
tv   [untitled]    February 22, 2012 12:00pm-12:30pm EST

12:00 pm
and a lot of folks are shooting at. we're not worried about that trying to hack the school server and change his grade. the drive by shootings on the information highway. this is about, you know, chinese hackers using all the resources of the state and intelligence agencies to hack and steal our intellectual property. that is a tough threat to defend against if you're an american company if you don't have the tools of our u.s. government, the things we know to defend ourselves. >> the chinese and russians have this capability. they have u.s. debt in new york city and in beijing. and that's probably true. they wouldn't be incentivized for it. but they're building a capability. what happens when the capability leaks, gets away, gets sold to the terrorists? let me just frame it from economics 101. the world will not work without banking, without the flow of money to lubricate the process for transfer of goods and services and so on. the two banks in new york that clear money clear somewhere
12:01 pm
around $7 trillion to $8 trillion a day and our economy is $14 trillion a year. what backs up the transactions in new york city? nothing. there is no gold. there is no printed money. it's just a electronic transactions. what happens when someone contaminates that data base? what happens is banking will freeze. it will cascade in a cascading waterfall and global commerce will stop. devastating consequences for the country. >> and a footnote to that, i mean my biggest nightmare, it doesn't have to be if you erode trust and undermine confidence in our systems. that's all. >> economics 101. you have a banking crisis as soon as people realize my money is at risk, i must get it. the banking system, you put the money in, they loan it out. they balance prot ses. serve confident, it works. if you threaten that confidence as attacking the reconciliation system by contaminating the
12:02 pm
data, you swront to do it for very long. you would have a major crisis. so those are the kinds of things that i worry about. we talk about nation states and information and they wouldn't do this or that. well, they are building the tools and the tools are not necessarily locked up in a way that couldn't leak out to a criminal or a terrorist group, somebody who will want to change the world order. so those are the things i worry about. >> kevin? and just one thing. i see someone who wrote a phenomenal piece, a frightening piece on some of the alleged chinese activity, mapping, what i call the cyber equivalent of intelligence on the battlefield. what could the incentive be other than to map out potential targets? so i just put that on the table for what it's worth. i'll let you not answer that question. >> yeah. getting back to the dhs, nsa
12:03 pm
relationship. there has to be a relationship. the capability is tremendous. nsa has a tremendous capability. dhs interviews my chairman and the members of my committee. they need to play an appropriate role for domestic activity. with regard to insurance, i am not an insurance guru. i do not work for the financial services committee. but we do talk with insurance providers and how do we increase the marketability of the cyber insurance? and the answer that we usually get back is we're going to get there. we're going to get there. the market will take care of itself. but we've also heard that data is hard to get with this -- in this area of -- within this issue. people are loathe to share information on attacks. there is a provision in our long
12:04 pm
with regard to the niso charter that says information on incidents shared will be collected and made available to the provisions will be -- the organization should make provisions for providing that information for study, academic study and that sort of thing. so is that going to create this insurance market? no. but hopefully it will kind of increase that, fill that apparent need. finally, 80% solution. again, our bill is not comprehensive. it will not solve this problem as soon as it's passed. but it does build a framework in which we can build into the future. the important thing with when you hit say 80% in this issue, it is 85% of critical infrastructure is owned and then
12:05 pm
80% of all cyber attacks can be taken care of with good cyber hygiene, right? so if we can incentivize improving computer hygiene across the board both in the private sector through identifying risks and identifying workable standards that they can then go and put in place as well as improving the federal information security management act and raising the level of hygiene across the government, we can free up some resources to actually go about that 15, that apt, advanced persistent threat. the nation states, those really bad actors that -- so we don't have to worry about the low buzz activity. we can raise the game and increase the price of entry. so hopefully that's where it's moving. >> precisely my view on that. >> two other things we haven't touched on which i think for completeness we ought to put on
12:06 pm
the table. one is the supply chain. how do we deal with the fact that hardware, software is manufactured globally and we have difficulty in ascertaining and certifying integrity of hardware and software particularly in a world of multiple mobile devices plus you have vulnerabilities with wireless transmission. second issue, less well focused on but i think security dimension. i believe next week there is a meeting somewhere overseas on effort to address again the question of internet governance and how do we deal with the issue of internet traffic flow? in particular, do we move from the current system of icann which is really chartered by the u.s. government and to where the u.s. would play a larger role in laying out the rules of the road? the chinese and russians are pushing for that. they want to have the itu do this. you know, i mean i don't want to speculate too wildly here, but
12:07 pm
just in light of what we've talked about in terms of cyber security, consider what the implications are of moving some of the basic laying out of the rules of the road into a domain like the united nations or u.n. organization. that has serious economic implications for us. it also has freedom implications because there are some countries that view the ability to get anywhere globally on the internet is a bad thing. and they like to be able to stop that. and there are security dimensions. part of the challenge of this is, as admiral mcconnell said this is a good start. there are so many more pieces of this. this is like ten dimension chess. the problem is it moves very quickly. >> absolutely right. and i will speculate. china and russia have been focused on this approach for quite some time. the arms control argument works as reagan said trust but verify. the attribution is dif.
