i'm saying in that space, sharing the government and the private sector we are taking that regard. we have private to private sharing as well that we are trying to promote more companies to share information among each other in the sectors and the region and the threat-based sharing to expand all of that in the executive order that was just signed and it focuses on that in a new way by promoting the idea of information sharing standards and getting the new standards out so that we can share more information across the board and create this idea of promoting those efforts to share private to private. again it's an extremely important piece. there's another piece which is private sector to government which is also extremely important if we are going to see the threats that are out there, the incidences that are happening. the government is the place to do that across all the different sectors. the government has its own thread so they can tie that information in and how do we get that information into better? then we hear from the government that the biggest kind of

barriers are the only ones that can make it through the legislation. so there we are focused on the legislation passing. but we also have government to government sharing. let's start with an side of inside of the federal government. there they try to get us for intelligence matters we need to do a better job of doing the analysis. thus ctic is doing the the levin is doing the analysis that isn't necessarily sharing the intelligence but being able to do the analysis. so, then you also have the sharing that needs to happen between the centers. we've done a good job of increasing the sharing among the centers and among the agencies involved. now it's about doing the analysis. so, we have these four different for different kind of sharing that i phrased. each one is equally important. we are trying to come up with policy solutions to figure out where the barriers are in each of them and get the policy answers that salt is different here years. >> and i think that's one of the

-- when i was getting people to push back and say my gosh another agency a lot of what the ctic is going to do it was getting done in the white house. so you're taking a lot of this who is seeing what part of the animal is this what are we looking at would have to have been in the room and it seems like this is now pushing it out so that you guys can focus on the bigger policy. >> information sharing and the government has increased. we've come to this point where now we are going from different people that have different viewpoints here and none of them have the full picture and the question is who can do that and analysis of the intelligence that comes in. today that is happening at the nsc but it's not their job so we have to find a place where this can happen now that the director of national intelligence was created to the intelligence cases, so that seems like seemed like the logical place to move this forward. >> how will you know if you have succeeded? a couple years left in the administration, we will have

another president in a couple years and that president is going to bring their team and they are going to sit back and say all right. have we broken the logjam and how is this working. >> we are not talking about information sharing policy anymore we've moved onto something else that is a high bar. the question is if we have all of these areas we've been talking about with information sharing and it's been kind of a jumble for the last few years where you have a conversation with the conversation with someone and realized that you're talking about two completely different kinds of information sharing that using the same vocabulary. so if we can move past that to the very specific issues to figure out the legislation that needs to be passed into separate the technical issues about the sharing into separate the issues that need to be done to promote the private to private sharing we get the standards for place we will be in a better place. >> and i like that in the isao

concept you are focusing and a lot of time and for the government people they focus on that government is good to be involved in a solution in the information we have to come into the government and i'm pleased that nsa sounds like you're taking it out. >> some of the things people focus on the idea of the hub. but we are not talking about the government being in the middle. we are talking about private sector organizations and these can be small, very flexible if you look at the definition. >> something that michael talked about that we featured in the paper today was focusing on the outcomes. and we found if we focus on the outcomes then you say who needs what information to take what action and you're right when you look at those outcomes to government and is not always critical in those outcomes in the private to private and mark you have been at the center of a lot of these outcomes, the favorable outcomes here for a

long time in your role of the communications and the rest. when you are looking at the news that has come out with your experience -- >> thanks for being here. before i answer that question what should you do to figure out the number you need to express it took some of the -- that will resonate with everyone. you said whatever the sequence is. that would be interesting. by the way if it is mentioned in now -- malware you will know you've reached you reach the right audience. that is kind of answer how do you know things are working including those that are the adversaries if you begin to see their discussions in the literature in the communications they are talking about it's not even adopting the same sort of principles that means you're connecting. and it's not just the washington

centric those who feel like we are in a little bubble here. as you said in the paper and i appreciate appreciate a little bit of the history lesson that you put inside of their. we are talking 16, 17 years of information sharing of the model that is very powerful. granted that that their sector specific they are designed to be that way. as a part of the gap that we have all recognized that they are part of the american economy that don't neatly lined up with sectors particularly the new and emerging high-tech community come across or think communities. where exactly do you put the search engine for example or the countless other types? >> dot benefit of bringing into new in the new ways of doing this is very powerful but we also recognize that there's a good history of development and i think a lot of information of

what works and doesn't work is going to be valuable as we create these new sharing organizations. >> as you've been involved over the years would have you found have been the most important lessons and you think the next steps? >> we all need to serve our time and walk away and let others serve. i think it's really clear let me back up a little but your paper hits on a lot of good observations. if it is just for the sake of sharing it doesn't get us anywhere. when you start sharing between the organizations that can do something about it now you begin to hit your stride and there are a lot of people who want to share just for the sake of sharing. i realize that situational awareness is important that there is strength in sharing between those that can take

action and the soap if you have small groups of people or large groups of people that have these roles and they are talking to each other which they do, that is very powerful. if there is an expectation for those groups that can do things with the raise they have fingers on the web or they have to inform others that were the observers that that distracts from the time that they are taking them back not to say that we can find somebody to bring that information out that the focus really needs to be the amplified focus and it needs to be taking sure those who can take action are the ones who are sharing and communicating the best and yes there is improvement there. so again that is -- i appreciate what you have in the paper because it recognizes some of these challenges and the strengths that we are sharing at a level among those who can do things. but that isn't necessarily visible to everybody else and it is a bit of a challenge how we make that known to others but also how do we amplify and even make better those processes among those who can pull the

levers and take action. >> we had a quote from one of our senior fellow founders at the black hat conferences why share information with people not in a position to take action? some people have their hands on the levers and others have their hands on the levers that aren't connected to anything. >> even at the individual level you appreciate when someone tells you something that is happening so you can do something about it. as an individual you are surrounded by information that doesn't necessarily call you to do things and you see it and that's nice but you don't absorb it. it's those things you pulling that caused the reaction. so if you are using one of the many crowd sourcing applications on your mobile phone that tells you what the traffic conditions are, you love that because you can see that there is a problem coming up ahead and i can take a detour and go around it. that's kind of where we are going. we love to share but we love to share things that can cause you to do something else.

