
Key Capitol Hill Hearings, CSPAN, March 7, 2015, 6:00am-8:01am EST

>> Before we move to the regulatory piece, I want to make one other comment. One thing I don't want to be lost is why companies like ours and others support the information sharing legislation. Partly because, to date, when we try to stop a cyberthreat it
7:00 am
requires lawyers to analyze a variety of statutes, whether it is electronic communications, determining what we can do. So a big aspect of the information sharing that is not talked about as much is the actual authorization component of the legislation, specifically authorization for companies to do things like monitor their networks or take action to stop the attacks, or, in the last panel, Ryan asked a question about liability protection if you don't act on the threat. Those are critical aspects because that would provide a clear legal framework; notwithstanding information sharing, it's all the more a legal framework under which we can apply that in cybersecurity. A lot of the reason we support this legislation is it clears up the legal overhang and allows us to act more independently and streamline the processes. We appreciate all proposals and
7:01 am
are willing to talk to all parties. One area the administration's proposal could be improved is on the authorization piece. Without that, having information sharing by itself won't be moving the needle on security, in my opinion.
>> In addition to having been bureau chief for homeland security, I also am a former deputy assistant attorney general for antitrust, and I had a chance to look at information sharing across the industries and other circumstances, and it is clear it makes a difference in terms of lowering costs and improving performance. That is true if you look at the insurance industry and its sharing of past information and the like, and it will be true in connection with cybersecurity. It holds the potential to raise
7:02 am
the cost of conducting successful breaches for the bad guys and lower the cost of defense. On the privacy point, I think the senator was absolutely correct when he says we need to care about these issues; we have friends out there, and the breaches improved data protection and enhanced privacy as well.
>> Let's talk about regulators. The FCC charged a new working group a year ago with coming up with a new paradigm around cybersecurity. The final draft report has been completed. Tell us what is the new paradigm
7:03 am
around cybersecurity, what has been accomplished? What is the state of the FCC's working group?
>> Let me set the stage for that. I am not on the working group and the report hasn't publicly been released. It will be on March 18th, when the advisory committee, which is called CSRIC, but you would be more bored if I tried to tell you what it stood for. We set this up when I was bureau chief about two years ago and it was very much coordinated with industry. What we recognized was the cybersecurity framework was going to be issued in February of 2014, and this working group, which was going to flesh it out and give it meaning specifically for the telecom industry, was
7:04 am
going to become active and develop a report and issue information that would make it applicable and usable in positive ways by the communications sector, and I think that is what we are looking to. We have people involved in an intensive effort, and I see a report that moves the needle and helps establish the telecom industry as one of the leaders in making use of the framework, in trying to make it usable by small and medium-sized businesses and the largest businesses. I haven't read it, so I can't comment on the outcome, but I think it has been a very positive process that will move the needle.
>> Robert, you chaired a group.
7:05 am
We have five subgroups for the major segments of the telecommunications sector. We have a wireless working group, cable, satellite and broadcast, so there were five subgroups and five feeder groups, including things like threats, and a metrics and measurement feeder group that I am chairing, so we have ten different groups working, with over 100 members of the working group, that we have been working on for the last year. The report that will be issued in March is a 300-page report that goes through a lot of detail. What we generally try to do, and I don't want to go into a lot of detail, but a lot of what we try to do is conform the framework and prioritize the framework for communications and critical infrastructure. So if you look at the overarching objectives, critical infrastructure, if you understand it, is interdependency
7:06 am
for things like financial services and electricity and water; how do we secure the infrastructure and make sure in a large-scale cyberattack the infrastructure continues to function? That was a big focus of the working group, using it for addressing those issues. Not to say other cyber issues are not important, but that is the focus of the working group. My view is the work product is a true example of how our sector partnered with the commission and others to generate what is a solid work product to set a framework going forward.
>> A question from our online audience directed at you. Shifting to Title II regulation.
