at this point. yes, we need to do more on education and outreach and talk to more and more -- larger and larger portions of our society. but, certainly, the numerous news reports on cyber breaches from target to home depot and other companies have really helped to raise awareness. ..
9:30 am
9:31 am
when the internet was first built critical infrastructure wasn't connected to it and didn't rely on it. nobody really cared about privacy protocols because people didn't live their lives online. users didn't worry about the underlying security, the underlying security of the code, only that it worked. governments didn't understand the internet, didn't use it much and didn't see why they should care about. nobody cared that the technologists that the internet was governed in largely decentralized function without side government based structures and didn't incorporate strong security. now everyone cares about these things, at least to some degree. governments wake up to the fact they need to care what happens on the internet and how it works for all sorts of reasons both good and bad. companies are waking up to this fact and citizens are waking up to this fact. so as a result, what used to be able to be decided on purely
9:32 am
technological basis by technology experts or by informal agreements among service providers and major companies in the space is now the focus of a highly political process and that means the decisions that once were easy in terms of internet governance and management of security are now much harder and given how important the internet and cyberspace has become to everyone and everything, that isn't likely to change anytime soon and we need to take that into account as we build our policies. then lastly the third hard problem that i would identify for you stems from the structure of cyberspace itself. and as we think about how we worked to build our cyber defenses and how we counter the threats inside cyberspace the physics and math of cyberspace play a very large role. now traditionally somebody like me would stand up here and talk to you about how cyberspace is borderless. how there are no, there are no
9:33 am
boundaries and how information flows freely across the entire globe and that's true. and it is both a strength because it allows for, that's what drives commerce and drives the much of the value that comes from the internet. and it is also a problem because it allows malicious actors great freedom of movement but i think this argument is not entirely correct. there are borders and boundaries everywhere in cyberspace. everywhere that networks and routers and servers and peering points touch, there are borders. and we are creating more and more borders as we build the internet of things much. so i would submit to you, that what cyberspace lacks is not borders and boundaries. what it lacks is an interior. there is no inside to a network when you think about it. everyone lives and operates right at the border and touches an edge or border
9:34 am
some way. that reality in cyberspace has profound implications how we organize ourselves as a society to protect ourselves in cyberspace. in the physical world we assigned the mission of border security to the federal government. but if everyone lives right at the border in cyberspace then it is not possible to assign border security to just one group or element of our society. as a result, it means that protecting cyberspace by its very fundamental nature is a mission that has to be shared by all. and that reality makes organizing for cybersecurity incredibly complex because it requires us to do cooperation across boundaries that we have in the physical world made by design difficult to bridge. both within government agencies and among government agencies. also between the government and the private sector and within the private sector. so if these are the problems,
9:35 am
economics, psychology, politics, physics, what are we doing to actually address them? at one level we have to address the technical issues that cybersecurity requires strong technical foundation and know how. one of the things we have been trying to do is something howard mentioned in his opening remarks which is the national initiative for cyber education. we've been trying to take that to the next level. we have, over the last couple of months we have linked up the nice, this is washington everything has to have acronym. the nice program with the president's jobs training initiative. that is looking to begin how to drive to fill the gaps in our technical workforce. not just our technical workforce. the workforce across the board, all different kinds of aspects
9:36 am
of cybersecurity professionals we need so we can actually generate the kinds of staff that we need to do the cybersecurity mission that not only the government has but the private sector has as well so that you generate the knowledge on the technical side but also financial systems, law, business management and the like. so, universities are beginning to react by developing the blended degree programs, by getting computer science departments to collaborate with the business school to produce graduates with applied skills to solve cyber-based problems and manage risks in the business world but that's not enough. the cyber workforce is projected to grow larger. we're stuck in a posture where we're stealing workers from one another. what we're trying to do is begin to address the problem by supporting scholarship programs, but supporting an effort to draw up a heat map where the cybersecurity jobs are and to partner with business and others to develop more cybersecurity
9:37 am
centers of excellence across the country at various universities to really increase the workforce we have available to us. we are also working to move to address the business, economics and psychology issues of cybersecurity. and that is really where the framework, one of the core documents that has been talked about, that ann talked about and others will talk about today comes in because the framework really is industry's document. the core thing about the framework is it is built from how industry has to think about and operate in the real world and address cybersecurity as part of their business. the national institutes of standards and technology led the effort but it was really one they convened and really coalesced the best ideas out of industry about how to approach cybersecurity, not just as a technical program, but as a business and economics problem. the great strength of the framework in my view is the fact that it is not in fact a