the rest of the information that's out there as individuals we tend is individuals we tend to not pay so much attention to. so again it's important in the cyber sharing that we be careful that we are focusing on what is actionable and who we are giving it to that can actually do something with it versus just tossing it out there and therein lies that is a lot of work. >> one of the things washington d.c. doesn't fully understand how many nonstate groups are actually sharing and fixing things today. we mentioned to some of them but a lot of this in the paper we say don't just focus on those that are sharing information. the best information sharing seems to have been with the happen with groups that are actually fixing things, that are focused on the actual outcomes. to me the classic model is the national communications system. can you walk us through that?

syndicates the national communications system developed over 50 years ago so this is all the way back to the kennedy administration and early 60s as a result of what happened in the cuban missile crisis and that recognition that enough level of sharing who knows what who can do what across the administration that had this good means of communicating. were they sure if the president wants to get the cabinet all together at once, could we do it? if you look at some of the documents in the executive orders even president kennedy creates this thing, the whole concept behind it is being able to reach the decision makers quickly and make sure that they can always do that. the mission was given to the defense department and the global communications and things that can support the president. but the thinking was back in the early 60s. we were talking 50 years ago the same concepts that we are wrestling with today in a different era that is cold war, nuclear threats type of thing.

bring that forward to 2015 the threats are certainly changing but we still have national threats against our country and against our very existence that we have to have that continuity have the ability to communicate and share among the decision-makers. so that's still very much built into what the federal government does. the private sector supports it so companies that communicate and combine hardware, software, but allow the decision-makers to work together together with those decision-makers formed the backbone of the national communications system and all of our benefits from that because our own interactions and hands from it. >> and this other interaction between the communications providers. >> in that particular case we spun off in the early '80s when it was broken up and we had the recognition that there had to be sharing among the phone companies and the organization and the coordinating center for

the telecommunications was created at this point in the partnership between the public and private sectors to make sure that those brand-new phone companies could continue to interact in the same way that the monopoly phone company was able to do. today it is the communications isac for the sector. we created a parallel group for the communications companies but we still have a strong relationship with the ncc for private and public sharing and actually it's strength is mostly winners physical problems. we have hurricanes, snowstorms come earthquakes, fires. that's where the group works really well because that is actually the biggest peril that we have to that infrastructure. electricity has the same sort of thinking. airlines transportation shipping in the same sort of thinking. other parts of the economy have those needs they can get together and collaborated not just for cyber dot any any

peril. spinning a lot has come up for the focus and outcomes. a lot of times we think of that as countering cyber espionage or computer crying or the rest. but for ability disclosure really fit into that also. when we find a big bug in the internet or software how can we make sure that the right people find out about it in enough time so that we can all be defended before the bad guys get their hands on it and that's why i'm really happy that jeff coming you could join us. your company was right in the next -- can you walk us through this process? >> thanks for having me. yes, we found a pretty serious issue that affects the forms last week. it suffices to say that it's a serious issue and there's a lot

of interesting -- spigots with almost every microsoft product. >> it is a remotely exploitable piece of badness. >> the interesting thing about it is there's a lot of things going on right now that are kind of conflating this. windows xp, which is one of the most broadly used platforms still, particularly in things like industrial control systems and cash registers and atm machines and things like that will actually never be fixed. windows server 2003, microsoft said it's too hard to fix it. so even though it is a supported product they won't be fixed. so you know, there is a lot going on on this particular issue that make us interesting.

focusing on the disclosure cited in the information sharing side of it also adds a fascinating story. you know, i've been in the information sharing space for a long time. i was one of the original people in the program and of all the time that i've been involved in information sharing, the concept of information sharing around the disclosure and abilities never crossed my mind until a year ago that whole space never crossed my mind. you have to understand the vulnerabilities are of the munitions in cyber battlefield that we live in. there's never been more people looking for vulnerabilities. there's never been more organized efforts to find and monetize the vulnerabilities. the tools have never been better to find the former abilities and the software that we have we

generate mountains and mountains of new software every day. so not only are we getting better at finding the vulnerability and having people looking for vulnerability but we have more places to look. so this is a growing issue. our bug wasn't an implementation issue. so if you look at those that we saw last year they were mostly implementation issues meaning you fix a couple of the lines of coding and you are done. this was a design problem. it was a fundamental decision that in this case microsoft made 15 years ago that turned out to be wrong. so fixing it wasn't a matter of going and adding a couple of lines of coding it was adding features. when you are microsoft and you have many supported versions of the operating system and lots of

supported configurations into customers and things that have important things that don't like to change, this becomes a long and difficult process. it took microsoft 13 months to fix this. the reported in january of last year. so, that's interesting. so there's a spot right now if you follow the space between microsoft and google about the disclosure timelines where google has a very strict 90 day timeline including two microsoft's dismay they publicly released an released and issued just two days before microsoft was going to fix it. so you know 90 days and fixing one kind of thing is fundamentally incompatible with fixing a design problem that took 13 months to fix it right so there has actually been activity in that space now and google updated their policy just

last week because of the recognition that there are a harder class of problems. >> so for 13 months he were able to disclose this is an interesting -- sometimes the best thing to do with information sharing is to keep a secret. and in this case after, to their credit, they handled this fantastic. we are lucky that this turned out to be a microsoft problem because they had a sophisticated incident response security problem and so it was their mistake 15 years ago but the people that handled its now were the right people and we are all very lucky. but they immediately bought it and there was no convincing them that this was serious. that took three e-mails. they worked on it very hard for a year.

