tv Key Capitol Hill Hearings CSPAN November 4, 2014 4:30pm-6:31pm EST
4:30 pm
attacked, the other 10% may not, but they have been attacked. and that virtually almost every big american company today has been attacked. the question is how serious and by whom and how much. and i think it's fair to estimate that the cost to the economy and to business is estimated in the trillions of dollars. so it is very serious. we started on this with a different bill, and we put that bill together. it went to the floor, and it got 56 votes. we needed 60 votes. it only got one republican vote. so the key was to go back and do a bipartisan bill. and that's, essentially, what the vice chairman and i have done, ann. we've put together a bipartisan bill. it was put out by the committee by a vote of 12-3, and it awaits
4:31 pm
action on the floor of the senate. there are a couple of groups that don't like this or don't like that. we've been prepared and look forward to receiving your comments. the staff has received them. david grannis is here today, our staff director, and jack from the minority side as well. and so we are open, but we do not want to produce something that cannot get a vote. what we have done is an entire voluntary system. it essentially moves to let companies do three things; to monitor their networks, to identify cyber indicators, to use countermeasures to protect against cyber threats and, third, to share and receive information with each other and with federal, state and local
4:32 pm
government. companies who use the authorities to monitor and share information are provided full liability protection for doing so as long as they do so with the bill, within the bill's parameters. and those parameters are pretty clearly spelled out. the bill has a number of protections to make sure personal information is protected and to make sure that government doesn't use information for any purpose other than cybersecurity. and finally, the bill requires the director of national intelligence to put in place a process of sharing information on cyber threats in the government's hands with the private sector. so we believe we have a good bill. we are thankful for the support that your organization has provided. we understand the financial services network supports it, the telecoms support it, but let
4:33 pm
me say one thing, we will not have a bill. i have tried to get this bill on the floor and so far have not had success. until communities like yourself take a good look at it, agree with it, come forward and say do it and do it now, the stakes are too big to let this languish any longer. thank you. >> senator chambliss. >> well, again, ann, thank you very much for having us here today, and thanks to the chamber on two accounts. number one, what i have found as i have been around the country and literally around the world, but around the country and around my state and i talk about cybersecurity, until six or eight months ago if i was at a rotary club and i said, guys, the most important thing we've got to deal with is cybersecurity, everybody's eyes would glaze over. this is not what i, as a lawyer,
4:34 pm
refer to as a road wreck case. you can't see what's happening out there, you can't really feel it except that now people are starting to understand that this is serious, that it has huge financial consequences not just to the economy of the united states, but to me personally. so what you're doing today is helping educate people about this, and i am very thankful for that. secondly, the support of the chamber is key. i ran into the former dni just last thursday. we had a cybersecurity conference in augusta, georgia, and former director mike mcconnell was there, and we were talking about the bill, and he said, sax, where does the chamber stand? i said, the chamber is absolutely, fully behind us. he said, great. i think your chances just improved significantly. so to all of you, thanks for your willingness to let us have a chance to dialogue with you on this. i want to echo what dianne said.
4:35 pm
number one, you're going to think this is the mutual admiration society, and it is. she and i have had a great working relationship, and it's proof that democrats and republicans can check their political hats at the door every now and then and do what's in the best interest of the country. dianne and i have done that on a number of issues when it comes to national security. and i am so glad to have her in the foxhole when we're fighting these battles, whether it's in the airwaves or on the ground. and she's been a great leader and a great friend in the process. as dianne said, we had a cybersecurity bill on the floor of the senate a couple of years ago. there were competing factions that didn't allow that bill to generate more than 56 votes. and what she and i did after that, we were involved in the process, but actually we were kind of fighting each other on the bill. but we both knew the importance
4:36 pm
of the issue. so when that bill went down, she and i sat down together and said, look, this is foolish. we know how important the issue is, we've got to come up with a bill that's bipartisan, that you and i can agree on and that we can get a majority of our committee to agree on. it's not easy, as she said, in these times on capitol hill seeing bipartisanship is somewhat of an anomaly. but dianne and i slugged it out. we did make the right kind of compromises on positions without compromising our principles to come together on this bill. it received a 12-3 vote coming out of committee. you don't see many 12-3 votes coming out of any committee on the senate side these days. that was going into the election, too, by the way. what my priorities in this bill were was, number one, to make sure that we had a bill that was going to provide john and our
4:37 pm
other law enforcement and our government agencies the tools that they need to make sure that they're able to detect intrusions onto any system, be it public or private, and to make sure that they had the ability to share that information both from a public to private standpoint as well as a private to private standpoint. because if we don't do that, we're not accomplishing anything. and we wanted to do that in a voluntary system. if we mandate to the private sector you will do this this way, there's always going to be pushback from the private sector. and with the level of trust that exists today between the public sector and the private sector, we knew that our chances of success long term were not going to be very good. so what we did was go to your companies, go to the private sector and say, okay, we want your
4:38 pm
ideas. we want you to start, help us start on the ground floor, and let's build this building called a cybersecurity bill. and we did that. and we have been able to incorporate good ideas from public sector, good ideas from the private sector, and i think we accomplished what we set out to do from a voluntary system. secondly, it's imperative that we incorporate strong privacy measures in this bill. we simply can't allow someone's personal information to be shared on a wholesale basis. we agreed on that, and we think we've come up with good language to insure that that does not happen. thirdly, it's important that we put language in this bill that allows flexibility. this is not a short-term project from our standpoint. this is long term. and with the way that the technology changes in the world of cyber on virtually an hourly
4:39 pm
basis, not a daily basis, we want to make sure that ten years from now that there's flexibility in the legislative language that allows the public sector and the private sector to make the necessary changes to adjust to what technology comes forward in the intervening time frame. and then lastly, i'll say that, again, another key aspect of this if it's going to work is to insure that there is liability protection given to the private sector. we think we've done that in the right way, and we think that the private sector, those folks who are involved in it as well as, i hope, as dianne said, i hope all of you will read the bill. i think when you do, you'll be like the folks in the private sector that we had involved in it, and you'll have some comfort in knowing that in the corporate boardroom people are going to say, wow, if we share this information with our competitor,
4:40 pm
we're going to have protection, and we're going to be able to do this in a way that lets us put the right kind of countermeasures in place without the fear of liability from outside sources. so i'm pleased about this bill. obviously, dianne has a lot more influence on senator reid than i do, but i have implored him that if there is one piece of legislation that needs to be concluded between now and the end of the year, this is it. if we don't do it this year, i fear that it'll be at least another year before it rises back to the level that it is now. and if we wait another year, we are really risking the economy of the united states, in my opinion. so i'm very hopeful that when we get back here in a couple of weeks, that senator reid is going to agree with us, we'll have this bill on the floor, we'll slug it out. dianne and i are joined at
4:41 pm
the hip on this. we're going to be together, and if somebody's got an amendment that makes the bill better, we're okay. if it's a bill that just tries to send a political message of some sort, then we're going to work to beat it back. but i do hope we get the bill on the floor and we see the senate work in the way that the senate historically has worked to provide good legislation. thank you. >> thank you, senator. i think you're saying all the things we like to hear; liability protection, flexibility. i'll tell you that admiral rogers was here for lunch, the cyber commander, nsa director. he's very big on the information-sharing bill as well. he doesn't want personal identifiable information. he doesn't want to get into those privacy issues. so i think that information sharing, we talked earlier, this is something we've been talking about for a decade or so now, and i guess, i have to ask -- not to put you on the spot, but
4:42 pm
what are our chances with this bill in the lame duck session? do you think we have a chance? >> well, i do think we have a chance. i think it depends on people in this room and a lot of rooms like it throughout america. i look back three years, and both saxby and i sat down with the chamber then when you had some concerns about the bill. and it was really useful. i think i went to three or four big meetings, and i really came to understand what those concerns were. i think those have been remedied in this bill. this bill isn't the sun, the moon and the stars. it isn't a regulatory guideline how-to. it's a voluntary bill. it allows the voluntary sharing of information with each other or the government with immunity from lawsuits, essentially. and i think that's critical. it's a first step bill. it's the first thing we need to do. now, here's my worry, saxby.
