Federal Officials Discuss Cybersecurity, C-SPAN, August 9, 2016, 6:41am-8:13am EDT
isis, homeland, and the secret service. i want to speak today primarily about the ppd and the response side. i will note that our agencies are key partners and we have two representatives in treasury today and they will be chiming in on their role. i would like to think of a cig -- significant cyber incident as
an arson in the world. you kind of wonder who is going to catch the arsonist and if the police showed up, you would want help to put out the fire. the fire fighter is the role that dhs brings on the asset response side. i will note that obviously, leaving the analogy somewhat, both of the threat response and asset response are really hugely fueled and empowered by the intelligence role, that tonya will speak about later. for a victim you aren't going to see the intelligence role, you'll see the threat and asset response and i will focus on those from your perspective. you are your arson. you have a fire fighter there, you have the police there, threat responders, the police, if you will. what is the fire fighter doing? the fire fighter to leave our
analogy is going to help you find the bad guy, clean up the mess, figure out what did they do to you and what do you do to improve your security so that this doesn't happen again. in addition to helping you improve your security after the fact, part of our job is to take what we've learned and distribute it to others in the private sector to help them protect themselves, right. so asset response is about helping the victim clean up after the incident, kick out the bad guy and help other people not become victims. spreading awareness so that others can defend themselves. let me talk a little bit about the role we are playing in what i think of as tactical asset
response and also strategic response. on the tactical side, we've come and helped companies and we may help them remotely with things like log analysis or malware analysis or we may help them on site, literally coming on site to help them remove a deeply embedded adversary. i'll tell you the people that i hire to do that have to be technically proficient, they also have to be diplomats. i had a hard time hiring cybersecurity after i asked him diplomats. and so they have to be there both to provide help but do so in a way that makes the victim comfortable, happy, that they, the victim, remain in charge. that's one of those principles that michael highlighted earlier.
so that's the tactical role. and i'm big into analogies and in this conversation i'm big into mixing them. i told you that my guys are firefighters and then i made them diplomat firefighters. i'm going to have to start paying them more. at the strategic level, it's just like the role of fema on the response side which is helping coordinate the delivery of all that the government can do in support of a victim to help them in this significant cyber incident. the lead response role is that high-level coordinating, bringing to the table, making sure specific agencies or energy are there and providing deep insight into the sector of the affected entity and whatever other government capabilities we can bring on the asset response side to help the victim or help the entity out.
i will close by noting that michael briefly mentioned the work that he had given us. and the ppd gave us 180 days to do that work. i'm -- if you can't see me, maybe the cameras, i hope, can't see that i'm sweating bullets. 180 days is a pretty short time to update the national response plan, that's a plan where all of you have a role. so this ppd brings forth what the government will do in the roles and responsibilities of the government agencies. in the national cyber response plan, we need to hear from you about what you can do, what you want to do or what you need from us. and so we very much need your help, 180 days is a tight time frame. it's faster, i think, than any of us would like but we also need to get it done and it will be a document that i'm sure will evolve over time. so a little bit more about the national cyber response --
cyber response plan. in may, anticipating that this ppd would come out, we invited councils to participate in webinars where we started -- essentially started the thinking on this effort. we formally kicked off in june, june 13th, and we have a writing team already composed of individuals, other sme's from territorial governments and other critical infrastructure representatives. by september, we anticipate -- or in september we anticipate publishing a draft for a 30-day public comment period. i would ask that each of you make sure you see that draft and submit comments. in november we -- at the end of november, i will note, we anticipate delivering to our secretary for delivery to the
white house in december. and that's how we are going to make that very tight 180-day time frame. so with that, i'm happy to be here and happy to talk to you about asset response and let me pass the metaphorical price -- microphone. >> i appreciate the opportunity. i want to talk briefly about three things today, first the fbi's role with regard to ppd41, the second thing is cyber response and the third thing is what the private sector can expect from the fbi when we show up on your doorstep. so, the fbi's role in ppd41, you heard from michael how the directive organizes the federal government's response to significant cyber incidents into three distinct lines of effort, threat response, asset response and intelligence support.
i would also deline -- delineate which has the lead. the bottom line is that it doesn't really change what the fbi does or how we do it, it does clarify who is on point in a given scenario and sets out a plan for how different agencies will coordinate moving forward. let's chat a little bit about threat response. threat response activity includes investigative actions related to cyber incidents, identifying opportunities for further investigation and collection activity. the fbi will continue to do its business as an intelligence agency and its activities will also inform the other lines of effort, i think that's really an important point and i want to
reinforce that. what we find will be extremely important and useful to our partners at dhs and -- who do you call if you're a victim of a cyber incident? the ppd directs any federal agency that first becomes aware of a cyber incident to notify other federal agencies to facilitate response. we also say a call to one is a call to all. the fbi encourages companies who have discovered they are the victim of a cyber incident to notify whichever federal entity they feel most comfortable with. it could be the fbi, it could be ice, it could be the secret service or any other federal entity. if a company decides to report a cyber event to the fbi, of course, they can call their
fbi field office, they can call the internet crime complaint center or the ncijtf. approximately 20% of those in the private sector who have suffered computer intrusions have turned to law enforcement. i'm not a map be what that means is 80% are not reporting and simply put, we just have to do a better job and that is not good enough. we collectively will have to get to a place where it is routine for the private and public sector to work together on these matters. we understand that a company's primary concern is to get back to normal but we need to figure out who is behind the attack and, yes, there may be a diversion of interest, the enterprise may think i don't care so much who is behind the attack, i need to get past it, but the long-term interest is finding out who did it and imposing costs on those actors because we want to make sure that companies are not victimized time and time again.
