
tv   Key Capitol Hill Hearings  CSPAN  August 3, 2016 1:01pm-2:08pm EDT

1:01 pm
i served as vice chair along gary and we built a strong friendship and it shows bipartisan works and that is what the national governors association has been. he has been a gentleman to all. he has listened to all of our ideas and i have to tell you he has been a great leader. governor, on behalf of all the governors at the national governors association, i would like to present to you this gavel as a token of our appreciation. [applause] >> thank you very much. terry is going to a good great job. states are the best hope for america. keep up the good work. thank you. >> thank you all today. i cannot tell you how honored i am to become the new chair of the national governors association.
1:02 pm
i am honored that brian from nevada will serve as our vice chair. we will make quite a team working together. brian and i are committed to making sure the role of the nga is recognized as we embark on a new administration coming in we want to make sure the governor is at the forefront and the new president elect to talk about the issues of joint concern among all of us. i plan to move the national governors association forward through my initiative which is meet the threat: states confront the cyber challenge. it is important for all of us. this initiative will highlight an issue i have been focused on since first day as governor: cybersecurity. in addition to providing states the resources they need to meet the threat.
1:03 pm
we know firsthand that i hit this issue as soon as i took over as governor of the commonwealth of virginia. just an example, since january 1st, virginia has had 53 million cyber attacks. that is a cyber attack every four seconds and 300,000 cyber attacks a day. we successfully blocked 4,042 malware attacks and stopped serious cyber threats. we know domestic and foreign actors are probing and infiltrating our critical infrastructure to access sensitive information and our systems that if are compromised.
1:04 pm
the hospital system and data get hacked and they demand ransom for restoring the systems and data. cyber threats of intellectual property and trade secrets alone has cost the united states economy over $300 billion annually. yet our ability to confront the threats in our education system and workforce development programs. we need to grow, train and retain the best cybersecurity personnel in our states. as a result, we are missing out on economic growth within our states due to our inability to meet the cybersecurity demands in the private sector. today in virginia, i have 17,000 jobs open in cybersecurity. the starting pay $88,000. that is three billion dollars of annual payroll that we are
1:05 pm
forfeiting. that is why we are redesigning our high schools and k-12. as governor, my first executive order was to create the virginia cyber commission. they held town halls that led to 29 recommendations focused on education and workforce, economic development, cyber crimes, cyber infrastructure and network protection and most importantly public awareness. i am proud to see since establishing the commission today virginia has become the first state in the nation to adopt a national institute for standards and technology cyber framework. we passed legislation protecting citizens' digital identities, established accountability and authority for cybersecurity in all of our state agencies, we developed and enhanced cybersecurity policies and increased the crimes and our
1:06 pm
ability to prosecute cyber crimes. we adopted advanced credit card standards for security, increased the number of centers for academic excellence and introduced several cyber initiatives in the 2017-2018 budget. if you give us two years in government, we will pay for your cyber degree. i am very proud in virginia that per capita we have more veterans than any other state, more female and more veterans under 25 than any other state. we transition out 10-15,000 veterans and want to roll them through training when they come back and put them right to work. another goal is to expand virginia's economic footprint in the cybersecurity sector. we already have a strong base
1:07 pm
and are an international leader in cyber. four days ago i was in israel and they will make an investment in the commonwealth of virginia and this is going on all over the globe. virginia is home to 27 military installations and the largest naval base in the world. all of these have constituted cyber attacks. our partnership with the federal government is to make sure we protect our federal assets so the assets stay and continue to grow. i am proud to say that virginia is now home to 650 cyber companies. the second of any state in the united states of america. that represents an increase from 450 cyber companies in 2011 and i am proud to say that virginia was just chosen for a new air force cyber operation squadron. more than 67,850 virginians work
1:08 pm
in the cyber sector and that number is expected to grow by 25% through 2022. our aggressive approach to grow the cyber sector is special to build the new virginia economy capable of withstanding the uncertainty of federal sequestration and budget cuts. the aim of my chair's initiative is to replicate the work we have done in virginia across all of the states in the country so everybody is best positioned. if virginia is out on the lead in these issues it doesn't matter if another state isn't because as you hear from ceo's they will go to states with weak access and go in through a backdoor. to do this, we will provide governors resources and recommendations, we will focus on how cybersecurity affects all sectors of state government
