
Politics Public Policy Today. CSPAN, October 27, 2014, 5:00pm-7:01pm EDT

5:00 pm
given new identities, and once again, that system is essentially disposed of. never used again. so this is a concept that would be very frustrating to an adversary. imagine them spending their time mapping, trying to find holes. maybe they actually identified some. but the next time they come back to take advantage of that, that system's no longer there. so how do we get there? how do we move from the react and chase model to this proactive disposable concept of operation? one thing you don't do is take the current security architecture and implement it onto the flexible reconfigurable infrastructure. for example, you wouldn't want to take today's monitoring applications and put them into the cloud. all you're doing is implementing the same paradigm and you're still going to be reacting and chasing. what we need to do is take those six key building blocks, we need
5:01 pm
to bring them together, we need to accelerate the integration of those six technologies, and then we need to build that proactive model for security. this will make it far more difficult for the adversary to gain access and persist. if there's an insider threat, it will make it far more difficult for him to breach out and grab information he's not permitted to have. so if we want our systems to be more resilient in the future, we need to think about making them disposable. thank you. and i guess we'll take some questions now. thank you very much. [ applause ] >> i've been given the opportunity to ask the lead-off question. and i'm going to seize that opportunity. so, first of all, vern, i love this image that you present of moving the momentum from the attacker to the defender. and it's very helpful to look at
5:02 pm
the three core and three supporting technologies that could create a disposable system. within those three, is there an area that your team is thinking most about, and/or a next step in the integration that would move us forward in creating these disposable systems, i.e., where should we focus next? >> well, we're researching each of those technologies. and some of the customers are also researching each of those technologies. i think where we need to go next is in the direction of bringing those six pieces together. and really figuring out how to implement that disposable command and control, that disposable security model to wrap around the six key technologies. we're already working on the individual pieces. >> okay. great. let's have some questions. from the floor. i think, is there a mic? the gentlemen here on my right.
5:03 pm
>> hi. thank you so much. this is very informative and interesting. my name is guy taylor. i'm the security team leader at the "washington times." i have a question about, you were touted as someone who speaks english -- or common language about this. let's say this hypothetical uav mission that you're talking about involves recording some video. where would that video then be stored once these systems are wiped? and would that system on which that video is stored be something that gets recycled constantly? it sounds like an inconceivable amount of data that would have to be wiped and moved, wiped and moved all the time. >> yes. good question. so we're actually not talking about disposing of mission data. you know, the recorded video would potentially be temporarily
5:04 pm
stored onboard, or moved into a back end cloud infrastructure. and what we're talking about wiping and restoring are the infrastructure pieces of the system. so the processors and operating systems and the software that collects the video is what would be wiped clean and restored. the mission data would be preserved, and put into the cloud, and moved, and changed as part of this moving target, disposable model. >> in the back. could you state your name and affiliation, please, when you take the mic? >> hi. brian nelson, private security consultant. my question is, what about cost? and risk analysis? you talked about having multiple sets of laptops, infrastructure, businesses have a huge cost there. so how are you going to get them
5:05 pm
to buy into this? >> right. so that's a good question. i've been asked that before. what is the cost of something like this? and i think you want to look at this from a life cycle cost perspective of a breach. what does it cost when an organization, whether it be a military organization, or a financial organization, experiences a breach, what does that cost. the second dimension of cost is the man-hours. how much time, how much money are we spending chasing, reacting, searching for things that are no longer there. we want to shift that to a more efficient use of those man-hours. those are really the two biggest variables in the cost equation. cost of the breach and the cost of the people. and i think if you move the needle on those, you're going to wind up coming out ahead. >> we have time for one last question. that was fast.
5:06 pm
yes? the gentleman in the black shirt here. >> voice of america. in terms of the rapid response that you mentioned that is going to shift and you're going to have disposable responses, is that country-specific? we know iran, china, russia used different tactics. do you also analyze what kind of method they used so the response you would give would be specific to those countries? >> i think one of the advantages of a proactive security model is that it's somewhat agnostic to the attacker. our goal is not to try to analyze, react and chase what the adversary is doing. our goal is to take control of our own systems. and proactively configure them so they're very hard to gain access to. so independent of who's attempting to gain access, whether it's a criminal, a cyber vigilante, a nation state, we want to take control of our systems. that's what the proactive security model is all about.
5:07 pm
>> vern, thank you so much. it's fascinating to hear of a potential more agile response to responding to cyber attacks. we appreciate your comments immensely today. [ applause ] >> we're now going to move to the next phase of today's discussion. and i want to introduce mike farrell who will be up in just a moment. mike is the editor of the monitor's new pass code veteran. he's a business correspondent who shared in the "boston globe's" prize. he was reporting from our san francisco bureau, and was at one time our middle east editor. we're thrilled to have him leading our pass code team. mike's going to introduce you to our next speaker.
5:08 pm
5:09 pm
>> are we all mic'd up? everyone can hear us? great. i'm mike farrell. i'm editor at the "christian science monitor." i'm pleased to introduce michael daniel, who probably in this crowd needs little introduction. but he is special adviser to president obama, and the cybersecurity coordinator, which i think he himself has described as sort of a job of herding cats. because he oversees many different agencies when it comes to their security implementation. and issues. and so i'll turn it over to michael. he's got some words to say. and then we'll do a brief q&a, and then turn it over to the audience. >> thank you, michael. thank you, everyone, for coming out this morning. and participating in this event. i would be remiss if i didn't remark that it is national
5:10 pm
cybersecurity awareness month. i appreciate all the interest in this particular topic. i think one of the points that i would like to make, just to start, you know, i think that cybersecurity, you can clearly see it emerging as one of the challenging things we face for the 21st century. i think that is actually driven by several factors. one of them is actually at its root, it's not obvious why cybersecurity is in fact such a really hard problem for us. if you look at the data on intrusions, it actually is pretty clear that most of the time the bad guys are getting in through holes that we know about, and holes that we know how to fix. so at one level cybersecurity shouldn't actually be a hard problem. but if you take a step back and you think about the various aspects that cyber has taken on, and given the depth of penetration it had into all of our social lives, our private
5:11 pm
lives, our public lives, in terms of the interaction with the government, and in the private sector, our commerce and economics, you start to realize that cybersecurity is not primarily a technical problem. it is also an economic problem, in terms of incentives. it's a human behavioral and psychological problem. it's a physics problem, because of the way networks are constructed. it's a political problem, because of its international dimension. and when you start to roll all of that together, suddenly you have what the folks in boston might call a wicked problem. and the -- that's what i think starts to actually make cybersecurity the particularly difficult challenge that it is for us. and that's why i think it takes such a wide variety of disciplines to begin to address the problem. from the administration side, one of the things i wanted to highlight for this audience
5:12 pm
today is our efforts to actually expand the cybersecurity work force. so to address that problem, you really want a much larger and much broader work force than we currently have. we need a much bigger work force to deploy against the problem. and it needs to have an incredibly wide array of skills, ranging from a lot more technically focused folks to help companies out with -- and government agencies out with their immediate technical problems associated with cybersecurity, but also people that understand how cybersecurity interacts with their industries. how it interacts with industrial control systems. how it interacts with our financial sector. so from a policy standpoint, from a legal standpoint, from an international standpoint. so from the administration standpoint, we're really trying to drive a connection with the administration's jobs-driven training initiative, and in fact earlier this month we rolled out a whole slew of grants for
5:13 pm
community colleges and other universities, a lot of which will go to cybersecurity related programs to support efforts in expanding that. and of course, because this is washington, we have an acronym for our efforts in this area, the national initiative for cyber education, a nice acronym, nice. that's focused on three different efforts. one is to expand a heat map -- develop a heat map of where the cybersecurity related jobs are. to really expand the number of cyber centers of academic excellence that are accredited by dhs and the national security agency, and to expand the scholarship for service program that funds specific cybersecurity related scholarships. and all of that effort we're really trying to just do what we can from a policy perspective, to drive expansion in our work force, so we have the personnel
5:14 pm
that we'll need to address this wicked problem that i've talked about. i'm sure there are a lot of other topics that folks want to get into, some of which are strategic, and some of which are topical. >> you bring up great points to confront this wicked problem. you also say it's in many ways not that difficult a problem. in hindsight when we look at a lot of the breaches that occur, some of them are occurring because of vulnerabilities we already know about. it's not just an issue of throwing bodies at it, it's also a mind-set shift. >> that's correct. >> so how do you confront that issue? is it training? is it redirecting the work force to do their job that they should be doing in a better way? is it a technical fix? >> i see it as a combination of all of those factors. that some of it is baking the security in up-front, so
5:15 pm
developers, as they think about developing software, and apps and other things, that security is just one of the aspects, along with usability, along with the interface, that you consider when you do development. so that's one aspect of it. another is really the, i think some of the ideas that are embedded in the cybersecurity framework of standards and best practices. it's, as a business, as an organization, how do you think about cybersecurity risk. and sort of really starting to embed thoughts about risk management, and cyber risk management the same way that companies manage their litigation risk, or their product risk. and that it's something that you invest in to manage the risk. in other pieces of it, it's really us understanding how to enable technologies, and capabilities that are focused on how people actually have to
5:16 pm
interact with their information technology. so one example is killing off the password. frankly, i would love to kill the password as a primary security method because it's terrible. but it has to be -- but when we think about replacing it, it has to be replaced with something that's actually easy for people to use. >> right. so what would replace the password? >> i think there's going to be a variety of technologies that will be able to do that. some of which will be biometric related. you started to see some of that with the emergence of the fingerprint readers, but also you can use the cameras on cell phones, which are now ubiquitous so the selfies are actually used for something besides posting on facebook. there are also, you know, all sorts of different related technologies that can make use of multi-factor authentication that's still easy to use, because of the way that people use their devices.