so what is our strategy to change the reporting equation? it's in our response. what can you expect from the fbi? we are constantly talking about why it is in the private sector's interest to tell us what is happening and at the same time prove that we will not hurt you with that information. we will treat a company the way we treat victims of other crimes. the notion is codified in the directive as one of the five guiding principles where it states federal government responders will safeguard details of the incident and private information. what does that mean to you? we will work hard so that you're not revictimized. we cannot promise that none of your information will ever be exposed but we will have constant conversations about what would happen to that information that you provide to us so that you can make the right hífic-base decision.
we will minimize the disruption to you and your employees. we will protect your privacy and we will share as much information as we can as quickly as we can. the first step is to get to know us, develop a relationship with the fbi office, do it now. don't wait until after something bad happens. let me just wrap up real quickly by thanking anne and the chamber for the opportunity to be here and talk to you and represent the fbi. i want to thank everybody on the panel and their teams for their efforts and contributions to ppd41. it's really an important document. it took a lot of hard work and collaboration to produce it. it's got great value not only to the federal government but to the private sector as well. i look forward to answering any of your questions at the
appropriate time. thank you. >> thanks. i will turn to the third line of effort, tonya. >> hi, good afternoon. so let me first begin by giving you a little bit of background on the cyber threat intelligence integration center and how we fit into the broader federal cyber community, which helps inform how we will be fulfilling our role in the event of a significant cyber incident. ctiic is the newest center under the director of national intelligence, or dni. we are focused on national security threats, we are a small center with the discrete mission to build understanding to inform decision-making.
and she noticed that there had been improvements in the policy response to significant cyber threats and incidents in response to an increasing number of breaches and intrusions into private and public networks. michael has referred to the cyber response group which convenes the federal cyber community to share and coordinate information about significant cyber threats and incidents and to coordinate the government's response at the highest levels. but i'm sure michael would be among the first to tell you that integration of information and coordination of that sort should not only be happening at a white house level forum, it needs to be happening at every level of the federal cyber community, at the working level, amongst all different
disciplines and often, and it needs to be happening because we all see value to it, not because someone is directing us to do it. so at the time that miss monaco was making that announcement about the creation of ctiic, we at the government were responding to and realizing the scope and scale of the breach of records in the office of personnel management and in months prior the cyber-attack against sony pictures entertainment, and even as outstanding work was being done by individual departments and agencies in response to those events, there was a growing realization that there was no single government entity that was responsible for producing coordinated across the intelligence community assessments of current cyber threats, of ensuring that information about those threats and incidents was moving rapidly across the government and getting where it needed to be to
inform decision-making and supporting operators and policy makers with the timely intelligence that they need to understand and respond to the latest cyber threats and incidents. so ctiic was created to provide just that role. its specific responsibilities were outlined in the president's memorandum in 2015 which is available online and the center was authorized by congress in december of 2015. so i provide this background on ctiic's purpose because we see our role in the new ppd41, our intelligence support role, as the natural outgrowth of what our day-to-day mission is, which is to integrate the government's understanding of foreign cyber threats to u.s. national interests, to build the picture of what we understand, what our
significant intelligence gaps are, the potential means for addressing those gaps and the purpose of the effort to ensure that we are arming decision-makers with the information they need to decide how to apply all of the tools in the government tool kit to anticipate, mitigate and respond to those threats. i look toward to -- forward to answering your questions, thanks. >> thanks, tonya, i would like to -- we heard from the leads for the three lines of effort, but when we are talking about a significant cyber incident there's going to be the whole of government that responds and as andy was talking about, in order to actually do that effectively, we need the deep expertise that's brought by the sector specific agencies.
