♪ snechbd e ♪ ♪ ♪ ♪

♪ >> next remarks by 40e8ds under secretary spaulding, hosted by the american bar association. topics include cyber security operations and efforts to form stronger relationships with the private sector. this is about 55 minutes. >> thank you very much, joe, thank you for once again taking

the laboring war and putting together this very -- thank you to all of you, who are here today who have taken the time to be here, but who also, i know on a daily basis care about and in many cases work to achieve our shared objective of ensuring safe, secure, resilient communities where our -- this is like a class reunion. and in many ways it is, a lot of former dhs folks here, a lot of current dhs folks here, but also a lot of you in private practice and in academia and elsewhere, all of whom contribute to the solving, addressing, understanding the challenges that we face. so thank you all of you for what you do. i bring greetings from secretary

jay johnson, secretary of homeland security who would love to have been here today. like me, he is a recovering attorney. and we are very, both of us, well aware and deeply appreciate the importance of the rule of law and the role of lawyers. as a vital part of our team as we go forward to accomplish this mission on behalf of the american people. i am aided, as i said by my very able county schedule, i believe you're hearing from later in the program. so we're really quite fortunate in our legal counsel. at the department. i want to talk about three key

elements of how we accomplish and view our mission at the department of homeland security, but particularly with regard to the national programs director for which i have the honor of being the undersecretary. joe described a built about what we do, which is good because the name tells you very little about what we do. but our overarch -- critical infrastructure. and we do that in the context of an all hazards approach. so we look at the threats, the vulnerabilities, the consequences and mitigation across both physical, human and cyber. and that gives us a tremendous strength. we are working very hard, each and every day to make sure that we are not stove piping our approach to that mission of the security and resilience of critical infrastructure.

that folks who are our cyberninjas, who are really smart on the cyber front, and the folks who have gotten really good over the years of -- and the folks who are looking at human security from a biometrics perspective, for example, are all talking together. in looking at these things and understanding their own interdependencies a and that's critically important. we're able to achieve that and get better and better at that each day because we have very talented people at the department of homeland security and i'll talk a little bit about that. i'm going to talk a bit about the role of technology, and that's a particularly important and a challenge for on the legal front, so for those of you in this room, i think you'll -- some of the challenges that i want to talk about there will resonate with you, and i'm finally one of the most important aspects of what we do

which is the public-private partnersh partnerships, a lot of people roll their eyes, and have refused to even mention the phrase anymore, but in fact, i'm here to tell you, it is a reality. that we benefit from each and every day at n ppbd and the department of homeland security. i'm going to start with my favorite part of this is the -- we have always had the benefit of being led by people with extraordinary talentalent. i continue to be amazed at the people that we attract. the people in this ram who were there at the creation of the department and folks who have helped shepherd it along the way who have made this an exciting place for people to come to work. we are very fortunate to be led

by secretary jay johnson, who in addition to being a lawyer, most recently came to us after having been general counsel at the department of defense. so he brings not only the experience he had in private practice representing businesses, private sector, entities of all sizes, which is again, a critical part of what we do, but he also comes and as brought to the department that post goldwater nicholls sense, the importance of the sense of unity of effort. so those of you at the dod know this, about four years after the department of defense was created, the department passed goldwater nicholls legislation to bring greater unity of purpose to the department of defense. i remind them that it took about 40 years for the department of defense to get where they needed to get to begin to get where

they needed to get on unity of effort. we don't have 40 years to get this right at the department of homeland security. but it does help you to keep in mind how young we are, as a department. but secretary johnson has come with a sense of you are generality, to bring the legs sons learned from the department of defense with regard to bringing that unity of effort across those elements of dhs, a very important part of what he's doing. and it is perfectly consistent with what i have been doing, trying to do at mpbd since i came in october of 2011. to bring that unity of effort that i taked about earlier, across npbd, to make sure we are fully leveraging, understanding, data, knowledge, across those es of mpbd and that we are helping

