tv Key Capitol Hill Hearings CSPAN October 28, 2014 10:30am-12:31pm EDT
10:30 am
sectors? absolutely. that is due to every win in this room. >> excellent. kelly, if i may, you, the liability protection topic related to framework is related to be relatively hot, if you will, within industry and legal circles. you noted earlier this month, at a conference, that the affirmative use after framework would reduce a company's legal exposure in the event of a damaging cyberattack. did i capture your thinking correctly? >> what i was talking about, i think a couple of panelists referred to this as well, is audit firms working with the framework and developing something that could be audited to. . .
10:31 am
better shape of a potential lawsuit and if you didn't do something like that. and i think having something like the framework, which isn't a prescriptive rulebook, but it's a much more flexible document that is tailored to individual companies makes it a better vehicle to achieve that kind of protection than the
10:32 am
something that is more prescriptive, set in stone, concrete and difficult to be adapted to individual circumstances. >> let me ask a follow-up on that. the idea of the framework is that it meets you where you are. if you are at a certain level and you are looking at the various aspects of the framework that you are looking at doing. as a smaller business and justice seeking generically that lack the resources to really fund against the nationstate. are they at least in the context of liability is there any kind of distinction to say i've done my best but i can't go toe to toe with the nationstate.
10:33 am
>> i think the framework is a good vehicle for doing that. it is adaptive, it's not one-size-fits-all so it would be a more usable vehicle so that is one of the challenges we face as an economy and as a country where there would be huge resources directed at an individual small company and that could be a big challenge for the small company. that's just the reality. on the other hand if you are a smaller company, you are less likely than j.p. morgan chase to be a target. you are less likely to have huge damages when you go out to buy a cyber insurance it's not going to cost you as much. so i think there are normal mark -- mechanisms where on the one
10:34 am
hand it may not have resources to put up the defenses of j.p. morgan chase or wells fargo. but on the other hand, in many respects the risks are smaller. >> do you want to pick up on that? >> i would add in the same spirit that they present a risk to the larger companies when they are not protected in the framework to your place to help secure them so that the adversaries don't use the smaller companies and resources to then get into the larger companies. >> david, go ahead. >> we talk about supply chain and all of that. it's a good vehicle for conversation and it is a distinguishing characteristic when we look at suppliers but we also have a responsibility that we are starting to put in the contracts to say it's not enough
10:35 am
for you to tell me this is what we do like many other things we are going to come in and make sure that you are following it as well and so from a -- what you were saying in the industry we had interns around a lot of property and all that and there's all these standards you have to follow if you are going to get a policy and if you -- your evaluation turns but the rates are or if you are eligible i could see over time using the framework and other mechanisms into the insurance industry is very bright and understand risk and how to manage it and i think they will be playing the framework on how to establish if you are able to get insurance. >> aig has already been working to help them develop products they consulted the private sector. >> do you have anything on that point that you want to weigh in
10:36 am
on? >> maybe just a couple of points to add on to that they are at risk of course i think when we think about the framework and i've used this term before as of many others we are talking about getting the tackling and the basics down and the more you do that the more you change the economic incentives and i don't think anybody expects the business to go toe to toe with the ability assuming that they might be that again if they raise the cost of doing business in the perspective that is a good thing and if that happens across the large pool that add to the institutions of the effects of that i think could be significant. >> and you mentioned the small businesses. a few months back the department issued a request for feedback on
10:37 am
small businesses and cyber and i render i was at a meeting carrying around a binder and as many of us probably would what did you find, what was the feedback? were asking small to medium businesses what is it that you would like to do with the framework or want to do to help the market drive better cybersecurity? is it ending ten things or give us things that department should look at a doing in the future to help you hope the market drive this into a lot of the response was good commentary but my first impression was the size of the binder. there was also technologies i've learned this over the past year the truth is we are bringing
10:38 am
science to the science back and looking at everything. those responses were very helpful in that they told us it would be to build into a lot of and a lot of technologies that are out there i can also say we are very willing as a team to look at the new technologies so that what we do in this type of response and mitigation is aimed at software technology is that where it's going because that is where the adversary will be. so they guided what we saw the industry would be willing to do and it was also very early on in my tenure so i would go back and see where the framework is and that is a good point but we were very happy with the turnout and still push this point that we are committed to the partnerships. we have a program called critical infrastructure security
10:39 am
partnership that brings income and a big bonus you can tell but the actual scientists and technologists talk about the actual competitive boundaries and using all of that and looking at what we can do to use the framework again i can't say this enough to bring the cybersecurity conversation to one of culture and cyber risk investment, board room investment and making sure that this is something that drives the company forward so that the markets can make this more secure. >> information sharing that is the chambers number one cyber legislative goal in the sense that we've passed legislation in the house with great help from lawmakers like michael rogers, troopers are, others and their staff in the senate right now. you will catch us working hard if you can get legislation done in the senate and we will maybe find out more later this afternoon to get the bill across
10:40 am
the finish line. it's going to be tough but what we hear is businesses want to be active, be able to share in a protected manner give information about the threats and the tax base, get that information. we kind of look at it as a neighborhood program for cyber. how can we get that done? i think if anything are there aspects of the legislation that you think the congress can more or less pick up and run with now i think that you have a collection of bills some of which cleared up the committee and we were ready with a package of bills hopefully we can move that. anybody want to pick up on the topic of information sharing? >> i'm going to go find krysta
10:41 am
turner and bring him up because i'm not going to put you on the spot, really. one of the things i always look at as we talked about removing barriers, but i always liked the carrot rather than the stick area i'd like to see the opportunity to create incentives and then the other issue is how to do this just mechanically without exposing proprietary methods and tactics which are intellectual property of a private organization. we really do want to make the information available, but that is a monetized commodity that we so and one of the challenges we got is how to maintain that advantage and find all of the infrastructure that's necessary to collect this information without exposing methods and tactics which we rely on. it's a challenging situation. again i come back to the
10:42 am
voluntary incentive rather than mandate and regulation and generally speaking that's where we like to see things go. >> sean or were dated on the information sharing front that's something important to you all anything you want to add on that point? >> i think it is just critically important we don't face some of the same competitive pressures that some of the companies face but it's part of the critical infrastructure. in order to adequately protect and recover, we need to know as soon as possible where the information sources come from and we need to know the threats before they become threats to. >> are you getting the threat information that you think you need? what are you hearing from your colleagues and business partners? >> i think that it's an issue with partnership we've gotten a lot better at sharing
10:43 am
information and i think what our government partners with our government partners we've also gotten better and i think that we are still willing to grow collectively as partners but as i commented i've seen a huge increase in the level of information sharing and i know everyone is trying to do that and sometimes it is just finding the right mechanisms to be able to do that in a way that doesn't offset or reveal any information that we don't want to reveal. >> one thing that is worth noting if you look at the models whether it is in the energy sector, financial services sector certainly the administration perspective we are supportive of comprehensive legislation to try to help with information sharing that there are plenty of examples where the information sharing channels are already working and i think that they are good examples of what can be done even without legislation.
