
tv   Key Capitol Hill Hearings  CSPAN  November 4, 2014 12:30pm-2:31pm EST

12:30 pm
you had to explain in terms of this risk communication challenge that we all have, the differences between the 21-day incubation period and a graph that says, 42 days. how would you explain that to the general public? >> it is not a fair question.
12:31 pm
well, i think the data i showed, especially that curve, pretty clearly demonstrates that we can identify the vast majority but not all cases within 21 days. so when we're talking about declaring a country free of disease, then twice that, 42 days is the criteria that w.h.o. issues. and i think intuitively you can run the graph out there and you can see there are no new cases at the far end. so it seems to me that that's, that additional safety precaution is clear? no? obviously not. >> one more response, yes. >> what would you say to that second little hump when you looked at your very nice geometric distribution, round-about 14 days, it looks
12:32 pm
like there was a small second peak? and i wonder, if an alert reporter were to ask you, does that suggest that the time point one should be later and that the true doubling is to take care of unexpected, unrecognized second outbreaks? or is it really the doubling of the that, you know? >> that's a good observation and i think you need to just keep in mind that this is real, real data from the field. and the accuracy of the observations you don't always know exactly when you were exposed. just as dan said with the clinicians that became infected themselves. i think there will be inherently, using real data, some variability and some assumptions that we just have to take into account. >> thank you. next question?
12:33 pm
>> good morning. nihs. dr. leduc, actually started to present some of dr. bausch's work and i hope dan could comment a little further what he did and was able to accomplish in the sampling both in terms of human specimens and in terms of the environment and a little bit, a little bit more for the group is, what is the research concerning some of the understanding of viability in various fluids beyond, i have seen, some evidence saying a blood sample may have it viable for up to 30 days, et cetera. and, some comment about aerosols, if there is information regarding aerosols. thank you. >> okay. just that. that study we did in gulu, after things calmed down a little bit and we were kind of able to get patient care and public health response in reasonable order, we just went around, and took, it was convenience samples.
12:34 pm
whatever sample we could get from a patient that was illustrative. i think the conclusions from that basically the virus is where we thought it would be from very sick people. unless somebody was really sick, that we could get it out of numerous different fluids. semen is of course that one we know that virus persistence is there, two or three months afterwards. the breast milk, latest we found a viable virus was eight days after, onset of illness. so it may be longer. we didn't necessarily have the fluids from people at every time point. an experiment that desperately needs to be done is similar thing but much more prospective. we were taking samples where we could on the fly. we really need to get in there and into an isolation ward and say, let's take samples from blood, urines, sweat, vomit, everything we can from day one and every day or every other day and look at excretion of this
12:35 pm
virus along those lines. that is not technically particularly complicated. we can do it. we need to set that up to get that done. that would be very illustrative. what we have, for example, much is made about virus in sweat but one of only two studies where the virus was found in sweat, we found it in a very sick patient with ebola and the postmortem studies were found in sweat gland and those are sick people and inappropriate extrapolations since we can find it in sweat with those people that died it in ebola, the sweat is on the bowling ball or the chair in the subway or new york whatever it is which is not necessarily true. on the environmental sides it may not be completely illustrative because that was a very clean morgue when we did it. things were under control. if we had taken environmental samples in the very unclean wards, worst case scenarios that showed, we might find more virus around but that just kind of
12:36 pm
stands to reason. aerosol, much has been made about aerosol. you know it's hard to, it kind of, just depends how you view the data. i think very clear that most people get infected from direct contact with blood and bodily fluids but in any study you will have 15% of the people or some small percentage who say no, i didn't have that sort of correct contact. some say 15% had aerosol spread or aerosol transmission. some will say they didn't recognize the direct contact with blood and bodily fluids. i can say one thing and people can say another thing, but if i say show data to back up your opinion is just not there so at that is why we're all there. >> one more comment. >> said 20% of the recent "new england journal of medicine" paper patients coughed and 20% of ebola patients coughed. there is at least one case report of a likely airborne
12:37 pm
transmission and one of the lessons from sars was that of super spreaders. we still don't know whether it is the geometry of the airway tract or the liquidity of breathing across membranes that actually generates aerosols. so it is not that there isn't a reasonable scientific hypothesis to be asked. it's, you know, the reasonable question and warrants protection. >> and i wanted to follow up that point that dr. hodgson made with dr. leduc, you sort of dropped this interesting concept of these many transmissions that have occurred with 14,000 patients and the viral behavior. i thought you intimated that the viral behavior in terms of transmission may have changed. did i misinterpret you? >> no. my point was that we don't know. we don't have any data.
12:38 pm
we know this virus has been in human-to-human transmission for a very long time, longer than ever occurred in any previous known outbreak. we do know rna viruses adapt to their hosts. those are scientific facts. we don't have the detailed observations that would allow us to associate any genetic change that may or may not have happened because number one, we don't have current genetic information on the viruses themselves and number two, we don't have the detailed epidemiological background to put observations in the real world with the molecular analysis of the strain. i think we just don't know. >> okay. i'm going to move to the next question. >> i'm from the office of science and technology policy and listening to what, all the comments about specimens and about the availability of
12:39 pm
material to look at these important research questions, i'm asking the panel who might be able to facilitate sharing of specimens and access to virus samples so that the world can make use of this material for research to inform the governments of syria, sierra leone, guinea and liberia to develop better clinical management practices and research? >> does anybody know how, the answer to that, how that is being done? >> if there isn't, shouldn't we thinking about creating one? >> dr. leduc, do you have that? >> i go back to the analogous analogies with the sars outbreak and at that time, both cdc and w.h.o. led a very aggressive
12:40 pm
effort to make sure that the virus was available to the international scientific community for analysis and that, that went very well. i know, i was at c-c then and i and dr. kisak spent a lot of time packing up strains of sars to share with others. so that, that worked very well. i don't know what the problems are now but i suspect it starts with the countries who have ownership of the material. it is more complex than that. i don't really have any answers. >> okay. i'm going to move to the next question. >> donna gallagher, ums medical school. thank you all for your work and your presentations. i wanted to also thank dr. bausch for bringing us back to the reality of the fact that it is in west africa and the bulk of the disease is in west africa. i've spent a good part back and
12:41 pm
forth for seven years in liberia and i can tell you that about 10 of our health team members died of ebola because of lack of personal protective equipment. not because they didn't don it or doff it or do anything with it. they didn't have it. one of my concerns listening this morning we've had a few cases in the united states, and at this point every hospital in the united states has bought personal protection equipment they probably will never need. which has made the pipeline to west africa dry up. we're about to send several teams to work on ebola in liberia and we're having trouble finding enough personal protective equipment to get there. so i wanted to just add that to our discussion because we do need to think about where we really need this equipment and make sure it gets there.
12:42 pm
the second thing i was thinking about is, all this information is wonderful research and i wonder how it will translate to places like dr. bausch showed you and places where i spent time n we're lucky to get bleach sometimes. if we could translate how we could safely dispose of waste, equipment, bodies, on a much more simplified level because it is unlikely that we're going to have a lot of incinerators or a lot of autoclaves in the next five or six years cropping up in places like liberia and i'm sure in guinea and sierra leone. it is same thing. so, i would be interested to hear how you think we can rapidly, because it is urgent, translate some of the information you eloquently presented in immediate way to the countries that are suffering right now. >> just reminder that today's workshop we are really focused on the situation in the u.s. but i think you raised an important point which is the impact of
12:43 pm
preparedness efforts in the u.s. on the global supply chains for personal protective equipment and other things so i'm wondering if there is any comment on that. i don't know if we should delve into how we should be controlling the outbreak in africa because we haven't been composed to do that but -- >> first of all, thank you for all of your work in liberia. i think the point you're raising to me is the relationship between u.s. and west africa in terms of the global supply chain of supplies. if you have every hospital in the united states prepared to take care of ebola patients, you're exactly right, the supply chain is going to dry up where you actually need it. so that's one of the logistical issues that think this workshop needs to discuss. how can we make sure that the ppe protection, for u.s. health care workers is proportionate, one, to prevalence of incidents and requirements?