to leverage that all across the department. we're also very component head, so he was the head of -- has moved up to be the deputy and i have to tell you that it really is wonderful to have someone in that position who has led one of the components of the department. and understands that relationship and how important that is between department of homeland security headquarters and its operational components and really appreciates the kinds of things that need to be pulled up and really centralized and managed from headquarters and those things that really need to be distributed out to the components. and as interesting as i watch that, because it is the same sort of lessons that i take back to mpbd, as i look at the relationship for what i am, at

mpbd which is headquarters and our sub components and have the same kinds of discussions about what needs to be centralized and what needs to be distributed to create a really effective, agile, dynamic and effective organization. so that is happening, so we are seeing changing at the departmental level. in an effort, as i say, creating that unity of effort to enhance effectiveness and efficiency. the challenge that we are facing on a daily basis is to make sure that we're in sync with each other. but it is in large part thanks to the great leadership that we have at the department. and within mpbd, so we were increedingly excited to recruit our cyber deputy secretary.

quite a while ago now, she can no longer play the i'm new here card. so for those of you who don't know phyllis, she comes to us from the private sector, she was the chief technology officer at mcafee. someone who comes with the understanding already of the importance of policy because she was chairman of the board at info guard, which was a private sector outreach group that was really managed by the fbi. and also with that terrific forensic analysis effort up in pennsylvania, outside of carnegie mellon, the center for republican sick and technology si analysis as it's called.

she's outstanding and-she also helped us to recruit for our assistant secretary for cybersecurity education officer u eat one that brings great technical -- but again, an understanding of the inner agency because he prior to joining us was at the white house, working with michael daniel at the national security counsel. and he has come in and provided some really outstanding leadership along with his deputies greg and bobby. we have got just an outstanding team in place in the leadership of cs & c. and they continue to attract the best and the brightest. we have turn over, which is to be expected when you're recruiting really top talent, particularly in the cyber sector. it's not surprising that the competition would be able to

lure them away at some point. it's always a los, and we're always sad to see them go, we just lost a couple of our key leaders, but we know that we have top talent lined up and ready to come in and join the fight. that is really a wonderful feeling, to know that we will continue to be able to recruit the best and the brightest to join us in this really important mission. we have great leadership across mpbd. and i just want to quickly highlight eric patterson, who's a retired air force general, who leads our federal protective service and they are increasingly, those are the folks that watch federal facilities all across the country. they are in charge of security at over 9,000 facilities across the country, and they do work very similar to what our protective security advisors and

our office of protection are doing for the private sector. they assess security at federal facilities, they provide recommendations for reconciliation. but then they also manage the guard force, the private security officers that stand guard at those buildings, day in and stay out. and the lessons we can learn, the insights we can get from that day to day interaction to see how these mitigation measures actually play out when they're implemented, is something we're working to bring back, in our private sector to help enhance the work that we do at the private sector. so our cyber folks have responsibility for the dot-gov.

fbs is the sector specific a gt si for federal facilities. so again, one of the things we're doing is saying, this is a really powerful combination, we have federal asset systems and networks, physical and virtual, that we have responsibility for protecting, and we are increasingly looking at that in a hole listic way. h how do we leverage those insights on a daily basis, not just to ensure the continue knewity -- protecting the people who work and visit those federal facilities each and every day. but to be able to bring that knowledge in, whether it's from what we're skiing in our dot-gov tools and programs or what we're seeing in the physical realm together to provide those instilgts to our dotcom stake

holders. that gives you an insight into what we are, when i talk about unity of effort at mpbd, that's what we're talking about, how do we bring all of these things together to help all of our stake holders, by leveraging more fully the kinds of things we are doing, and eric patterson is doing a great job leading the federal protection service. we have got great leaders at our office of bioidentity management. they are taking a leadership role across the departments how can we utilize buy owe metrics. and our newest entity which is the office of cyber infrasfrur and analysis, which is a real institutionalization of that looking across cyberand physical. and that group is doing glaet work, bringing together, our