10:44 am
certainly information sharing and analysis centers in the financial services sector, we have one that is extremely active, innovative, well-funded that is a testament to the industry's commitment. i think in other sectors using people starting to move in that direction and i think that's very positive. the other thing that we've done in collaboration with our administration and colleagues is try to have a very concentrated effort to get the intelligence community to think carefully about not just how to share information through classified channels with people that have security clearances in the industry but how to declassify important information to the industry can protect themselves and take that into the systems and i think the dhs has been a leader helping us get that information out. so certainly it's something we look forward to and something that helps with information
10:45 am
sharing and helps protect privacy and gives both sides of that but at the same time there's lots we can do even without legislation into so we would really encourage people to continue to push on the information sharing mechanisms that we do have so that we can continue to make progress while we also try to work with congress. >> i would support all of the thoughts on the existing as well as consider it very hard time for companies to share information in the u.s. government and in the global markets. there is also never been a more urgent time to share the information. the adversary does it. having spent most of my career in the private sector i understand that they see a lot in many cases which differently than the government, so the concept of putting the puzzle pieces together is incredibly
10:46 am
important and i think that with our partners we play a key role in that and we have become a statutory privacy officer in the u.s. government so we are a civilian agency charged with the situation awareness and they mentioned it is a priority and the situation a situation where this calls up the executive order. our buddy to put those puzzle pieces together from what we see coming into the government and what we see in the private sector hinges on that trust and our ability to work together without anyone feeling like they are going to get her to speak of mechanisms in place already. and that means if you share information with us, we have mechanisms to keep it quiet even in the department and we actually just retrained or front office secretary level 100 handle this kind of information to protect those identities and further we would support what we call the narrowly targeted liability protection. so that says be very careful
10:47 am
enough you're not sharing things that shouldn't get shared but let's also add a conversation about what can be shared is that we can move with the adversary and i think that line is very important. we need whatever help it takes to get the private sector piece into the government. that is a puzzle piece that sometimes we miss. but the other piece does it so that the full extent of the civil liberties are preserved. >> it is the main legislative item that we are going to get it done this year. next year i think will be more difficult with certain players that are very active in this space. i think what we hear from our members is that in order to act, share, receive, they've got to have that safeguard in place or else they feel like there's going to be a boomerang back to them that would be less than positive. i think that we have a potential opportunity at least this year
10:48 am
to maybe get some things done. if anything all we are looking for no one of the reasons we talk about this is that we want to just have that bill to have a shot. and if there is an opportunity we would like to try to get that done. let me ask about the enhanced cybersecurity program for critical infrastructure that's part of the -- part of something that was mentioned in terms of bilateral sharing. how do you make that more scalable and i think things like the information sharing legislation that would provide safeguards would help foster that some more. we utilize the framework and i don't think that it's written in
10:49 am
the legislative text but i think that it will help with the behavioral shift. so anyway, just sitting on the enhanced cybersecurity service program, how do you scale that? and >> enhanced cybersecurity is our ability to protect private industry with classified information. ten years ago, five years ago this is unheard of and we found that it's actually an amount of service and it's a way of using our classified indicators to actually prevent the private sector, private industry. so the way that is scalable is that those have a lot of customers and those managed security providers also have been the ability and this is the way it works to see the bad guys or the events coming into those that they protect and clearly that and it makes more intelligence and they get to compete with others that are pushing out. but i think that the main thing here is a little bit different
10:50 am
than the eye think information sharing discussion is that this is the way of the future and we have looked at rolling out for managed providers because of the scalability because classified information is difficult to manage. it's expensive and hard to use. we are still looking at things like if you had one event that created a lot of noise and we didn't see it versus one event that could have been destructive and we did see it how do you make the business case for the expense of a government enabling classified indicators to protect the private sector. making the better classified information and really recognizing a wealth of information in the private sector in the open source. so this is just one piece. i think that ecs got a lot of attention because it takes a lot to roll it out, but i think that
10:51 am
it's the beginning of two things. one is the new type of service and the exploration of the business case of the classified information. >> thank you. one of the aspects of the executive order. that's one of his priorities trying to look at the different rules. i'm interested in the business palace scott how are you looking at that issue.
10:52 am
you've got the framework and the maturity model and you are doing a lot. how are you looking at that issue? >> we are probably the only critical infrastructure that has mandatory cybersecurity standards as you mentioned. i don't see anything in the framework in conflict with those, i just think they fit together with each other. in the absence i guess of this common kind of federal standards framework maybe even legislation there is always a potential for the states to take it up on their own and for states to have their own individual standards and operating across several jurisdictions that could create conflicts. we think about where the conflicts may occur and have
10:53 am
more concern i will say at the state level than we are conflicting them the conflicts within the federal. >> what is the action on the framework? >> it's been very positive. it's not kind of a prescriptive set of standards and it allows us to demonstrate that we are being prudent and if we are ever challenged by the framework we would say here is something that harmonizing the framework what does that look like?
10:54 am
>> other institutions take a look at the guidelines and take a look at the opportunities to the variety of different conflict in terms into terminologies associated with information security and to the framework so we can have greater clarity during an exam and get to look at the institution through the lens of the framework even if it is a map in the standards we use so we are working in the sector as well as with certain agencies to look at opportunities to provide some guidance on that. let's say they are using the framework they would like to get credit for the kind of information security cyber regulations that they are encumbered with so that they are not having to deal with multiple tasks if you go when you feel
10:55 am
like they are leaning more into compliance. >> up until about seven months ago i was sitting on the other side of this and the general counsel and the framework had just been released and believe it's a bold watching it from this perspective would be a tremendous benefit to the financial services being regulated because sometimes there is a lack of transparency in terms of what you are being held to as a standard when you are a regulated industry and a framework that is being used is something that's a little more objective and something everyone can look to and talk about as a basic standard. and i think it's also that we at the department of commerce have been talking to the
10:56 am
representatives from the countries around the world about the framework and trying to engage them and i think there is a panel on this in a few minutes to engage them to think about the framework as something to work within their countries and from a global regulated industry perspective that would be a tremendous benefit. >> let me ask about that determines. it is a topic we talk about here. it's not an easy one. we have been looking at a state department international security advisory board report that came out this summer and i think that we reference this in some of the comments in the materials. they look at things like cooperating on cyber crime as a first step.
10:57 am
the situational awareness there is more to the combating theft. the office of the general recommendations i was wondering if we think about it in a continuum between the passivity to aggressiveness, businesses using the framework, sharing information with government vice versa and moving away from the passivity somewhere in the middle might be what say against the chinese hackers and on the other end of the continuum, less attractive. you might have frustrated enterprises. we are more about the commerce and conflict. on the other hand, you might have the congress wanting to do something in response to the attacks and they would legislate
10:58 am
the programs or give authorities to the agents and the departments that would hinder the training investment. how do we start making some progress on that front, i just opened that up. moving towards a more active defense response of defense, then moving into the truly authentic and proactive disruption of that bad actors. one of the things i would like to see is a very measured approach and i think that there is enough value in moving from catching the software technology and managing much more than active dhs continuous diagnostics mitigation monitoring. those sort of active defenses i think are sufficient for right
10:59 am
now. right now the potential for harm and we talked about this at breakfast inadvertently having collateral damage to someone if you do go on offense and working in the collateral damage to someone that's been compromised so rather than hitting the bad actors reading the proxy and it really hasn't been sorted out so i would advocate a very go slow approach as well as this idea that there's a sufficient benefit missing from the passive defense to the active defense that we can accomplish quite a bit just getting to that middle ground on the spectrum. >> we want to try to prevent some of the posters and entities >> i think the planes are well-made as the global institutions are doing business and where some of the attacks
11:00 am
may be coming for him even if you can have that high level of fidelity and attributing the attacks that understands the authorities and the certain activities that may be considered more active and how that might actually work and with the private sector role is. i think this is a conversation that needs to be done very carefully. >> to pick up on a plaintiff has made a few moments ago, changing the algorithm on the cost, i think that it remains true that the most are attacks of opportunities. there are software programs so if you have a server that is not directly connected you are not going to be the target of that opportunity. it remains true that many of the incidents even the high-profile
11:01 am
ones start with a spear phishing campaign and the e-mail that should have been clicked on and some of the simple things that they can do training their employees and knowing what they are, going to default security measures instead of those security measures can make a big difference. and i think from that perspective changing the cost and for any given firm, making sure that there are targets of opportunity that you deny the simple opportunity to attack you. >> any thoughts? >> from our perspective, all of these conversations go into building resilience. using the framework of engaging the partnerships and collaboration. but i like to refer to as telling the profit model on this opportunistic sense that your adversaries have. all of that goes into making it less worth it for the adversaries but even more
11:02 am
important making us resilient and because even if that were to work we would still get attacked and something would happen. it would keep me up on the attacks versus some of the more noisy attacks and as we build through the framework through this exchange of information and intelligence looking at how we make and build systems from the bottom up and hire the best and brightest people and change the culture of the security to ignore infrastructure rounds and at that point, i think that the opportunity goes away. and your profit model goes away. that is our goal. >> david and then kelly. >> we are very much focused on defense. i think that if you think about what we are on the critical infrastructure, those attacks are likely to come from actors that are interested in the terrorist motivation or
11:03 am
something like that and we know what our capabilities are and strengths and it's not to be taking on organizations like that that we are focused on defending our perimeter doing what we can to understand before the attacks and how we can do that as far as reaching out of that to that isn't something that we are focused on. >> as someone that is involved in this building to the plaintiff, building to the plaintiff that we have an active defense which i think is a great term is very complicated and hard and is going to require a lot of effort all of us are engaged in but to take it to another stab to turn it into an authentic enterprise is that a whole level of complexity for which there is no roadmap that we would have to look at and the people that have to look at the very carefully before they enter an age -- engaged in depth.