12:44 pm
and we don't choke off this global supply chain to other countries that are really in great need as you point out. i think that logistical question is as important a research question as some of these other very logical issues that we're discussing. >> we're trying to focus on the u.s. but there is definitely no way to not bring this back to west africa whether you're interested in american health or west african point. that point, thank you for making that. it is very difficult in all public health the sweet spot of the operation without panic and without people going overboard and so now you're hearing on the radio that every hospital in the united states has to have their own, you know, ebola treatment unit. it is not realistic but every hospital needs to be prepared. so that is the big struggle that we're having thousand. how do we find that right place for preparation in the united
12:45 pm
states without overpreparation that not only is diverting our energies but diverting resources from where they really are most needed in west africa? lastly i want to say i think we also need to be very careful that we don't get the solutions to be so high-tech that we price ourselves out of it and also just you know, make them so logistically difficult that we can't implement them where they're most needed. if we look in west africa, our major problem is not environmental contamination. we don't have people that, that have come and we say, well, we think they were infected from virus that has seeped into the groundwater and those sorts of things. so i think that we need to toke discuss on personal interaction is where the money is and we need to focus on. >> next question. >> i feel a little bit of personality here. i'm the director of environmental health and safety and providing support to the scd
12:46 pm
unit at emory university and biosafety. i'm also the co-chair bio mention risk standardwer kicking off next weeks i was on the bio management team last six years. i'm in addition to a global director of a non-profit who works in africa set up nigeria, worked with nigeria setting up their response to the ebola team. so one of the concerns, first of all, as a bio risk management geek, i have to say seeing this panel up here is phenomenal. it is very exciting to see the efforts and enthusiasm, looking at some of the science and technology going into it. former life i used to do pharmaceutical research. so i've seen a lot of this science and technology which was
12:47 pm
alluded to i believe by dr. howard with regard to potent compound handling and everything. there is one group not at the table is the usda. if we look at our containment facilities for large animal research you do see a lot of this type of technology with personal protective equipment working around large animals that are in containment. that's a piece of the puzzle and it is and part of the team that needs to be brought to the table as well. the africa issue, it is not just africa but a lot of our developing countries. if we look at our developing countries, we spent tremendous amount of resources, billions and billions dollars for security. and global health security from the standpoint of containing from a bioterrorism standpoint what we failed our global health security agenda that on international health. when we look at, just these issues that we're dealing with. dealing with of looking at, do
12:48 pm
we have the capacity to, you know, identify, contain, respond to a potential outbreak. whether or not it is a terrorist attack or whether it's a natural born outbreak. we really need to start looking at that. i commend those who are in the front lines. as a biosafety professional it is an honor to be able to provide support to you and in, whether it is here in the united states or not, but one of the concerns that i have as we're developing some of these technologies and everything is just what was voiced earlier, how we have been related to developing countries. because they are not obtainable -- [inaudible] the other area, i would say is from a bio risk management standpoint, we need to do a better job of risk assessment. you know the guidelines that came out from cdc, our health care facilities what i'm finding a lot of times they will see those as law.
12:49 pm
it is not no room for risk assessment. i talk to the guys right across the street as they were developing them and everything. we need to have, these are guidelines. we need to be able to teach our staff and our faculty and our students as they're growing in their skillsets how you do a risk assessment and how you equate that to the work place and how when all of sudden when the ppe line that you have depended upon dries up what are you going to do next? and have those contingency plans in place. and then there was also something, that was interesting throughout our experiences with non-hierarchy of, and i don't remember which one of panelists indicated that but thats with key component to success of our scdu unit. if our physician said to -- nurse said to physician said to
12:50 pm
stop, they needed to stop. that wasn't necessarily one of the things thought of very positively. the success of our story that anybody could stop a given situation at anytime. anybody could question. the decisions whether or not we scaled up or scaled down in ppe was a team effort. and so i commend, i commend this panel for what you're doing and looking forward. and then also i ask, how are you going to start rolling this out to not only health care facilities but our research because the lack of ppe, my concern going to impact our research facilities here in the united states as well as abroad. >> okay. that was about six questions but i'm going to put them, summarize to the panel one at a time. i think starting with that first point is, whether there is something to be learned from the practices that have been developed in the laboratories of large animal laboratories and i know dr. peters, that you have
12:51 pm
been involved with outbreaks involving primates or large animals. and there are, some of you also have worked with animals even though we don't have usda at the table. is there any comment on that particular issue? >> well we know horses and goats are resistant to ebola because they have used them for -- [inaudible]. i think expert here on setting up diagnostics on the ground is tom. >> very large primate -- >> very true. yeah, quite large. not the largest but certainly large. any other comment on that? if not, i thought also the issue about use of risk assessment as opposed to protocols and if there are more, if there may be more a adaptive ways of doing
12:52 pm
preparedness and developing responses in medical facilities as opposed to simply following guidelines. i think that was the question? >> dr. hodgson and i are discussing who will take the risk assessment question. certainly it is a fundamental activity in occupational safety and health to assess the risk and often times a lot of our clinical infectious disease colleagues aren't quite as familiar but it is a fundamental principle. and it does, i think, have an important role to play here when we're talking about equipment needs because you may be creating an inefficient situation if you're not assessing the risk properly. and i think, you know, your comment about the health secure, i just wanted to add, to punctuate that. as i said at beginning i think this workshop is about ebola but larger issues we are talking about, and i certainly hope the iom and nrc take this up, we're really talking about
12:53 pm
international health security. there are lots of different hemorrhagic viruses. dr. peters talked about one in bolivia. marburg viruses. there is a lot of very serious issues out there with internationalization of travel and business, et cetera. we'll be facing another workshop but it will have a different name. it won't be ebola. it will be some other infectious disease. so i think it is important we continue these discussions. >> yes. >> just a little more detail. risk communication, risk analysis, i mean identifying hazard and degree of the hazard. using humans as a surrogate. at what temperature, at what subjective feeling of illness people actually start shedding the virus? you know is it, 99.4, 100.4, 101.4. those are fundamental questions where we don't know the answer yet. we're giving guidance. hazard assessment, risk analysis. at which point do we know what kind of ppe to use?
12:54 pm
we could study that in formal way. unless the people that will have to act on that are involved thinking through the questions and the guidance they will not be comfortable with the answers. involving health care workers in the process strikes me as important. >> thank you. >> for the last one i'm going to pick off that comment what has to do with one of what the presenters called a non-hierarchical team based approaches. i know this has been a major concern of the institute of medicine for quite some time in the provision of higher quality health care delivery than need to have changes and how members of health care teams interact around safety, around patient safety as well as around their own personal safety. and if there are further comments from the panel on that. >> well, the overlap of employee and patient safety has been in the air since i think the first
12:55 pm
joint conference of niosh, veterans health administration, arc and osha in 1998 which paul o'neill did the keynote address and talked about that. as we get to ebola where the source and recipient are the same, for many on diseases it is not as much of an issue but clearly this is the poster-child for the overlap of patient and employee safety. and seeing pictures in liberia of those beds and tents, was humbling. as we think about the luxury of how we deal with patient safety here. clearly a huge, huge issue. >> next question? >> thank you. michael strom, university of minnesota. i think if did a poll to everybody in this room they
12:56 pm
probably agree 15 to 20 weeks ago none of us would believe we're here at a meeting like this talking about a situation like this. in some ways lack of creative imagination are with maybe we could have and should have and we all will go back and wonder why we didn't think of this possibility raise as very important question where we move forward with this? when you look at history of ebola in the human species, there have been 24 documented transmission situations, 20 communitywide outbreaks, 2400 cases. most generation of ebola in zaire, 17 potentially sudan. many way this virus hardly pinged the human species we're making processes extrapolating the situation. some said the virus didn't change and africa changed. all about urbanization and lack of health infrastructure and poor response time. one of the things we're missing on right now asking ourself that
12:57 pm
really hard question again like we could have asked ourselves weeks ago is there any difference in this potential virus? whether it is example of higher level of viremia. genotypically we have limited data or no data, would that begin to change some of possible conclusions we had about past outbreaks? we had that with other infectious disease where we have higher level of viremias or bacteria, but the rate of transmission is different, the dynamics is different in that regard. it would be interesting for this meeting, clearly we're making assumptions about all the previous outbreaks being the model for this outbreak and surely in the general trends of epidemiologic transmission it is but the question is, could it have changed and not just the fact it is crowding, that lack of medical services et cetera, that this is for example, higher viral loads that would result in different levels of transmission we've seen in past outbreaks.