they play a major role in incident response. let me turn to jin to talk about their roles from their perspectives. >> thank you very much, michael. a little bit closer. so as a sector-specific agency, we really play a critical role in the government approach in bringing unique expertise for each sector to be able to cut across all of the activities that were described today, we actually contribute and participate in all three of the lines of effort and we are ensuring that our expertise helps ensure that any response is tailored specifically to that sector and that federal decision makers and responders understand the unique characteristics of the sector and how a particular incident may impact the broader sector. we make sure that the federal
response is supportive of the sector's effort and reflects your priorities and needs as you restore operations. we maintain this expertise through day-to-day coordination with the sector, in our case the energy sector, but this is not unique, other ssa's do the same with their own, working with them on matters of security, resilience and response and planning to be able to bring that together in the time of a significant incident. i will stop there to give jan a chance to provide expertise and perspective from your sector. >> thanks, jen. as michael mentioned, treasury is the agency responsible for coordinating the cybersecurity efforts for the financial sector across the u.s. government and we have a four pillar approach to our cybersecurity effort, the first
is really based on adopting and promoting the adoption of best practices and baseline protections among financial institutions, the second is around facilitating timely sharing of information around cyber threats and vulnerabilities and incidents both between and among the government and the private sector. the third is a deterrence function using our sanctions authority to try to deter malicious cyber threats and activity and finally, relevant to this conversation, enhancing reprocedures among financial institutions in the sector. ppd41 was in -- falls squarely and we work closely with our partners on ppd41, really driven by our core mission at treasury which is to promote economic growth and the ppd recognizes
that a significant cyber impact could have broader economic implications and we at treasury are keenly focused on doing whatever we can to prevent any potential cascading of a cyber impact or cyber incident into a broader financial stability impact. fortunately as we were providing input, as michael mentioned, there was a rich data set to draw from, not only some of the actual incidents that michael was talking about but, for example, at treasury for the last several years, we hosted a series of public-private exercises that are focused on cyber-attacks that involve both the government partners that are here in the room as well as a wide range of entities of various
types. they have helped to inform the ppd effort and the input that we have given here and really support the central importance of the ppd which is really clarifying and codifying the processes by which the government coordinates and responds to cyber incidents. as jenne was saying, i would say there are two critical elements to why the sector-specific agency i think is so important, potentially important if it's relevant in this case. one is really, i think, a coordinating function as was described, as appropriate through the cyber response group or unified coordination group, treasury can pull together
contingencies, we have solid relationships with the regulatory community and the government and then obviously private sector institutions and we can play a role in connecting those financial sector institutions both public and private to the rest of government where we also work very closely so there's an important, you know, coordinating function in that regard and as mentioned, there's a knowledge function, i would say, an insight, depth of knowledge about the sector and it's -- and its institutions, so, for example, a sector in this case, treasury could help articulate the specific channels, for example, through which a cyber incident might affect the broader economy or the financial system or help inform how a particular cyber-attack would impact a bank differently than it might an exchange, for example, and
help involve that particular perspective. it's really about bridging the financial stability considerations and the financial consideration community with the technical incident response resources and considerations. that's sort of the unique role that i think the sector specific agency plays in the overall process. now, of course, it's important to maintain the public's confidence and trust in the financial system, we think the ppd is an incredibly significant step in that regard and we look forward to working with many of you in the room here, financial institutions, including, by the way, bridging the ppd and national cyber response plan eventually to the private sector response plan which exists in the financial sector, resident
in the financial services information sharing and analysis center, we call it the all hazards plan, and also bridging with the regulatory community we have in the sector, hopefully we can take the effort forward in that regard. thank you again and thank you to the chamber for hosting. >> thank you. just to close with one thing, we don't often clearly many presidential policy documents are classified and many of them are kept close hold, but because this and how the federal government was organizing itself in the area, we took the unusual step of making this unclassified and public. and that was a very deliberate
policy choice on our part to enable us to have this conversation much more effectively. so that is again one of the goals of why we actually put this policy out, policy out publicly even though it was really designed to instruct the federal government to do something. we wanted to be able to have that transparency. so with that, we can turn it back over to anne. >> thank you, michael, that was very helpful. we have about 45 minutes or so for questions and we did gather some from the audience ahead of time as well. i'm going to take the liberty as the host and just kick off with the first question. something that's very important to the chamber and our members is the cyber information sharing act that was passed, as you know, last year. so i guess the question really focuses on how will the private sector be protected from regulators using the information in the formation of rule-making that we got through -- that we had a lot of protections and
going through the ppd, we didn't really see mention of that. can you address that? >> sure. so, i mean, obviously the ppd has to operate within the statutory framework that -- that exists and all of the statutory protections that could come through information shared through any of those programs would still remain but i think andy can talk to that in more detail. >> sure, i think it's important to distinguish in this case between an incident and an indicator. so an incident, you'll hear another analogy, i told you i'm full of analogies, the incident is, hey, somebody broke into my house. an indicator is, hey, somebody came and knocked on my door and when i answered they said, wrong door, and went away, i thought that was strange. i know they don't live in the neighborhood. that's the description of the person. that's an indicator. be on the lookout. this -- this is a sign of suspicious behavior. you should defend against it.