>> First of all, I haven't seen
7:07 am
the text of the net neutrality order. It isn't out yet; it certainly wasn't a day or so ago. I think I would want to refrain from giving judgment on that. One of the things that is in play everywhere, from the federal court where the Wyndham case was argued this week, on the Federal Trade Commission's authority to enforce privacy and data breach reasonableness standards under Section 5 of the Federal Trade Commission Act, to the FCC, which in October did its first major data breach case, is the uncertainty from the rules and the legislation that is
7:08 am
proposed, in some cases delegating to the Federal Trade Commission more clearly, and some legislation would remove enforcement from the Federal Communications Commission, so we are seeing a lot of uncertainty around standards and around how they apply, and we need to look at what comes out of the FCC and the net neutrality order before we draw any conclusions about it. I am pretty sure the FCC is going to want to make sure information sharing isn't inhibited. The kind of information we are talking about sharing is not at
7:09 am
the core of what we're trying to protect against, and I think I will leave it there.
>> Any other questions? Another one online?
>> We have a second question here for Ari Schwartz. How do you see the partnership improving the reliability of the electric system? Are utilities and power companies getting on board?
>> We have had a good relationship with the electric sector in particular, in that they have been supportive of the cybersecurity framework. We have -- our plan is to work more closely with them moving forward in terms of incident
7:10 am
response and trying to make sure they are getting the information to respond very quickly: information we have from the government, and among themselves, to get information in terms of moving in response more quickly. Obviously there are different people in the energy space and different kinds of companies in that space. It is not an easy thing to say, but if we work sector by sector, starting with a large sector, that makes us move through those to try to make sure we are coordinating and getting the information to move forward, so we are looking forward to doing that. They also have existing information sharing and analysis centers today to share information.
7:11 am
The electric -- has been growing and becoming more effective, and natural gas is growing and becoming more effective. We hope we can make those move more quickly as we move the process forward.
>> I want to thank this panel. That was terrific. Thank you for your contributions. [applause]
>> We ask our next group of panelists and speakers to come up.
7:12 am
Very good. That was an excellent panel, and I think you heard Ari Schwartz talk about the seminal nature of the NIST framework, and we are fortunate to have the participants we have today on the panel. Going into the future, I will refer to Adam Sedgewick as one of the architects of the Rosetta Stone, or its discoverer; I don't know, but it is quite an accomplishment. I would also like to introduce Larry Clinton, who many of you know is president of the Internet Security Alliance and someone who has been an outstanding advocate around the framework for quite some time. Brian Finch is a partner with Pillsbury Winthrop and has a lot of experience in the cybersecurity policy arena. We are happy to have him join
7:13 am
us. Kevin Morley is with the American Water Works Association, which is one of the lifeline critical infrastructure sectors, very much involved in thinking about the framework as it relates to his sector. And finally, I am very happy to have Jesse Ward, industry and policy analysis manager at the Rural Broadband Association. Jesse is one of the leaders of the working group that dealt with addressing small and medium businesses. I would like to introduce David Perera. I am ahead of myself. Adam will speak and then we will have the panel moderated by David.
>> Thanks. I am eager to move to the panel too.
7:14 am
We can have that discussion. Thanks again to US Telecom for having me. These events are really helpful for us in terms of hearing what industry is thinking about, particularly the telecom sector, but we have representatives from a number of sectors in the audience, so that is helpful for us. I was thinking about this event and the title of it, on gaining traction or falling behind, so I actually wanted to go back and look at the things we were saying, and I chose to go back two years ago, initially kicking off the work on the Rosetta Stone. There was testimony we gave, my guys gave at the time, before the Commerce and Homeland Security Committees on what we intended
7:15 am
to do with the framework, and it was almost exactly two years ago. It was on March 7th, 2013, so I wanted to give that a quick look to try to understand what we had done and if we were hitting some of the marks and expectations we had set out. It was helpful to look at this and think about the language we were using back then, how the approach had been developed, and if we had hit the mark in terms of the expectations on this part of the executive order. One of the things we had in this was a heading called "why this approach," and we had to do work to convince people this was an approach that would have an impact. Under that heading, Director Gallagher said this multi-stakeholder approach leverages the strength of public and private sectors and helps develop solutions in which both sides are invested.