12:58 pm
gary will be covering some of this afternoon but i guess i would ask the panel for implications of that? because are we making a mistake by expecting this to be exactly like the past outbreaks just with more people? >> and anyone want to tackle that one? >> i can come in i guess. certainly valid questions. my gut feeling the seeds of this are more related to the social and cultural factors and logistics of west africa and people going back and forth and all that. but i think we definitely need to be open to scientific inquiry and we have some of the beginning data but it just takes a long time to generate it, longer than we like. we have some sequence data of course but that doesn't really tell us what we need to know. we need to put that into cell culture, need it in non-human primates and different manifestations and different viral loads and i think those studies, i can't quote
12:59 pm
researchers, i think those things are being done in various laboratories in the united states and elsewhere. it just takes time to kind of get those. of course it takes time to generate all those data. if you think about just getting samples and all the logistics of import permits and getting somewhere where you do those type of experiments it is a slower process than when we like it to be but it is a valid question we need to be attuned to. >> dr. peters. >> i wouldn't be surprised if we didn't get an answer in the u.s. because in africa you're so pressured for time, there are some people, so many different ways you can get ebola. but you plop somebody down in the middle of des moines and you may find out whether there is aerosol transmission that has evolved over a period of time. >> thank you. >> thank you. >> two at mic. i think we have just enough time
1:00 pm
to take these last two questions. so next question. my name is robert mcfarland. director of communicable disease and control and prevention for los angeles county of public health. chair the infectious disease infection control committee of national association of city and county health officials. about dr. bausch, realities on the ground in west africa, perhaps domestic research area we could put priority, ways we more systematically improve recruitment as well as mobilization of health care workers, both public health and clinical to help in west africa? thank you. >> okay. agreed and open to any ideas you have to try to increase the numbers. >> last question. >> i'm bob harrison. california department of public health. . .
1:01 pm
not necessarily now. i think that would be a hard list to do it next week when the hospitals are in the midst of figuring out how to purchase the appropriate, but sometime relatively soon why all the memories are fresh because we getting the questions at the state level about what exactly to buy and i wish -- i would
1:02 pm
like to know how people are using it and with the experience of the workers are. so this model of the participatory research to help the public health at the local and state and federal levels understand what we can learn six months or a year from now. >> i will take this one. over the last two or three weeks who has had a guideline to the committee on -- team that came out of the day before yesterday. they are i think hopeful. we did do some surveillance from health-care workers coming back from west africa and what they liked and disliked in order to inform those guidelines. they are valuable but they suffer from what we desperately need and we need evidence base and so we came down to one
1:03 pm
person saying i think you need this and that. people could express what they liked but when we said it was necessary they said it was all opinion. >> one last question and i don't know if everybody knows because the select agent regulates experiments on this virus and basically they respond fast and i think i want to put it out there that if i want to start doing something new that will take me two years >> in the rocky mountain labs. >> comment on that it's probably
1:04 pm
true there were a lot of regulations that govern the ability to even initiate research in this area and something to be aware of. >> election night on c-span2 people have booktv in primetime with eric schmidt how google works. one of the races we've been following as the race
1:05 pm
1:06 pm
a series of discussions on cybersecurity from the vote in washington, d.c. hosted by the u.s. chamber of commerce first we will hear from michael cybersecurity coordinator michael daniel on the challenges of protecting cyberspace. then in about 20 minutes industry experts and government officials focus on protecting public and private cyber networks and then in a little over an hour global approaches to cyber security cybersecurity policy, partnerships and innovation all coming up today here on c-span2. [applause] >> thank you. good morning everyone it is a pleasure to be here at the chamber for the third annual cyber security summit. for those of you that have been forced to hear me talk before i've tried to throw in a few new things to my speech so that it
1:07 pm
won't be totally boring for you. thank you for that very kind introduction. but i do want to talk a little bit today about why cybersecurity is such a hard problem and about why we are still talking about some aspects 20 years on and how we are trying to think about that to design our policies to shift, to adapt some of those key hard problems. when you take a step back from the purely technical standpoint it isn't obvious why cybersecurity is a really hard problem. at its root most of the time the bad guys are getting in through a vulnerability that we know about and we know how to fix. so that means the enemy is penetrating the networks and the hole that we are well aware of it we even have a patch to go over and yet we don't do it. so what's the deal? why is this such a hard problem?
1:08 pm
the issue is that cybersecurity isn't just a technical problem. it's far more than that because of what cyberspace has become to us. cybersecurity has strong aspects but it's more than that and it is an economic and business problem and it's a human psychology and behavioral problem created a political problem and it is a physics problem all rolled into one. so when you combine all those factors together that's why cybersecurity is a hard problem and so difficult for us to solve and difficult for us to tackle. and i want to draw out what those problems are and talk about what we are doing to address them. the first problem i will talk about is the business and economic aspect of cybersecurity. i don't think that we understand the economics of cybersecurity very well. and i come to that conclusion because of what i said. we have solutions that we know
1:09 pm
are out there. the technical solutions that exist if we can't get people to actually implement them. we have been talking about cyber hygiene information sharing, identity management, literally for decades now. and she worthy adversary tactic involved in cyberspace and the malicious behavior is going to the same weaknesses continue to not like we don't understand the facts at this point is we need to do more on education and outreach and talk to more and more larger and larger portions of our society that certainly the numerous news reports on cyber breaches from target to home depot have helped raise awareness and it's in everyone's interest to be good of cybersecurity is not likely think i want to have the poorest cybersecurity on my network so the conclusion has to be that we
1:10 pm
don't really fully understand the economics and incentives that surround cybersecurity. we haven't have been confronted the problems in terms of how people actually work on the internet. to confront those problems in terms of human behavior and motivation and until we confront them as a business problem and economics problem and a psychology problem as well as a technical problem we are going to continue to flail at the issue. another problem that i mentioned is politics and then actually stems from the success of the internet and cyberspace ironically. it is the vast expanse of the impact of cyberspace and the fact that it touches everyone and pretty soon it's going to touch everything and it is changing how people think about it. when the internet was first built critical infrastructure wasn't connected to it and didn't rely on it. nobody cared about privacy calls
1:11 pm
because people didn't live their lives online. users shouldn't worry about the undermining security, the underlying security of the code only that it worked. governments didn't understand the internet or see why they should care about it. so they set up to be governed in a decentralized function outside of the government-based structures and didn't incorporate a strong security. governments are making up for the fact that they need to care about what happens on the internet and how it works for all sorts of reasons both good and bad. companies are waking up to the second citizens are waking up to the fact. as a result what used to be decided on a purely technological basis by technology experts that an informal agreement on service providers.
1:12 pm
now if it's the focus of the highly political process. so the management of security is now harder and given how important the internet and cyberspace has become to everyone and everything that isn't likely to change anytime soon and we need to take that into account as we build our policies. last, the third hard problem that i would identify for you stems from the structure of cyberspace itself. and as we think about how we work to build the cyber defenses the physics and math of cyberspace played a very large role. traditionally we took about how cyberspace is borderless and how there are no boundaries. it's both a strength because it
1:13 pm
allows to drive commerce and the value of the problem because it allows the great freedom of movement. the servers and the points touch the borders and they are building the internet of things. so it isn't the borders and boundaries but what it lacks is an interior. when you think about everyone lives and operates at the border and touches the edge or the border in some way. and in reality into the physics of cyber security how we organize ourselves as a society to protect ourselves and cyberspace.
1:14 pm
if everyone lives right at the border in cyberspace, then it isn't possible to assign orders security to just one group or element of our society. as a result of means of protecting cyberspace by its very fundamental nature is a mission that has to be shared by all. that reality makes organizing for cybersecurity incredibly complex because it requires us to do cooperation across the boundaries that we have in the physical world made by design difficult to bridge both inside the government, within the government agencies and among the government agencies but also because the government and private sector and within the private sector. so if these are the problems, economics, psychology, politics, physics what are we doing to actually address them.
1:15 pm
at one level we have to address some of the technical issues i mentioned because cybersecurity requires a very strong technical foundation and know-how. so one of the things we've been trying to do is powering the remarks for the cyber education but we have been trying to take that to the next level. we have over the last couple of months. the program with the java driven training initiative and what that is designed to look at how we really begin to drive to fill the gaps in our technical work force. but not just our technical workforce. the the workforce across the board. all the different aspects of cybersecurity professionals that we need so that we can generate the kind of staff that we need to do the cybersecurity mission that's not only the government has the private sector has as
1:16 pm
well. the financial systems, the law, business management and the like. it's up to the universities are beginning to interact with giving the computer science departments to collaborate with the business schools to produce graduates with applied skills and the cyberspace problems and manage the risks in the business world. we will begin to address the problem by supporting the scholarship programs and supporting an effort to do all the heat map of where the jobs are and partner with businesses and others to develop more cybersecurity centers of excellence across the country at various universities to increase the workforce we have available to us. we are working to address the
1:17 pm
business economics and psychology issues of cybersecurity. and that is where the framework and one of the core document that's been talked about and that others he will talk about today come in handy because the framework. and they operate in the real gold and world and address the cybersecurity as part of their business. the national institute of standards and technologies lead the effort but it's one that they convened and coalesce the best ideas out of the industry about how to approach cybersecurity not just as a technical problem but as a business and economics problem. if you open it up and try to learn how to run your firewall you will be disappointed because that isn't what the free market is so it's not how you think of cybersecurity as an issue.
