
tv   Key Capitol Hill Hearings  CSPAN  November 27, 2014 4:00am-6:01am EST

4:00 am
>> make sure you hold the microphone close to your mouth. >> my question about the tipping and the balance in '56 or '57 on the decision of creating the interstate through the mountains, besides ed johnson, it sounded like the military was the decisive factor. was there ever a military transport on i-70, eisenhower was famously part of the military transport of 1919. obviously, using lincoln highway mostly. was there ever an event like that? >> not that i'm aware of. there were -- there was the movement of missile parts along that interstate from time to time. but i'm not aware of an actual
4:01 am
transport like what eisenhower had, which was one of the things that apparently convinced him of the need for a system of defense highways. i'm not aware that there was any use of interstate 70 for those purposes. it seems to have been, as far as the evidence i have been able to find. there was a lot of talk at those times about the highways being defense highways. the official name for them, for the interstate system when it was created in 1956, the national system of interstate and defense highways. >> thank you. >> two questions. i believe i read or heard that the interstate through glenwood canyon cost more than the entire rest of the interstate 70 cost total. >> i don't know if that's true. but i frankly would not be
4:02 am
surprised at all. the cost as you probably know it kept ballooning as the design changed, as they ran into -- as highway builders always do, into unexpected geological obstacles. i would not be surprised, but i don't know the dollar values. >> another question about president eisenhower's involvement or lack of involvement. in a book called the old gray mares of denver, he tells a story how ed johnson and ed nickleson met with eisenhower. they asked eisenhower to help get approval for the interstate 70 to go west to denver and ihe
4:03 am
asked what he could do then and that was passed and passed in the house. so i take it you don't agree with that? >> i don't agree it was that cut and dried. there was -- as you said, eisenhower supported the idea of thousand extra miles. there were claimants to the thousand extra miles. it was not a conclusion they would go to colorado and utah. even when congress approved that extension, that 1,000 mile expansion, it was up to the highway people to decide where they would go, who would get those extra 1,000 miles or how they would be divvied up. it was difficult to push around politically. there was deference to -- we tend to think of anybody who claims expertise above political
4:04 am
partisanship we're like, yeah, right. we have a more cynical political culture than that. but there was a lot more deference to the judgements and to the power of the highway people at that time. even if eisenhower -- there's no question he made happy noises about having an interstate through colorado. he made happy noises about that. but i was not able to find any evidence in the eisenhower library -- i found evidence of that meeting that you are talking about between nickleson and johnson and ic-- he is instructing his aides to get him to -- to extricate him from any sort of commitment to the coloradans. i think george kelly was probably making -- he was making -- tying up too neat a story, i would say.
4:05 am
i have an old map. i have been puzzling over why 24 and 50, why neither of those routes was considered for the interstate. >> the biggest reason was denver. neither of them go through denver and the sort of -- again, the greatest political power in colorado but also the greatest sort of engineering argument for an interstate through colorado would be one that went through denver. so that's really the single biggest reason. 24 goes through colorado springs and 50 goes through pueblo. >> what about dillon reservoir? did that have anything to do with the project? >> it did. the biggest thing it had to do
4:06 am
with the project was where would the interstate go. the engineers worked with the possibility for a long time of running the interstate over the top of the dam. that would have required a larger dam, of course. but -- all of this is converging at the same time. the interstate planners are making their plans for which path the interstate is going to take. the decision to run it through summit county -- the final decision wasn't made until 1960. by that time, denver's engineering of the dam had moved on. so they ended up running it along the base of the dam rather than on it. it did have some effect. like i said, by the time the interstate was designated, it was no longer really an issue. >> it was essentially a water project. >> yes. >> i think we have time for one more question.
4:07 am
which one of you wants to ask the question? >> flip a coin. >> i wanted to know your guesstimate on vacation land of the huge traffic jams we see now on 70. how is that going to impact our economy and the things you have been talking about? >> well, i'm an academic. i like to pick on the premises of questions sometimes. what i would say is the fact that so much of the debate over interstate 70 has revolved around not so much the environmental issues but about congestion, about the question of how for recreational enthusiasts it takes too long to get up there or to get back or for business interests, it might start to harm their business if people are deterred by how nasty and congested it has become. i think it speaks to the
4:08 am
limited -- the limits of environmental consciousness i was making the case for. you miss a lot of other ways of looking at the issue. which way that would go, i have no idea. i got asked that question in the afternoon version of this talk. i quoted the famous saying that a historian is a prophet looking backwards. historians are useless for projecting the future. it seems like -- when they expanded the two-lane tunnel just east of idaho springs, that the strongest political support stands for doing some widening here or there. but as to whether that might change, whether there might be a paradigm shift toward rail or a new way of viewing the problem -- i raise the issue of things like as environmental conditions change, if oil becomes less cheap, if climate changes were radically
4:09 am
transforms the recreational industry both s things, we might be forced to change. in terms of what the future holds for interstate 70, that's the mushy answer i will give you. >> i would like to thank dr. william philpott one more time. [ applause ] i know you all have more questions for him. i wish we had more time. the lecture can go keep going on. step on up. he would be happy to answer your question individually. otherwise, stop by the gift shop on your way out. i'm here to answer questions as well. we will see you next month at our rocky flats lecture. thank you very much. >> thank you all. thank you. [ applause ]
4:10 am
campaign 2014 has one outstanding race to be decided. louisiana senate. democratic incumbent landrieu is up. watch that live at 8:00 eastern on c-span2. here is a look at some of the political ads running in the state. i'm mary landrieu. i approved this message. >> on may 31, bill cassidy gave a speech that was nearly incoherent. his record is clear, voting to cut social security benefits. to pay for a tax break for millionaires like himself. >> will it be a senate that -- a senate -- >> for this? >> thank you.
