
Key Capitol Hill Hearings, CSPAN, February 20, 2015, 10:00am-12:01pm EST

10:00 am
y production, particularly on GDP or unemployment, and secondly, has inequality increased under this president? The New York Times wrote the other day that it had not, but they also noted that higher-income Americans have still benefited the most from growth since the recession. >> Uh-huh. Thanks for your questions. On page 253, figure 6-10 is the contribution of oil and natural gas production to GDP growth through 2014, and it shows that through 2008 it was basically making a contribution rounded to zero. ..
10:01 am
inequality. If you look at what actually happened to people, a lot of what matters is their after-tax income, and we've had substantial tax cuts for middle-class families, made tax cuts permanent that are worth thousands of dollars a year, had additional tax cuts in areas like the EITC and child tax credit, and on top of that you have the Affordable Care Act. When you take all that into
10:02 am
account, the policies of this administration have substantially reduced income inequality relative to what you otherwise would have had. In terms of the underlying trend in the economy, I think the challenge is with the dynamics of technology, education, globalization, institutional changes, the declining value of the minimum wage. All of those factors, I think, are continuing, you know, to create an underlying challenge to inequality, and that's why we're proposing all the steps we are, from the minimum wage to education to shaping globalization in terms that are good for American workers and the American economy. >> The Federal Reserve is currently debating its first interest rate increase since the
10:03 am
crisis. Without asking you to move onto their turf, what are some of the takeaways from the economic report that the Fed should be thinking about? >> The economic report doesn't have a lot of takeaways about that; what we should be thinking about is investing in infrastructure, investing in education, community college, minimum wage. That's what our focus is: what we can do to strengthen the economy. >> But nice try. Mike Dorning from Bloomberg. >> This is more of a descriptive economy question rather than a policy question, but we usually think of business -- >> Also invest in infrastructure. >> We usually think of business cycles not just in terms of the aggregate changes in output and employment but as kind of a story of a changing, adjusting,
10:04 am
evolving economy. In the '80s it might've been the move away from manufacturing; in the '90s, finally making productivity gains from technology. Other than the ups and downs of the economy and the very well reported, very much discussed impact of fracking and increased domestic energy production on the U.S. economy, what do you see since December 2007, when this current recession started? What's been the big change, the adjustment in the economy? It hasn't been less investment in finance. The last time I read through the GDP table, finance was just as big a part of GDP as it was before the recession. >> I think there are two parts to thinking about that. The overwhelming trend has been what's going on with demand, aggregate demand. Just a massive demand shortfall in 2008 and 2009 and then
10:05 am
climbing ourselves out of that demand shortfall over the last couple of years. And if you look at how we climbed out of that, the first phase was things like the Recovery Act and fiscal extension. Then housing started growing very quickly, and then the consumer has been the last phase of that, over the last year or two. That's the big move, but underneath that, I think there have been three broad trends. One is energy, what we see both in producing more oil and natural gas and renewables, but also using less oil and energy overall; that's one big trend. And we just talked about how that is directly adding to GDP growth. The second big trend is a dramatic slowdown in cost growth in health care, which is now growing at the lowest rate it's grown in 50 years.
10:06 am
Health CPI is growing at the same pace as CPI, which is a shocking development relative to what we've had for decades, and premiums that have tied for the lowest in 10 years. That's the second big element, and I think that one is actually less appreciated than it should be. And then the third is in technology, and really cloud computing combined with mobile devices, and what that unleashes in terms of productivity, together with advances in areas like nanotechnology and life sciences and personalized medicine. So I think, you know, the big moves we've seen have been the demand movements, and that has mostly worked its way through the system. I think it will be increasingly clear that these three trends, energy, health and technology, have been three of the most
10:07 am
important in the last couple of years and going forward. >> We are going to go to Mark Trumbull, who hasn't had one, and then if we have time we will start going to people who have had one. >> You mentioned at the beginning those three areas that have helped the middle class do better, then you just mentioned the idea that the forces that have been driving inequality may still be in place, technology and so forth. And I wonder if you could comment on how confident you are that if your policy proposals were put in place, we would really bend the curve, if you will, to get the middle class on a rising prosperity path? Or do you see a real risk that you could do all these things and we would still be on a tough path? And what additional steps might be needed? And as kind of a side issue on that, how big a role could just
10:08 am
educating our workforce better play, how big a role could that play? >> So first of all, I don't want people to lose sight of the big picture. The unemployment rate is coming down so much; we've seen real wage growth in 2013 and 2014. And I suspect we'll see even stronger family income growth because more families, more people have jobs. It's not just higher wages but people having jobs, and continuing that will help. But dealing with the deeper underlying trends: part of the increase in inequality since the '70s has been a disconnect, in that technology has favored skills, but education hasn't kept pace. In the '50s and '60s, with the G.I. Bill and steps like that, we were really increasing the educational attainment of our workforce. It's still increasing, but it is
10:09 am
increasing at a slower pace than it was then. The steps we have proposed, which start with preschool and include two years of community college, to make that available for everyone, would be a big step to increase educational attainment. When you increase the supply of educated workers, more people can take advantage of those technological developments I was talking about. That's one of the things that could reduce inequality. Another thing is institutional changes: the real value of the minimum wage today is lower than it was in the 1960s, and reversing that and raising the minimum wage would result in wage increases for tens of millions of workers, and would be another step that would reduce inequality. But if you look at the president's tax plan: child care, earned income tax credit, college, secondary
10:10 am
earner, those are partly designed to raise after-tax incomes by cutting taxes for middle-class families and families working to get to the middle class. They're also designed to encourage more people to want to work, to enable them to work, to enable them to go to college and get more skills, and would reduce inequality in before-tax incomes as well. So the president put forward a pretty aggressive agenda in this regard that would certainly reduce inequality and increase middle-class income. [inaudible] >> On the optimistic side versus sort of secular stagnation and tough times for the middle class? >> Secular stagnation is a whole other theory, and all I would say is it's hard to look at the growth of the economy over the past year and find a whole lot of support for that thesis in the context of the United States. >> Anybody who hasn't had one who has a two-minute question? If not we will go -- I'm sorry, go right ahead.
10:11 am
>> Follow-up question on business tax reform, if I may. Could you talk a little bit about the challenges that you face? I've heard from congressional Republicans, namely addressing how do you negotiate, or how do you navigate from a policy perspective, the differences between, really, the individual tax code, between you and the Obama administration and Republicans, as it applies to the number of companies that file for -- [inaudible] >> One of the central principles of the president's approach to business tax reform is that it is about all businesses, and in particular for small businesses it would cut their taxes and simplify their taxes. And there are a lot of ways to cut and simplify taxes for small businesses, including small pass-throughs, that don't require changing the individual rates. So you could, for example,
10:12 am
expand section 179 expensing. The president is proposing $1 million, so more generous than what they have floated. You can switch to cash accounting, which would both simplify and cut taxes. So if the goal is to help small business, help small pass-throughs, that is something we can very much achieve. If the goal is to cut taxes for high-income households, that's not an area where you're going to find any agreement. And a lot of proposals to cut the individual rate at least have that effect, if not that motivation. And to the degree that's what the desire is, if the goal is to help businesses, including small businesses and small pass-throughs, there is complete agreement on that, and a lot of ways we can do that through the business tax code itself without
10:13 am
needing to touch the individual rate. [inaudible] >> Is that more of a tricky area? >> You were talking about large businesses? >> Yes. >> The goal of tax reform, when it comes to larger businesses, is to have a more neutral tax system, a tax system that is not distorting investment decisions and that is encouraging more investment here in the United States, and that goal would be the same for large C corps and large pass-throughs. >> Thank you for -- thank you for the fascinating tour of the horizon. >> Okay. >> [inaudible conversations]
10:14 am
>> Today on C-SPAN2, the Washington Institute for Near East Policy hosts a discussion about how ISIS recruits foreign fighters. Participants include the European Union's counterterrorism coordinator and the U.S. general who oversaw detainee operations in Iraq. Watch it live at noon Eastern here on C-SPAN2. >> The C-SPAN Cities Tour takes BookTV and American History TV on the road, traveling to U.S. cities to learn about their history and literary life. This weekend we partnered with Time Warner Cable for a visit to Greensboro, North Carolina. >> And after months and months of cleaning the house, Charles Halpern, who was given the task, was making one more walk-through, and in the attic he looked over and he saw an envelope with kind of a green seal on it and walked over and noticed that it was an 1832
10:15 am
document. He removed a single nail from a panel in an upstairs room at the Grove and discovered a trunk, books and portraits stuffed up under the eaves, and this was his treasure of Dolley Madison's things. We've had this story available to the public, displaying different items from time to time, but trying to include her life story from her birth to her death in 1849. Some of the items that we currently have on display: a calling card case that has a card enclosed with her signature as well as that of her niece, Anna; some small cut-glass perfume bottles; and a pair of silk slippers that have tiny little ribbons that tie across the arch of her foot. And the two dresses are the reproduction
10:16 am
of a silk gown that she wore early in life and a red velvet gown, which is intriguing both in that it has lasted and is part of this collection, and there's also a legend that accompanies this dress. >> Watch all of our events from Greensboro Saturday at noon Eastern on C-SPAN2's BookTV and Sunday afternoon at two on American History TV on C-SPAN3. >> C-SPAN2, providing live coverage of U.S. Senate floor proceedings and key public policy events, and every weekend BookTV, now for 15 years the only television network devoted to nonfiction books and authors. C-SPAN2, created by the cable TV industry and brought to you as a public service by your local cable or satellite provider. Watch us in HD, like us on Facebook and follow us on Twitter.
