also allow us to do adaptive planning when we're in the middle of a crisis to figure out second, third order cascading effects that we didn't necessarily tackle so well during sandy. also, i think over time, a really big issue has become, i remember the early days of the sector coordinating councils on the private side of the partnership, heavily populated with ceos, shakers and movers. i've seen that level of attention and input into that set of processes diminish. now we have some great security officers, ctos, cios, involved in those councils, but they don't own the money. if they don't own the money, they can only do so much. a big exception to this is the electricity sector. huge effort to ramp up that level of senior management engagement. there's four dozen ceos, i believe, that are engaged in that process. that's what we need. the shakers and the movers of the industry are there.

now, i'm not going to let my government colleagues off the hook, because we also used to see a lot of senior government officials on the government coordinating council side of the house engaged frequently in that business. i've seen a diminishment of senior level engagement over the last decade. we need to fix that problem in two ways. ceos and coos need to get supportive of this, so do senior government officials. we need tough decisions and risk outcomes to be decided and that's not going to happen at the gs 14, 15 level. it's got to be higher than that. if we're going to solve some of the nation's most critical problems, like aging infrastructure, and the impacts of climate change, that's not going to be done at the level we currently are structured to deal with those kind of things. it's got to be a high order type

thing. i also want to say, that at the state, local, and federal level, tremendous difference in terms of private sector engagement in emergency operation centers and information exchange than we had a decade ago. i'm seeing seats in operation centers at the state and local level, and at the federal level for people from electricity, from water, transportation, privately owned. that's very good. and those that aren't there physically, are virtually connected. so they're built-in to the incident once it's in motion in many places in the country where we didn't have that previously. but we lack private sector engagement in the risk analysis and planning process in front of any particular incident. we haven't made significant progress to my satisfaction in helping our state, local and regional partners integrate key private sector editees into the fusion center world of intelligence sharing, where that

rabbit meets the road with critical struct protection. until we do that and overcome some of the remaining impediments to having those with a physical presence or virtual connection into the state and local intelligence fusion centers, we're going have a big gap in terms of information they can provide for the intelligence picture and those that need to take front line action based upon what an emerging threat might be, are out of the picture until it's too late. i think considerable effort still needs to be made in those areas. overall, i've become an optimist since i left government. i'm no longer a pes mist. so i think overall, the report card is really strong. but we're at a critical juncture now to take the whole public-private partnership concept to the next level. and in a resource-constrained environment, i'm very afraid of what might happen if we don't continue to focus on this, given the fact that our adversaries are continuing to focus on this

in ever more challenging ways. so that's kind of the parting message i leave with you and i look forward to your questions. >> thank you. >> kirsten, did you have a few comments on the way forward? >> sure. so i mentioned some of them and of course it's always a pleasure to be on panels with alan and bob, because generally i can just say what they said and that covers most of what i was going to say. but i do think some of the points that have been stressed, so we continue to see this moving away from contractual relationships. as bob said, whether it's planning, alan gave some examples in the arc types, we also see where the legal construct concerns arise, less in the public-private interface, and more in how the private sector is organizing to interface with the public. so, for example, the airports some of you might know, have some great mechanisms to provide mutual aid to each other.

the western airports and the southeast airports both have organized around disaster operations groups, called west dog and east dog. the way in which they did that is interesting. because the legal questions arise at that entity level, and then it's that entity representing the private sector that interfaces with the public sector during disasters. so it's a kind of a one-off legal question. it's not the actually ppp, where some of the legal questions or organizational questions are arising, but how the private sector is organizing to do the interface. we've also seen the private sector, for purposes of liability, for purposes of concerns about investors and competitiveness, they have chosen to engage with the public sector in the form of foundations. so ups is one of the older ones. the ups foundation was created in 1951, but it's mission is to increase community resilience and that is done through the