cyberninjas, particularly those who have unequaled expertise in understanding industrial control systems. together with the physical people who can say the so what of cyber. so ow industrial control system folks can say, here's all of the ways that somebody could hack into you know, status systems and industrial control systems, and the processes that are controlled by those systems. and then the physical, the folks who understand how to model and simulate and understand those interdependencies can say here are the consequences from that. and that is a critical part of prioritization, right? all of us understand that we have limited resources, limited time, and we have got to make decisions about how we

prioritize the allegations of resources. will it's a superstorm sandy, a cyber attack or a physical sabotage. something on the scale that we at the homeland security department are worry -- to keep generators going, and it is the folks at npbd that says, there's a communications hub that people aren't paying attention to, that if it's running out of fuel in our generator, international communications up and down the eastern seaboard will be avblged, we got to get fuel or generator help to that facility. that's the kind of dynamic prioritization that our folks in ocia, the office of cyberand instruction analysis do.

so the growing expertise at npbd is actually increasingly being recognized by outside observers. for example, i mentioned phyllis snek, and bob stanley, they were recently recognized as two of the top 50 it professionals in government. our colleagues have won major awards from organizations like the -- and the information systems security education. phyllis i think has been particularly pleased to gain an expeer -- in the private sect ,

sector-she had said time and time again that she had never worked with smarter people than she has here. we recently got the most recent kudos from our stake holders out there, from a company that we had sent one of our sert teams out there to assess, who wrote back and said that he had never worked with a momore professional and talented team. for those of you again who ---.

my second point that i want to talk about is technology and how that impacts our mission. as we have talked about, we are increasingly at risk, our nation's critical infrastructure. and the technology, as technology advances, it challenges and opportunities for the folks who look at vulnerabilities, who look at threat vectors and who look at consequences of litigation, but it's also a challenge for the lawyers and dan and i have frequent conversations about how this presents increasingly challenges for us. because our adversaries are not slowing down in their evolution of technology and techniques, and we have to be equally agile. in the cybercontext, when people ask me to summarize the nature of the threat, i typically draw

a matrix, right, so on this edge of the graph is destructive intentional and on this angle is capacity. those who have the greatest destruct ty sbrnt at the moment, have the least capability. i always point out that this top -- those who have les capacity today are constantly gaining kpas capacity. and this bottom point, depends on what's happening in the world and at any point could flip up. so that's the threat picture, it's very dynamic, and we're

aware that it's very dynamic and we never get too complacent and a lot of that is because of technology, just as our adversaries are taking advantage of the advance in technology, the department too is looking at and making great strides in terms of the kinds of technology that -- our department -- science and technology director has some very innovative programs under way, both in the cyber context, and also in the physical context. so those of you who are familiar with the metcalf electricity substation out in california, understand the importance of transformers and that they are a long pole in the tent. our science and technology director has for some time now been working with their private sector colleagues to develop

transformers that can be -- as i said, that's a significant vulnerability and a long pole in the tent. our colleagues at ice, who are also involved in our cyberactivities and do terrific work on forensics, to uncover and prosecute criminal activity online are constantly innovating and using technology to get faster and better at the ways in which they are able to do that forensic activity. secret service is closing complex international investigations and they are crippling international crime networks and again becoming increasingly innovative, not only in the ways in which they do prosecution, but also maybe

really working hard and rolling up their sleeves in the way they can carry out a successful prosecution while sharing information with us to share to our private sector and government stake holders as quickly as possible. and that is a real challenge and something that has bedeviled in the past. we have terrific stuff going on in our cyber ops center, the national communications and cyber community integration center, the nk, it's our 24/7 ops center, it has sitting on the floor of that ops center, not only our colleagues across dhs, but also our colleagues across the interagency including law enforcement and the intelligence community, and programs most significantly our colleagues from the private sector, who come together and with increasingly sophisticated

tech until and tools are able to provide us with stational awareness in the event of incidents, but also understanding how to detect and stop and block those technologies. who are developing the tools and technology, we have the spopt for.gov. there we have employed our intrusion prevention technology, but also continuous diagnostics, which is going to revolutionize and assess the health of our government networks. right now under the federal information security management act, this produces every three years ago, a big, fat, binder that's a compliance checklist.