5:17 pm
card readers. all of those factors will be combined. i don't think there will be one solution for everything, there will be multiple different solutions. the other thing is, we'll do solutions at different levels. because there will be things that we really care about securing like your bank transactions and things you're a little less worried about like the cat videos on youtube. >> those are important. so, you know, this being cybersecurity awareness month, the monitor did a poll recently to see exactly what people are doing to improve their security, especially after the string of high-profile breaches we've seen in the news. we found that basically half the people did something to improve their network, and the other half did nothing. of the people who did nothing, they said, well, they're not really concerned about it. is that -- i mean, is that a realistic view of the current landscape, given what we're confronting? >> i think that cybersecurity --
5:18 pm
you're not going to be surprised that the cybersecurity coordinator says this is an issue that affects everybody. i would not be doing my job well if i said otherwise. but i do think that it's an issue that everyone should be concerned about at some level. because almost everyone lives some aspect of their lives online, either in the form of how you interact with a company, how you -- the data that a company might have on you, even people that are largely not connected are still -- their data is online in various places. it's something everyone should really have some concerns about. but i do think that what that shows, though, is that we still need to work on, again, i come back to making it available and easy for people to use, and to do, and to make it sort of security by default rather than something you actually have to
5:19 pm
work really hard at. >> what would that mean, security by default in terms of the apps people use and the websites they visit? >> sure. so, i think that a lot of this comes back to how do we do the development work, to make sure that we're developing a secure code, from the beginning. how do you have systems that are much more intelligent themselves about monitoring their own activity, and bring in the disciplines of things like biology, and how do you have networks that are sort of have the equivalence of the t and b cells that live in your body and hunt down intruders. it's just sort of present on the network. all of that happens, you know, much more in the background rather than being something that people have to actively engage in. it also, i think, is making the
5:20 pm
services available to both businesses and consumers, so that they can set them up and have them be functional on their networks. >> should the government be pushing the private sector harder? this framework is nice, it's voluntary, should it be mandatory or should there be aspects of it that should be mandatory? >> from our perspective, we firmly believe that it can remain a voluntary standard -- or voluntary framework, and still be effective. we actually have a long history of voluntary standards being quite effective in the united states. i think that ultimately it's the market forces that will really make that take off, and go someplace. that's the most effective tool that we can harness in that area. >> the whole focus of this talk is developing america's edge in cybersecurity. >> right. >> i think clearly anybody who looks at the news can see, well, we don't have the edge.
5:21 pm
i think probably everyone read the "times" story yesterday about the white house being concerned about jpmorgan, that shouldn't be a surprise. but the "times" article didn't really say what the white house is talking about, so we're glad you're here to fill us in on that a little bit more. >> i think that in general, we have watched for several years, you know, the trend of the malicious actors in cyberspace, trying to figure out how to target our critical infrastructure. and the financial sector is, you know, as we all painfully learned in the mid-2000s is a critical part of the economy and definitely a critical infrastructure for us. obviously anytime we see one of our major banks being targeted and successfully targeted, that is going to be a source of concern for the white house. i would put it in its more general context, though, that it is really the broad trend of the targeting of u.s. critical
5:22 pm
infrastructure, and how is it that we can do a better job of protecting that critical infrastructure over the long term that is particularly concerning to us. well, obviously we're concerned about any incident that exposes that many people, as that incident seems to have done. it's also the broader longer term trends that we're very concerned about. >> specifically which trends? can you point to a few things that you're most concerned about? >> sure. if you look at sort of three broad trends that you can pick out, one, we are hooking more and more stuff up to the internet all the time. the so-called internet of things that has already somewhat arrived. you know, your thermostat, your coffee maker, your car, your refrigerator, they're all now threat vectors in cyber terms. so that's made -- we thought doing cybersecurity in the world of wired desktops is hard. now we'll do it with a big data
5:23 pm
mobile cloud. just throwing the buzz words in at the same time. [ laughter ] that makes the problem just that much harder. >> right. >> we've also watched the malicious actors be willing to move up the threat spectrum. so now it's not just a matter of doing the digital equivalent of graffiti, but they are actually willing to take destructive steps. we saw that with the arab oil company in 2012. we saw it with the south korean banks in 2013. we saw it in our own financial institutions here. and we also know that the tactics and the capabilities that are available to the malicious actors are also growing. they frequently don't have to use them yet. but we know, and we can watch their sophistication growing. if you actually just look at -- there's kind of this myth now that a lot of the hackers are
5:24 pm
still, like the disgruntled teen in their mother's basement, there are still some of those, but hacking is a big business. and they are run like businesses. many of these organizations actually operate along very structured corporate lines. and so the sophistication that's available, and the resources that are available to them are far, far more extensive than they were, say, ten years ago. >> that's pretty interesting. because the hackers are basically many steps ahead of what we're doing now, to try to protect our networks. i mean, given that that's the case, should there -- when you think about the world of critical infrastructures, which i guess there are 16 sectors, right? some are semi critical, some are really critical, when you talk about the electrical grid and the nuclear power plant, could you just pull the plug essentially and is that the best
5:25 pm
way of protecting a nuclear power plant, for instance? >> as tempting as that might be, to do with a solution, i don't think it's possible for us to wind the clock back and not have some of these systems enabled for access. now, i think you need to think about that. there may be some systems that we actually decide that we may want to set them up so that if you -- you may be able to get data from them remotely, but if you actually want to make changes to them, you have to be physically present. you could set up the systems to do that. but one of the rules that we have around our office is that expediency will trump cybersecurity every time. so that unless you specifically put in policies to prevent that, most people will take the expedient route. and you find that a lot of times when these systems end up being connected to the internet, that's because, well, that was easier for the engineers or
5:26 pm
whatever to do their job. and that's true. but there is a security downside to that. organizations need to think about that, that convenience versus security tradeoff. and actually do that as a more explicit risk calculation. in some cases, it may well be the case that the asset is so particularly critical that you don't want it directly connected up. in other cases that may be a risk that you're willing to live with, with putting into place other compensating controls. but i think that's something that needs to be given a lot more explicit thought, rather than sort of letting it just kind of happen. >> right. are there particular areas that you think that we should sort of limit that access? >> it's a little hard for me to say from not sort of being deeply involved in sort of all the technical aspects of all the different industries, right? but clearly, what i would argue is that the -- that's where that combination of the subject matter experts and the security folks in any given organization
5:27 pm
need to have some real conversations about what the risk is, and what the benefits are, and really explicitly make that tradeoff. >> one thing that's come up recently, i think, in debates in washington, in the industry, is this notion of having a professionalized cybersecurity work force. in addition to just having more trained people in the field, or just more people, the notion of having somebody who's actually certified in some way, being cybersecurity specialists, what's your view on that? >> i definitely think that cybersecurity will evolve as a discipline. and it is, i think, becoming its own discipline. and it's not the same as some of the other technical computer science fields. and it involves, i think, bringing in capacities from other areas. so i think it will evolve into its own discipline. and i think having some of the certifications would be a good thing. >> so you yourself have had to
5:28 pm