foundation, as opposed to ups at large. and lastly, just to take on something that both bob and alan mentioned with the threat picture the way it is, the hyperconnectivity, the increase, or complexity of interdependencies and dependencies, and potential for cascading effects, i think what we're seeing are new roles emerging in proboth the privated public sector which underscore the need for that flexibility, but lead us to unique public-private partnerships. just a couple examples. i grew up in florida. one of the things you learn early growing up there, i had to run away from alligators. when a hurricane is coming, it's just as important that your neighbors sandbag, as it is that you sandbag. if your neighbor doesn't sandbag, your house will flood. you're only as resilient as your neighbor is. but with new threats, enhanced threats, such as cyber, we see

that more and more. one corporate entity is only as safe as every connection point they have to every other entity. so the question, what is that role, who can better determine the interdependencies, the places where the threat indicators can be introduced? is there a call for ate public-private partnership around the emerging threats and roles? we also see some traditionally, inherently governmental functions, perhaps with increased focus on the private sector. one example there is the alert and warning system. fema, as you know, has been working for years on the integrated public alert warning system. but that started with a recognition that the private sector had the technology and resources that were needed to disseminate the alert and warning messages. so perhaps traditionally, an inherently governmental function is delivered from the private sector in the form of a partnership. and the role of city as i

mentioned previously continues to increase. again, a more traditional, inherently governmental function such as situational awareness during a disaster, we see that situational awareness being put together through information from individual citizens. from twitter feeds. from social media. it's quite interesting, when you look traditionally and you look today, as bob gave us a great articulation of where we've been and where we're headed, the role of that individual citizen in providing information and playing a role in community resilience. we also see that through the rockefeller foundation. >> thank you very, very much. alan, we're just about over time, but maybe you could say one or two sentences to bring us to a close. >> i'll take the opportunity as someone who practiced law in the private sector but was never an attorney in government, to issue a charge to all the folks who are attorneys in government in

this area. and that is, be proactive in this area, in thinking about -- in thinking about public-private partnerships. you've heard a lot of great information from everybody on the panel. but understand that many of your clients may say, i don't think we can do that because the lawyers won't ever let us do it. so, i would say, understand the legal landscape and to take advantage of the tools that are being developed by susan and the group that she is leading. think creatively and imaginatively about authorities, barriers, and solutions, and become part of the solution. be proactive in working with the client to figure out new and different ways of using public-private partnership tools to approach problems. >> thank you very much, everybody. and thank you for being here. we're out of time, but we hope that we can talk to you after we

close here in the next session gets started. thank you very much. [ applause ] campaign 2014 has one outstanding race yet to be decided. louisiana senate. mary landrieu is up against republican congressman bill cassidy in a run-off election. join us for the final debate monday live at 8:00 p.m. eastern on c-span 2. congress is in recess for the thanksgiving holiday until monday. when they return, lawmakers will work on extending government funding past december 11th, when the current deal runs out.

they'll also be considering how to proceed on immigration. in the senate, votes are scheduled on nominees to be ambassador to adjace ambassadors. live coverage when congress returns monday at 2:00 p.m. eastern, the house on c-span, and the senate on c-span 2. this thanksgiving week, c-span is featuring interviews from retiring members of congress. watch the interviews thursday at 8:00 p.m. eastern. >> i was elected in 1980, came in '81. if you look at my newsletters from '81 to '84, there's no mention of human rights and religious freedom. congressman tony hall, particular democratic member from ohio, and my best friend. he asked me to go to ethiopia during the famine.

and i went up, just got on appropriations, said can i go to ethiopia. sure. i got on an airplane by myself, and flew there. it was a very bad famine. i got in a camp run by world vision. the embassy didn't want me to spend the night. the guy from world vision said if you spend the night, i'll spend the night. right next to his camp was a camp run by mother teresa. it rained the next day and the plane couldn't come back. it was a life-changing experience. in the morning, people died. and we saw things that just -- that trip, and then in '85, tony took me to romania. they were bull-dozing churches

and i saw people persecuted for their faith. those two trips are book ends. human rights, the poor, the hungry, and religious freedom. since that time -- >> and also on thursday, thanksgiving day, we'll take an american history tour of various native american tribes. that's at 10:00 a.m. eastern following washington journal. then at 1:30, attend a ground-breaking ceremony of the new diplomacy center. and supreme court justices clarence thomas, alita and so sotomayor. with live coverage of the u.s. house on c-span and the senate on c-span 2, we complement that coverage by showing you the most relevant

