tv   [untitled]    February 22, 2012 11:00am-11:30am EST

11:00 am
i'm not going to get into the weeds. these are important to any bill that has to present a good start in dealing with this problem, and there's other good things like research and things, but i think the three core elements are these. first, there has to be information sharing. second, there has to be liability protection and liability-based incentives to drive information sharing. third, and i think probably the controversial piece, or the most controversial, there does have to be some standard setting and proof of meeting those standards for critical infrastructure. let me tell you briefly why these are three fundamental pillars. first, the way you learn about problems in cyberspace is by getting experience in what those problems are. if everybody fights alone, everybody is at their weakest. when you're dealing with network threats, the ability to observe
11:01 am
them, analyze them, and disseminate the information is critical to avoiding replication of the threat elsewhere. basically the more you see and the more you know, the better you are in defending yourself. that's why if we are isolated in our response to threats, if we stovepipe ourselves, we are simply giving the adversary the ability to repeat the same technique over and over again in the next stovepipe. information sharing is foundational. here i would agree you have to create incentives. many companies understand there's value in sharing, but they're concerned about loss of competitive advantage, they wonder what they get in return and they're concerned they're creating liability. therefore, that comes to my second point. you have to use the rules of incentives, both liability protection, liability imposition, and protection of data to drive towards information
11:02 am
sharing. i think there's interesting approaches taken in the various bills about information exchanges. i think what is critical is information has to be confidential, and it has to be anonymized to a certain degree. it has to be shared in a way that doesn't create a competitive disadvantage. i think there's got to be liability protection and incentive for those who do share, and frankly for those who don't share, there's some kind of liability disincentive. that gets me to my last piece. you have the information. now what do you do to build a structure of defense? here i'm talking mostly about the private sector. the government is going to do what it's required to do by law and by executive order. i know this is the area where i've seen the greatest push back. we don't want more regulation. the market can take place -- can take care of itself. we need innovation. i agree that innovation and the
11:03 am
market are important tools, but i will tell you it's my belief that in this area the market will fail to do an adequate job. here's the reason why. if i own an enterprise and it's worth $1 million, i'm not going to spend $10 million to secure it. if that million dollar enterprise fails and the collateral consequences are a billion dollars in loss, then i've got a cost of failure that far exceeds the value of the enterprise and far exceeds what i'll invest to protect it. so as long as we have interdependency, as long as we rely on critical infrastructure and people getting to the business of critical infrastructure, we do need to make sure, first of all, that there are adequate incentives for them to invest appropriately. secondly, that there's a level playing field, that the people who are lazy or want to underinvest can't hide in the weeds hoping to get by with those who do invest. third, we've got to construct a system that incentivizes
11:04 am
appropriate standards without being micromanagement or overly intrusive or overbearing or costly. that's why i think the approach taken is modelled on what dhs did in the chemical industry of saying, here's some general standards and general requirements. if you meet them and you can show you meet them, god bless you. have a nice life. keep it up. if you don't, then you need to raise your game, and, again, flexibility, innovation, all kinds of different ways to skin the cat, but in the end you do have to show you've achieved the result. i think that balances between harnessing the energy of american innovation but making sure we're not underinvesting. the last thing i would say is this before i conclude on the issue of standard setting. the irony is that when i talk to people in business who are opposed to any kind of standard setting, i often think they
11:05 am
don't realize how much it is in their interest to have standards set. without standards being set, you will get standards but they will not be thoughtful and debated and considered in regulation. it will be plaintiffs' attorneys going in front of juries and they will set the standards. having spent a lot of years in a courtroom, businesspeople will not like the way the standards are set any more than a whole host of tort industries now. i would argue intelligent, standard-based regulation with ample room for innovation and credit for what you've done in the long run will serve business interests as much as it serves the national security. >> mr. secretary, thank you. admiral, i think you put an awful lot on the table, and i know the bills touch to one extent or another both
11:06 am
philosophically as well as very specifically some of these issues. i've been of the school of thought mitigate before you litigate. there are areas where markets will not be enough to ensure that we get to that point. what i'd be curious is how some of these bills address these issues, so maybe three to five minutes on some of the substance of the bills and specifically looking to sort of that business case as to what's going in. what are the key components in that? what are the enablers to incentivize or disincentivize information sharing and sort of go from there into a conversation? tommy, you've been driving a lot of this. if you want to give us and the audience a sense of where things stand right now in the current bill, the cyber security bill, and where you see things going. >> sure. i'd be happy to do that.