10:17 am
>> White House cybersecurity coordinator Michael Daniel oversees federal agencies' defenses against computer network attacks and directs partnerships with private companies to protect network security. On Wednesday he discussed a White House initiative on computer security information sharing between the private sector and government agencies. Following his remarks at the Atlantic Council, a panel of computer security experts discussed the White House initiatives. This is an hour and 45 minutes. >> [inaudible conversations] >> Welcome, good afternoon, everyone, and thank you for
10:18 am
coming. I'm Barry Pavel, the director of the Brent Scowcroft Center on International Security here at the Atlantic Council, and in the Brent Scowcroft Center is our brilliant director of the Cyber Statecraft Initiative, Jason Healey, who you'll hear more from later. Welcome to this event on breaking the cyber information sharing logjam. You see the publication out there for your reference. This afternoon's event will be a moderated discussion on the challenges that limit cyber information sharing, the administration's recent proposals to address those gaps, and the exemplary sharing that was evident in the identification and remediation of the recently disclosed vulnerability. This event is part of our Cyber Risk Wednesday series, which is our monthly speaker series designed to bring cyber experts from government, from industry, together with policymakers to examine topics at the core of the Cyber Statecraft Initiative
10:19 am
here, in particular its core mission of building a sustainable cyberspace. Today's event is quite timely, as I am sure most of you know. Just last Friday President Obama visited Silicon Valley to sign an executive order that will encourage and promote the sharing of cybersecurity threat information between the private sector and the federal government. Rapid information sharing is clearly an essential element of effective cybersecurity because it ensures that U.S. companies work together to respond to threats rather than operating alone without any collaboration. The executive order lays out a framework for expanded information sharing designed to help companies collaborate with the federal government to quickly identify and protect against cyber threats. So from removing barriers to improve the delivery of timely and relevant intelligence to the private sector, to renewed interest in passing much-needed legislation, this year, 2015, is really shaping up to be an
10:20 am
incredible year for improved cyber collaboration across the public and private sectors. We at the Atlantic Council pay special attention to the role that information plays in defending against the expansive list of cyber challenges that face us all. In August and December last year, Jay Healey, who was at Stanford Friday for the president's event, convened a panel of experts here at the Council for a closed-door discussion about the challenges and opportunities for increased cyber sharing, cyber information sharing. Today's event and the publication that is out there, which was just released this morning, emanate directly from those discussions towards the end of 2014. In the interest of information sharing, it seemed a bit disingenuous to keep the lessons learned from those private sessions close to the vest for very long. And so I'm pleased that we're able to host this public
10:21 am
discussion today on this important topic, featuring representatives from all of the relevant sectors. With us this afternoon is a very distinguished group of experts, all well versed in the real-world nuances of the challenges and potential of cyber information sharing. Delivering opening remarks, we are very pleased to have Michael Daniel, special assistant to the president and cybersecurity coordinator at the White House. Thanks very much for coming, Michael, and good to see you again. As the lead for cyber issues on the National Security Council staff, Mr. Daniel leads the interagency development of national cybersecurity strategy and policy and oversees the implementation of those policies across the federal government, and in this world implementation is really everything. We were discussing that a little bit before this event. In addition to the public sector focus, Mr. Daniel ensures that the federal government is effectively partnering with the private sector, with nongovernmental organizations and with a wide range of foreign
10:22 am
governments around the world. Prior to joining the NSC, Mr. Daniel served 17 years with the Office of Management and Budget, a very impressive and distinguished length of tenure, including from September 2001 to June 2012, when he served as the chief of OMB's intelligence branch, national security division, as a career Senior Executive Service member. So not surprisingly we are very much looking forward to hearing from Mr. Daniel today on the president's initiative as we work towards a better understanding of the administration's efforts to enhance cyber information sharing. I have talked way too long, so let me pass the floor to Mr. Daniel. Thank you very much. [applause] >> Thank you, Barry. So last week when we were out in California, we, both Lisa, my boss, the president, were all able to make remarks about how happy we were to be there with the weather and everything else, and
10:23 am
I'm wondering why I left Stanford, where it was like 75 degrees. So I like, I very much like the title of this particular event, breaking the information sharing logjam, because it sort of implies that behind the logjam there's this whole vast amount of information that's waiting to be shared. And so I think that that's actually now true. Several years ago that might not have in fact been the case, but now I think that we are in a position where we do have a lot more information that could be shared, that could be relevant to what we are doing. Some of us have been talking about information sharing for quite some period of time. In fact, I see some people in the audience that I know are almost sick of talking about information sharing, given they've been talking about it for so long, and I think Jay said there are
10:24 am
200 RSVPs for this, so that means there are at least 250 opinions on what information sharing actually is. So I'm going to tell you a little bit about what we are trying to do from the administration side in terms of getting to some concrete solutions on improving the amount of information sharing that goes on in relation to cybersecurity, and then hopefully set up the panel by talking about some of the reasons why we want to do that information sharing. You know, information sharing has been a pretty consistent theme for this administration from the beginning. But just over the last few weeks we've had several big announcements, including the announcement of the Cyber Threat Intelligence Integration Center, the cyber summit that happened last week, and then the information sharing and analysis organization executive order that the president signed at that summit. So let me go over some of those and then kind of set it up for
10:25 am
the panel. So last week Lisa Monaco announced that we would be developing a Cyber Threat Intelligence Integration Center, our CTIIC. We are sticking with that acronym pronunciation for right now. But really it is designed to fill in a particular gap, a particular series of gaps that we have seen on the administration side. It's not meant or intended to compete with existing centers. In fact, it's actually designed to make their lives better. It's designed specifically to enable them to achieve their missions more effectively. So what is the CTIIC supposed to do? The CTIIC is supposed to provide the integrated all-source analysis of what we know about cyber threats, particularly foreign cyber threats. Who are they? What are their motivations?
10:26 am
What is the context in which they are carrying out their activities? How is it that we can begin to develop defenses against them based on what we know about who they are and what they're trying to achieve? It is really designed to make sure that the existing centers, the National Cybersecurity and Communications Integration Center at DHS, the National Cyber Investigative Joint Task Force, Cyber Command and others, get the information that they need in order to do their job, that they're getting the access to the intelligence that they need. So in many ways you can sort of draw the parallel to what we did in creating the National Counterterrorism Center after 9/11. I'm always hesitant to sort of raise that parallel directly, because instantly everybody's mind thinks I am intending to push forward in building Liberty Crossing Three, which is really not what we're trying to do. The CTIIC is supposed to be a
10:27 am
much smaller, leaner organization that will rely on the existing centers. And so really the CTIIC is about the government getting its back-end wiring in better shape for information sharing, not about interfacing with the private sector. That's the NCCIC's and law enforcement's job. It's not about sort of directly supporting and interacting with the private sector. It's about enabling the government to do a better job in incident management and incident response. So that was on Tuesday. So then by Friday we had the cybersecurity summit last week. And despite the fact that it was on Friday the 13th, all the way out in California, it actually went off pretty much without a hitch, which was rather amazing given the amount of time we had to put the event together. And the summit brought together government and private sector experts from across the
10:28 am
country to expand the dialogue on these issues. And one of the points that both Lisa and the president hit on at the summit, and one that I've spoken on before, is that cybersecurity really is a shared responsibility between the government and the private sector. There is almost no other issue in the national security and economic security space that is shared in that same manner. If you think about a lot of the other missions that have a national security focus, counterterrorism, border security and other things, those are very much government responsibilities and government has the lead. But in cybersecurity that's just not true. The vast majority of not just our critical infrastructure but networks in this country are owned and operated by the private sector. The private sector is the repository of much of the information about what is actually going on in cyberspace.