7:16 am
It does not dictate solutions to industry but facilitates industry coming together to offer and develop solutions the private sector is best positioned to embrace. Two years later, we're seeing a lot of evidence of how industry and government can come together to develop those solutions, not only through the process of developing the framework, a process where we had engagement from industry and an estimated 3,000 participants, but even through groups like CSRIC, the Communications Security, Reliability and Interoperability Council, and its work on risk management and best practices. And we think that will help provide the telecom sector a way to
7:17 am
think about meaningful implementation guidance, but broad and diverse and unique in this space. We were really pleased we could participate with CSRIC. Throughout the process we were really happy to contribute our thoughts on how the industry group could develop these products. So in addition to work like that, work like CSRIC for that sector, this sector has come together, and there are some things the water sector has done. Certainly we have seen the electric sector, and they come together to provide guidance, and we have seen a lot of other examples of what Director Gallagher was talking about to
7:18 am
develop solutions: coming together to talk about products and services that can be aligned with the framework. We have seen the auditing community thinking of the framework as a consistent standard they can provide their constituency. Insurance providers have begun to offer policies and promote it among policyholders, and we have seen states leveraging the framework to improve security of the infrastructure, including in many cases as the foundation for their work in cybersecurity for state emergency management. These settings we are seeing out there we are capturing and sharing back, and a lot of this material was discussed quite a bit at the forum last month in Stanford. A panel of CEOs discussed these initiatives. In terms of what that means for us and how we can help in our work for the ongoing year, and I
7:19 am
hope we get good feedback in this panel, we will continue efforts to raise awareness on the framework, including by working with other organizations, organizations like US Telecom and others that are here today, and a lot of that awareness will not only be focused nationally but thinking about the international audience. One of the top priorities will be to develop and share information that can advance use of the framework and other risk management, such as illustrations of how organizations of different sizes, types and capabilities are using and employing the framework. The ability of these organizations to look over each other's shoulder and understand the practices they are putting into place is extremely beneficial. And developing material on how the framework can be aligned
7:20 am
with business processes, including the key issue of making sure we can integrate cybersecurity and risk management with the broader way in which organizations think about risk, something our stakeholders said was important, and there will be a lot more. In addition to that, if you think about what the framework effort was all about: identifying best practices that can be used for critical infrastructure, developing a structure to be used more widely through the framework, but the third piece of that, the next piece when we released the framework, was the roadmap, a list of priority projects ranging from supply chain risk management to authentication and technical privacy standards, which we continue to work on. It is a living document, and in those projects we can have a richer
7:21 am
conversation about what the priorities are moving forward, to keep this truly iterative and being able to react to those who manage cybersecurity risks. And in all of these efforts it will be a priority to ensure it can be conducted in the same open and collaborative manner in which the framework was developed. But I think, going to the title of the event, are we gaining traction or falling behind? There is a lot of work to do. How do we know this effort is really working? Based on the advice we have gotten from the private sector on making this effective, our immediate focus is to continue to raise awareness; stakeholders tell us more needs to be done. A lot of that is raising awareness with sectors that don't have regular events on cybersecurity, as much as we
7:22 am
appreciate these as well. Not only about the value of the framework in addressing and reducing risk, but thinking about the essential first step to getting to true effectiveness. We know about the impact on effectiveness because it is much like what we have seen to improve quality in other fields. Concerns about cybersecurity and risk, like quality, need to be integrated into each organization's approach for doing business. There is no single definitive universal end point for improving quality or cybersecurity. We are recommending organizations do a serious evaluation of current cybersecurity practices and develop plans to improve their capabilities, ideally through the use of the framework or another risk management tool. That process will take a lot of time. Because the framework is voluntary, it allows us
7:23 am
flexibility to continue to increase the number of stakeholders we work with and use the underlying tool. I was relating to some people that I realized the people across the aisle from me were talking about bringing the framework to their business enterprise, the sorts of things we think we see from this approach. The private sector has voluntary -- voluntarily participated in the development process, and we have found that they are more than willing to discuss how they are using the framework and sharing lessons learned. What we intend to do in the future is work with partner agencies across government on sector-wide assessments, monitor surveys of private sector organizations to understand how we can leverage those to understand effectiveness, and continue to receive information through the workshops and meetings that we tend to have, meetings like this, and all that information where we are
7:24 am
thinking about how to glean help for our stakeholders and improve future versions of the framework. With that, I will close my remarks. I'm looking forward to this discussion. Hopefully that provides a foundation. I thank Robert and US Telecom for having me. Thanks.
>> I am a cybersecurity reporter with Politico. I am going to be moderator. We have a great panel. We have agreed we will be direct, to the point, no circumlocution permitted, so let's get to our first question. Let's talk about cybersecurity framework scope. We have two utilities on the
7:25 am
panel, so perhaps you could address: do you envision this as something that is applied just to your core infrastructure? How would you define that? What about the enterprise IT systems you also control?