9:38 am
cookbook. if you open it up and read it to run your firewall, you will be sadly disappointed because that is not what the framework is. the framework is how you think about cybersecurity as an issue. it is deeply rooted in how businesses actually have to manage risk. in taking a risk management approach, the framework recognizes that no organization can or will spend unlimited amounts of money on cybersecurity. instead it enables a business to make decisions how to prioritize and optimize cybersecurity in light of the risks that they face. it also provides a common lexicon, a common vocabulary to talk about cybersecurity. it provides a common foundation for communication between businesses, between businesses and their suppliers and between the business and the government. so to that end it really provides a new way for us to talk about cybersecurity and communicate it and deal with it in a new way and i think that is where the framework will go. i have often said that the other
9:39 am
great strength of the framework and its great success will when businesses and others figure out ways to use the framework that we never even dreamed of when we built it and to me that's where we're driving towards today. of course there are other ways that we're trying to address some of these problems. the political problems and the physics problems. we're trying to address them through information-sharing efforts. many of us in the room that have dealt with these issues for a long time are almost sick of talking about information-sharing. i see some familiar faces out there but it is still one we must clearly address because we really have to move more information both among companies and between companies and the government and from the government back to the private sector. we've started to see some real traction in the formulation of efforts like the stix and taxii models coming out of dhs and providing a technical foundation for information-sharing but we have to continue to do more and
9:40 am
that is where the administration is very much focused on. earlier this year the department of justice and the federal trade commission issued guidance indicating that antitrust law should not be a barrier to helps narrow the scope of work we have to do to crack this problem but there is still more we need to do and we're continuing to look at what the options are within the administration to support information-sharing and we continue to support the passage of cybersecurity information-sharing legislation in congress and i hope that you will have a chance to hear that from senators feinstein and chambliss later today, that we're working very closely with them to try to get that kind of legislation over the finish line. another area that we're working on to address some these psychology and business and economics aspects of this is really in the consumer financial protection space. with over 100 million americans falling victim to data breaches
9:41 am
over the last year, and millions suffering from credit card and fraud identity crimes, we knew we needed to take some steps to make stronger, more secure technologies available to secure transactions and safeguard sensitive data. two weeks ago the president signed a new executive order, directing the government to lead by example in securing transactions and sensitive data. the new buy secure initiative will provide consumers with more tools to secure their financial future and assisting victims of identity theft and accelerating the transition to stronger security technologies in the development of next generation payment security tools. while there is no silver bullet to guarantee this data security the executive order implements enhanced security measures including securing credit, debit, other payment cards with microchips in lieu of simple magnetic strips and pins available on standard consumer
9:42 am
atm cards and the president is calling on all stakeholders to join the administration and number of major corporations in driving the economy towards more secure standards to safeguard consumers finances and reduce the chances of becoming victims of identity theft. we also announced the white house summit on cybersecurity and consumer protection which will happen later this year to promote partnerships and innovation. the summit will bring together major stakeholders on consumer financial protection issues to discuss how all members of the financial system can work together to further protect american consumers and their financial data, now and in the future. another big area we've been working on is something howard mentioned as well which is the national strategy for trusted identities in cyberspace. in a nutshell this is administration's effort to kill the password dead as primary security method. if we're serious about improving the cybersecurity we simply have to kill off the password. it's a terrible form of security yet we've been unable to move
9:43 am
past it for over 30 years. so, again this comes back to obviously there are plenty of technical solutions out there to do this but what hasn't been able to be cracked is the issues not the technical ones, the liability issues, the networking issues and other things. so the goal that we set up with this to tackle those parts of problem and really fund private efforts to get over those non-technical humps to enable the technology to proliferate more across the ecosystem and i'm excited to report that very soon we will have many of those, the pilots are starting to come to fruition and i think we will start to see the over the next six months to a year some of those technologies start to roll out across much of the market and become much more widely available. i see it as a great example of the way we can make cyberspace inherently more secure working through strong public/private partnerships, projects that the