1:18 pm
it's deeply rooted and taking the risk management approach into the framework recognizes no organization can or will spend unlimited amounts on cybersecurity. instead it enables the business to make decisions about how to prioritize and optimize cybersecurity in light of the risks that they face. it also provides a common lexicon and vocabulary to talk about cybersecurity and it provides a common foundation for communication between businesses , between businesses and their suppliers and between the business and the government. so, to that end it really provides a new way forward to talk about cybersecurity and communicate and deal with it in a new way. that is where the framework will go. the great strength of the framework and its great success will be when the businesses and others figure out ways to use the framework that we never even
1:19 pm
dreamed of when we built it and to me that is where we are driving to work today. there are two ways we are trying to address these problems, the political problems and the physics problems we are trying to address them through information sharing efforts. many of us in the room that have dealt with these a long time are almost sick of talking about information sharing. i've seen some information familiar faces out there but it's one that we must address because we have to move more information both among the companies and between the companies and government and from the government back to the private sector. we've started to see some traction in the formulation of efforts like these models coming out of the dhs and providing a technical foundation for information sharing. but we have to continue to do more and that is where the administration is very focused on. earlier this year the department of justice and federal trade commission issued guidance
1:20 pm
indicating that antitrust laws shouldn't be a barrier to cybersecurity information sharing between the companies. this was a big step but there was the scope of the work we have to do in the problem. but there's more we need to do and we are continuing to look at the options are in the administration and we also continue to support the passage of cybersecurity information sharing legislation in congress. we have the chance to hear from senator feinstein and senator chandler's we are working with them to try to get that kind of legislation over the finish line another area to address some of the psychology and business and economic aspects is in the consumer financial protection space. with over 100 million americans following that come over the last year and millions suffering from credit card and fraud identity we know we need to take some steps to make more secure
1:21 pm
technologies available to secure the transactions and safeguard the sensitive data. two weeks ago the president signed an executive order directing the government to lead by example securing transactions and sensitive data. the new initiative will provide consumers more tools to secure their financial future by the victims of identity theft and the payment security as a customer and provider and accelerating through the transition for the stronger security technologies in the development of the next generation payment security tools. while there is no silver bullet to guarantee the data security the executive order includes securing the other cards with microchips in lieu of the magnetic strips and those available on in the standard and the consumer cards. the president is calling off the coders to join the administration and a number of corporations in driving the economy towards a more secure standards to safeguard the
1:22 pm
consumer finances and reduce the changes of becoming victims of identity theft. we also announced the white house summit on cybersecurity consumer protection which will happen later this year for partnerships in innovation. we will bring together major takeovers on the consumer financial protection issues to discuss how all members of the financial system can work together to further protect american consumers and their financial data now and in the future. another thing howard mentioned as well as the national strategy for entities in cyberspace. in a nutshell this is the administration to kill the password that in a primary security method. we simply have to kill off the password. it's a terrible form of security and we've been unable to move past it for many years. so again this comes back to obviously there are plenty of technical solutions to do this but it hasn't been able to be
1:23 pm
cracked as the issues that are not the technical ones at the liability issues, the networking issues and other things. so the goal that we set up was to tackle both part of the problem and found pilot efforts to get over those non-technical to proliferate more across the ecosystem. and i'm excited to report that very soon we will have many of those starting to come to fruition and i think that we will start to see over the next six months to a year the technologies roll out across much of the market and become much more widely available. and i see the instant of a great example of the way that we can make cyberspace inherently secure working for the various partnerships. projects the industry and the government have piloted under the state are starting to show results and now we are positioned to build on that momentum as we push to accelerate progress on the identity, credential and access
1:24 pm
management and the federal government. over the last six months we've dealt with all sorts of issues from heartbleed to shellshock to intrusions across various departments and agencies so one of the things we are very focused on in my office is interesting to cybersecurity's across all the different parts of the federal enterprise. and we are working very hard to promote the concept that cybersecurity is not just as in a corporation cybersecurity is not just an extra center but is the core in being able to execute a federal agency mission and then cybersecurity is a mission and a polar conscious department of defense and homeland security but for the department of the interior for the department of housing and urban development, for health and human services and every kind of agency that you can imagine. cybersecurity is core to the missions of the agencies across the federal government in order
1:25 pm
for them to be able to do their mission. so as i mentioned at the top, cybersecurity is an inherently hard problem. for at least the reasons i cited and probably more. but as a community we have made some progress over the last few years and started efforts that can alter the cyber landscape in a fundamental way. we started to do things like the framework and that framework and be indistinct and start to address cybersecurity as a business problem and address the underlying psychological human behavior issues that are present in cybersecurity. we are starting to realize we have to build the partnerships in the political issues of cybersecurity's after work together to address the physics that make cybersecurity so hard. so with the staff being considered one of the apocalypse , i am at the root an optimist. i do believe that we can tackle these problems and make
1:26 pm
cyberspace safer for all of us. of course in cybersecurity there is no such thing as done so we still need to continue focusing on making progress and that is what i'm looking forward to doing over the next year working with all of you to make cyberspace inherently more secure. thank you very much. [applause] i think ann is think and has indicated i have time to take a few questions. so i'm happy to do so. i have stunned everyone to silence. thank you very much. [applause] coming up and about half an hour on the companion network c-span
1:27 pm
a discussion on efforts to create an hiv vaccine posted by the center for strategic and international studies and we will be hearing from the representatives of the groups working on a vaccine as well as anthony fauci because of the allergy and infectious diseases. but as of 2:00 eastern on c-span and tonight campaign 2014 e. election coverage starting at eight eastern can watch who wins and loses and winds up in controls congress and engage kent with congress and engage in c-span and follow the results and we will be taking your phone calls and you can send a message that c-span or facebook.com/c-span. on facebook we've been asking the question do you vote. why or why not. thomas writes yes on 64 and i haven't missed voting since i turned 21. it's my duty. and yes we are based on the right to vote and many died to give the right and i go to honor them and have a voice in the process. see what others are saying and
1:28 pm
share your thoughts on facebook.com --. >> i'm calling on a debate i saw between bruce and john yoo regarding the declaration of war and the war powers act. it was quite interesting to watch the debate and it also demonstrated some of the attitude of the neocon proposition that the beginning of any war the president had ultimate hearsay ability to go to war. stupid student i would like to commend c-span2 for airing the information from the writers on
1:29 pm
grief and the military. it was excellent information that gave the level of interaction and dynamics and nuances and the reality for instance that post traumatic stress disorder can climb up and can be resolved if you continue to try various interventions. >> i think american history tv on c-span is one of the best programs available. i wish we could do it more than once a week. >> continue to let us know what you think that the programs. (202)626-3400 or e-mail comments@c-span.org or c-span
1:30 pm
comments. join the conversation, like us on facebook and join us on twitter. >> back to the chamber of commerce cyber security summit for the panel on the progress that's been made trying to protect public and private cyber networks. this is about an hour. >> welcome back to the third annual cyber security summit. next we have a great panel for you. matthew is on my staff at the national security and manages the cybersecurity work and work groups and he is going to moderate the panel. take it away. >> i hope to lead the working group. before i turn to the panelists to give a one or two minute overview on how cybersecurity fits into your professional
1:31 pm
lives, i thought i would just kind of play now for the folks dealing and others that are relatively new we use two words in part for the framework process it starts a process or helps a business start a cybersecurity program if they haven't been involved in that space or for many of the folks in the room and others helps them improve what they are already doing. and either way it is very important. we want that framework to remain flexible and dynamic. the other thing is you notice we have three panels. and a lot of more of cyber generally but we also have an international panel that will follow and the key with that is we want other governments around the world to consider using it. we've got an effort here in the u.s. but that's not enough what we want to do is have other governments look at the framework and use it because we
1:32 pm
have companies here based in the u.s. but many of the companies operate globally. the standards and best practices that are embodied in the framework of your industry supported, they transcend borders and for the companies that are operating in one or more countries it's cost-effective, cybersecurity and the third panel we will have a second discussion to talk about dealing with the challenges and opportunities so just a quick snapshot of why the panel is what it is and where it's at. so thank you. if i may, you've got individuals with american express and last
1:33 pm
week at the department of homeland security, the dhs and then of course with the department of commerce as many aware it was the assisted group that has been very involved. they helped coordinate the process for producing the framework. so, if i may, let me start off with a general awareness question or i guess i should say let me turn to you if i could and did a self injure. >> as chris mentioned earlier this morning, dell is actually transforming to offer a series of solutions for our clients
1:34 pm
both public sector as well as private sector having to do with security and cybersecurity and that gets to the identification that we would love to see the death of the passwords and we would love to be able to help our public sector and private sector clients with that and we work on a whole variety of policy issues as well as technology issues in the cybersecurity space. everything from the supply chain integrity to the devices that are on your desk or in your pocket all the way back to the security intrusion prevention detection of our secure works division. so, broad technology spectrum for cybersecurity. >> excellent. >> shone with american express areas i do want to thank the chamber for putting this on. it's a pleasure to be here on the panel with everybody.