the best thing to do was to give them the runway to fix it right. the worst thing to do would have been to put an arbitrary deadline in front of them and told them to fix it fast. in this case there were not ways to fix it fast so that would have been cited tracking to the detriment of the end of the secured the gold. so in this case yesterday's way to share information was to give the vendor the runway to fix it and to keep it secret. >> but that is hard and interesting because keeping the secret especially for 13 months is hard. but we actually discovered this issue under contract with a third party so that made it even more interesting. if a third party happened to the internet corporation for the numbers. they are a 501 c. three do good organizations so they were cooperative, but it would have been a commercial client, they may have been less willing to

give microsoft the runway to do what they needed to do. making it even worse, we had to release an interim report saying that we were sitting on a secret for a year in wait for the second report. so, you know, we couldn't sit on it for a year and not tell anybody. it became very interesting. but my take away from this first of all when we think about information sharing we have to think about former abilities and responsible disclosure and how all that works. about hard questions, and then we grapple with all these questions for the last year. first who do you tell? you tell the vendor but who else do you tell? there can be an argument that you tell the government. the government is kind of a big place. when you look at an international footprint then you get into which government? in some government the emergency response teams are somewhat indistinguishable from

the foreign service intelligence. so then you run into that series of problems. you run into the problem of the offensive versus defense applications. everybody wants to use this knowledge for different reasons. some people want to use it for defense purposes and some people don't. you run into the problem of the economic vulnerability. so we have no money for this. and that's okay. one of my employees actually said this whole thing working out the way that it did basically depended on us not being rational actors, rational economic actors because we work hard because we had to tell people that we were sitting on it for a year of course we were contacted by people that characterized that an affordability business.

and in fact we are going to run out of basic patriots that are not motivated by money long before. >> this would have been seven figures, right click >> i don't know but it probably would have been a lot. it's a hard problem and it isn't going away. when we think about information sharing we need to think about this issue as well. >> by the way you can tell the hobbies of the different people that are up here. he's policy through and through and uses policy language. mark is a nerd and jeff is a pilot so make sure to get him runway. give him runway. [laughter] >> i have a couple questions but why don't we start and i will look around for the audience if anyone wants to grab my eye i can start -- i started over here number one and then we will go to the back for number two.

at the microphone is coming around. in the interim i will say hello to my nephew that's watching. >> and grew from dhs office of policy. question following the conversation from the cyber security summit on the panel with secretary johnson. with regards to the type of information that they are receiving with regards to 85% of the air can express being what they pay for for the vendors and 4% from the isao and 1% from government and i want the reaction to that breakdown. you know, how much of that needs to be increased. what are types we are getting? >> that's fascinating. out of 100 vulnerabilities that we see in a year that we get 4% of the signatures from isac and

from the government. you are nodding the most. >> and concurrence area that's an amazing statistic because it would seem like it would be the other way around that they should get most of the information from the federal government or other sharing organizations. but it also points to the source that a lot of the organizations themselves share among themselves without having to go to a higher authority or some other authority looking for problems that they can tell you about. this has long been recognized even before there was a dhs is most of the information we knew about ourselves is known by ourselves and we don't have to wait for someone to tell us the obvious we can just begin to look for it. the question then is how do you tell others. if american express finds a problem, can they come should they, will they tell their competitor much less the federal government. that's part of the quandary and i know this is part of what you are trying to help break down some of those barriers so that we can do more of the private to

private competitor to competitor type of sharing for the good of all. >> i would love to know how many they then shared with isac. i used to be the vice chairman and we were trying to figure out how we could get devices from our own devices into different banks that way we could collect information. and it literally struck me i tried to back our way out of that because the information was already in certain places. the information was pulling in verizon and microsoft answer we don't actually need additional devices. we need to find out where the information is already pulling and write that. did you want to jump in on this one? >> i think there's a lot of ways information comes in and it's hard to do know what the origin of it is and that is one thing we are trying to get more information on. you get information directly that came from another bank and

it could also be from the government and they are getting the information from ss isac. it's hard to know how the numbers work out. we need to do more research to try to figure out exactly where information comes from and get to the point raised earlier on what are the most actual information in the quantities it doesn't necessarily mean quality. >> 1% was the most classified. >> it can be completely useless. we need to focus the efforts. we don't know the answer to that question. this package is a great metric. if someone actually has measured and parsed i think it would be interesting to try to draw the cost to say what are the resources that are the most luminous information and what

are the most effective. that would be interesting and i wonder if we could get some money on that further studies and take a look at that. next we are going to go into the back. >> this is an inherently international domain. and jeff mentioned the international dimension but there hasn't been much discussion of how the policy develops when you put it in the international frame. particularly if you agree that sharing the private sector to private sector is what this was about even involve national companies and when you make the national security clearance and important part of sharing how does that affect the ability to quickly share the information? i would be interested in the panel views on how the policy debate will go forward on the

international complex. >> how is this working. does this start with the others -- >> i think that the eo by its nature is designed to be international. the focus on the part about the standards body. one of the main reasons to have it be a nonprofit organization that is worked with to set up the standards public on the basis for folks for new information sharing organizations to come up is because it's really not focused on boundaries in focus on boundaries in any way. any company can join those organizations.

..

and then asia. and and we were all there at this international conference and build a follow the sun model with the internet at large as we move through. that lay the groundwork for what today is a strong international effort in the computer emergency response team world that even today is very strong. they meet physically as well as virtually. the model has been replicated worldwide with others scheck -- other sector -based sharing. it is a very mature and well driven thing. the big take away is it came

down to individuals recognizing they needed to build this partnership. those individuals took the effort to make it work. from they're sprang forth fantastic organizations, but it boiled down to people recognizing that information shared is the most powerful building. there are other barriers that we can break down with legislation but it really is about people who can do something about the problem. the international domestic, local, regional. >> the global side of this presents an interesting historical problem. many of the companies are multinational companies. so one so one of the historical problems of information sharing has

become how i share this information internally given different organizations. i might have citizens of countries that don't play well with others. all sorts of things challenges that we have been facing since we started sharing information. you have to hold the secret that means i cannot action it. >> and i no the financial service has been expanding out into europe and asia

many people have us security clearances and the interesting thing is to see how we can copy it to look at the model. in in your opinion as this international sharing potentially been hit either by the snowdon revelations or in the resulting sovereignty law? of information can't leave europe or wherever does that automatically by definition hinder the multinational information sharing? >> they have come up with rules about what information they taken and how they deal with it. we emphasize this concern.

i i think people feel a lot more comfortably internationally than they do with people using all sorts of different definitions and pouring information and without the thought of privacy on the other side. the key the key is in terms of making sure we are sharing information we need and have the mechanisms for privacy. >> one of my favorite moments at the summit were amongst my favorite moments mentioned hear today about wanting to get practical and was just take those out and no that it will flow smoothly. amongst my favorite moments last week was a panel on sharing. she has been in the

committee for years associated with the electronic frontier foundation and others and said i have my friends that work on signatures from our sit down and show me the different ways that they share the signatures. i saw nothing that impinged in privacy, any one of those things that they showed me which is just a powerful example. if we say we're going to share stuff it brings up what i think is an understandable and automatic antibody and here someone that is fully on that side saying i don't see a problem. i really like that as an aspect and hopefully we can do more. >> other plans for me going to issue an rfp.