4:43 pm
if we don't get this bill passed now with your retiring, i think you're right. we're going to have all the arguments we've already had and disposed of but with a new cast of characters, and companies are going to continue to get hit. so you and i, because of what we see, share a big sense of alacrity that we need to get this thing done. we really need others to stand up and say, yes, we're in support with this. we opposed the last bill, we're for this bill. let's get to it, let's pass it. >> and one other thing too, i think, ann, that gives us the potential to get this bill done, the white house came out with their executive order virtually a year ago. i was, frankly, very apprehensive when they said they were going to issue an executive order because i didn't know what it was going to say even though they had talked with both of us about it in advance. but, frankly, the lay of the
4:44 pm
land that was put forward in that executive order is very positive in concert with what we've done in our bill. and some standards are being set by nist, and nist is incorporating the private sector into their discussions. that is good, and there are some other things that are being done there that i think lays the groundwork to some of the, to solving some of the objections that were in the lieberman-collins bill. and we focused on information sharing which is the guts of it, obviously. if you don't have information sharing, it's not going to work. but i think that the white house needs to be commended for laying out the executive order the way they have, and i've commended nist publicly, and i'll continue to do so about the job that they're doing. >> we at the chamber certainly agree with you. we have michael daniel, the white house cyber coordinator
4:45 pm
this morning when he first came out with executive order he was here at the chamber a couple of times which is unheard of to shop around an executive order like that. i think the extent they went to get to that, not buy-in but situational awareness from the private sector on the executive order was very helpful. i will tell you that the nist cyber framework is something the chamber fully supports. we're doing, socializing with small communes has country so we agree with you that the cybercrime and executive order was a step in the right direction. >> i think, ann, if i may, i think if we can get this up on the floor i believe we can pass it. you can't pass a bill that is a bipartisan, and this one is anything we can. and both saxby and i were closely with admiral rogers, the house chair, the vice chairman. and mike has said we are ready to go. if you get a bill, we will sit
4:46 pm
down, get it conferenced and we'll get it done right away. so you really don't want to wait until the legislative bodies change on this. because then you got to go back to your dot and start all over again. that means inordinate delay. i would hope we can get people to stand up, saxby and ann, and come forward and say you've got to do this and do it now. we are happy to make the bill language available. i think it is already. and our staffs are here. they're happy to sit down with you, or we can as well, but we really need the help to get it passed. >> and i will just say both of your staffs have been terrific to work with. let's take a few questions from the floor. we are having a very hard time seeing you out there with these bright lights. so please wait for a microphone to come to you. tried to get to chamber members
4:47 pm
first, if you make. >> cory bennett with the hill but to discuss a lot of the ways that -- high, over. i could get the bill passed in the lame-duck session. what pressures on the things that might be a someone blog and might prevent from getting passed in this upcoming session. >> let me be candid. there were essentially two categories of people who have concerns. one, trial lawyers. we think we've worked that out, and that there aren't problems are now, cross my fingers. the other is the privacy community, which is a big, broad nerdy. and i think we made another six changes that we've agreed to, but, you know, it's always more, more, more. now, i think if the bill comes to the floor and, obviously, we have a set time and a number of amendments, we
4:48 pm
are willing to take amendments and do them on the floor. so that shouldn't stop it. but those are really the two groups that we have concerns about. and i think one of them will be settled, and with respect to the privacy community, you know, what i've heard is we want the old bill. well, the old bill got exactly one republican vote on the floor. that's not a good message if you want to pass something. so you have to find a way to work together to get it done, and we believe we have done that. >> that wasn't my vote. this one will get my vote. [laughter] >> other questions, comments? over here. >> this morning coordinator michael daniel talked about how he's working very closely with
4:49 pm
you on legislation but where does the white house stand on the bill today? do you think they are supportive enough? >> well, i can quickly state as the chairman. what we have done is kept the white house advised. the staff has done this. they sat down. they have worked with the white house, and i think, unless there's something that's new that i don't know about, there's been a relatively close working relationship. >> this is, it's not been a one-sided conversation. i've had direct conversation with the president, even rode with him in a golf cart one day and we talked about it in the golf cart as we were trying to focus on our game. we were more importantly focused on cybersecurity that day. but we face any number of conversations with the white house on it, and i'm not about
4:50 pm
to speak for them, but we have taken their original concerns into consideration and we know that the president has got to sign whatever bill comes out. and we are going to continue to dialogue. i'm hoping that by the time we get back and assume senator reid says yes, this is something we need to do, that the white house will come out and be a strong advocate with those. is it a perfect bill? i mean, all of us know, particularly those of you who have been around the senate for a long time, nothing is ever perfect. and that's the way you get those and the way you get things done is to craft something that while it can always be improved, and as dianne said, this is the first step. who knows where we're going to be a year from now, but if we do nothing, shame on us. and i know the white house feels strongly about that aspect of
4:51 pm
it. >> and for those of you that may not be so in the we just we are, we are talking of 2588, cybersecurity information sharing act of 2014. a little summary that we put together, this represents a workable compromise among many stakeholders. it also safeguards privacy as you discussed. protect civil liberties because there is the role of civilian intelligence agencies and incentivizes sharing with a narrow liability protection. it would also help businesses achieve timely and actionable situational awareness, information sharing and real-time. so i just want to point out you have this in your folder. we've got 1 16 organizations along with u.s. chamber of commerce now in support of this bill so very supportive. we have a question over here, matthew spent matthew with each other. senators, i wanted to thank you for your work on the bill and the work of your staff members have done a very big a job in
4:52 pm
terms of working with us on aspects of the bill. one thing that might not be well-known is the bill does mandate that businesses sharing information with government have to remove personal information -- they have to remove pii. the bill says you must remove pii. i think it's when the eldest of the. we didn't originally agree with. primarily because we thought that small and midsize businesses that are not as sophisticated in terms of doing the removal might say instead of sharing the i'm going to sit this one out. we recognized that is a big issue and that one element of the bill that we find the messenger to compromise our ground. you might be interested to know we have been meeting with many offices in the senate to try to educate them about the bill. it is our number one cyber legislative priority. so i wanted to just thank you and say yes, ev do have a chance and
4:53 pm
women opportunity to pass the bill on the floor, please urge senator reid, put it on the floor. we think the bill deserves at least a shot at the. anyway, thank you. >> one thing we did to address early on privacy concerns is with regard to the definition of cyber indicator threats. and we narrowed the definition of it, and the focus is on really that serious issues of cyber threats. it's not able to be expanded from a privacy standpoint into non-cyber issues, which i understand from a privacy standpoint. so that was another big compromise that we came together on. dianne with me again. -- whipped. that's the way things get done. i empathize with the rationale
4:54 pm
and the reasoning behind it. that's why we were able to make the changes that we are able to make on both sides. thank you for your input. when the chamber has input, you speak for a myriad of sectors of the economy as well as individual businesses, and that's critically important to us. >> thank you very much. >> he gave you a little inside information. didn't have to do that. >> any last questions, comments? one back there. >> to what extent is the debate of surveillance in the lame-duck going to put into the ability to pass this bill. you know, i've heard both that it is necessary to this bill would also be a death knell for
4:55 pm
this bill because they don't want them to get inextricably linked. how do you plan to navigate that in the lame-duck? >> well, i'll kick that off. you're talking about the fisa reform bill and how does it relate to the potential for discussion and debate on this bill. the thing about fisa reform is that we don't need between now and then the end of the year. we've got a bill. that bill expires the middle of next year. we do know who's going to control congress, but this has been a vigorous debate as to the changes that need to be made in fisa, and i think there's a lot of accord on that. but that's not something that urgently needs to be done between now and the end of the year, simply because we have laws on the books today that deal with that issue. cyber we don't. and there should not be any connection between the two, and