learn a lot about this field, right? >> sure. >> you're not a techie. >> i'm not. >> you're not an engineer. you took some grief for that in the press. >> i did. >> what did you think about that? >> well, actually, i was -- it happened during august on, like a friday. that was par for the course in washington. and it kind of just comes with the territory, i think, here. i think some of it, though, was a misunderstanding of what i was trying to say, which is that the -- that was my point about why i think cybersecurity is such a hard problem, is that in fact it involves a whole bunch of different disciplines. and in -- and we need a bunch of different disciplines in order to actually address the problem effectively. so we certainly need, and as i was mentioning about our work force initiative, a huge part of that is focused on the technical work force we need to run the firewalls and develop the software, and manage the security systems.
5:29 pm
but you also need people that are savvy about cybersecurity from a policy standpoint, and about how to actually get organizations to make those risk management tradeoffs. how do you actually get organizations to make changes. how do you get the government to actually do something. and how do you get the bureaucracy to actually function. those are all different -- those are actually different skill sets, and we need them all in the cybersecurity area. if you look at, for example, the cybersecurity directorate on the national security council staff, i have an incredibly wide array of people who have very -- who are engineers with technical skills, but also people who are primarily have legal backgrounds, people who have done development work, in the international space, people who have spent time in the military, people who have spent time in law enforcement. because all of those are different aspects of the problem that we need to bring to bear on
5:30 pm
the issue. >> i imagine your experience in government, with the various agencies helps you with the herding cats issue that you have to confront. >> yes. >> in your role as a coordinator, you don't have any real power over these organizations, right? you can make suggestions, but you can't say, you have to do this. do you think that role has to change in the future? >> actually, i don't. i think that the -- i believe that as with any of the white house jobs, a lot of it is about the soft power. and the way that you work within the bureaucracy and the different agencies to get them to align policy, and move roughly in the same direction. and i think that with -- you can be very effective in that space as long as you understand how that space actually operates. i think that cyber is such a
5:31 pm
humongous issue, that you're not going to be able to put any one person in charge of it in that sense. i actually think that would be -- i actually think that would not work very well. you actually need somebody who can get to the various aspects of the law enforcement agencies, what we're doing to protect our critical infrastructure, what we're doing in the military and national security space. you're never going to put all of that under one person. and i don't think that would be a good idea. so you really need to have those skills to manage across those different agency lines. >> can you give us a bit of an update of what you're doing in congress to get the cybersecurity legislation moving? >> sure. we've been heavily involved with working with the committees on the -- the relevant committees of jurisdiction in both the house and the senate, to work on the legislation, and make improvements to it, and get it into a place that could pass
5:32 pm
both houses, and the president could sign. we remain committed to doing that. but obviously getting anything passed on capitol hill right now is quite a challenge. so i think that we try to be realistic. it's something we remain heavily engaged with. >> we talked a little bit about smartphones before coming on the stage. another thing in the news is that apple and google are strengthening their security protections on their phones, something that fbi director and the attorney general don't really like so much. what's your view of that? >> well, i think if the -- the issue is not so much strengthening the encryption itself. obviously if you look at the framework, the encryption is the best practice in cybersecurity. encrypting data in motion are obviously smart things to do. so it's not so much encryption
5:33 pm
itself, it's how is it that the government and our law enforcement agencies can continue to gain access to information in the course of an investigation, in a court-approved process, in a way that doesn't put something completely beyond the reach of law enforcement. you know, even things that are in safes or other places are reachable by search warrants in many cases, so we don't want to have something that puts it utterly beyond the reach of law enforcement in appropriate circumstances. on the other hand, i think clearly we need to improve the use of encryption, and how we employ it. and in many cases, that's something that would be very beneficial, for example, in protecting our intellectual property. this is a really hard area. and i think the reason that you see we've had debates about encryption going back decades, and probably for as long as there's been encryption,
5:34 pm
probably the babylonians and greeks had use of it in some form. i think this will continue to be a policy tension that we'll have to try to navigate. >> you'll have to talk to jeff moss about getting better hackers. anyway, i think we have time for questions from the audience. if anyone's got anything. you there. >> dave prayer from politico. can you elaborate a little bit more on white house observation of what's going on at jpmorgan and the other financial institutions, in what context? was it stand-alone briefings, briefings to just randomly suggest something, russian sanctions? >> i think the way to think about this is that we keep
5:35 pm
the -- part of our job on the national security council is to make sure that the president and his senior advisers remain informed about the wide array of national security threats that confront the country. and so that that was the context in which we were treating this particular issue. it is part of an ongoing law enforcement investigation with the fbi and secret service. so there's obviously a limit to how much i can comment on an ongoing investigation in that area. so i think that it's something that, again, we pay attention to in the sense of that we are mindful of all the threats to our critical infrastructure, whether you're talking about the financial sector, the electric sector, the telecommunications sector. and so we've put it into that broader concept. anytime we see specific targeting or successful penetrations of those kinds of companies, it's something we're
5:36 pm
going to engage on. >> you in the back? >> sorry to hog the microphone. but i don't think anybody else had their hand up. thank you very much. maybe this is a difficult question and i don't want to feel like i'm conflating things. but broadly, one of the topics that you two have bounced back and forth on here is the extent to which the executive and the legislature should be potentially pressuring private companies to adhere to certain cybersecurity standards. and on one hand, i think you said that in fact the administration's position is that the government should not be pushing private sector harder, because market forces can be trusted to take care of such. but on the other hand, you said expediency will trump cybersecurity every time. so in a week in which the jp
5:37 pm
attack might have been averted if certain standards were in place, which is it? >> i would say that there's a difference between making something like the n.i.c.e. framework mandatory, and saying the government doesn't have any role in controlling and pressuring the private sector to continue focusing on and doing a better job in cybersecurity. and i'm always concerned about a regulatory framework, that is, the speed of regulation does not move at the speed of technology. and so we want to be very mindful of that fact. that's why as we have tried to make, for example, the framework technology agnostic, neutral for that very reason. that's not saying the government doesn't want to work with the private sector to improve
5:38 pm
cybersecurity across the board. in fact, i firmly believe that one of the key challenges we face is actually figuring out how the federal government should interact with the private sector, with respect to cybersecurity. and it won't be a traditional regulatory framework. it also won't be a traditional contractual framework that we've used, where we're just buying goods and services from the private sector. it's going to be a new kind of partnership. and that in fact is kind of one of the defining policy challenges that we'll be working on over the next, i would argue five or ten years really is. how is it that the government at all levels is going to interact with the private sector on this issue, that cuts across so many different boundaries and jurisdictions, both within the united states and internationally as well. >> talking about hiring
5:39 pm
cybersecurity staff. when you've spoken to people in the industry for years, they said some of the main problems with working for the federal government has been salary, job structure, and also the issue of getting a job with the federal government, it can be a bit of a pain. we haven't seen -- >> that's an understatement, yes. >> those are three areas that we haven't seen much movement on. i'm wondering if there's any push, any progress? >> we are pushing on various -- along various avenues trying to address some of those problems you're talking about, including trying to get broader hiring authorities in cybersecurity, for cybersecurity professionals, to make it easier to move among agencies once you're in the federal government, to address some of those key problems. i think that it's unrealistic for the federal government to expect it will compete with the private sector on salary. directly. and so i think that we can do a
5:40 pm