public affairs events. on weekend, it's the home to american history tv with programs that tell our nation's story. the civil war's 150th anniversary, visiting battlefields and key events. american artifacts. touring museums and historic sites to reveal what information can be revealed. history book shelf, with the best known american history writers. the presidency. looking at the policies and legacies of our commanders in chief. top college professors delving into your past. and our new series with educational films from the 1930s to the '70s. c-span3, created by the cable tv industry and funded by your local satellite provider. watch us in hd, like us on facebook and follow us on twitter. this part of the american bar association, looks at security

risks for air and rail transportation. it's about an hour and ten minutes. thank you, emily. thanks, everyone, for being here today. this is the transportation and security screening break-out session. glad to see we have a sold-out room here for this discussion. my name is jeff surl. i'll be the moderator of today's panel. and just to reiterate by way of brief introduction, i did serve at the transportation security administration for a couple of years and then at the department of homeland security for the secretary. three years in total with the administration and i'm thankful not only to have survived the experience, but i'm actually thriving. so i'm excited today to have our panel, five experts in supply chain security and operations. i was looking over the bios last

night and noticed that four out of five of them, their last names start with f. i don't know if you noticed that or not. so i was trying to come up with a clever name for our panel, maybe the f-team. but that leaves larry out. so -- okay, we can certainly insert an f into your name. but that's not a very complimentary name for this auft ear group. i'll introduce them, and then they'll want to introduce themselves to you in their opening statements. the format today will be a panel discussion. i'll open with a brief statement, setting the stage for the issues we'll be discussing. then each of the panelists will give a five to seven minute statement themselves. and then i'll aggressively cross-examine each -- no. i will delicately toss questions to the panel for about 15

minutes. and i think that based on their depth of knowledge and expertise in these areas, we'll have a vibrant discussion of the issue. and then i'm going to open it up to you all for questions. so i expect some good questions from you. get ready. as the panel description states, threats to transportation sector and supply chain continue to require government and private sector efforts to reduce financial risks and logistical vulnerabilities. cyber warfare present new difficulties this panel will review the currently legal and public policy issues facing these critical infrastructure sectors, including legislative and regulatory efforts to reduce risks that impact businesses.

for example, over the past year, 18 months, some of you have followed this issue for a number of years before that. but there's been an increased activity in on the government side in particular, the president's executive order 13636, the missed framework of development and publication and adoption. and several bills in congress, two of which have passed the house of representatives, both of which placed dhs in the position of go-between between the private and public sector on cyber threat information sharing. and so the discussion will also address the effectiveness of current transportation and cargoes security programs. the status of the public-private cooperation information sharing and the implementation of the nhtsa framework as i mentioned. by way of brief introduction,

fay is the leader of the boeing commercial cyber 1 team. developing and coordinating a public-private partnership between the aviation industry and the u.s. government in order to establish an aviation-information sharing analysis center, isac. >> they still haven't changed that name, have they? something a little bit more catchy. where he leads work on cyber security insurance and risk management and support of imelementation of the president's executive order. prior to that, he served on the house homeland security committee. tom farmer is assistant vice president for security at the association of american railroads. tom and i had the pleasure of working together at tsa and he still agreed to help me out here today in his current role, he coordinates the development of railroad industry security

policy among other duties. and at tsa he served as the mass transit lead. and larry leads and manages projects in the field of telecommunications and security for acom. i'm sorry. global architecture and engineering firm. he will give some insightful remarks on how cyber security affects certain modes of transportation. i caught a presentation that larry had given regarding airports and cyber security, which i found fascinating because i don't think there's much out there. i think you come up at the top of the google list. so i'm looking forward to your comments. and then andrew farly is the co-founder of c.t. strategies. which provides strategic advice to clients seeking current innovative insight into border management and supply chain challenges in the u.s. and around the world. he's a former customs and border