4:56 pm
i certainly hope that's not the debate we get into, or not the position that we get into when we get back into session. >> let me say this. you've hit on something, because i've heard this in roundabout ways, that fisa reform has to come first. and if i understand the current status, the house has passed a bill which was difficult for the house to pass a bill. we have passed a bill on certain fisa reforms that went out of our committee i think 11-4. the president has a distinct view on this, and that is that he supports the house passed bill, and senator leahy, the chairman of the judiciary committee, is putting together a fisa bill that would essentially echo the house bill with a few
4:57 pm
changes in it. one having to do with the public advocate/amicus, and also with a couple of other things. here is the big problem, and the problem is how do we get something done there. as the vice chairman has said quite correctly, well, this doesn't really need to come up until next year, but that's a long time to wait, and my concern is that we do need to do something there. i don't think it's necessary to put the fisa bill first. our bill is ready to go. it can pass the senate. i think at the very least it would show that we can pass something, we can get it conferenced, we can get it back before the senate for a final vote, and we can get it to the president. so we can do this with not a great deal of debate, probably
4:58 pm
with a joint rule between the two sides that there be a couple of hours for debate and a limited number of amendments and then get it passed and then conference it so we could get something done. and i very much hope that that will happen. >> we hope so too. we have time for one more question out there, if there's anyone out there. i can't see. >> calm group today. >> there's one here in the middle. >> hi, my name is jason -- [inaudible] from senator mark kirk's office, and i wanted to ask you, senator chambliss, who will hold the banner for information sharing in the next congress for republicans? who has that kind of institutional knowledge of working with the chamber, but also these issues when you leave the senate? >> well, most senior person in line to me is senator burr. he will, i'm sure, be the next
4:59 pm
republican to either be chairman or vice chairman. behind him is senator risch, and we've got senator coats, senator rubio, senator collins. we're losing senator coburn. so there's a lot of republican experience that'll be coming back, and i'm confident that whoever it is is going to work diligently with dianne to move something. but as we both alluded to earlier, we've got lots of new members off the intel committee that are coming back and trying to -- or coming in and trying to educate those folks about the issue itself, plus there are a lot of members that simply look to dianne, to me and other senior members of the committee to, basically, have some
5:00 pm
security in from the standpoint of knowing a complex issue, having worked on a complex issue. they're willing to go with us. and we've got a lot of folks who are going to be coming in that are not going to be in that position. so that's why i think and, obviously, dianne agrees with me, that it's going to be a long time if we don't get it done by the end of this year. hope that answers your question. >> thank you. and i think that's one of the things that we want to work with you on, that educating of the new members. and we're happy to continue to do that. i want to thank you both for coming here today. thank you for all the work you've done on this bill. it's a terrific bill. again, we enjoy working with you and your staff, thank you very much. and the chamber's going to continue to push for this bill, so -- >> good. >> thanks. >> thank you. [applause] >> [inaudible
5:02 pm
>> the u.s. chamber of commerce cybersecurity summit concluded with a session on information sharing and cooperation between private sector industries facing cyber threats. this is about one hour. >> okay. i can welce
5:03 pm
>> again, welcome back. this is our final panel for the day for the cybersecurity summit. this is our third annual. thank you for coming and sticking with us. this is a great panel. we wanted to get a cross sector discussion going. there is a workshop -- actually, it is more than a workshop, a big conference in tampa that folks are flying down for. so thank you for sticking around and being on this panel. i appreciate your expertise and support. i want to introduce christopher furlow, the president of ridge global. both he and governor ridge have been terrific friends and partners. as i mentioned earlier, first secretary of the homeland security department, governor, the current chairman of the chamber of national security task force. he will moderate our next panel on sector cooperation, interdependency, and challenges. thanks. >> well, thank you. i think congratulations need to go to let and in that
5:04 pm
chamber team. if you think about it, it is pretty remarkable. we had the nation's almost entire group of cyber leaders in the room that we have the opportunity to engage with. it has been a great day. i am not sure it is always great to be the last panel of the day after lunch when folks are ready to go home, but hopefully we make it interesting for you. we have talked about a lot of macro level issues throughout the morning and afternoon. we hope to get a little more granular in terms of how the various sectors are dealing with cyber security challenges, cyber resiliency at a much more granular level. today we are fortunate that we have a group of folks who are from what many people would call the most critical of the critical infrastructure sectors, those sectors which derive most of the concern when you look at whether it be from our law enforcement community, intelligence
5:05 pm
community, and certainly from miti professionals. now it is becoming a lot more of an issue across the business community. folks that understand the threat. now we need to talk about very much, as john carlin had said, how do we figure out how to do something about these challenges? today we hope to get into a discussion about what is being done already and where we can go into the future. joining me on today's panel, we have william erny, douglas johnson, christopher boyer, and dennis gilbert. what i would like to do to start off the discussion today is have each of you just briefly explain kind of your roles and responsibilities because i think it will help us set the stage in terms of the type of issues you are working and will guide our conversation as we kick things off.
5:06 pm
>> sure. hi. i'm william erny with the american chemistry council here in washington. and i am a senior director within our regulatory affairs department. and my primary role with acc is to advocate on behalf of the industry. cybersecurity is one of the issues under my advocacy portfolio. but i also play an integral role within acc. i look across the organization, and i ensure that we have got coordinated efforts within acc and to make sure that we are responding to member needs. so, in that regard, i interface with a lot of different elements within acc, including our chemitc program that some of you may be familiar with. but that is our group of cio members that engage directly on cybersecurity issues.
5:07 pm
>> i'm doug johnson, senior vice president of payments and cyber security policy, and so i run of the various committees that cross those platforms either from a cybersecurity, business resiliency, even business security standpoint. also in charge of the regulatory and legislative relationships across those platforms as well. i also serve as the vice chairman of the financial services sector coordinating council and on the board. so obviously a lot of interaction with the other associations within the financial sector in those two capacities. of course, we are very much driving all of our to be a part of the information sharing apparatus that we have. >> my name is christopher boyer. my role within at&t largely
5:08 pm
is to serve as an interface between our chief security office and network operation teams, public policy issues in washington, so i serve as a representative for the company before congress, the white house, a variety of agencies. a big chunk of what i have done over the last year or so is spend time working on the nist, actively involved in the development of the framework and served in a variety of capacities at the fcc, working on a variety of cyber issues. i also served on the internet security and privacy advisory board, so i spend a lot of my time dealing with various securities and technical issues on cybersecurity throughout d.c. >> good afternoon. i'm dennis gilbert, the director of information and cyber security at the exelon corporation. we are one of the largest energy and utility companies here in the united states. i report directly to our chief security officer who is responsible for both physical security and cyber
5:09 pm
security within our 25,000 employees corporation. within that room, i am responsible for both the information technology environment as well as the operational technology aspects to of the cyber assets. we have within our team a complete cybersecurity operations center that includes monitoring intel, digital forensics and an incident response team. we also have an architecture engineering, security engineering team, visibility in alice's management team, so we have a complete suite of in-house capabilities in addition to things that we contract for. >> thank you very much. again, the title of this panel discussion is "strengthening cybersecurity together: sector cooperation, interdependencies, and challenges" i think it would be wise to start the discussion first on interdependencies, the things that often create challenges so that we can then move on