10:29 am
And given the nature of cyberspace and how it functions, the very physics and math that underlie a network like that mean that we can't simply assign the responsibility of cybersecurity to the federal government, or to any government agency, whether you're talking state, local or at the federal level. That's why the private sector will always have to be involved here, and that means that we are having to chart some new ways of doing business in this country, new ways of interacting between the government and the private sector that don't fall neatly into the traditional regulatory or contractual categories we've had. So as a result we are struggling in many ways to figure out what those are going to be. And I think what you're seeing in the policy process, and what makes this part of the policy process so interesting and fascinating to me, is we are building those relationships right now. ..
10:30 am
which made them quite happy, to be compared to the Rosetta Stone. And finally, at the summit the president signed a new executive order to include, to
10:31 am
encourage the expansion of information sharing in the private sector. Let me hit on a few things. It encourages organizations to form information sharing and analysis organizations, ISAOs. We have to make it into an acronym; I don't know how to do it otherwise. They were created in the Homeland Security Act, but we haven't used the term much. We will hear Mark Sachs talk from the perspective today of the ISACs, the very important and key form of ISAO, and that will continue to improve. But we envision the ISAO as being broader than that, and the concept builds in not only national-level sharing in industry groups like ISACs but also other types of
10:32 am
groups, such as a geographic region like the Bay Area Council, or one that is temporary, based on a particular threat, like a working group, individual companies that facilitate sharing among their customers like Symantec, and public-private partnerships like the National Cyber-Forensics and Training Alliance in Pittsburgh. So it calls for the creation of a baseline for these ISAOs. So DHS will fund a private sector nonprofit to develop the baseline, and the baseline will be developed in a multi-stakeholder process with the private sector, and it will enable ISAOs to demonstrate they will handle responsibly the information that they are being called upon to share. Part of the reason for doing this expansion of the concept is so that we can broaden what is possible in the information sharing space as much as we can, because we believe it is such a
10:33 am
foundational capability that we need to have that basis and foundation be as broad as possible. It clarifies the ability to enter an agreement with ISAOs. ISAOs don't have to share with the federal government; in fact we hope that many of them will focus on private sector sharing. ISAOs that do share don't have to share with the NCCIC, although we do expect many will. But the EO makes it clear that they can share what they want. Now, tied to the legislative proposal that the administration made, we highlighted the fact that in our proposal we would have tied the liability protection to the ISAOs, which is another reason why we proceeded with the executive order, so that it would be clear what they were going to be if they were going to get that protection.
10:34 am
We felt that was a necessary step. It also streamlines the process for private sector entities to access classified cyber threat information. So that is rather obscure, because it addresses the National Industrial Security Program; essentially, as it is written, it is completely inexplicable. What it essentially does is modify the previous EO to make it easier for the government to proceed with granting clearances to people who are in the private sector, and enables us to avoid some of the overhead that we have been struggling with. So ISAOs don't need to have this, but if they want that capability, and we've heard from many that that is a capability they would like, it's something that we wanted to provide. So one of the things that I hope the conversation can go forward with today is a deeper
10:35 am
discussion on the ends that we are trying to achieve. Information sharing in and of itself is not the end. We don't want to just be sharing information for the sake of sharing information. We want to achieve something with that, and I think that part of the way to break the logjam is by focusing on some of the outcomes that we want to achieve and debating whether or not those are actually the policy ends that we want to get to. So, for example, if we want to create the concept of a cyber weather map, something that Phyllis over at DHS has talked about and promoted, if that is our policy goal, and one that we at the White House support, that necessitates one kind of information sharing, and we should explore what kind of information we need to be sharing to make that real and what the legal and policy implications of that are. If we want to build a public health service for cyberspace,
10:36 am
then we need a different kind of sharing to occur. If we want to be able to develop defenses so they can move at the speed the bad guys move, and undermine the economic business models they are using, that's another kind of information sharing. So I think that we need to be working through these various end states that we are trying to achieve and really get down to a very detailed level of discussion of the kinds of information, literally down to the field level almost, of saying here are the pieces of information we want to share and what are the actual policy and legal ramifications of that. And I suspect when we do that we will find that the limitations are much less than we are actually afraid of when
10:37 am
we are talking here at the abstract level. So I'm very much looking forward to continuing the momentum coming out of the summit, and I'm very excited about all the different lines of policy effort we have ongoing right now. There is a lot going on in this space, and we have the opportunity to make some excellent progress here in 2015. I look forward to the rest of the discussion, and I hope that the panel goes well. Thank you very much. [applause] >> Thank you very much, Michael, and everyone for joining. I'm Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council. It's good to see so many faces here.
10:38 am
So Cyber Wednesday is part of a series. It's usually every third Wednesday, and it is just meant for this: a deeper dive into cyber topics than we might normally get at a think tank event, and also the chance to network afterwards. We can continue the conversation, as it happens all too often that we will start something interesting here and then we never get a chance to finish it. Hopefully we will see you at the next Cyber Wednesday, which will be on the 18th of March, to look at the healthcare internet of things and how we can secure all these medical devices like pacemakers, insulin pumps, hospital equipment, and make sure that we have the benefit of the project we have been doing with McAfee. To continue the conversation on information sharing, another senior director at the White House working with the ISACs and
10:39 am
information sharing. Also a longtime friend and one of our nonresident senior fellows here, Jeff Schmidt, who has not only been involved in a lot of the information sharing over the years, but whose company also recently discovered the vulnerability that was patched last week. There was information sharing that went on with the vendor. Some of you might not have heard about it, and that's a good thing. It was potentially bad, but it got taken care of between the discoverers and the vendor to make sure that it wouldn't be as significant a problem as some of the other vulnerabilities that hit the
10:40 am
internet. We will talk for a couple minutes here and then go to questions and answers from the audience. So, anything further you would like to add? And second, what do you think is maybe more important over time in information sharing with the government? >> We feel as though there are different kinds of information sharing, and people tend to lump them all together and think about it as getting government information out to the private sector. That's one kind of information sharing. We have the executive order that came out two years ago on critical infrastructure, which kind of shifted the presumption to that information should be shared, and we try to get that out. We think that made a difference in getting out more information from the government to the
10:41 am
private sector and we heard good things about that effort. one area that was sort of tied up and got held back is in terms of getting the companies cleared to get the remaining classified information. >> if the fbi or the community found information about the companies that have been hacked from whatever sources they had come at the presumption, the default is they would tell the company. >> has changed two years ago and 13363 for those of you looking at home. the change in that regard. the new executive order one thing it will do is make it so that we can make it easier to clear the nondefense contractors one thing that we found is a lot of the rules for the clearances
10:42 am
have been written for the defense contractors specifically and what we are trying to share with critical infrastructure companies we are making efforts in that way to share with them so i guess basically i'm saying that in that space sharing the government private sector we are taking efforts in that and we have private sharing as well. that's an effort we are trying to promote as well to try to expand that executive order that was signed and focuses on that in a new way by promoting the information sharing standards and we are getting the standards to share more information across the board and create this idea of isaos and promoting the ideas to share private to private. it's extremely important. there's another piece which is private sector to government. if we are going to get them to
10:43 am
see the threats that are out there and the incidences that are happening, the government is a place that can help do that across all the different sectors. obviously the government has its own threat so they can tie that information. there we hear from the private sector to the government but the biggest barriers are the ones that can be achieved through legislation. so there we are focused on the legislation passing. we also have government to government sharing. let's start with the federal government of their we have the intelligence they need to do a better job of giving the analyst is. he's not necessarily sharing the intelligence but being able to do the analysis. then you also have the sharing that needs to happen. we've done a good job of increasing among the centers and on the agencies now it's about having the analysis so we have
10:44 am
these different kinds of sharing and the competition is the better it is equally important. we are trying to come up with policy solutions to figure out where the barriers are and get the policy answers to solve those. >> it seemed like that was getting done in the white house and so you are taking a lot of things who is seeing what, what part of the animal is this we are looking at and it sounds like this is now pushing it out of the room so that you can focus on the bigger policy. >> we have come to this point that they have different viewpoints here and none of them have a full picture. the question is who can do that analysis. today that is not their job and
10:45 am
we need to be able to find a place where this can happen. the threats for national intelligence was created for those kind of intelligence cases so that seemed like the logical place to move this forward. >> how do you know if you have succeeded? we will have a new president in a couple years and that president is going to bring in their team and they are going to sit back and say have we broken the logjam, how is this stuff working? >> that is the high bar. we have all these areas we've been talking about and information sharing where you have a conversation and realize you are talking about two different kinds of information sharing in the same vocabulary, so if we can move past that and get down to the very specific
10:46 am
issues we can figure out the legislation that needs to be passed and separate the issues that needed to be done to promote the private sharing to get the standards in place for those we would be in a much better place. >> and that concept you are focusing on the private side and i heard people that focus on the government has been to be involved in the solution the information has to come from the government and i am pleased it sounds like you're taking that out. >> some people focused on the idea that we are not talking about the government we are talking about private sector organizations and it needs to be the larger entities. >> something michael talked about that we featured in the paper was focusing on the outcomes and if we focus on the outcomes then you say who needs
10:47 am
what information to take what action and when you look at those outcomes that isn't always critical in those and you've been at the center of a lot of these outcomes in the favorable outcomes here. when you are looking at the news to come out with your experience >> thanks for being here. before i answer that question what should you do to figure out the number you need to express that way it will designate with everybody else whatever the sequence is that will be interesting. >> if it is mentioned you will know that you have reached the right audience.