protection official. certainly physical security and resiliency play a significant role in protecting transportation in the supply chain sector, as well as the critical infrastructure as a whole. over the course of several years and i spoke to the moderator of this panel for -- he moderated the panel for the last several years, i mentioned to him cyber security. he said we've been migrating from the physical to the virtual and talking more about cyber security. and i thought that, you know, particularly looking at chronology of events after 9/11, we certainly focused on physi l physical -- re-looking and reevaluating security for critical infrastructure. and over that course of time, i think there's been tremendous strides made, not only on securing the critical

infrastructure, but on resilience, public-private partnerships, but one of the things that i thought it was missing, or at least hadn't been fully baked, was the cyber security. and now that we're see interdependent on networks and communicating and operating systems using open networks, as well as closed networks, i thought that there were certain vulnerabilities that even me as a novice were thinking about. so i thought that today's panel, we could focus a little bit more on the siper side of things. certainly don't want to leave out new developments or news regarding the physical side of the equation. but i do want to focus on the cyber side. that seems to be a theme for this conference overall. so i look forward to hearing the panelists comments. why don't we get it started with you, larry, is that okay?

thank you. >> good late, early morning, everyone. thank you to jeff and to the institute for the opportunity to come and speak before you today. once again, i'm larry javi. i work for a company called ae com. i like to think of us as the biggest company you've never heard of. we're architects, engineers, construction managers and operations and maintenance personnel. on the operations and maintenance side, we operate and maintain a couple of large buildings, large facilities for the government and for private industry. on the construction management side, you may have seen us or a subsidiary company on the pentagon renovation, wedge one. we were the construction managers on that and also on the world trade center reconstruction. but my group is part of the design and engineering portion

of ae com. and we focus mainly on roadway, bridges, tunnels, mass transit, sea ports and airports. we also have -- we also work in the energy sector, as well as transportation. the public sector, and we do a lot of critical infrastructure protection, in terms of water systems. and arenas like that. my group specifically, i work in the technology area. i provide all the technologies that go into these facilities. the telecom systems, the audio-visual systems, radio systems, as well as the security systems that go in there. and i provide some of the cyber security aspects of these systems. so control systems, like the security systems or the building management systems, so you know, you walk over in the back of the room and somebody hits a button

on the wall and the lights go to a certain brightness and all, that's a building management control system, also the ones that control the h vac in the building, or perhaps ones that maybe if you're an industrial facility, the valves that control the flow of chemicals through the pipes, in a refinery, for example. those are control systems. in the transportation arena, positive train control and signaling. also, to some respect, we're dealing with things like variable message signs that you see on the side of the road. the intelligence transportation systems that are out there. i know i've got a commute on the way home here that i'm going to pass through a lane that switches direction. in the morning, it's heading into d.c. in the evening, it's headed out of d.c. i've always wondered if somebody got a hold of the controller and flipped the signals, somebody who wasn't driving that road every day could go the wrong way and cause some trouble. and if something like that were

to happen at the same time we coordinated that with some bad weather. we could be in for a whole mess of trouble there. but what i find interesting about these operational technologies, i want to spend a minute talking about the difference between operational technologies and informational technologies. we have laptops and cell phones. this is the kind of stuff that we've all known has been around since the '40s and the '50s. and from a cyber security standpoint, we've been doing a lot of work in that arena, for information technologies. so the pcs, you have at your desk and the servers in your employer's server's room, the cloud, if you will, the thre internet. a lot of time has been spent securing that infrastructure. how good it's going is another

story. but there's been a lot of effort in that respect. operational technologies are more of those control systems or systems that manipulate physical things. okay? as i mentioned, the lanes of traffic that go back and forth. the industrial controls out in refineries and chemical plants, train-control systems, as i mentioned. what's unique and different about these systems, first off, they control physical things. so if they go awry or someone were able to control them and set them up in a way that could be detrimental or harmful to personnel, to physical assets, to the environment, these are the things we want to pay attention to and unfortunately there really is very little with respect to -- there's very little going on in the realm of cyber security in these physical, logical systems. with respect to what's going on in i.t., we've been doing this