11:04 am
>> i want to thank all of the panelists. you have an open invitation when we go to capitol hill. meanwhile i just want to thank you for taking the time to the sponsors. american express, pepco, thank them and make sure to stop and see them and say hello. we can't do these events without their support. so, let's give these folks a round of applause. thanks for joining us. thank you. [applause] >> thanks everybody. you've heard a lot of good information about the cyber framework, the department of homeland security voluntary program as well as a host of other things and i just want to point out that in the handout that you received there is a
11:05 am
whole list of resources where you can find more information and links to both the frameworks so please check that out and thank you again to the panelists. appreciate your time this morning. we are going to take a break until 11:15 and then come back and talk about the global cyber security policy. thank you. >> [inaudible conversations]
11:06 am
[inaudible conversations] >> as you heard about a ten minute break in this cyber security summit held by the u.s. chamber of commerce. up next we expect a discussion on global approaches to cyber security policy that will include a look at partnerships and innovation. a number of european and diplomatic intelligence and cyber security officials will take part. it starts in about ten minutes. this afternoon, discussions on sharing cyber threat information, combating cyber threats to national security and a look at whether congress will approve cybersecurity legislation this year. that's all ahead. this entire event is expected to finish about four eastern this
11:07 am
afternoon. political candidates continue efforts to get out the vote as we wind down the season to the midterm elections. we are showing as many debates as we possibly can. over 100 so far, along with a number of other political events. a look now at the race in iowa. we spoke with reporters to get the latest. >> host: we go now to iowa where jennifer jacobs is on the phone, chief political reporter for "the des moines register" to talk about the iowa senate race. another closely watched race for the control of the senate. jennifer jacobs, let's just begin with the status of that. what is the poll showing, still a tossup? >> guest: yes it is definitely a tossup. there are so many polls coming up i think we will see one every day until election day. but of course the poll on sunday showed speedy levin is up and it's -- speedy earnst is up.
11:08 am
>> host: you are referring to joni ernst over the democrat bruce braley. this is also being seen as one of the more colorful races for senate, partly to do with their personal stories and things that have happened. i want to show the viewers a couple of their ads and we'll talk about them on the other side. >> they left the gate opened with over a walk. >> last time we did that we almost got sued. remember when we were chilling down by bruce braley's lake? he threatened to sue us. >> not very neighborly. >> it's not very iowa. >> bruce braley isn't very iowa. we need tort reform not a guy that makes a federal case out of
11:09 am
chickens. >> it's a mess, dirty, noisy and it stinks. not this, i'm talking about the one in washington. too many typical politicians, hawking, wasting and full of -- let's just say bad ideas. it's time to stop spending money that we don't have and balance the budget. i am joni ernst many to stop spending money we don't have and balance the budget. >> host: pigs and chickens how is this playing out in iowa? >> guest: they roll their eyes at all the farm animal talk and the stereotype that i know from some people, but you know if you are a democrat, you see both joni ernst have references and if you are a democrat and you see those bruce braley, i'm sorry, the other way around. if you are liberal and as either
11:10 am
republican ads into fewer democratic it gets on your nerves. but they tell me that these negative campaigns work. we have so many negative political ads that iowans are likely to believe the negative ads and voter he adds that are defective and that's why they are all over. >> host: what other issues are playing out in this election? what are the voters talking about in iowa? >> guest: he's talking up social security, abortion, the minimum wage. joni ernst is talking about what she calls the iowa way that has to do with the economy, strengthen the economy. we have a balanced budget. she says we have been removing legislation, so she calls us the
11:11 am
iowa way. those are kind of the two issues. bruce braley the democrats tend to look at the reproductive right into that sort of thing. ernst is more of the military in the middle east and economic issues. so those are the ones the candidates are bringing up. >> host: i want to show a couple of ads for bruce braley and then we can talk about those as well. >> this isn't about joni ernst for me. it's about who will be best for iowa. iowa has lost tens of thousands of manufacturing jobs yet joni ernst wants to keep giving tax breaks to companies that shift jobs overseas. i say it has to stop. we need to eliminate the tax breaks to outsource the jobs and cut taxes for companies that hire american workers. huge corporations don't need a senator, you do. i am bruce braley and i approved this message.
11:12 am
joni ernst is so extreme she risks retirement on the stock market, ending minimum benefit. bruce braley stopped those trying to privatize social security. he will protect social security for all of us. the democratic campaign committee is responsible for the content of this advertising. >> host: jennifer let's take that last ad by that democratic campaign committee. airing that with one week to go what does that tell you? >> guest: the negative ads always say that they are worried whenever you see the positive ads it tells you that they are pretty confident in that they are worried for sure. the national democratic party and the senate majority is probably spending the most and
11:13 am
then there is the amount of spending on the republican side, too. but ernst has been the biggest target of the ads in iowa more so than the democrats bruce braley. >> host: iowa could be electing the first female to congress by voting for joni ernst. but is she connecting with those in iowa? >> guest: not as many as she would like to. she plays better with those in iowa than she does with women, but i know that the campaign has been trying to work on that. they definitely do have a force of women that promote her on a regular basis including the lieutenant governor that a republican and promotes her quite regularly. >> host: you talk about the outside money coming from democrats. where is that coming from?
11:14 am
>> guest: there is the money coming in and those are the big ones and the national republicans based on the gop side. >> host: so with a week to go what will you be watching for? >> guest: i will be watching to see if they keep playing up at the social issues and if they believe that is what is going to get people off the couch in the next couple of weeks and we will be watching to see if there are any mistakes or if the candidates can make it through and get to the end. >> host: jennifer jacobs, you can follow her on the website, desmoinesregister.com. appreciate your time. we have been showing a summit on cybersecurity. coming up next, the panel on global approaches to cyber security policy will include a look at partnerships and innovation and we expect to hear from the diplomatic and intelligence into cybersecurity
11:15 am
in just a moment or two, as a 15 minute break wraps up. before more of the coverage, here is a look at the race for the senate in louisiana. >> host: a capitol news bureau reporter for the advocate is with us to talk about the senate race between democrat incumbent mary landrieu and bill cassidy, the republican. there is also the independent candidate who's running as well, and then you have several other candidates on the ballot. so, the louisiana senate race, according to the latest university poll today, is headed for the runoff. do you agree? >> guest: that's what it looks like right now and that is the game plan that they are taking. even though he's not the incumbent, he is very much running the incumbent race.
11:16 am
the next debate is tomorrow night, one of only two debates, so he's participating in leading up to this. it's going to be very interesting. >> host: i misspoke before. there are nine candidates total. what's going on with the incumbent senator? >> guest: it's what we call the jungle primary. so next week is actually a primary for everyone, but they go on to december if nobody gets to 50%. it looks like senator landrieu will get the most votes, but the polls are showing that nobody is going to have enough to crack into that 50% plus one vote, so it looks like a runoff, and it's very interesting how the campaign has been going. we have had tons -- you can't
11:17 am
watch tv without getting bombarded by the campaign ads. and you know, it's really interesting: a lot of it is senator landrieu being a democrat and a lot of it is president barack obama. that's what we are seeing a lot of, is the campaigning on the record. >> host: has that been impacting her ability to get over that 50% or is it her record as a senator? >> guest: certainly obama. every campaign event. you would think barack obama would be on the ballot with the way that it's being campaigned in the cassidy campaign. last night there was a debate that cassidy didn't participate in, and it was between senator
11:18 am
landrieu and the other candidates, and time and time again it came up, mentioning barack obama and the affordable care act and all of that. >> host: the former president bill clinton was in louisiana yesterday for senator landrieu asking for the voters to get out and vote. will that work in the closing weeks? sorry, i misspoke. >> guest: no, it was last monday that bill clinton was in town. it's the second event he has been at. the first was a more private fundraiser in new orleans and baton rouge. this one on her side was open to the media and it was packed. it was about a thousand people, probably a little more than that. they've been pulling out the stops for weeks before that.