>> I will go ahead. The framework has flexibility beyond critical infrastructure, particularly critical infrastructure as it is in the executive order, which is a narrow definition. What we actually tried to do in this working group is thread the needle. As Robert mentioned, with Susan, the small and medium-sized business group within the CSRIC working group, looking at small and medium business issues, what we saw is although many small and mid-sized businesses
7:26 am
may not fall into that strict definition of critical infrastructure, that doesn't mean they can't adhere to the same spirit of this assignment. They can keep the goal the same but just scale it appropriately for their operations. So what we are looking at is having each small business define for themselves what is the critical infrastructure. So, for instance, when you are talking small telecommunications companies, it might be that one of those telecom companies defines their switch as core infrastructure because without that there wouldn't be communications taking place within the local area. There is applicability beyond how they define the framework. I would also say in the working group what we looked at is -- I
7:27 am
am sorry. The framework also has applicability at the enterprise level, so that is good corporate citizenship, good business practice, and every company wants to be more secure, so as much as they can look at that, that is helpful.
>> It seemed to go out of its way to not discuss enterprise IT systems, out of fear that might, as I understand it, give the FCC some additional leeway in regulating what it doesn't regulate.
>> From our perspective, if you are a company that has 10 employees, you have extremely limited resources; you have perhaps one technical officer who is the chief security officer, he looks at new business opportunities, and if he has limited resources, where should he prioritize that? What we said is he should look at core critical infrastructure first, but all of the associations' network operators
7:28 am
agreed that this is good business practice, so yes, it should be applied at the enterprise level as much as they can.
>> If I could add to that, we had actually embarked on this process a little before the executive order came out and had been anticipating the need for a sector approach based on some work we had done collaboratively with the Department of Homeland Security seven years ago, and we have run the gamut from some very small rural communities to Washington, D.C. and New York City, so we had to be cognizant of the scalability. And as part of that effort, there has been a lot of activity, and hopefully folks can get their hands on enterprise business systems that are operational and the types of things that are done, and there has been less talk in the past on process control
7:29 am
systems or industrial control systems, which some of the standards that are embodied in this framework are focused on. So perhaps not unlike what CSRIC did, we developed a process to make the framework more transactional for our members, understanding that a lot of them don't have CIOs, and putting it in terminology for how they apply the technology in a prioritized manner: given limited resources, where should they focus their time and effort? We have created a prioritization tool to help them work through implementation and application, to try to change that behavior and institutionalize it, as we heard from so many other speakers today.
>> So the answer is yes.
7:30 am
>> That plays to the enterprise system as well.
>> Are we going to be changing the name of cybersecurity for critical infrastructure any time soon, now that we have established it is not just critical infrastructure?
>> You pose your question in terms of how companies evaluate critical infrastructure within their entities and can the framework be used more broadly, and that is one of the discussions we had in the development of the framework. Jesse was saying different entities view it very differently; some entities will treat how they deliver critical services separately. Others take an enterprise-wide view and are leveraging the framework in that way. The way we talk about the framework is people do it in different ways. You can set up a series of profiles within your organization, but you are seeing people using it across organizations
7:31 am
based on the feedback we were receiving, we received, getting more utility from broader application, where you can look across your entire enterprise, and that is the sort of thing the auditing and insurance community likes to see. They like an approach that shows managing all risks for all networks. In terms of other organizations using the framework, even though it was developed for critical infrastructure, if you look back to our -- first, given -- we talked about using the term generally, organizations. One reason we did that is we had an expectation that critical infrastructure would also evolve as organizations and businesses changed, and as different services moved up and down in the marketplace, so we wanted, as we came from the Department of Commerce, we thought about doing this in a way that could be
7:32 am
broadly used, and we are excited it is being used by organizations that are not critical infrastructure.
>> Larry, you talk a lot about the need for the federal government to follow through on a portion of the executive order about developing cost-effective measures. One thing officials say a lot, and private sector executives as well, is that the framework is infinitely flexible because every company is a special snowflake, and what constitutes cost-effectiveness necessarily must vary from company to company. Therefore there can be no federal government cost-effectiveness standard or guide or what have you.