1:09 pm
including health care, education, workforce development, economic development, infrastructure and public safety. there will be regional talks to educate how cybersecurity interacts with the state government. the idea is to provide takeaways policymakers can implement right away. we will develop a library including products developed throughout the year all aimed at assisting states in creating, improving and fostering strong cybersecurity states. there will be templates we can use for policymakers. as a cybersecurity strategy, we will have checklists on critical issues and executive orders, many we have done in virginia, just copy them and bring them back to our own state and push
1:10 pm
them through your executive orders in sample documents and legislation that we have had approved need to begin immediately to do yourselves. finally, i am excited to announce through this initiative we will launch a series of continuous podcasts featuring leading cybersecurity practitioners discussing issues of particular importance to our state governor folks. in front of each of you is a checklist as you can see here. that you can use to begin to assess your state's readiness to meet the cyber threat that exists in the new economy. last thing i will say is we have been working hard at the national governors association and five states that take innovative leadership and are in good shape. 20-25 states made good progress. 25 states have a very, very long
1:11 pm
way to go. my point is if there is a weak link in that chain it affects everybody along the chain link. it is my goal a year from now that each one in the room, along with colleagues not here today, will be equipped with answers to each checklist item. promoting cybersecurity protects our critical infrastructure but creates economic opportunities. as leader pelosi said this is one area the federal government is going to spend billions and billions of dollars on. as a governor, if they are spending that kind of money i want to make sure we are getting our fair share in the commonwealth of virginia. we cannot do this without training and hiring personnel with the skill set to protect them. that is why all of us need to be thinking about what we are doing in our k-12, code writing, computer science in k-12 and specifically the critical high school years. we have two great leaders who
1:12 pm
will help us frame the issue, understand the role of governors as they work with the private sector. they are chief executives in their own right and play an important role in protecting their companies. we have two outstanding leaders. i have the pleasure of introducing susan story who is the president and ceo of american water which is in about 47 states. and joe swedish who is the president and ceo of anthem. anthem has a million folks involved with the company. both individuals deal with cyber threats each and every day. it is important for health to have clean, fresh water. so much attention has been paid to potential cyber vulnerabilities in the electric grid. today's discussion highlights
1:13 pm
how cybersecurity affects the broader infrastructure sector and in the health care structure they are facing threats as well. and proper care is needed to deliver lifesaving sectors. both face challenges similar to what we face in our respective state. we have two ceos who did not have a cybersecurity background but had to quickly learn about this complex issue and spearhead new policies. let's start off first with susan. she will provide us a little background on her company and what she has had to do to deal with these cybersecurity issues. >> thank you, governor. i would like to thank the
1:14 pm
national governors association and governor mcauliffe for making this an initiative. this is critical for every citizen in the country. this is timely and important and thank you for the opportunity to participate in this. also, governor branstad, i want to thank you for hosting us in this beautiful city. american water has served parts of davenport and clinton for 130 years. it is always great to come home. thank you so much. what i want to do is as governors you know this you are chief executives. but you are chief executives with thousands of responsibilities every day. nothing is as critical as your responsibility to protect the people in your state, protect them from any of the critical services you provide. things like fire, police, health and human services. these are very serious things
1:15 pm
that people take for granted every day. but you have to think about it every day. as utility leaders, and i spent 31 years in the electricity industry before coming to the water industry we also have to face these critical service challenges. we have to make sure after hurricanes, ice storms, flooding, during droughts, that people have the critical services they need. we work with you and your states and organizations and agencies in your state to do this. so the fact is we are in this together. as governor mcauliffe said we regulate in 16 states and touch 12 million people. we have market based operations, serve 12 military installations across the country and we run 41 different municipal systems across the country. we are in 47 states all in all.