4:11 am
>> before the end of the year, we're going to take whatever lawful actions that i can take. >> that's obama promising executive amnesty for millions here illegally. we must stop obama. as your senator, i will fight his plan. your tax dollars should benefit you, not those here illegally. remember, mary landrieu, obama, 97%. i will stand up to obama. i'm bill cassidy. i approved this message. >> every morning i say a prayer for my kids. i just want them to be happy and to do their best. bill cassidy is a doctor. but he still voted in congress to cut $86 million from louisiana schools to pay for a tax break for millionaires like himself. i don't know what kind of doctor would do that to my kids. i'm mary landrieu and i approved this message because louisiana's children should never pay the
4:12 am
price for a millionaire's tax cut. >> i'm bill cassidy. i approved this message. >> a few words from mary landrieu. on obamacare. >> if i had to vote for the bill again, i would vote for it tomorrow. >> on voting with barack obama 97% of the time. >> i'm very happy to see the president defend what i think is really an extraordinary record. >> if you dare disagree with her? >> if they like it they can unelect us. >> now you know what to do on election day. >> this thanksgiving week, c-span is featuring interviews from retiring members of congress. watch the interviews thursday at 8:00 p.m. eastern. >> i was elected in 1980, came in in '81. if you look at my newsletters, there's no mention of human rights and religious freedom. congressman tony hall who was from ohio who was my best friend
4:13 am
from congress, we have been in a group together for 32 years, he asked me to go to ethiopia during the famine. i went up. i got the appropriations and asked if i could go to i'm own y ethiopia. it was very bad. i got in a camp run by world vision. the embassy didn't want me to spend the night. i said, i want to spend a night. a guy said, if you spend the night i will spend the night. right next to his camp was a camp run by mother teresa. we spent the night in a hut. it rained the next day and the plane couldn't back. it was a life changing experience. we saw -- in the morning people died. we saw things that just -- that trip -- in '85 tony took me to
4:14 am
romania. bulldozing churches. i saw people persecuted for their faith. those two trips are bookends, human rights, the poor, the hungry and religious freedom. since that time -- >> also on thursday, thanksgiving day, we will take an american history tour of various native american tribes. that's at 10:00 a.m. following "washington journal." at 1:30, attend aer sa ceremon supreme court justices at 8:30 p.m. eastern. that's this thanksgiving week on c-span. for our complete schedule go to cspan.org. a portion of the american bar association's annual
4:15 am
homeland security conference with senior government officials and others discussing public private partnerships. this is about an hour. >> good morning. this is the panel on public private partnerships for security and resilience. i just want to tell you a little bit about how this panel came to be. we on the standing committee on law and national security began hearing questions from lawyers about information exchange between the government and the private sector about how to handle intelligence sharing. we began hearing all the problems and questions from the private sector, about tort liability and the difficulty in finding out who was in charge. and on the government side, about the difficulties dealing
4:16 am
with the federal advisory commission act and how it didn't always provide the right vehicle for dealing with private sector. and in general, conversations about what the quid pro quo was. and at the same time, there was a strategic discussion going on about 9/11, about preparedness of the private structure and infrastructure protection. and after katrina, a wide recognition of the dependency on the private sector for reopening the economy. after sandy, a number of questions about how funding could flow from the federal government to the private sector. of course, an ongoing conversation about cyber security and the private sector role in dealing with most of the threats. so out of that came the working
4:17 am
group on public private partnerships. and we reached out to the homeland security section of the administrative law committee. with help and support many others, we got going. i have to say that what really lit a fire under us was the qhsr, the most recent qhsr, which calls for a new framework for strengthening mission execution through public private partnerships. so we're hoping to produce a book that will be useful to the lawyers in this room both in government and in the private sector that compiles the laws that govern those relations such as they are today, that looks at all the executive orders that
4:18 am
are relevant and that also provides a set of models. so when you get asked a question as a lawyer, you can look at the various models for dealing with that question. and we'll identify where there are the unanswered questions and the problems going forward. i'm sure we will be reaching out to many of you in this room as we complete this project. it's a bar association project. it's always team work. to see what -- whether your primary concerns have been addressed. we have a wonderful panel today with three really -- not only expert thinkers about the subject but the originating minds in many respects. we're going to introduce all -- i will introduce each as they begin to speak. our first speaker appropriately is allen cone. he is currently the assistant secretary for strategy planning
4:19 am
analysis and risk in the dhs office of policy which makes him the number two in that office. a very busy man. we're honored to have him here. one thing i wanted to say about him in this context is that before he went to law school, he was an emt in new york. while he was in law school, he continued to work as a disaster assistant employee and as a planning officer. he has a really hands-on feel for issues at the local level and the day to day issues that are faced in the public private relationship. he joined the government in 2006. i met him when he led the first homeland security review for dhs. so he has a very rich and textured understanding of the back and forth.
4:20 am
he will give us the framework under which dhs is operating today. >> thanks for the opportunity to sit on this panel, especially with colleagues who i have worked a lot with and who we have done a lot of good work together. as susan noted, we just completed the second homeland security review. this is the congressionally mandated review of homeland security that we conduct every four years. the first review, which we conducted in 2009 and released in 2010 was really aimed at answering the question of what is homeland security. laying out a vision, mission areas and hopefully some of you if not most of you are familiar with that. in the second review we didn't look to repeat the same exercise. but instead, looked to conduct a more focused and collaborative strategy planning and analytic
4:21 am
activity consistent with secretary johnson's emphasis on enhancing unity of effort within our department and across all of the participants in homeland security activities. so in addition to identifying a number of risk-based priorities for homeland security going forward based on the strategic environment, based on trends and challenges, one of the things that we did identify and highlight in the second quadrennial review was the question of public private partnerships. why did we single that out given the range of different things that a homeland security review could focus on? well, for a number of reasons. first, today's homeland security challenges don't observe traditional organizational or political boundaries. you need look no further than the headlines of today's paper or those of the last several
4:22 am
weeks. biological challenges, cyber security, climate change. these are not things that respect neat, physical organizational boundaries and put stress on organizations of all types. second, there are clear interdependencies between the public and private sectors such as in the global supply chain. what that means is that catastrophic events in one part of the world can cause ripple effects across business and government globally. third, in rapidly evolving domains like the arctic, partnerships can enhance security while promoting and supporting open markets. in addition, partnerships can be an answer to increasing resource constraints, physical environment not only at the federal level but across state, local, territorial and tribal governments, most of the private sector non-governmental
4:23 am
organizations, all of the organizations face increasing fiscal pressures, reasons why we should look as to how we can best work together with one another. both leveraging the ways that we have looked at public private partnership before and enning new ways that we can engage in partnership. for all of you who have been following homeland security since the inception of the department and before with all of its various strands, you know public private partnerships are not a new concept in homeland security. perhaps best known partnership in homeland security is the national public private partnership to advance security and resilience of critical infrastructure that's set forth in the national infrastructure protection plan with our sector coordinating councils and government coordinating councils. it's not the only type of public
4:24 am
private partnership in security. relationships and agreements with airlines and shippers and multi-national corporations, with respect to the movement of goods and people across our borders. the community initiative for national preparedness and emergency management. the port relationships, coast guard maintains with a variety of entities that operate in our port environments. there are a number of examples of successful public private partnership models across homeland security. one of the things that we wanted to do in the second review was to try to best leverage and cross supply the lessons that we have learned in each of those circumstances to look at are there ways we can generalize lessons from the experiences, look at the range of private public partnerships and distill
4:25 am
something, government, industry, non-government organizations, look at different challenges and see if public private partnerships of one type or another would be appropriate for addressing that challenge. so there are two things that we sought to develop. one was a checklist, a way to think through public private partnerships. the second was a set of archetypes. archetypes that generalize things that we use currently or that are used in other types of governmental activities outside of the security and resilience area but where the lessons can be applied in the homeland security area. the checklist we developed has eight elements.
4:26 am
it's just -- it's a way of walking through looking at a challenge and examining whether public private partnerships are a way, a better way, perhaps the best way to address the challenge. first, to identify the critical factors that might impact the issue and the partnership. the capabilities necessary, the authorities that are at issue. what expertise is necessary? what's the range of stakeholders, the scope and scale of the problem? second is to determine the value proposition, pursuing a partnership versus alternatives, whether that's independent action by the private sector, independent action by the government. the value proposition both for the government and for non-governmental entities participating in the activity. and then next two are what we see as the crux of the
4:27 am
challenge. can we define the outcomes that the parties are trying to achieve, particularly the shared outcomes that we're trying to achieve? because when we identify the shared outcome, again, that links to that question of the value proposition for governmental and non-governmental entities. as important as the outcomes are where -- what interests are at play and where do they align. governmental and non-governmental interests will not necessarily be the same. government has interests in enhancing security and resilience. industry has interests in increasing profitability, brand recognition, market share. but that doesn't mean the interests can't align in the service outcomes. defining the outcomes and identifying where the interests align are key elements.