5:10 pm
to discuss how we are arriving at some solutions today. and dennis, i think i will start with you. from the electric sector standpoint, you know, because the grid, in particular, is where there is much concern. so many of the other sectors are completely reliant upon the grid sector. do you think particularly given what we see on the hill where we cannot get a bill, even though a lot of the public officials we heard from today said, let's get a bill through. we just heard senator feinstein, chambliss, the intel committee chair and vice chair say that we need a bill. do you think there is enough of an understanding among our policy leadership in terms of the interdependencies that exist, particularly as we look at things like the internet, everything that has to be driven off your sector, all plug in in one way or another. >> i have to admit, i think sometimes people take for granted that when they plug in or turn on the heat or
5:11 pm
anything else that power is there, ubiquitous, and they do not understand the second or third level order of effects sometimes and that we are subject to cyber attacks as well as the banking industry and telecommunications industry and retail companies. and so you the truth, it is a little bit of a challenge within our sector because we have a complete suite of challenges we must face. it is not just our operational assets. it is an entire suite within the itn network. we have to look at the motivations, whether it's getting into our billing systems for financial gain, whether it is trying to, you know, stealing intellectual property to improve their capabilities overseas through our personal information. so in that regard with our other sector critical information sharing, a sharing perspective, of the
5:12 pm
way i see it now. i have been with exelon for about four months after spending years with the department of defense. at one level we get a lot of information. i mean, we get it from the fbi, a variety of sources. we are still looking for the knowledge and the insight from all of that information that comes in, but i think the two elements we need to continue to focus on is timeliness and, if i had my wish list out there it would be one definitive single source that would actually put that information in. a lot of times we get it in, and it trickles down and we have to then reconcile data with the differences. at the same time, that means i have one or two analysts looking at the information versus actually looking at our networks making sure that we have everything covered and there is no threat. >> christopher furlow, from the communications sector standpoint, we, as a nation, have done pretty good at
5:13 pm
responding to natural disasters, having the ability to be resilient. putting towers back up as the case may be, those type of things in relation to natural disaster. are we prepared for a potential cyber attacks where it may be a long time before the power grid, for example, goes back up to enable? >> we invested. [inaudible conversations] >> to deal with major cyber incidents, our standard course of business. so we actively acknowledge there is the potential and we do have plans in place to deal with them as they might come up. from a sector interdependency perspective, you know, i think it is pretty common knowledge there are interdependencies between the sectors, particularly energy and
5:14 pm
commerce, and financial services, comms and it, and we talk about that quite a bit. the communications sector. a lot of questions about sector interdependency. recently had a series of meetings with the energy sector. in fact, a couple of weeks ago actually spoke of the energy sector coordinating council meeting, and we have done some work on how the two sectors can work together to be better reached -- better prepared. there still are issues when there is a physical attack for both comms and energy keeping things up and running from how we can better work together to deal with those. think those conversations are happening i think it is pretty well understood in the industry that it is something that needs to be dealt with. a lot of active conversation is happening in the industry side to deal with these issues. >> there has been a lot of focus on the financial-services sector as of late due to some high, high profile breaches. but taking a quick step
5:15 pm
back, you know, when the financial services is hit, whether it be a banking institution, what have you, it is not just about an atm machine not working. talk about some of the interdependencies, when an attack is made on a financial services entity, what that means for other sectors. >> well, it means something essentially because we are the keeper of those accounts i think that is one of the reasons why we take cyber security so seriously. unfortunately or fortunately we have been tested quite a bit over the course of the last few years, and i think one of the things that that has demonstrated is that the information sharing environment that we have is pretty darn effective. i think you saw a lot of different media reports, for instance, about the most recent breach of j.p. morgan chase, and one of the reasons why essentially that
5:16 pm
went no further and the media actually had to retract statements saying that it did go further and it created essentially breaches of other institutions is because the bank that was actually breached was very good at immediately sharing directors associated with that breached other institutions, and that is what is so vitally important every sector have that kind of apparatus. i think that is what we are going to see more of going forward to more maturity within other sectors that are also experiencing impacts, but because regardless of where the breach occurs it will impact financial-services. it is going to impact financial services to the extent of availability. it will impact financial-services to the extent that there is a retail breach which specifically impact financial-services customer accounts. and so i think again that is going back to my initial statement what we recognize
5:17 pm
is first and foremost, really having that environment protected. when you have the chemistry council you think, yes, there are interdependencies between the three of us, but interdependency with chemistry. well, i tell you, during the east coast power outage, before the east coast power -- power outage we were very fixated on telecommunications. then we found out that if you do not have electricity, there is not really much you can do about redundancy. but then what we found out during the blackout is if you don't have h2o your servers will fry, and so it does not matter whether or not you have generators and interdependencies that you never even think about. and i think testing is where you are able to really accomplish some great learning, and that is one thing that i think you will see over the course of the next year, more effective testing across sectors as opposed to the way we tend
5:18 pm
to do it in silos where electric or financial services or telecom will do testing within their own environment. that needs to be cross sector to be effective. >> and just from the conversation thus far we have seen a cascading effect the interdependency -- interdependencies that we are exposed to. let's talk about your sector in particular, your supply chain, the folks within your supply chain on whom you are dependent and how that plays out into the broader discussion. >> absolutely. you know, the chemical supply chain, we consider that to be sort of an integral part of what we do in the business of chemistry so, for instance, within the acc, and we have partnership groups that deal with issues like transportation of chemicals and warehousing and storage and distribution
5:19 pm
it is funny, when i talked to people about the chemical sector and i don't the spine is exactly what we're really talking about, i think different people have different ideas, but i guess the point to take, is that we are unique in a lot of ways -- excuse me. we are unique in a lot of ways because of diversity in our sector. the chemical sector is not one particular type of product or service that we are providing, so while we may not be sort of the major interdependency, we touched a lot of people and a lot of different ways as we start to discuss here. we can impact the health care industry. we provide medical oxygen and things of that nature. we support the other aspects of chemical and oil and gas production through the use of nitrogen that is used
5:20 pm
within the processes, and then clean water, you know, the availability of chlorine to use in our water disinfecting and waste water treatment facilities is absolutely critical. so we are unique in a lot of ways, and we may not be, say, at the top of that critical infrastructure list, but we touch so many different people across the supply chain across our economy that we are, in fact, a very important part of the american economy. >> i want to transition. we clearly see the interdependencies that exist in dealing with the particular cyber threat, i would like to get your perspectives from each of your sectors on information sharing and what that means for you, because i think it has been clear through the session we have had today that information sharing for one group or
5:21 pm
company or sector may be completely different for another. so, dennis, let's start with you from the electric sector. you know, those things that you need from your sectors perspective to effectively manage cyber risk. >> well, let me back up just a second on that. at some point we talk about differences. and we do have threat sharing set up by these verticals, if you will, and you just, once again, we referred to the next line, electric, which is only one of the type of energy generation and distribution utilities that we have, nuclear, gas, fossil fuel, wind, solar. if you break that down, there are different organizations and aspects for each one of those, and we also have a trading floor obviously we have interest within the financial service spectrum.