congress passed legislation this past december, december 2015, giving private sector companies liability protection for sharing indicators, be on the lookout information, with information sharing organizations and also protection if you share with dhs through the automated indicator sharing portal. we then share it with the rest of the government. they are be on the lookout: the e-mail address from which a fishy e-mail is coming, you name it. you do receive liability protection. in our asset response role, when dhs is on site we will likely find indicators that we can push out to private sector companies to further protect them. those could be protected if submitted by the company under
this portal but we also have another statutory regime which is designed to protect you in an incident. so the cybersecurity legislation passed in december is about protecting indicators; since the homeland security act in nearly 2000, dhs has had a regime that protects companies from freedom of information act requests, from disclosure and civil litigation, it means dhs cannot share the information with the regulator, so if we go on site and apply that statutory protection or help you in another way, we apply that statutory protection and whatever you share with us cannot be shared with the regulator. now i want to be clear, it's not a safe harbor, if you have to tell your regulator about an incident, the fact that you told dhs does not mean that you do not have to tell your regulator. we cannot share it with that regulator.
>> thank you. questions, comments from the room? there's two microphones in the back of the room for those who are not at the table with the mics, i will have plenty here if no one has one at the moment. >> she asks tough questions, so please, somebody. >> i've got a list. [laughter] >> okay, this next one gets more specific about the scheme that you passed out. >> so the short answer to that is no. you know, i think the scheme is really -- you know, it's not connected to a regulatory regime or anything along those lines. it's really to help us do a couple of things. one is actually to have some
degree of internal consistency about how we were thinking about cyber incidents, particularly to andy and for us to be able to look at it from a holistic standpoint and say, wait a minute, everyone is rating this. we sure don't seem to be acting like it. is this really right or, wait a minute, everybody is running with their head on fire but we rated this a one. making sure that the responses are actually calibrated correctly, so that we get to a common understanding of the picture so we don't have and educationy operating so it's not common across government. so i really think it's -- the
reason we made this scheme public is we wanted, in the interest of transparency, for people to understand how we were thinking about what constituted something that was a significant cyber incident. there's still a great deal of the art of judgment in this and i don't think that we can reduce this to a quantitative algorithm. none have been the same. maybe successors will be able to say, we have dealt with this incident before, but we have not found ourselves in that position with any of our significant cyber incidents, they've all been highly different. >> thank you. >> another thing that as we talk to our folks around the country, the people today in this room, i think, you know a lot of participate in, you know, the financial sectors here. we have great representative
people who live and breathe security, c-span is covering this and so folks watching this, this is new to them. we are trying to socialize the cyber framework. how can we explain this to them if they're not a critical infrastructure? does this ppd affect them? does this mean anything to them? does this have to change behaviors and reporting in most basic terms for folks out there? >> so -- and i will get perspective from my other colleagues, but i think the answer is the ppd on a significant scale is agnostic as to -- well, not agnostic, it's not right. it does not wholly depend on whether you're an infrastructure company. the -- i think that the -- that is a factor in how we consider the consequences because if you
look at the scheme it's about consequences, it's about the impact on national security, the impact on foreign policy, the impact on public health and safety, now it's easier to draw those connections when you're talking about something that's critical infrastructure. on the other hand, it is entirely possible to have a significant cyber incident occur in an entity that is not critical infrastructure. so i think that is -- that's entirely possible to happen. i think as david said, i think we are -- we want to encourage more companies, more entities, more organizations to come forward when they feel like they've had -- if they've had a significant cyber incident because that's the only way that we can -- that's the only way that we can help and the only way that we can actually gain a greater understanding of what's actually happening to us. i don't know if any of the other folks -- >> maybe, if i could just add that in the financial services
sector because of the high degree of interconnectedness in the financial sector, defining what a critical institution is, is sometimes not -- the most straightforward thing because a small institution that could be interconnected into the broader network could actually pose some risks to the broader system because of those interconnections, what we would hope is that the ppd encourages all institutions to really take a hard look at their incident response policy and put -- what we had talked about, putting a playbook in place, and the ppd provides a framework or guide post to do that. of course, that playbook should be proportional to the risk that that institution not only faces itself but the risks that the institution poses to the system as a whole. and it's important that it would be proportional.
this is not like a one-size-fits-all type of thing. but it's important that hopefully what we've done here is encourage all kinds -- all types of institutions in the financial sector at least to take response very seriously. >> and i would jump in to add, first, don't worry about whether you're critical infrastructure, i have found that to be entirely not -- certainly not a fun conversation and it's not helpful. you as the company should worry about protecting yourselves against cyber threats, let us worry about whether we define you as critical infrastructure. second, build the relationships now and this is a point dj made, with both the local and federal law enforcement agencies that you'll want to have if you do have a cyber incident.