10:48 am
how do you know things are working if they are beginning to adopt and quitting those who you think are the adversaries if you begin to see in their discussions and literature and communications that they are talking about it isn't even adopting the same sort of principles that means you are connecting and it isn't just the washington centric those that feel like we are in a little bubble doing it. but isac we appreciate the history lesson that you put inside dating back to 1998 so we are talking 16 or 17 years of information sharing which is very powerful. part of the gap we have recognized is there are parts of the american economy that don't line up in the sectors particularly in the emerging high-tech communities and crowd sourcing communities but where exactly do you put the search engine for example so the
10:49 am
benefit of bringing the new thinking and ways of doing is very powerful but we also recognize and i think a lot of information in terms of how you run the isac is going to be valuable as we create these new organizations. >> as you've been involved with this over the years what have you found that have been the most important lessons and steps? >> we all needed to serve our time and then walk away and let others serve. i think it is really clear, let me back up a little bit your paper hits on a lot of good observations. sharing just for the sake of
10:50 am
sharing doesn't get us anywhere. when you start sharing between the organizations that can do anything about it you begin to hit a stride and there are a lot of people that want to share and i realize the situational awareness is important but there the strength and sharing those that can take action and so if you have small groups of people or large groups of people talking to each other which they do that is very powerful. if there's an expectation there is an expectation for those groups that can actually do things they then have to also inform others who are just observers that distract from the time they are pushing dot to say we can find somebody to bring that information out but the focus needs to be the amplified focus on making sure those who can't take action are the ones who are sharing and communicating the best. and yes there is room for improvement. so again i think i appreciate
10:51 am
what you have in the paper because it recognizes the challenges and the strengths that we are sharing at a level about those who can do things, but that isn't necessarily visible to everybody else but it is a bit of a challenge how we make that known to others and also how do we amplify and make better the process among those that can take the action. >> we had a quote from one of our senior fellows of life share information essentially some people have their hands on the levels and other people have their hands on the levers that are not connected. >> even at the individual level you appreciate when someone tells you something that is happening so you can do something about it. it doesn't necessarily cause you to do things and that's nice but you don't absorb it. it's those things you pull that cause a reaction so if you're using one of the many crowd
10:52 am
sourcing operations on your mobile phone that tells you where the traffic conditions are you can see if there's a problem coming up you can take a detour and go around it. we love to share but we love to share things that can help. the rest of the information while it's out there is that the individuals we tend not to pay so much attention to, so again it's important in the cyber sharing that we be careful that we are focusing on what is actionable and who we are giving it to that can do something with it. versus just tossing it out there and there it lies. >> washington, d.c. doesn't fully understand how many nonstate groups are out actually sharing and fixing things today. we mentioned some of them in there that in the paper we say
10:53 am
the best information sharing seems to happen with the groups that are actually fixing things, that are focused on actual outcomes and to me the classic model is national communication system. please walk us through that. >> it is the international system. it's a result of what happened in the cuban missile crisis. they are not really sure whether the president is to get the cabinet altogether once. look at some of the orders president kennedy creates this whole concept.
10:54 am
they had global communications and things that can support the president, but that thinking was back in the early 60s. we were talking about the same concept we are wrestling with today in a different era but bring that forward to 2015 the threats are certainly changing but we still have the national threat against the country and existence that we have to have the continuity. that is still very much built into what the federal government is. the private sector supports up to the companies that communicate and provide hardware, software and allow them to work together with those decision makers form the backbone of the national communication systems and all americans benefit from that. our own interactions --
10:55 am
>> and these other interactions between the main telecommunications providers. >> so that particular case we spun off in the early '80s where at&t was broken up and there was a recognition that we had to share among those brand-new phone companies the organization and the national coordinating center for the coordinators of the ncc was created at this partnership in the public and private sectors can make sure that those brand-new phone companies could continue to interact in the same way. the ncc today is the communications isac with a common sector. we created a parallel group for the companies to share but we still have those strong relationships with the ncc for the private to the public. that is most of the biggest peril that we have to that
10:56 am
infrastructure. other parts of the economy have those needs they can get together and collaborate. a lot of information sharing and focusing on outcomes we think of that is countering cyber espionage but the vulnerability disclosure fits into that also. how can we defend it before the bad guys get their hands on it and that's why we are happy that you can join us. so your company was right in the
10:57 am
midst. can you take a couple minutes to walk us through that process? >> we found a pretty serious issue that affects the microsoft platforms last week. my intent isn't to go through that issue suffice it to say it is a serious issue. the interesting thing about it is there's a lot of things going on right now that are kind of completing this. windows xp which is one of the most broadly used platforms as though particularly things like the industrial systems and atms in things like those will never be fixed.
10:58 am
they said it's too hard to fix it. there was the issue that didn't make it interesting. focusing on the disclosure side of it and the information sharing side of it also is the fascinating story. i've been in the information sharing space for a long time, one of the original people in the program in the mid-90s and the fall of the time that i've been involved in information sharing the concept of information sharing around disclosure and vulnerabilities never crossed my mind until a year ago that whole space just never crossed my mind. they are the munitions in the cyber battlefield that we live in.