1:16 pm
what happens in your state matters to us. we want to be part of solutions you are working on and be a part of the answer. what i want to do for a few minutes is talk about cyber but from my standpoint in utilities and critical infrastructure you cannot separate physical and cybersecurity. everybody hears about the internet of things and it has all of these different definitions. let me tell you what it means if you are in an electric, water, gas or telecom. what that means is our cyber is not just our systems have customer information and employee information. it is the systems that run the grid. it is the systems that make sure the water treatment plants are operating. it is the systems that make sure the environmental challenges are met. it is the systems that insure the water gets through pipes and we don't have contamination. you cannot separate physical and cybersecurity in the world of
1:17 pm
infrastructure especially utilities whether it is a municipal utility or otherwise. what do we need to do? from american water standpoint there are four big things as we look at this. i am not going to talk about cybersecurity in general. i want to talk about a specific preparation that is being done in this country that the nga is getting involved with which is the black skies initiative. many of you have probably heard about this. it was headed up by the department of defense, department of homeland security, and the utility industry. back in 2013, they started looking at what they called a black sky. what if there is an electromagnetic pulse taking out a grid and you have 11 million people out of electricity for at least 25 days.
1:18 pm
how do we withstand that? they went through the year and came back and said we realized the number one problem or threat is the water sanitation services. how would you have evacuations of a major urban center with no drinkable water and no sanitation services? so you have issues around diseases. they came, i went and spoke to the group and they said we want phase two, which will be released this summer of the effort. phase two will be the water sector and resources during this time. what is important about this is uk and israel were part of the effort. it was headed up by a consultant by the department of defense but they very much want to get states involved. when the report is issued this summer, they want to have a checklist for public service commissions in every state in terms of what they need to make sure is happening for the
1:19 pm
utilities in their state. water, electric, whatever. this is a big effort. i want to talk a little bit about how you approach the black skies initiative and that identifies or helps you with the cyber and physical security. some things we are doing: technology. our systems, cybersecurity cannot be an add-on on top of what you are doing. it has to be a part of the fiber. as we develop the water system that correlates to the electric smart grid we have to build that protocol into every bit of the technology. not something on top to make sure we monitor it. it has to be part of doing that so had investment in technology is critical but it has to include everything around physical and cybersecurity from the beginning or we go back and make that part of the fabric of the systems. the second thing is just like the state of virginia and
1:20 pm
your states did, we adopt the standards that the industry adopted. we hold ourselves to the same standards. it is voluntary for the water sector at this point. as we move forward it would not be advised to not become something every water provider becomes a part of. the third thing is as we look at what we need to do from a partnership, if you don't remember anything else from my comments today, we all have to work at this together. at american water we partner with environmental organizations, the fusion centers, the public service commissions and we also partner with the emergency planners. on a federal standpoint we are able to help because we partner the homeland security because critical infrastructure is a huge part of ours. in fact, homeland comes in every week to our company and tests
1:21 pm
the systems as simple as going to the external website and say how can someone get in and we take those comments and try to keep the system from people getting into it. we partner with the fbi. we partner with the department of defense in a way because we serve the defense but also critical infrastructure. we partner with the cdc. we worked with them two or three years ago about dealing with ebola. we deal with water contamination. what we have to do is find intersections where we force conversations among all of us. it is critical what one person knows the other knows. that we have open communication on critical things that are happening out there. another thing i am proud of is that what we do at american water it is not the job of our it department or even our operations department. every level of employee gets
1:22 pm
involved with cybersecurity at american water. in 2015, every state has information technology. i believe in my direct reports, only i and the head of physical and cybersecurity knew what the scenario was. i spent all day seeing how the executives would react. you are actually going through this and seeing what they did if an intrusion happens. another thing we did which was the most incredible thing i have done through because it is real life. you divide into two groups, one
1:23 pm
is a hacker and the other is a company, and based on what each side decides to do you react in realtime how you would deal with an intrusion. and it was a lot easier to be a hacker than the people trying to protect the system is what i found out. whether it is companies, states or local agencies it is incredible how difficult it was. but it was a great exercise. at the end of the day, we have to look at physical and cybersecurity and the integration of the two of those for the critical infrastructure you have in your states and we have in our companies. number two is it isn't enough to keep people from getting into your system. someone will find a way. how will you handle it when it happens? one mistake. if we defeat them a hundred
1:24 pm