>> that we will get a number of questions out they're. the plant is to work with the committee to make sure the rfp is aimed at what folks want to see. i'm sure privacy will be part of that discussion. >> i have been waiting to ask the question. i get a lot of questions from critics on the focus on information sharing. what sharing and actually helped? so i am looking what sharing have helped and if not what else can we be

looking on now that we are starting to get sharing under our belt. >> it depends. >> we get this down. down. it's an absolutely fair question and something we always ask. but for what, and certainly knowledge that the bad actors we are targeting could somebody -- we went through this drill with september 11 what did we know before it happened that we could have told others about, integrated, shared. armchair quarterbacking is what we are good at. i don't know that even if they had perfect knowledge that individuals would have taken proper action and would have known what to do because that boils down to the individuals being key and even if information is put in front of them would they even recognize the

threat and see it as a problem? get someone else see it without full context? again, you can armchair quarterback is to beth and there is know correct answer >> i think looking at the framework in some ways is a better discussion to have. the the companies companies figure out where they were vulnerable. taking a look at that and trying to figure out if that would have helped. obviously information -- information can help feed into and address those issues but it is almost a better thing to say what kind of risk modeling and management did they do in advance before they got hit as opposed to if they had had this one peace of information. >> and we talk about these unknowns. it is right they're in front of you and you don't recognize it. that is an

education piece. peace. how can we train a workforce that can recognize these things. this is another piece being worked on. none of these things stand independent of each other. there is know silver bullet bullet, and all of these initiatives, be they public come up private public-private, international, they all interrelate and have to be interrelated in order to move forward. >> my answer is i probably would diverge. but it is a funny thing many information -- security risks stem from preparing for the wrong adversary or not understanding the adversary. in that -- you can make the argument that many of those companies were not prepared for the adversary they

actually had. they were prepared for the adversary reading from the pci compliance manual not the one that wanted to harass them or do whatever. so i think as we move up the stack so to speak in our information sharing, so information sharing right now is a lot about tools and signatures and things like that, but what we're talking about right now is moving up the stack to threat actors, motivations, capabilities. as we. as we move up the stack and understand the kind of actors out they're what motivates them, what capabilities what capabilities they have, who they might be interested in targeting and why that sort of information sharing, had that existed several years ago it may have actually helped someone like and them realize that there are different sorts of people out there. they're are different sorts out they're. >> and i no our board dir. if she were here she would be pitching the basic cyber security controls the

issue will do that at the drop of a penny had. >> once you figure out the risks. >> so if anyone has questions, please catch my eye. i did want -- cisco have been helpful as we were putting this together. firstly we will start over here. >> i. sean linkous with as ew. can can you comment on the decision by the top tech companies say about the white house relationship with industry when it comes to information sharing? >> that was completely overblown. the main panels we set up were designed to have a wide range of folks from different industries involved.

we had a couple tech people on the panel. the one keynote was from a major tech company and then we had all four of the major companies mentioned in these articles saying that they did not attend. we had all their chief information security officers they're. it was a bit overblown. the goal of the summit was to try to talk about cyber security in a way that addressed what consumers were thinking about which means health companies financial companies, retail companies. tech companies obviously play a role in that, too. in terms of the breath of what we are looking at for the summit we felt like we have the companies in the room that we needed. >> you were aiming to give specific commitments

companies and the fact sheet from the white house. obviously this won't be a success unless you get further commitments. what is your action plan to back -- plan? >> we use it as well. that is what the executive order is. the other work that we do. we make a commitment to the companies that make a commitment to us. that is a big key, key, to get commitments. we have a number of policies , and we will use that to get more folks on board with some of these issues. i was i was pleased with how many companies said they are using the cyber security framework and with the companies like intel or bank of america who are now saying that they are using it.

they require they require it of there vendors other contracts. >> and so you said the policies you are working on now. >> you know, who knew that these would be out now. were just working on the calendar to try to move forward. we forward. we talked about the areas where we still have barriers i i think there are several events that happened at the same time. certainly the sony one got a lot of people's attention. >> i am sure the president wanted to sign this one so he could release it or around the same time we did

our paper. >> arnold abraham with the institute for defense analysis. i was a a little surprised but the emphasis on security clearances. i spent time with the department of homeland security. we looked at the sharing for threat information with local police departments. over 10000 local police departments in this country. a lot of people were pushing. we said at that time that that was not the answer. j and markets especially with your time in the private sector, do you think that an emphasis on security clearances is a proper and effective answer? >> i we will take a quick stab. >> and then i am going to go to jeffrey. >> the security clearance thing is a bar that sometimes we cannot meet. particularly if we have a smart a smart person who might not have a clear of all background, how do we

get them on the team? this is a knew question that we have not had to ponder before. in an earlier era we could focus on those who had the proper background, but now we need the brainpower of those he might not have had that clean background. the bigger question is how much of what the federal government knows has to be classified. that is really where we are going. if they come up with something that needs to be shared one of the many frustrations is they will pull in a private sector individual but then that individual can't take action because you have been told the government secret but you are sworn to secrecy. so frequently we will say what is the terror line? and that means if you have something classified here is what is unclassified.

you you turn it off and pass it along. so we will ask. the answer comes back hours hours, days weeks later, rather than when the information is 1st prepared it includes a line right up front. so prepare with the information that can be made public minus the sources and methods and things which begs the question why not just take it sit in front of industry. this is a process problem nothing nothing more and something we must work through collaboratively improving the speed of information coming at us that has been previously classified. you guys have done a lot. we we have seen remarkable changes in washington in terms of streamlining. there is certainly a long way to go but go but the steps are being taken in the

right direction. >> i would 2nd that. the most frustrating thing for quite a while has been you clear one individual at a private sector organization and he or she cannot do anything with it which becomes a a struggle. to answer your question, clearances are valuable. >> classified. >> of course. course. some things should be classified #. but there is a balance. i i don't think anyone would argue that they're is a tendency to over classified. there is value. i think we are moving in the right direction. >> we are not going to clear our way out of the problem. we need more information out in an unclassified way. we are working hard on that.