4:28 am
identify the range of challenges, opportunities, risks and potential barriers to partnering. then identifying the partnership. identifying relevant stakeholders and decision makers and determining how to measure success. that's a way to think about the question. we talked a little bit about outcomes. shared outcomes, aligning interests. the third piece is what is -- what's the best archetype for aligning the interests. this is where we looked at models for infrastructure environment. can we take all of the examples that we have and generalize them into basic types of partnership? so in the second -- in the report on the second review, i identified five groups of
4:29 am
partnership. the first is probably the best known and most well used, which is partnerships for information and data sharing. this is where parties across public and private sectors share relevant and timely information that may be useful to both parties with the intention the parties go and use that information for mutually supportive ends but the core is the sharing of the information. most if not all partnerships rest on that base of sharing of the information. but there are other types as well. the second type is coordination. this is where a partnership aligns policies, objectives, messages, relevant activities among a group of partners to produce clarity and consensus. but it's based on independent action just independent action with a greater degree of coordination. the third is operational
4:30 am
linkages. this is where in addition to the information sharing and in addition to the alignment of policies and objectives, this is where we begin to take systems, procedures and routines of each of the individual partners and link them, bring them together in such a way that certain types of operational activities take place together. fourth is co-investment. and as its name implies, this is where not only information is shared, outcomes are coordinating, activities are linked but where each party invests funding towards a common end, a specific project, a specific goal. and then fifth, is co-production. this is where -- this is where the public and private sectors come together to develop and produce in essence a product or
4:31 am
an outcome of security and resilience that neither could produce independently together and that is of value to each party. so thinking about public private partnerships in that way helps us not only think about the ways that we engage in public private partnership today and the range of problems that we apply public private partnerships to but gives us a way to think about and allows us to think about, can we apply a model of public private partnership to this problem? would it represent a better or perhaps the best way to address the problem? let me stop there. hand it back to susan. >> thank you, allen. it's been a very stimulating report. it has helped us begin thinking
4:32 am
about public private partnerships. our next speaker is kiersten nelson. she's also really impressive because of her range of experience relevant to this problem. she did start out as a practicing lawyer in corporate transactional law. she created and managed the office of legislative policy and government affairs at the transportation security administration. we know she's a really good communicator and able to think about people's problems and problem solving. she was then special assistant to the president for prevention preparedness and response on the white house homeland security council. anyone who can handle the pressures and demands of that office definitely hats off to them from me.
4:33 am
she is currently president of consulting, she advises officials and private sector officials on the development and execution of preparedness strategies, policies, plans, tools and tabletop exercises. she's right in the heart of the kinds of issues that our group is dealing with. she is also the chair of the world economic forum's global agenda council on risk and resilience. and developed and is leading a global initiative on the role of big data in increasing security and resilience. she's a key member of the standing committee on law and national security working group. and we have asked her to focus today on models for public private partnerships. we are just beginning to try to derive the models from the
4:34 am
plethora of organizations that exist today to digest them into accessible models for practicing lawyers. of course, we started with one vision of the models, which is the things that allen has told us about, the five that dhs has found to be very useful. i think kiersten will give us another perspective on what the models and ways of thinking about public private partnerships in security and resilience is. >> thanks, susan. i just want to thank the aba. this is a very important topic. it can seem very dry. but it is also an emerging and evolving area. it's where we are headed as a community in terms of being able to increase our community security and resilience.
4:35 am
the homeland perspective is different than what we have seen. if you look over the last 200 years, the concept of public private partnerships is not new. what perhaps is new is the way in which we use them. the concept of ppp is not new. traditionally over the last 200 years it has been a contractual relationship in the united states. you can see that if you look at infrastructure projects, whether transportation or in the water sector, certainly for funding issues the state and local level that has been a very traditional way to raise funds to work on public works. president obama just announced a new infrastructure project which demonstrates the continued use of public private partnerships in the traditional way. in fact, the recent statistics that i saw are over half of city public works are provided through public private partnerships. it's a very traditional way to
4:36 am
do that. the challenge that we have in homeland, we have different barriers. allen mentioned some of them. we perhaps also on the good side have different incentives. but we need to be a bit more flexible perhaps and a bit more creative in terms of how we organize around and construct a public private partnership. you will see some public private partnerships in the homeland area that are reminiscent of the past. they are contractual based. it's very clear roles and responsibilities, liability indemnification, insurance. but many others are focused on a concept of operations. it's partners coming together. it's plan -- the plan is what guides the partnership. we see that in the national infrastructure protection plan. we see that in the national response framework when you look at a support function, which is a co-lead between the federal emergency management and the american red cross. that's not a traditional
4:37 am
contract. it's based on a plan that describes rules and responsibilities and operational linkages. i just want to refresh a little bit of what allen said. i think it gives us a good perspective in terms of thinking about the models. as an entity, you first sort of make that decision if you can independently effectively and efficiently address whatever issue it is that you have. once you decide that you can't due to capability or capacity, could be resources, could be authorities, you then look for those partners to jointly address the issue. once you have done that, you then have to be very aware of the environmental factors, some of which allen mentioned, that could serve as barriers. when you look to construct your public private partnership, you have to be very cognizant of the barriers. just to highlight some of the ones that allen said, he talked about the nature of the threat. interdependency, supply chain. he mentioned resource
4:38 am
constraints. in homeland the private sector plays a critical role in terms of being the primary provider of goods and services, particularly on the infrastructure side. there's a need for partnership based on that. of course, there's differing expertise. we see the department of homeland security more and more looking to the private sector, particularly in cyber security, with a recognition that the private sector has the ability to be more cutting edge perhaps in some areas in terms of tools and services that can be provided to increase our community resilience. the barriers some of which we are addressing in the work that susan mentioned -- i want to stress here, many of the barriers it turns out are perceived. there's a lot of education that needs to be done in public private partnerships in this area. but we have talked about liability. we have talked about insurance concerns. indemnification. there's some legal restrictions with respect to sharing
4:39 am
information, whether that's pii or it could be the rules that sue mentioned. in some states and localities there's license issues. is this constitute a business and is a business license required. term limit on contracting which can limit its ability to move forward. this concept that the federal government or state and local government due to the public good do not negotiate contracts but solicit contracts and there's a very specialized way in which that acquisition process occurs. when you look at public private partnerships that flies in the face of the concept of the flexibility that might be needed on the private sector side. there are in some states and localities, there's no authorization in law for private parties to collect service fees. so if your private partner is providing a service as part of
4:40 am
your public private partnership, there's a funding mechanism problem of how to transfer funds to make it all work. at a higher more cultural perspective, there's the competitive nature of business. we still hear from many businesses that they are hesitant to provide additional information to a public partner because they are afraid it will reduce their competitive ability to compete with their peers. the protection information we talked about. there's misunderstanding of roles and responsibilities. what is inherently governmental versus private. how can we construct that together in this context? cultural, there's a lot of cultural misperceptions. i hear public private partnerships are too bureaucratic. we don't trust the government. we don't do it that way. it's not a traditional cultural way in which a certain issue has been addressed. there's a belief that
4:41 am
partnerships somehow demonstrates weakness. if you are a fortune 100 company, what does that say if you decide to address something through a partnership? that clearly is a misperception. on the other hand, it's an education of the investors. finally, there's this belief that public private partnerships are inflexible and they can't be changed over time. there's no way to help them evolve. again, all these are important to consider as you construct your partnership. once you have determined it's necessary. how do you proceed? allen talked about the checklist that was developed during qhsr. in the implementation of the executive order on cyber security and the presidential policy directive on critical infrastructure security and resilience, dhs has done work on what are the successful -- what are the criteria that successful public private partnerships share? that's a good place to look as
4:42 am
you are looking to create. as allen said, you start with the purpose. you start with the outcome. what is is it -- what is the issue that you are trying to resolve? that first and foremost will lead you to the construct that will work. allen walked through some of the archetypes. i would encourage you to think through after you identify the outcomes and purpose who you want to be involved and where it will be located, if it involves federal partners, state and local partners, if there's a funding issue, if there's a particular liability issue. so if you look at models that exist today, we have ones that are based almost purely on purpose. that's some of the perhaps -- it's an example of the information sharing p-3s that allen mentioned whether fusion centers or information sharing and analysis centers. there's also sector-based public private partnerships. we see those throughout the
4:43 am
national infrastructure. you could mix a sector and a purpose. that's specialized. you can have a particular information sharing analysis center for a sector like the financial service isac. there are sectors based plus regional locality constructs. an example would be chicago first, which was started really around the financial sector in chicago but is now expanded to include other types of infrastructure concerns. regional, so we have the pacific northwest economic region. for those of you who aren't familiar with that, they do much more than their name might imply. they focus on homeland security issues at large both on the preparedness side and response and recovery side. there's purpose based public private partnerships that are implemented locally. an example of that might be infragard. it's a partnership with the federal bureau of investigation. but it's implemented at a local level through chapters.