million times but they get in once -- and water, you have to make sure fire hydrants. we cannot let that one get in. we have to make sure that when they get in we find a way to stop them. so what i leave you with is i do have a call to action for the states and governors. i think there are four things we need to do together. number one, promote communication and teamwork. make sure your agencies are working with all of the utilities. make sure the utilities commission, electric, gas and water is all doing it together and we bring in the federal department of homeland security. it is really important people are talking and sharing information. the second thing we have to do is make sure we have resilience in our assets and infrastructure. this isn't easy. from a water industry standpoint we have in many states the
1:25 pm
ability to get capital investment in realtime in terms of replacing pipes every year which is really important but to get okay to do something for resilience that you hope never gets used and you as a state leader trying to invest in things you don't know if you use or not we have to figure out how to deal with that. that is not an easy task. the third thing is public-private partnerships. nobody can do this alone and we all have to share our best pract six weeks ago the commonwealth of virginia did a black sky simulation. there were 130 people, federal agencies, the military, homeland security, state agencies, all of
1:26 pm
the utilities came together for a full day and did a black sky simulation. if we are faced with an extended outage and can't get power for 25 days how will we keep the water system running and the sanitation systems going? i think if we work on these together i think we can ensure our citizens, our customers are vibrant and can feel peaceful knowing we can handle whatever comes along. >> thank you, susan. [applause] >> i think sometimes people think of health and don't think of the traditional critical infrastructure but it is clear that the cyber terrorists out there clearly are targeting health information and in fact it is one of their chief targets. anthem as you know had one of the largest attacks in our nation's history. there is a merger going on and
1:27 pm
today almost every american will be touched by anthem if the merger goes through. two of my children got their information taken on that. tell me about it and what did you do to respond to that breach? >> thank you. it is an honor to be here as a health plan that serves many of you. actually 26 states total. we are involved in a variety of health benefits and engagement there it is state employees or a variety of sports. we have a deep engagement in many, many states. we protect data and protect the nature of how our members engage in the marketplace with respect to their monitoring and managing their health status. true personal health information has to be guarded.
1:28 pm
me as ceo it was incredibly troubling and frankly mind-boggling we could experience a breach of a scale that you mentioned. i want to first say congratulation to the governor and the work of the commonwealth with respect to the speed you took it on. priorphrey the commonwealth. now the populating state resources that hopefully you can take a lot of your information in terms of learned experience out to the marketplace. let me share what we experienced and in terms of understanding our company we touch 72 million lives in a variety of ways and the majority of it related to health benefits, balance of the millions related to speciality
1:29 pm
services along life and dental insurance and so forth. we have a very sophisticated it infrastructure and invest sums of money in order to protect data. what happened is about 18 months ago we learned of the breach and it touched 80 million records. as you pointed out, probably the largest breach in the nation's history. we do know at least by virtue of our relationship now, which is very close, with the fbi that we have been assured none of the data went to the black market and that is amazing because it
1:30 pm
lends up in the hands of people using it for commercial purpose. that did not happen. we are very pleased with the outcome. notwithstanding that fact we are concerned with respect to the intrusion in our systems, how it happened and how we can manage our way out of it. let me first talk about the fact the growth in technology as we know is unprecedented. now it is escalating at an even greater pace and depth with respect to social media, with respect to tracking technology. and our concern is what we are aware of is we are focused on regulation creating privacy and security, we are focusing on understanding vulnerabilities and the levels of risk it
1:31 pm
presents and we want to make certain that in terms of managing the threats we have the use of data as an endgame that is effective for the individuals and services that need our information with respect to highlight information that is used for the betterment of care delivery and health status of all of our members. so we learned i would say three core elements that hopefully we probably get a chance to talk about with respect to the depth of q&a that is going to happen in a moment. three core elements. we have to target advancements and the culture is what differentiates the culture. if you have a system that is committed to protecting every
1:32 pm
customer or citizen you have a running head start. number two is collaboration. i want to talk more about this a little later. what i witnessed was how i detected a sense of competitiveness where, well you got breached, but we are okay. we don't really need to share information. i think what you are creating, with respect to your work in the commonwealth and connectedness of the states, is representative of the collaboration startup that is necessary to get traction and achieve greatness with respect to the controls necessary to protect our society. and third, i want to make certain that we talk about commitment. commitment is absolutely essential with respect to resourcing and resourcing is one of the core elements of your effort you mentioned. i cannot tell you how many times
1:33 pm
i heard i have a budget problem, i don't know if i can get the kind of commitment i need from a superior. to your point about data, and data that we now monitor carefully, every month we have 1 million hits that we would consider a threat. what is interesting is we have 250 individuals dedicated to nothing but managing the risk of a cyber attack. we have 55,000 employees and every one of them by way of training and the engagement we expect is monitoring those individual workspaces. the 250 individuals are looking carefully at the 19 million that distills close to 5,000 hits we believe are nefarious in nature and we identified, it doesn't
1:34 pm