however they're will still be analysis that will be classified and more companies want that than currently have the information, so we need to address it. >> sometimes it just gets you into the room. but if you look at a lot of the cyber conflict we have been through that was very clear. the amount of talent to have intelligence they were able to gather. if the bad guys are releasing attacks over the internet it makes them -- it does not matter if we collected it through a satellite, clandestine's or whatever whatever command does not matter. it is on the internet. they're not going to suspect

we have some sneaky signal intelligence. they put it on the internet. to me unless we were in there system and taking it in figuring out the signature than we have plausible deniability. i agree with the panelists. i learned a lot of my trade. you always try to lower your cost of control. you go to the cheapest control that will get you to your desired outcome and clearances are a really expensive high cost. any anytime they hear someone say we're going to deploy something there is probably a better way to get it. >> this really follows on i think i hope. either companies that you

would not want to see participating? this is a state-owned enterprise say that may have large 25 clearances one way in which you could say no. i would like you to help me understand how much information sharing. >> and going to pull this in a couple of different ways. you deal with big telecommunications providers some of which are in countries the us may or may not have good relations with. and then when we are looking how it works when we say all right let's bring in this persky or

let's work with these companies with big chinese banks of the rest. >> a great question. forest sector -based we are sector centric and generally in that sector. it would not make sense to join the airline. it is just not what they do you see where i'm going. like companies forming an information sharing organization that is sector centric. we also see sharing organizations that are not high sex. he talks about one group that emerged. we start to see warms and

things happening international and oriented on individuals vetted by other individuals. you are vetted by others as being trustworthy. they are powerful. these groups make their own rules. >> they need the share sector specific information they will still be there. >> someone asked the question.

>> it is good to get the clarity and a lot of it is based on what you can bring to the table. can you can you pull a lever do something, action on the information being shared. each of each of these groups we will have to write there own rules how you build a group of sharing individuals learned from previous groups so that you can increase the amount of sharing and keep the things that we feel must be in place. >> and the us government to five. >> let's take. >> the way the executive order is going to work they're will be an rfp and the staff group formed just that standards. trust is the currency. if they're are elements,

people that join which causes people to not trusted it will be sharing much information and it will fall apart. we have seen it happen. in fact i worked in something that became the anti-spyware coalition. prior to that they're was another group that was run and people do not trust the. we came up with our own standards of selecting who the was. we were not sharing threat information but discussing definitions that became the basis. it is the same type of thing how you go about building trust and keeping it. they can pop up. you can have two or three.

>> i wish i remembered. the anti-spyware coalition is coalition is a great example of what we are talking about a clear goal. we want to take spyware out of the system. who who do we need to include? and that is what i love. focus on the outcome. sharing does not necessarily drive the process. the net supplier of cyber security information and net consumers of cyber security information, and most companies are on the downstream they have the demand for cyber security expertise but a lot of the companies are here palo alto semantic, microsoft the overall suppliers of information and they love to look at these more market-based solutions.

i am one of those people that thinks, that is a place for market. what can you do? have a couple hands joining in there. we we will come over here. >> chief security officer. two things. we should we should be careful not to be overly critical of the framework. a number of companies don't quite understand but it is clear the value as a risk analytic tool for global organizations and a translation engine so that global companies can compare apples and apples in contrast apples and oranges for they're global operations and suppliers. secondly i ask how we are leveraging the examples given earlier regarding the

defense industrial base framework agreement being expanded across the critical infrastructure foreclosed him ou information sharing and the training alliance for sharing among the major banks. how well are we leveraging to strengthen information sharing? >> using the framework. >> we use the framework as one of the risk analysis tools for understanding global operations and suppliers. >> thank you very much. so i mean michael talked about those concepts. i i don't know if i can go into more detail. certainly in terms of expanding we think it was successful in getting

information out to those who need it. >> thirty seconds. >> a signature is out they're that can be used. the defense industrial base contractors getting to them the signatures so that they can use it to protect themselves in a way that they don't even necessarily need to bring it to an individual company. we have a similar set of efforts going beyond critical infrastructure. it infrastructure. it has been more difficult to get the other sectors to use the same set of standards that we are planning on trying to get it out in a more comprehensive way in the near future. folks should look at how we go about expanding that. >> i we will take the last two questions from the audience. this gentleman hear.

>> hi. thanks. head of the cyber threat intelligence information sharing ecosystem project. you hit the nail on the head in a town where money is the answer, what is the question they're are net producers of information and that consumers of information and there is a bit of an air we will do all the work the government we will set up these information sharing groups yet economically it does not make economic sense know matter how much government might say you really should share. is they're kind of a focus on helping out or recognizing that they're is a reason why verizon has services that people pay for symantec has services people pay for

and so on? >> i we will start to get us warmed up. it is too bad. we try to keep our panel limited. there are a couple of other folks who would love to have on the panel. we would have loved to have someone from the help but also i would have loved someone involved in one of these companies that is set up to facilitate sharing identifying the space. been in this business, red sky alliance. been in this business and it would have been interesting to hear how they dive into this. you can look at crowd strike in releasing the information as part of identifying the market need.

and a targeted question which surprised me a little bit. when it comes to these cloud strike. in the mentioned cloud strike could set up one. that is interesting. that really bends the model. >> and that is what i imagine. is not the system you think of. an individual company could become. in the in the short term the advantage of that is that becoming they are saying, we follow a certain set of standards. the standard body is formed. general counsel knows what they are getting into.

so by automating it people can feel more comfortable because they know what it means. that is useful. obviously our legislative proposal has this other hook which says you get liability protection which gives them obviously another real advantage and then you might start seeing individual companies start saying we are following these rules. you get the liability protection. then you see different companies in different sectors. i think that level of complexity and change will affect the way people think about it but it is useful

for expanding the discussion in building trust. it turns out you have to get all these lawyers to sign off. there is no basic set of questions. we have to get to the. >> this is going to be interesting. we continue to move up the stack. the private sector intelligence has been largely antivirus vendors. going out and finding the signatures and publishing that as a part of the product. as we move up the stack and get more information and more interested in who is doing what and why i think that the things that private

sector intelligence organizations can do in the government can offer we will become more interesting, more dynamic and like anything, they're will be value in both. >> let me also add we have an audience of thinkers. we are searching for something as an analogy. and often the one that comes up as the weather system. we think because the weather system where is the snow? we can see something different, expecting something else. we think cyber works the same way. there is truth, all all we have to do is look at it?