7:33 am
>> I think the reality is if we are going to have a voluntary system in a capitalist economy it is going to have to be cost-effective. There is no other way to deal with this, and this is what every single study that has looked at cybersecurity tends to find: PricewaterhouseCoopers, CIO magazine, the list goes on and on. Companies make decisions based on cost-effectiveness, and one modification, building off Adam's comments, integrate the framework, but really we have to think closer to what Senator Johnson said at the beginning. We need to integrate the framework and other security steps into profitability, into growth, into innovation. They are one and the same thing.
7:34 am
As to whether or not to offer any guidance on this, this is what we do with everything we do in the private sector now. Companies look at environmental regulation or activity, or disability regulation or activity, and make a cost-effectiveness assessment. So we have to do this. My guess is we could come up with some fairly useful guidance, because electric utilities don't look much like IT companies, defense companies don't look much like other manufacturing companies. I think we could do some useful study, and we have proposed that this be done in a collaborative fashion, integrating a sector-specific agency with sector coordinating councils to jointly come up with a mechanism so they can determine together what would be the most
7:35 am
cost-effective way to implement the framework within their particular sector. ISA has gone further and discovered various sizes of companies, even within the category of small businesses, find different things to be cost-effective. So we have looked at companies with one security person, such as Jesse was pointing out, and certain things can be done in those small companies that are cost-effective and are not necessarily the same things as for ten security people. The reality is that if we are going to get to broad-based voluntary adoption of this framework we have to address this at the economic level and integrate this into the overall mission of our economy, which is growth, innovation, security, profitability, all tied together.
7:36 am
>> So guidance by industry sector and guidance by industry size.
>> Those are two of the most obvious ways we could subdivide these things. I am sure there are lots of others, but I would be happy to start with both.
>> Individual companies are not as special as they like to think.
>> We are all individually special, but every single one of us probably does well if we exercise, watch our diet, things that are healthy and effective, notwithstanding individuality; if we study and do our homework as students, there are certain best practices that can be applied across -- probably true -- even with regard to this
7:37 am
framework.
>> I am morally opposed to exercising, dieting and studying and doing my homework. It is very interesting, building on Larry's comments and Senator Johnson's comments. The framework can be extremely flexible, an excellent representation of how companies can begin to look at cybersecurity. It was not dedicated to cybersecurity, and it is misleading in terms of how the framework will be. You can still be breached at any given moment. It is not necessarily about preventing the event but recovering and managing the risk as much as anything.
7:38 am
When it comes to cybersecurity and the utility of the framework, in my opinion, looking at the framework for critical infrastructure, I don't think it came as a big surprise or as something truly innovative for larger utilities, larger companies. That is not in any way, shape or form to denigrate the great work NIST has done. They have done a fine job. It is helpful for smaller and medium-sized businesses that have no clue where to start when it comes to cybersecurity. Usually you get the answer about the internet or what firewall we should buy, etc., etc. I would like to look at the framework from that perspective. The other thing that is very important to note, and I have seen Adam make comments on this as well, is a lot of times when people talk about the framework they talk about, we have adopted
7:39 am
the framework. We fully integrated it into the systems. And we will see comments in the media from lawyers, mostly, who say if you don't adhere to the framework you have violated the standard of care, and that is the benchmark for determining liability when it comes to cyber risks. I don't think that is the case. I don't think the framework represents a standard of care.
>> Are those lawyers charlatans?
>> I call them shillers. I am not above shilling. It is not necessarily that they are charlatans or what have you, but it is a fundamental misunderstanding about what the framework's intended purpose is: to understand your risks and generally get organized. At the end of the day, if I can watch a video of the old Tiger Woods as many times as
7:40 am
I want, and I am never going to get it exactly right. I will never pound it 340 straight down the middle of the fairway, and I guarantee you this never happens in my life. It takes me several shots to get 30 yards down the fairway. When we are looking at the utility of a framework or extending its use beyond critical infrastructure, we have to understand it is one piece of the puzzle, just like information sharing is one piece of the puzzle. Talking about threat signatures or indicators of compromise, that is all well and good, but it is not going to provide you with complete cybersecurity because you're getting threat information. There is good information and bad information and a lot of useless information, and so it is all about how you execute at the end of the day. The framework will be helpful in some contexts, but it comes down to how does the company implement? That is where the rubber meets
7:41 am
the road.
>> I guess this brings up a question about how to measure this, and are we measuring it? There has been a lot of talk about measurement. There has been a lot of talk that because the framework is individually implemented, a universal set of measurements isn't possible or could measure the wrong thing, but we have heard sectors have commonalities. Business horizontals like size have commonalities. There is common ground for some kind of measurement, isn't there? Adam?