1:35 pm
i guess my playground is the identifier to protect the categories and also responsible for the partnerships and relationship activities associated with information security and our objectives among securing the economic transaction lifecycle as well as information security object is in general and continue to support the ongoing improvement efforts as well. >> thank you for being here. i run the financial institutions group and we have a critical infrastructure protection office which is where we focus our cyber security efforts. our efforts in the critical infrastructure area are to act as a fulcrum between the three groups, the administration and our partners at the dhs and also the intelligence community and the regulatory community as the mostly are aware the financial regulators are independent of the president and so we have a
1:36 pm
coordinating group with those bodies and then we are a plaintiff the interchange in the financial sector and the governing bodies that they have both put on information sharing and on the best practices and also to help get input on the policy development process for the civil and criminal issues. >> good morning i want to echo the thanks in the audience thank you all for taking your time. the dhs works hard across the government and academia so my role is as the undersecretary for cybersecurity can indication with the national protection and perkins director. there is a quiz on that at the end of the plate look at his or programs that protect not only the government agencies but the industry stakeholders in the critical infrastructure and small to medium. many which are represented by the chambers of the chambers
1:37 pm
have been very helpful to us as we are not only from the machine to machine program and how they could protect the computers very quickly, but also how we built those partnerships between the government industry, people people to people, so you know who you are going to call. and then working across the dhs and also church in church and it is necessary security across the u.s. coast guard with the secret service come home and security investigations and certainly the office that you can imagine the number of attacks that would come into the dhs .gov. my top three priorities are all about building trust. with your community and stakeholders and private sector industry. it's faster than a richer and has no lawyers. we are enhancing our situational awareness and that is where the framework comes in to this wonderful set of practices that are crafted by many of you and it's our job to roll that out and talk about that and enable
1:38 pm
especially the small to medium businesses to take this conversation about the cybersecurity to the board room. if you look at the situational awareness conveying the information that we get to the partnerships and the machines and a third priority is rolling that out again sure that we can communicate the framework and best practices. >> we serve about 2 million customers in atlantic area covering of the nation's capital. so, this building as well as a lot of other important buildings in dc. so all of this activity is very important for us especially cybersecurity has always been important to us. i have been down here for five years and i think that over the last five years have seen an increased emphasis and appreciate the partnership with our government partners and i will say the security of the great going forward.
1:39 pm
the framework has been very important to us and as well as the maturity model that's giving us a framework to look at but also as we regulate not just from the federal government but also from the state governments it gives us a single pattern or framework to follow so that we don't get caught between the different requirements into states that have to deal with that. so continuing progress around the framework and continuing to work at the government around information sharing and all that is important to us going forward. >> i would like to thank the chamber and all of you for participating in this event because as the department of commerce, and which coordinated the development of the framework of our primary one of our primary objectives is increasing awareness about the framework and we believe the more awareness there is in the private sector and in the government about the framework,
1:40 pm
the more the uptake will be into the better our cybersecurity defenses will be throughout the country. at the end of the week we are putting on his pension conference in tampa meeting with with the love of private sector security developers and just potential users of the framework. it also serves the on awareness of the other principles we believe is important around the framework that it's dynamic and changing and we are continuously listening to the private sector to develop ideas on best practices, how to implement the framework more effectively and these kind of dialogs like we have today are very important to that objective. >> some of the topics we want to hit or framework awareness, information sharing is a big priority i think that it's also time to talk a little bit about
1:41 pm
the turns so let's start with a repeatedly easy one and then more difficult. how has been the public-private interactions since the framework has been launched earlier this year including awareness? that's one of the things we put a priority on his visiting local chambers. how are your interactions with those in the private sector and government, what's been the reaction? >> the conversations that we have been having with a very wide spectrum of industries shows the general applicability of the framework and the diversity of the sizes that are grasping the concepts that it's
1:42 pm
not just for large organizations the way that i look at the uptake uptake or the awareness it really goes to the three c's, conferences, coalitions of like-minded folks and then it also gives the collaboration. to collaborate more than compete so i think the framework of take and interactions that focused on the collaboration and coalitions may be of smaller organizations that don't have the resources or capabilities of a larger public or private institution because coalitions are looking at the framework as a way of quickly reaching the common ground. so, we are seeing eight out of take from a wide variety of industries and different organizational sizes and different mission objectives and from that perspective, the robust aspect of the framework
1:43 pm
is going to serve while. >> what we found with our cyber working group and the sound of the companies coming to say this is something they can use and with the ask what has your reaction then we've had a prospective government. >> we have had feedback from the financial services sector and i think that it's a credit to the process that was used to develop the framework before it came out. there was lots of consultations and with the framework it's very clear that it was both voluntary, applicable and meant to be tailored to the individual organization did a strong message that it is a living document. i think that when you put those things together at the reception has been very positive generically.
1:44 pm
within the financial services sector specifically we have a huge range of different types of businesses. we have very large banks, broker dealer insurance companies and also banks that are small businesses area and they certainly are constantly reminding us how dangerous the industry is, and i think the framework has been pretty effective in dealing with that but one of the messages going out to the groups is to remind people cybersecurity doesn't have to be that complicated. if you have a small organization, if you have a simple it infrastructure, then you can approach cybersecurity with a lower degree of technical complexity. the other message that we have been sending a lot is starting to get people engaged in their vendors, getting people engaged with their counterparties and their vendors and their suppliers to make sure that there is a dialogue around using
1:45 pm
the framework as the basis for a conversation. are you using the framework and can you help me was the framework i think that the blogs have been very well received at all stages of our industry in the financial services sector and the last thing i think it's very is very positive as you've seen specific translation. so how do we translate this specifically into the financial sector were how do we translate this specifically to an audit standard and we've seen this in the financial sector of the projects if it industry with the auditing firms to try to develop a version of the framework. i think that is tremendously positive when you see the industry banding together and translating into specific requirements as they see as best practices. >> i was going to ask you have a cq program. you want to talk a little bit about that? >> you stole my thunder.
1:46 pm
i was good to talk about the infrastructure, cyber community, the wintry program. and that is a lot of work for saying that we are committed at the dhs to our partnership with visitors of all sizes of government and state and local and i would also thank christina wherever you are for your work on this. but as we look at that, the program is designed to reach all of those so it reaches the companies that supplied a supply the large companies. most of them have thousands of people that have discovered. the large companies are resilient and when we look at who supplies the companies that is the smaller ones that can take the framework that's been absolutely transformational. one of the reasons for that is that this was developed by scientists. it wasn't just a document of people thinking what would we do. it was actual scientists that know the products and got together and made something that we believe was using to help drive the market. to let the market tries better security, go out and build better, faster, cheaper stuff,
1:47 pm
but the country in the lead but at the same time, to secure the company said in the past didn't have a budget or didn't take the cyber risk consequence of patient so not the viruses and worms that you get protected after a printer but the actual discussion of where the cybersecurity said in the company and take it to the board room to mitigate that as you would any other piece of the corporate risk and the framework has been a catalyst to have that conversation. the example that i use, i've spent a lot of time on the west coast talking to start of -- some of the startup companies and the state and local governments and one of the things we asked is if you are going to the $25 million into the round biography with you not protect the intellectual property. you ask if they have a claim and we should ask if the firewalls were any information that you have this project and we have some guidelines on how to do that and so we have been using this program to each companies of all sizes, to take the conversation to the board room
1:48 pm
and make it out of the viruses and worms that make cybersecurity part of our culture. howard schmidt said 14 years ago, and i'm not that old but somebody might be, we are all since then we are all that. howard said 14 years ago because a culture of security and i think the framework is taking us there. >> that's something that a small come amid or large-size business can utilize. the cq program that's something any business could utilize. >> the program itself is a way to take the principles and the framework and roll that out or present them so we provide for example the critical infrastructure reviews and resources on the website. we are taking everything we have in the government into giving it to anyone that will take it with instructions on how to use it and then what we are asking people to do is to solve measure. one of the challenges is that it is hard to get the quantitative metrics on exactly how many are
1:49 pm
using the framework because we have the dhs don't ask you to report back to us that would defeat the purpose of providing the resources so as we look at other ways to quantify the good benefits of the framework, we are looking at how the companies are using it, but not asking the companies necessarily to report back to us. >> i want to ask that the critical infrastructure which is part of the executive order. so before i do, the things that you have been utilizing like the framework for quite a while. >> if i could just comment primarily on the collaboration aspect, first i think the framework has been very valuable to us internally. it's helped us build on what we do already and helped us in the framework for putting it into categories and understanding it at all it and both of the languages over the linkages to the suppliers which i think is sometimes a something that is up and coming where we need to focus on the supply chain as well when we think about cybersecurity not just in the four walls of everything that we use in a supply to us.