but that is not how cyberspace works. we unfortunately get caught up in analogies where we think that because it is something like what we see it ought to behave like that when the sun comes out in seattle people stop what they are doing and run outside. when the sun comes out in miami they are like this is too hot. almost a different reaction. in the private sector world there is information that private companies can gather to to there observations of what they see in cyberspace. that is that is information they have developed, sense, can market and sell. they're are things that the government sees that might be more public in nature. i think it all works together. there is plenty of room for

the public side to infer and see things, plenty of space for the private sector to infer analyze, sell the information but this is the think -- the thinking question, what is the model? it is not atmospherics. that is what we like to look at. we need to develop a new model that comes together with this magical thing we call information sharing what we all do what we are best at and amplify with the private sector can do. maybe your think tank can answer that question. >> especially the funding. okay. last question.

>> hi. the department of defense. the government signatures were not necessarily not necessarily as valuable for the industry as we thought that they would be. we found that there are differences in vectors that come to industry and i i wonder if you have seen different vectors in different sectors so that they're is know one-size-fits-all. certainly they're are some but in other cases they are not. >> i think, i mean, yes and no or it depends. the vectors there is a short list of low hanging fruit that works pretty much anywhere.

shockingly effective in the last couple of years. we don't seem to have. in that way we are all kind of the same know matter what industry: what you are doing, what your line of interest is. but but from there it all changes. from they're it is then who and why. is your objective to embarrass infiltrate, steel and then based upon your sector and what your business looks like. but the initial vector, even if you look they have been reasonably foreseeable hazards. >> from that perspective the frustration was with the signatures, all threats come from the network and can be detected by this wall that we put up and if we can put

the right cards in place with the right filters we can make the bad galway. the threats come from all over the place, and they are holistic can we share? but back to the original thesis what we are sharing can we do something with it? i think that is the biggest lesson we're taking away. what do you share, what do we do with it? how do we action on it? they been doing pretty well and learning. >> i we will come to you.

enclosing our next cyber risk wednesday we will be on 18 march the 18th of march releasing a report we have done. >> the 13th and 14th of march. they're are competitions for university students. as if they are advising lisa monaco at the national security conference after a major cyber attack to invoke collective defense for nato. the 13th and 14th of

march looking for sponsorship positions. let's turn to final thoughts the cyber security policy, it's really a collective. so that means we need folks hear from all the different places moving these things forward at the same time. think about it. we want to to know what your thinking. i wish we could explore this more. i would love to get behavioral economists on this. the short-term there is a good chance i we will get

yelled at even though i no it is collective action. to me this is such a nudge problem. i would love to see more of in the field. >> i think you hit very close to the conundrum we have. when they grow up and get on social media they don't share. keep things private and then they become adults. what is sharing? and again socially connected

in a way that the amenity has never been done. bad things, good things. leverage the social media the cloud sourcing. we were out their last week. let's work on that together. >> jump in on that. when you don't perhaps another time. >> everyone on this panel a familiar face talking for literally 20 years. i am heartened that the sophistication of the conversation kind of chains

and i wonder where we are now were making progress were at a.where it is going to change and dramatically get better. i'm actually really excited. the cyber initiative. we have several months. to the great panels. [applause] [inaudible conversations]

>> that wraps up this atlantic council forum. today's event, it will be available shortly to view online anytime. join us later today. today we we will focus on fisk university and morehouse college. spokesman josh earnest. here is what he had to say. >> the president selected mr. joseph quincy to serve.

a 27 year year veteran of the agency and the former special agent in charge. the acting director since october 1 of last year. many of you will recall he stepped into that role at a rather difficult time for the agency. he has demonstrated what many of us expected him to demonstrate. based demonstrate. based on his long track record, a lot of credibility command he used it to put in place reforms that were recommended by this outside panel. so he has a lot of important work ahead of them but we are pleased that he has this

permanent appointment. >> more live programming. join us for a discussion of future women it is live at 530 eastern on our companion network. >> three nights of tech featuring the executives and innovators. >> it should be a bentley or something. he can be impoverished. >> here from insiders special presentation. >> the country in the world gdp growth, job

creation, inclusion of minorities, arabs by the way, the partner all the way through it.

>> next a panel examines the impact the world prices. prices. they discussed the reasons behind crude oil prices and what they mean for oil-producing nations. this is 90 minutes.

>> good morning. i am arthur herman, senior fellow at the hudson institute. i want to welcome you. our arctic conditions to come. also to welcome our c-span audience for what is the 1st of a series of seminars we will be doing hear at hudson on energy and national security. and i want to also at the same time welcome our panel of guests and experts who are going to talk to us today on the topic of the phenomenon over the last seven months which you see displayed graphically on our powerpoint slide.

the falling price of crude oil both in the case of the united states production wti index that you see hear and in terms of global prices talking about what that price decline, why it happens, what it means now, what it means in the future. good news bad news. the crude oil prices, this is in many ways an historic drop. ways that are important to think about. this has been not only an economic shakeup but in many ways a cultural shakeup. this falling oil prices

many people have come to realize this was a lesson in how those who deem themselves the prediction years of future energy prices and supplies that's an important economic lesson the ways in which one calculates the value. tricky business. the other lesson that comes out of this is it has jolted the american public out of some key assumptions that used to govern the way in which we got about energy. and is only going to get in the long term in the future. our guests are all going to

have views perhaps differing views about where oil prices are headed and where they are going but the one thing we have learned is the degree to which oil prices can go sharply down. a lot of america's attitudes and policies came at times from the sharp rises in energy and oil prices which forced important and sometimes even radical policy changes. now we may be looking at an environment in which sharp drops in oil prices force important possibly radical. the other big change which jolted americans, for so long the belief that america's days as a major energy producers were over.