what cdm will do, and within a matter of hours, scan your network, assess your network being government networks, assess the health of those networks, and tell you where you've got problems and help you bri prioritize what you've got to assess first. in that you have got to have real time sense of the health of your network, it is really remarkable. and an example again of the ways in which the department is taking advantage of technology to try to stay ahead of the game here. the mkik. is again an illustration i'll talk about in a minute in terms of public-private partnership. since 2009, they have responded to nearly half a million incident reports, and they have put out over 26,000 actionable alerts and i will tell you, these -- actually they are making a difference.

we just got word from a private sector company that they had gotten an alert from our mkik, some of the information from that alert came from the secret service, we put that information out through our mkik and this private sector company got an alert about a possible mall ware and they said to their tech folks we have got to figure out if we have got this, and they looked and indeed they did, and they were able to take mitigation measures. that is exactly what we are about. we are all about getting that information out, making sure it is actionable. and trying to prevent, mitigate the consequences of cyberand physical intrusions, cyberis impacting the law as i spoke

about earlier. as you can imagine, we are -- dan and his famiteam are dealin with a number of cutting edge issues in the law but a number of them have to do with technology. and the reason you all understand this, is that there is really a disconnect, still, between the incredibly rapid pace of technological change and the intentionally deliberate speed with which the law changes. all right? the law is intended to be thoughtful, careful buildup over time, whether you're talking about the development of law through the judicial process which can take a long time. or the development of law through the conference, which can sometimes take forever and which often runs the risk of

being outdated as soon as it's enacted. so this is a huge challenge, it is one with which we wrestle and what you wind up doing is that you're going to laws for legal guidance that were written -- that lie behind those legislative enactments, you're familiar with the number of questions with which this takes place, speed is one of the issues, quantity is one of the issues that we are increasingly confronting and that you're seeing increasingly play out in lower court cases.

are we in a blase where a difference inspect quantity becomes a difference in kind? the amount of information that technology allows us not only to gather, u but to understand and make sense of so it's both the citizensing and the sense making part of technology, that has presented some interesting new issues for our courts and our lawyers as they look at those issues. the balance of the bucket in which these -- international or foreign and domestic. between nation state actors and nonstate actors, between criminal actors and nation state actors. and these lines that have served us pretty well in the past to try to understand who has the authority and how that authority is going to be implemented achkd

how just exactly how the fourth amendment applies, et cetera, those things are being challenged as we know. and that debate and those questions are being asked and we, you know, we're looking at do we need new kinds of buckets, how do we make sure that our legal framer is keeping up with the real -- the changes in the world. and one of the ones we deal with on a daily basis and that is roles, particularly the role of the government and the role of the private sector. those of you who like me came up in the traditional national security world, you will remember, that we basically -- if we interacted with the private sector, it was generally in one of two contexts. they were either a contractor providing you a specific good or service pursuant to a particular

good or contract. so this notion that the department of homeland security was in part stood up to implement and treating and recognizing the private sector as a full partner in achieving that security and resilience that are is our fundamental mission, that is a new concept. again, despite the fact that we have been talking public-private partnership it seems like forever now, it's actually a new way of thinking for traditional national security folks. and i have watched as negotiation have sort of begun to get their head around it. but it is something that we, again, work on day in and day out, at the department of homeland security and that we go to the traditional national security table, you know, having to constantly remind our