for decades. on the o.t. side, not so much. the operational technology systems, they were one-off devices. they were in areas nobody saw. they were specialized. they were often physical relays and things that had to physically move in order to make these controls happen. they were almost never networked together with any other systems. and it was a very, very small group of people who really understood them, knew how to program them, or design them. and that was the case really up until just a few years ago. most recently, i got a bill from my electric company that told me to go to the website, and they showed me day by day how much electricity was using in my home. that's because -- and i can get on -- excuse me. i can get online and i can look at all kinds of different statistics on my energy usage in

my home. and that's because the meter on the outside of my house is in some way, shape, or form, connected up to a web server somewhere, that i can then access. so if i can access that web server, and that web server can access some way that meter on the outside of my house, so i'm wondering, is it possible for someone now to go turn off the power to my house? now imagine that, times 100,000 homes or businesses. so we have that as one difference between the operational technology side and the information technology side. what's also interesting about the operational technology side is that these systems were built, many of them, 30, 40 years ago. and they were designed and engineered to operate 24/7 for decades. okay? one thing you might notice on your pc at the office, every tuesday, well, once a month on tuesday, your computer reboots itself in the middle of the

night. this is microsoft sending down a patch to your computer to fill any holes that they've discovered over the last month. sometimes it's more often. sometimes it's twice a month. and your internal i.t. department may do it once a day or even more often. and that's because we can turn off your computers for a few minutes and it's really not a big deal. but i really can't turn off one of these positive train control systems. or a refinery's plumbing. i can't turn that off. it may take a day or more than a day to restart that equipment. so the opportunity to patch known vulnerabilities in these operational technology systems is very limited. and so that causes us to have to do a bunch of other mitigations to get around that problem. and that's where some of the work i do comes in.

[ inaudible ] -- where this comes in. back in 2003, might have heard of csx had an issue, one or more of their systems was infected with a virus. i believe it was the so-big virus. and in cleaning that up, as a matter of prudence, they shut down or took off line some of their operational systems just to make sure there was no impact to them. and indeed that caused, you know, some ability for them to halt traffic around and even spilled over onto amtrak schedules. more recently in 2008, in poland in the city of luj, a young fella, 14 years old, sat and watched the light rail train system that went through the city. he figured out -- i'm not quite sure how, but he figured out that the trains used infrared signals, what you have on your remote control tv at home. that's what they use. the trains would send a signal

on the grounds to move them from one track to another. he figured this out, went and bought some remote controls, had them record the signal and was able to play it back to the switches, and he was actually able to control the switches throughout his town. one thing led to another, and he did manage to derail four cars and cause about a dozen injuries one day. they found him and i'm hoping they have since changed to something other than infrared. we all know about the metro train collision that occurred here a couple years back. that was caused by a faulty piece of operational technology equipment. that's not really a cyber security event per se. but had wamada had a cyber security program, specifically focused on their operational technologies, they might have tested the equipment more often and realized this was a piece of equipment that had actually been

failed for quite some time. so while these operational technology systems, they originally grew up as stand-alone, kind of obscure systems, what's happening now is that they are indeed getting connected to the internet in one way, shape, or another. and they are communicating between them, originally with some custom protocols that really was very obscure. but now we're starting to use more common protocols, internet protocol, ip, you've probably heard of that before. and that is part and parcel to the issue. not only now do we have systems that are connected to the internet and using commonly available protocols to do it, but the -- our adversaries have learned about this, they know about this, and they're taking much more interest in it. now, about once a year, verizon comes along and does a big metta study. this last year, they looked at

about 63,000 security incidents across the country, across many industries. the good news from that is that the transportation industry had a very, very small amount of reported incidents. not to say there weren't more. but of this large sample, there are only 24 incidents reported in the transportation industry. what i found interesting and different than all of the other industries were reporting, is that the highest percentage of incidents in the transportation industry, were of the cyber espionage-type. and with a small sample like that, it's hard to make an extrapolation, but it gets you to raise your eyebrow, why potentially could our state adversaries be interested in our transportation systems? so that's something we need to look at. and the other thing that, you know, in other systems, as well, are also getting connected. airport badging systems, for example. you see the pilots and the folks who work there, they have their

badges and there's been a lot of regulation involved around badging people at airports and ports. and so that regulation has caused us to sort of make these badging systems super badging system. we've had to separate them out and make them stand-alone systems. in doing so, we've had to connect them to the internet to allow people to register and to do ncic checks. so it's becoming a more interect canned world in the arena of operational technologies. and the problem that we're seeing is that there just isn't a whole lot of attention being put on it by the operators. we know that in the energy sector, they're probably the most advanced, they have the most regulation and rules about how and what you have to do to protect from a cyber security standpoint, the energy systems here in the u.s.