>> I will take this opportunity, you said to keep this brief. I will do a little bit of shilling myself. One of the things we recently put up was a frequently asked question, a very lengthy one, in future forms you can use from
7:42 am
here. >> prevents me from doing my homework. >> let me read the response. how can organizations measure the effect of the frame worted it depends on approaching its use. is this seeking an assessment of seiders of the security risks and processes? seeking a specific ou etome like better management of cybersecurity, and assurances to customers? effectiveness managers and cir somstance, the framework leave specific measurement to the users dil frretion. individual entities may develop quantitative metrics for use within the organization or its business partners but no specific model recommended for measuring the eancectiveness of use. that is where we are and what we heard from our stakeholders and our overall fouly rt on that issue. something we can certainly study and discuss and work with our pa, iners to think about what
7:43 am
these measurements and metrics are. That is something we're very interested in seeing as people use the framework and --
7:44 am
We could do a real favor for private-sector companies, and in particular smaller companies, if we gave them some samples that they could work from. If we could say we did a study of small water systems or large water systems and found out this set of best practices was most
7:45 am
cost-effective and this one was not, people would look at that. Now they know where they can go to implement the framework for their own particular use in a way that is most likely going to benefit them, and they will then study it on their own to see if it was true in their case, and they will make adjustments moving forward. That is how we integrate the flexibility of the framework, which is one of its major pluses, with the inherent obligations of these businesses, which are legally charged with maximizing shareholder value. We have security and profitability. We must integrate them, and as I mentioned in my question to Senator Johnson, that is really difficult in the digital age, because the things that drive innovation and productivity actually undermine security, so we have to look at these pretty carefully and come
7:46 am
up with ways to move forward. >> The points Adam made and others on the individual nature and flexibility, the beauty of the framework and the opportunity to provide entities or utilities, not telecom, to apply practices applicable to the operating environment, and looking at their operating systems and architecture, there is a significant variability in the types of things that I do, so of the controls that are applicable to this particular utility, only half are applicable because of the way they operate. So the aggregation of the data outside the individual becomes apples and oranges.
7:47 am
>> No way to come up with a measurement. >> The question is what are we trying to measure? That I tie my shoes or put my shirt on left-handed or right-handed? Is that important? What is important is that entities are taking the appropriate risk-management activities through application of the principles and framework that are laid out in the guidance we designed to help utilities apply this framework. There are different measures of activity, whether it is process related, that is good, an individual entity, that is how they do their internal benchmarking, but at the aggregate level trying to see a change in how it is integrated, through some form of options or
7:48 am
to use the term loosely, and how we approach it in our sector. >> I agree with what Kevin said. Looking at an aggregate level, companies utilize the framework, improving their security posture, or better securing critical infrastructure, their core networks, making sure the network is still available. Looking at the framework at a subcategory control level, what one company does compared to another might be very different. If you are a small rural telecom serving defense contractors, a small rural telco in middle America has different customers, different institutions and different
7:49 am
needs. We are having a discussion about the framework in D.C. circles. When you talk about the framework, this is a really nascent concept to those outside the beltway. I had to define NIST to the audience. And awareness and education, from our perspective our members are 900 rural telcos across the United States doing security for many years, and all of them want to be more secure and want to protect their core network and customers' data and personal information. It is a question of assisting them with doing that more effectively and efficiently. >> Talking about metrics, it comes down to a critical point, which is that the framework is about
7:50 am
risk-management, not risk elimination. Every company has a corporate risk manager; they don't have a corporate risk eliminator. Why don't you have a corporate risk eliminator? Because you can't eliminate risk. At the individual corporate level you have to utilize it, define the threats and types of malware and attacks that you can suffer, those you can protect against, those you might be able to protect against and those you cannot protect against. No one in this room or the federal government, and it is more about incident response. And that does the middle area, at a nation state or organized crime, is sort of a mix between incident response and defense, and you should be able to protect against available
7:51 am
malware, individuals, etc. Ultimately it is how the individual companies, looking at the risk and utilizing the framework to appropriately protect themselves, stop it at the perimeter or minimize the loss associated with the cyberattack. One thing I want to add, to an article you wrote a month or so ago that we were dancing around a little bit, some of the responsibilities of the software developers: you wrote an article about Google releasing zero days after a certain time frame once they have come to discover them. That is important as well. As much as companies can do to protect themselves, perimeter defense or incident response, there are lots of moving parts, and part of the problem we have to confront is that companies are receiving software, utilizing software, that has unlimited