colleagues that the private sector actually is part of the security solution. so, for example, we have a private sector clearance program, where we can clear folks on the private sector, not pursuant to a contractual relationship, but pursuant to this partnership, and so we can bring in critical infrastructure, owners and operators, with top secret clearances, show them all the intelligence that we have, and say here's what we think we see in this intelligence, here's what we think this is saying, what do you see? what are we missing? and most importantly, help us to craft the unclassified alert that we can put out through our appropriate channels to all of our critical infrastructure owners and operators across the country, so they can take action, tell us what in this classified information, you

would really need to know as the chief security officer of a piece of critical infrastructure, or as the chief information security officer. and that gives us ammunition, then, to go back to the -- eater the intelligence community or the law enforcement community saying this piece of -- this is what they need to be able to take the action that we look to them to take, as our partners, in addressing the security challenge, that's a really powerful combination and just one example of the way in which that plays out. which leads smoothly into that next topic, which is that public-private partnership, because we really do recognize that we are not going to achieve the security and resilience of critical infrastructure. we are going to do everything that we can to assist the owners and operators of that infrastructure, whether they're federal facilities or private

sector or public seccor utility owners and operators to make weisser risk management decisions. so traditionally, that meant that the government would -- you know, would provide the threat information. all right? and we still do provide significant threat information as i just described. but increasingly, particularly in the cyber context, the private sector is developing threat information and in some cases, better and more threat information than the government. at least -- certainly with respect to what's coming at the private sector. so we are in a situation where, again, we're having to think about this in a very nontraditional way. not just threat information, but -- how do we do that that is consistent with private rights and civil liberties. that task is made easier for me

at the department because we have a statutory privacy security officer and i have an mpbd, my own privacy security counsel and she has a team, emily andrew and her team, they are a full part of our team, they are with us at the development of programs, we don't go to them afterwards, we have built this program, now tell us how to make it consistent with our privacy, they are right there from the get-go to bake it in from the beginning. not only do we have some legal obligations to make sure that we are complying with privacy laws, but our privacy counsel helps us to focus our efforts, and again in a time of scarce resources, we want to make sure that we're focusing on the things that really matter. so they are helping us accomplish our mission of str n strengthening our security in critical infrastructure.

that close relationship and doing this right is essential to that trusted relationship that we have with the private sector. that is, again that is our reason for being, we are only here to assist our stake holders in that security and resilience of critical infrasfrur mission. and we can only do that if we have the trust of the critical structure owners and operators of american people. so we are extremely grateful to have this team helping us with the privacy and civil rights civil liberty issues from the get-go and all the way through. the importance of our private sector partnership is reflected in the national infrastructure protection plan for 2013, and i system a number of people in this room, and so you know what a huge undertaking and what a huge challenge it is, always, to develop this document.

we have tremendous collaboration and input from the private sector. folks who worked incredibly hard and for whom this was not really their day job. i do have other things to do, but who rolled up their sleeves across our critical infrastructure sectors and helped to make sure that we got this right. so subtitle of that national infrastructure -- to strengthen the security of critical infrastructure. and it reflects the lessons we have learned and continue to learn day in and day out as we strengthen those relationships and that interaction. so, i'm going to wrap it up, you kn know, the bottom line of my message is, we're from the government and we're here to help. and that's a pretty guaranteed laugh line. but it really is true. and i think increasingly, our

stake holders are coming to see that we really mean it and that in fact that we have a lot that we bring to the table to help in what is increasingly seen as a shared mission, to preserve the functionality of those services, and goods, that under lie our way of life. than's when we talk about critical infrastructure, that's really what we're talking about, we're talking about all those things, that go into our day to day, that we depend upon to sustain and enrich our ways of life. that's critical infrastructure. this is that broad. and traditionally, 85%, we say 85% of it is owned by the private sector. one of these days we'll figure out whether that's true. but it's somewhere around that

number, in any event. the vast majority is owned by the private sector. so that relationship is very important. we have things we bring to the table. so as lawyers out there, those of you in this room who work with clients in the critical infrastructure owner-operator arena, lawyers are always very cautious and i think appropriately so, that's what we get paid the big bucks for. but i want you to know, that we do come -- when we come and knock on the door and offer to do a vulnerability assessment. when we respond to a call that says we think we have seen an intrusion or breach, those of us who are coming from npbd, we're coming for no other reason than to help you, we don't have a law enforcement mission our colleagues in the secret service go after organized crime and financial crimes.