better job in that space, but we're never going to completely overcome that, so we have to address it more in the form of kinds of work that you get to do in the federal government, that you are not able to do in the private sector. and focus on those aspects of the job. it's a complicated area, and it's one that we're trying to dedicate some resources to addressing. but i think that, you know, overall, we still have to grow the work force as a whole, because we're still poaching from -- everybody's poaching from everybody else from the limited talent pool out there. >> what's happening in that regard in terms of recruitment? are you going to college campuses, showing up at m.i.t. and carnegie mellon to get kids to come work for the federal government? and how does snowden's nsa incident hurt that? there is obviously a pr problem
5:41 pm
that plays out there. >> certainly we're trying to do recruitment and expand our efforts in there. clearly, the fiscal challenges the federal government has faced overall have not made that any easier to do. i would say that we continue to try to focus on recruiting the best talent that we can. and certainly nsa has faced some challenges with the revelations as you said. but what's interesting to me is that, you know, the cyber skills are really needed across a wide variety of places in the federal government, including our law enforcement agencies, which more and more crime has moved online, so they have a greater need for that. dhs has a huge need for cybersecurity experts in protecting critical infrastructure. places like n.i.c.e., that developed the framework, they have a need for cybersecurity
5:42 pm
work force. so i think that it's also something that we're having to address holistically across the federal government. >> anybody else? >> i'm josh higgins from inside cybersecurity. i was wondering with the n.i.c.e. workshop coming up, what does the administration hope to see come out of that and moving forward in the framework? >> a large part of what we're hoping for with that workshop is really starting to get some feedback from organizations about how they've actually been employing the framework. and what's been their experience with using it. what has been the strengths, what's been the weaknesses of it, where does it need some refinement, some clarification, expansion. we know that one of the areas that was less well developed in the original work that we did was in metrics, for example, how you measure employment, and the effect of the framework on the
5:43 pm
organization. we still need more development in that area. so those are the kinds of things that we're hoping to get out of that workshop, as really sort of a lot of the experiences with how the framework's been actually employed. >> i'm with the federal "times." just to follow up on that, i wonder if you could talk in what you're seeing with the adoption of the framework, how you're measuring that, especially when it comes to the government agencies that are involved. thanks. >> there are a couple of different aspects to your question. certainly from our perspective, we have gotten a lot of feedback from a whole bunch of different sources, including the sector coordinating councils that dhs works with, our different agencies that have connections with different industries. treasury with the financial
5:44 pm
services industry, energy department with the energy providers. i mean, and in our own connections with the tech sector and other things. in general, the feedback we've gotten has been very positive for the framework. and even companies that oftentimes will tell us, yeah, we're not going to completely come out publicly and completely embrace the framework, but we're using it internally. and even if we aren't officially using it, we're using it to benchmark our progress, to measure ourselves against. i think that in general, we're seeing more and more different uses for the framework. you're seeing different sectors come up with their own sort of overlays for the framework. in my own mind, i actually view the framework's success as when people start using it for things that we never even anticipated in the first place. that would actually be a really good sign of adoption.
5:45 pm
internationally, we've gotten a lot of good feedback from other governments, that they are looking at how to use the framework in their own domestic contexts, which we think is really important. you also raise the federal government itself. the recent guidance that came out from the office of management and budget is tying it ever closer to the framework. and so i think agency cios are getting tired of me coming and talking to them about how they have to use the framework inside their own agencies. that is clearly the direction we're moving in. and that we're bringing those principles in to how we manage the federal government's own cybersecurity. and we're developing in fact an overlay for the federal government that's related to the framework. >> so if, say, for instance, jpmorgan had -- you've been following the framework, the
5:46 pm
breach that happened, are there others like it? >> maybe, maybe not. the framework isn't a particular cookbook for a particular set of security controls. so without having more of the detailed knowledge, it's difficult for me to say. what i can say is what the framework enables you to do is start to think about your cybersecurity from a risk perspective. and so what it enables an organization to do is really have a way of confronting what is sometimes otherwise seen as an intractable problem. >> i think we've got time for one more question. the gentleman there in the black blazer. >> aaron from the university of washington. >> you flew all the way in from washington. >> courtesy of the tech policy lab. my question is, we talk about the jpmorgan breach, the target
5:47 pm
breach and so on and so forth, and these are just hits that keep flowing in the media. but the operational reality for cybersecurity is you assume you've been breached, and you do something about that. and there's a distance between that, that i feel like may not better inform the general public. what are your views on how to kind of bridge that gap? >> so i think that when you look at -- i take it back to the framework. when you actually look at the framework, the very first thing the framework actually talks about, has nothing to do, it seems, with security at all. which is identify. but what it's really saying is, you've got to figure out what information you have that you care about. and why do you care about it. what do you actually want to protect it from. is it exposure at all? or is it that you want to protect it from manipulation? that's your greatest concern. so that starts to define how you think about it, and how you protect it, which is that second
5:48 pm
step. but also, the framework -- it goes on to say you've got to be able to detect when the bad guys are almost inevitably getting past your defenses. what are you doing to respond to them quickly and then recover from that. so i think that part of the way that you have to start to address that is, as an organization, you need to be clear about your holistic approach to handling breaches. all the way from the beginning: this is how we've identified the information that we care about, here's why we care about it, here's what we're trying to protect it from. and if something happens, here's how we're going to respond to it. here are our metrics and measurements for how we're going to respond and how we're going to recover from it. organizations have to learn how to treat that whole process from beginning to end as part of the cybersecurity problem, not just the protect part, which is the part that's easy to get focused on. in fact, i would actually argue that one of the things that we've been working very hard on in the federal context is the
5:49 pm
back end pieces, the response and recovery part of starting to build the machinery inside the federal government to not just do the protection mission, but also the response and recovery mission. >> there's also been a lot of talk recently from mike rogers, a congressman, about developing offensive measures in cybersecurity. a lot of what we're talking about are defensive operations. actually going -- you know, preparing ourselves to go out and confront these issues where they arise. any thoughts on that aspect of this? >> there are a couple of different aspects to that issue. one of which is that, i think that there are many different tools that you have to think about in that context. one of which is, well, there are a couple of different ways i think about it. one of which is, it's very rare that a cyber issue is purely going to necessitate a cyber response. in fact, actually, the proper
5:50 pm
response might be a diplomatic response. might well be a law enforcement response. it might be one that occurs in cyberspace. but it might be one that we do primarily through network defense. it might be one that we do primarily through law enforcement authorities. it is nevertheless true that cyber authorities are going to be a much greater part of statecraft. they have become that over the last 20 years. and that trend is going to continue. i think that as a government, one of our challenges is to think about how we talk about that policy development and how we talk about what the rules of the road are -- what the rules of the road we want to be in the international environment. you know, we want to, i think, start talking about how we establish what the norms of behavior are in cyberspace. things like you don't target
5:51 pm
critical infrastructure in peacetime. that you don't steal intellectual property for the benefit of your domestic companies. that you don't -- maybe that you treat certs like hospitals, that they're off limits, so that they can continue to do their network functions. so those are the kinds of norms that we want to promote in that space. it's another area that's going to involve a lot of policy work and development. >> i think we have time for one more question, if there's something else? yep. ed marino, i'm an attorney here in town. my question is truman did a lot of work for passage of cyber legislation. i think on the macro level, it appears like the president has done things like create your position, passed a couple executive orders.