one of the points of the ppd, i don't care which agency you build the relationship with, build a relationship. let us coordinate ourselves on the back end but build your relationship now. i would argue from an asset response perspective, you know, have a response plan, sign up to get alerts from the federal government. you can get some at the dhs page, the fbi has alerts so you find out broadly what's going on and if you have an incident, please call. that's all you really need. we have more things to be secured in the background but around the incident, have a plan, build relationships in advance and call if you have a problem. >> and if i could just jump in quickly not to be left out but speaking from the perspective that you raised of maybe the c-span viewer, i think it's important to know and follow on what michael said about the effort made to make this ppd
unclassified and available to the public, which is that while we within the federal government and within the intelligence community do deal with very sophisticated cyber adversaries, the reality is they don't often need to use incredibly sophisticated means in order to be able to access and intrude upon networks and those may be networks of individuals who work in an entity that they are trying to target or may be networks of the entity or organization itself. so to the extent that this ppd helps raise awareness more broadly about the types of activity we all face when we use connected networks and to raise awareness of basic cyber hygiene that can be employed in order to prevent these types of intrusions. i won't even approach andy's facilities but i think it's fbi
director comey, if someone were trying to intrude on your house and you don't recognize them you wouldn't open the door and yet we are so quick to click on an e-mail. so general awareness, i think, will be a useful by-product of this. >> thanks, tonya, just as a reminder if you're going to ask a question, please identify yourself. >> first of all, thank you to each of you not just for being here today but for your service. so i think it's great that the ppd was issued and a significant effort for the government to work to get better organized on these types of things. i would like to raise three points in the form of a question and request perhaps. some of the people in the room here today including me were involved in the original effort to develop a national cyber
incident response plan in 2008 and 2009 and one of the -- lack of operational playbooks that would deal with different levels of escalation should we have an event that had national consequence. the first question is -- what is our thinking right now about the follow-up, the short time to develop the update that we are trying to get out by the end of the year, i think it's going to be important for us to follow that up with the actual operational playbooks that talk about the integration at various levels of escalation. that's one. the second is one of the challenges we've had for a long time and i don't see addressed yet and hopefully you will share thinking about that and if not, let us know how we can work together to do that but often times confusing to the private
sector, many times if an event happens, a fiscal event, many times asking the very same question and sometimes in different parts of an organization. so it creates a lot of confusion and inefficiency. so how will we try and address the issues of how the various government agencies fit together, so as an example the nic, the nrcc, the various groups, the crg and all of that, how will that be coordinated with the private sector piece, not just in the interagency but the owner-operator community? how would we get coordination around that? and the third piece as a follow-up, it's also important for us to continue to work together collaboratively on detection, prevention and mitigation. so what is our thinking about taking that effort to the next
level and hopefully reduce the need for response and recovery. and again, thank you all for being here. >> thanks, bob, thanks for those questions. i'm going to take sort of the last two and i'm going to kick the first one over to andy. and also let other folks chime in. i will go in reverse order. i think one is that as we think about -- andy talked about aif. i think that globally we are trying to build a much better picture. think of it -- andy's colleagues at dhs often talk about the weather map concept for cyberspace. how is it that we do what we have done for weather in cyberspace, how is it that we integrate across what you see, what we see, what our partners globally see to build a common
7:43 am
picture of what might -- what is happening now, and therefore allow some prediction about what might happen in the future, that will allow us to get ahead of the bad guys to some degree? And so that is an important part of it. Another part of it is the work that we've been trying to do to raise the level of cybersecurity in our critical infrastructure, focusing on those sectors: how is it that we create the right incentive structure for companies to invest in their cybersecurity in a risk-based way? That's what the framework is all about. And then there's a lot of the stuff -- and you heard Andy talk about this -- where we are putting in place the tools and the toolbox, building a bigger toolbox first of all, and then stocking it with additional tools to
7:44 am
enable us to disrupt the bad guys in a much more tailored, effective way across the board. The truth is, most of the time you're not going to see that. Occasionally that will be public diplomatic actions, occasionally we will do attributions, but a lot of times that's going to happen behind the scenes, or it may result in law enforcement action, an indictment; it might result in sanctions; it might result in technical operations that, if we do them right, no one will ever see, and intentionally so. So we are enabling the government and policymakers to have a broad set of tools to tailor to the incident and to the adversaries, so that we do a better job of countering what they are trying to do in cyberspace, whether you're talking about cyber criminals, activists, or nation-states,
7:45 am
in how we deal with those. I think the place -- I'll turn it over to some of the other folks to talk about. But you're obviously right, and that has been an issue in terms of how we actually interact with the private sector. That is one of the reasons why we are trying to -- that is a key way that we are going to try to organize the government's interactions with the private sector, so that we have the cross-visibility that says, all right, who is going out to talk to the victim and how are they going to do it? Wait, maybe we don't want all 16 showing up at once. And also the UCG concept enables us to bring the private sector into some of those conversations. We can't do that all of the time and in every circumstance, but certainly the intention is to be able to incorporate them into that. Let me ask
7:46 am
Andy and DJ to answer that. >> You want to go first? >> Sure, thanks, Andy, thanks, Michael. In my previous life I was a special agent in charge out in San Francisco, and I heard that all the time in the Valley, Bob. Companies in the Valley were getting pinged on a consistent basis by federal agencies, and it was very frustrating for them. So what we internally decided to do in the FBI is we stood up an Office of Private Sector to try and wrap our hands around the issue internally first, before we looked at it from a government approach. We are looking at how the FBI is approaching companies and trying to reduce the duplication of contacts with them. We stood that office up at FBI