sound like a lot, but it only takes one, 150 hits that are truly threats to the intrusion we think can create another breach on the scale that occurred to begin with. those three elements make up the difference with respect to whether you succeed or fail on the world you came upon with respect to threat that has been presented to us. so what i would like to do is maybe just pause there and begin opening it up for questions. >> before we open it up to questions -- why don't we go ahead and open it up to questions. >> sure. appreciate you being here and your window into this issue. certainly as resources are not being fully allocated and more and more governors are paying attention to this. two questions. one, how did you change culture
1:35 pm
in your own organizations? because we are in a similar situation yourselves. we have a million things going on but finding the time and space for that to happen. and what places do you see states can provide you unique and critical support? >> so the interesting thing about changing the culture and the great thing about a water company is our employees get the criticality of what we do. people ingest what we deliver. we are a health agency in some ways. what we had to do was at some point cybersecurity is considered an it function. i think that is the biggest cultural issue in states by human nature. the computer guys will take care of it. what we had to do was show the number one, weakest part of our company, will come through an
1:36 pm
employee who mistakenly clicks on something. once we started communicating that. i have to tell you one thing we do once a month, our i.t. sends out fake phishes every month to employees to see who clicks on it. what we found was some of these phish will have my name e-mail but an extra r maybe in my last name. what we did was every single e-mail coming from outside our company and domain that is proven has a red banner right after the subject it says this e-mail is from external sources make sure you know the sender before you click on anything.
1:37 pm
at first our employees were like what a waste. we found from some of the fake phishes it was reduced 50% after we started putting the header on anything that came from an external domain. our 67,000 employees are thinking about and the help desk is getting more calls. another thing we are doing, and i think this is important, we have had a chief information officer and then we also -- one question is how do you deal with the big stuff and little stuff. we put our environmental under one chief technology and innovation officer. and his whole role is integration. not just the system for e-mail
1:38 pm
but the people running the water treatment at the plants. connecting that and saying technology is not separate from business and separate from business and state. it is the business. i think the cultural shift of getting people to understand it is every single employee's job. >> maybe i can go back to the leadership. they say leadership, leadership, leadership. it was amazing when i learned of the breach. i got with my team and the realization was that we needed to send a clear message to the importance of what we run up against which i am certain they appreciated it.
1:39 pm
we made commitments to the associates and bringing them on board so they are aware of our responsibility but made a commitment to our members so that we gave them a sense of security we were taking care of them with the support and security that gave them a peace of mind that in spite of the breach we would take care of their situation no matter what it might be in terms of how someone might use that data. so, let me say that for our company it began with the board. they hold us accountable with respect to audit insight, regular reports with respect to how management is managing the
1:40 pm
affairs of the organization in terms of security, we have a very educated highly expert risk management process through an it security officer. that security officer has been given tremendous amounts of responsibility and authority not only internally but we encourage him to get engaged on various levels of national policy, state relationships and other societies like you may have heard of high trust. we have a variety of certifications and have brought them on in terms of a total engagement to get to kind of routine inspections that are necessary for us to be assured
1:41 pm
we are protected as an organization. we retained mandiant and they are assessing our performance on a routine basis. so we have multiple sources of certification. our engagement in terms of building a culture that is protecting the member because at the end of the day we have sensitive, vital personal health information. unfortunately, social security information, addresses, and e-mails and that nature of information but we were blessed it did not involve personal health information. notwithstanding that we have a culture in our company that is highly protective of data and every associate is expected to
1:42 pm
be engaged and committed to securing the organization so they are monitoring in their space and a collective basis. it is cultural, cultural, cultural driven by leaders that get it and are committed to the safety of information for members. without that, you are treading water literally. >> governor, you ask what the states can do. i mentioned some of those. we have to start communicating between federal, state, local, utilities from the critical infrastructure i was talking about but also key companies that are there and part of this. simple things like having an exercise once a year. i will tell you a great trial run, hopefully we don't have it, but during natural disaster recovery we are learning lessons from not talking to each other. after superstorm sandy northeast
1:43 pm
we have plenty of fuel because 90% of the critical assets that serve water to customers have backup generation. so if the power is out we can have water and sanitation. we had fuel but no place to restore the fuel. local areas in new york, pennsylvania and virginia needed fuel. we worked out a deal saying we will provide fuel if you give us space to keep the fuel. we did it during the recovery but it is now built into the emergency plan so every time this cyber incident, the conversion of physical and cyber, don't necessarily have to have separate plans. emergency planning, there is a broad brush that should be there same whether it is manmade or natural when you talk about critical access. it is different with just the information systems. the best thing is we know each other, we share information with each other, and make it a physical exercise one day a year.