5:52 pm
but it seems like there's a limit how far the government can go in implementing the needed reform for the private sector. so i'm just wondering. looking at things like cispa, what do you think the prospects are for passage of cyber legislation. and what are the ramifications if it doesn't pass? >> so i've been in washington a while now. there are a few things that you don't bet on, one of which is the weather. the other is congress. i think it's very difficult to project on that score. i know there are a lot of people up on the hill like representative chairman mccaul on the house side. on the senate side, you have a number of senators, whitehouse and carper and others, that have been incredibly involved in the cyber issues.
5:53 pm
so there's a lot of interest in cyber security legislation. i do think from an administration standpoint, one thing that has evolved in our thinking is i do think it would get easier for us to get smaller bills rather than one giant, comprehensive bill. so getting whatever we can passed in whatever vehicle we need to, as long as the policy and the legislation is acceptable. that's one thing i would say that we're trying to do differently. we're trying to press forward with doing everything that we can. we do need to get to legislation, and i think that we will, eventually.
5:54 pm
we will continue pressing forward under the policies that we have. >> okay, good. thank you very much for talking with us. >> thank you very much for having me. i really enjoyed it. [ applause ] >> later today, an illinois senate debate between dick durbin and jim oberweis. and right after that live coverage of a massachusetts governor's debate, between republican charlie baker and democrat martha coakley. here's a look at some recent campaign ads there. >> just a few years ago, wall street gambled with our money and destroyed so many lives. we can never let that happen again.
5:55 pm
but that's what's at stake in this election. tax cuts for corporations. not much for the rest of us. we need an economy with a fair shot. equal pay for women. the old boys club wants charlie baker. i want to be a governor for you. >> democrats and independents across the state are voting for charlie baker. that's because baker delivers. creating jobs, balancing budgets, fixing government. >> he's pro-choice. >> charlie baker got people off welfare and made massachusetts first in jobs. charlie baker will lead massachusetts in a new direction. >> i'm voting for charlie baker. >> she's been a powerful advocate for women and kids. now, martha coakley is running
5:56 pm
for governor, with a plan that works for everyone. so our people get the skills they need to succeed, investments in roads, bridges and mass transit and creating regional economies so that every area of the state can thrive. martha coakley, she's not the insider's choice. she's ours. >> governor, dad? that's a bit optimistic. >> why not? >> you saved from bankruptcy. >> bipartisan leadership is what we need. we can make massachusetts great and create jobs. by controlling spending, lowering taxes and requiring work for welfare. >> no problem, i've done it before. >> recent polls list this race as a toss up. you can watch tonight's debate live at 8:00 p.m. eastern on
5:57 pm
c-span. >> tonight, on the communicators, president and c.e.o. of the wireless organization. >> as you remember, this is repurposing spectrum for the department of defense. and this process, the lessons learned have really been learned. it's paired, it's internationally harmonized. we are going to turn around and have the broadcast incentive auction. those numbers have really turned the discussion from a policy discussion to a business decision, which is where that discussion needed to turn to. so we're excited about both auctions. i'm certain that our carriers are going to come to them and it's going to be a win-win
5:58 pm
situation for everyone. >> tonight, at 8:00 eastern on the communicators on c-span2. >> october is the homeland security department's national cyber security awareness month. next, cyber experts from microsoft, google, facebook and the homeland security department. the event was hosted by bloomberg government. it runs an hour. >> thanks for joining us today. we're thrilled to be hosting an event with the department of homeland security on cyber security. we started bloomberg government back in 2011. we had the aspiration of creating a one-stop shop to help them make better, faster decisions.
5:59 pm
part of that conversation was convening legislation. last year, we did a study to see, over time, has government increased. it has over the past few years. we went back to that same methodology to see what companies have said about cyber security. in 2010, out of all of the u.s.-based companies, publicly traded, how many companies do you think mentioned the word cyber security in their annual report? thousands of companies? twenty. a total of twenty mentioned cyber security just four years ago. the world has clearly changed in that time. in fact, bloomberg government has written 122 pieces to talk about cyber security.
6:00 pm
we've held dozens of events and recently created a marketplace that identifies all the cyber security contracts by the federal government. so it is a new world. we're partnering with homeland security on this topic and on this event. we've got a great group of panelists. thank you for joining us today to discuss this very important topic. with that, i'll be passing things over to sandy who is our senior technology analyst. >> don, thank you very much. i'd like to welcome in everyone who's watching on our live web cast on bebo.com. we'll also turn to the audience for questions, and people who are watching online, please submit your questions. i've got an ipad right next to me and we can take questions that way, as well. this just seems to be a great time to help us in cyber security. it's not every day but every
6:01 pm
week we hear about a new major cyber security incursion. my colleagues from bloomberg news said they may all be victims of the same hackers. it's a great time to have the panel that we have here today. i'm just going to give very brief introductions because you have the detailed bios in your program. to the far side is andy ozment, the assistant secretary of communications at the department of homeland security. next to andy is angela mckay. right next to angela is benjamin strouss. and right to my immediate left
6:02 pm
is the security princess at google. he said he's considering it. but i guess my first question is we're hearing a lot about that. we're not quite sure what it means and we're not quite sure if it can help. so i guess just starting and then down the line to your companies. we'll even vet it to the side for a minute. built-in cyber security, what's google's take on this and what's google doing? >> i should probably preface by saying i'm an engineer. i joined google as a software engineer, or a hired engineer. our main goal is to make chrome, the chrome operating system, secure so people can browse the
6:03 pm
internet securely. as an engineer, i tend to think about that first. but, in my experience at google, i've been at google for about seven years. i've really come to appreciate the people and process side of that. now i think about how we've scaled in the past 7 years from where we had a dedicated security team that was able to support all google products at the time, and how we've had to grow that model to support all of the engineers and all the intimate processes that can make security part of the whole software engineering development life cycle. they're certainly a key technology. >> i'm actually a very engineering-specific angle. i'm a member of a security infrastructure team. what we try to do is minimize
6:04 pm
risk by building frameworks or tools that completely eliminate or vastly reduce the possibility of errors. actually, i think that that's exactly right. there's a big human element to it. we've actually empowered everyone at the company, not just in the product organizations. but across the entire organization, we actually run several programs to highlight security focus. >> you'll see as the panel goes down, i think we're going to get a nice blend of engineering experience and policy experience. i also have a background in security engineering at microsoft. but i'm part of a team that has been, if i'm sticking with these guys, forward deployed to help
6:05 pm
work with policymakers as they continue to struggle with these issues. microsoft's commitment to this series of issues is long standing. we consider security, privacy, reliability and transparency in the practices that we engage in with our customers. a lot of that has evolved over time. i agree with the comments of my colleagues here in terms of thinking about policy, process, the human element in training. >> you want to look across that full spectrum of doing the right things in design, engineering and coding.