1:50 pm
but in our industry may be because we are regulated in the collaboration becomes a little bit easier. collaboration is also essential i don't know how many folks realize the system is operated as a single grid every every thing east of the rockies is tied together. so it is impossible for us when we think about the event of anything physical cybersecurity to think about it in isolation so we are very much involved in our partners in the country in the industry and government to think about cybersecurity in that broad of a sense. and the electric utility industry is a part of the critical infrastructure. we have stood up what is called the electricity subsector coordinating council as a part counsel as a part of the framework of the different sectors and councils and that much is involved in the different government agencies and it's really the point at which things come together at the highest level to comprise the ceos and executives from
1:51 pm
public powers and a regional transitions that operate the grid as well as all of the government agencies and the senior level for the policy discussions to the current discussions about information sharing using tools and technologies and sharing about and also in an instant also having those lines of communication very open. and it isn't just something we set up its something it's something that gets discussed regularly. it's something among ourselves and governed around what happened. >> the reactions generally on the frame of awareness has a question about the liability that we will come back. >> one of the things about the awareness that is changing is the framework is a great facilitator of dialogue where it enables technology to talk to
1:52 pm
generalists who are on the board or a ceo in a develop plans around cybersecurity. but i also think there's going to be a bottom-up acceleration of awareness about cybersecurity issues and hopefully the framework as well which as you see the customers it is really the market speaking in the private sector where the most sophisticated customers are the business-to-business type of relationships are interrogating who they are buying from and who they are integrating with. what are your cybersecurity measures, that is a very important come increasingly very important whether an institutional sophisticated buyer is going to buy from your company. but it is also penetrating at of the consumer retail level. where the surveys about the awareness of cybersecurity and whether someone would buy something online from one
1:53 pm
company or another is dependent on cybersecurity measures. and i think that we will see various consumer groups starting to measure the companies on the basis of the cybersecurity defenses. so, i think that the awareness is going to go way up about cybersecurity coming it accordingly to the framework and why it is so important that we have a dynamic working successful way of dealing with these issues like the framework when the awareness, not just top down but bottoms up sports to have been in the private sector. >> on the liability issue you are using the framework you are looking at as a tool. how are you looking at it more generally with business partners and so forth?
1:54 pm
>> we recognize the viability to the discussion again to speak a common link which to get closer to the concept of the shared assessment. the overhead potentially is minimized and in terms of how we operate the vendors we use a common assessment and the framework evidently provides the opportunity to do that. but in an organization of our sites like many others with a significant size, you have got long-standing processes to defend against and and they get to very complex and pretty intimate. so it is one of those moments where trying to make sure that we can add up to the concept of the framework of the existing process is something that will take time however the recognition of having to buy more can actually start to talk about the importance of security and use the framework is a decision point in the discussion but i think it's been very helpful. >> if you find business partners
1:55 pm
are allegedly receptive to those conversations about using risk management tools like the framework are they receptive? you would have seen things like the h1n1. they say we have a pandemic plan. we would like you to because we would like to rely on you and vice versa. how has the receptivity been? >> i think it's good. the recognition of the framework is extraordinarily high. the value proposition of being able to be assessed against a single structure of a single taxonomy i think is high as well. and what that assessment ends up being is able to be sure across other perspectives and partners as well. and again, there is a big cost savings there if it is done effectively. but again that is part of the journey of knowing how to adapt the framework and a number of different business purposes related to cyber.
1:56 pm
>> was iacs people are proud of their work and i think that the framework gives them an opportunity to explain what it and other organizations whether it's in the legal side of things and risk mitigation they are very proud of what they've done. but it gives them a way of describing it. i think of it as a rosetta stone and other disciplines. i think that the idea of being able to evaluate a supplier and to be doubletime make a business decision on who you want to do business with i think is going to become more akin to an iso certification for a manufacturing facility. i think that you're going to be able to get to that good level of housekeeping seal of approval and i think that it's going to mean something. when people make business decisions on who their partners are based on the ability to come to a like agreement on cybersecurity for information security and information
1:57 pm
sharing, all those things are going to improve the business interactions. but i think people are very proud of what they've done. they should be proud, and i think it gives an opportunity to stand up and say look what we did. it's really good. >> one question i've been interested in and the executive order, the critical infrastructure greatest risk how should we think about them being engaged from your perspective are they getting the resources that you think that they need to counter at least in our minds some of the more advanced and sophisticated threats and are you comfortable with how the partnerships are? i understand they have been engaged. what does that look like? >> so, the -- when we look at
1:58 pm
cybersecurity, we look at how the office in cybersecurity communications look most closely with the office of infrastructure protection and that is to make sure the expertise and everything on cyber is used to inform everything that we do in cyber and vice versa because they are inextricably linked. the first and foremost the philosophy is critical infrastructure are one and the same so we are protecting not just the network. on the partnerships again we are committed to making that collaboration exceed. and i am that old. we've been at this for 20 years and we've had this conversation at different stages in the collaboration and critical infrastructure. and you ask the question do they have all the resources. so you are including the big companies, small companies, municipalities. so, no, the resources are not there, especially in many of the state and locals and that can be scary. so, as we look at that we can use the framework to inform some of the folks that either set aside the resources or how we use the risk-based
1:59 pm
consequence analysis and that is in the budget numbers where somebody somebody inexperienced looks at the shop and says this hyper goes there. i want to take a step back and look at the cybersecurity. it has been a cost center for many years and probably still is that it is a cost center that is now because of the framework and the collaboration and knowledge it is being used as something to drive out the corporate investment is used and i would say the framework takes it one step further for the market differentiator. so those that are better protected are those to do business. when you look at the large providers especially surrounded by the treasury and the energy sector, the absolute leaders and how we protect because we have the understanding. the others have not been as quick to they are seeing that very quickly and i think that you were helping to drive the discussion and the framework is helping to drive it. am i comfortable that everybody is researched and safe? no. do i believe that we are all owned, yes but are we on the
2:00 pm
right path of the next 20 years towards breezily and the reason we have collaboration and working together across the sectors absolutely and that is due to everyone in this room. .. framework is related to be relatively hot, if you will, within industry and legal circles. you noted earlier this month, at a conference, that the affirmative use of the framework would reduce a company's legal exposure in the event of a damaging cyberattack. did i capture your thinking correctly? >> what i was talking about, i think a couple of panelists referred to this as well, is audit firms working with the framework and developing something that could be audited to.