5:22 pm
the response for our physical or cyber incidents that we come across without telecommunications partners. so affecting telecommunications and how that affects our networking and our it infrastructure as it works over the it portion and from a chemical perspective, too. i am sure we have quite a few chemicals that are used in a lot of our different generation prospects. and so that is a long way of saying, the sharing that we have in particular is good, but if you have an organization responsible for cyber security across an entire corporation from the information technology aspects to the operational aspects and you add executive transportation, whether the fleet or aircraft or things like that, a platform, it aspects on those, it is a lot of different sources of information coming, and a lot of times it is the same threat. an actor with a different motivation coming after a
5:23 pm
different asset with a different outcome that you're expecting to have. that is where i allude a little bit to some of the interdependencies that i have with the other sectors. from a financial perspective and not just after the energy grid. and so really it is the challenge of getting around this type of aspects, bringing them in and working across the organization. timeliness and definitive, and i think if i was going to increase my wish list one of the areas we talked about -- and i think i am even -- admiral rogers talked about the evidence, we talk about information sharing, we focus on indicators, the threat, those types of things, some of them reactive, sometimes proactive, but another valuable thing is trying to move left of these activities. i would like to see increased opportunities in the future. get the bill signed, good first step, move forward, lessons learned, best practices, prototyping
5:24 pm
results, the department of defense, they spend billions of dollars in science and technology that would be relevant to all of our capabilities and things to deployed to prevent or detect these from happening. i think that would be one of the next steps. i don't know if he is here today are not, but i read a couple of his articles to, david garrick, engineering of the cyber threat, the aspect of actually increasing from working our workforce, training and education, investing in security and engineering. >> information sharing, the com sector has been actively involved for a long time. there are entities out there like the national cyber security center for coordination that we participate in. we literally have people on the floor, coasting and work on information sharing,
5:25 pm
communication and sharing and analysis center that actively shares information today within the communications community, but also across sector sharing that goes on periodically. we participate in a variety of third-party information sharing groups outside of government, ad hoc groups have popped up to deal with different types of cyber threats, a third-party, paid and resources that you can purchase information from. so there is a wide variety of information sharing going on now. it would be better if it was a little more coordinated, but that is some of what we have been trying to work on, but it is an active thing. in terms of the type of information that would be shared, our focus, and i think the admiral spoke about this earlier, it is technical information, really -- depending upon how you define it is not necessarily personal information. we're talking about things like ip addresses, the port number, date, time stamp, technical information that would help us look at our
5:26 pm
networks and say, if we saw -- the way we do a lot of our network detection is we look at the network and say, what does it look like on a given day in a normal state of affairs? if there is some sort of anomaly can it be attributed to a cyber threat? we try to look at things like the ip address, source, destination, the technical information to see if it is something that stands out as an anomaly. and that is really how we look for threats, it's not about people's e-mails and that type of information. now, in terms of how information sharing can be improved, i think it was already talked about today. you know, we have long supported the legislation. we think that clearing up the legal framework around cyber security in particular would go a long way to enabling new capabilities in the realm of information sharing. but just as important is the actual authorization part, talking about explicitly authorizing things like cyber threat monitoring and countermeasures for taking action to stop the threat.
5:27 pm
a lot of what we do today is covered under exceptions for network security, and we would like to move it away from being exception based behavior to be something that is encouraged behavior. definitively congress is saying these are activities we would like to do so that we have clarity in the law around actually performing cyber security. >> we will come back to that particularly from a legal and regulatory perspective as we move. but the financial services has been around since pre-9/11, recognized as one of the most sophisticated from an information sharing perspective. what specifically is done to encourage information sharing among its members, and what is the relationship like with your government partners? >> well, the relationship is incredibly strong. part of that is because of
5:28 pm
the fact that we are co located with law enforcement as well as dhs. it is huge. it builds a trust network, essentially, between individuals. we are not known to it some of those individuals and financial services and move them a desk over because of those relationships. so that is jus few. that is, i think, first and foremost. what that has done is enable us to take information and make it more accessible as well because one of the things that i think it's accomplished is the financial services operator can tell the folks on the government side whether the information has meaning and what meaning it does have and what actionable result could come out of providing that information, what is the to do list? not just have a nice day but what you can do a secede within a particular threat
5:29 pm
is huge. admiral rogers, i think, made an excellent point when he was talking about data versus intel. think we have a problem, a nice problem to have to some degree, and that is, we are now faced with having so much data within the threat environment that it is hard to comb through all that data to really make determinations of what part of your environment is impacted by a particular threat and then what you should be doing associated with that. so we recognize that. and something you may be familiar with, a couple of protocols, one is essentially html for threat information. you can think of it that way. it allows you to tag information and much more easily determine what part of your environment is being affected. the other part is essentially what it sounds like, the method by which the information can go from a-b, can go from the fs to a
5:30 pm
financial institution, and if the financial institution has tagged the information appropriately, essentially it can read computer to computer the information. that is something which is a significant initiative within the financial services industry. it will migrate to other industries as well and is becoming the standard. i think that it just makes sense. having some ability to sit there and talk to each other machine to machine to the greatest extent possible so that we can spend more time doing analytics and mitigation and less time essentially trying to figure out what part of the threat impacts our environment. in terms of our level of maturity that is one of the most hopeful signs over the last three years. when you have information or get information from an institution, you have so much information that you actually have to figure out
5:31 pm
ways to automate it more effectively and also work more closely with the governmental partners and building products out of the bureau, for instance, the fbi alleges that have been coming out associated with financial services co-authored by the industry. and so that gives it much more flavor in terms of making understandable and actionable. >> and from a chemical sector standpoint, do you feel like you get actionable cyber threat information through your sector relationships and with your business to government relationships? >> what he said. [laughter] >> so that is a good question because it is something that we are currently dealing with right now. i mentioned earlier acc has a program called chemitc.
5:32 pm
it is the acronym for the chemical information technology center, and it is a program established specifically for folks within the chemical industry that have a particular interest in cyber security. like i mentioned, we have a cio roundtable activity that brings all of the cios together within the chemical industry to share information, things of that nature. they are currently piloting a chemical. and that began in the later -- the latter part of 2013 and continues today. we are working very closely with the dhs, and one of the issues that they are really trying to wrestle down to the ground is how to separate the wheat from the chaff and how to get specific, actionable information into the hands of folks who need to know
5:33 pm
this. it has been a challenge to be able to do that effectively. i think we started out in a place where it was a data overload. and what happens is you start losing folks. you are getting all of this data, all of this information, and it is hard to cut really kind of keep somebody's interest whenever you are just getting hit by a fire hose kind of thing, so i think we are making some progress in that area. we are certainly not there yet. we look at middle of next year, middle of 2015 where we will have a solid plan in place to broadly it stand that up and use it across the energy sector. >> you each come from sectors which are highly regulated. that adds another layer of complexity. early in our discussions this afternoon, we get down,
5:34 pm
federal regulations to deal with, the state level, particularly those of you would utility commissions. so let's explore that a little bit. the multiple layers, a multilayer regulatory environment, how does that impact you from a cyber security standpoint in terms of protecting your network? >> one of the examples we could probably use for the energy sector at large is, you know, the efforts that have been underway over the last five or six years now to increase the reliability of the grid based upon some incidents in the past. the critical infrastructure protection program in place operating based on right now version three of that which is an entire program that we need to go through to protect cyber assets. moving quickly, we have version five, the ink is
5:35 pm
starting to dry on that, and they have to implement that fully by 2016. so that is driving the entire industry. it expands the scope from some of the original efforts, it starts to look at opening up the eyes and aperture of what is a cyber asset, looking at the internet of things, not assuming that things out there are air gapped. you know, now that we are putting more things into the environment, we are doing a lot of things from an efficiency perspective, the energy industry is exploring more addressable types of components that you can do remote access to, even wireless access points sometimes as some of these different sub sections to increase reliability and decrease cost and provide a better service and reliability. so all of those are layered on top of some of the normal
5:36 pm
aspects we're looking at. the industry has really focused for a long time on a culture of safety, safety first because, you know, these high-voltage areas, there have been injuries and death and also some fatalities. and so they really have implicated a culture of safety across the entire energy sector from top to bottom. when you add these and start to comply with, we shift a little bit in an organization trying to get a culture of compliance. because the activities really do have to comply with the regulation. the cyber security guys sometimes across the industry are running to catch up because we like to go, hey, it's not just safety, its security, physical and cyber security. from a compliance perspective the flag that folks are waving is that compliance does not equal security. you can be very compliant
5:37 pm
and follow through, but if you do not have a culture of security, cyber security, you really don't see the bigger picture, the different threats, the cascading effect, second level order effects from access management to a patch management and this type of asset. so it really adds that level of complexity. trying to shift -- not even shift, and from a culture of safety to a culture of cyber security and trying to raise from a heads down compliance perspective. one of the other aspects is for some of these across the industry for single regulatory bodies you actually are levied a fine if you self report. if you find something yourself and report it, then you are still fined or given other remedial activity instead of being congratulated for going through your process of finding something, fixing it, sharing lessons learned in best practices and saying, let's make sure we have processes in place so that