9:44 am
industry and government have piloted under nstic and now we're in position to build on momentum and west accelerate progress on identity and access management within the federal government. finally i would be remiss if i didn't mention the federal government's own house. obviously over the last six months we dealt with all sorts of issues to "heartbleed," shellshock, to intrusions across various departments and agencies. so one of the things we're very focused on within my office is improving the cybersecurity across all the different parts of the federal enterprise. we're working very hard to promote that the concept that cybersecurity is not in a corporation, cybersecurity is not just an extra cost center but is core and fundamental being able to execute a federal agency's mission and that in fact cybersecurity is a mission enabler, not just for the department of defense and the department of homeland security but for the department of the interior, for the department of housing and urban development, for health and human services
9:45 am
and every kind of agency you can imagine inside of the government. cybersecurity is now core to all of the missions of all the agencies across the federal government in order for them to be able to do their mission. so as i mentioned at the top, cybersecurity is an inherently hard problem. for at least the reasons i cited and probably more. but, as a community we have indeed made progress, particularly over last few years and started efforts i think can alter the cyber landscape in fundamental ways. we started to do things like the framework and nstic. started cybersecurity as business problem and underlying psychological and human behavior issues present in cybersecurity. we're starting to realize we have to build partnerships to address political issues of cybersecurity and to work together to address the physics and math that make cybersecurity so hard. so despite often within the national security staff being
9:46 am
considered one of the four horsemen of apocalypse i am at root an optimist. i do believe we can tackle these problems and make cyberspace safer for all of us. of course in cybersecurity there is no such thing as done, right? there is only better. so we still need to continue focusing on making progress. that is what i'm looking forward to doing over next year and working with all of you to make cyberspace more inherently secure. thank you very much. [applause] i think ann indicated i do have time to take a few questions, so i'm happy to do. stunned everyone into complete silence. >> i guess you're off the hook, michael. >> thank you very much. [applause]
9:47 am
>> thank you, michael daniel. i want to tell folks that michael has come to pretty much everyone of our cybersecurity roundtables or sent his team. we appreciate that the partnership. it has been great. ever since the president's executive order has been put out amazing how we work closely with the white house and department of homeland security and nist and the i appreciate that. what we'll do now, take a quick ten-minute break. if you get recaffeinated and we'll get our panel up here and get them all miced and we'll be back in ten minutes. thank you.
9:48 am
9:49 am
hosted by the u.s. chamber of commerce. as you heard a short break to last ten minutes. we'll have more live coverage after that break. while we wait, more from our campaign 2014 coverage now with a look at the latest in the race for senate in kansas. >> back to campaign 2014, eight days until the election. take a look at the kansas senate race. we're joined by steve kraske, the political correspondent for "the kansas city star." steve, thanks for joining us this morning on the race between incumbent pat roberts and independent greg orman. where do things stand eight days out? >> guest: still obviously a very, very close race out here, bill. the latest polls we're looking at here suggest orman might have a lead of a point or two but obviously, that is within the margin of error in these polls out here but a very, very tight race here, there is no question about it.
9:50 am
>> host: last week the pat roberts campaign bringing in the big guns, bringing in mitt romney, what else, who else has come in to campaign for the senator? >> guest: at this point, bill, about half the u.s. senate has been out here to campaign for pat roberts. he has had john mccain here, rand paul, ted cruz. just one senator after another. tom coburn from oklahoma has been here for him. today as you just mentioned mitt romney will be in town. he will be here in a kansas city area suburb just on the kansas side. i think he will draw a pretty good crowd. mitt romney still obviously a big name in american politics and that's why senator roberts is bringing him out here. so it will be fun to see what happens. >> host: what is the get out the vote effort been like for the roberts campaign and the orman campaign? he is an independent. so who does he rely on? the democratic party is not
9:51 am
there for him necessarily to do the get-out-the-vote campaign. >> guest: that is one of the big questions that surrounds this campaign as we head down towards election day, who does greg orman count on to get the vote out? he doesn't have very much get out of vote effort at least in the traditional sense that we judge these things now in american politics. as you point out, he is an independent. the democrats are reluctant to help him on that front. they don't want to be caught helping greg orman and further tie orman to the democratic party. that has been one of the main arguments throughout the campaign from the roberts side which is that orman is a liberal democrat. he is a democrat who has been hiding behind the cloak of being an independent candidate. so they really want to avoid that kind of association. so orman is from what we can tell anyway pretty much on his own when it comes to getting the vote out. you wonder, how that will affect
9:52 am