12:08 pm
that is debilitating economically and for national security. let's -- please. >> can i just make a comment about information sharing? i feel so strongly about this issue. if it's not required, it won't happen. niso sounds like a nice idea. but bureaucracies will not put information into the system unless they're forced to do so. what do i mean by that? i grew up in the navy. 30 years, loved the navy. had a great time. the navy's view of the world was we have our own ground force. we have our own airplanes and all these ships. why do we need the army or air force? and so our whole mental attitude was we were not going to cooperate with those guys. they're competing for funding that we want, we need to build ships. that was our argument. so we went to great extremes not to participate in anything joint. well, the legislature led by senator goldwater and nichols said, you know, this is just not
12:09 pm
right. we need a joint fighting force not a navy and an air force and army. so after years of debate, i think it took six years, goldwater/nichols was passed. every service chief testified under oath. every service secretary the same. the secretary of defense was against it. it was passed and president reagan signed it in 1986. we had a little dustup called desert shield, desert storm. i got to be a front row observer. the law was passed and said that if you fight, you only fight in a joint force. so make it the law of the land. second, if you all aspire to be generals and admirals, you cannot be a general or admiral until you have joint certification, everything changed. okay. we had the first gulf war. i got to go with the service chiefs on the hill, under oath,
12:10 pm
goldwater/nichols is the best thing that happened to the department of defense. it forced collaboration, information sharing and it changed attitudes and behavior. i think information sharing is the key. but the current draft, while i applaud them, they don't go far enough to require it in two dimensions. require it in law. and reward it because you engaged in information sharing. >> and nothing like promotion paths being tied to here what has to get beyond the traditional national security to include our economic security, for lack of a better term, even beyond u.s. government to include the private sector csos and others. >> the department of -- >> how do you incentivize that career path? >> you cannot be an admiral or general unless you are certified in warfare. you have that experience. that way it makes you qualified for promotion. that's the incentive. >> we have time for a few
12:11 pm
questions. please identify yourself before your question. and let me, mark, i'm curious, you heard a lot about the backbones and telecommunications in particular since you drive policy for verizon. where do you sit on some of these issues? >> thank you, frank, for putting me on the spot. gentlemen, thank you for your current and past service. it's important that we all collaborate on this private sector and public sector. we do, obviously, own and operate quite a lot of infrastructure and this is extremely important. admiral, you're right on the money. this is the focus that we need to move forward. two quick points. role of government as setting the example. for me, we talked about this before. i think that's key here. the government is a critical infrastructure just as the power sector, just as chemical, just as electric, just as others. we need the government in this game as a player, as a peer and
12:12 pm
as an equal. we also need to think in terms of the law enforcement angle, something we haven't talked about here. much of what we see online is criminal in nature. criminal aspects is what we all fight with. that's the day to day problem that we're facing. we need law enforcement. we need crime prevention. we need that type of emphasis as much as we need the national security espionage type of piece. i would like to see additional tok there as well. thanks for the opportunity to comment, frank. >> does anyone want to respond? >> actually, he makes a point that i tried to make earlier which is it's not just one problem. there are a lot of criminality, there is fraud. and one of the things i'm for doing is every agency to take the particular problems that it happens to fit its skill set and make that what cyber security is
12:13 pm
about. it's not. it's going to require -- it's like physical security. you have everything from first scale land war to making sure you can walk down the street without being mugged. and you've got to look at this as an entire spectrum. >> a couple comments. one on your first point. i think you're exactly right about the government needing to be a better partner here. you know, i think we talked to a lot of folks in the private sector who have been breached or, you know, have had some sort of cyber incident and called the government and looking for help. and response they've gotten is never one that's been adequate, right? whether it's nsa, dhs, fbi, whoever it is. it's never been exactly what the private sector is looking for. we have to get better at that. secretary chertoff mentioned three pillars for legislation. actually, i agree with all three of those. i think the fourth is the government really has to get better. that's why we're looking at things like physical reform, the workforce development and personnel authorities that will
12:14 pm
allow for hiring more qualified and competitive candidates. not just, you know, entities like dod and nsa that already have those authorities can do that. but to dhs where, you know, there needs to be domestic center of expertise. right now they don't have the expertise that they need to fully realize that. i think that's really, really important. i think just sort of get into the procedural weeds of our legislation on the criminal stuff, you know, we do hope to add some additional pieces to the legislation as we get to the floor and having them in the process. the criminal code proposal from the administration are ones that we view as very important. we hope to add them into the base bill. there is still some sort of minor disagreements between the chairman and ranking member of the judiciary committee that we really ought to be able to work out. i'm hopeful we can add that piece and the additional pieces on the law enforcement side. i think that is very important.