but in npbd we don't have a law enforcement mission and we don't have an intelligence collection mission, our mission is just about helping strengthen the security resilience of critical infrastructure. so i would encourage you to encourage your clients to feel comfortable in reaching out. the information is protected under the protected critical infrastructure regime and we have never had an unauthorized disclosure of information that was protected under that regime, that was stet up when the department was -- i have been working with the american bar association to try to see if we can't get a more clear statement about the responsibility of lawyers that are doing due diligence in mergers and

acquisitions to include cyber security in the risks they are assessing and analyzing. acquired companies and later find out after they have connected all their networks and systems that that company they acquired did not have good cyber hygiene and was riddled with problems that have now infected the entire network. lawyers need to help with that. auditors need to help with that. venture capitalists, sayingive you're invested in a company, you're investing in large part in that intel lek k4u8 property, and if you haven't done your due dpil negligence -- you are throwing your money down a rat hole, because that intellectual property is going out the backdoor. attorneys in this room and your

colleagues work with these folks on a daily basis, i need your help in spreading the word. the more security any of us become, the more secure the rest of us are. this is a working collaboration and only by working together will we meet this challenge. but i am confident that those of you in this room understand that, that's why you're here today, that's why you're going to be here for the next couple of days, and i thank you for the work that you're doing and for all of your help as we tackle this significant changes. thank you very much. so i talked longer than i meant to for which i apologize. but i am happy to take a few questions. i see david wolf in the back of the room, which reminds me, you should never sort of thank

people oreck nice people in your organization, that i certainly meant to call out among the talented people that we have in npbd, our assistant secretary, for the office of infrastructure protection and has really been with npbd since it's inception, if not the day of, or shortly photograph brings tremendous expertise to that role and energy and passion. and david wolf who works with her as the head of the infrastructure security and compliance division, which is the office that manages cfacs. and david and kaitlin have done an outstanding job of turning around what was a very troubled program that was -- that had a very difficult time getting off the ground. and i'm here to tell you that within the last two years, they have with their team gone from having approved zero, no sight

security plans for highest risk chemical facilities across the country to having just signed the 1 ,000th approval, so they have gone from zero approvals to 1,000 approvals within the space of two years and they are on a great trend line to get through what became a pretty significant backlog of plans to be approved to raise the security for the country with regard to his highest risk chemical facilities, they are making a difference every single day. >> questions? >> yes. >> we have a microphone up here, please come up to the microphone if you have a question.

>> i'm not shy, let me ask a question if i could. suzanne, i know you can't look into a crystal ball right now and think about, it's been more than 10 years since the department was created, if you could project ahead what you might be seeing in this sector in the next ten years. i think you have touched on that already in your remarks. i'm going to ask a multipart question, this is always the thing you get sometimes with questions like this, but i'm thinking about the international piece, the second piece, the international, when i worked for tom ridge, one of the comments he made to me as he was going out the door, he wished he had spent more time on the international piece. so much of this is domestic, but if you could toich on the projection ahead and the international piece. >> that's great, joe. i'll start with the international piece and i

appreciate you bringing it up because it's a critical part of what we do, and our folks are very much engaged in conversations and collaboration with their counter parts across the globe. we have a particularly rich relationship, of course, with our what we in the intelligence community refer to as the five is, which manifests it's in the critical five, and the ottawa five and any one of these forums in which critics some together. but dealing with the eu on these issues and folks, as they say around the world, on both the general critical infrastructure protection across all hazards, in the counter terrorism context and of course in the cyber context. and in the cyber context in particular, we have very strong and active relationships fwun our computer emergency readiness