him. roberts will have the advantage of having a long, established republican machine behind him. very well-known for his get-out-the-vote apparatus that helped sam brownback so much four years ago. very well should help him again this time around. so, roberts will be able to bank on that kind of support. orman doesn't have that kind of machine behind him. you wonder how that affects final vote on election day. >> host: you not only have election eight days away. you have world series going on there, coming back to kansas city. is there any interference? is that a distraction in terms of things like getting airtime for tv spots, political ads and things like that? >> guest: if you watch the world series out here anyway you're seeing lots of ads for orman. lots of ads for roberts. i don't think there has been an impact there at all. we have noticed though, some
9:53 am
research that has been done that suggests that if you have a successful home team in any sport, that tends to favor incumbents going forward to election day. how big of a factor that is i doubt but there is research out there that suggests there is that kind of tide going into election day. >> host: we'll find out one of those pieces. >> guest: yes we will. >> host: steve kraske from "the kansas city star" and following all the senate race action in kansas. >> guest: thanks for having me, bill. >> we'll have more from the 2014 campaign coverage. we look at a live picture from the u.s. chamber of commerce as they host a day-long summit on cybersecurity. up next a panel discussion on progress in developing a cybersecurity framework. officials from dell and american express are among speakers. it is expected to start in just
9:55 am
9:56 am
in the race for new hampshire senate. here's a portion of their recent debate. >> when the president does something right i will support him. when he doesn't do something right i make sure he him know that. that is huge difference to be independent senator. i voted with my party and other side about 50% of my entire career. that being said as independent senator i can do that. so when we work together, with the president on an insider trading bill, my bill worked forward. we got it done. i worked with democrats to bring them over and we were at the signing ceremony, high 6 hire a hero veterans bill, ability to give veterans jobs and get a little bit after tax credit. the arlington cemetery bill, worked with a democrat to make sure our heroes were buried properly. one person in one grave. three people in another grave. body parts in a mulch pile. i think senator shaheen voted to it. if you want gridlock, send
9:57 am
senator shaheen. if you want an independent problem solver and ability to work with both sides as the most bipartisan senator in the united states senate. i'm your guy. >> you want to respond. >> my opponent talks a lot about that survey but what he won't tell you is that why the koch brothers are spending $2.6 million in new hampshire to support his campaign. i don't think it is because they think he will go down to washington and support small businesses. i think it is because they know he is going to go to washington, he will continue to support subsidies to the big oil companies, the five biggest oil companies last year made over $90 billion and he wants to give them over $20 billion in subsidies. i don't think that is good for new hampshire. >> once again she is distorting a bill that not only senator ayotte voted against and democrats voted against. if you want to talk about money, we're both raising money the same way. she has her groups. we have our groups. they're doing whatever they want. i'm scott brown and approved
9:58 am
that message. i have no control over any other messages. that being said, we have an opportunity because the people of new hampshire are smarter. they are very sophisticated being first in the country presidential they understand that senator shaheen not held town halls. they understand when she went to washington she changed and not focusing on small business. has a zero rating with respect, i have been down there fighting for small businesses. that is why i have an "a" rating with national federation and also the united states chamber of commerce. >> quick response. >> well again, the national federation of independent businesses has some members here and i appreciate what those members do. but the fact is, like his support in so many other ways, in this campaign, they are funded by the koch brothers. we need somebody in washington who will really support our small business. that is what i've done my whole career. that is what i will continue to do. >> you can see the entire debate on our website, c-span.org.
9:59 am
10:00 am
>> okay. welcome back to the chamber's third annual cybersecurity summit. up next we have a great panel for you. matthew eggers on my staff at the national security department, he manages our cybersecurity work and our cyber work group and he is going to monitor this panel. take it away, matthew. >> thank you, ann. i'm matthew eggers with the chamber's cybersecurity group. before i turn to our panelists to give a one to two minute overview how cybersecurity fits into your professional lives, i thought i would point out for folks maybe viewing and others in the audience who are
10:01 am
relatively new, we use two words at least in part for the framework process. it start as process or helps a business start a cybersecurity program if they haven't been involved in that space or for many of the folks in this room and others helps them improve what they're already doing and either way, it is very important. we want that framework to remain flexible and dynamic. the other thing is, you will notice, we've got three panels. the first panel is about the framework and a little more about cyber generally. we've got an international panel that will follow. the key with that is, we want other governments around the world to look at the framework and consider using it. we've got an effort here in the u.s. but that is just not enough. what we want to do is have other governments look at the framework and use it because we've got companies here that are based in the u.s. but many of our companies operate
10:02 am
