
tv   [untitled]    February 22, 2012 11:30am-12:00pm EST

11:30 am
of this performance standard does mitigate this particular risk better than this particular standard if implemented appropriately. for the vast majority of the economy, that's where this ends. the private sector can then look at the risks and the collected standards, and then make their choices according to their business sense as to how best to protect their interest. this is on the assumption that even if you aren't going out to protect your clients or your partners, you will at least act in the best interests of protecting your investment in critical infrastructure. then there is that one element where we believe there is a government role, and that is for those that are currently regulated. think the nuclear sector, the electric sector, the water treatment facilities, financial services and those that do fall under this quote-unquote covered critical infrastructure. so the most critical of the
11:31 am
critical. only if you're currently regulated do you work with your regulator to review existing regulation to match up against those identified risks. if there is a gap amongst current regulation and identified risks, then the regulator chooses a performance standard from the collection to fill in the particular gap. and we believe this one -- this builds upon the expertise and the relationship of current regulators and cuts down on any potential conflicting regulation by introducing another organization by a regulator on top of existing regulators. those are the first two pieces. the final piece is trying to improve information sharing, and in the course of our meetings on this legislation, i try to always ask folks, are current information sharing mechanisms working as
11:32 am
efficiently and as effectively as possible? i have yet to come across someone who says the status quo is acceptable. so what we've tried to do is create -- one, get rid of the legal barriers that inhibit information sharing, much like tom and the senate bill do. we've tried to essentially band together or create an environment much like you mentioned, mr. secretary, how we need to work together and pool information and expertise. so what we do is we establish a national information sharing organization that is a voluntary, non-government, third-party not-for-profit organization that stands up an information exchange facility -- an information exchange facilitator. with that, members will view the charter and understand what information is shared and what it can't be shared with and make the evaluation of whether this
11:33 am
idea embodied in this charter brings value to the enterprise. we're hoping for not only exchanging of information but having members come to the table and say, i saw this on the network. i don't know what to do with this. has anyone else seen it? that facilitation will be available and anonymization will be available. government participation is key to this, bringing in intelligence and governmental operations. beyond just the information exchange, we appreciate them having a common picture amongst the most sophisticated of members. bringing together a whole pot of information we won't normally have that includes government information. those sophisticated members can monetize that and build that back into their products and wares based upon the information they wouldn't
11:34 am
normally have. we've done away with one of the main legal barriers for information sharing and put in liability protections and limitations as possible, shielding it from foia and state and local disclosure, but making sure that the idea of this niso is to share information. beyond that you lose -- if a member fails to use the information appropriately, there are provisions in the law that make sure that is taken care of against a malicious actor, that sort of thing. what we're trying to do is create a structure around information sharing, one, to provide appropriate oversight, and these are sensitive issues we deal with. we want to make sure that the appropriate information is getting to the appropriate people at the right span of time. putting a structure around it
11:35 am
enables appropriate oversight, and it also gives people a one-stop shop. they can -- they don't have to worry, do i need to go to the fbi? do i need to go to dhs or nsa on this? i can go to the national information sharing organization and get that one-stop shop and get that expertise. our bill is not a -- does not -- is not a silver bullet and will not solve all problems. we believe it does put a framework together that will solve some of our issues. >> thank you, kevin. as you can see, a number of areas are covered in the various bills. i'm going to open it up with a couple of lightning round questions here and then turn it to the audience. let's hone in first on information sharing. i think it's fair to say that there are some differences between the house and how they select intelligence and homeland security and maybe between
11:36 am
homeland security government affairs and house homeland security in terms of who is really the belly button here. i think it's fair to say that the national security agency has the capacity, the capability, and the wherewithal. the department of homeland security has the authorities, the statutes to be able to engage in this. is the current memorandum of understanding between dod and dhs sufficient, or do we really need to enable that activity? i would argue yes, but i'd be curious what some of your thoughts are there. so what other impediments, if any, from making that reality? secondly, a philosophical question to build on that. it can no longer be a case of government lead, private sector follow. the reality is the private sector owns and operates a vast majority of the infrastructure. they innovate and are the engine of innovation and the backbone
11:37 am