6:06 pm
and at the same time, also really actively engage in the response process. most people know there are going to be vulnerabilities in hardware, software and services. and collectively, we need to be able to ensure that we can respond to those to make sure that we serve all of our customers' interests. >> we've heard a lot about nist. if you could talk about what the congress' perspective is and what they're really trying to achieve. >> we're attacking this from a wide variety of different approaches. on the one end, you have r&d and
6:07 pm
how we build things more securely in the first place. you have nist standards. to a more practical end of things, the f.d.a. just released a set of guidelines in the past few weeks as they build medical devices. a year and a half or so ago, the transportation department did the same thing for cars. so there's this whole spectrum of government activities, from the more forward, future-looking r&d to guidelines to individual sectors. we have to create the demand for
6:08 pm
secure products in the workplace. the work government does to raise companies and individuals. that's growing to help in itself. >> i think i have an idea what it means to take responsibility in the process and safeguarding passwords and those kinds of things. from the company's side, would anybody like to address what kinds of things we're talking about? >> sure, i can take a stab at this. >> i work on chrome. it's a browser. everyone needs to be thinking about security. and that's why we don't focus on any specific technology, but really principles.
6:09 pm
one of them is defense in depth. the idea here is that we need multiple defense layers. there will be holes and there will be bugs. and we need to make sure that if something is penetrated in one place, there needs to be protection. think about what you're promoting. there's a technology called sandboxing. what we try to do is really think about the principles.
6:10 pm
i think a huge benefit is focusing on common security pitfalls or vulnerabilities. it turns out they're actually the same class of problem. and we can actually fix those. when they're building a product, we come in with symptoms of common problems and solve them under the hood. we do things by default. >> one of the ways to really flush out these sort of things is bug bounties. so the idea that we can pay external security researchers a bounty for bugs in the software that companies use enables us to fix these problems and give recognition where recognition is due.
6:11 pm
one of the things that we've been doing for many years and i know other companies are using, as well, is something called the secure development life cycle. so this starts to look up front at the coding and the design of the system. where are there going to be data sources. where is the flow? that piece is called threat modelling. when you move into the coding experience, one of the things that we found is really important is integrating, like ben said, that directly into the coder's experience. so in the tools, you know, as they're working on things, it's not like oh, i need to go check and see if i'm allowed to do that.
6:12 pm
it's one of those examples. so that's kind of band and use. there will be issues found. >> google has a vulnerability work around for chrome. as i was talking about how you think about building a specific piece of software with defense in depth, also, this whole development life cycle needs depth. you can't always make software to solve problems. it's probably why a lot of our neighbors have been doing it. it's definitely a hot topic.
6:13 pm
>> so, andy, there was a recent presentation that -- actually, there have been several. and the words that struck me were there's a national imperative. and this has come in across many stages from various people. how do we get the private sector to take that off. >> let me first talk to why there is a national imperative. you're hearing from three organizations that are primarily information technology organizations. but as you leave the world of primarily it, whether it's the
6:14 pm
refrigerator or your car, you name it, in the world of the internet of things, as we call it, is it a national imperative. absolutely. that reliance is only going to increase. if we build these devices to be insecure from the get-go, they're hard to update. they're hard to improve. we're in deep trouble if we don't start off with more secure devices. so, to your question, how does a government help bring about that change? can we leave it to the market? you know, the approach of this administration is to take a voluntary approach, right?
6:15 pm
think about what the threats are. think about what the impacts could be. it's not at all prescriptive. i think it's a very good approach to take. the same for the department of transportation's guidance for smart automobiles. that's one area. giving guidance to sectors who are new to thinking about this problem and helping them understand that it's their problem now, too. anything that we can do to raise awareness. it's putting out threat information so that people can understand what the bad guys are doing in the real world and how they can defend against those activities.
6:16 pm
the fda says these are things to consider. so, presumably, they're going to look to see if they're in devices that manufacturers are trying to get approved for the market. does that make some of these recommendations have -- maybe they're not obligatory, may not approve the device for sale. so i'll be honest with you. the nuances are more than i know. but what i will say is to the degree that that's true, i think that's a reasonable case to make. the fda has a mandate to ensure that medical devices are safe.
6:17 pm
it is extremely light touch. i don't think anybody knows yet how that will play out in practice. but i think it's a very good way of giving direction, creating a north star so that the device makers know which direction they need to be heading, and then letting them identify the best market to be in. >> i'd just like to remind our audience, i'll soon be opening it up to you for questions. one more question might be starting with the companies.
6:18 pm
what we're hearing a lot is everybody is suffering incursions. so i guess my question is, the kinds of things that we're talking about, the building things in, the design and architecture phase, how much of that incursion problem can we take off the map? is some of that just going to go away? obviously, no security is absolutely perfect. how much of the problem can we take off by building in some of these things from the get-go. anyone want to take that? >> i mean, i'll jump in on that. and i know it looks like angela might have a few thoughts. one of the things i'll say is.
6:19 pm
>> humans are huge. and i think that that's actually -- i just want to throw that out there. it's not always a vulnerability. social interaction is a really effective way to get into an organization. one of the things i'm always hesitant about is when people think technology alone, or, really, any one thing is going to solve this problem, but there is a big human aspect. and these things are much larger than just the internet. >> i think that's a very true
6:20 pm
statement and we absolutely can't forget the human element. totally agree. >> tying together the two points, i think that we may be able to minimize some of these, but when you go with however many lines of code that are getting dynamically updated in cloud-based services and all of the humans who are touching these machines, it's going to be impossible to stop the incursions. so i think it is really good that we do think about the defense in depth. how to engineer detection capabilities and making sure that we know how to contain the incursions that do occur. there's some really interesting work going on right now in
6:21 pm
architecting systems where we all know there is no boundary. i know how to secure a computer completely. you drop it in the ocean. it's risk management, as you said. we won't get this perfect, but it's because we're trying to innovate and do a lot of things. and the internet can be a scary place. and it's increasingly becoming scary. but it's also increasingly
6:22 pm
becoming powerful in terms of what we can do. >> i think there's a couple of easy steps to minimize it. if you report an attack against you, you got a cool t-shirt and recognition. what's really cool is we've gotten over half the company to join in an internal discussion group, but even better, in august, we get these reports like, hey, are you sending out october early? here's this spear phishing that's really well crafted.
6:23 pm
getting people engaged about security and when they're doing their job, there's some security things that they should think of. >> let me jump on that. i think that's totally awesome. october is national cyber security awareness month. and that's a really innovative way to make it very relevant for your own organization. what i would ask everybody who's in the room and who's watching or listening online, is your organization taking the same approach. really say what can we do? >> on the notion of hacktober, i'd like to turn it over to the audience. please, indicate if there's a question right over here, please. please, just state your name and affiliation and off to the races.
6:24 pm
>> you've talked about the human element, mostly internally. how do you breed a user base that's security aware. users are the best testers. they love breaking things. how do you go about that. >> i would say that we do try to raise awareness. i take a very conservative approach at how effective education can be for users. we tried to have as much safe and secure by default as possible, as we've described. for that, i think chrome tries
6:25 pm
to be opinionated. >> it's backed by google. if the user tries to navigate to that, if they actually were to load it, maybe there would be a social engineering attack. with safe browsing, we can tell that. i think we do try to make the software as opinionated as possible to make it so people don't encounter those threats in the first place.