globally. the standards and best practices that are embodied in the framework, they're industry supported. they transcend borders. for companies that are operating in one or more countries, it is cost effective, it is smart security to try to look at it that way. and then lastly, the third panel, we'll have a cross sector discussion that allows businesses to talk about the framework. some interdependencies they're dealing with, some of the challenges, some of the opportunities they could be dealing with. a quick snapshot why this panel is where it is and why it fits within the day. so thank you. if i may, so i've got paul crisman to my left with dell. you've got individuals. to his left, sean franklin with american express. following sean we've got amais guarranty with the department of
10:03 am
treasury. after her, we have dr. phyllis shneck with the department of homeland security, dhs. david velasquez with pepco holdings, inc. and kelly with the department of commerce and many of you are aware itser? group within nist has been very involved. they helped coordinate the process for producing the framework. so if i may, let me start off with a, kind of a general awareness question. or i guess i should say, let me turn to you, paul, if i could and have you kind of give yourself intro. >> sure, thanks matthew. paul crisman with dell software as chris turner mentioned earlier this morning dell is transforming to offer a series of solutions for our clients, both public sector as well as private sector clients having to do with security and
10:04 am
cybersecurity and that gets to everything from two-factor authentication which we would love to see the death of passwords. we would love to help our public sector and private sector clients with that. we work on a whole variety of policy issues as well as technology issues in the cybersecurity space, everything from supply chain integrity to the devices that are on your desk or in your pocket, all the way back into the security intrusion prevention, detection much our secure works division. so a broad technology spectrum for cybersecurity from dell. >> excellent. sean. >> sean franklin with american express. i do want to thank matt and the chamber for putting this on. it is a pleasure to be here especially on a panel with everybody. i'm responsible for cyber intelligence at american express. i guess my playground is the identify and protect categories.
10:05 am
also responsible for our partnerships and relationship activities associated with information security to try to advance our objectives around securing the economic transaction life cycle as well as information security objectives in general. so we've been a big proponent of the framework, continue to support the ongoing improvement efforts as well. >> great. thank you for having me and, glad to be here. at treasury i run our financial institutions group and within that we have a critical infrastructure protection office which is where we focus our cybersecurity efforts. our efforts in the critical infrastructure area are to really act as a fulcrum between three groups, the administration broadly and our partners with dhs and intelligence community, with the regulatory community as you're mostly aware. the financial regulators are independent of the president so we have a coordinating group with those bodies. and then we also are a point of
10:06 am
interchange with the financial services sector and governing bodies that they have, both on information sharing, on best practices and also to help get input on policy development process for cybersecurity and critical infrastructure issues. >> good morning. i want to echo thanks to matthew, to the chamber and audience. there is very bright light in my eyes i know there is one out there and thank you for taking your time. at dhs we're charged with response to mitigation cyber threat across government, across industry, across academia. my role as undersecretary for cybersecurity communications is a program director there. is quiz at the end. i look at our programs that protect not only government agencies but our industry stakeholders, critical infrastructure and small to medium, many of which represented by the chamber. chamber is helpful to us as we roll out our machine to machine program, how computers protect computers very quickly real time
10:07 am
but also how we build the partnerships between government, industry, people to people. so you know who you're going to call. working across dhs. charged with our vision for cybersecurity so across our u.s. coast guard, secret service, homeland security investigations, tsa and office with the cio as you imagine number of attacks that come into dhs.gov. my top three priorities not technical, but about building trust with the community, with stakeholders, private sector industry and around the world with our communications. that will be the foundation how we beat an adversary, faster, richer, has no lawyers. they do whatever they want to us and we're changing that. my second priority is enhancing situational awareness. that is where the framework comes in. the wonderful set of best practices crafted by many of you and with nist. it is our job at dhs to roll that out and we'll talk about that, but enable, especially small to medium businesses to better secure the networks and take this conversation about
10:08 am
cybersecurity to the boardroom. that kind of combines if you look at situational awareness, comparing information we get to partnerships and machines. then that third priority is rolling that out to all of you making sure we communicate that through the framework and through best practices. >> thanks. >> i'm david velasquez from pepco holdings. we serve 2 1/2 million customers in the mid-atlantic area including the nation's capital. this building along with other important buildings in the dc. all the security of our grid is very important to us, especially cybersecurity has always been important to us. i've been down here for five years and i think over the last five years have seen a real increased emphasis, appreciate the partnership with our government partners as well as we continue to increase i say security of the grid going forward. framework is very important to us as well as doe maturity model.