but as you go down towards transportation and water, those are much less developed. so that's the area that we're trying to focus on now, trying to help these transportation industries get more up to speed. so i think that's if for me. i want to thank you all again, i want to thank the institute for this opportunity. i'll turn it back over to jeff. >> thank you, larry. fascinating. tom farmer. >> thank you, jeff, very much. thanks all of you for taking time to join us for this forum. our organization represents the major freight rails that operate in the united states. bnsf, kansas city southern, csx, norfolk southern, union pacific, and canadian rails, amtrak,

alaska railroad, hundreds of short line carriers and a growing number much commuter railroads. and as a real credit to this industry, in the immediate aftermath of 9/11, the industry came together, brought in subject matter expertise in the areas of intelligence, counterterrorism, and focused on developing an integrated security plan that would be applied across the board and adapted by each participating railroad within the context of its unique operations. that plan took effect in early 2002. and literally there was still fire burning at the pentagon when this group convened a focused effort. looked across the board to assess risks. broke it up into five teams, hazard accounts material transport, life cycle of a train, where potential vulnerabilities, communications and cyber technology, and critical infrastructure, assets

throughout the network. what that produced by early 2002 was a security plan with four alert levels that called for increasing security measures in those areas, as threat levels escalated. so before you had a fully functioning transportation security administration, before you had a department of homeland security, before you had that color-coded system that was initially used to evaluate the threat level in various sectors of the economy. they developed a plan along those lines. it's in effect today. it's updated based on lessons learned and there's a continuous improvement effort dedicated to ensuring we're maintaining the right capabilities and processes and effective coordination in government to make sure that plan remains viable. there's a lot that can be talked about in that plan. the commodity we focus on at our association as we help manage the overall security program is

information. and so at the association of american railroads, we operate with what's called the railway alert network. that's a means why which we provide intelligence, security information, across the industry, to sure we're informing awareness of potential security concerns. that includes a good communication with government, driven by priorities we've agreed with, to make sure we're putting forward the right type of information and maintain the level of preparedness that we need to, based on evolving threats. now i think that many problems in life can be better understood by analogies to baseball. so if you'll indulge me a couple moments i'm going to do that here. one of the most iconic moments in the game, october of 1951, the culminating event in the national league. bobby thompson hits a three-run homer in the bottom of the ninth inning, propelling them to the

win and the pennant against the dodgers. the dodgers had a lead in august of 13 1/2 games. giants were perceived as dead and buried. people said, the giants, are they still in the league? they were. they won 38 of the final 45 games and finished the season in a tie. call it came down to the finale in new york at the polar grounds. many things happened at the polo grounds. that was the home field of the new york giants. tight game. 1-1, seventh inning. don newcombe leans over and says, i'm spent. i got nothing left. and jackie robinson said, you go back out there and pitch until your arms fall off. that brought two more innings. dodgers take the lead and

newcombe gives up a single, single. now it's second and third, score is 4-2, and the manager knows that his pitcher is spent. he goes out to get him. he makes a decision on who to bring in the game. brings in ralph blanca. he throws one pitch for a second. second pitch hit into left field for a three-run homer that prompts the giants announcer to exclaim, the giants win the pennant. the focus is on that moment. that's the moment that is etched in the history of the game. that's the moment that if you ever see a program talking about key events in baseball, that's always in the top few. that's the consequence. when you're considering things from a security perspective, the consequence matters. but far more important is setting yourself up to deal with that and trying to prevent that consequence, is how to happened. so let's take a look at what he should have known when he d