7:47 am
headquarters, and then in the field office, just as a pilot, one of the things we are trying to do, or what we have done, is stand up a private sector engagement squad. So all of the contacts -- I shouldn't say all, most of the contacts with the private sector are being coordinated from that one particular squad, and we've seen over time a reduction in terms of the redundancy of contact by the FBI out in the Valley. So that's a good thing. There's plenty of work, more work to be done, not only internally within the FBI but within the federal government as well. As Michael mentioned, the UCG is another step in that direction to try and come up with a better solution to alleviate your pain. Andy. >> And I will just highlight that one of the benefits of the UCG is to, you know, designate
7:48 am
internally who is going to be talking to the affected entity and share that information with the other government agencies, so it serves as the source for the government to collect requests for information, rather than everything trying to hit the affected entity at once. You also asked about a follow-up on playbooks. One of the -- one of the consequences of the short time frame to complete the NCRP is that there'll be work that we have to push off for follow-up. That's good and that's bad. That's good because we will bring something to a conclusion, put a bow on it and be done; it's bad because obviously the work won't be complete. I don't know yet whether we have a plan specifically to produce operational playbooks. I think that makes sense. I know that you are involved in these conversations, so let's absolutely talk about that. That appeals to me. >> Great. >> I would add one other thing
7:49 am
under mitigate. Outside of the response space, my organization is dedicated to helping you run more secure companies and organizations, and we have four lines of effort by which we do that. We help organizations adopt best practices, and we focus on the Cybersecurity Framework. We share information: you heard about the Automated Indicator Sharing program today, and we have other ways of sharing information, including the US-CERT web page where you can sign up for alerts. We do response; we talked about that at length here. And we work to improve the security of the entire ecosystem, and that's through things like university education programs, efforts to help companies develop software more securely, and working with the insurance industry to help it understand cyber risks for its insureds
7:50 am
and do work on best practices there. If any company is interested, please come up to me afterwards; if you're on C-SPAN, go to dhs.gov. >> So even apart from the PPD that we are talking about, CTIIC was purposely scoped not to have a liaison role to the private sector or to state and local law enforcement, and that's because my colleagues here at this table already have very well-defined roles and relationships with those partners, and it would be a poor use of resources and would only add confusion to have CTIIC jump into those lanes as well. What we do have is a responsibility, called out in the President's memo, to support the
7:51 am
other cyber centers and agencies here that do have those relationships, and provide them the intelligence that they need, and then to help them, whether it's downgrading or declassifying information that they could then share with their partners. >> Just before you jump to that, speaking from an agency that works closely with a subset of private industry, we have three dimensions of our work that get at the questions and concerns that you raised, Bob. One is partnering directly and closely with industry. This is to work on playbooks, both as industry organizes itself and as we as a government do, and where we find ways to connect those two and bridge them together. It's also about communication, and not just about the federal government communicating with state and local entities as well as the private sector, and public-private information sharing, but it's also about public messaging in a significant incident, and
7:52 am
what needs to get out and how do we get that out as soon as possible, and get the right information out both to help restore operations but also to restore confidence. The Department of Energy has 17 labs. These are not just for the sector but for all private industry and government, and we support work there, both in partnership with the private sector and academia, to be able to provide capabilities to respond to an incident, to reduce the likelihood of incidents, as well as to reduce the impact when incidents do occur in infrastructure. And the third piece, of course, is exercising our plans, making sure that the playbook, the work that we put together, actually would work in various scenarios,
7:53 am
and that we can reduce issues like multiple lines of communication coming through, and how we make that as efficient as possible through practice. >> Thanks, Jenn. >> Thank you all for being here today. I know we've had this conversation before, but I'm curious as to your perspectives, and that is: it's probably a major effort to create the interagency landscape coordination, but one of the issues and concerns for our industry, and I think it's the case for a lot of other sectors that are regulated at both the federal and state level, is the level of coordination that will exist with state entities. So if we look at a state, for example, you could have the governor's office, you could have the homeland security adviser, the emergency management adviser, the public service commission, on and on
7:54 am
and on, state CIOs. As you add more states and more entities, from an incident response perspective it can become overwhelming and highly problematic. The question I would ask is, have you given thought to how to engage governors, or some people at the state level, so that there's a model or similarities across the states in a single point of contact that affected entities can work with when dealing with a major cyber response? Thank you. >> So, Robert, I think that's a really great question and observation both. We have worked with states on that, and they do have a single designated cyber entity. It is not the same position in different states. But I do think there's more work to be done. And frankly, I think that's work that we can take to a certain level, but ultimately, you know,
7:55 am
states are going to make their own decisions, and you may have observed that states do not always want the federal government's advice. I don't understand; I love my advice. I also encourage you to reach out directly to the states and pass on that feedback, because they need to hear it. They ultimately want to be responsive to you, and they want to hear from you that that's a -- that that's something you want. >> And just to add, Robert, I think the Chamber can help in that regard as well. There's a group called the Homeland Security Consortium. I know that group is following the development of the PPD and has sent it out to members, which include homeland security advisers, public health as well, but I think your point is well taken and we will bring that back. Thank you.