10:09 am
both giving us framework to look at it but also as we're regulated not just from the federal government but also from state governments. it also gives us kind of a single, if you will, pattern or framework to follow so we don't get caught between different requirements and different states to have to deal with that. so continuing progress around the framework, continuing to work with government around information sharing and all that is very important to us going forward. >> excellent. thanks, dave. >> kelly. >> i would like to thank the chamber and all of you for participating in this event because at the department of commerce and nist which coordinated development of a framework, one of our primary objectives is increasing awareness about the framework and we believe the more awareness there is in the private sector and government about the framework, more up take will be and better our cybersecurity defenses will be throughout the country.
10:10 am
to that end, in, at the end of this week, nist is putting on a symposium, conference, in tampa, meeting with a lot of private sector security developers and just potential users of the framework. it serves beyond awareness one of the other principles we believe is important around the framework, it is dynamic and it is changing. we are continuously listening to the private sector to develop ideas on best practices, how to implement the framework more effectively and these kind of dialogues like we have here today are very important to that objective. >> let's do this. some of topics we like to hit, framework awareness, liability protection issues, information sharing as ann mentioned is a big priority of the chamber's. as time permits we like to talk a little bit about deterrents and so forth. let me start with a relatively
10:11 am
easy one and we'll get a little bit more difficult. so how have been the public/private interactions since the framework has been launched earlier this year including awareness. that is one of the things we put priority on going out to visit local chambers? what is the sense for folks? how are your interactions with either peers in the private sector, in government, what has been the reaction? maybe paul, start with you. >> reaction has been outstanding. the conversations that we've been having with a very, very wide spectrum of industries shows the applicability, general applicability of the framework and the diversity of the organizational sizes grasping at concepts embedded in the framework really shows it is not just for large organizations. i think the way i look at the up
10:12 am
take or the awareness, it really goes to three cs. it goes to conferences, it goes to coalitions, of like-minded folks and also gets the collaboration. we were having a conversation earlier this morning about industries that are regulated, have an opportunity to collaborate perhaps a little bit more rather than compete. so i think that the framework up take and interactions really focused on collaboration and coalitions maybe of smaller organizations that don't have the resources or capabilities of a larger, either a public or private institution. but those coalitions are looking at the framework as a way of quickly reaching common ground. so we're seeing good up take from a wide variety of industries, different organizational sizes, different mission objectives. from that perspective the robust framework i think will serve well. >> i think we find, certainly with our own members in our
10:13 am
cyber working group and as we've been out we find are companies coming to say that this is something they can use internally and with their suppliers and we encourage that. let me ask maybe, amias, dr. shneck, phyllis, what is your perspective of government? >> we had tremendously positive feedback from the financial services sector. that is real credit to process used to develop it, even before the framework came out there was lots of consultation and with the release of the framework it is very clear it was both voluntary, broadly applicable and meant to be tailored to individual organization. also strong message that the framework is a living document. when you put those things together, the reception has been very positive generically. within the financial services sector we have huge range
10:14 am
between different types of businesses. we have very, very large banks, broker-dealers, insurance companies but we have banks that are essentially small businesses and they certainly are constantly reminding us how diverse the industry is. i think framework is pretty effective with dealing with that. one of our key messages going out to the groups remind people that cybersecurity doesn't have to be that complicated. if you have a small organization, if you have a simple i.t. infrastructure, then, you can approach cybersecurity with a lower degree of technical complexity. the other message we're sending a lot, getting people engaged with their vendors, with their counterparties, with their suppliers, to make sure there is dialogue using the framework as a basis for the conversation. are you protecting me when
10:15 am
you're delivering i.t. services? are you delivering are the framework? are you using the framework? i think those dialogues are well-received at all stages of our industry and financial services sector. and then the last thing which i think is very positive is seeing specific efforts on translation. so how do we translate this specifically into the financial services sector? how do we translate this specifically into an auditable standard and we've seen in the financial services sector a project led by industry with the auditing firms to try to develop an auditable version of framework. i think that is tremendously positive when you see industry banding together and translating into specific requirements they see as best practices. >> i was going to ask, you have the dhs, the c-cube program. >> stole my thunder. i was going to mention the other three cs, critical infrastructure, cybersecurity
10:16 am