of creativity. it's not all big industry; small and medium-sized businesses really are ultimately the ones that propel us forward. what, if anything, is in the legislation to induce changes in behavior vis-a-vis the insurance or reinsurance sector, or anything to have self-initiated standards and best practices? and then finally my last question is one that's more philosophical in nature before i ask you all to look in your crystal balls to see where the legislation will go. but a philosophical one, looking forward: is the 80% solution enough? i would argue we can't firewall our way out of this problem. when i read the op-eds that these two gentlemen and many others in the national counterintelligence sector have written on the significance of chinese, russian cne capacity, we can't firewall our way out of
11:38 am
that problem. if we get to the point where by and large we have that 80% solution, we can tailor our efforts to more sophisticated actors, perpetrators, based on actors and techniques. would these bills get it to this point? that keeps me up at night. i'd be curious what all your thoughts are, because ultimately do we need to demonstrate an offensive capacity? do we need the cyber equivalent of nuclear tests to demonstrate a deterrent and compellent that may cause actors to think twice? now we acknowledge it. it's in official government reporting. what disincentive do china and russia have to say after we said they're doing it? i'd be curious on your thoughts on those three points and then turn it over to the audience. first question was looking at
11:39 am
nsa/dhs. we know who has capacities and authorities. what's the best way around that? >> i think senator lieberman is very committed to harnessing the expertise and the capabilities at nsa. i think that part of the bill and some of the dhs shorts we include also in the information sharing title, we think dhs has been playing the intermediary role for some time. we think it's probably best housed in dhs or a civilian agency, but to leverage the capabilities of nsa through dhs to push that up as much as possible. anything there to induce that sector? i haven't considered that myself -- the network of cyber
11:40 am
security exchanges the bill sets up. this may kind of reach out to more sectors. we basically want to build on capacities, for instance, for the financial sectors and isacs around the country who are eligible to be cyber security exchanges. we incentivize sharing information with those, whether they're federal or nonfederal, and we think establishing those procedures to link this network of exchanges will really facilitate the sharing of information. i think that's an important point. >> finally, the high end of the threat spectrum: do you feel this piece of legislation would impede some of their capacities and capabilities? >> i think from -- >> provide strategy to push back? >> i think from a defensive nature on the critical
11:41 am
infrastructure side, yes. i think, obviously, there are advanced persistent threats out there which are, you know, difficult to defend against. but i think that by setting some standards we can really get to that point. i also think on the economic side of the information sharing, it's really key. >> tommy. >> on information sharing, there's a lot of different types of information sharing you need to allow for. you have a bunch of companies that are engaged in similar activities, face similar threats and need to share information with each other to protect themselves as an industry. i think that's important. for me, the big -- the really big fish in this is when you look at the companies and entities that are involved in running the networks, running the internet, you know, the top five or six telcos in the united
11:42 am
states see the network traffic in the world pass through their pipes. if you add that to what the nsa sees and develop that common operating picture, that's a game changer in terms of the threats that you're able to see all across the world and the way that you're able to collaborate and share information on how to stop the threats. so, you know, i think the answer on information sharing is that, you know, the dod/dhs mou that allows for the two of them to collaborate is important. models like the dib pilot are really important. potentially an organization like a national information sharing organization could be important. all of them, you know, to harken back to what admiral mcconnell said, all are necessary but not sufficient. you need to push information sharing at all different levels and with a number of different
11:43 am
points of entry so that it's easy for companies and the government to share information across the board. i will leave the insurance question to others that have wrestled with it. >> what about just small and medium-sized businesses? we're talking largely about the owners and operators of the vast majority of the critical infrastructure, but this country is more. >> absolutely right. i think the legislation -- they can -- since they wrote the legislation, they should get into the details more than i should. you see a lot of things in both kevin's bill and jeff and nick's bill. first of all, i think the information sharing bill is huge for, you know, entities from small, medium and large. i think in some of the other bills that you see, you know, pushing for research and development, pushing for workforce development, national cyber scholarship programs, that kind of thing, putting on performance standards more broadly and not just for
11:44 am
critical information entities and then also working on, you know, international standards. all those things are present within the legislation. >> one more thing that i'll point toward you before opening. the carve-out for i.t., can you explain that very briefly in your bill? >> i can. i mean, again, it's a lieberman/collins bill, so i don't want to take ownership for it or anything. i sort of challenge the notion that this is an i.t. carve-out. i think what these guys have done, the philosophy with which they embarked on this process, was working with critical infrastructure should be an outcome-based process. when you talk about outcomes, you talk about not saying you need to have this particular technology or you need to configure this particular technology this way in order to get security. it's rather that you need to look at the entire ecology of your network, find the points of vulnerability and address those from a system-wide standpoint.