spectators to what was going to take place in the forces that controlled and directed global energy prices. what has happened is focused our attention on the degree to which over the last decade the united states has been an emergent major energy producer. an emergence when producer from the.of view of shale, revolution, sale, oil, gas. the united states position once again. the world's biggest energy producer. enormous policy implications and we will be a subject that i distinguished drove to focus. >> the way it's jolted his to understanding the degree to which its energy, not money. controlling the sources but

only to promote economic growth but also to enhance national security and even to possibly deter national security that we will be exploring that i want to kick off. it's a panel of experts on the subject. i'll bring it to bear for you. important possibly even a story change. the 1st speaker we have is doug zigler. financial market economist

a former analyst for the canadian department of national defense. trust. trust me, if they're is anything about the candidate energy industry that he doesn't no, it's not knowledge. an ma from johns hopkins university, a student of the late great for water jambi. a keen understanding regard to energy policy and i'll add the festival. so we have with us someone who understands the importance of harmonious proportion in the musical sphere as well.

i want to welcome them and have them speak to you on the economic consequences of this historic oil price drop [inaudible conversations] >> good morning. i'm hear to talk to you today

>> >> pretty much to consistently since 2011 when the boom of u.s. oil production commenced. with a 1 billion barrels per day oil over the last three years 20 million only incremental barrels per day

this upsets the order of global crude prices but that our rich rice has grown to the point rand has become extreme. most believe this meant the united states would have an oil price advantage for the foreseeable future with a natural-gas price advantage. but no one thought precipitously on international oil prices. but what occurred over the last six or seven months was an increase of u.s. production and so what change? the first the mitt change was global oil supply. this shows that old line of the incremental increase of u.s. oil production and millions of barrels per day and then the bars asher b. unplanned shutdown of global

oil production of libya, iraq and what you see is a heightened geopolitical tension has the results of various developments associated with recent revolutions in the middle east caused unplanned shutdowns their production and that equaled or exceeded the increase of oil production. almost a race between the two and got to get ahead in 2014 when the prices start to decline very rapidly. that is one factor but quayle is also an asset. it is depreciating pretty much against any currency in the world for the last 78 months with changes and

actual monetary policy in other countries as interest-rate fall other places in the world as part of that interest-rate complex the u.s. dollar becomes more valuable. if you are european behalf of the exchange rate of 1.four year rose to the dollar now is 1.to even though oil prices have fallen but it has not by a commensurate amount but the drop of oil prices actually is a drop to the same degree in the united states. the final flight is there is the globe will commodities super cervical level kinds since pre-much 2006 and that to pick up given an

extraordinary way that coincided with global financial crisis that we're in the midst of a of financial world but we were exhibiting peculiar financial behavior and ramifications of the asset markets globally. because it is a very compelling story rising of china and india and commodity demands that allowed global investors with respect to investments to focus on the one that they believed in and commodity prices around the world to things happened since then. recently knock on wood the global economy has emerged from the european financial crisis is now over the

american financial crisis was over of 2009. and that type of economic behavior we're not used to seeing during the first five years we are now seeing good behavior and as a result of a broader spectrum that has limited the financial demands. but that cannot be proven statistically. the data that people are looking at past to do with the cause of the extraordinary increase of oil production. obviously there is an increase in u.s. drilling in the shale area and as prices have fallen some of the recent ups brewing -- upswing has been associated

with the weekly announcements of decline in the united states. that would tell you possibly american oil production starts to slow down looking at the efficiency is shown more efficient in a major way and that oil production per reagan is going up. but this points to the technological aspect of the u.s. increase of oil production. that has gone up because of a new technology to produce a real that it shows that the ultimate ability we are not yet aware of there are not oilwells that a seven for 10 years old. we don't know the actual decline rate for the most efficient shale oil production and we will find out because the global this

position of supply seems set they will reduce production to see what the american royal complex is able to do. i don't think it is a conspiracy but just uncertainty in the year in a period of tremendous price discovery which is one of my final remarks and a decline in oil prices. u.s. trade balance has been getting substantially narrower with respect to oil. the charts show petroleum products trade balance in nominal terms and in real terms and what you see in volume terms the u.s. is

importing fewer products and every year it -- than ever before it is a refining less crude and that is an important development from the economic standpoint and the results in the gdp numbers to look better and that mine is part of net exports and the trade balance is less sensitive to oil prices. however the trade balance remains pretty similar. i would say it is a north american phenomenon just not that u.s. produces more oil but canada and mexico mexico, canada of much more and mexico has level production based on the forms so this point to an integrated north american increase of production and

still that should be more stable. from u.s. consumer perspective edges shows a regression of the change of the oil price of the gdp taken up by spending on oil that is oil prices fall consumers have more money to spend is a social science demonstrating the obvious. the expense seems to be moderate. to have between 0.two is 0. four is not a game changer but it is a good thing. so i want to conclude with those remarks but leaves us with some questions and who the winners and losers are globally.

weld revenues in the essential mix of the budget that is not true for all countries with respect to russia and a variety of a larger exporting states in the middle east with the neighbors it can be an important mix of the tax revenue side of the counts. another side that bare spot is how long this can go on. if we're in a period of price discovery that no one can actually know. an important example of how free markets are supposed to operate with the new technology is invented new supply becomes online than we can discover the duration through price discovery in that period it means quality reject -- volatility then it is integral to save the

extent of which we can maintain efficiency in the u.s. oil complex. very few countries have ever seen oil production increased by 3 million barrels per day. summer unprecedented in the history of global oil production with respect to technology. this has been driven by the discovery of a new technology. with that in mind with a policy perspective we have as much technology as just one simple supply of oil reservoir. so we don't know where this will lead us to but we will be in it for some time. with a macro economic

benefits should be an important than persevering factor for the next little while and on the investment basis said technology needs to stop and i will conclude my remarks there. >> thanks. i was thinking of someone who could speak to the panel of the fall of the oil prices, the big picture and how it shapes and will shape the paul energy picture and the of global economies. an is a seasoned c-span veteran, and speaks around

us country on energy issues and co-director of the institute for analysis of global security and is co-author of three books of the energy security challenges of the 21st century, a collapse of america's energy security paradigm, and treating oil into salt, energy independence through fuelled choice. also a member the energy security council. including t. boone pickens secretary of state shultz, former governor and

department of homeland security tom ridge and former secretary to the navy and other assorted washington heavyweights. and it is my great pleasure to introduce you and present to you and. >> i am glad to be here. and going to talk about where we were and where we are and where we are headed and what type of black swan many to consider as we think of the oil market and the impact of the oil strategic importance on the call will economy. we may think prices are low by now but if we go back through 2001 think before september 11 it was under