teams and certs that are being set up all around the world by other countries. the uk had a couple of certs, but there are certs in lots of countries with which they interact on a daily basis. and that is obviously essential. these threats i mean it's most obvious in cyber, but it's true across the board. mother nature really doesn't know borders and we saw that as we contemplated the effects of the tsunami in japan. we have got to have that international piece. the 10-year again, the landscape changes so rapidly that it is an incredibly hard challenge to think about what we might confront. but i will tell you my utopian

vision for where i would like to see us heading and where i would like to see us closer to in ten years. and again, it starts with this notion making. it is really all about better understanding and taking advantage of our comparative advantages. it goes back to these partnerships with our stake holders across dhs, across the federal interagency, state and local territorial, tribal, private sector and international that we would all understand each other's capabilities, authorities, limitations and that we would have an ability through our shared information exchanges. we would have tremendous situational awareness of what's going on in the world out there. we would be able to detect property bagss. we would be able to quickly

share that across all of those stake holders. and we would understand inherently, you know, who can bring what to bare to address that challenge. and as the situation changed, we would understand to -- okay. now you've got -- the situation has now changed. you now have the comparative advantage, over to you. i've got the con and that we would be able to -- in that way, you know, really bring all of the talent, the resources, the capability to bear in a very efficient and effective way to address these challenges. so, that's a pretty utopian vision. i understand that. but i think it's important to have some sense of where you would like to go, where you would like to be as you build capability and as you build those relationships. >> hi. my name is kimba walden at dhs. you mentioned for a minute that you were working with the ava to

encourage the private bar to do more effective due diligence on evaluating cyber security networks before they merge. i'm just wondering if you can talk a little bit more about the contours of what -- how your incentivizing the private bar to do that and what the response has been. >> yes. thank you. i have been working most closely with my former colleagues at the aba standing committee on law and national security, but they are reaching out to the business law section and others in the aba, very early stages of those conversations, but just before i went into the department, help stand up a cyber security legal task force in the american bar association and i met with them in boston at the aba annual meeting just a couple weekends ago and again encouraged them to put this on the agenda. and there is a resiptivity and understanding that this is really just a fundamental part of what the -- of their responsibility and what they

should be doing. so i don't think this is going to be a hard challenge to get lawyers to sort of again take this more seriously and stand up to it and there are a lot of lawyers -- don't get me wrong, who are doing this extremely well today and who have -- from the get-go understood the por s importance of this. the goal is to get those best practices out more broadly to folks. in terms of sort of how do you do that, it's the same kinds of assistance that we are providing directly to critical infrastructures owners operators into small and medium-sized businesses and businesses of all size all across the country. first and foremost, we're encouraging folks to use the sieb security frame work developed by nist with help of dhs and the private sector which was developed pursuant to the cyber security executive order. that cyber security frame work is not just a compilation of best practices, which it is, it

is taken from the private sector all of the standards and things that are already out there and best practices and they put them and they've organized them, what is, i think, most useful is really the tax onmy. it gives us a language and a way of talking about and addressing the threat. it's those five categories, right, identify your risks and the assets that you need to protect to look at the steps you're taking to protect them to detect things that might come in, to respond, and then to recover. pretty basic, but to have that framework and have everybody adopt that, gives us a way of talking about this. and then there's very useful guidance in there about how you would implement this in a business with a meeting of your board of directors to provide high-level guidance and make sure they understand the importance and the allocation of resources, providing direction to management that then provides technical, you know, more

granule lar guidance to the technical team and feeds it back up. all of these elements of framework are very important. the department of homeland security has the responsibility of assisting entities in using this framework to improve their cyber security and we do that through a program we call c cubed vp because you have to have an acronym for everything. it's critical infrastructure cyber community because it really is a community effort here. voluntary program. and if you go to the uscert website, u.s.-cert.gov. mitigation guidance, et cetera that the u.s. cert puts out. so that is out there for the legal community, law firms are increasingly targets themselves because they hold customer data and oftentimes intellectual property of their clients,