1:44 pm
i think that is the best practice that we should be able to target in all of our states. >> governor hogan? >> well, first of all i want to say congratulations and thank the governor for his focus and leadership on this issue. as most of you know, our two states, maryland and virginia, we surround the nation's capital and are home to most of the federal government's defense intelligence and cyber assets and have about 1500 of the top private sector cyber enterprises in our two states. our little region there in my opinion is the cyber capital of america if not the world. but i want to thank you, terry, for your leadership in this area. i want to thank both of you for this fascinating discussion. this is one of the most critically important discussions we have had at this conference. i have a simple question.
1:45 pm
it follows the line of discussion with governor loopers question. in implementing cybersecurity efforts within your organization, can you give specific examples of some of the internal resistance you came up against and how you are able to overcome it? >> fascinating question. it is the -- with respect to getting out of the gate one of the most painful experiences i have had coming to the realization people don't know what they don't know. that is a lot to overcome. you are starting with the basics of getting information out and people on board. you realize you have to
1:46 pm
establish educational models that get folks on board and develop that sense of responsibility. number two, there is a resistance to transparency. it is interesting when the breach occurred how many folks said we have time. we don't need to go to market. let's figure it out and run it out as long as we can. and contrary to that, i call it human nature. wanting to slow walk it. and you know, within the boundaries of regulation. don't get me wrong. we made the decision to go to market fast and get the message out to our 40 million members by e-mail and first-class mail in order to inform them of the breach. transparency is something you have to deal with and overcome the sensitive threat that exposes people don't know what they don't know.
1:47 pm
and then the last thing i guess is sort of budgetary considerations which is, you know, i don't have the dollars. i don't have the support. whatever, i don't have. and therefore i can't. you know, that old saying if you say you can't then you won't. i think the final piece of the puzzle as i said earlier is this leadership has to protect a commanding presence that this isn't going to be business as usual and the realization whether it is me as a ceo or any one of my executive leaders, every individual lives in the shadow of the leader and from that point forward after the breach people know that literally job one for me to protect a company necessitates my commitment to protecting our information and so living in the shadow of the leaders of day one, day two and forever
1:48 pm
experience i appreciate with respect to this realm that we have now come upon. >> and it is interesting and i will start with the biggest one that is broad spread. as you start doing exercises and want to see how people are going to react, no one wants to look bad so saying we are going to do an exercise and you, mr. executive vice president are not going to know what it is, and we will watch and see how you respond and follow up with best practices to say where did we screw up. if we are not -- it is interesting but culturally it is important that we deal with this is for us to learn. set the expectation up front. we don't expect you to be perfect. i think as we do these exercises i talked about to have a safe place where we can go in and say we may not do everything but if we don't let's support each other and look for best practices and not try to do the
1:49 pm
facade of going through the motions but trying to find out weaknesses. that is from the bottom levels to the highest levels and i think the same thing in state agencies. the general population of employees didn't like having the extra verbiage on the e-mails but you have an information technology group and that is what they do. saying this is everyone's responsibility it takes getting used to. as leaders we have to set the tone for cyber to say none of us are where we need to be. none of us are perfect. and we will mess up and together we will figure out a way to make it right. if we go through these joint exercises within a company or across agencies and we don't go in saying we are not going to be perfect and it is okay and we are not going to badmouth or say they don't know what they are doing that sounds like a small thing.