11:07 am
i want to talk about where the market is inadequate and pick up from where secretary chertoff left off. first, brief background. senator reid is working with chairs of six or seven or eight, depending on the day, committees to bring together a range of different proposals on cyber security legislation. i actually really liked the sort of goldilocks analogy, because it's sort of the supreme compliment for legislation when half think it's too much and half too little, because it's compromise. i also think that as admiral mcconnell was suggesting there's three poles to navigate. a security pole with regard to
11:08 am
civil concerns and civil liberties and privacy concerns. trying to find a balance that, you know, carefully takes into consideration each concern has been really tricky and has been really delicate. it's taken us three years to do. we've worked to pull in a number of different elements into the bill that include critical infrastructure, regulation, or performance standards and information sharing and research and development but also that include privacy protections and that include addressing all the issues with the business community clearly in mind as we do so and trying to calibrate each thing we do so all three poles are in balance. i think the -- as has been noted, one of those issues that has been most controversial is the critical infrastructure regulatory framework, which provides dhs the authority to on
11:09 am
a targeted basis set performance standards for critical infrastructure that meet a certain threshold, which means these control networks critical to national security because their disruption will cause a huge loss of life or a systemic economic disruption or will damage national security capabilities of the united states. the concept of letting the market drive security is really important, because that's one of the ongoing conversations we had with the business community. i think that, you know, for a lot of people involved with the bill, where the market is able to drive security and drive innovation, that's what we want to see, and that's absolutely right. i don't know anybody who wants to legislate to get in the way of that. there are areas within the critical infrastructure sectors we're looking at where the market is unable to drive
11:10 am
security and innovation. here i wanted to pick up a little bit on what secretary chertoff has said, because i think there's a few reasons for that that are important to understand. one is when you're looking at private sector innovation towards security, when there's competition in place, there's a real incentive to innovate towards security. for me when i go home and make a decision where to get my internet service, i don't have to use comcast. i can use verizon or other sorts of -- other different providers. so, you know, when i look at comcast and they provide, you know, some extra security with my service and i know that my service, therefore, is going to be more reliable, i may go with them, or i may go with verizon if they are able to demonstrate their reliability over their competitors. there's a built-in incentive to innovate towards ensuring that reliability for their customers and that leads to better
11:11 am
security. in places like the electricity sector, i don't have a choice. i buy my electricity from pepco, and that's the only option. they lack the competitive incentive to innovate towards security. that's an area where the market doesn't have the same sort of incentives for pushing security. you know, that is the case with a lot of the different critical infrastructure we're looking at. the electricity sector, nuclear facilities and the transportation sector and things like that. the second area that is also very important to understand is that, you know, there's a range of different threats we face, and you can chart them out. there are incidents and attacks that are high probability and relatively low consequence, and the consequence of the risk goes up. it's at that far end of the chart where you have the low
11:12 am
probability but high consequence attacks. those are the ones that are really important to our national security. it's a pretty low probability at this point that a sophisticated actor will enter into a nuclear facility's system and take control of it and cause a nuclear meltdown. we've not seen that happen. it's certainly possible, but it's not a high probability attack. however, if it happens, it's a major event for national security. that's the kind of issue we're concerned with here and it's one where the market, because there's low probability, there's not much of an incentive to invest. there's the high probability penetrations on a daily basis which require fewer resources, but the notion of putting in, as secretary chertoff was talking about, putting in a huge amount of resources for events unlikely to happen doesn't make as much business sense. so the market fails to incentivize and drive towards
11:13 am
security. there was an article yesterday -- couple of articles yesterday talking about how the nsa is now warning within a couple of years the group anonymous will have the capability to take down significant portions of the power grid. that is something -- frankly, i was surprised that they assessed it would take a couple years, because i would have assumed it's something they were moving towards more quickly. the article was interesting to me because down towards the end of the article it was talking about how the electricity sector made some investments in cyber security but has not put in place all the safeguards necessary to prevent against someone taking down the power grid because there's not a match-up between capability and intent. there are actors out there, iran, north korea, that have the intent but don't have the capability. then there are actors out there that have the capability, russia, and china, but people
11:14 am
don't believe they have the intent. this to me is -- we can go back to the cold war metaphor. right now i think russia has however many thousands of nuclear warheads pointed at the united states. it's negligent for us as a government and a defense architecture to not defend ourselves against the possibility of that threat. it's the same thing in cyber, except arguably worse where you have a bunch of cyber weapons pointed at us, but i think most security experts could assess that there are already cyber tools that are put into our networks by our adversaries and are waiting for the switch to be flipped for an attack to be carried out. it would be negligent to address those threats, and to do so the government has to work with critical infrastructure to ensure they achieve a certain level of security. that's what our bill tries to