12:15 pm
>> and we can lead by example. get your own house in order. >> both of our bills have provisions that allow the sharing of threat information that pertains to a crime that is happening, about to happen or happened to law enforcement. and that's obviously a delicate balance. that is something we want to continue to work on. but i believe, kevin, you were the same. you had similar provisions. >> we have similar provision. not exactly the same. but the house process is a bit more fragmented than that chosen by the senate. again, the speaker and i started the task force and that included members from i think -- i want to say nine different committees. and so tom and i only represent two of those committees. and so there will be other
12:16 pm
action by other committees. we're anticipating something from the judiciary committee and we're anticipating something from oversight government reform. and other committees will probably operate within their jurisdiction as well. >> i'd like to offer a quick comment on government activity and so on. i have a very high regard for the government workforce having been a part of it and observed it over the years. when it's very specific what their mission is, they'll do it and do it well. let me use dod because that's my background. anywhere, any time war or rescue, globally, you call, we haul. they will deliver. that's the whole mindset. readiness and being prepared. i think about law enforcement and the fbi. when there is a specific mission of the agency and then you are professionalized or rewarded to perform that mission, you'll do exceptional work. that's what we have to grapple
12:17 pm
with here. having the agencies that are responsible for information sharing or cooperation with the private sector. i'll use my example of nsa again. nsa is frightened to death of crossing any line that might reach to the private sector. they're not authorized to do so. so if they see something coming, what they're authorized to do is write a report. and put it out. then we'll call a meeting and start the discussion. too late. so how do we get to the point of moving at the speed with which we need to move and as a specific mission of the players? >> ron, wait for the mike. >> this is for mike mcconnell. this is for a couple old intel guys. one of the things that spared us a lot in the cold war and spared the military is having a
12:18 pm
doctrine. when i listen to this today, it's fascinating. a lot of hard-working people here. but if i'm listening to this in nebraska, it looks like a bunch of kids playing soccer on the field. everybody has their own lane here. the question i have for you at this point looking forward here, have we or are we in the process of developing some kind of doctrine that approaches the use, the enforcement, our international or domestic use of cyber as a cold war having that doctrine allowed us to inform our national security strategy. it allowed us to inform the law enforcement strategy with the fbi, it allowed us to enforce our military strategy and intelligence strategy. and i'm not seeing that right now. >> my view is your observation is exactly right. we don't. and now there is something sort of impressive about a mushroom cloud and the shock wave and the reports of radioactivity galvanized as one. in the early 50s we had a huge project. we worked through a lot of that
12:19 pm
and determined our doctrine for nuclear policy and deterrence and here is destruction. there are many aspects of that in the context of congress trin and the military services. we haven't had that debate as a nation on the doctrine for cyber and cyber defense and so on. the reason is because it's so insidious. it's just sort of crept up on us. it's not broadly understood the magnitude of this issue in terms of how dependent we are in the digital infrastructure. so my own view is we'll do the things we're doing now. we have these kind of informed political -- or public discussions and debates. we'll have something that will cause us to galvanize just like 9/11 causes us to get focused on a terrorism issue. we mentioned law enforcement earlier. remember the cole bombing in the '90s. we made a political decision to
12:20 pm
interpret the bombing in yemen as a crime. and we react to it as a criminal activity. how should we react to the chinese capturing the research and development of a company that may invest a billion dollars to develop a new tool or technique or capability? is that a violation of law or is it a national security issue? we haven't had that debate yet. >> i think that's important. i do think there is a bit of a lack of doctrine. one of the challenges is this -- in the cold war, the nuclear bomb issue was remote for most people. it would infect them if there was a war. but they were not involved in it on a day to day basis. there were a small number of experts. here this problem is intimate to everybody. when you discuss the doctrine, what you do touches everybody from the most sophisticated actors in cyber to the kid at home on the pc. and so people become much more alarmed about it.
12:21 pm
so it doesn't mean we don't have to do it. we do need to sit down. i would actually argue the right way to do it is to figure out the doctrine first and then go the legal authorities around the doctrine that permits you to do what you needed to do. >> that's powerful and well said. i don't think we can still to this day answer concretely what an act of war is. is it perpetrator action? something that there is fundamentals and a lot of strategy. >> we don't have a declaratory policy about what we would do. we just haven't gone that far yet. >> i think we need to. >> just to add real quickly. i think all that is absolutely right. i will say that i think it's important, you know, to sort of distinguish what we can accomplish through legislation and what we can't. i think in this case doctrine and strategy and the answers to the big picture questions are not ones that we can answer in legislation. however, i will say that those questions have been of very
12:22 pm
intense interest within congress and that we are working very hard to try to move the ball forward within the executive branch to answering the questions. an example is just when general alexander was up for his nomination as commander of central command, arms service committee slowed down his nomination until he and the department would answer a whole range of questions including, you know, to begin to give answers about, you know, what cyber warfare is? what deterrence is in this context? and whether we ought to be looking at a declaratory policy and those kinds of questions. so we're working very much to push the executive branch forward. those answers do have to come from the executive branch. >> we have time for two more quick questions. i want to make sure we have a student be able to ask one question. any students there with a question? going once, going twice. we'll have shavone and then right to lyn.