5:38 pm
does not happen again. it is one of those aspects where, you know, we would have conversations with folks, including -- i won't name names, but people who are in other aspects where this was originally started, and it was one of the aspects that they really did not want to be implemented in some of these regulatory bodies, but it is an artifact right now that we have to deal with, and it does, you know, affects the performance from a security and compliance perspective. >> it is interesting, as we look at things such as the transition to the smart grid, which is hopefully leading us to more efficiencies, better services out of our homes and we look at from a, sector standpoint where you guys are delivering these mobile devices that folks want to make their lives easier, more convenient, more efficient, we tend to open up whole new set of vulnerabilities which is complicating to you from a regulatory standpoint. on the one hand you have the
5:39 pm
regulators your wanting to hold the line. we are finding all of these new uses for new devices and efforts for making lives more efficient. of course one of the challenges you are specifically seeing from the communications sector through most of the work that we do and the com sector around regulatory standards done through the fcc, the communications security reliability council , and is actually a voluntary set of standards. so this is, just to give you a little bit of background, a successor organization. and that started in the early 2000's, ran through about 2006. there were multiple sessions that identified cyber security practices at the time. it was the successor organization started in 2009 and we are currently in the fourth iteration. we have taken a series of best practice have first update the previously identified cyber security standards. back in 2011 there was a
5:40 pm
working group that put together cyber security best practices and found about 3907 different cyber practices. now we are currently undergoing a process to update or to basically conform. i am currently its share of the wireline effort. we have been trying to pull together applying the risk management. some most of it is done. currently is a voluntary process, not regulatory oriented. we would like to see it remain that way. obviously the idea of having regulation at the federal level and by all 50 states and potentially internationally is a daunting thing. i do not think it would be a daunting thing for cyber security. regulation and security has been that the threats are constantly changing. they are not static. the best way to deal with cyber security, and others
5:41 pm
have spoken, really through risk-management, identifying what your core mission is in seeing their risks of that mission constantly evolving and having a culture of risk-management within the company, not some rigid standard checklists. the concern would be to the extent that the government encourages more of their regulatory standard regime, you will end up directing people who would otherwise be dealing with ongoing risk management and threat to kind of compliance behavior, and i am not sure that is what you want to put in place to deal with this. >> the concern being that the lawyers essentially takeover cyber security. not that they are not an important element. >> take the resources away from reacting and dealing with the threat as they occur in real time and constantly evolving a plan to dealing with something you are seeing as opposed to, have to do all of this. i am not sure that is what we want to do. >> one comment everyone nodded affirmatively, compliance does not equal
5:42 pm
security, so it is a culture change, as you are saying. so doug, from a financial services sector standpoint, how is the culture of resiliency being encouraged, not just the culture of compliance? >> it is fairly well baked into our regulatory process as well. because there is a recognition that as it relates to a lot of things with financial services, but in particular when we are talking about information security and data security which cybersecurity is a component of, it has to be management based. it cannot become plan based. and that obviously lends itself toward the environment we have been talking about where you can essentially continuously review how well you're doing, what the threats are, of mitigating measures against those threats, your risk that you have not been able to address, how you will now address it because it is a new risk. there will always be that
5:43 pm
environment. will never change. it will become more, not less sophisticated. and so i think that the art is going to be, as we try to deal with the enhanced scrutiny from all these different levels to maintain that kind of culture from the regulatory standpoint. and we have increased interest by the states, particularly the state of new york in terms of what securities firms and banks are doing particularly as it relates to third-party risk management. we have continual increasing interest from the european union and from the national entities as well. and they're particularly interested, you heard earlier, actually coordinating the work that was being accomplished.
5:44 pm
to try to understand how the framework might have meaning not just within financial services overseas but really cyber security regimes and sectors as well. so i think that is going to be incredibly important and to try to ensure that we have as great a uniformity as possible because you not only have to look down toward the states but also look at the international level as well, which is going to be an increasing challenge, and they are about one year behind. so i think to the extent we can take the lessons learned and apply them appropriately overseas, we will be well served. we have another challenge trying to ensure that the states and the occ, the federal reserve, the fdic, the national comptroller are on the same page as it relates to these things. one body to deal with as it
5:45 pm
relates to these things. sometimes we act in concert, sometimes they act alone. when they act alone that can be semi problematic on occasion. >> sometimes it is difficult to see where we have made progress regulatory standpoint. just looking at it from the chemical sector standpoint, the chemical facility anti-terrorism standard program ready industry had gone through quite the wringer in terms of having to comply with the regulatory standard and then whether or not it was being followed up on from a dhs perspective was in question. that is yet another layer that you are having to deal with. >> absolutely. and i think that the experience for us really kind of demonstrates, you know, it is a cautionary tale for policy makers out there who think that they want to regulate the industry and go too far,
5:46 pm
particularly in the cyber security around. i kind of look at it as sort of a static approach to trying to fix a very dynamic threat that exists out there today. so i echo the comments of my colleagues up here on the panel. the right approach to this is a risk management approach. one of the ways that the acc deals with this from that perspective is through our responsible care program. responsible care is a continuous improvement program. it is required of our entire. we require third-party audits on a regular basis, and since 2001 we have a security code element that was added to that which addresses cyber security as well. we are currently taking the framework and doing a mapping exercise, identifying gaps so that we
5:47 pm
can better bring our code up to current state of technology and fill any gaps and things of that nature. so the regulations address what i would consider to be a very small segment of the issue. and through industry programs like responsible care, for instance, we are able to cast a much broader net to make sure that there is at least a base level of security practices out there that address the whole realm of physical security, environmental protection and safety as well. >> and just again because of the financial-services sector, an awful lot of credit for collaboration not only within the sector but with others. through your experiences, if you were advising a sector that is just coming along and really is trying to build up their infrastructure for information sharing and collaboration, with lessons learned from the
5:48 pm
financial-services sector. >> well, for one thing -- that is a great question because we have actually assisted and had dealings with large facilities in the country, large buildings. and we have helped others as well ramp up. and i think that the lesson that i have learned more than not is that there needs to be within the sector -- and every sector has one, a set of individuals that have a long-term commitment to the effort because there is an aspect to this which is really public service, and there is also an aspect to this which might not be necessarily i tend to the day job, a particularly when you're talking about not necessarily my day job, but the members. the members are vital to
5:49 pm
this because they are the operators, the ones that are actually going to know how things work within the organization or not, what the threats are. but a lot of times what you will hear sometimes is that i need to focus internally for a while because of the fact that so much effort external from the organization might not necessarily be as appreciated internally as it necessarily should be. it is helping those individuals with the level of commitment and building of that network which is the precursor to success because that builds the trust between individuals as well as it provides the sweat equity because it is only to the extent that you have trust between the individuals that share that information that you can really have effective information sharing. the other piece of it is, you need to ensure that you still are able to have individual companies
5:50 pm
maintain control over the dissemination of the information. they need to be able to control whether the information is attributed, who the information goes to, and violations of that protocol need to be dealt with severely. we have kicked people out of the club because of the fact that they have violated our information sharing protocol because it seriously impacts the ability of us to be able to effectively share information. so it starts with the individuals building of that network, creating the trust which is necessary to have an effective information sharing environment. the associations play an absolutely vital role in terms of pushing individual members and also providing redundancy in terms of those that are not involved. we do not pretend to know whether or not a particular individuals number is joined or not. we are going to up sheets
5:51 pm
and the information of a critical vulnerability anyway. the measure of success, first of all, having an environment where the information is effectively shared, made to be actionable and pushed out to the entire industry. >> of course, from a communications sector standpoint, a lot of people may not know that one of the most longstanding public private relationships is with the communications sector in terms of the national communications system. you have got government and private sector working hand-in-hand together. how has this sector been able to leverage the experience over decades in terms of cyber security and prepared this? >> i was going to start with that a little earlier. [laughter] >> just by way of background, the communications sector will started in 1962 after the cuban missile crisis. we have been partners with government for over 50 years
5:52 pm
now on national security matters, and there are three prongs to that, policy prong, the national security in telecommunication advisory council, and that is basically an organization that provides policy guidance to the president. a variety of different security issues. so that group is comprised of other ceos are ceos from larger communication companies and provides advice to the president on national-security matters including cyber security. they have done a wide variety of different reports and different measures. one of the recommendations made was the formation. it has also written reports on interdependencies, a report in 2006. so there are things that have been happening at the policy level for quite some time that have incorporated cyber security. and then the second prong is the operation and planning. that is where the coordinating council fits in. that is the group i serve on it really works on function.