4:44 am
that's a slight mix on how do a federal level public private partnership and bring it down into a community so it could be tailored to the needs. another example of that is d.c.'s homeland security emergency management agency's business emergency management operation center. it's a new entity. but that focuses on working with the private sector at a local level and having that public private partnership be around emergency response. there's capacity building as a purpose or as a unique construct. we have the dhs loaned executive program as an example there. there's also an example in virginia, the department of emergency management has a private sector liaison program. there's research. this is an interesting area, because you will see dhs today looks very differently at the cooperative research and development agreements that they
4:45 am
utilize. you will see dhs more and more focusing on specific areas that a private sector entity is interested in. in the financial services sector, some focus very specifically on teralines and information sharing and how can the financial services sector help dhs understand and tailor raw intel into an operational way that the financial sector can immediately use it? in-q-tel is an example. i'm sure you are familiar with that helps the cia and other agencies have the cutting edge tools. the focus there is using the research capability of the private sector to help the public sector stay on top and on the cutting edge of what they need. we also find very specific legal carve outs in public private partnerships such as the safety act. there's another panel speaking
4:46 am
about the safety act. it's an interesting way in which one company can work under legal construct or regulatory construct with the department of homeland security to protect itself from liability in doing x, y and z and providing tools that are related to the homeland. we also have more and more voluntary standards. you might remember the ps prep effort from a few years ago. we also recently have had the national institute of standards and technology issue the first cyber security framework. various people have spoken about that yesterday. if you participated in those sessions. but it's a great example of a very loose public private partnership. it was all voluntary. there's no contract, no formal roles and responsibilities. but it was the private sector in the form of non-profits, individuals, entities, advising and helping the government to create something for the use of
4:47 am
the private sector. and finally, we see more and more public private partnerships in the form of sharing resources. so you all might remember the aid matrix. another recent example is the united nations has launched the humanitarian data exchange that provides government-owned data out to the community for purposes of humanitarian missions. it provides analysis tools that are available. the information mimics there is from the private sector. it's for the private sector as well as emergency providers throughout the world. so i think susan will ask us after this kind of where we see this all going. so i will talk a bit more then about that. but i did want to just say that to sum it up that in homeland what we see is the need for a lot more flexibility and again that's due to what allen described, the highlight of which is the evolving nature of
4:48 am
the threat. we also see a lot of different types of partners, from venture capital firms through to specific entities through to organizations of entities interfacing with the government through to perhaps more and more individuals, which has not been a traditional role. the public in terms of the public has not traditionally been involved in public private partnerships other than as funders perhaps through other mechanisms. now we see individuals participating in activities to increase community resilience. i will turn it back over to susan. >> i think that was a really good preview of the types of models we're going to try to provide for the legal community. of course, when we do it, we will also have very concrete examples. we will try to put it in terms of the kinds of questions that lawyers are asked by their clients at the state, local as
4:49 am
well as those dealing with the federal government. our third speaker is here to kind of bring us down to earth. from the abstraction of the models to the working relationship between the public and private sector. colonel robert stephan is the executive director of griffin scientific. his career in government began with a 24-year air force career where he commanded two elite air force special tactic squadrons and worked on contingency programs across the world of trouble.
4:50 am
and had a very distinguished air force career. he moved into the homeland security arena, to the protection of critical resources. he was the assistant secretary for infrastructure protection at the u.s. department of homeland security. and in that capacity, he had a very formative role in the documents -- the planning documents that still guide the community today. the first national infrastructure protection plan, and the identification and cataloguing on the nation's critical infrastructure and resources. today he's involved in private sector incident management planning, training, and exercises. along with working with the federal, state, and local
4:51 am
governments. his focus is business continuity and resiliency. he's been very involved in training and exercise activities all around the country, from san diego to philadelphia and in between. table top exercise programs at various levels within the private industry. and i'm very eager to hear from him what his perspective from the ground is. >> thank you, susan and thank you all for inviting me here today to spend time with you. i'm a little intimidated. i'm a bit at a disadvantage being the only non-attorney represented on the panel in a room of distinguished legal professionals. two things i have to say about that. one, i did have two classes in law at the u.s. air force academy. i got a's, so i'm banking on those to pull me through somewhat today. and my son is entering his senior year in law school and we have this banter back and forth about legal issues a lot. he bounces a lot of things off me. so i'm going to release him into
4:52 am
your collective custody next may 10th. we're looking forward to that, but there's a sad aspect to it because i'm going to be replaced as the most iconic figure in his life by someone like joe whitley, eminent legal scholar. so we'll see how that crash on impact goes. but anxious to have a lawyer in the family. and he's told me no more lawyer jokes after may 10th. public-private partnership, the bottom line, in my job at dhs, responsibilities for coordinating a lot. but the directive authority to make protective actions happen anywhere with respect to any of the critical assets, or systems, including my own office space, was very minimal. so it was all about public-private partnerships. i frequently use statistics. 85% of this challenge, ownership of critical infrastructure about
4:53 am
10% in the hands of state and local government officials and only about 5% in terms of ownership and authority. in all to make this work in a constantly changing and threat and hazard environment, that public-private sector piece is critical. if that can't be worked out, you won't have anything. so some important notes there. to further set the context for the challenges before i talk about where we are now and where we're going in the little bit of the road ahead. you have to understand this public-private sector thing has become a buzz word, but it's not a monolithic entity. there's no such thing as a single public-private partnership. this partnership, it operates at various levels across various levels of government, various levels of the private sector, from the facility level all the way up to the corporate level, from the white house, all the
4:54 am
way down to local municipal and county government. and all of those things, viewed in a very different way sometimes, depending on what we're talking about. as we've evolved over time, beginning with the clinton administration, through the bush administration, now into the second obama administration, this thing has morphed metastasized very quickly in some areas, not so quickly in others. it's made up of organizations and individuals. those individuals and organizations have distinct personalities, interests, bureaucratic politics, authorities, capacities, resources, buddy networks. i wish all that could be checked at the door when we're talking about public-private partnerships, but absolutely none of it is, and you have to deal with all of those things when you're trying to get in this business of establishing an effective, efficient set of public-private partnerships to do something like protect the nation's critical
4:55 am
infrastructure. would caution you all that public-private partnerships are not an end state. they're a road to an end state. that end state is a safer, more secure, and a prepared america, in an all hazards, all threat, 21st century, global risk environment. that's a mouthful of words there, but very important words. again, it's a journey to get to an end state. a very important road of many things that have to come together to do this thing called homeland security, homeland defense. it has to operate in all threats, all hazards context, and has to demonstrate flexibility to go from one thing to another. here are some examples. we have rogue nation states out there that don't necessarily respect the rules of international law or established international norms. we have international terrorists of varying types and categories. the most dangerous of which has emerged recently as isis in syria and iraq. domestic violent extremists, disaffected employees, malicious
4:56 am
insiders with a grievance against somebody or something. ever more catastrophic disasters, ever more consequential disasters. mother nature capable of throwing us in harm's way. technological failures, industrial accidents, hazardous material releases, things that we have to deal with now, through this public-private partnership. cyber attacks, global pandemics to include ebola and other things, climate change, space weather impacts on earth. supply chain disruptions, materials in the hands of the enemies of the united states. those are all things that impact the public-private sector partnerships. has to be able to morph and adapt to the very specific issues associated with each one of those things. we can't develop a public-private sector
4:57 am
partnership by issue area. we've got to develop things that can be flexible, mobile, adaptable and agile to deal with this world in which we live which is ever more crazy. >> i think public private partnerships are really good in that they take us beyond something that is important, a baseline in critical infrastructures that didn't exist prior to september 11th, which provide a baseline for security and emergency preparedness in many infrastructure sectors. however, if that's all you do, that's a minimalist approach which is even more effective than having somebody doing something because they fear they will incur a penalty if they do not, is to have somebody doing something for the national good because it's the right thing to do and because they elected to do so voluntarily. that's more powerful and it gets more into the nooks and crannies than any regulation can. and using this voluntary
4:58 am
public-private sector partnership approach, when the world around us changes dynamically, regulations don't change so dynamically. takes years to go from one to another, or make modifications that would allow a regulation to respond to the world around it. public-private sector partnerships, if they're the right kind and agile and flexible and they build themselves that way, they can turn on a dime, depending on the issue, and that's much more effective to get at emergent and dynamic threats that we face today. finally, we must always remember that public-private sector partnerships, in my world, critical infrastructure protection, are really in addition to regulation, where we apply those wonderful, state, local and federal ordinances, statutes, directives, whatever it might be, processes and systems, products, techniques, technology, whatever it might be, those are the vehicles to apply a lot of good stuff developed at different levels of the overall public-private partnership community around the country. so a bit of context for why this
4:59 am