10:59 am
there've never been more people looking for vulnerabilities. there've never been more vulnerabilities. the tools have never been better and the software that we generate, we generate mountains and mountains of software every day so not only do we have more people looking for the vulnerabilities that we have more places to look. so this is not -- this is a growing issue. our bug wasn't an implementation issue. they were mostly implementation issues meaning you fix a couple lines of code and you are done. this was a design problem. a fundamental decision that in this case microsoft made 15
11:00 am
years ago that turned out to be wrong. fixing it wasn't going in at adding a couple lines of coding it was adding features. and when you have many supported versions of your operating system and lots of supporting configurations and customers that have lots of important things and don't like to change things this becomes a long and difficult process. it took them 13 months to fix this. we reported in january last year that's interesting. there's a spot right now if you follow the space between microsoft and google in the disclosure timelines where google has a strict 90 day timeline including to the dismay they released an issue today is before microsoft was going to
11:01 am
fix it, so 90 days and fixing one kind of thing is fundamentally incompatible with fixing a design problem that took 13 months to get it right so there has been activity in space now and they've updated their policy just last week because of the harder class of problems. so in the 13 months you were able to disclose this and work with microsoft and sometimes the best thing to do in terms of information sharing is to keep a secret and in this case after microsoft took it to their credit they handled it fantastically. we are lucky because they have a very sophisticated incident response and security program and so it was their mistake 15
11:02 am
years ago but the people that handle it now were the right people and we are all very lucky. but he immediately got it and there was no convincing them that this was serious and that took three e-mails and they worked on it very hard for a year. the best thing it was was to fix it and get it right. the worst thing is to put an arbitrary deadline and tell them to fix it fast. in this case there were not good ways to fix it fast so that would have been sidetracking them to the detriment of the end of the security goal. in this case the best way was to give the vendor the runway to fix it and keep it secret. but it's hard and interesting because keeping it a secret especially for 13 months is hard. but we discovered this issue under contract in the
11:03 am
third-party that made it even more interesting. the third-party happened to be the internet corporation for assigned names and numbers and the do-gooder organization. they would have been willing to give microsoft the money to do what they needed to do. we had to release an interim report saying that we were sitting on a secret for a year. we had to tell people that we were sitting on it for a year. so it became very interesting. with my takeaways from this first of all when we think about information sharing we have to think about vulnerabilities and all that. we have all these questions who
11:04 am
else do you tell there could be an argument you tell the government. it's kind of a big place when you look at the international footprint then you get into which government? some of the response teams are somewhat indistinguishable from a foreign intelligence services. you're running offenses and defenses applications so everybody wants to use this knowledge for different reasons. you run into the economic problem so we got no money for this and that's okay. one of my employees said coming into this is a great quote this
11:05 am
whole thing working out the way that it did depended upon us not being rational economic actors in this case. because we had to tell people we were sitting on it for a year of course we got contacted by people i would characterize as in the former of the business and we are going to run out of basic patriots not motivated by money. >> this would have been seven figures right? >> it would have been a lot. it is a hard problem and it's not going away so when we think about information sharing we do need to think about this issue as well. >> by the way you can tell the different people that are up here. he's a policy guy through and through. mark throws in hexadecimal and jack is a pilot so he says make
11:06 am
sure to give people the runway. >> i have one more question. why don't we start and what amount to the audience if anyone wants to grab my eye i started over here and then we will go in the back. the microphone is coming around. >> following the conversation in the cyber security summit on the panel secretary johnson made the comment with regards to the information they are receiving at least with regards to the isac and 70% of american express being with a page of vendors and 4% from isac and 1% from government. i want a reaction to that breakdown. how much does that need to be
11:07 am
decreasing how much are we getting for that. >> it's really fascinating out of 100,000 vulnerabilities that we see in a year that we get 4% of the signatures from the fsisac. >> it was an amazing statistic listening because it would seem like it would be the other way around but they should get much of the information from the federal government or other sharing organizations. they also played to the source of a lot of the things that is the organizations sharing among themselves without having to go to the higher authority looking for problems they can tell you about. this has been recognized even before there was a dhs that most of the information that we know about ourselves is done by ourselves. we don't have to wait for somebody to tell us the obvious we can just begin to look for
11:08 am
it. the question then is how do you tell others. can they, should they, will they tell their competitor. this is part of what you are trying to help break down the barriers so that we can do more of the private competitor sharing for the good of all. >> i would like to know how many of them share. during my time i used to be the vice chairman and we were trying to figure out how we could get the devices into different banks so we could collect information. the information was already pooling in different places and verizon and microsoft and so we don't actually need additional devices. we need to find out where that information is already pooling and break that logjam. did you want to jump in on this
11:09 am
one? >> there's a lot of information that comes in and it's hard to know what the origin is and that is one thing we are trying to get more information on. it doesn't mean it came from another bank it could also be the government has shared it and they are getting the information it's hard to know how those numbers work out and we need to do more research to find out where it comes from and get to the point. >> we need to focus and we don't know the answer to that question.
11:10 am
>> if someone has measured i think it would be interesting to try to drive it across to say what are the sources of the voluminous information. >> next we are going to go to the back. this is an international domain and jeff mentioned the international dimension that there hasn't been much discussion of how the policy debate developed particularly if you agree sharing private sector to private sector is what this
11:11 am
is about even in a multinational companies and especially if you make national security clearance and important part of sharing how that affects the ability to quickly share information. i would be interested on the views of how this will go forward in the international context. >> how is this working and living into the international to start with and how does this work with and the birds and the birds and the other allies. >> it is designed to be international. the focus on the standard body into the main reason to be the nonprofit organization that folks can work with in order to set up the standards that are then eventually become the basis
11:12 am
for the new information organizations because that is not focused on the boundaries in any way to join those organizations we stand up and work across the borders today and this will be for the private sector would body that will then get at some of those international issues. >> one of the things that struck me about the british sharing because it seems the u.s. tended to go first we started in the sectors and now they seem to be very everyone come join. instead of keeping it small and trusted, it seems like it's been much broader and people can just come and join the party. >> we were together back in 1999
11:13 am
if you remember. the summer of 99 was interesting because we were in the military at the joint task force we were all worried about the foreign adversaries breaking into the dod networks so it was an interesting time. we looked at y2k being a technical problem something microsoft would just fix it but some are one of our colleagues raised the point wants to use that as a vector to get into machines worldwide and caused havoc and make it look like a y2k problem when indeed it was really malicious activity. that was raised as an issue and we held an international conference of which 95% of the attendees were from the united states but because we had it in london it wasn't an international conference.
11:14 am
>> i didn't get invited. >> so as we like to see in washington from all sorts of different directions but emerged out of that was an international follow the sun model because we recognized that earth does a rotation every 24 hours and there's one third of the planet literally alive and doing things if you think in eight hour slices and geographically it works out nice. europe and africa tend to be any slice, united states, central america, south america and asia so think china, japan australia that tends to be any slice and we were there at this international conference and we built a follow the sun model watching the internet at large as we moved from december 31 january 1. that laid the groundwork for what today is a strong international effort in the community through the computer emergency response team even today in 2015 is very strong. they worked together and meet physically as well as virtually.
11:15 am
the isac sector model has been replicated with other sharing both the international pieces across the team is a very mature and very well driven thing. but the big take away is it came down to people individuals recognize it and they needed to build a partnership in a 24 hour type of cycle and those individuals took the effort to make it work and from there there were some fantastic organizations but it really boils down to people recognizing as we were saying earlier that the information shared among those who can do something about it is the most powerful building point. there's other barriers and hopefully this is what we can break down with the legislation and other things to improve the sharing but it's about people who can do something about the problem working together international, domestic, regional etc.
11:16 am
>> the global side of this presents an interesting historical problem. many of the companies that are members of the forums are multinational companies with operations all over the world. so one of the historical problems of information sharing has become how do i share this information internally given nationally the different organizations that move this information across borders i might have citizens of countries that don't play well with others as the case may be. so all sorts of things these are challenges we have been facing since we shared the information a long time ago and i think that some of the things in the clearances are designed to smooth a lot of that internal discussion in the companies. one of the problems is when you get classification what can they do with it. we have to hold a secret because it's classified that means i can't do anything about it and
11:17 am
so one of the facets to that is how i deal with national borders. >> they have really been expanding out into europe and asia bringing the non-us banks into that and many people have u.s. security clearances even so it will be interesting to see how we can copy that to look at that model. in your opinion, has the international sharing potentially been hit either by the snowden revelations of what the nsa had been up to or the resulting sovereignty laws the information can't leave europe or brazil or wherever does that automatically by definition hinder them of the national information sharing? >> the key is about the privacy world.
11:18 am
some have come up with different groups about what information they take and how they deal with it and that's part of the reason we've emphasized this set of concerns. we can make sure we have the information we need for the purpose that's being used for that cyber threat and what is the reason that we are sharing it and there are privacy controls over it and people feel a lot more comfortable internationally than they do with people using all sorts of different definitions of things and sharing. the key is making sure we are sharing information that we need and we have the oversight mechanisms and then those concerns are less. >> one of my favorite moments of the summit was michael mentioned here today about wanting to get practical. let's really get down to we want
11:19 am
to share this with these people. what are the actual impediments to get from this two-tier and then let's know that it's going to flow smoothly. last week there was a panel on sharing for many of you will know she's been in the community for a year from, very associated with the electronic and others and she said you know i have my friends that work on signatures will sit down and show me the different ways that they share the signatures and i saw nothing that impinged on privacy in any one of those things they showed and that to me is such a powerful example. if we say that we are going to share stuff it brings up what i think are very understandable and automatic antibodies and here's someone that is fully on that side saying i don't see a
11:20 am
problem and i really liked that as an aspect of coming out and i hope we can do more of that. >> are there other plans that they are going to issue? >> the request for information will get a number of questions out the people get a sense of feedback. really the plan is to work with the community to make sure that it is aimed at what folks want to see getting at the kind of standards and i'm certain the privacy will be part of those discussions. >> i've been waiting to ask this question. i get a lot of questions from critics on the focus of information sharing into something they bring up a lot is what the sharing have actually helped sony come and gone, home depot, target, j.p. morgan and
11:21 am
so i am kind of looking at whether this sharing has helped and if not, what else can we be looking at now that we are getting it under our belt. >> the answer of course is that it depends. what would you have shared. >> how long have you been here now? >> you get this language down really good. it is a fair question of something we always ask. but for what could this have been prevented and certainly knowledge and the bad actors were targeting. could that have been picked up by intelligence sources? could somebody -- we went through this drill of september 11. what did we know before it happened that we could have told others about and integrated and shared and could have prevented. so that's what we are good at. i don't know that even if they
11:22 am
have perfect knowledge of what was going on that individuals then would have taken the proper action to know what to do because it's sometimes been boils down to what he said earlier if the individuals are the key and the information put in front of them based on what they know what's going on right now would they even recognize the threat and see it as a problem and somebody else who doesn't have the full context of the sound the alarm. there is no correct answer. >> i think looking through the framework is a better discussion about that because the companies would cut the risk that they have committed to figure out where they were vulnerable and what steps do they plan to take, taking a look at that to figure out whether that would have helped them if they looked at the risk in a different way and the information can help feed into that and address those issues that it's almost a better discussion tuesday with kind of risk modeling and risk management did they do in advance before they got hit as opposed to if they had this one
11:23 am
piece of information. >> we talked a lot about these unknowns, things that are around you. that's an education piece. it's not so much information sharing but how can we train the workforce that can recognize these things when they see it. none of these stand independent from each other. it fixes the cybersecurity and all these initiatives in the private sector, public, private, international. they have to be interrelated in order to move the ball forward. >> many information or security risks stem from preparing for their own adversary and not understanding the adversary or thinking you have a different adversary than you actually have
11:24 am
and you could make the argument that if any of those companies were not prepared for the adversary they actually had they were prepared for the one reading from the compliance manual, not the adversary that wanted to do whatever. so i think as we move up the stack so to speak in the information sharing right now is a lot about rules and signatures and things like that, but a lot of kind of what we are talking about right now is moving up the stack to the threat actors motivations capabilities. as we move up the stack and understand, you know what kind of threat actors are out there and what motivates them and the capabilities they have, they might be interested in targeting and why. that sort of information sharing had that existed several years ago may have actually helped somebody like anthem and
11:25 am
realize that there are different sorts of people out there. >> and i know that our port director were here she would also be pitching the basic cybersecurity controls because she will do that at the drop of a hat. >> if anyone has questions i did want to also -- this is helpful as we put this together and i want to tip my hat off to them. we will start over here and then we will go to arnold. >> can you comment about the decision by the top companies skipping the summit to say about the white house relationship of
11:26 am
industries when it comes to information sharing? >> i think that was overblown. people at the summit to know that there protects companies that were there. so the panels that we set up for designed to have a wide range of folks from different industries involved and so we had a couple of people on the panel and we obviously had the one keynote from the tech company and then the panel that had all four of the major companies that were mentioned in these articles is where we had all of the chief information security officers. so that was a bit overblown in terms of the participation in the summit. the goals were to really try to talk about the cybersecurity in a way that addressed with the consumers were thinking about. that means getting at the health companies and financial companies indicating that the retail companies. tech companies play a role in that, too.