1:50 pm
but i worry that could be the thing that could trip up effective exercises. >> you talk about resources and if you don't asking ballpark of what you are spending protecting yourself from cyber attacks? >> year one the investment was substantial. a hundred million plus to get up to the standard we felt necessary to meet the threat. onward, looking into the future, we budget 50 million a year specific to enhance technologies and quite frankly that doesn't count people. that is literally hard cost capital deployment to embed new technologies. quickly, it is fascinating, i have become a little more educated about this topic and i am thinking i now got to the
1:51 pm
point of i know what i don't know. we are learning that it is amazing how predictive analytics is having a substantial role in proactively looking forward and helping us model what the risk levels may look like so we are ahead of the game. that is the next level of investment for us to get engaged in predictive analytics as opposed to reactive and waiting for something to happen. really predicting what the future may look like based on solid data that gets us to the future faster than we would otherwise is helpful. >> i think that is a great point. most of us have enterprise risk management maps with the senior executives say what is the biggest risk to the corporation and cyber or technology was listed as one of eight in the
1:52 pm
past. now it is part of every one of the identified risks. we don't make it public but the technology and cyber piece is integrated into every risk. joe is right. the use of predictive analytics to say how will this impact part of the business or this agency? these two agencies may look like they have almost no interconnection but they do with our systems or in terms of services. where are those interconnections? and a predictive analytic can say this breach may affect 20 agencies where you think it is maybe one or two. i absolutely agree with you. i think it is a powerful tool and we started scratching the surface of what predictive analytics can do. >> if i can get back to the core basic way of running the shop and that is did we experience
1:53 pm
angst or resistance? as ceo i am subject to the lockout of the system and you cannot imagine how much anxiety that created. but as way of our data analysis teams they monitor all lockouts and when an executive, or anybody is locked out of the system, they immediately consider that a threat. they go to that executive, walk them through what happened and why it happened. it is another heavy lift but the necessity to manage the system. >> happens after you change your password after 30 days, forget it and get locked out. i understand that. >> i understand the pain, too. >> any questions? governor mccory? governor branstad?
1:54 pm
>> quickly, what are we doing about the talent shortage? supply and demand. how are we going to afford? in the government, you in the private sector steal all of the talent. terry is doing innovative things in virginia but what are you doing for the talent now and the talent long-term? >> that is right on point. we had a meeting with the council governors and dod at fort dodge and dhs. they cannot get folks at the federal department and we have problem with the state level. the private sector pays three or four times more. this is a big issue. >> when we do get them they are taken quickly. one of the best ways to move up in it is to move out. it has been that way for years.
1:55 pm
i used to be a duke power recruiter. just curious what you are doing as far as talent, recruitment, and retention. >> typically that meant what are you doing with it talent. i will go back and i hate to sound like a broken record but for us in critical infrastructure it is not just the people in it we are seeing challenges with. there are challenges with the blue collar workers. they have 12 screens now where they are monitoring the quality and everything in it and the majority of them don't have college degrees. so one of the things we are doing is partnering with state community colleges, state technical colleges and i will talk about that later because it isn't talked about a lot. they did studies about the skillsets required coming out of
1:56 pm
high school for a college freshman or someone walking straight into the skilled technical jobs and do you know the immediate needs are greater for someone coming out trying to get a job than a college freshman? the math, the computers, everything around it is critical. so for us, it is multi prong. the first thing is getting these skilled professionals. we partner with a lot of national labor unions. we have 18 different labor unions represented across the united states in our business and some are excellent training. rather than re-create the training, we are working with them to try to especially go into communities that are underserved, that have young people who if they learn a skill we can bring them in, and that has been very effective for us. that is that group. then in terms of the it we are fortunate because i will tell you that the millennials coming up and there is a new name for the ones behind it but they want
1:57 pm
to do something that matters to the world. they want to have security. one thing that helps states and federal governments is a lot of them saw what happens when their parents lost their job after the financial crisis. it is amazing how many 24-25 year olds say i want a stable job. their definition is not what it was when we were their age. their definition of stable is 5-10 years. but the ability to have stability is what we are finding is important but the second part is we have to appeal to the altruism so many have. they want to be part of water. they are going to be doing something that makes a difference. the more we can talk about that and that is not everything but if you combine stable retirement benefits even though they are not what they used to be they are better than what competitive companies offer along with making a difference.