community and voluntary program. we're committed at dhs with partnership with business of all sizes, with government and state and local. i would thank christina where you are in the bright light for a lot of your work on this but as we look at the program that program is designed to reach all of those. it reaches companies that supply large companies. most of the large companies have thousands of people dedicated to security. they have this covered. everyone is owned by the large companies are resilient. when we look at who supplies the large companies, smaller ones take the framework that has been transformational. one of the reasons for that to his point, this thing was developed by scientists. it wasn't just a document of people thinking what would we do? it was actual scientists that know the field and products, got together with policymakers got something we believe help drive the market. let the market drive better security. build faster, cheaper stuff. put our country in the lead on that. at the same time, secure these companies that in the past, either didn't have the budget or
10:17 am
didn't take the cyber risk consequence equation, so not viruses and worms that get together after you buy a printer but the actual discussion where cybersecurity fit in the company, in our role, and take it to the boardroom, mitigate that as you would any other corporate piece of risk and framework is catalyst to have the conversation. the example i used is my boss undersecretary spalding, and i spent a lot of time on west coast talking to startup companies, venture capitalists and state and local governments. one of the things we ask venture capitalists if you're going to put $25 million into a round, why on earth would you not protect intellectual property. we ask firewalls if any information you have is protected so we have guidelines. we're using the c-cube voluntary program to reach companies of all sizes, take the conversation to the boardroom, make it not about viruses and worms and make
10:18 am
cybersecurity part of our culture. howard schmidt said 14 years ago, i'm not that old but somebody might be we're all 12 years since then. we're all that old. howard said 14 years ago, make this culture of security and i think this framework is taking us there. >> just quick, summary point on c-cube program. something a small, mid, or larger size business could utilize. the c-cube program that is something any size business could utilize? >> absolutely. program take as way of principles and framework to roll them out or present them. we provide for example, critical infrastructure reviews. resources on the website. we're talking everything we have in government and giving it to anyone who will take it with instructions, how to use it and what we're asking people to do is self-measure. i think one of the challenges with that candidly, hard to get quantitative metrics how many entities using framework. we at dhs don't ask you to
10:19 am
report back to us. that would defeat the purpose of providing resources. as we look at other ways to quantify the good benefits of the framework we're looking how companies are using it but not ask companies to necessarily report back to us. i think nuance is important. >> ask about critical infrastructure and creative risk part of executive order. before i do that david, you guys at pepco, you've been using tools like the framework for quite a while. >> if i could comment primarily on the collaboration aspect but first i think the framework is very valuable to us internally. it helped us build on what we do already, help us give a framework for putting it in categories and understanding it and also language to speak to our suppliers i think sometimes up-and-coming we need to focus on supply chain on cybersecurity. not just within the four walls but everything used to supply to
10:20 am
us in our industry because we're regulated collaboration comes a little easier. collaboration is always essential. i don't know how many people realize electric system is single grid. everything east of the rockies is tied together. impossible to think about events of anything, physical attacks, cybersecurity to think about it in isolation. we're very, very much involved with partners across the entire country both industry and government to think about cybersecurity in that broad sense. the utility, electric utility industry is part of the critical infrastructure. we stood up the electricity subsector coordinating council, framework of different sectors, councils. and that very much is involved with different government agencies and is really the point at which things come together at highest level. it is comprised of ceos, executives from public power, some of the regional
10:21 am
transmission organizations that operate the grid as well as all government agencies. a place at that senior level for both policy discussions and current discussions around information sharing using tools in an incident having lines of communication very open. it is not just something that is set up. it is something that gets discussed. something that meets regularly both want industry and with government. it is something where we actually practice not just amongst ourselves but with government around, what would happen if something happened to us. >> i want to ask sean his stuff but kelly, reaction on framework awareness, then i have a question about liability. we'll come back to that. >> one of the things about awareness i think is changing, framework is great facilitator of dialogues at boardroom level. it enables technologists to talk to generalists who are on the board or a ceo and develop plans
10:22 am
around cybersecurity. but i think there is bottom up acceleration about awareness of cybersecurity issues and hopefully framework as well. you see customers, really the market speaking in the private sector, where the most sophisticated customers, the business-to-business relationships are integrating who they're buying from and working with and cybersecurity measures. that is increasingly very important test whether an institutional sophisticated buyer will buy from your company. it is penetrating at consumer retail level where the surveys about the awareness of cybersecurity and whether someone would buy something online from one company or another, is dependent on cybersecurity measures. i think we'll see various
10:23 am
consumers groups starting to measure companies on the basis of their cybersecurity defenses. i think awareness will go way up about cybersecurity and accordingly the framework and why it is so important that we have a dynamic working successful way of dealing with issues like the framework when the awareness, not just top down, but bottoms-up starts to happen in the private sector. >> come back to you on the liability issue but sean, you guys were with us in chicago and phoenix. you guys are, using the framework. you guys are looking at it as a useful tool. how are you guys looking at it more generally with business partners and so forth? >> so we recognize the viability of the framework to drive the discussion with your suppliers.