11:27 am
and in terms of the breadth of what we are looking at for the summit, we felt like we had the companies in the room.
>> You were aiming to get a specific commitment from companies, and the fact sheet from the White House talked through a number of those commitments. Obviously this isn't going to be a success until you get even more commitments online.
>> More trips to San Francisco -- connected with one interesting thing about the summit: we used it to make our commitment too. That's what the executive order is about, and some of the other work we are doing to get more information out the door. We are making a commitment to the companies. So that is, I think, a big key to this. We have a number of policies rolling out down the road and we will use that to get more folks on board on some of these issues.
11:28 am
I was pleased with how many companies said they are using the cybersecurity framework, and look at the companies like Intel, Bank of America. They are requiring it of their vendors and contracts, and that is great news. That shows the market system, and insurance companies say that they are requiring it of the policyholders, too. That is what is going to make the cybersecurity framework a success in a way that we are not requiring it.
>> And is the use of the event policy that you're working on right now, when will they be held?
>> Who knew that these would be out now. We are just working on the calendar to try to move forward in all these areas where we still have the barriers.
>> I think that there are several events that happened all at the same time, and certainly
11:29 am
the Sony got a lot of people's attention.
>> Arnold Abraham.
>> Arnold Abraham with the institute and ellis is. I have a question. I'm surprised that we're supposed to put the emphasis on the cybersecurity clearances. I spent time with the Department of Homeland Security after 9/11; we looked at the threat information with local police departments, over 10,000 local police departments in this country. A lot of people were pushing, saying we need security clearances, and we said at the time that was not the answer. Jay and Marcus, after having been in government, do you think that an emphasis on the security clearance is a proper answer, is it an effective answer or not?
11:30 am
>> That's really where we're going here. And if the federal government comes up with something that needs to be shared, one of our many frustrations is they'll pull in a cleared private sector individual, they'll brief that individual on what's going on, but then that individual can't take any action because you've been told a government secret but you're sworn to secrecy, and
11:31 am
you can't, you can't walk out the door with that. So frequently we'll say, okay, so what's the tear line? In Washington speak that means if you have something classified, dot, dot, dot, dot, dot, here's what's unclassified, you tear it off, literally in the old days, you can pass that along. What's the tear line? Let me ponder that. And the answer comes back hours, days, weeks later, rather than, when the information is first prepared, it includes the tear line right up front. It's going to be the same analysts anyway that are doing this, so prepare the secret, but prepare it with the information that can be made public, and that generally means minus any of the sources and methods and things. That then begs the question why not just take the tear line, set that in front of industry so we can do things. This is a process problem.
>> Yeah.
>> Nothing more than that, and it's something we have to work through collaboratively, is how to improve that speed of information that's coming at us that's previously classified, required clearances. You guys have done a lot.
11:32 am
that last EO addressed that head on. We've seen some remarkable changes here in Washington in terms of streamlining. There's certainly a long ways to go. I think we all recognize that, but the steps are being taken in the right direction.
>> Yeah. I would second that. I mean, the most frustrating thing for quite a while on this topic has been, you know, you clear one individual in a private sector organization, he or she gets information that they then can't do anything with, and that becomes a struggle. You know, to answer your question though, I mean, clearances are valuable, right? Some things should be cleared.
>> Classified.
>> Now -- I'm sorry, classified. Some things should require clearance. But there's a balance, right? I don't think anybody would argue that, you know, sometimes there is a tendency to overclassify. So there's a balance. But there is value in finding a way to handle this and handle it correctly, and I think, you
11:33 am
know, we're moving in the right direction.
>> Yeah.
>> I mean, we're not going to clear our way out of the problem, and that's our viewpoint here, in that we need to get more information out in an unclassified way. That is our goal. DHS is working hard on that, the folks at NSA are working hard on it. However, there is still going to be some analysis that is going to be classified, and more companies want that than currently have that information, so we still need to address that --
>> Sometimes the clearance just gets you into the room, you know? Even if it's not the information. But if you look at a lot of the cyber conflicts we've been through, like Conficker. That was completely run by -- very few people involved, you didn't need it, you were able to drive it with what we're seeing now with companies like FireEye, the amount of intelligence they're able to gather that normally would have required classified sources, and to me, especially as a SIGINT guy, if the bad guys are releasing
11:34 am
their attacks over the internet, it doesn't matter if we collected it through a satellite, through whatever, it doesn't matter. It's on the internet, right? They're not going to suspect that we've got some sneaky signals intelligence. They put it on the internet. And just like any cat picture, right, when something's on the internet, it's on the internet. So to me, unless we are in their system and taking it and figuring out the signature, then to me we've got, we've got plausible deniability for anything like that. And I agree with the panelists, you know, I learned a lot of my trade from the chief information security officer at Goldman Sachs, who said you always try to lower your cost of control. So if you've got, you always go to the cheapest control that's going to get you to your desired outcome, and clearances are a really expensive, high cost of control. Anytime I hear someone say we're going to deploy something but you're going to need to get
11:35 am
clearances, there's probably a better way to get it. Oh, let's get the mic here from --
>> Paula Stern.
>> [inaudible]
>> This really follows on, I think, I hope. Are there companies that you would not want to see participating even -- want to participate in the ISAC?
>> Interesting.
>> This is state-owned enterprise, say, that may have large -- you know?
>> Yeah, that's a great question.
>> How -- clearances is one way in which you would say no.
>> Yeah.
>> So I'd like you to just help us understand how much information sharing was in this --
>> I'm going to pull this apart in a couple of different ways because, Marc, you deal with other big telecommunications providers. Some of them are in countries the U.S. may or may not have good relationships with at the
11:36 am
moment. I'm very interested in the company-to-company basis, how that goes, and then when we're looking at the ISAOs, how does it work when we say, all right, let's bring in -- [inaudible] or let's work with these companies, these big Chinese banks or the rest? I'm curious --
>> That's a great question. So for a sector-based ISAC, we are sector-centric, so the water ISAC will be water companies, the energy ISAC is energy companies. It wouldn't make sense for Walmart to join the airline ISAC. That's just not what they do.
>> Not yet.
>> Not yet, well, maybe that's true. [laughter] Maybe more like Amazon if they get the drones. You see where I'm going there. These are like companies forming an organization called an ISAC because it's sector-centric. They have a similar sector of the economy.