2:01 pm
and what it becomes, it's not as if there's legislation declaring a safe harbor that if something happens which inevitably it will in everybody's company, and there are losses instead of having no defense with respect to what you've done, you after the fact have all sorts of evidence that you were diligent. everyone from the board to the cio acted reasonably, tried to follow best practices and adopted best practices. and when you're able to do that you're going to be in much better shape, vis-à-vis a potential lawsuit than if you didn't do something like that. and i think having something like a framework which isn't a prescriptive rulebook but is a much more flexible document that is tailored to individual companies makes it a better
2:02 pm
vehicle to achieve that kind of protection than something that is more prescriptive, set in stone, concrete and difficult to be adapted to individual circumstances. >> thank you. let me ask a follow on that. the idea behind the framework is a kind of meet you where you are. the you are at a certain level and you're looking at your grace aspects of the framework and what you're looking into doing, i feel like smaller business, i'm just speaking small business generically, that might lack the resources to really defend against some of, maybe a nationstate or a circuit. are they at least in the context of liability, is there any kind of distinction there? what if they say hey, i've done my best but i can't go toe to
2:03 pm
toe with them? >> i think the framework is a good vehicle for doing that. as you said it is adaptive. it's not one size fits all so it would be a more usable vehicle for a small entity, but i think that is one of the challenges we face as an economy, as the country where there could be huge resources directed at an individual small company, and that could be a big challenge for a smaller company. i think that's just the reality. on the other hand, if you're a smaller company, you are less likely than jpmorgan chase to be a target. you are less likely to have huge damages. when you go out to buy cyber insurance is not going to cost you as much. so i think there are normal
2:04 pm
mechanisms in market economy where smaller players in the private sector, on the one hand may not have the resources to put up the defenses of a jpmorgan chase or a wells fargo, but on the other hand, in many respects the risks are smaller. >> do you want to pick up on that? >> i fully agree and add in the same spirit those smaller companies present the risk to those larger companies when they're not protected. i think the framework to your point helps secure them so that the adversaries don't use these smaller companies to then get into the larger companies and get to the the bigger business. >> david, go ahead. >> we talk about supply chain and all that. part of it is it is good vehicle for conversation and it is the distinguishing characteristic when we look at suppliers but i think we have a responsibility that we are starting to put on
2:05 pm
the contracts to be able to say it's not enough for you to tell me that this is what you do. like many of the things that come in and make sure that you are following as well. and from, building on what you're saying from the insurance industry, we have insurance around a lot of machinery, robert and all that and there's all these standards that showed a fall if you're going to get a policy. your evaluation based on the standards it really what determines what your rates are or if you're eligible for insurance at all. i can see over time using a framework and other mechanisms, the insurance industry is very bright. they understand risks and how to manage it. i think they will be applying framework and other things as well to help establish what your rates are and if you're able to get insurance. >> in fact aig has only been working with nist on the framework to help them develop products they can sell to the private sector.
2:06 pm
>> sean or paul, do you guys have anything on that point you want to weigh in on? >> maybe just a couple of points just to add on to what fellas had mentioned. i think we think about the framework and application of the framework i've used this term before as have many others, talking to getting the blocking and tackling right from cybersecurity perspective, getting the basics down. the more you do that, the more you change economic incentives. i don't even expect a small or midsize business to go toe to toe with the midstate capability and a something might be. again if they raise the cost of business, that's a good thing. if that happens across a large pool of small and midsize business is basically one not service to large institutions, the aggregate effect i think would be significant. >> phyllis, you mentioned small businesses. a few months back the department issued a request for feedback on
2:07 pm
small businesses and cyber, and i remember i was at a meeting and you said, you're carrying around a binder with all the comments you had gotten, as many of us probably would, go through them. what did you find? what were the feedback? >> first and foremost a little backgrounder we issued a request from mission shortly after they came to the department asking small to medium businesses what is it future like to do with the framework or can do or want to do to help the market drive better cybersecurity? isn't inventing things? give us ideas for what is that we as a department should look at doing in the future to help you help the market drive us. a lot of the response we got back was good commentary. my first impression was the size of the binder. we had a lot of responses to it was also some technologies, whether companies have been, were looking at them. i think a lot of this is looking at if the government may buy
2:08 pm
something, everybody gets interested in. the truth is we bring science back. we are looking at everything. we want to use subsidy to drive innovation in your companies. innovation in both policy and technology. so those responses were very helpful. it does so people would be interested to build et cetera and a lot of technologies that are out there. i can say i am, we are willing as he came to look at the new technologies so that what we do in cyber response and mitigation is aimed not where technology is but where it's going. that's where the adversary will be. as far as those of sponsors, they guided what we thought industry were going to do. it was early on in my tenure so i would go back probably nine arguments ago and look at those again and see where we are now with with the framework is. it's a good point. i may go do that now that you say that. we were happy with the turnout and still push this point that we are committed to the partnership. we have a program called
2:09 pm
critical infrastructure secure the cybersecurity partnership that brings end and a big on this you can tell, i'm a techie but the actual scientists and technologists talk about the actual science competitive boundaries as using all of that you what we can do to use the framework again, i can't say this enough, bring the cybersecurity conversation to one of culture and cyber risk, investment, boardroom investment not just the i.t. suite, and making sure this is something that drives our companies forward to you the market can make this more secure. >> information sharing. that is the chambers number one cyber legislative goal in the sense that we passed some legislation in the house with great help from lawmakers like michael rogers, others and their staff in the senate right now you'll catch is working hard if you can get legislation done in the senate and will maybe find a more later this afternoon,
2:10 pm
ticket the bill across the finish line but it's going to be tough but what we hear is businesses want to be active, be able to share in a protected manner, give information about threats and attacks that they see, get that information to we kind of look at it as a neighborhood watch program for cyber. how can we get that done? i think if anything, are the aspects of the legislation that you think the congress can more or less pick up and run with now? i think that you've got a collection of bills, some of which have cleared the senate committee, sent homeland senate security homeland i should say. hopefully we can do that. does anybody want to pick up on the topic of information sharing?
2:11 pm
paul or sean, what does it mean to you? >> i'm going to go find chris turner was a pretty for and bring him up because i'm not going to put you on the spot, chris, really. i think one of the things that always look at is we talk about removing barriers but i always like the carrot rather than the stick. i would like to see the opportunity to create incentives. if any of the issues how to do this just mechanically how to do this without exposing proprietary methods and tactics which are intellectual property of a hybrid organization. we really do want to make information of visible but it is a monetized commodity that we sell. one of the challenges is how to maintain that advantage and fund all of the infrastructure that's necessary to collect this information without exposing methods and tactics, which we rely on. it's a challenging situation.
2:12 pm
again i come back to voluntary incentives rather than mandate and regulation. and generally speaking that's where we would like to see things go. >> anybody else? sean or david, on the information sharing front. that's something that's important to you all. anything you want to add on that point? >> i think it's critically important for us. we don't pay some of the same competitive pressures that some of the companies face, but that's part of the critical infrastructure we need come in order to adequately protect, defend, recover, we need to know as soon as possible whether the information sources coming from, what is happening before they become threats. >> are you guys getting the threat information that you think you need? what do you hear from your colleagues and your business partners? >> i think it's an issue where
2:13 pm
in partnership with companies we've gotten a lot better at sharing information. i think with our government partners we've also gotten better. i think we still have room to grow both as an industry and also collectively as partners, that as i commented earlier i've been here for five years and i've seen a huge increase in the level of information sharing. and i know everyone is trying to do that. and sometimes it's just finding the right mechanisms to be able to do that in a way that doesn't i will say reveal information we don't want to reveal. >> i think one thing that is worth noting, if you look at the energy sector of the financial services sector, certainly from an industry perspective we are supportive of comprehensive legislation to try to help with information sharing, but there are plenty of examples where those information sharing channels are already working and i think they are good examples of what can be done even without
2:14 pm
legislation. certainly the information sharing and analysis centers that, think financial services sector, we've got extremely active, innovative well-funded, that's a testament really to the industry's commitment. i think in other sectors you have seen people starting to move in that direction, and i think that's very positive. the other thing that we have done in collaboration with our administration and intelligence community colleagues is try to have a very concentrated effort to get the intelligence community to think carefully about not just out of sheer information to classify channels with people have sector declares an industry that have to be classified important information so that an industry can protect themselves, take that into the system. i think dhs has been a real leader in helping us get that information out. i think legislation is important
2:15 pm
and certainly something that we look forward to, something that helps with information should, helps protect privacy and gives both sides of that. but at the same time there's lots we can do even without legislation. we would encourage people to continue to push on the information sharing mechanisms that we do have today so that we can continue to make progress while but also try to work with congress to make progress. >> i would support o all of ami' thoughts on existing as well as consider right now is probably a very hard time for companies to share information with an government, especially in the global markets. there's also never been a more urgent time for us to share information to the adversary does the having spent most my great in the private sector, i understand private sector sees a lot in many cases much more, much differently than
2:16 pm
government. so the concept of putting those puzzle pieces together is incredibly important. and i think that with our partners, dhs plays a key role in that and we have the own statutory privacy officer in the u.s. government. so we are a civilian agency charged with situational awareness limits. the situation awareness that is called an executive order, s.b. 21 to our ability to put the puzzle pieces together from what we see coming into the government and what you see and the private sector hinges on some of that trust and also on the ability for us to share information together without anybody getting like they're going to get hurt. we have mechanisms in place already. if you share information with us, we have mechanisms to keep it quiet even within the department. we retrain our front office, secretary level come on how to handle that kind of information to protect those identities of our partners. we would support with the
2:17 pm
ministers will go narrowly targeted liability protection. so that says be very careful in that you're not sharing tea i i think they should not get share but let's have a conversation about what can be shared so that we can with the alacrity of the adversary and i think that line is very, very important. we do need whatever help it takes to get the private sector peace into the government. that is a puzzle piece that sometimes we miss. the other piece is do it so the bulletin of our privacy and civil liberties are reserved -- preserved. >> it's the main legislative items we're going to try to get done this year. it's doable. next year i think it would more difficult with certain players that are very active in this space. i think what we hear from our members is that in order to out, chair, receive they've got to have that safeguard in place or else they feel like there's going to be a boomerang back to them that would be less than positive. i think that we've got a
2:18 pm
potential opportunity, at least this year, to maybe get some things done. hopefully if anything, all we are looking for, one of the reasons why we talk about this is want to just have that they'll, just have a shot. if there's an opportunity we would like to try to get that done. let me ask about the enhanced cybersecurity program for critical infrastructure that's part of something that was mentioned in terms of bilateral sharing. how do you make that more scalable? and i think things like the information sharing legislation that would provide safeguards would help foster that maybe some more. it might, lease we think, legislation related information sharing what kind of put wind in the sails of folks that are utilizing the framework.