11:19 am
john mccain was in town for bill cassidy, so it is drawing a lot of attention. i guess we will see how much attention it got; right now early voting today is the last day. it is up a bit, not as much as the presidential, but about 200,000 people have voted at this point, so we will see how the names are drawing. being a nationally watched race, it has more attention this year. >> host: how much money has been spent on this race, and also what are the key demographic voters to watch for? >> guest: the last time i looked it was the most expensive race in the country, millions of
11:20 am
dollars. right now it is hard to even track it because there are different groups running the ads on tv, and we are trying to figure out who the groups are. but really, the last poll that came out that you mentioned earlier, 14% undecided, so we are finding out who those voters are and how much these ads that are streaming in with their rhetoric against the president actually matter to them. >> host: elizabeth with the advocate, appreciate your time. >> guest: thanks for having me on. >> we are live in washington, d.c. at the u.s. chamber of commerce summit on cybersecurity. up next we expect a panel on global approaches to cyber security policy. this is live coverage on c-span2.
11:21 am
>> okay. once again, welcome back to the u.s. chamber of commerce third annual cyber security summit. we've got a great panel for you. i'm going to turn things over to adam, a senior information technology policy advisor, and he's going to run the panel on the global issues and international issues surrounding cybersecurity policy. and then after that, we are going to take a little break and i will tell you more about that and transition into lunch. while you are sitting there thinking, please write down any questions you have for the keynote speaker, admiral rogers. we will do a q-and-a with him up here, so if you want to write it down and bring it up to me, feel free to do so and we will take care of that during the q&a. with that, let me tell you that adam has been leading the framework development and partnership process for nist. we are very happy to have him here today. thank you, adam. >> thank you for having me here today. so this panel is going to cover some international issues. the title is the international
11:22 am
dynamic: global approaches, cyber security policy, partnerships and innovation. so those are all topics we would like to cover. how do we develop policies that are protective of the industry but also think about the global dynamic, and how do we keep the policies that also encourage innovation and efficiency and economic prosperity? so, joining me today, we have tom dukes from the department of state, frank from oracle, angela from microsoft, urszula from the european parliament, baroness pauline neville-jones, the minister of state for security and counterterrorism at the home office in the uk government, and then haiyan song. i'm going to take a similar approach that matt did with the panel, and i'm going to ask each of the panelists, going from left
11:23 am
to right, to say a few words about themselves and their background and their role and their organization, and then specifically how it relates to cybersecurity and the international aspects. start with you. >> i'm tom dukes, the deputy coordinator at the state department and part of a relatively new office stood up at the same time, basically, as the white house put out the international strategy for cyberspace. our office was created to eventually have a core of cyber diplomats and policymakers that would both help develop and execute u.s. priorities and strategies in diplomatic engagements across the full range of cyber issues. we are talking everything from cybersecurity to internet freedom and economic development, cybercrime, international security and internet governance. and we have a -- we have grown from a group of five of us and now we are basically up to 20 people, and the focus is on a wide
11:24 am
range of things, but particularly, for this panel, on helping spread the message on the importance of creating a culture of cyber security around the world. this is something that was highlighted in the president's international strategy, and it really is a focus for the states on recognizing and carrying out the responsibility to secure the critical infrastructure that is used for ict. we do a lot of things in the furtherance of that, but i can come back to you later. there is a robust international diplomatic effort; the u.s. state department believes in cooperation with industry, civil society and the partners to try to create the right kind of environment, and things like the nist framework are the products that we are trying to help the rest of the world see the benefit of adopting and incorporating.
11:25 am
>> i handle the cybersecurity policy and a few other issues at oracle in the government affairs office, and i focus not just on the u.s. but a lot of international markets, for the simple reason -- i'm sure everyone in the world knows how global cybersecurity is -- but from the perspective of a company like oracle, what we call a commercial global off-the-shelf technology company, meaning that the databases, the servers and the cloud solutions that we sell are the same solutions that we sell to the government agency of the u.s., the german bank, the japanese carmaker. you know, we build them and then we sell them globally. so having cybersecurity policies, requirements, mandates, you name it, that are different from country to country and from public to private sector,
11:26 am
it's something where we bring a lot of innovation to a lot of the r&d, and with a huge return from the security perspective people can precisely sort of leverage that economy of scale around the world. so when we look at the framework, the fact that it is international precisely, but also the nature of the content is based on international standards and best practices, is just the right approach, not just for the business model but also for
11:27 am
how cybersecurity is best managed. >> thanks. angela? >> like my colleagues i would like to say thank you to the chamber for hosting us and everybody in the audience for joining this panel. my name is angela and i'm the director of cybersecurity policy strategy at microsoft. in that role, i lead across a variety of issues, from critical infrastructure and supply-chain risk management all the way up to international security and stability issues. at microsoft we run our cybersecurity policy work out of engineering so that we can actually bridge the security expertise and experience that we have and help them manifest in the policy environment, really taking the demonstrable practices that have demonstrable results and helping them manifest then in the policy environment. prior to this work i led the
11:28 am
developing and emerging markets, and in that role i traveled quite frequently to asia and europe and talked quite a bit about critical infrastructure and cyber security issues. one of the things, and one of the reasons we think the framework is important, is that it is an example of leveraging public-private partnerships to help create policies that can be applicable and useful in this environment and other ones, and that is what i will be talking about today. >> let's go now to urszula. >> i am an officer at the european parliament washington, d.c. office. our washington, d.c. office is the only office established by the parliament outside of the eu. i would like to thank the chamber of commerce for inviting me to speak at this panel. i would like to say a few words about the european parliament
11:29 am
for those that might not be aware of what our organization is. our organization is a legislator for the european union. we legislate together with the council, which are the representatives of the governments of our member states. and i think that our legislative role, when compared to the u.s. system, could be compared to the house of representatives. the committee in the parliament which has the jurisdiction over cybersecurity is the internal market committee. it's because achieving a high level of cybersecurity is important to the conclusion of what we call the digital single market.