7:56 am
Other questions, comments? Yes. >> My question is on the defense side, where there are cyber incident reporting requirements. I know from the industry point of view it's really not clear what happens, who is responsible, once the report is made, and there's a group of us in industry trying to work with DoD to make a better process. I just want a point of view: when an incident is reported, is there sharing across the agencies, or does it depend on the severity of the incident? >> Yeah, I think the -- I think some of that is still a work in progress, but I think one of the -- one of the commitments that we have made, and one of the realizations we have had going through this process of getting this policy out of the door, is that
7:57 am
getting our machinery right, getting our back-end machinery right, should be our problem and not yours. We should figure out how to navigate the federal bureaucracy. That shouldn't be your problem, right, to figure out how to plug in the right way. What you heard DJ mention is that one of the commitments made in this policy is that we are going to be sharing the threat information that comes in; we are going to be making sure that no matter where you plug in to the federal government, if it's a significant cyber incident, we are going to be responding with the right pieces of the federal government that need to respond. In the case of a DIB company, that's going to inevitably involve the State Department because of the lead for that, but we are going to bring the right pieces to bear on a coordinated basis, and I think that's the commitment that we are -- that
7:58 am
we are making, to get our own house more effectively in order. I think a lot of it is going to be very dependent on the particular circumstances and sort of how a particular incident fits into the broader scheme of things. The other thing that I want to emphasize is that our scheme does not -- any group by themselves may not be significant. For example, just to take the defense industrial base for a second, you know, if -- if we actually started seeing, and you started reporting to us, all of you simultaneously reporting a similar intrusion, that might tell us that something big is going on and the response needs
7:59 am
to be more than DC3 could manage, and that it requires much more engagement of all the folks here to make sure that we are not actually missing something that's, in fact, much bigger. And so it's that kind of context that is really important, and that we are committing to doing on the back end. >> Yes, Mike. >> Thanks, Anne. Good afternoon, and thank you to all of you for all your hard work. I just wanted to amplify some of the comments that were made, from maybe a practical perspective here. We are a critical infrastructure company. We've been involved working with just about everybody at the table for the last several years, and we appreciate those relationships, and I think, to the point Andy was making earlier about building relationships earlier and better, communicating
8:00 am
is extremely important. We see PPD-41 as another step in the right direction. One of the things that we talk about at a company of a size like ours is, you know, we have the capacity to communicate and the relationships to get things where they need to be, and we have been in a good position over the last several years as a result of that. But we continue to want to emphasize that the small and medium-size businesses, the suppliers that we work with along the way who might be listening today, really need to join in this effort, because they tend to be the areas that need the help. I know we work closely with our suppliers and talk to them, but that type of communication relationship is just as important.
8:01 am
You know, we've been involved in the cybersecurity information sharing collaboration program. That's helped us. We have been involved in the development with oil and gas, working with our association API, and in working with the cyber leadership team here at the Chamber of Commerce. Long story short, people need to get engaged, communicate, and take advantage of these programs.