11:37 am
We also see sharing organizations that are not ISACs that are also very old, that are like, in Jay's paper he talks about one group that emerged many years ago following the Y2K stuff when we started seeing a lot of worms and everything, very international and very oriented on individuals vetted by other individuals. So in order to join, somebody has to nominate you as an individual, and then you're vetted by others as being trustworthy. So you're trusted. And so these trust groups are very powerful, and it's almost like in the movie series of "Survivor," you can actually be voted off the island if you're deemed untrustworthy. [laughter] But these groups build their own rules. They're not run by the --
>> Corporate counsel is not necessarily nearby.
>> Is that an ISAC?
>> No.
>> No? [inaudible conversations]
>> It could be --
>> Sector-specific, okay? They're created in a mindset of
11:38 am
sector-specific information, and there's a little bit of formality to that. And the ISACs continue, they'll be, and they are, in fact, ISAOs -- it's good to get the clarity as to who's in, who's out.
>> Yeah.
>> And a lot of it is based on what can you bring to the table, are you a player, are you a contributor, can you pull a lever? Can you do something? Can you action all the information that's being shared? And each of these groups is going to have to write their own rules. This is where we go to the baseline standards of how can you build a group of sharing individuals? How can you learn from previous groups that have already gone through this process so you can increase the amount of sharing going on but still keep the trust, keep the privacy, keep the things that we feel must be in place in order for rapid sharing to happen?
>> And the U.S. government will not have any say in what is --
>> Well, let's, let's take it over to -- right here.
11:39 am
>> So, I mean, the way that the executive order is going to work, there will be an RFP and there will be this nonprofit group that will form and set standards. Now, the way that ISAOs have worked, trust is the currency, right? So if there's elements, if there's people that join an ISAO and that causes people in that group not to trust it, it's not going to be sharing very much information, and it's going to fall apart, right, when we've seen them fall apart in the past. In fact, I worked in something that, you know, that became the Anti-Spyware Coalition. Prior to that there was another group that was around, and people just didn't trust membership there.
>> Right.
>> The group fell apart and then the Anti-Spyware Coalition came up and formed behind it, and we came up with our own standards of selecting who the membership was and what the rules were for -- we weren't sharing threat information, but we were discussing definitions that became the basis for software. So that, it's the same type of thing. How do you go about building trust and keeping it.
11:40 am
One of the good things is they can pop up, you can have two or three that do similar things and let the marketplace decide how they're going to work. If people don't trust them, they're not going to survive.
>> I wish I remembered -- I think the Anti-Spyware Coalition is a great example of what we're talking about: don't focus on sharing, focus on outcomes, right? I mean, you had a clear goal. We want to take spyware out of the system. Who do we need to include in the alliance so that we can get rid of this. And that's what I love, it's focused on the outcomes. Sharing is a supporting part of the process, but it doesn't necessarily drive the process. And I wish we could have had more space in our paper to explore this and related concepts. You've got net suppliers of cybersecurity information and net consumers of cybersecurity information. And most of us, most companies, most state and locals are on the downstream. They are, they have a demand for cybersecurity expertise -- for information. But really a lot of the
11:41 am
companies are here, the companies that were out in Palo Alto, you know, the Symantecs, the Microsofts, I mean, they've got the overall suppliers of information, and they'd love to look at these more market-based solutions. If we've got a mismatch between supply and demand, I'm one of those people that think, boy, that's a place for a market, you know? If supply and demand don't match up, then what can you do to get the market there? I've got a couple hands that are joining in there. Perhaps unsurprisingly, next is going to be Andy Purdy, and then we're going to come over to here.
>> Hi, yeah, Andy Purdy, chief security officer for Huawei USA. I think we should be careful not to be overly critical; in this network a number of companies don't think adoption and they don't quite understand views. But it's clear the value in the framework as a risk analytic tool for global organizations, and a translation engine so that global companies can compare
11:42 am
apples and apples and contrast apples and oranges for their global operations and for their suppliers. It's indisputable. Secondly, I'd ask how well are we leveraging two of the examples that Mike Daniel gave earlier regarding the framework agreement, which is being expanded across to critical infrastructure for closed MOU information sharing, and the National Cyber Forensics and Training Alliance he also mentioned for sharing among the major banks and whatever? How well are we leveraging the experiences in those to try to strengthen our information sharing?
>> Will Huawei use the framework? [laughter]
>> We use the framework as one of the risk analysis tools for understanding our global operations and our suppliers, and we have several thousand suppliers.
>> Great. Thank you very much.
>> So, I mean, Michael talked about those concepts.
11:43 am
I don't know if I can go into more detail than what he did in terms of those are areas that we're looking into. Certainly, I think in terms of expanding, we think that it was successful in getting out information to those that need it. You know --
>> You just explain --
>> So the idea is that we have a set of signatures out there that can be used, and this was aiming at defense industrial base defense contractors, getting to them the signatures so that they can use it to protect themselves in a way that they don't even necessarily need to bring it into each individual company. But it can be, it can be used to help protect them. We have a similar set of efforts for going beyond in critical infrastructure. I think it's been more difficult to get some of those other sectors to spread and use the same set of standards, but I think we are planning on doing, trying to get it out in a more
11:44 am
comprehensive way in the near future. So I think people should look at how we go about expanding that in the future.
>> I'm going to take the last two questions from the audience. This gentleman here, and then we're going to go to Mike -- [inaudible]
>> Thanks. Eric Burger, director of the Security and Software Engineering Research Center at Georgetown and head of the cyber threat intelligence information-sharing ecosystem project there. And you hit the nail kind of on the head in that, you know, in a town where money is the answer, what's the question? There are net producers of information and net consumers of information, and there's a bit of an air of we're going to do all this work, the government's going to help set up all of these sharing groups, when economically for a lot of organizations it doesn't make economic sense, you know, no matter how much government might say, well, you really should share.
11:45 am
So is there, you know, kind of a focus on either helping out or recognizing that there's a reason why Verizon has its services that people pay for, Symantec has services that people pay for, and so on?
>> Um, I'll start just to get us warmed up. It's too bad we try to keep our panels limited to a moderator and three, and too bad because there are a couple of folks we would have loved to have had on the panel. We would have really loved to have had someone from the Hill to talk about their bills, but also I'd have loved someone involved in one of these companies that set up to facilitate sharing, that's identifying the space. Paul Kurtz has been in this business, Red Sky Alliance, Jeff Stutzman has been in this
11:46 am
business, and it would have been interesting to hear how they dive into -- really you can even look at what CrowdStrike and FireEye and indian have done as part of identifying this market need and trying to step into this place. I'm going to ask this as a targeted question because it surprised me a little bit when Michael was saying when it comes to these ISAOs, then CrowdStrike, and he even mentioned CrowdStrike as one of our senior fellows, could set up an ISAO for this. That's really interesting. I mean, how does that --
>> Yeah, so I think --
>> That really bends the model of how we think about this.
>> Right. And that's what I mean when I say it's not the way the hub system has been talked about in the past. So an individual company could become an ISAO. Now, in the short term the advantage for a security company like a CrowdStrike or a FireEye or one of those or Symantec is that by becoming an ISAO, they
11:47 am
are saying we follow a certain set of standards. So once the RFP is out there, the standards body is formed, there's some kind of baseline. Then general counsel knows what they're getting into when they say they're setting up our software to default share back information and get information back. So by automating it, people can feel more comfortable with that because they know what that means, right? Some kind of understanding, oh, they're following the basic set of rules that everyone's supposed to follow. So that's very useful for them today. Now, obviously our legislative proposal also has this other hook to it which says you get liability protection if you self-assert to being an ISAO. So that gives them, obviously, another real advantage there. And then you might want to -- you might start seeing individual companies start saying we're ISAOs, so when they share with other individual companies, they say we're following these rules, self-asserting, then you get the liability protection in place for that.
11:48 am
Then you can see individual companies in different sectors, not even necessarily in the security sector, wanting to do that. So I think it adds a level of complexity and changes a little bit the way people think about information-sharing organizations. But we think it's useful for expanding the discussion and building trust and getting rid of some of the friction that we see today when people say, oh, I want to share information. And it turns out, well, yeah, but you have to get all these lawyers to sign off and you have to get all the other team's lawyers to sign off to say what they're doing and answer each other's questions all the time, and there's no basic set of questions to ask each other. We have to get to that point of having that basic set of --
>> [inaudible]
>> This is going to be interesting as we continue to kind of move up the stack. You know, if you look at, you know, the last 20 years of private sector intelligence in this space, it's been largely antivirus vendors, right? The AV vendors have been going out and finding all of the signatures and that's -- and then publishing that as a part of their product.