5:53 pm
they do a lot of organizational planning for communication and how we participate. it is things like the cyber security framework or whatever other kind of planning functions are going on to develop things. on the operational level the third prong, the fbi in t ig t f and the wide variety of different information sharing groups, the actual operational side. those are the three prongs of what used to be the national communications system. we have incorporated cyber security into each one of those elements over the last five to ten years and continue to do so. >> that is a great summary. in terms of information sharing, i think one of the challenges most of the sectors have is, you are not only dealing with one government entity in terms of receiving information. you have the intel agency, maybe dhs, ideally, dhs, you have all kinds of entities. in terms of streamlining
5:54 pm
that process, what would be helpful from your perspective in terms of getting information as timely, relevant, and actionable from a cyber perspective. [laughter] >> here is your worst. >> let's see. easy answer. get a direct feed from fort meade. okay. independent of that, we will have to keep working on that. you know, there is not an easy answer. part of it, i think, is getting back to, as we discussed, paying attention on not just the data, the ones and zeros and the technical information, but the actor and their motives. because a lot of times we will get the signatures to make it the elements committed some of the details, but we did it before we know what happened, which is good, but there is no context spirit
5:55 pm
we have a model that we go through to flesh out where we are in the maturity model and where we are with tools and capabilities where we looked at the actor, their motivation, the action it will take, the asset to think that there will go at to achieve their objective. once we try to understand all of that we go into our overall strategic. and so when you just get a technical bit of information, it does not really help you understand the actor or what their motivation is, and it definitely does not help you start pivoting sometimes what one of our cyber assets they will go after. and it is definitely, the risk management approach on how much time and effort we invest in it if we don't have a way to anticipate or model the outcome, the impact and consequence. so we definitely need to figure out a way to get some of that really highly actionable intel data kimono because it is highly
5:56 pm
exploitable and we need to get in and update, attached, deployed, see what assets are not only vulnerable but susceptible to that type of attack mechanism. but if you back up from that, a little more understanding. the questions we get asked all the time. our front office starboard directors, they get it. one of our sources of intel is our ceo and others who will say, hey, i read this this morning. what do you guys think? did you read this? so we get things all the time for our chief innovation officer. >> that has never happened here. >> and so they get that. i mean, we have to help with that information, come up with their risk management decision. cyber engineers that i have on my team, very professional, very good, but
5:57 pm
also very risk averse. they would like to drive a solution down, bring it up and then put things into the asset they're going after, the critical information to the organization. >> what you're saying sounds an awful lot like what admiral rogers was saying, the type of information they want from the nsa perspectives. if you want to be flooded with data, you can flood them. those key elements. >> more than just an adviser. >> it's extremely important. i talked earlier about the technical things that we look at on the network side, will be applied a contextual of relate to that. it is not just the bits and bytes, but the context of what is going on. >> from home depot or target or staples kind of thing, can they do that to us?
5:58 pm
what does it mean to me? can they do it? if not, what was the signature, and is our intrusion system updated to stop that? and it is more detail. >> flash back a couple years before you had that kind of cl interest in the issue, it is really our obligation to do what you guys just said, and that is contextualize the information so that it is digestible because they're going to ask the questions. we are very glad to ask. and the resources are being deployed to a greater degree than they were in the past because there is a greater recognition throughout the entire organization, board of directors on down that this is an important matter. that is a real opportunity for us to take advantage of to further protect the environment. >> let's continue along that line. the financial-services sector has done a lot of drills, exercises, does the
5:59 pm
regularly. could you tell us a little bit more about how you conduct those drills and who are the other players who are not within financial services that are involved in those exercises? >> sure, happy to. we test to death. i'm sure the other sectors do as well. they are getting better in terms of individual exercises. i think one of the things which we recognize is we need to expand to a greater degree so it is not silent, assist you with his financial sector participants. we have done it with the merchant environment as well, for instance. we have joint exercises with small business for the last four years at least, which has been helpful to understand our mutual areas of concern. i think that the other thing we're trying to do better is
6:00 pm
also, i'd to a genuine draft correction analysis and take action after. a lot of times exercises are just exercises. everyone wipes their brow afterwards and then goes home. the learning was worded you do anything associated with that and make your organization better. we will do a better job on the to-do list for 2015 in terms of after action exercises. so we need to ensure that we have the appropriate players in the exercises and also we apply the lessons associated with those exercises and do a better coordination of exercises as well because sometimes there is a redundancy associated with them and there are a lot of international exercises as well.
6:01 pm
so the larger institutions end up having a hard time coordinating the testing that's going on. that doesn't mean you don't do it. the other thing that we've done recently. it's an exercise in a box. there's a recognition that we need to be able to ensure that all different types of financial institutions regardless of their size and client base have the opportunity to be part of these exercises as well. >> it's not the size of the company. >> let's turn to the speaking of an framework. it's been a topic of discussion. from a chemical sector
6:02 pm
perspective are you seeing your members implement a framework and what's been the reaction to mast >> in this free-market is what this says it is, it is a framework. for a dialogue that can happen across sectors across large and small companies, adapted to fit unique needs as i mentioned that chemical sector is very diverse. so we clearly understand there is no one-size-fits-all application. what i say from the acc perspective is it is mapped
6:03 pm
well to the responsible care program. they are both management system types of programs and they help companies to do something in a coordinated fashion to assess risk and address the risk in a way that fits their needs specifically. and to present the openness that invites people and companies and organizations where a mandatory approach particularly at this stage of the game i'm afraid would put people away and push people off. the framework really has a
6:04 pm
capability it stimulates innovation within the industry. the companies take this and adapt it to build off of this and pushing the envelope forward. that is exactly what we need today to help thwart the threat of cybersecurity and a cyberthreats. from a chemical sector perspective what is the greatest cyberthreat? with the theft of intellectual property. whether from the insider threat or the external threat. many members are involved in military contracts. they're developing unique applications for military applications.
6:05 pm
there are faults -- people domestically and overseas and the framework helps to address those issues. and it is a language. it is a standard language that the companies can use across the organization and all levels. >> are you seeing the members of your sector asking within the supply chain to adopt the framework as well? are you seeing that happen in the? >> definitely. since 99 as an industry we are required to hold a major supply chain partner for security standards that we have to abide by.
6:06 pm
but how deal on a chair for that? and how that gets accomplished is sometimes very difficult and regulators are requiring continuous monitoring of our larger vendors. so the larger banks are wrestling with what that means and the community banks are trying to understand how they have the leverage to even accomplish that. but the common language is very helpful in that regard. because what you can do is apply pieces of the framework to the third parties. having said that it is just a framework. one of the criticisms is that it is not very metrics
6:07 pm
driven. you cannot benchmark against other companies, your scoring associated with it the framework might be subjective in nature. but with a common language alone is very helpful because with financial services in a space in terms of the sector a various level of maturity that could be a critical vendor as a company because it does not have maturity associated with them and they don't necessarily get the fact that cybersecurity is front and center as an industry player. the short answer is yes larger institutions are increasingly using it and community banks look at it as the way to talk about
6:08 pm
6:10 pm
6:11 pm
[inaudible conversations] hello. my name is bill ibm's a organizer and to i have done these before and these are great supporters but a little bit of the history here the reason i am bringing glenn is he is a friend of mine. it is an important message this time in canada i asked him to come to ottawa and he has. so thank you glenn greenwald.