is so critical. but some of the things you have to think about as you're trying to apply the concept of public-private partnerships to an area in homeland security, for example critical infrastructure security and resiliency. before i drive the car forward, sometimes i take a look in the rearview mirror to see where i came from. if you take a look, imagine if you will, a world in which hardly any private sector individual had a national level security clearance. imagine if you will, a world in which there were no technical systems or platforms through which the public and private sectors could exchange meaningful operational and intelligence related data. imagine if you will a world in which the legal context was designed to make information-sharing a very open type of enterprise. a legal framework in which it was very difficult because of anti-trust considerations for the private sector to meet
5:00 am
together as an entity to address common security issues, and because of faca, very difficult to hold more than one meeting between government at a certain level and a certain industry group. so that's not a make-believe world. that's the world we had on september 10th, 2001. and that's the world we had to operate on september 11th and 12th, 2001, and for years beyond that. many of you in this room worked tirelessly to address, help us address in the right way, the proper way, the legal frameworks that served as impediments at the time to the formation and establishment of really effective and efficient public-private sector partnerships. it's not yet a perfect world. it never will be, but i applaud the efforts of you involved in the process moving those forward. because without a change in those, this public-private sector thing would be a buzz word that people would put in the paper and magazines, but it
5:01 am
wouldn't have any meaning, because it wouldn't exist in my world of critical infrastructure protection. that's always something that i have to remember. president clinton, starting with pdd-63, put an organizing framework in place, a conceptual framework. the first sector liaison, on the private sector side, we started with eight critical infrastructure sectors. we did have something to hit the ground running with in the immediate aftermath of september 11th. then the bush administration, the people associated with that, in and out of government, and now in obama 1 and 2, have continued on that very important work to get the public and private sectors engaged with one another, in policy development, where there's appropriate, and legally acceptable. in plan development and implementation. in technology development, application and implementation, information-sharing, so on and
5:02 am
so forth. again, not that the universe is 100% rosy in any of those categories, but man, when you get in that car now and attempt to drive it, the wheels are on it. the wheels weren't on the car 11, 12 years ago. it's an important milestone. i don't think any other nation on the planet and i've looked at a lot of them, have achieved this level of an integrated team that operated again, at various levels according to various premises to deal with a common set of threats and hazards. so we're about the best there is and i'm not saying it because i was a part of it. go take a look on the internet and look at other people's infrastructure protection plans to the extent they have them at the national level, you'll be amazed the scarcity of that kind of information. moving forward and then we'll go back to a group discussion, i think here. i think that the public-private sector partnership piece does need more refinement. in some cases, it needs a major kick in the tires. the department of homeland security doing a great job to
5:03 am
manage this enterprise across a lot of very complicating circumstances. i would have to say there's room for improvement there. we need more focused attention and resources on joint public-private sector catastrophic disaster preparedness planning and risk assessment across the united states of america. the department of homeland security, fema specifically has the ability to condition grant funding, with support from congress from time to time, to make sure we're focusing on analyzing risks jointly between the public and private sector. start with urban cities and the top 10 or 12 have remained constant over the last decade. do you know there hasn't been a single joint public-private sector assessment done anywhere in any of those top 10 cities?
5:04 am
bits and fragments of pieces of sectors have been done. specific facilities have been done. specific assets have been done. you go to new york and chicago -- i was there last week on a project. there's not an integrated set of analysis yet that leads us down the rabbit hole of infrastructure dependencies and interdependencies that are commonly known by the public and private sector sides of the relationship. we got to get better than that. because if we're not using that grant money in that kind of area, that means we're building plans on a lot of data that either doesn't exist, or that is insufficient. and we're building plans hoping they will work, as opposed to being backed up by credible data. again, lots of great work has been done in individual silos, individual pieces of the puzzle across the country, but we need some leadership to bring that all together to make sure we're informing our planning processes with good, solid, cross-cutting interdependencies and dependencies analysis that will also allow us to do adaptive planning when we're in the middle of a crisis to figure out
5:05 am
second, third order cascading effects that we didn't necessarily tackle so well during sandy. also, i think over time, a really big issue has become, i remember the early days of the sector coordinating councils on the private side of the partnership, heavily populated with ceos, shakers and movers. i've seen that level of attention and input into that set of processes diminish. now we have some great security officers, ctos, cios, involved in those councils, but they don't own the money. if they don't own the money, they can only do so much. a big exception to this is the electricity sector. huge effort to ramp up that level of senior management engagement. there's four dozen ceos, i believe, that are engaged in that process. that's what we need. the shakers and the movers of the industry are there. now, i'm not going to let my government colleagues off the
5:06 am
hook, because we also used to see a lot of senior government officials on the government coordinating council side of the house engaged frequently in that business. i've seen a diminishment of senior level engagement over the last decade. we need to fix that problem in two ways. ceos and coos need to get supportive of this, so do senior government officials. we need tough decisions and risk outcomes to be decided and that's not going to happen at the gs 14, 15 level. it's got to be higher than that. if we're going to solve some of the nation's most critical problems, like aging infrastructure, and the impacts of climate change, that's not going to be done at the level we currently are structured to deal with those kind of things. it's got to be a high order type thing. i also want to say, that at the
5:07 am
state, local, and federal level, tremendous difference in terms of private sector engagement in emergency operation centers and information exchange than we had a decade ago. i'm seeing seats in operation centers at the state and local level, and at the federal level for people from electricity, from water, transportation, privately owned. that's very good. and those that aren't there physically, are virtually connected. so they're built-in to the incident once it's in motion in many places in the country where we didn't have that previously. but we lack private sector engagement in the risk analysis and planning process in front of any particular incident. we haven't made significant progress to my satisfaction in helping our state, local and regional partners integrate key private sector entities into the fusion center world of intelligence sharing, where that rubber meets the road with
5:08 am
critical infrastructure protection. until we do that and overcome some of the remaining impediments to having those with a physical presence or virtual connection into the state and local intelligence fusion centers, we're going to have a big gap in terms of information they can provide for the intelligence picture and those that need to take front line action based upon what an emerging threat might be, are out of the picture until it's too late. i think considerable effort still needs to be made in those areas. overall, i've become an optimist since i left government. i'm no longer a pessimist. so i think overall, the report card is really strong. but we're at a critical juncture now to take the whole public-private partnership concept to the next level. and in a resource-constrained environment, i'm very afraid of what might happen if we don't continue to focus on this, given the fact that our adversaries are continuing to focus on this in ever more challenging ways. so that's kind of the parting
5:09 am
message i leave with you and i look forward to your questions. >> thank you. >> kirsten, did you have a few comments on the way forward? >> sure. so i mentioned some of them and of course it's always a pleasure to be on panels with alan and bob, because generally i can just say what they said and that covers most of what i was going to say. but i do think some of the points that have been stressed, so we continue to see this moving away from contractual relationships. as bob said, whether it's planning, alan gave some examples in the archetypes, we also see where the legal construct concerns arise, less in the public-private interface, and more in how the private sector is organizing to interface with the public. so, for example, the airports some of you might know, have some great mechanisms to provide mutual aid to each other. the western airports and the southeast airports both have organized around disaster
5:10 am
operations groups, called west dog and east dog. the way in which they did that is interesting. because the legal questions arise at that entity level, and then it's that entity representing the private sector that interfaces with the public sector during disasters. so it's a kind of a one-off legal question. it's not the actual ppp, where some of the legal questions or organizational questions are arising, but how the private sector is organizing to do the interface. we've also seen the private sector, for purposes of liability, for purposes of concerns about investors and competitiveness, they have chosen to engage with the public sector in the form of foundations. so ups is one of the older ones. the ups foundation was created in 1951, but its mission is to increase community resilience and that is done through the foundation, as opposed to ups at large. and lastly, just to take on
5:11 am
something that both bob and alan mentioned with the threat picture the way it is, the hyperconnectivity, the increase, or complexity of interdependencies and dependencies, and potential for cascading effects, i think what we're seeing are new roles emerging in both the private and public sector which underscore the need for that flexibility, but lead us to unique public-private partnerships. just a couple examples. i grew up in florida. one of the things you learn early growing up there, i had to run away from alligators. when a hurricane is coming, it's just as important that your neighbors sandbag, as it is that you sandbag. if your neighbor doesn't sandbag, your house will flood. you're only as resilient as your neighbor is. but with new threats, enhanced threats, such as cyber, we see that more and more. one corporate entity is only as
5:12 am
safe as every connection point they have to every other entity. so the question, what is that role, who can better determine the interdependencies, the places where the threat indicators can be introduced? is there a call for a public-private partnership around the emerging threats and roles? we also see some traditionally, inherently governmental functions, perhaps with increased focus on the private sector. one example there is the alert and warning system. fema, as you know, has been working for years on the integrated public alert warning system. but that started with a recognition that the private sector had the technology and resources that were needed to disseminate the alert and warning messages. so perhaps traditionally, an inherently governmental function is delivered from the private sector in the form of a partnership. and the role of city as i mentioned previously continues to increase.