8:02 am
I would actually argue, again, that a lot of this policy grew out of our experiences with the significant incidents that we have experienced over the last four years particularly. One of the things that is true is that cyber doesn't really respect boundaries very well, and the other thing that's true on the federal side is that no one agency has all of the expertise we need to bring to bear. So we
8:03 am
actually very deliberately made the choice that we could not simply say one particular agency was in charge of cyber incident response; that we needed the capacity and capability across all the different agencies in those lines of effort. So that's why we divided the work very carefully into the lines of effort and put a lead coordinating agency in charge of each of those lines of effort, but we didn't try to merge all the lines of effort into one place. Now, I am also the first one -- some members of my staff are here, and they know that one of my frequent sayings is that no plan ever survives first contact with the enemy. And so I am very well aware that we will almost undoubtedly discover that we did not get some things entirely right in how we did the lay-down. That's why we created specifically the ability, for
8:04 am
example, to update the UCG CONOPS. That is why there are built-in timelines for updating some of the policies and procedures that will flow from this PPD. I believe that we have created a framework that will stand the test of time, but the underlying CONOPS and other documents underneath it, those will have to be updated as we learn things. As I mentioned earlier, none of the incidents that we've dealt with, that ended up being treated as significant cyber incidents, have been exactly the same. If you would have told me when I was interviewing for this job that I would eventually have to brief the President on a foreign nation-state attacking a U.S. entertainment company because of a comedy, I would have told you you were crazy, but that is exactly what I had to do because
8:05 am
the circumstances demanded it. So I think that we have tried to accommodate as broad a concept as we can within the PPD structure, and I think it is a very flexible structure that will enable us to adjust to whatever the demands are of the particular incident we're dealing with. But I am sure that the bad guys will test our levels of creativity, because that is just kind of the nature of cyberspace, and I think that we will try to learn, and continue learning, from both the significant and not-significant incidents that we face and incorporate those lessons learned, just like we do in the physical world with natural disasters, and just like we do with our counterterrorism response. >> We have time for a couple
8:06 am
more questions if there are any. Yes, go ahead. >> Thank you for the opportunity. The FMBOA. When China's President Xi Jinping made a visit in September, he promised President Obama that China will crack down on criminal activities in cyberspace. I wonder if you could give us an update on where things are, because we've seen conflicting reports. Is there a reduction of intrusions from China since then? I understand that the United States and China are cooperating in this field, as well as a cybersecurity working group. What kind of things are the two countries cooperating on? And I also wonder whether the tensions in the South China Sea between the two countries have
8:07 am
had some impact on this kind of cooperation. >> So, so, thanks. There is no question that the relationship we have with China is one of the most important. You have heard the President say that. It is also one of the most complex that we have with any other country, and there are plenty of areas of tension and disagreement. There are also areas where we cooperate. And all of that is within a very large, you know, geopolitical context that you, that you can never escape. But we did reach some historic commitments last September between the U.S. and China, and we have been focused very much on implementing those commitments. I believe that we have seen some
8:08 am
shift in behavior, but that is something that we, and other folks besides me, have talked about in public, and I think it is something we're continuing to track and pay very close attention to. I'm sure this is an issue that will continue to need to be addressed in the bilateral relationship going forward. I'm sure it will come up when the President meets with President Xi this fall. We're trying to work on areas where we can cooperate, particularly in the law enforcement domain and in CERT-to-CERT cooperation. We've made some progress on that. We have agreed, as the commitments called for, on moving forward with how to establish communication channels to head off potentially
8:09 am
escalatory tensions between our two countries if that were to occur. We agreed to continue the high-level dialogue between DHS and DOJ and the Ministry of Public Security within China. The next meeting will probably be in September. That is the target we're shooting for, here in Washington, D.C. So we're continuing to try to build that level of cooperation. >> Can I have a very quick follow-up? You mentioned a shift in behavior. Can you be a little bit more specific about that? What kind of shift? >> Unfortunately that is something I cannot really be specific about. This is an area we continue to pay close attention to; fully implementing the commitments is really important. >> Thank you. Okay, I think we had, that was a terrific briefing; we appreciate that.
8:10 am
As Michael said, many if not most of the presidential policy directives are -- 41 is not. I know you and your team and everyone at the table here put a lot of time and effort into this directive, and we appreciate that. I want to add, on behalf of the U.S. Chamber and our members, that we appreciate the partnership we've had over the past eight years with you all. It has really been tremendous, particularly in cybersecurity. Thank you for that and for your leadership as well, Michael. We appreciate that. So I also want to say that we are having a cybersecurity summit, our annual summit, here at the Chamber on September 2th. We'll have a reception, and the 2th will be a full-day event. Many people you heard from will be there, as well as luminaries such as General Hayden, Mike Rogers, et cetera. We hope you join us for that. More to come if you're interested in learning where and what the U.S. Chamber of Commerce is doing next on
8:11 am
cybersecurity advocacy.com. Thank you all for being here. We appreciate it. >> Thank you very much. >> Marine Corps Commandant Robert Neller speaks about maritime security and strategy at the Center for Strategic and International Studies. That is live at 10:00 a.m. Eastern on C-SPAN. At the same time on C-SPAN2, a look at health insurance costs for employers, based on a recent survey conducted by the National Business Group on Health.
8:12 am
The C-SPAN Radio app makes it easy to continue to follow the 2016 election wherever you are. Free to download from the Apple App Store and Google Play. Get audio coverage and up-to-the-minute schedule information for C-SPAN radio and television, popular public affairs, book and history programs. Stay up to date on all the C-SPAN coverage. The C-SPAN Radio app means you will always have C-SPAN on the go. >> Experts in the global fight against AIDS talk about the outcome of this summer's International AIDS Conference in South Africa. The topics include the latest advances in HIV/AIDS research, new vaccines, and funding challenges. From the Center for Strategic and International Studies, this is just under two hours. >> Good afternoon. Welcome to the Center for Strategic and International Studies.
Collection: CSPAN2. Uploaded by TV Archive.