11:30 am
11:31 am
but also the adviser to national grid, which is an adviser in the uk which has, in this country, too -- we get into the issues of national resilience. it's very important, and if the lights go out, nothing happens. i'm also -- cyber security challenge, which is a charitable organization which does receive a certain amount of government support, which is engaged in encouraging young people to go into cybersecurity as a career. we took a lot of our initial inspiration from this country. at the other end of the educational sphere, i'm a member of the engineering and physical sciences research council, which is one council of the group of uk research councils that
11:32 am
allocate money for centrally important research activity in the uk, and a certain amount has gone into cyber and into the creation of training courses to increase what certainly we regard in the uk as being a really serious skills gap we possess in this area. and, finally, just one other thing which i've gotten involved in on a personal basis. the uk is very london focused, and one of the things we need to do is spread the message around the rest of the country. i happen to come from yorkshire and, indeed, the single largest health database in the world is also being the nhs rock your seed there. but it provides the most extraordinary opportunity for development in an important area based on analytics. one of the things, as the city
11:33 am
underpins this activity and creates, frankly, new industry, is that we do cybersecurity by design and that we, from the outset, create a system which is multidisciplinary, and where all the contributors actually are on the same base, talking the same language on cyber. >> my name is haiyan song. some of you asked what splunk does, so just a quick introduction. splunk focuses on machine data, focused on getting value and accessibility and usability out of data. a simpler way for me to explain that concept is everybody knows google is a company, but it is also a verb people use to go find information on the internet, and
11:34 am
splunk is also a company. it can be used as a word to also go find information in machine data. machine data, otherwise, is that which is generated from your devices and applications, from networks and servers and so on and so forth. i think with this crowd it is easy to understand the value that machine data and logs bring into security visibility and risk management, and that is what we set out to do. and one of the things i think the framework has brought to the industry is a common language, so we can explain the approach and methodology and we can explain how the solutions we develop fit into the framework. so with that context, what we do is really give you the ability to help protect by monitoring all the aspects you have, and most importantly we shine in the areas of helping you protect
11:35 am
novelties. and i know -- the accessibility of the data and information so you can practically reduce the time to respond to incidents. and from all perspectives it's global for multiple reasons. the threat landscape is global and it does not have borders or boundaries. they are coming from all different angles. and the customers we serve are very global as well. they have multinational sort of after mistakes, and we facilitate the implementation of the security program in a way that we also need to support the regulations and requirements from different regions, like europe, which has certainly more strict regulations on privacy. and so in a way what we do truly has a global nature, and we work
11:36 am
with a lot of customers as an ecosystem; we work with partners as well because they bring a lot of insight and intelligence into the battle that we have against adversaries, and we truly believe it takes a village to do this. our role is to better facilitate that system coming together to do a good job, getting the visibility, and tie that with the understanding of how it relates to your business, your mission as the agency; that's a whole risk based approach and something we believe in. >> great. i think as another high level study question, i would be interested to hear the panelists' reactions to what they think the international reaction to the framework has been, not only in the eight months since the final framework was released but also throughout the development of the
11:37 am
framework. is there general international awareness of the framework and similar policy, similar public-private partnerships? do we have a sense of what the initial reaction has been? i will start with angela. >> certainly. i do think there's a fairly high degree of awareness of the framework on an international basis. as i said earlier, i spend time going out and meeting with the government customers and enterprise customers in different places around the world. most recently i have been to india, korea and japan, and in each one of those environments, both enterprises, critical infrastructures, small businesses, innovators and the government policymakers are unaware of the framework. i think there is, there are some misperceptions, things where people may not necessarily really understand what the framework is. and i wanted to highlight two of
11:38 am
those that i think are really relevant for having this conversation here. one is the discussion of who develops the framework, right? there's a lot in the united states that is industry led, and some people call the framework the nist cybersecurity framework. so internationally there's some confusion about, well, how was this developed? is this a government thing or an industry thing? and in each case many of those questions actually are concerns because the other entity wasn't involved. one of the things i like to highlight is it wasn't even just a traditional public-private partnership that was used to develop this; it was truly a multi-stakeholder approach. you had government entities from the u.s., private sector from the u.s., government and industry from other countries engaged. yet some of the hacker and security to nearly involve. and even civil society because of the privacy component. i think that's one of the misperceptions, and the other
11:39 am
one that i think is really important is people tend to confuse the general risk management approach of the framework with the implementing mechanisms that have been outlined in the executive order. one of the things i try to do is make sure those are clearly differentiated from each other. in the risk management approach, there are controls based approaches and outcomes based approaches. we think an outcomes based approach has more demonstrable results to the ecosystem, and that's what the framework does. on the implementing mechanism side there's a voluntary implementing mechanism and then a regulatory implementing mechanism. i think it's important to separate those two because it is unrealistic to expect that every country around the world is going to take the same kind of approach to implementing mechanism. they have different market drivers, different ownership models. but in the risk management approach, to the degree to which we can foster more outcome based risk management, that creates,
11:40 am
raises the boat of security and privacy across the board and also helps create that environment that frank mentioned of being able to work across geographic boundaries. >> thank you. anything to add? >> just quickly. i think i would agree with pretty much everything angela just said. very strong interest in the framework, in how it was developed and the content of the framework. also a lot of misunderstanding of both, actually. they look at -- it's a government agency, so the framework, it's a regulator in terms of it's a regulatory mandate. and so a lot of effort has been put in by a lot of people, nist and a lot of companies, to dispel those myths. but you understand so that how you're running against regulatory, political and policy cultures that are just very different. we just have a natural tendency in
11:41 am
the u.s. to put more trust in and have more experience with public-private partnerships. there isn't that kind of comfort level and experience in a lot of foreign countries, which is unfortunate because really, obviously, security policy is one where these public-private partnerships are most apt to be effective. >> great. urszula, you may want to give us some perspectives on what you were seeing in the eu and also how that relates to our policies here in the u.s.? >> sure. the eu is -- we decided to regulate certain things at the eu level, and actually the important thing is to highlight that the regulation that we have launched is not yet
11:42 am
complete. there were public consultations prior to this, and actually over 66% of stakeholders were in favor of certain types of security matters being regulated, and over, i think over 84% of the respondents were in favor of those matters being regulated at the eu level. so i think there is a very different culture in the eu in general in terms of regulation. that's the first important thing to highlight. so we have two main instruments of the cybersecurity strategy which we put in place in 2013, and the first one is a proposal for the nis directive, and this directive is right now being debated between the european parliament and the council. so the european parliament has adopted its position already, and we are now going through negotiations.
11:43 am
and then there is, there is a public-private platform, the nis platform. so they're two separate things, like, angela, you mentioned it's important to differentiate between the two approaches, and they have also very different scope. the nis directive, which is by definition a directive, is a legal act which is addressed to the member states, not directly to the stakeholders but to the member states. it places certain obligations on member states, like the obligation to establish national authorities with competence, computer teams that would react to the incident. it also establishes the obligation of cooperation between the member states, which is a very important and needed thing because, remember, we are working here with 28
11:44 am
different systems. it also establishes certain obligations on the market operator. now, the definition of the market operator also needs to be understood. at the beginning, the commission proposal, from the executive branch, this definition comprised both the internet enablers, public administrations, and critical infrastructure operators. the parliament is now proposing to limit the definition of the market operator, and hence the number of entities to whom they directly will apply, to the critical infrastructure and public administrations. so those market operators which will eventually find a way to the final text of the directive, say, they will be obliged to
11:45 am
report certain cybersecurity incidents. now again, the parliament has proposed a number of safeguards to make sure that the scope of reporting is clear and that there is no insecurity amongst market operators as to what needs to be reported. and then there is the nis platform, which, like i mentioned, is a public-private platform for discussions and for developing those voluntary standards. it has had a lot of participation across sectors. we have over 200 organizations which are participating in -- it's called actually the network and information security platform. so we have different participation from the member states, from research and academia, from the industry.
11:46 am
the platform is currently working on its first set of guidelines. we will have another meeting towards the end of november, and the platform is also a good forum for the international stakeholders to get involved. so also the u.s. stakeholders. >> great. thanks, urszula, and i'm pleased to say we have representatives from the european commission at our workshop in tampa the next couple of days, and we are also looking at doing a targeted meeting in brussels to talk about similarities between the nis platform approach and the approach we're developing here in the cybersecurity framework. you want to talk about what you're seeing in the uk? i will say the uk, because it is unique in that they are the only other country that hosted a workshop for us when we were developing the framework, and i'm happy to say that provided comments on the process and actually will also be participating in tampa this week. could you give us a sense of what some of the priorities are
11:47 am
and what you're looking at in terms of these global cybersecurity policies? >> what was the level of awareness of the framework? there certainly is in the uk, not least because of the multinational nature of the companies, particularly across uk-u.s. and so we are aware of and interested in your policies -- how our policies are going to develop here. one of our preoccupations as a trading nation is trying to ensure that there isn't a divide -- divergence, so companies face the prospect of not only different but possibly conflicting regulation and policy. so we do follow, and, indeed, i think we talk to each other rather closely about that. the battle in the uk has been going for some time, and it follows a national security strategy in
11:48 am
being risk-based. we have not gone for a regulatory approach. we don't want a regulatory approach to the government i'm sure a unit is in favor on all of the whole state. the whole approach has been very much an emphasis on public-private partnership with -- [inaudible] so if i look at the framework and then i compare it with what has happened in the uk, though the written material is sort of differently presented, the issues are essentially the same. you can take two documents, issued by the uk, which are advice to companies; none of this, i might say, is mandatory. it's heavily incentivized, and why? because there's a second option, which is cyber essentials, and that
11:49 am
takes you through the various stages identified in the framework. and we are making cyber essentials mandatory for doing business with government. so a minimum platform is being set on performance. the issues that we now face, i think, are more, having put in place a framework, actually getting it implemented. that's a big job. that's the big job around the country. i think the level of awareness in the uk has increased very visibly, but it is not yet total. i disagree, i have to confess, with one thing that was said at the last panel. i don't myself believe that the likelihood of attack is related to the size of the corporation; it is much more likely related to the size of your assets, which offer a reason to attack.