11:15 am
do, and that's why we believe that filling in where the market doesn't work is so important. >> let me say one thing i want to underscore before jumping into questions. nick and jeff, i'd love to hear your views before we go to the bills on the house side that are very information-sharing focused. one of the things i'm not sure people fully realize is the last statement. the flip of the switch from computer exploit to attack is merely one of intent. if you demonstrate a capability to exploit, if your intent is to attack, either independent or in concert with other means. i think that's worth underscoring. when we hear we haven't seen these attacks, we have seen the exploit capability that could be turned into an attack, unless anyone disagrees on that. nick, jeff, quickly on some of the other components on the
11:16 am
senate bill? >> first off, i would echo what tommy said that probably one of the controversial elements of the bill we deal with is infrastructure. there are a lot of things in the bill where there's broad agreement, information sharing is one of those that everybody agrees we need to address. senator collins has been working on this issue for years now. we're very fortunate in that senator collins and senator lieberman have the kind of working relationship where they've been teamed up to address this problem for a couple of congresses now. they introduced a bill in the last congress that was reported by the homeland security committee and reintroduced the bill with additional protections at the beginning of this congress. just last week they introduced a bill along with chairman rockefeller and feinstein that we hope is the basis for the
11:17 am
senate debate on this issue. if there are three things driving us on this, the first is to try to prioritize the greatest risk. that's why we're focusing on critical infrastructure, and not on critical infrastructure broadly but those systems and assets within the infrastructure that if damaged could cause truly catastrophic harm. we're trying to focus on the highest risk. we're trying to take full advantage of existing structures and relationships. we're trying to take advantage of regimes where they currently serve a purpose. we're trying to take advantage of best practices that currently exist. we're trying to take advantage of the relationships between homeland security and various critical infrastructure elements. we're trying to take advantage of the expertise, where it resides. so we're trying to leverage the expertise of the nsa rather than re-creating it.
11:18 am
we're trying to leverage the expertise of the private sector by making sure that when best practices and performance requirements are developed, they are first identified by the private sector and put forward by the private sector, in that it's only through a process and collaboration with the private sector that we sort of identify the best practices that really should be the standards for its most critical infrastructure. those are the things we're trying to do through legislation. sometimes it's hard to get legislation perfect. there is consensus on the need to act, and our hope is that action will occur soon and will address the sort of areas of highest risk. >> thanks, nick. >> nick did a great job of describing some of the points of our bill, and i'll just add to that briefly. i think secretary chertoff
11:19 am
described the bill quite well when he talked about some of the flexibilities in the chemical facility regulation. we're focusing on the most critical, and the way we define it are those that if disrupted or damaged could lead to mass casualties, mass evacuations, catastrophic economic damage, and a severe degradation of national security. so you are waived out if you can demonstrate you're secure. additionally, there's a provision that gives the president authority to exempt a sector or portion of a sector if there are already regulatory controls in place that require a sufficient amount of security. then as nick said we want to give the owners and operators the flexibility to meet any performance requirements however they think is best.
11:20 am
they know their systems best, and we don't want to be in the process of telling them how to go about doing that. i will add quickly on the information sharing, and there are obviously some other proposals out there and we think they're very serious efforts at trying to address some of the problems out there. but the information sharing provisions in our bill take down some of the legal barriers that hinder the sharing of cyber security threat information between the government and the private sector and within the private sector. we also try to incentivize that by providing some liability protections that are narrowly focused on that sharing of cyber security threat indicators. that's one of the -- i'll highlight last the cyber security threat indicator concept in our bill, which we basically permit private entities to share with each other and with these cyber security exchanges, and they are basically
11:21 am
kind of defined by two prongs. the first is that a cyber security threat indicator indicates an attribute of a malicious attack. that's kind of spelled out in the bill a little more. the second prong is there have to be reasonable efforts undertaken to scrub it of personally identifiable information. so i think what we're talking about is a narrow slice that would help companies and the government know the risks out there. that's to prevent them. with that, i will turn it over. >> i understand that they have a bill that has passed through committee very heavily focused on some of the issues we addressed here in terms of information sharing providing the incentives, maybe some disincentives to not share information. can you give us a quick snapshot in terms of the status and some
11:22 am