6:26 pm
maybe just to add to that point, technology companies are really starting to fine tune the kind of information that we're providing to users to help them make informed decisions. one of the classic examples that used to occur in i.e. was, you know, a pop-up window would come up and say this may be an unsafe site. well, okay. i don't know anything additional from that than i knew before i browsed to that site. the other side is incentivizing folks. one of the other things we need to look at is how do you compensate employees who have different functions inside of the overall development life cycle. you don't want to have folks who are focused on review to be
6:27 pm
compensated lower than those who are doing development. so i'm going back many, many years at this point. but i was really thinking about what are the incentive structures that help drive behavior. other questions? >> yes, icf international. as the framework starts to make available cyber standards, i'm curious to ask what should be our expectation in time and investment and other infrastructure. how can we use the life cycle management, essentially, an embedded set of critical infrastructure.
6:28 pm
if you look at water plants or power facilities, they buy expensive equipment that was never meant to be reachable by the internet or you'd never upgrade or install a patch on it. this is incredibly difficult. we start with a really tough legacy base of this equipment that is often connected to the internet, which, like i said, was never intended to be so. what are the protections in place? the other, of course, is that you build that security in. a third point is one we haven't touched on. it's usually important.
6:29 pm
you could have the best software developmental approach in the nation, in the world. we're still going to have vulnerabilities. you're still going to have design flaws that have nothing to do with your user interface confusing you and making the wrong decision. you have to have an ability to fix it. you have to have the ability to update that software. it's also about that life cycle. sam, you asked, what's that market going to look like? their answer is they are going to do what their business needs compel them to do. i can't solve the ones that were built 20 years ago.
6:30 pm
>> it's an excellent point. >> i get annoyed with updates, too. i don't always want to install security updates because it means i'll have to stop what i'm doing. or i'll have to reboot my machine. >> one of the things that i hope to see is that updates can
6:31 pm
be rolled out automatically without users having to opt in to them. >> maybe just one other thing that hasn't been mentioned is when the folks who were building ics systems, we worked a lot with the secure development practices. one of the other things is you'll be able to start using virtual machines and still do updates. this would be something where, i think, you know, we would like a lot of consumer environments to koblt to e soo the automatic environment. so you need to make sure that you have that right model on updating and do think about the innovations that are occurring that can allow systems to up
6:32 pm
date when they have high availability requirements. >> from our online community, paul had a question and it basically ties into this. why do your companies take building in cyber security so imperatively? if it is a market imperative, do those things also apply in a situation like the power grid? there may not be the same kind of market forces at work. anybody take that on? >> i'm from google. a lot of users entrust us with their data. if we lose that trust, we don't exist. it's from day one. if people don't trust google with their data, we have no business.
6:33 pm
>> i'd be very surprised if you don't hear all of us say market confidence. it requires us to address security, privacy, reliability. all of those component factors of trust. i think that's an area where you do see some mediation about what the market dynamics are. this is what a reasonable cyber security risk framework could be. and then the ek e contraction o
6:34 pm
system, to affect the markets die notwithstanding r fang e nappic to drive. >> i'm sorry. just to completely focus it and to try to pull in a question from before, let's talk about the power grid or other parts of the economy that are utilities. you're hearing from a lot of companies that these are expensive. what do you think? one of them is, absolutely, it's expensive. you may have to speak to your state level regulator about whether you need to make other prioritization increases.
6:35 pm
to angela's point, there's another aspect to it. the market gets fairly ready feedback as to whether or not your products are secure. products and individuals that don't act with it, the feedback mechanism is much less clear. if you're a power plant and you want to buy a secure control system, this is not an easy question. how do you know which system is more secure? question right here in the second row? in the middle.
6:36 pm
>> one of the things you mentioned was a balancing. a balance of security versus usability. and the famous windows vista, the pop-up verification show. so what steps have these three platforms, windows, facebook, chrome, taken to mediate that balance between security and usability? i think security means usability. oftentimes, the solutions that are proposed to improve the security of some system have a usability trade-off. but i don't think that has to be the case. really, the best solutions are going to have both.
6:37 pm
in terms of what chrome is doing, they're dedicated to what chrome is secure. security is like speed. if we want the product to be fast, everybody has to think about it. but we really focused our experts on the problem. their backgrounds are, you know, completely different, computer science and academic design, to think about these problems. >> i think that's exactly right.
6:38 pm
>> we've recently tried to codify. we've asked why did you have this bad experience. getting people to understand what that means is hard. we'll say hey, are you worried about the security of your facebook account? here's how it works. >> it's not just enough for us having technical flaws. we have to get 1.3 billion people to use it in a secure fashion, which means we have to be much better with usability. >> you actually highlighted what i think has taught a lot of industry.
6:39 pm
and the usability was affected. much like these other companies have said, those are integrated functions now where you're bringing together competencies from across different skill sets. it's no longer just the technical folks. the folks who are malicious adversaries are pretty darn creative, too. >> other questions? >> yes, right up here in the front row, please? >> there's an interesting public -- private
6:40 pm
infrastructure. it emphasizes i.t., but it's also on power and water and transportation and everything educational. it's a vetted community. so a couple of these people have to be approved to get in. i wonder if the companies are working to share information and to get information about risks that are known. it's possible, but i'm not sure. >> there's a lot of possibilities. >> yeah, echoing the point of a lot of collaboration between people who compete in the marketplace, but we're going to
6:41 pm
collaborate on security because our user experience is not defined by any one product or service. we have found that bringing together expertise has been very effective. one of the things is how to share information and enable cyber risk management is there's oftentimes in the ISAC. >> i guess i would say in the information sharing problem set, it's important that there is no model. we have to think about how to bring together communities who have particular experiences and also have the ability to act on the information to help manage risk. in some cases, that might be a
6:42 pm
steady organization. >> so it isn't necessarily one model or the other, but a combination of those. >> we've seen congress pass a version which would share information among themselves and with the federal government. for anybody on the panel, is this something that your company supports? and, andy, from the administration perspective, i know the administration has threatened to veto zerks ico. do we see that changing any
6:43 pm
time soon? >> what has to happen for that to change? what i would say is microsoft, for me, is committed to advancing information sharing and does see a role for government in helping to do that. i will add that one of the challenges that is historic, but has also increased lately, is government has several roles that it takes in cyber security. so that complexity has made the information sharing conversation much more difficult.
6:44 pm
that's a separate list of information that goes on in the law enforcement, intelligence community. >> i would just add to that. from an administration perspective, we absolutely think there's a need to encourage and provide comfort to industry in sharing information with the government and with each other. we don't want to incentivize anything other than the exact behaviors.
6:45 pm
taking a step back, how do we lower the potential risks? one of my goals for the department of homeland security is to make sure the companies reap the benefits of sharing information. the potential downside is waiting for congress. again, for the purposes of the room, the kind of thing we're talking about, hey, if you see this file, this file is a virus. don't let it infect your computer. or, this is a vulnerability that you need to know about. so that's the kind of information we're talking about.
6:46 pm
eric fisher for the congressional research service. my question is what has the impact program been and are industry folks involved with that? >> so dhs has a larger effort in my organization. and we also have efforts in cyber security organizations. all are doing the r&d that helps us understand how we do build security in the first place. it's really about industry and
6:47 pm
the experts doing really strong software assurance. a lot of the lessons we learned kind of fell by the wayside. and there's this huge core of historical knowledge that we are now bringing together in this software assurance forum. i think it's a great way to talk to other experts in the field. sales pitch over. thank you. we've got a question from our online audience. the companies are large players, but cyber security is a problem
6:48 pm
throughout the infrastructure. so what's the role of larger companies helping smaller companies? and also, on the governmental side, how do we reach them? >> one approach that google takes: we also have the cloud platform. it's a large part of what they need to operate. they outsource to google, which has the resources. we have something like 300 people working exclusively. that can be appropriate for some customers that actually want to have hosting for their business. so google offers that.