2:19 pm
i don't think it's written in any legislative text i think it will help with the behavioral shift. so anyway just taking on the enhanced cybersecurity service program, how do you scale that? >> so in its subsidy services is our ability to protect private in -- with private information or 10 years ago provided ago this is unheard of and we found a way that it's actually an amount of service. it's a way of our using classic indicators to actually prevent, protect private sector, private industry. the way that is scalable is those providers have a lot of customers, right? those providers also have been a building as this is the way it works to see the bad guys or the events come into those they protect and collate that enable intelligence and they get to can
2:20 pm
be with others that are pushing out. i think the main thing here a little bit different than i think information sharing discussion is that this is the way of the future. we have looked at rolling it out to magic provides because of scalability, because classified information is difficult to manage. it's expensive. it's hardly use but when it works it really works. we are still looking, and as my technical geeky mind works i like to look at things such as the if you had one event that created a lot of noise and we didn't see it versus one event that could've been absent a destructive and we did see it, how do you make the business case for the expense of again the government enabling classified indicators to protect private sector? how do we close this? combined with efforts to the point about making declassify information every recognizing the wealth of information in the private sector and in the open-source. so this is just one piece. i think d.c. has got a lot of
2:21 pm
attention because it does take a lot to roll that out. i think it's the beginning of two things. one is a new type of service and the exploration of the business case of classified information. >> thank you. i'd like to stay on the topic but i want to move onto harmonizing sight of regulation. one of the aspects of executive order, and i know michael daniel when he was in everett, washington, at our workshop there mentioned that that's one of his priorities is trying to look at the different rules, regulations and so forth businesses are dealing with, kind of compare them with the framework and see how things can be streamlined. in terms of incentives and regulation, how is that process going? or it should say, and i'm interested in our business panel spot, do you guys have asks in those areas? how are you look at tha the iss?
2:22 pm
david, i might start with you. for, -- ferc, framework, maturity model. how are you looking at that issue? >> i think we're probably the only critical infrastructure that is mandatory cybersecurity standards through as you mentioned north american electric reliability corporation which is funded the regular commission. i don't see anything in the framework that in some way conflicts with those. i think they just kind of build together with each other. i think the biggest conflicts that we are concerned that this effect we are also regulated at the state levels. and in the absence i guess of strong kind of federal standards framework, maybe even legislation, there's always the potential for states to take a to point out and for states to their own individual standards. and operating across several jurisdictions, that could create
2:23 pm
conflicts. we think about where the conflicts may occur, more concerned at the state level than we are conflicting with kind of, then conflicts within the federal sphere as well. >> what is your reaction to the state regulations be? i think it's been very positive. it provides again flexibility. it allows us to demonstrate to them that we are being prudent. and if we were ever challenged i the state i think would look to the framework and say here is something that by following it we're doing everything that is prudent to protect our assets, to protect our infrastructure. >> the financial services sector and their agencies and departments still have information security rules and regs. how is the sector doing with harmonize those with the framework? what does that look like? >> i would say one is for us and
2:24 pm
other like institutions within the sector taking a look at guidelines and take a look at opportunities to maybe clarify our harmonized variety of different potentially conflicting terms and terminologies associate with information security. all the mapping back to the from a leaking of greater clarity and the regulators can during an exam begin to look at institution through the lens of the framework, even if it's a map to these additional guidelines and standards that they use. so we are working within the sector as well as with certain agencies to take a look at opportunities to provide some guidance on that. >> the reason i bring up his we hear from members that say let's they're using the framework they would like to more or less get credit for the kind of information security oversight regulations that they are encumbered with so that they're not having to do multiple tasks,
2:25 pm
if you will, and finds himself in a situation where they feel like they are leaning more into compliance rather than management. >> up until about seven months ago i was sitting on the other side of this with general counsel of a global financial institution, and the framework had just been released. and the way it's evolved, kind of watched it from this perspective now, would be a tremendous benefit to financial services firm in regulated because sometimes there's a little lack of transparency in terms of what you are being held to as a standard when you are regulated industry. whereas the framework of this being used is something that's a little more objective and something everyone can look to him talk about as a basic standard. and i think it's also important that we at the department of commerce have been talking to
2:26 pm
the representatives of the countries around the world about the framework and trying to engage them at and i think there's a panel on this in a few minutes, to engage them to think about the framework as something to work within the countries, and from a global regulated industry perspective, that would be a tremendous benefit. >> let me ask you about deterrence. it is a topic we think about here. it's not an easy one. we have been looking at a state department international security advisory board report that came out this summer, july, and i think we reference it in some of our comments found in your materials. they look at things like cooperate on cybercrime as a first step, global consensus on the rules of the road.
2:27 pm
enhancing government situational awareness. there's more. i guess the thinking, they offer some general recommendations and i was wondering if, we think about in a continuum between relative passively to aggressiveness, right? businesses using -- using from her, sharing information with government and vice versa, moving away from passively, somewhere in the middle might be, let's say, the fbi and the chinese hackers but on the other end of the continuum, probably less attractive you might have frustrated enterprises wanting to attack. more about commerce, most of the conflict here. on the other hand, you might have congress wanting to do something in response to unremitting attacks, and they
2:28 pm
would legislate a program or program argument authorities to agencies and departments that would hinder trading investment. how do we start making some progress on the deterrence defensive front? i just opened that up. anybody? >> i think your position is a spectrum from what i call passive defense and moving towards a more active defense, a responsive defense and then moving into truly authentic proactive disruption of bad actors. one of the things i would like to see is a very measured approach, and i think there's enough value in moving from passive defense, perimeter protection simply catching -- patching software and technology and managing the things that much more active approach to defense, dhs continuous diagnostics and mitigation or monitoring the those sorts of active defenses, i think there
2:29 pm
sufficient for right now. right now i think the potential for inadvertent harm, and we talked a little bit about this this morning at breakfast, inadvertently having collateral damage to someone if you do go on offense, the collateral damage to someone who's been compromised so rather than hitting the bad actor you're hitting the proxy for the bad actors. with the liability is for that sort of activity really has been sorted out yet. so i would advocate a very go slow approach as well as this idea there's sufficient benefit in moving from passive defense to active defense that we can accomplish quite a bit just getting to that middle ground on the spectrum. >> i think want to try to push back a bit so the more aggressive postures that they may find itself in a position of wanting. sean, any thoughts for you, deterrence? >> i think the points are well made. again, as global institutions
2:30 pm
are doing business in markets were some the attacks may be coming from, even if you can have that high level of fidelity and to to getting attacks. i think the law of unintended consequences is it something that needs to be fought -- thought through very carefully to understand authorities and certain entities conduct certain types of activities that may be considered more active and how that might actually work and what the private sector's role is. i think this is a conversation that needs to be done very carefully. >> i think just to pick up on a point shot me a few moments ago which is the changing the algorithm on cost. i think it remains true that most cyber incidents are attacks of opportunities. there are software programs that scan the web to find servers that are directly connected. so if you have a server that is not directly connected you are not going to be a target of that opportunity. it