11:45 am
the example i give is that, you know, if you're talking about an electricity utility, you know, you can put in all the latest and greatest technology to stand between the public-facing internet and the system that operates the electrical grid. you can put in firewalls. you can put in intrusion detection systems and spend millions on that technology to make sure no one can penetrate the system, or you can do all that radio shack technology and air gap it. both of those approaches lead you to an outcome that is more security. but the approach that we've tried to put in place in this legislation, you know, allows for a company or an entity to make the choices that work for them in order to get to the outcome. so the provisions you talk about that say, you know, no, you cannot regulate, you know, specific -- the design and development of specific technologies, that's been the
11:46 am
philosophical approach to this all along. i think the problem is, over three years, as we try to explain that philosophy to people, there was some concern that there may be overreach within the agencies in implementing those -- that philosophical approach. so the bill drafters decided it would be a good idea to make it clear, make it apparent to everyone, that we weren't just talking philosophically. we were really true to that approach and wanted to make sure it was implemented that way. >> terrific. i was fascinated by your eight-story building. >> i was going to touch on that. tommy said something i'd like to build on. he talks about carriers and a set of characters, at&t, verizon, and so on, and various levels of internet service providers, and what he said was
11:47 am
they see about 80% of the world's traffic. nsa is looking at foreign things. if you put that together, you have a tremendous capability. you asked for an 80% solution. i think we have a 95% solution. we're building defenses around. where in the world do we have the best understanding of what's out there? what's bad? what's happening? who is doing what, and who is talking to whom? what might they do to infiltrate and cause harm? that's nsa and exists today. the way i think about this, why don't we task nsa to establish an all-source total information awareness center? you have to have clearances. clearances are an artifact of what we created. loose lips sink ships. you have to protect secrets. okay, the world has changed clearly. clearly it's internet service providers and all the players
11:48 am
and put them in the facility. the way i think about the facility: top floor is all-source information. everybody seeing everything. you have authorities to do things. in this nation of laws you have authorities to conduct law enforcement activities or homeland security activities, whatever that authority stipulates you do. once you're informed of everything, you go to your floor to execute your authorities. that's when secretary chertoff and i tried to frame this in a way that would be easier to understand. the top floor has all the information. anybody that needs to do something can go down to the other floors of the building and execute the authorities. i had one other comment to make. the way the bills are framed is for critical infrastructure to prevent massive casualties. who gets to decide massive? who gets to define that? was 9/11 massive casualties? was katrina massive evacuation? i think you wind up in a debate of what's massive and what's
11:49 am
not. i have a more fundamental worry. we're now focused on massive casualties and critical infrastructure. the chinese today are bleeding us of intellectual capital. they are sucking the life's blood out of this country in terms of innovation, code, going on unabated. at one level it's a national security level and people die and so on. that's one worry. what about this competitive disadvantage we have because the chinese have a policy of economic espionage? the united states does not engage in this. if we did, who would pick the winners and losers? we don't have a way to do that, so we don't pick companies to award. nation states, primarily china and russia, have this policy and others do also. we're going to get intellectual capital, because we're worried about the massive casualty or
11:50 am
protecting a clearance rather than harnessing the information and sharing it in a way that we could do the maximum benefit for the nation. i think it's a national security issue. i think it's a national economic issue. we're not fully embracing it. the bills are insufficient. >> until we respond, there is no disincentive for that activity to occur. one thing i'm sure there will be questions on is the national security agency assuming what could be perceived as a greater role, not only overseas but domestically. >> overseas, there is not much pushback. >> the question is, if it moves at network speeds and goes from one side of the globe to the other in less than a second, do we want to empower nsa to look at domestic networks to find bad things? wait a minute. that is monitoring. or you can say, well, it is scanning. you can find this lots of ways. you can also make it illegal to
11:51 am
look at content. i think if you understand the behavior of these agencies, they do not violate law. so make that part illegal. make scanning for malware illegal. that's another way of dealing with this issue. >> i'm sure there will be questions on that. one other thing that -- that i think is worth looking at. mr. secretary, perhaps you can touch on that specifically as well. you know, at the end of the day we're talking technology. but it's really about the convergence of human intelligence and technical means when you're dealing with the most sophisticated actors. i mean, wouldn't you rather have a source inside one of these organizations than perhaps all the technology to make that happen? and fair to say that our adversaries have already done that if you're to believe, as i do, the ncif report. >> i think what you're pointing out is this is not just a
11:52 am
technology issue but a lot is what i call a counterintelligence issue. and it's about, you know, really how do we look holistically at how we preserve property against people taking it without our knowledge? because they can connect up over networks. sometimes they can insert somebody. or it's a combination of the two. it's giving somebody a thumb drive that they wind up putting into a laptop, or carelessness on the human operators on the machines who decide they're going to bring their home device in which is riddled with, you know, malware and stick it in because they want to play music and hear it on the headphones. you have to look at this as a series of problems. one of the big mistakes i think we made historically is to think there is one solution here. if you can just find the right tool, our problems are over. you're never going to find that tool. it's going to be a lot of different tools. and by the way, at every