5:13 am
again, a more traditional, inherently governmental function such as situational awareness during a disaster, we see that situational awareness being put together through information from individual citizens. from twitter feeds. from social media. it's quite interesting, when you look traditionally and you look today, as bob gave us a great articulation of where we've been and where we're headed, the role of that individual citizen in providing information and playing a role in community resilience. we also see that through the rockefeller foundation. >> thank you very, very much. alan, we're just about over time, but maybe you could say one or two sentences to bring us to a close. >> i'll take the opportunity as someone who practiced law in the private sector but was never an attorney in government, to issue a charge to all the folks who are attorneys in government in this area. and that is, be proactive in
5:14 am
this area, in thinking about -- in thinking about public-private partnerships. you've heard a lot of great information from everybody on the panel. but understand that many of your clients may say, i don't think we can do that because the lawyers won't ever let us do it. so, i would say, understand the legal landscape and to take advantage of the tools that are being developed by susan and the group that she is leading. think creatively and imaginatively about authorities, barriers, and solutions, and become part of the solution. be proactive in working with the client to figure out new and different ways of using public-private partnership tools to approach problems. >> thank you very much, everybody. and thank you for being here. we're out of time, but we hope that we can talk to you after we close here in the next session gets started.
5:15 am
thank you very much. [ applause ]
5:19 am
this part of the american bar association, looks at security risks for air and rail transportation. it's about an hour and ten
5:20 am
minutes. thank you, emily. thanks, everyone, for being here today. this is the transportation and security screening break-out session. glad to see we have a sold-out room here for this discussion. my name is jeff surl. i'll be the moderator of today's panel. and just to reiterate by way of brief introduction, i did serve at the transportation security administration for a couple of years and then at the department of homeland security for the secretary. three years in total with the administration and i'm thankful not only to have survived the experience, but i'm actually thriving. so i'm excited today to have our panel, five experts in supply chain security and operations. i was looking over the bios last night and noticed that four out of five of them, their last
5:21 am
names start with f. i don't know if you noticed that or not. so i was trying to come up with a clever name for our panel, maybe the f-team. but that leaves larry out. so -- okay, we can certainly insert an f into your name. but that's not a very complimentary name for this august group. i'll introduce them, and then they'll want to introduce themselves to you in their opening statements. the format today will be a panel discussion. i'll open with a brief statement, setting the stage for the issues we'll be discussing. then each of the panelists will give a five to seven minute statement themselves. and then i'll aggressively cross-examine each -- no. i will delicately toss questions to the panel for about 15
5:22 am
minutes. and i think that based on their depth of knowledge and expertise in these areas, we'll have a vibrant discussion of the issue. and then i'm going to open it up to you all for questions. so i expect some good questions from you. get ready. as the panel description states, threats to transportation sector and supply chain continue to require government and private sector efforts to reduce financial risks and logistical vulnerabilities. cyber warfare present new difficulties. this panel will review the current legal and public policy issues facing these critical infrastructure sectors, including legislative and regulatory efforts to reduce risks that impact businesses. for example, over the past year, 18 months, some of you have
5:23 am
followed this issue for a number of years before that. but there's been an increased activity in on the government side in particular, the president's executive order 13636, the missed framework of development and publication and adoption. and several bills in congress, two of which have passed the house of representatives, both of which placed dhs in the position of go-between between the private and public sector on cyber threat information sharing. and so the discussion will also address the effectiveness of current transportation and cargoes security programs. the status of the public-private cooperation information sharing and the implementation of the nhtsa framework as i mentioned. by way of brief introduction, fay is the leader of the boeing
5:24 am
commercial cyber 1 team. developing and coordinating a public-private partnership between the aviation industry and the u.s. government in order to establish an aviation-information sharing analysis center, isac. >> they still haven't changed that name, have they? something a little bit more catchy. where he leads work on cyber security insurance and risk management and support of implementation of the president's executive order. prior to that, he served on the house homeland security committee. tom farmer is assistant vice president for security at the association of american railroads. tom and i had the pleasure of working together at tsa and he still agreed to help me out here today in his current role, he coordinates the development of railroad industry security policy among other duties. and at tsa he served as the mass
5:25 am
transit lead. and larry leads and manages projects in the field of telecommunications and security for acom. i'm sorry. global architecture and engineering firm. he will give some insightful remarks on how cyber security affects certain modes of transportation. i caught a presentation that larry had given regarding airports and cyber security, which i found fascinating because i don't think there's much out there. i think you come up at the top of the google list. so i'm looking forward to your comments. and then andrew farly is the co-founder of c.t. strategies. which provides strategic advice to clients seeking current innovative insight into border management and supply chain challenges in the u.s. and around the world. he's a former customs and border protection official. certainly physical security and
5:26 am
resiliency play a significant role in protecting transportation in the supply chain sector, as well as the critical infrastructure as a whole. over the course of several years and i spoke to the moderator of this panel for -- he moderated the panel for the last several years, i mentioned to him cyber security. he said we've been migrating from the physical to the virtual and talking more about cyber security. and i thought that, you know, particularly looking at chronology of events after 9/11, we certainly focused on physical -- re-looking and reevaluating security for critical infrastructure. and over that course of time, i think there's been tremendous strides made, not only on securing the critical infrastructure, but on
5:27 am
resilience, public-private partnerships, but one of the things that i thought it was missing, or at least hadn't been fully baked, was the cyber security. and now that we're so interdependent on networks and communicating and operating systems using open networks, as well as closed networks, i thought that there were certain vulnerabilities that even me as a novice were thinking about. so i thought that today's panel, we could focus a little bit more on the cyber side of things. certainly don't want to leave out new developments or news regarding the physical side of the equation. but i do want to focus on the cyber side. that seems to be a theme for this conference overall. so i look forward to hearing the panelists' comments. why don't we get it started with you, larry, is that okay? thank you.