6:49 pm
i think that we also offer other tools and don't assume that what works for us isn't going to work for every organization. >> a lot of the hard security problems, we've built solutions for and try to put them out in the community, as well. other companies won't have to try to reinvent the wheel and we've been really active in hosting that and trying to bring other companies from other
6:50 pm
places to talk about this. >> i talked about what this challenge can be done inside of a large organization versus a small organization. so we've actually created a simplified sdl that can be used by i.t. companies but also other companies doing in-house app development. one of the key developments we've been talking about is there's a case study out where one of the -- an electric power company leveraged the simplified sdl process and they were able to demonstrate that the life cycle cost of that system was lower by engineering security in up front in a response system. it's a berkshire hathaway company. the name is eluding me right now. but if you looked up simplified sdl and that, you'd find the information. two other things i think are important is whether it's in the cloud platform or in development
6:51 pm
tools, we work to enable those security features and functionalities for others. we have taken those lessons ourselves and put them in that toolset. and the last is in the policy sphere. let's talk about policy. as we engage on the challenges that are before policy makers today, the partner play for microsoft is incredibly important. we want teams building on top of windows, on top of our cloud-based platform. so we have to think about the innovators' experience. as we have resources to engage in major capitals around the world on these issues, we look, if we're advising on policies, at whether it's not only something that's going to be working for the large companies but going to continue to enable innovation in this industry and innovation in other industries. >> going back to the simplified
6:52 pm
sdl, it was a heck of a page turner and i'm looking forward to the movie. >> just on the government side in terms of trying to raise the level of security in smaller firms, it seems to be a challenge because there's not awareness uniformly even among larger players of some of the things dhs is doing. what can the government do to help in that? because obviously a vulnerability in one player can spread throughout the infrastructure fairly quickly. >> i think we have to separate the two key things here. one is what smaller firms are building and are they building security into those things, and what are smaller firms using and are they operating their environments securely? in both of those places, we see this is a huge issue for small firms. we did a request for information in february which is the government's way of having -- how do we help small and medium businesses. you know, i'll tell you, didn't
6:53 pm
get a lot of clear answers back. i think this is a problem everybody is struggling with. if you're a small company and you're an innovative start-up, time to market is everything for you. you can maybe postpone some of the security risks where some of those don't seem as important because you have all sorts of other risks. you may run out of pizza tomorrow. you never know. right? so this is -- i don't think anybody has cracked the code on this. at dhs we are partnering with the small business administration to see what we can offer to help them. but stay tuned. i don't think there are great answers yet. >> other questions in the audience. yes, in the back on this side, please. >> i had. so i had a question. people brought up trust which i think is a very relative piece. i think a lot of us as i.t. professionals think about the trust on the user end. a question i want to ask that i think is probably relevant to the size of the organizations represented is, as i.t. professionals we have a lot of trust in things like protocol
6:54 pm
that has some significant challenges to them. and i think one of the unspoken things from heartbleed was around certificate authorities, around protecting and revoking security certs. that's when i think at the level of some companies up there would love to hear some thoughts and ideas on what's going on at that level of those fundamental things that are really something the big dogs can do that are probably relevant to all of you. >> anybody? >> i like the model of trust but verify. we build protocols and we assess them, but i do not trust there are no vulnerabilities in any of these protocols that build the internet. and that's why we build extra checks in place. to give a specific anecdote for chrome, we -- i believe in ssl as a protocol. the certificate exchange is an important part of that. and there's a certificate
6:55 pm
ecosystem that has shown its flaws. that's why we've built something in called certificate pinning. which actually goes one step further and in general you might expect that you can trust a certificate has been issued by one of these trusted authorities. well, we noticed that sometimes a certificate authority is compromised and they end up issuing certificates to the bad guys. within chrome we do some extra checks. and it showed -- it's led us to detecting gmail users that were being targeted in parts of the country. at the root of it was a compromised authority. and so i guess a specific example, but i do think as an engineer and somebody who started her career finding bugs, i trust very little and i assume there are bugs and i get my kicks out of finding them. and i accept that they're there and really try to think about a layered defense. and, you know, you hope that
6:56 pm
somebody can't chain together all of the bugs and they trip on something. >> certificate pinning is a great example of chrome providing us additional security. we don't have to trust the entire ecosystem. but in terms of using core libraries like implementation we've seen across the industry of sponsoring research into it and minimizing the threat there. i think a model of implementations is really good. it shows when the community is aware, there can be problems. it responds quickly to those issues. >> the only thing i would add is that the identity ecosystem is a place where there is still, i think, a great opportunity for adoption of existing practices. and enhancements of how to use those to manage across the ecosystem. so one of the things is hardware based trust. sometimes when people say identities, they tend to think about it as just the humans.
6:57 pm
so what we're talking about is what is the identity associated with a piece of data, what is the identity associated with an application or operating system? what is the identity associated with that hardware? and how can you combine those elements of trust to kind of get the user experience of a trusted system and a trusted experience from potentially parts where we don't necessarily trust all the components? >> and on that i think that'll be the last word. unfortunately i saw a lot of hands. i apologize for that. we have a reception, please stay and mingle with the panel and yourselves. and thank you very much to the panelists. [ applause ] c-span has coverage of more than a hundred campaign debates this fall. coverage continues tonight at 7:00 eastern on c-span with the second ranking democrat in the senate, dick durbin, as he challenges his opponent. and live at 8:00 we'll bring you a debate between democrat martha
6:58 pm
coakley and republican charlie baker. we'll be looking for your reaction to that debate via facebook and twitter. and at 9:00, david perdue against michelle nunn. and after that we go to al franken challenging mark mcfadden. we'll be looking for your reaction via facebook and twitter. and at 11:00 eastern, a debate between david ige and duke aiona. tonight on the communicators, meredith attwell baker. >> as you remember, i was at the commerce department and this is repurposing spectrum from the department of defense. and this process, the lessons learned have really been learned. it's going wonderfully. and the spectrum is paired, it's
6:59 pm
internationally harmonized, it's 65 megahertz. and we're going to turn around and have the broadcast incentive auction. i think that discussion is really going well too. i think we have the green hill report which values the spectrum. those numbers have really turned the discussion from a policy discussion to a business decision which is where that needed to turn to. so we're excited about both options. i'm certain our carriers are going to come to them with big checkbooks and it's going to be a win/win situation for everyone. >> tonight at 8:00 eastern on the communicators on c-span2. earlier in october marked the start of a new supreme court term. in heien versus north carolina, the court decided whether a police officer's misunderstanding of the law can justify the stop and search of a vehicle under the fourth amendment. the oral argument is an hour.
7:00 pm
>> our first case this morning is heien versus north carolina. mr. fisher? >> mr. chief justice, in a country dedicated to the rule of law, governmental officers should be presumed to know the law at least as well as the citizens are. that being so, when questions about individualized suspicion arise under the fourth amendment, they should be addressed against the backdrop of the correct interpretation of the law, not simply any plausible reading an officer might have. >> suppose that this state, north carolina, did have a good faith exception to the exclusionary rule. what would you be arguing today? >> we would still be arguing if that were the case that not only the fourth amendment was violated, but that the good