11:53 am
enterprise, whether it be government or private, it's going to be facing somewhat different threats and consequences. so what works or is important in one area will not be very important in another area. the second point i'd like to make is on an 80% solution. and here i would say remember this -- it's the natural tendency of people who are trying to penetrate into your network or steal something to use the cheapest, least effective tool they can and still get away with it. frankly, they like to keep the best tools in the box until they need to use them. when you drive security up to a higher level, you're forcing them to play with the most valuable tools. once you see a tool, now you then shift. so essentially if you recognize
11:54 am
it's a managing risk process, driving the adversary to have to do more and more complicated and sophisticated things to get by our admittedly imperfect defenses actually generally raises the level of security across the board. and also enables the people looking at what's going on in the network to catch more stuff. >> in the cold war, the soviet union could not think about, design, field test or put into operational context any military equipment that we didn't know about, understand and have countermeasures built before they put it in operational context. so now let's take this to the cyber world. if the community really does its job, to go to the secretary's point, you know that malware before it is ever used. harnessing the community and interest of the nation in that
11:55 am
context is like looking at an advanced fighter or new submarine or whatever is coming our way in terms of a kinetic issue; we can have similar capabilities in the digital world. it is harnessing the capabilities that exist, and doing it in a way that's consistent with our values and our privacy. >> great point. i would almost say, do we need a checkmate equivalent in terms of technology in the cyber domain as we did in the physical domain? i think there are wonderful initiatives that have been mothballed from the cold war that do have real value. the tyranny of time requires a bit of a tyrant, so we can be quick. i want to get some audience questions quickly. >> i guess what i would say to follow on the comments that have been made is the way we've tried to do this in our legislation is to think about the cyber issue as sort of a three-legged stool, with one leg being information sharing, another being sort of the protection of critical
11:56 am
infrastructure. the third we talked less about today is reform of the federal information security management act to improve the government's own security. if it's working properly, all three of these things should inform one another. so you ask about, what do you do for the small and medium-sized businesses that may not be picked up in any of these? if information sharing is working correctly, and if we're identifying the threats to our critical infrastructure or identifying the vulnerabilities or threats to our government agencies, and all three are sort of communicating as they must and should, that kind of information will then be shared more broadly and benefit all those who are not sort of directly implicated in sort of the legislation itself. and while i would defer on the question of insurance, i would say that there are incentives built in to this. not only the liability protection but also the ability for companies to demonstrate that they are sufficiently secure to avoid any requirements. that's an incentive for them to go out and continue to innovate so that they can essentially
11:57 am
escape any government requirements. and then lastly, keeping in mind the time -- >> nick, we're okay. i thought we were at a different time. we have time. >> just in response to your earlier question about the information technology piece, we have heard from everybody we've spoken to that there's no way for us to keep pace with the technological change. and so what we've tried to do is to take that to heart and also to be consistent with what we've said from the beginning, which is that owners and operators should choose their security measures in order to meet the outcomes that we are asking them to meet. and so we're trying to make clear that government is not directly regulating the design, innovation, product development of our i.t. products, particularly our commercial i.t. products, while at the same time setting sort of these performance requirements that should be the target that folks are aiming to meet. >> thank you. >> let me ask one other
11:58 am
question. anything in the bills stymie our ability to do what we need to do offensively? >> in many cases the best offense is a good defense. if we're studying up and i'll leave the broader -- >> sticky question. >> not expecting that. >> the best offense is a good offense. >> i agree with that, and the best defense might sometimes be a very good offense. >> secretary chertoff, there is no silver bullet out there. even if you get your network up to the state of the art with the latest bells and whistles, the threat doesn't stand still. we were mindful of that problem as we were drafting our language in that if we root the language too narrowly, it will get left
11:59 am
behind. the i.t. sector innovates and things are moving so fast. we still have this back in the 70s with the surveillance act. we wrote that law tied to that day's technology. the technology doesn't stand still. i think as we go through this, we have to keep in mind this bill needs to last 20, 30 years. we can't be too narrow in our focus. in terms of incentives, when we talk to folks in the industry about, you know, why they do or don't cooperate, you know, it's the disincentives. i think if you knock those down, i think folks want to cooperate. they want to find out what is out there. they want to talk to the government and the peers in and out of the industry. there are just disincentives that stop them. if you knock down the barriers, there is a lot of structure that can be leveraged for folks to talk and cooperate. >> what about that prc threat? your chairman is also very eloquent in voicing. any of these bills going to help us?