5:28 am
>> good late, early morning, everyone. thank you to jeff and to the institute for the opportunity to come and speak before you today. once again, i'm larry javi. i work for a company called ae com. i like to think of us as the biggest company you've never heard of. we're architects, engineers, construction managers and operations and maintenance personnel. on the operations and maintenance side, we operate and maintain a couple of large buildings, large facilities for the government and for private industry. on the construction management side, you may have seen us or a subsidiary company on the pentagon renovation, wedge one. we were the construction managers on that and also on the world trade center reconstruction. but my group is part of the design and engineering portion of ae com. and we focus mainly on roadway,
5:29 am
bridges, tunnels, mass transit, sea ports and airports. we also have -- we also work in the energy sector, as well as transportation. the public sector, and we do a lot of critical infrastructure protection, in terms of water systems. and arenas like that. my group specifically, i work in the technology area. i provide all the technologies that go into these facilities. the telecom systems, the audio-visual systems, radio systems, as well as the security systems that go in there. and i provide some of the cyber security aspects of these systems. so control systems, like the security systems or the building management systems, so you know, you walk over in the back of the room and somebody hits a button on the wall and the lights go to a certain brightness and all,
5:30 am
that's a building management control system, also the ones that control the hvac in the building, or perhaps ones that maybe if you're an industrial facility, the valves that control the flow of chemicals through the pipes, in a refinery, for example. those are control systems. in the transportation arena, positive train control and signaling. also, to some respect, we're dealing with things like variable message signs that you see on the side of the road. the intelligence transportation systems that are out there. i know i've got a commute on the way home here that i'm going to pass through a lane that switches direction. in the morning, it's heading into d.c. in the evening, it's headed out of d.c. i've always wondered if somebody got a hold of the controller and flipped the signals, somebody who wasn't driving that road every day could go the wrong way and cause some trouble. and if something like that were to happen at the same time we
5:31 am
coordinated that with some bad weather. we could be in for a whole mess of trouble there. but what i find interesting about these operational technologies, i want to spend a minute talking about the difference between operational technologies and informational technologies. we have laptops and cell phones. this is the kind of stuff that we've all known has been around since the '40s and the '50s. and from a cyber security standpoint, we've been doing a lot of work in that arena, for information technologies. so the pcs, you have at your desk and the servers in your employer's server's room, the cloud, if you will, the internet. a lot of time has been spent securing that infrastructure. how good it's going is another story. but there's been a lot of effort in that respect. operational technologies are
5:32 am
more of those control systems or systems that manipulate physical things. okay? as i mentioned, the lanes of traffic that go back and forth. the industrial controls out in refineries and chemical plants, train-control systems, as i mentioned. what's unique and different about these systems, first off, they control physical things. so if they go awry or someone were able to control them and set them up in a way that could be detrimental or harmful to personnel, to physical assets, to the environment, these are the things we want to pay attention to and unfortunately there really is very little with respect to -- there's very little going on in the realm of cyber security in these physical, logical systems. with respect to what's going on in i.t., we've been doing this for decades.
5:33 am
on the o.t. side, not so much. the operational technology systems, they were one-off devices. they were in areas nobody saw. they were specialized. they were often physical relays and things that had to physically move in order to make these controls happen. they were almost never networked together with any other systems. and it was a very, very small group of people who really understood them, knew how to program them, or design them. and that was the case really up until just a few years ago. most recently, i got a bill from my electric company that told me to go to the website, and they showed me day by day how much electricity was using in my home. that's because -- and i can get on -- excuse me. i can get online and i can look at all kinds of different statistics on my energy usage in my home. and that's because the meter on
5:34 am
the outside of my house is in some way, shape, or form, connected up to a web server somewhere, that i can then access. so if i can access that web server, and that web server can access some way that meter on the outside of my house, so i'm wondering, is it possible for someone now to go turn off the power to my house? now imagine that, times 100,000 homes or businesses. so we have that as one difference between the operational technology side and the information technology side. what's also interesting about the operational technology side is that these systems were built, many of them, 30, 40 years ago. and they were designed and engineered to operate 24/7 for decades. okay? one thing you might notice on your pc at the office, every tuesday, well, once a month on tuesday, your computer reboots itself in the middle of the night. this is microsoft sending down a
5:35 am
patch to your computer to fill any holes that they've discovered over the last month. sometimes it's more often. sometimes it's twice a month. and your internal i.t. department may do it once a day or even more often. and that's because we can turn off your computers for a few minutes and it's really not a big deal. but i really can't turn off one of these positive train control systems. or a refinery's plumbing. i can't turn that off. it may take a day or more than a day to restart that equipment. so the opportunity to patch known vulnerabilities in these operational technology systems is very limited. and so that causes us to have to do a bunch of other mitigations to get around that problem. and that's where some of the work i do comes in. [ inaudible ] -- where this comes in.
5:36 am
back in 2003, might have heard of csx had an issue, one or more of their systems was infected with a virus. i believe it was the so-big virus. and in cleaning that up, as a matter of prudence, they shut down or took off line some of their operational systems just to make sure there was no impact to them. and indeed that caused, you know, some ability for them to halt traffic around and even spilled over onto amtrak schedules. more recently in 2008, in poland in the city of luj, a young fella, 14 years old, sat and watched the light rail train system that went through the city. he figured out -- i'm not quite sure how, but he figured out that the trains used infrared signals, what you have on your remote control tv at home. that's what they use. the trains would send a signal on the grounds to move them from
5:37 am
one track to another. he figured this out, went and bought some remote controls, had them record the signal and was able to play it back to the switches, and he was actually able to control the switches throughout his town. one thing led to another, and he did manage to derail four cars and cause about a dozen injuries one day. they found him and i'm hoping they have since changed to something other than infrared. we all know about the metro train collision that occurred here a couple years back. that was caused by a faulty piece of operational technology equipment. that's not really a cyber security event per se. but had wamada had a cyber security program, specifically focused on their operational technologies, they might have tested the equipment more often and realized this was a piece of equipment that had actually been failed for quite some time.
5:38 am
so while these operational technology systems, they originally grew up as stand-alone, kind of obscure systems, what's happening now is that they are indeed getting connected to the internet in one way, shape, or another. and they are communicating between them, originally with some custom protocols that really was very obscure. but now we're starting to use more common protocols, internet protocol, ip, you've probably heard of that before. and that is part and parcel to the issue. not only now do we have systems that are connected to the internet and using commonly available protocols to do it, but the -- our adversaries have learned about this, they know about this, and they're taking much more interest in it. now, about once a year, verizon comes along and does a big meta study. this last year, they looked at about 63,000 security incidents across the country, across many
5:39 am
industries. the good news from that is that the transportation industry had a very, very small amount of reported incidents. not to say there weren't more. but of this large sample, there are only 24 incidents reported in the transportation industry. what i found interesting and different than all of the other industries were reporting, is that the highest percentage of incidents in the transportation industry, were of the cyber espionage-type. and with a small sample like that, it's hard to make an extrapolation, but it gets you to raise your eyebrow, why potentially could our state adversaries be interested in our transportation systems? so that's something we need to look at. and the other thing that, you know, in other systems, as well, are also getting connected. airport badging systems, for example. you see the pilots and the folks who work there, they have their badges and there's been a lot of
5:40 am
regulation involved around badging people at airports and ports. and so that regulation has caused us to sort of make these badging systems super badging system. we've had to separate them out and make them stand-alone systems. in doing so, we've had to connect them to the internet to allow people to register and to do ncic checks. so it's becoming a more interconnected world in the arena of operational technologies. and the problem that we're seeing is that there just isn't a whole lot of attention being put on it by the operators. we know that in the energy sector, they're probably the most advanced, they have the most regulation and rules about how and what you have to do to protect from a cyber security standpoint, the energy systems here in the u.s. but as you go down towards transportation and water, those
5:41 am
are much less developed. so that's the area that we're trying to focus on now, trying to help these transportation industries get more up to speed. so i think that's it for me. i want to thank you all again, i want to thank the institute for this opportunity. i'll turn it back over to jeff. >> thank you, larry. fascinating. tom farmer. >> thank you, jeff, very much. thanks all of you for taking time to join us for this forum. our organization represents the major freight rails that operate in the united states. bnsf, kansas city southern, csx, norfolk southern, union pacific, and canadian rails, amtrak, alaska railroad, hundreds of short line carriers and a
5:42 am
growing number of commuter railroads. and as a real credit to this industry, in the immediate aftermath of 9/11, the industry came together, brought in subject matter expertise in the areas of intelligence, counterterrorism, and focused on developing an integrated security plan that would be applied across the board and adapted by each participating railroad within the context of its unique operations. that plan took effect in early 2002. and literally there was still fire burning at the pentagon when this group convened a focused effort. looked across the board to assess risks. broke it up into five teams, hazard accounts material transport, life cycle of a train, where potential vulnerabilities, communications and cyber technology, and critical infrastructure, assets throughout the network. what that produced by early 2002
5:43 am
was a security plan with four alert levels that called for increasing security measures in those areas, as threat levels escalated. so before you had a fully functioning transportation security administration, before you had a department of homeland security, before you had that color-coded system that was initially used to evaluate the threat level in various sectors of the economy. they developed a plan along those lines. it's in effect today. it's updated based on lessons learned and there's a continuous improvement effort dedicated to ensuring we're maintaining the right capabilities and processes and effective coordination in government to make sure that plan remains viable. there's a lot that can be talked about in that plan. the commodity we focus on at our association as we help manage the overall security program is information. and so at the association of
5:44 am
american railroads, we operate with what's called the railway alert network. that's a means by which we provide intelligence, security information, across the industry, to ensure we're informing awareness of potential security concerns. that includes a good communication with government, driven by priorities we've agreed with, to make sure we're putting forward the right type of information and maintain the level of preparedness that we need to, based on evolving threats. now i think that many problems in life can be better understood by analogies to baseball. so if you'll indulge me a couple moments i'm going to do that here. one of the most iconic moments in the game, october of 1951, the culminating event in the national league. bobby thompson hits a three-run homer in the bottom of the ninth inning, propelling them to the win and the pennant against the dodgers.