11:50 am
consequently smes are in this game in a big way, and some of them are the most intimate parts of our industrial and commercial strategy. they need protection. we have as a country paid particular attention to enabling affordable security to become available. so quite a lot has gone into the practical implementation of how you get affordable security, and the security service that offers advice. at the center, however, of the whole system actually is information sharing. i know you might want to talk about that perhaps in more detail, but we regard that as being an absolutely crucial element in the whole game. we want increasingly to see the private sector own that. we have less inhibiting --
11:51 am
we have a more stringent privacy background in the uk than in the u.s., but we have a less inhibiting competition law framework. so it's perfectly possible in the uk to share information both between companies and with governments without falling foul of competition law. and we are very much able to overcome some of the problems that there are here, but we regard that as being absolutely crucial, and we have now put the information sharing partnership inside cert-uk, which is the mechanism for detection, response to and recovery from incidents, so we tried to create one-stop shopping. i would say that we have got to the stage of creating quite a lot of the structures that we need. are they working perfectly yet?
11:52 am
no. are they extensive enough? have we found the trick of being able to cascade the information down the system fast enough? we are getting there, but we are not there currently. but we are, i think, i would say that we've gone from awareness to a degree of national mobilization, but i wouldn't want to say how far we've got, but i think we're getting there, to the perception in the country that this is really important. one last thing i would say is, you can tell there's a lot of difference between what i said and what others have said. the uk has to be, and i think is, part of one of those member states who wanted to see the initial scope of the regulation of the directive contracted. we can live with the scope now, particularly as it concerns our national infrastructure, where we do regard a certain degree of military standard as necessary.
11:53 am
where we are in disagreement, remain in disagreement, is the whole question of the nature and timing of breach reporting, which is also an active issue here. clearly, really, the extent to which people and shareholders and particularly private individuals have the need to know and a right to know when their data has been breached. nobody opposes it, but we are concerned about not requiring breach reporting so early in an incident that it actually inhibits and hampers initial recovery. >> thanks, pauline. we talked a little bit, heard a little bit about some of the complexities, concerns of legal regimes and cultures and regulatory approaches. tom, you have to manage all of this. so when you provide advice to countries about smart cybersecurity policies, or when
11:54 am
you're communicating to this country about what our policies are, what are the lessons learned, and what are you hearing from across the embassies about what other governments are doing in this area? >> thanks for that. the question covers a lot of ground, so i'll focus in on a few things. so when you look at where the rest of the world is in tackling these issues, you've got roughly 25 or 30 countries which have gotten to the same place the u.s. is, in terms of we started really focusing on what we did starting in 2009 with a comprehensive cyberspace policy review that led to a number of things, including the international strategy in 2011. the u.s. went through this very involved process of getting our arms around not just cybersecurity but the full range of issues and then taking steps to put together a policy that addressed both government needs, domestic and international, and the role of
11:55 am
industry and civil society as well. that's carried through and furthered things such as the president's executive order, which led to the development of the framework. so what we see is there is a small group of the most developed countries that have essentially taken a lot of steps, including, say, what the european union has been doing, to tackle this. there are probably 25 or so developing countries that are fairly deep in the process of developing national strategies. and most of these are pretty much focused on cybersecurity, protecting critical infrastructure, dealing with cybercrime threats. but then you have most of the rest of the world that is really -- almost all other countries recognize the need for a strategy, the need for developing national approaches; they just haven't really been able to get out of the box and start meaningfully developing the strategies. that's where things like a cybersecurity strategy are useful,
11:56 am
because it provides something that we can offer to other governments, you know, regional groupings around the world like the african union or the organization of american states or asean, as an example of how they can go about doing this. one thing we do see increasingly across our embassies is a real growing interest by essentially every country that we have diplomatic relationships with in discussing cyber, particularly cybercrime and cybersecurity cooperation. i just came from a dialogue with the bangladeshi government a few minutes before this, and it was yet the latest example. i'd say this week, every time we have a bilateral discussion with another country now, whether it's political military affairs, security, economic development, there is a desire to talk about the role of cybersecurity, i.t. development. so there's a huge interest out
11:57 am
there. one of the things we've done in the department is we focus a lot on our internal capacity building, so training our diplomats to be able to engage on these issues and to understand, particularly with a focus on the economic development aspect of this, that taking the right approach, the approach that we think is right, to advocate in terms of cybersecurity is really going to be a critical step that needs to be taken to get you to the point that you can really benefit from all the economic and social benefits that we believe flow from really embracing digital society, really getting serious about leveraging the internet to carry out sort of future developments. those are some of the things we are doing. i will say one thing that we have to keep in mind, that is just around where we are in the united states: some might say the european union has a comprehensive approach to this; i'd say the framework helps in
11:58 am
a lot of ways, but it answers one piece of this. without comprehensive legislation that addresses a whole host of issues, information sharing, liability, there are just, we don't have a complete system yet. and so we like to point to what we have. it would be great if we had a much more comprehensive approach in place so that we could help countries kind of learn from our whole experience. we often, not at all in an apologetic way, but with a smile, say to the countries, look, there are certain things we think you can learn from that we have done in our experience. there are certain things that we would like you very much to look at, such as the framework, but the u.s. has a unique experience of getting where we got, with a very large, complicated government structure. we always caution others, don't try to copy us too much, you can certainly learn from what we've
11:59 am
learned. and going through the process of developing a real comprehensive national strategy that includes significant input from industry and civil society is usually just the foundation of what has to be done. if a government is able to go through that, then they'll inevitably get to these harder steps of tackling these more specific issues on cybersecurity and other cyber policy issues.
>> that's great. so we talked a little bit about kind of government-to-government conversations, and also developing policies that are informed by industry input and documents like the framework. so as we think about kind of moving forward and next steps, what are the right fora to be having these conversations? where should these conversations take place between government-to-government? where should industry-to-government take place, and where are those fora where truly robust industry-to-industry conversation should be taking place? we
12:00 pm
talked a bit about international standards. that's one forum. you guys think about the right ways to continue dialogue. where should we be looking? i will start.
>> when you ask a question like that, it's also good to know where not to start. i would say don't start there. don't start with the itu. the itu has a lot of strengths. they have an impressive legacy of helping to develop infrastructure around the world. but i don't think that technology issues are their strength, or i think in fact it's pretty far outside of their core expertise and where they would be able to contribute
12:01 pm
effectively, from both a foreign policy and a technical perspective. also institutionally, because it is, while there is participation, it is largely a government forum. that also is, i think, something that will hold them back. and, finally, i think they would be duplicating and therefore weakening and distracting away from other international fora that are addressing that issue. so that's what i would say. i guess it depends on what aspect of cyber we are talking about. if you're talking about product assurance, there are some, including the recognition arrangement, where the issues are addressed, and addressed well, at the international level. if you're talking about broadly cyber risk management, which is what the framework does, or
12:02 pm
addresses, then it depends on what will happen with the framework over time, whether it's an effort that continues to be coordinated and nurtured by nist or whether it sort of takes on a life of its own with a new sort of institutional house.
>> do you have any thoughts on that?
>> i don't. i'm going to kick that to angela. but certainly, the thought i would have on that is, as i said, the framework is inherently, even though it was sort of developed as a result of an executive order from the government of the united states, from the president, an executive order from the president, and sort of coordinated by government agencies, nist, it is inherently an international
12:03 pm
effort. the substance of the framework is international. and so finding sort of a house for the framework that enables it to continue to be that, both in its substance and in its use, that continues to be international, i think is absolutely essential, central.