7:52 am
vulnerabilities. They will not discover them all on their own. This is a shared burden throughout the entire supply chain, and you have to look at the holistic picture before getting closer to truly managing this risk. >> More of a comment than a question, but on the metrics discussion that's going on. The focus on framework education and awareness outside the beltway, totally agree with that, but one thing that frustrates me about the metrics conversations is people focus on "are you doing the framework?" or "how do you use the framework?" The real question is what is the outcome the framework is providing? It's really about outcomes, not activities. You do the appraisal, were you busy this year? That's not really an outcome. The fact that we are using the framework, for companies using it,
7:53 am
is almost irrelevant compared to the fact of using it as an effective tool to drive a particular outcome, and doing work in the working group we focus heavily on things like availability and resilience and how to recover from attacks, with response activities, as opposed to just activity. >> We have a question from the online audience. This is directed to you, but anyone: considering the vast amount of devastating breaches that have occurred and are known through the media, and taking into consideration the breaches that are not publicized, how confident are you that use of the cybersecurity framework in the private and public sector will reduce events in the future? >> On the awareness front, this
7:54 am
continues to be a priority, to suggest this point, to communicate to people why it matters to them. In terms of the other part, the minimizing of incidents, one thing I have talked about quite a bit is there are those unknown unknowns the companies won't be able to prepare for, so the reason we talk about risk management and resiliency is in some ways we are trying to have folks understand we can't prevent every incident from occurring, and focusing on the framework, the reason we have five functions, we talk about respond and recover. From the security community there is a wide understanding and acceptance that you can't prevent incidents, but that understanding hasn't always made its way to corporate leaders and policymakers, so
7:55 am
having processes in place to recover from an incident we see as critically important, and to the point of the question, if you go back to Ari Schwartz's presentation, this is one element of many that industry is undertaking, the federal government, the state governments, international governments are undertaking to help manage this problem, and to get there we hope it will have the approach of making things better out there. >> To just build on Adam's comments and agree with them, and particularly the last one about how many things we are dealing with here, and thinking of the title of the event, whether we are gaining traction or losing ground, we are gaining traction and losing ground. The problem is so complicated,
7:56 am
attacks are cheap and easy and profitable. There is no return on investment and no law enforcement. Jesse's comment about going out into the community outside the beltway and doing more awareness and education, that is so true. This past week Mr. Clapper said cybersecurity is a bigger threat to our nation than international terrorism, and that is probably true, but the spending in our government, which does get it and is expert, is about more on terrorism versus cybersecurity. Most of us in the room making in this space are not nearly enough. We need more efforts and funding
7:57 am
and much more investment and thinking about this. Otherwise we will continue. >> Last question. >> Small company in Virginia. A couple of comments. I mostly disagree with the panel on metrics. It is measuring outcomes, with the framework being a Rosetta Stone, that is the ideal framework for measuring progress and outcomes among different organizations even though they do it differently, and if you want to know how, there is some measurement that everyone ought to be measuring: how do they respond, and do they respond to those priority indicators and security breach? Because they don't. Those breaches, there are indicators of compromise.
7:58 am
There are indicators. We miss them, and it goes back to what Mr. Fitch said: process control management in the cybersecurity framework is great. >> If you have a question. >> Talk to me about how to measure it. >> There is one point I would make if you talk about reducing complexity: the goal of getting these things out is not the guidance, to have more paper to go through, but to make these conversations easier, because we all understand where we are coming from. We think a lot of these efforts are really important; one of the things we think will be really helpful in the long run in terms
7:59 am
of reducing costs is that when products and services are coming in, we have a much richer conversation. >> Please join me. [applause] >> I am going to say thank you all for attending in person and acknowledge all the folks who attended via the live stream. I want to thank all the panelists; I thought it was great, excellent, informative panels and discussions, and I also want to announce that we will have, you heard a lot today about the work of CSRIC Working Group 4, which will be released on March 18th. On March 19th US Telecom will have another national policy forum and talk about that event, so look for that on our web site and we will push that information as well. Thank you and have a great day.
8:00 am
[inaudible conversations]