of the meat around the bones in terms of the bill itself. >> it's good to be back. great to be here today. over on the house side speaker boehner asked if there could be a task force to lay out a broad framework of policy objectives for the house. each individual committee chairman is supposed to work within their jurisdictions to achieve what's in the jurisdiction inside that framework. so chairman rogers asked us to take a look at what the intelligence community could do to contribute to solving this problem. this is not a complete solution to the problem, but i think it can make an important contribution, and early on in our examination of the issue, we came across the pilot as a model that harnesses the unique value added, and we kind of talked about that information they gather overseas about advanced foreign threats and provides it to the private sector. it's a very narrow pilot, but we
11:23 am
think it scales very well. we based our bill on that structure. we provide positive authorities for the intelligence community to provide classified information to competent entities in the private sector. as everyone else discussed, we knocked down the barriers to information sharing. as they were proceeding to do the pilot, they found the information going outbound to the companies was going well. not a lot of information of value was going back. companies have a lot of disincentives both real and imagined, but they become real when they don't share information. we talked to about 130 folks or probably more than that, actually, out in the private sector and talked about the issues that stopped them from information sharing, and then we tried to knock all those barriers down in that process. i think what's great about the pilot model, if you scale it up to the economy, is that it's harnessing private sector drive and information to dissolve some of
11:24 am
our more serious problems. this is going after the advanced cyber threat like china. they're out there stealing our intellectual property every day. chairman rogers has talked about this historic transfer of wealth between the united states and china right now. folks are -- chinese hackers are getting into our companies and stealing our ip, the research and development that the u.s. government depends on to create jobs and drive innovation in the market, the chinese are stealing that wholesale. we believe that the private sector is doing great stuff out there. they just need some help. they're paying for that great work that goes on at places like nsa to collect that sensitive data. they should get the benefit of that data in defending their networks. you know, i think as you've heard there's a good consensus that this is a good model for going forward. there's some important disagreements in the details about how to get it done. it's encouraging there's so much
11:25 am
thinking between the house and senate on the aisle about this problem. our bill, as i said, is bipartisan and fairly narrow, 13 pages. so, you know, we tried to achieve that in plain english. i think we got that done. >> terrific. i'd like to pick up on some of those points later on sort of to get a sense of the defense industrial base pilot projects. this is specifically whether you've looked at tear lines to stymie the sharing from the federal government to various entities. i hear the same. we have defense industrial base folks in the audience, i'm sure they'll have questions. mr. lungren has dropped out of subcommittee. can you give folks a sense of
11:26 am
what's in the bill, maybe some of the differences and some of the belly button questions about the department of homeland security or other entities that are addressed there. let's go from there. >> essentially, building on the thornberry task force, the house homeland security committee took it upon themselves to draft a bill within its jurisdiction. not meant to be comprehensive in any manner, but strictly within the jurisdiction of our committee. it's essentially three big pieces. first the roles and responsibility of the department of homeland security with regard to a cyber security mission. i know the secretary is well familiar with the lack of legislative authorities that dhs has with its mission. it's been doing an admirable job based upon executive order and public expectation, but we wanted to codify that current
11:27 am
mission of dhs and make sure that they have the roles and responsibilities clear to protect critical infrastructure in this country. the second piece does touch upon various aspects we've already heard. that includes the protection of critical infrastructure. we do take a bit of a different approach to it. the thornberry task force found that while regulation is not our first choice, there is a role for the government in protecting the most critical of critical. in trying to determine what was regulated, how it was regulated, and who did the regulating was the task that we had to determine in the committee. what we try to do is build upon the department's definition of covered critical infrastructure used in the senate bill. so a facility or function of
11:28 am
critical infrastructure that if damaged or misused would cause deaths, mass evacuations, systemic problems in economic markets or severely degrade our national security. that's just one ticket we have in order for this regulatory authority to come down. in our conversations with critical infrastructure, we have heard quite a bit of yes, we open the paper and we see these problems, but what are the risks to me and to my sector, to my critical infrastructure? there are many companies out there that don't have a -- are not in constant contact with the fbi or dhs or nsa. their level of knowledge of these risks, they know it's out there, but they can't put their finger on it. so we authorize the government in the form of dhs and sector-specific agencies to engage with the private sector and actually
11:29 am
identify risks on a sector by sector basis. the government coming with intelligence and operational knowledge and their knowledge of their own networks, and they can come to the same table and agree upon a list of identified risks to their sector. that information is then made available to the sector as a whole so the people that don't have a washington presence or constant contact with the fbi are put on the same playing field as those that do and can address those as appropriate in their networks. the second step is then to take and collect existing performance standards. we're not about going out and creating new ones, but identifying existing, recognized performance standards and collecting them and putting them in one spot and then evaluating them against the risks so you have a rack and stack