12:23 pm
>> hello. i was just looking for to get a little bit more reaction from the panel. admiral mcconnell made a very interesting suggestion in his points when he said well why can't you just task nsa to scan the network. if given this whole panel spent a lot of time looking at these questions and come up with a different solution just sort of what your take is on that suggestion? it certainly is very direct. >> i would love to jump in there and hopefully my colleagues can help me out. i think the answer is that, you know, it needs to be sort of sophisticated approach that recognizes there's a lot of different types of activity we need to be involved in and a lot of different ways for nsa to be
12:24 pm
involved and for dhs and other ogss agencies to do so. there is not going to be a clear authority within the bill for nsa to take ownership of monitoring private networks. that said, our intent is that nsa can work through the memorandum of understanding with dhs to, you know, lend its expertise and resources and technology both to dhs and to the private sector on a voluntary basis which admittedly is problematic. it is voluntary. but it's a matter of going back and walking that balance between those three poles of security, business concerns, and civil liberties and privacy concerns. this is an area where that balance is particularly important. i'd also say that we look really closely at sort of defining what's content and what's not for the purposes of the information sharing. and eventually we move away from making that distinction because there are a lot of things that
12:25 pm
really straddle that line and are not easily defined as either content or noncontent. so we may want to get -- we may want to track ip addresses for the purposes of uncovering the network or that kind of thing. we're not reading e-mails. but for a lot of people this is considered content information. that's not the kind of thing that we want to be out of bounds for specific purposes with regard to sovereign security. but it is something that is more difficult to define and the types of information given the changes within the network to the technology, the types of information and how they might be categorized changed as well. we tried to stay away from making that distinction. i do think there is an important role for nsa. we need to be creative and harnessing that as we move forward. >> tom? the question is how to do that in a way that doesn't trigger
12:26 pm
the concerns. and here's with that solution came up. nsa collects the threat information, brings back home and then gives it to folks out in the private sector who can handle that information the way -- they can use it operationally. but they can also protect us while they're doing it. folks like verizon. they have very advanced capabilities when it comes to defending their network. >> anyone else want to jump in on that one? >> quickly, i agree with that. the intent of the bill is to harness the capabilities of nsa. but it's also testament, i think, that senator rockefeller, former chairman of the intelligence committee and senator feinstein, the current chair of the intelligence committee and also we've had many debates on the issue. i think the outcome was that it should be within the secretary of homeland security's jurisdiction to be the prime
12:27 pm
facilitator. i think that's, you know, testament to quite a lot of discussion and debate. >> there's a message for getting nsa support. it is called tsr technical support. it is used for years and years when the fbi needs some information. i need a request that is approved about it potential and happens. this could happen with nsa supporting dhs. i go back to my story about the department of defense when we had army, air force and navy for goldwater/nichols bill. we have to wrestle through that issue. how do we capture this? you have to do the things that are necessary to do -- to provide an adequate level of protection for the country. >> last question. i'm not going to let the panel have my last political forecast and question. quick question, please.
12:28 pm
>> thank you. one of the things we've seen over the years is the government has been very resistant to sharing information as you pointed out, admiral mcconnell. and the issues of classification, we've seen issue after issue being classified simply because the government knows it. sources and methods have been debated for years. taking methods and putting them out so people can then defend themselves against them also raises the bar and makes people have to use the more sophisticated equipment as the secretary pointed out. and they have to pull all of the tools out of the toolbox. if we can back off from all of the classification issues, we can get a long way down the road. in canada and a few other countries where the isps are required to work with the government to block malware as they see it running across the networks. so they reduced a lot of significant issues in these ways. one of the other things we've seen is that from a standpoint
12:29 pm
of a government, we have never been able to adopt an industrial policy in this country. when we had the year of the spy, the response of the government was to create an assistant attorney general for national security. we created a national security division. and then we created national security courts so that we have a situation where we didn't have some the district court making a negative case law. so why don't we have an economic security system? and that same mechanism for economic security where we start using economic sanctions back against the chinas and the russias even though they owned a lot of our debt, it doesn't matter. if they're going to be attacking us, let's use the sanctions back against them. what i'd like to see is a thought process of how do we get beyond some of those barriers and change the mentality so that we can focus on these things and get the