$30. so they are really not that low right now just in relation to $147 a barrel oil and $100 while. and it is important to understand what happens in the united states in terms of shale oil production in this fantastic to be encouraged of every way that may support the exploratory activity but it is not enough to be in game changer over the long term with the way a market. because and that is still dominated by the opec cartel - - cartel. this will give you a thought exercise. despite what we see today

going back to 1973 global population was around 2 billion to 87 billion global gdp since the 1973 has increased by a factor of 14, 250 million cars on the road then and 1 billion today. global demand with 55 million barrels a day now is 88 million barrels a day to day. bulblet get opec production in 1973 and what it is today we are in for a large shop because it sits on 72 percent of the oil reserves which is the cheapest to produce the yet in 1973 produced 30 billion barrels per day you would suspect with the massive growth of population and gdp that opec production

would have increased? today it is 28 million barrels per day is the fundamental story of his has not increased and it is obvious because opec countries can substantial budgetary obligations and the input into their income is energy sales so they have to maintain a particular price to balance their budget. the might of the alleged price is drop? today's saudi arabia produces 9 million barrels per day. was the third is consumed domestically. more heavily because it is more heavily subsidized. that leaves 6 million for the export market at $58 a

barrel making 50 million barrels a day would if you decided to cut production by 3 million barrels per day that will lead offset what we have seen. go down to 3 million barrels per day does anybody think that prices would not go back up? will over $100 to let's be conservative making exactly the same amount of money so if that's the case so why haven't they been cutting production? then we see possible reasons

similar tuesday's shift from the electricity sector that uses a large portion to generate electricity and uses less than 1% of what is generated from oil we see that the saudis dropped the oil price in order to undercut the competition. but there remains to be seen what it economics and shale production in look-alike and how much will be knocked off the market at low prices. but as the side benefit to a weakening of iran and hurting russia with the conflict between the city

and though she had but also high sulphur wailes paula dash wheel and it is dedicated to processing is not the same refineries to the light sweet crude that is produced in the shale sector for the most part. if you offer this to asian consumers and large so they are beholden to your type of whale and they build refineries specifically dedicated. so it makes sense to keep the lower right now because it builds up refinery capacity with the sulfur rich oil then you try to guarantee the market down

the road when you put on the brakes to send the price back up. thinking about supply and demand side there other factors you think about that people don't like to consider that is the saudis and friends in the gulf have created a monster. by funding radical islam throughout the world they have now created a cancerous growth in the middle east that has turned on its creators. to funnel they anger and aggression to be controlled by a the population they see is frivolous.

through fanaticism and analysts -- also other related groups just because to put a label on it does not mean it is the only group. idle see any difference between those that be headed daniel pearl and those that be headed -- and slaughtered in cold blood. and the jordanian royal air force pilot. those who are willing to do this and fly airplanes and into buildings and murder people surely they would have been willing to murder more. if they get tarpans -- there he and to have the capacity to murder millions do you think they would all get it?

the answer is clearly no. and as a lot to do with the oil market because at the end of the day two-thirds of reserves it in the middle east the cheapest to lifting and produce. slowly but surely we see a conflict raging out-of-control with isis gaining popularity and an enemy that cannot be negotiated with are contained and only destroyed and we don't necessarily see a desire or willingness among the powers that our capable of doing that. to have so many dangerous

factors that impact the future stability to continue producing oil for the rest of the world even though they do not necessarily import a great deal on the middle east we have been reliant on that day and the black liquid itself. in its history we have never imported more than 15 percent at one time from the middle east. but it has determined to the price of oil whether a $50 price of $100.150 price. if we get to a situation and that iran did said nuclear-weapons are the saudis gets one off the shelf there will not

tolerate having that shia power in their vicinity well they do not and if we do not think about what that means with the non state actors to get their hands of those types of weapons and what that means to the global economy at large the we are being very shortsighted. so where are we going for word? it is not a pleasant vision vision, i know but it is important to consider how the united states states, europe, asia can utilize the energy resources that the globe has in abundance to make oil a much less strategic commodity to make these type of unexpected blacks one defense -- swan yvette to

make ideal -- oils by very high valley can inoculate ourselves to a region that we simply cannot control or stabilize. the matter how much we contribute to the effort. but that derives from its virtual monopoly from transportation fuel. the fact that almost all transportation fuel is petroleum based means when oil prices spike moving people and goods from one place to another becomes very much more expensive so everything we consume becomes more expensive.

so like years ago rand salt was a strategic commodity the only way to preserve food because countries fought over salted it placed collodi's based on that. today oil is a strategic commodity because it has a monopoly over transportation fuel but unfortunately for us it is married to the opec cartel even though opec has suppressed its capacity to the point is less than one-third of global production, if we think about what happened if it was exxon rbd sitting on reserves does anybody think prices would be at $50 a barrel? with they constrain the production? no. it would be an antitrust action.

prices would be 15 or $10 a barrel or lower. assuming that the opec countries are not lying about their reserves. we don't know but if that is what they claim there is no excuse for constraining capacity to that point except of course, something that is perfectly rational for them to do to maximize the revenue prospect for the regime's now and in the future with periodic drops of price to kick the competitors out of the market. because opec has a collective acts as a monopoly in the oil market and that has a monopoly over transportation fuel, opec acts as a monopoly in the fuel market what we need to

do is destroy that position in the global transportation fuel market. that is fantastic with benefits to the local economy but it is time enough to keep fuel down in the long term manner. but if we open it to fuels from coal, natural gas, biomass and other resources so it could be an arbitrage against oil with a sufficient capacity expansion made from non petroleum resources to where we get a situation that is compotation over the market share it with dry fuel costs down in a sustainable long-term manner that would make a global economy able to withstand the craziness in different parts of the world.