>> i don't think i can think of better concluding thoughts than that, so thanks a lot, franck, thanks to the participants today. and thanks again to the chamber. i think i've only missed one of their awareness events. so let's keep them going and thanks for hosting us.
>> thank you to the panelists. appreciate your time. [applause] what we are going to do is take a 15 minute break. what i would suggest is you leave your things on your chairs, let the catering folks come in and set up the meal, and then you can go next door for a bite and we will rejoin at 12:15 for
12:04 pm
12:05 pm
>> so a 15 minute break now as they set up for the luncheon speaker this afternoon. the chamber of commerce cybersecurity summit will continue at that time with remarks from the executive vice president and cio of american express. he will talk about information sharing. coming up later this afternoon there will be panels and discussions on combating cyber threats to national security and a look at whether congress will approve cybersecurity legislation this year. it's all coming up later today. while this break continues and they get ready for lunch, remarks now from keynote speaker michael daniel, special assistant to the president and cybersecurity coordinator at the white house. this is from earlier today.
>> thank you. good morning, everyone. it's a pleasure to be at the chamber for the third annual cybersecurity summit. for those of you who've been forced to hear me talk before, i tried to throw in a few new things into my speech so that it won't be totally boring for you. thank you for the very kind
12:06 pm
introduction. but i do want to talk a little bit today about why cybersecurity is such a hard problem, about why, as howard said, we're still talking about some aspects of it 20 years on, and how we're trying to think about that inside the u.s. government and design our policies to shift, to adapt, to address some of those key hard problems. when you actually take a step back and think about it, from a purely technical standpoint, it's not obvious why cybersecurity is a really hard problem. at its root, most of the time the bad guys are getting in through holes that we know about and we know how to fix. so that means that the enemy is penetrating our networks through a hole that we're quite well aware of and that we even have a patch to cover. and yet we don't do it. so what's the deal? why is this such a hard problem? from my point of view, i think the issue is that cybersecurity is not really just a technical
12:07 pm
problem. it's far more than that, because of what cyberspace has become to us. in fact, cybersecurity does have definite aspects to it, very strong technical aspects to it, but it's more than that. it's also an economics problem and a business problem. it's a human psychology and behavior problem. it's a political problem, and it's a physics problem all rolled into one. so when you combine all of those factors together, that's why cybersecurity is such a hard problem and is so difficult for us to solve, and so difficult for us to tackle. i want to draw out a few of what those hard problems are and then talk about what we are doing to address them. the first hard problem i will talk about is really the business and economics aspect of cybersecurity. i don't think we actually understand the economics of cybersecurity very well. i come to that conclusion because of what i just said. we have solutions that we know are out there, the technical solutions that exist, but we
12:08 pm
can't get people to actually implement them. we have been talking about cyber hygiene, information sharing, identity management, literally for decades now. and sure, the adversary tactics evolve in cyberspace and the impact of malicious behavior is growing as we hook more and more things up to the internet. but the same fundamental weaknesses continue. and it's not like we don't collectively understand these facts at this point. yes, we need to do more on education and outreach and talk to more and more, a larger and larger portion of our society, but certainly the numerous news reports on cyber breaches from target to home depot and other companies have certainly helped to raise awareness. and it's clearly in everyone's interest to be good at cybersecurity. it's not like any of us sit around and think i would want to have poor cybersecurity on my network. so the logical conclusion has to be that we don't really fully understand the economics and
12:09 pm
incentives that surround cybersecurity. we haven't confronted the problems in terms of how people actually work on the internet, how companies actually have to behave. and until we actually confront those problems in terms of human behavior and motivation, until we actually confront them as a business problem, as an economics problem, as a psychology problem as well as a technical problem, we are going to continue to flail at the issue. another hard problem that i mentioned is politics. that actually stems from the success of the internet and cyberspace, ironically. the vast expanse and impact of cyberspace, the fact that it touches everyone and pretty soon is going to touch everything, has changed how people think about it. when the internet was first built, critical infrastructure wasn't connected to it and didn't rely on it. nobody really cared about privacy protocols because people didn't live their lives online.
12:10 pm
users didn't worry about the underlying security, the underlying security of the code, only that it worked. governments didn't understand the internet, didn't use it much and didn't see why they should care about it. so nobody particularly cared that the technologists set up the internet to be governed in a highly decentralized fashion outside of government-based structures, and didn't incorporate strong security. but now everyone cares about these things, at least to some degree. governments are waking up to the fact that they really need to care about what happens on the internet and how it works, for all sorts of reasons, both good and bad. companies are waking up to this fact and citizens are waking up to this fact. so as a result, what used to be able to be decided on a purely technological basis by technology experts, or brought in from agreements among service providers and major companies in the space, is now the focus of a highly political process.
12:11 pm
and that means the decisions that once were easy in terms of internet governance and management of security are now much harder, and given how important the internet and cyberspace has become to everyone and everything, that isn't likely to change anytime soon. we need to take that into account as we build our policies. then lastly, the third hard problem that i would identify for you stems from the structure of cyberspace itself. as we think about how we work to build our cyber defenses and how we counter the threats in cyberspace, the physics and math of cyberspace plays a very large role. traditionally somebody like me would have talked about how cyberspace is borderless, how there are no boundaries and how information flows freely across the entire globe, and that's true, and it's both a strength because it allows,
12:12 pm
that's what drives commerce and drives much of the value that comes from the internet, and it's also a problem because it allows malicious actors great freedom of movement. i think this argument is not entirely correct. there are borders and boundaries everywhere in cyberspace. everywhere that networks and routers and endpoints touch, there are borders. we are creating more and more borders as we build out the internet. so i would submit to you that what cyberspace lacks is not borders and boundaries. what it lacks is an interior. there is no inside to a network when you think about it. everyone lives and operates right at the border and touches an edge or border in some way. and that really, that physics of cyberspace has some profound implications for how we organize ourselves as a society to protect ourselves in cyberspace. in the physical world we have assigned the mission of border security to the federal
12:13 pm
government. but if everyone lives right at the border in cyberspace, then it's not possible to assign border security to just one group or element of our society. as a result it means that protecting cyberspace, by its very fundamental nature, is a mission that has to be shared by all. and that reality makes organizing for cybersecurity incredibly complex because it requires us to cooperate across boundaries that we have, in the physical world, by design made difficult to bridge: both inside the government, within government agencies and among government agencies, but also between the government and the private sector, and within the private sector. so if these are the problems, economics, psychology, politics, physics, what are we doing to actually address them? at one level we get to address
12:14 pm
some of the technical issues that i mentioned. cybersecurity definitely requires a very strong technical foundation and know-how. one of the things we've been trying to do is something that howard mentioned in his opening remarks, which is nice, the national initiative for cybersecurity education. we have been trying to take it to the next level. over the last couple of months we have linked up nice -- this is washington, everything has to be an acronym -- the nice program with the president's -- what that is designed to do is look at how we will begin to drive to fill the gaps in our technical workforce. but not just the technical workforce, the workforce across the board, all of the different kinds of aspects of cybersecurity professionals that we need, so that we can actually generate the kinds of talent to do the cybersecurity mission that not only the government has but the private sector has as well. so generate the knowledge on the
12:15 pm
technical side but also financial systems, law, business management and the like. so universities are beginning to react by developing blended degree programs, by getting computer science departments to collaborate with the business school to produce graduates with applied skills to solve cyber-based problems and manage risk in the business world. but that's not enough. the cyber workforce is projected to grow larger and we're stuck in a posture where we are just stealing workers from one another. so what we're trying to do is actually begin to address that problem by supporting scholarship programs, by supporting an effort to draw up a heat map of where the cybersecurity jobs are, and to partner with businesses and others to develop more cybersecurity centers of excellence across the country at various universities to increase the workforce that we have available to us. we are also working to address the business, economics,
12:16 pm
and psychology issues of cybersecurity, and that is where the framework, one of the core documents that has been talked about, and that others will talk about today, comes in. because the framework really is industry's document. the core thing about the framework is it is built from how industry has to think about and operate in the real world and address cybersecurity as part of their business. the national institute of standards and technology led the effort, but it was really one where they captured and coalesced the best ideas out of industry about how to approach cybersecurity, not just as a technical problem but as a business and economic problem. the great strength of the framework in my view is the fact that it is not, in fact, a cookbook. if you open it up and try to read it to learn how to run your firewall you will be sadly disappointed, because that's not what the framework is. the framework is really how you think about cybersecurity as an issue.