disregarded that decision. bobby thompson was the best hit ner the game when the giants came from so far behind. his average of 110 points higher than it had been in the season up to that point. he was the reason the giants were in the playoff. on deck, they had a base open. it was second and third. on deck was willie mays. hall of famer. but willie mays in 1951 was a rookie. in that same stretch, his avera average plummeted. 40 points lower in his production. runs batted in was way down. ralph blanca had been a sterling pitcher when the giants had the lead. but lost 7 of 10 decisions when the giants made their run. giving up more than two runs per game. most telling of all, of the dozens of pitchers that bobby thompson had faced during the season when he stepped up to the plate, he had 29 home runs. six of them against one man,

ralph blanca. out of the dozens of pitchers he face, more than 20% of the runs came against one guy. shirley povich, who is memorialized at nationals park, his headline item the next day in writing for "the washington post," the art of fiction is dead. the theory being that what happened is so inconceivable as to have been fiction. but i submit to you what he should have known, he made the wrong decision. that was a foreseeable consequence of ignoring the intelligence he had available. what does that have to do with what we do here? physical and cyber security, very often we focus on the consequence. sometimes focusing on the consequence, you can lose sight of the fact of the means you have at your disposal to narrow the chance the consequences will come about. it's important to step back and

say, what do we have at our dispos disposal? how can we take what we have already and put it to better effect to ensure we're informing preparedness at the right levels. a very important aspect of that is intelligent and security information. the plans i talked about, they do depend upon an awareness that situations are developing, that necessitate elevating threat levels. we have a very good partnership in physical and cyber security through the transportation and security administration that has really changed the dynamic. so we in the industry proposed to tsa, a set of priorities for intelligence, both in physical and cyber security. we focused on, don't spend so much time telling us what happened. focus on how it happened. so what it is, in the course of the london bombings in july of 2005, it's important to know what happened that day. from a security perspective, what was going on in the months leading up to that event? were there opportunities for security to make a difference?

tsa focused the shift, and allows us to walk through the preparation time and see opportunities to make a difference. they've allowed us to take that information and bring it further to other constituencies where many of those indicators that precede terrorist attacks are more likely to be observed. the likelihood that a train crew member is going to see a terrorist in the act of committing an act or some reconnaissance is very small. it's more likely a local police officer working a community will get a report, a complaint, or happen to see something. and we want that see something to trigger a reaction. so as an example, in the months leading up to the london bombings in july 2005, there were a whole series of indicators of concerns in leeds, about 200 miles away. where the bombers had holed up.

they were in an apartment. undertaking their preparations for the london bombing. we take that analysis, delineate those indicators, to inform training of our employees and share them with local police, so that as they go about their jobs, if they get a complaint there's an odd smell coming out of this apartment that was not there until these people moved in, or as happened in leeds, of all the plant beds outside the windows, only these two are dead. and it's odder still they put up this opaque coating. and they used to dress as muslims, but then changed in western outfits. now any one of those things may not be sufficient to trigger concerns, but maybe trigger a question taking a look. similarly on the cyber side, it's important to know when you

suffer an attack that disables 30,000 computers, what happened that made that event possible? similarly, we've gotten them to shift their focus to that sort of analysis. help us understand the tactics used to make that happen, the protective measures that were lacking, the vulnerabilities that had not been addressed, so we can take that information, look within our own networks and ensure we are narrowing the possibility, whether it's attempt to get into operational systems, which are secured in our industry, or in business systems, for espionage, that we're narrowing the opportunity because we're using information in a far more effective way. doing great work in this space and putting out indicators to the private sector of terrorist tactics, of cyber tactics. putting out information based upon the assistance they extend to private sector entities that have suffered intrusions. we've asked them to take a next step with that information and look at that body of work, hundreds of thousands of indicators and draw from that

the sort of information that can very well inform risk management decisions in our industry, in the transportation sector. we've asked, from that body of work, what are the tactics you most often see? what are the vulnerabilities most often exploited? what are the protective measures found lacking? and a real purpose of the executive order that the president's issue is not to solve cyber security. it's an insolvable problem. but you really want to begin to narrow the risk profile. and so where the window may have been open this wide, some of the efforts talked about through that order are aimed to narrow that, perhaps chase away some of the actors because the task is not as easy as it was before. and to make the actors who were good before, get even better. one of the sat realities, the means of intrusion is often simple. it's sending a phishing e-mail asking you to click on a link.