1:58 pm
we are finding that is being successful. >> i will just add, we have over 20 interns we employ that are working with respect to moving up in their career. so we put them on a variety of special assignment. we cannot go so far to say it is an achilles' heel in finding the right talent but we have a responsibility to build and train and give folks a career path in this profession that allows our organization to be protected in terms of having the right talent, right place, right time. >> when it comes to cybersecurity and infrastructure what is the regulatory role of
1:59 pm
the state? and should be looking at incentivizing laws? >> we have regulated operations in 16 states meaning we are regulated by public utility commissions. new jersey did set up a requirement with a framework of what is required to make sure every utility has the framework in place. i don't think government can define specifically what everybody needs to do but a broad framework of expectation and this happens and here is what we expect. i think having that dialogue is healthy and very constructive and we welcome it. >> speaking from my industry's rer spect we have so many regulations laid on us by
2:00 pm
external forces. ... 800 regulations, but somehow we all have to getting my-- to my term earlier, collaborating and working together so that cultural connectivity occurs amongst all the parties that are involved in this and so, again, unification and standardization and maybe not so much regulation. >> there is a commission on uniform state laws. is this something you think would make sense to go before that group and i know they tried
2:01 pm
to recommend certain areas where they want to have uniformity. i know in insurance regulation, although state regulated we try to be as uniform as possible across the country just for the facilitation of industry. >> well, following our breach as you can imagine we were front and center with every insurance commissioner that-- intensely multiple times and it's probably difficult for me to characterize the because it is a work in process, but to me it was amazing and uplifting how much connectedness there was amongst insurance commissioners to the nic and individually working with each i really had a sense of the spirit of unification and collaboration that really benefited us and i think it would be a tremendous asset going forward. >> that is good news. i'm glad to hear that. i will let my insurance commissioner know that.
2:02 pm
>> from the utility standpoint it's a bit different. we have different regulatory constructs in every state. no two of our states are the same from a commission standpoint from water, electricity or gas. for as it tends to be a long environmental requirements, if they conflict with federal requirements zero we are okay with some customization because we understand there are differences in states. with epa tells us once and that state tells us one thing is when we get trouble. from utility standpoint that is most of what we are concerned about. >> let's give joe and susie a great round of applause for this great great panel here, folks. [applause]. >> in front of you you have a brochure. governor snyder and i were asked the other day, your states have spent a lot of money why don't you just use this to recruit
2:03 pm
businesses to say it will be safer in your state. the point i'm trying to make is, we are only as good as if all 50 states are doing this because you can backdoor any state to get to any other state. you want to get to our fm folks you can go do some states that have it and you can get to us, so this is the role of the national governors association, 50 states all of us together going in the same direction and we are also giving you-- i'd notice governor branstad was looking in at supportable phone charger that you get to take with you. it's a gift from us. now, we are closing the weekend out and oh, i think conclusion with a memorable memorable weekend we have had from going to the historic state capital to getting our root beer floats to the fireworks and what a better way to end this great conference than going to the greatest players in the history of mankind, the iowa state here tonight and let's all give our
2:04 pm
great governor terry branstad and christine branstad a great round of applause for doing that [applause]. >> this would not have happened as governor branstad will tell you it would not have happened without the cosponsors that stepped up to the plate. these are hard deals to put together and we have most of our cosponsors out there. let's give our cosponsors a great round of applause, if we could. [applause]. >> finally, i want to thank our nga corporate fellows and on behalf of all of you and only have the nation's governors we could not do what we do without all of you. give them a great round of applause, if we could as well. [applause]. >> tomorrow we encourage everyone to stop by the marriott tomorrow morning on their way out is that they can help package a few meals to help folks in the service of that will run from 8:30 a.m. to 10:30 a.m. tomorrow morning and if you do that that would be appreciated.
2:05 pm
without further ado, just for old times sake son calling that meeting to a close. gary, for old times sake come and give it a rap for us. >> thank you. it's been a great conference and thanks to everyone that has made a contribution to this effort. nga is doing really good stuff and under terry's leadership it will even do better. i know there have been people asking about the booklet that we passed out to the governors on highlighting the successes of the states. if you want to those contact scott and his people. also, there will be a website with the continuation, so the things you are doing and other innovative things taking place we will have online and to see some of the great things taking place that you can access also, he didn't contact scott or the nga to have access to the website. with that-- >> hit the gavel schemata boom, meeting is adjourned, everyone. thank you. [inaudible conversations]
2:06 pm
[inaudible conversations]
2:07 pm
[inaudible conversations]