12:17 pm
it's deeply rooted in how businesses actually have to manage risk. and in taking a risk management approach, the framework recognizes that no organization can or will spend unlimited amounts of money on cybersecurity. instead it enables a business to make decisions about how to prioritize and optimize cybersecurity in light of the risks that they take. it also provides a common lexicon, a common vocabulary to talk about cybersecurity. it provides a common foundation for communication between businesses, between businesses and their suppliers, and between business and government. so to that end it really provides a new way for us to actually talk about cybersecurity and communicate it and deal with it in a new way, and i think that is where the framework will go. i have often said that the great strength of the framework and its great success will be when businesses and others figure out ways to use the framework that we never even dreamed of when we built it. and to me that's where we are driving towards today.
12:18 pm
of course there are other ways we're trying to address some of these problems, the political problem and the physics problems. we're trying to address them through information sharing efforts. many of us in the room that have dealt with these issues for a long time are almost sick of talking about information sharing. i see some familiar faces out there. but it is one that still must be addressed, because we really do have to move more information both among companies and between companies and the government and from the government back to the private sector. we have started to see some real traction in the formulation of some efforts like the stix and taxii models coming out of dhs, providing a technical foundation for information sharing. but we have to continue to do more, and that is what the administration is very much focused on. earlier this year the department of justice and the federal trade commission issued guidance indicating that antitrust law should not be a barrier to
12:19 pm
cybersecurity information sharing between companies. this is a big step that helps narrow the scope of work we have to do to crack this problem. but there is still more we need to do, and we're continuing to look at what the options are within the administration to support information sharing, and we continue to support the passage of cybersecurity information sharing legislation in congress. and i hope that you'll have a chance to hear that from senators feinstein and chambliss later, that we are working very closely with them to try to get that kind of legislation over the finish line. another area that we're working on to address some of these psychology and business and economics aspects of this is really in the consumer financial protection space. with over 100 million americans falling victim to data breaches over the last year, and millions suffering from credit card fraud and identity crime, we knew we needed to take some steps to make stronger, more secure technologies available to secure
12:20 pm
transactions and safeguard sensitive data. so two weeks ago the president signed an executive order directing the government to lead by example in securing transactions and sensitive data. the new buysecure initiative will provide consumers with more tools to secure their financial future, by assisting victims of identity theft, improving the government's payment security as a customer and a provider, and accelerating the transition to stronger security technologies and the development of next-generation security tools. while there's no silver bullet to guarantee data security, the executive order implements enhanced security measures including securing credit, debit and other payment cards with microchips in lieu of simple magnetic strips, and pins, such as those you use on standard consumer atm cards. the president is calling on all stakeholders to join the administration and a number of major corporations in driving the economy towards more secure standards to safeguard consumer finances and reduce the chances of becoming victims of identity theft.
12:21 pm
we also announced the white house summit on cybersecurity and consumer protection, which will happen later this year to promote partnerships and innovation. the summit will bring together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect american consumers and their financial data, now and in the future. another big area that we've been working on is something that howard mentioned as well, which is the national strategy for trusted identities in cyberspace. in a nutshell, this is the administration's effort to kill the password dead as a primary security method. if we are serious about improving our cybersecurity, we simply have to kill off the password. it's a terrible form of security and yet we've been unable to move past it for over 30 years. so again this comes back to, obviously there are plenty of technical solutions out there to do this, but what hasn't been able to be cracked is the issues that
12:22 pm
are not the technical ones, the liability issues, the networking issues and other things. so the goal that we set up with nstic was to tackle those parts of the problem and to really fund some other efforts to get over that, get over those non-technical hurdles to enable the technology to proliferate more across the ecosystem. i'm excited to report that very soon we will have many of those, pilots are starting to come to fruition, and i think we'll start to see over the next six months or so some of those technologies really start to roll out across the market and become much more widely available. and i see it as a great example of where we can make cyberspace inherently more secure by working through very strong public-private partnerships. projects that industry and government have piloted under the nstic are really starting to show results, and we're positioned to build on that momentum as we push to accelerate progress on identity, credentials and access management within the federal government. finally, i would be remiss if i
12:23 pm
didn't mention the federal government's own house. obviously, over the last six months we have dealt with all sorts of issues, from heartbleed to shellshock to intrusions across various departments and agencies. one of the things we are very focused on within my office is improving the cybersecurity across all of the different parts of the federal enterprise. we are working very hard to promote the concept that cybersecurity, just as in any corporation, is not just an extra cost center but is core and fundamental to being able to execute a federal agency's mission, and that in fact cybersecurity is a mission enabler, not just for the department of defense and the department of homeland security but for the department of the interior, for the department of housing and urban development, for health and human services, and every kind of agency that you can imagine inside the government. cybersecurity is now core to all the missions of the agencies across the federal government in order for them to be able to do their mission.
12:24 pm
so as i mentioned at the top, cybersecurity is an inherently hard problem, for at least the reasons i cited and probably more. but as a community we have indeed made progress, particularly over the last few years, and started efforts that i think can alter the cyber landscape in some fundamental ways. we started to do things like the framework and the nstic, started treating cybersecurity as a business problem and addressing the underlying psychological and human behavior issues that are present in cybersecurity. we are starting to realize we have to build partnerships to address the political issues of cybersecurity, and to work together to address the physics and math that makes cybersecurity so hard. so despite often, as national security staff, being considered one of the four horsemen of the apocalypse, i actually am at root an optimist. i do believe that we can actually tackle these problems and make cyberspace safer for all of us.
12:25 pm
of course in cybersecurity there is no such thing as done, right? there is only but. we still need to continue focusing on making progress, and that is what i'm looking forward to doing over the next year, working with all of you to make cyberspace inherently more secure. thank you very much. [applause]
>> i think ann indicated i do have some time to take a few questions, so i'm happy to do so.
>> stunned everyone into complete silence. but i guess you're off the hook, michael.
>> thank you very much. [applause]
>> and those comments from this morning, and we are live now for more from the chamber of commerce cybersecurity summit. this is the third year they're
12:26 pm
holding the summit. up next, attendees expect to hear from marc gordon, executive vice president and cio of american express, who will talk about information sharing. later this afternoon, combating cyber threats to national security, and also a look at whether congress will approve cybersecurity legislation this year. this is expected to get started here in just a few seconds. [inaudible conversations]
12:27 pm
12:28 pm
so, marc, thank you very much.
>> thank you very much. i want to just start by thanking you and the chamber. your proactive leadership on this topic i think is second to none, and i think you're doing a great service for the global community in what you're doing. what i want to do is very briefly provide a private
12:29 pm
sector view on the environment, the importance of information sharing in particular and the obstacles that we face, and a little bit of a call to action before introducing admiral rogers. so let me start with something that everyone here obviously well understands. the range of attacks we experience in the private sector is really unprecedented and getting worse by the day. the volume and sophistication of attacks is only showing signs of acceleration, and every published success simply encourages new entrants and bolder moves. threat actors from social activists, cyber criminals, nation states, tier one and tier two, with a -- financial and property theft and financial crime, and what i'm concerned about over time is destructive intent. and cyber criminal activities in particular have simply exploded.
12:30 pm
while one at a time they impact individuals, they impact companies, collectively they represent, i feel, a potential threat to the country if they continue to build the way they're building, and in particular if they become more orchestrated. imagine the top 10 retailers attacked at the same moment, the top 10 financial services companies attacked at the same moment, and the impact on confidence in our economy. and especially if the capabilities that today are pointed towards financial criminal activity turn toward destructive intent. that is a very sobering concern for us. now we each in the private sector have a range of controls and capabilities in terms of cyber protection and continue to invest. i estimate we spend more than $2 billion in the u.s. across the financial sector on cyberdefenses, from protecting the perimeter to protecting data