10:24 am
again, if you speak common language, if you get, closer to this concept of shared assessment, it maybes it. the overhead potentially minimized in terms how we evaluate our vendors. common assessment framework definitely provide opportunity to do that and others in an organization of our size like many other fis of any significant size, you have longstanding processes to evaluate your vendors that get pretty complex and pretty intimate. it is one of the moments to try to make sure adapt comment of existing processes that will take time. the recognition of having dialogue to talk about the importance of security and use framework as a decision point in that discussion was very helpful. >> do you find business partners are relatively receptive to the
10:25 am
conversations about, i'm using risk management tools like framework? you would have seen us doing things like h1n1? we have pandemic plan or we like you to because we rely on you and vice versa. how has receptivity been? >> i think receptive is good. framework is extraordinarily high. value proposition of being assessed against a single structure, single taxonomy i think is high as well. if what that assessment end up being, ends with up partners as well, there is big cost saving if it is done effectively. that's part of the journey knowing how to adapt the framework to a number of business purposes related to cyber. >> what do you guys hear? >> what i see is people are proud of their work and think the framework gives them an
10:26 am
opportunity to explain what i.t. and also other organizations whether it is in the legal side of things and risk mitigation side of things. they're very proud of what they have done. they should be proud. but gives them a way of describing it. i think of it as rosetta stone. gives them a way of translating between other disciplines. i think the idea of being able to evaluate a supplier, to be able to make a business decision on who you want to do business with, i think it is going to become more akin to an iso certification for a manufacturing facility. i think you will be able to get to the level of good housekeeping seal of approval. and i think it will really mean something. when people make business decisions who their partners are, based on ability to come to a like agreement on cybersecurity for information security, information assurance, all those things are going to improve the business
10:27 am
interactions. i think people are very proud of what they have done. i think they should be proud and i think it gives in some respects it gives techies opportunity to stand up to say, look what we did, look what we did. it's very good. >> one question i'm very much interested in. so executive order on cybersecurity and i think doctor that neck question go to you. the infrastructure greatest risk, how should we think about how they're being engaged? from your perspective, are they getting resources that you think that they need to counter, at least in our minds, some of the more advanced sophisticated threats? are you comfortable with that are those participates are? i understand that they have been engaged. what does that look like? >> that is about eight questions. i will try to cover some of that. >> sure. >> so the, when we look at cybersecurity we look at how the office of cybersecurity
10:28 am
communications works with most closely with the office of infrastructure protection. that makes sure expertise in everything non-cyber is used to inform everything we do in cyber and vice versa because they are inextricably linked. first and foremost our philosophy of critical infrastructure and cyber are interlinked. it is way to protect society, not just a network. we're committed to making that collaboration succeed. i realize, i am that old, we've been at this 20 years. we've had this conversation at different stages about collaboration and critical infrastructure and you ask a key question, quote, do they have all the resources? when you say they, big companies, small companies, state and local municipalities, so you say no. resources are not there especially in state and locals and that is candidly scary. with that we look at the framework to inform some folks that either set aside resources or how we use risk based consequence analysis and not just raw budget numbers where somebody inexperienced looks at
10:29 am
i.t. shop and says cyber goes there. i want to step back to look how we look at cybersecurity. it was a cost center for many years. probably still is. but actually a cost center because of framework and collaboration and awareness being used as something to drive how corporate investment is used, to protect the company. i would say the framework takes it one further for critical infrastructure. it could be market differentiator. those companies better protected are better with whom to do business. you look at large providers especially energy and financial sector, absolute leaders how we protect because you have understanding. other sectors have not been as quick and seeing that quickly. you are helping drive that discussion. i think framework is helping drive it. am i comfortable that everybody is fully resourced and safe? heck no. do i think we're on the right path for the first time in 20 years toward resilience and collaboration working across
10:30 am
sectors? absolutely. that is due to everyone in this room. >> excellent. kelly, if i may, you, the liability protection topic related to framework is related to be relatively hot, if you will, within industry and legal circles. you noted earlier this month, at a conference, that the affirmative use of framework would reduce a company's legal exposure in the event of a damaging cyberattack. did i capture your thinking correctly? >> what i was talking about, i think a couple of panelists referred to this as well, is audit firms working with the framework and developing something that could be audited to. . .