6:12 pm
actually i was commenting years ago when he first started we had some good comments and we would debate and he would always jump in to the comments because people lived in dread of them to say no. this is why you destroy it it. over the years we would exchange comments i would send him stories and they would be in his column then eventually we started exchanging emails. then in 2012 i brought him here for the first time. contrary to the image you see on tv, but he is the nicest guy you'd ever want to meet. i will not talk too much that i am holding in my hand a rubik's cube
6:13 pm
because it is central to the story because when he went to hong kong he had no idea what edward snowden looked like he could not because that is the bad operational security so he told him i will carry the rubik's cube then he looks of there with edward snowden and he looks like he is 19 and he has rubik's cube. he thinks he is looking for the senior nsa guy. so they talked and this is where we are. we are almost ready. our host for the evening is jesse brown who was the real journalist and has a lot of experience with the cbc and currently has his own web
6:14 pm
site called canada lands. he will do an interview with glenn after glenn talks men the promise of probing interview. and that is basically it. i will leave it at that. and before i go thank-you to the sponsors for helping and also turn off your cell phones. so right now we have jesse brown. thank you for coming. [applause] >> it has spent one hell of
6:15 pm
a week. i was following along on twitter as things were unfolding and amid everything else i was dealing with the confusion and the shock and the sadness i felt something else. i thought this is bad luck. this is too bad and had to happen so soon before the glenn greenwald event. everything i heard as the events unfolded to affirm the sense the timing is off. we here in canada lost our innocence on wednesday. and we hear we have to say goodbye to the old normal because doubt it is the new normal and things don't feel the same anymore. and with this pervasive sense it was not the time for this conversation and then i thought i thought the
6:16 pm
lawful access legislation calling the of protecting children from on-line predators act and then it was reprinted as the anti-cyberbullying law but whatever you call it it makes it very easy for law-enforcement to call up the cell phone provider to get information about you without a warrant. which they do anyhow but this makes it legal. we have been beating down. privacy advocates and commissioners are against it and the supreme court has ruled it is a constitutional we have be back for years but this week to pass a third reading in the house and the commons for the rubber stamp. after the shootings the prime minister promised us he would expedite
6:17 pm
anti-terrorism legislation to make certain kinds of speech illegal and it will make it easier for authorities to detain suspects of terrorism. this is not a new normal. it is the old normal. we have seen moments of drama and fear that come with a subtle message that it is not appropriate to have certain conversations during those times. and while we get that subtle message that those conversations are not appropriate that this has happened before. so to see this auditorium filled with canadians says this is the exact right time to have this discussion to talk about surveillance and our rights. i feel incredibly lucky to be introducing glenn
6:18 pm
greenwald i feel very lucky there is a glenn greenwald. [applause] consider for a second if edward snowden did not have that glenn greenwald to root contact to wedding crypt the conversation or if the nsa heard what edward snowden was trying to convey or if the journalist that snowden contacted was not as committed to rigorously the response of the reporting of revelations that he was brave enough to come forward with? we would be worse off for ignorance i don't know where snowden would be. glenn greenwald has paid a price to reveal the truth with patriotism questioned, he has been called an accessory to a criminal. he has had his freedom
6:19 pm
curtailed the he is here with us in ottawa tonight please give a pulitzer prize-winning journalist glenn greenwald a round of applause. [applause] >> thank you very much. good evening to everybody. thanks for coming out tonight and thank you to open in media for sponsoring the event and my very enthusiastic reader for organizing a great event to help meet me able to come this week to canada where i have had a very eventful 96 hours. [laughter]
6:20 pm
in an interesting way i feel how tumultuous it has been a rather productive week because i feel i have accomplished something on life objectives that people believe the stereotypes that would be impossible to achieve that i have to spend the entire week with my in box full of enraged canadians. [laughter] people would say that is just impossible to achieve so i can check that off my list. [laughter] their reactions to the article i wrote this week that i wrote after the attacks and shortly before the news of the ottawa it broke it did provoke among the most polarizing reaction of anything i have ever written. and i looked at as a sign that was 80 absolute worst
6:21 pm
writing because the role of journalism especially at difficult times is to question and challenge the assumptions that people cling to. i heard from at least as many canadians who were supportive of the arguments and appreciative it included those arguments and perspectives hearing from enraged canadians and underscores an important point that the events of this week as tragic and horrific as they have been to watch unfold provide the perfect remarkable lot of ways to think about all the issues to discuss. i have been working on for many years but really brought into highlights by the work i have been able to do over the last 16 months
6:22 pm
with the extraordinary archive of documents provided to me by my heroic source edward snowden. these issues pertain to the messages and narratives of the government of western democracy in the post 9/11 era of the nature of our society to pertain to policies that have been assured and as a result of those claims and a lot of ways i got to see that unfold firsthand by being here like a laboratory to understand how countries in the west responded to the policies and perspectives they could entrench as a result. the very first event that happened that i immediately
6:23 pm
noticed and recognized as extremely familiar and significant was the instantaneous injection. i mean instantaneous injection of the most inflammatory but also the most meaningless words of terrorism. before anybody knew anything about the perpetrators the media and political class all agree by consensus that were adequately and necessarily described to be terror. there was no discussion as usual what that word means or what the act has to do to qualify but it is a label that was instantly applied without any reflection or deliberation or discussion of any kind. has no definition but it is
6:24 pm
inflammatory that it happens over and over again. it is worth thinking about what that word means that we have not allowed it have that effect. that was followed by how the government responded to these attacks. i am not a particularly enthused fan of the government. [applause] but i think it is important to give credit where due. the speed and aggression and brazenness and shamelessness with which the prime minister moved to manipulate and exploit those powers is almost impressive you have
6:25 pm
got to give him credit. if you look at how other western governments have responded they have the decency to wait two or three weeks before admitting that they are exploiting these fears to justify a new legislation but prime minister are for is sunbird and. [laughter] really is amazing. less than 48 hours the ottawa shootings he stood up in the house of commons yesterday and said '' our laws and police powers need to be strengthened in the areas of surveillance, a detention much strength and i assure members that work is already under way will be expedited. the only thing unusual about that is the speed with which it has happened but this is been the process in the 9/11
6:26 pm
era to further dismantle protections of civil liberties and core principles. another visible and familiar dynamic that i could see this week is what is referred to as the too soon tactic. they would say i agree with what you said and the interviews this week it is important but i feel like it is too soon. apparently there is a time limit you have to wait before you start talking about these attacks. while i understand the kind that claim the problem is there is no such thing as too soon when it comes to how the government and their allies in the media start to politicize these events it
6:27 pm
is instantaneous it was labeled a terrorist attack and there were all kinds of claims, a very debatable claims made on that motion and if you are a journalist or a citizen it is irresponsible when citizenry is most engaged to think about the issues to let the government messages go unchallenged. data away before they politicize the bench or the well intentioned ritual that springs up around them and it is worth talking about that as well. but the most dynamic part of this dynamic is the way we have been persuaded to think about the world in a drastically different way than realities suggest that we have been persuaded to think about our own
6:28 pm
societies and governments and our own behavior there is very little resemblance to the reality of what we allow society to do so to illustrate that i want to share an anecdote that involves canada. the very first story that i could report specifically all stories of all canada that they are all about the internet but the first three i could report about surveillance was back in october of last year and reported this with a large brazilian television network. what this story revealed it new documents from your version of the surveillance agency csec it was silenced on the communications of the brazilian ministry which
6:29 pm
coincidentally just happens to be the agency in brazil of greatest interest of the timber and logging industry. before i reported the story i knew it would be huge in brazil because they are concerned the way surveillance is used to cheapen the economic marketplace for economic advantage but it smacks of colonialism with which the company -- country has been plagued so long with the neighbors to the north i did not expect it to be a big story in canada the reason is when i have done reporting country a spying on country b, the country that is being spied on cares a huge amount but the
6:30 pm
country that does the spying does not care at all they care the stories that they are spying on but they don't care that they spy on others around the world but my expectations were thwarted it was a huge story in canada that led the nightly news for our five consecutive nights a was day least four interviews to help them do further reporting and a lot of them did. i was very surprised at how much that story resonated. i spoke to a couple of canadian journalists that i know well and i asked why is this so big in canada? they said it shows why that number one there were a ton of canadians who did not evno