11:49 am
And that's basically, you know, private sector intelligence. As we move up the stack and get, you know, more information and more interested in who's doing what and why and capabilities and that sort of thing, you know, I think that the things that private sector intelligence organizations can do and the things that the government or public sector intelligence can also -- will become more interesting, more dynamic. And I think like anything there'll be value in both. There'll be certain information you get from one and certain information you get from the other.
>> It'll be also --
>> Yep.
>> Let me also just add we have a smart audience here of thinkers, so let me throw a thinking question out at you. We often like to say -- we're searching for something, an analogy to cyberspace, and often the analogy that comes up is a weather system. And we think that because the weather system -- and we see outside it's sunny today when they're actually forecasting snow, and in our mind it's like, well, where's the snow?
11:50 am
We can see something different, but we're expecting something else. We think cyberspace works the same way. There's predictive mechanisms. We can put sensors out there, and there is truth out there. All we have to do is look and we can see the truth. That's not how cyberspace works. We unfortunately get caught up in these analogies where we think that because it's something like what we see in the natural system, it ought to behave like that. So just extending the weather thing, when the sun comes out in Seattle, people stop what they're doing, they run outside -- [laughter]
>> Yep.
>> When the sun comes out in Miami, they're like, oh, I'm going back in, this is too hot. It's come almost to a different reaction when you're surrounded by things. You take different pieces. So in a private sector world, there is information that private companies can gather due to their observations of what they see inside cyberspace, much like what you're talking about with the
11:51 am
Symantec world. They can market, they can sell. There are things that the government sees that may be more public in nature, kind of like the National Weather Service can see that snow is coming and make a prediction.
>> Uh-huh.
>> I think this all works together. There's plenty of room for the public side to infer and see things and talk about and share what they see. There's plenty of space for the private sector to infer and analyze, sell that information. The things actually work together quite nicely. But we have to be -- and this is the thinking question -- what's the model that we're using here? It's not atmospherics. That's what we like to look at, but that's not what it is. There's something else. Or do we need to develop a new model that's very compatible to public sector, private sector working in our lanes doing what we do best that comes together in this magical thing that we call information sharing, where we all are doing what we're best at, and we amplify what the private sector can do, what the public sector can do, working together. That's a challenge. And that may be a think tank,
11:52 am
which you have, that can help answer those questions. [laughter]
>> Yeah, yeah. And especially with funding from communications providers. I'm going to go last question to Mike Combs.
>> Hi, Mike Combs, Department of Defense. One of the lessons we learned with defense industrial base was the government's signatures were not necessarily as valuable --
>> I've never heard --
>> And so we found that there's differences in vectors that come into the industry, and I just wondered if you've seen different vectors in different sectors as well. So there's no one size fits all. Certainly, there's some of those like the jazz bug, but in other cases there's not, and just any comment on that.
>> Well, I think, I mean, yes and no, right? Or it depends. No, I mean the vectors are all, you know, there's a short list
11:53 am
of low-hanging fruit that works pretty much anywhere, right? So your basic vulnerability suites, your basic social engineering, spear phishing has become shockingly effective in the last couple years. I don't know why we haven't solved that problem yet, but we don't seem to have. So, you know, in that way we're all kind of the same, you know? No matter what industry, what you're doing, what your line of business is, you know, find an insider that you can co-opt, that sort of thing. But then from there, you know, it all changes. From there it's then, you know, who and why: is your objective to, you know, embarrass, is your objective to exfiltrate, is your objective to steal? Based on what your business looks like, your motivations will go from there. Even if you look at the public incidents lately, they've all been reasonably foreseeable hazards in the space.
11:54 am
>> From an ISAC perspective, I think the frustration was with the signatures that all threats come from the network, all threats can be detected by this, you know, wall that we put up, and if we just can put the right cards in place with the right filters, we can make the bad go away. As you and I both know and most in the audience know, threats come from all over the place. And really good ISACs are holistic. They're looking not just at the network devices, but they're looking at people, environment, other things that are around them. That's where the DIB pilot showed that the --
>> Defense industrial base.
>> Right. And we share, yes. Can we get to the legal pieces, yes. Back to Jay's original thesis here, what we are sharing, can we do something with it? Or are we just sharing? And I think that's really the biggest lesson that we're taking away from here is sharing, of course, can be done. But now what do you share, and what can you do with it? How do we act on it?
11:55 am
And at an ISAC level that's what we're trying to do. We have been doing pretty good over the years and definitely learning as we go along what do we share so we can action on it.
>> And I'll come to you gentlemen for a last one-minute comment if you have one. So our next Cyber Risk Wednesday is going to be, as I said, on the 18th of March, and releasing a report that we've done with McAfee on the health care internet of things and how we can get security right to make sure we're getting the reward of those networked medical devices. Also on the 13th and 14th of March we're holding our Cyber 9/12 Student Challenge. So there are competitions for university students with a hack/counterhack. Ours is the only one for policy students to come in and say, um, as if they're advising Lisa Monaco at the National Security Council after a major cyber
11:56 am
attack and give real national security policy advice. You know? No one's died yet, it's too early to invoke collective defense for NATO, but we can look at Article IV for NATO. And that's going to be the 13th and 14th of March. Still have some sponsorship positions open for that. And, okay, let's turn to final thoughts.
>> So I'll just say that, I mean, in general the way I like to think about information sharing problems, as with many problems in cybersecurity policy today, it's really a collective action problem, and it's trying to get everyone to move at the same time. That's the only way that we're going to be successful in information sharing, which is why I say it's important to kind of do all these pieces at the same time. So that means we need folks here from all the different places that you come from to work with us trying to move some of these things forward at the same time and think about it, help us think about it, and if you have ideas, we want to know what you're thinking.
>> Can I -- it reminds me of the
11:57 am
question earlier from Eric, which is I wish we could have explored this more in our paper. It seems I would love to get some behavioral economists on this. Because you've got the short term: if I share in the short term, there's a really good chance I'm going to get yelled at by my boss and my corporate counsel, even though I know it's collective action and everyone would be better off in the longer term. To me, this is such a behavioral economics problem that I'd love to see more of that in the field.
>> [inaudible]
>> Jay, I think you hit very close to the conundrum we have here. Our sons and daughters, our kids, we tell them when they're in preschool, little Johnny, you should share with little Susie, share your toys, share, share, share, but when they grow up, they don't share. Sharing is bad, you know, keep things private. And when they become adults, oh, no, you're supposed to share. The information sharing's good. [laughter] We've got to work through this culture. Are we supposed to share or are we not supposed to share?
11:58 am
What should we share? Again, a think tank, that's a perfect area. Produce papers, produce thought. Dig into this: what does it mean to share, not just for cyber tactical stuff, but in this highly connected world where we are socially connected in a way that humanity's never been before. What should we know about each other, about bad things, good things, what should we share and how do we do it? Leverage the social media, leverage the crowdsourcing, leverage those new tools coming out of Silicon Valley. That's the hotbed of this type of thinking. Can we use that to our advantage in this new world going forward? But let's work on that together.
>> Great.
>> So and -- actually, can I jump in on that? Especially I want to point out you just wrote an interesting paper, did it make sense not to share, and I was hoping to get to some of the points of that paper, but perhaps another time. Jeff?
>> You know, we've been -- everybody on this panel and many of the familiar faces out here, we've been talking about
11:59 am
information sharing in one way or another for literally 20 years. I am heartened that the sophistication of the conversation is improving. Kind of reflecting back at where we were, you know, pre-9/11, immediately post-9/11 when the world, you know, kind of changed, and where we are now, we are making progress. I am heartened and excited about the steps the administration is taking on these fronts, recognizing the importance, and I think there really is, you know, we are, you know, at a point where it is going to change and dramatically get better in the next couple years.
>> Wow.
>> And I'm actually really excited about that. I think this is an exciting time to be having these kinds of conversations.
>> Okay. So we are the Cyber Statecraft Initiative, and you can't have statecraft without statesmen and women. They've been drinking from these nice cyber statesmen mugs, and we have several mugs we'll give to each of them as part of our thanks. But, please, help show your
12:00 pm
thanks as well to the great panelists. [applause] [inaudible conversations]
>> When we're finished here, networking goodies outside, meaning wine and cheese and other things, so that we can continue this conversation. Thank you. Thank you again for your attention.
>> Here are some of our featured programs for the weekend on the C-SPAN networks. Saturday morning starting at 10 a.m. Eastern, live on C-SPAN, our nation's governors get together to discuss issues affecting their states. Guests include Danny Meyer, CEO of