it's sending a file attached to an e-mail that you click on and introduces a virus into your computer. often these e-mails have indicators, that if you spent 15 seconds, you'd see there's something ought abodd about thi. i've never gotten an amae-mail saying read this article. this e-mail address is different. we have committees that con convenience once and twice a month and predate 9/11 in its operations and activities to coordinate industry cyber security. one of the emphasis we place on that, dhs has that good program, we had to pause. pause and look at an e-mail. if there's something odd about it, from a source you're not familiar with, take a look. you can scan it and get a pretty good idea whether it's the type of communication you're used to

receiving or whether there's a basis for concern. there's a lot to be covered. i wanted to bring to your attention, the efforts of our attention in partnership with government to address these types of concerns. i can say with pride, particularly in the transportation sector, there's been a real effort between tsa and the various representatives of the transportation modes to put a public-private partnership, a term often used very expansively, to put that in practical action. in some of the areas, they are areas when first proposed was, we just can't get there. and we've gotten there, result of a good partnership. happy to take questions on that as we proceed. but i'll turn it over to the next speaker. thank you. >> thanks, tom, fascinating. last night on the drive home from the baseball game, my wife asked me what a walk-off run was. and so i fumbled through the explanation. we're not big baseball fans, but

have become recently with the nationals leading their division. so part of your story scares me, because we certainly want the nationals to win, but boy is she going to be impressed with my knowledge of baseball history when i get home tonight. next speaker, andrew. >> thanks, jeff. >> good morning to all and thanks, tom, as a life-long dodger fan and family whose love of the team dates back to brooklyn. always nice to have the salt in that wound. so we'll get started. it's a pleasure to be here. when jeff asked me to participate, there are a number of ways to go with the discussion. my background, my quick background, not that i love talking about myself, but it's particularly relevant to this discussion, i'm about a year out of customs and border protection. i did a number of different

stints within the organization, but key to this effort is, i was the director of targeting programs at the national targeting center for passenger and cargo programs. and you know, there's a real push in customs to start moving even more to advanced data and using private industry data to help make better risk decisions, from the border management perspective. companies have been doing it forever. customs often times gets late to the game when they have these different efforts, but the plea i'd like to make to everybody in this room, particularly in your profession is to be really creative. these ideas, when it comes to the government use and the security use of data, these ideas are moving very quickly. and they're certainly moving faster than the nprn process, you know, the number of times i was in my office at the

targeting center, being told that we had to wait for a rule-making to get the data that we were looking for that would stop the next attack, or that would better facilitate cargo through the border, i would hear that daily, i would hear that weekly. and it was -- it was frustrating. because, you know, for me, i'm an attorney on my resume, but not real like you guys, i had to believe that as industry evolves and rein vents itself, there had to be a way for the federal government to keep up and to really adapt their processes, their data collection and their efforts that moved, if not at the speed of business, maybe one generation behind, instead of several. and often times the greatest catalyst for change in the security jirenvironment, i'd li to say it's creative thinking, but a lot of times it's a

threat. i'll talk about examples. the threat piece, the example i can give you, you all probably remember in 2010, in october, where there were explosives found in the printer cartridges over in the uk in dubai. the response to that was a great example of what i'm talking about now and should serve as the model for programs to come. it was what had come to become the advanced air cargo screening. and what happened was in the immediate aftermath, i mean the absolute immediate aftermath of that threat, customs and border protection, tsa, dhs, and the express consignment operators, all got together and said, the regulations right now for advanced information, coming into customs and border protection and to tsa for international shipments come way too late and there's not enough. what do you have available?

what can you have right now? what can you provide voluntarily that will help make better risk determinations and help to move the action that can be taken in the supply chain further out, you know, before an event becomes, you know, a catastrophe or a tragic event?