5:45 am
the dodgers had a lead in august of 13 1/2 games. giants were perceived as dead and buried. people said, the giants, are they still in the league? they were. they won 38 of the final 45 games and finished the season in a tie. call it came down to the finale in new york at the polo grounds. many things happened at the polo grounds. that was the home field of the new york giants. tight game. 1-1, seventh inning. don newcombe leans over and says, i'm spent. i got nothing left. and jackie robinson said, you go back out there and pitch until your arms fall off. that brought two more innings. dodgers take the lead and newcombe gives up a single,
5:46 am
single. now it's second and third, score is 4-2, and the manager knows that his pitcher is spent. he goes out to get him. he makes a decision on who to bring in the game. brings in ralph blanca. he throws one pitch for a second. second pitch hit into left field for a three-run homer that prompts the giants announcer to exclaim, the giants win the pennant. the focus is on that moment. that's the moment that is etched in the history of the game. that's the moment that if you ever see a program talking about key events in baseball, that's always in the top few. that's the consequence. when you're considering things from a security perspective, the consequence matters. but far more important is setting yourself up to deal with that and trying to prevent that consequence, is how it happened. so let's take a look at what he should have known when he
5:47 am
disregarded that decision. bobby thompson was the best hitter in the game when the giants came from so far behind. his average of 110 points higher than it had been in the season up to that point. he was the reason the giants were in the playoff. on deck, they had a base open. it was second and third. on deck was willie mays. hall of famer. but willie mays in 1951 was a rookie. in that same stretch, his average plummeted. 40 points lower in his production. runs batted in was way down. ralph blanca had been a sterling pitcher when the giants had the lead. but lost 7 of 10 decisions when the giants made their run. giving up more than two runs per game. most telling of all, of the dozens of pitchers that bobby thompson had faced during the season when he stepped up to the plate, he had 29 home runs. six of them against one man, ralph blanca. out of the dozens of pitchers he
5:48 am
face, more than 20% of the runs came against one guy. shirley povich, who is memorialized at nationals park, his headline item the next day in writing for "the washington post," the art of fiction is dead. the theory being that what happened is so inconceivable as to have been fiction. but i submit to you what he should have known, he made the wrong decision. that was a foreseeable consequence of ignoring the intelligence he had available. what does that have to do with what we do here? physical and cyber security, very often we focus on the consequence. sometimes focusing on the consequence, you can lose sight of the fact of the means you have at your disposal to narrow the chance the consequences will come about. it's important to step back and say, what do we have at our
5:49 am
disposal? how can we take what we have already and put it to better effect to ensure we're informing preparedness at the right levels. a very important aspect of that is intelligent and security information. the plans i talked about, they do depend upon an awareness that situations are developing, that necessitate elevating threat levels. we have a very good partnership in physical and cyber security through the transportation and security administration that has really changed the dynamic. so we in the industry proposed to tsa, a set of priorities for intelligence, both in physical and cyber security. we focused on, don't spend so much time telling us what happened. focus on how it happened. so what it is, in the course of the london bombings in july of 2005, it's important to know what happened that day. from a security perspective, what was going on in the months leading up to that event? were there opportunities for security to make a difference? tsa focused the shift, and
5:50 am
allows us to walk through the preparation time and see opportunities to make a difference. they've allowed us to take that information and bring it further to other constituencies where many of those indicators that precede terrorist attacks are more likely to be observed. the likelihood that a train crew member is going to see a terrorist in the act of committing an act or some reconnaissance is very small. it's more likely a local police officer working a community will get a report, a complaint, or happen to see something. and we want that see something to trigger a reaction. so as an example, in the months leading up to the london bombings in july 2005, there were a whole series of indicators of concerns in leeds, about 200 miles away. where the bombers had holed up. they were in an apartment.
5:51 am
undertaking their preparations for the london bombing. we take that analysis, delineate those indicators, to inform training of our employees and share them with local police, so that as they go about their jobs, if they get a complaint there's an odd smell coming out of this apartment that was not there until these people moved in, or as happened in leeds, of all the plant beds outside the windows, only these two are dead. and it's odder still they put up this opaque coating. and they used to dress as muslims, but then changed in western outfits. now any one of those things may not be sufficient to trigger concerns, but maybe trigger a question taking a look. similarly on the cyber side, it's important to know when you suffer an attack that disables 30,000 computers, what happened
5:52 am
that made that event possible? similarly, we've gotten them to shift their focus to that sort of analysis. help us understand the tactics used to make that happen, the protective measures that were lacking, the vulnerabilities that had not been addressed, so we can take that information, look within our own networks and ensure we are narrowing the possibility, whether it's attempt to get into operational systems, which are secured in our industry, or in business systems, for espionage, that we're narrowing the opportunity because we're using information in a far more effective way. doing great work in this space and putting out indicators to the private sector of terrorist tactics, of cyber tactics. putting out information based upon the assistance they extend to private sector entities that have suffered intrusions. we've asked them to take a next step with that information and look at that body of work, hundreds of thousands of indicators and draw from that the sort of information that can very well inform risk management
5:53 am
decisions in our industry, in the transportation sector. we've asked, from that body of work, what are the tactics you most often see? what are the vulnerabilities most often exploited? what are the protective measures found lacking? and a real purpose of the executive order that the president's issue is not to solve cyber security. it's an insolvable problem. but you really want to begin to narrow the risk profile. and so where the window may have been open this wide, some of the efforts talked about through that order are aimed to narrow that, perhaps chase away some of the actors because the task is not as easy as it was before. and to make the actors who were good before, get even better. one of the sad realities, the means of intrusion is often simple. it's sending a phishing e-mail asking you to click on a link. it's sending a file attached to an e-mail that you click on and
5:54 am
introduces a virus into your computer. often these e-mails have indicators, that if you spent 15 seconds, you'd see there's something odd about this. i've never gotten an e-mail saying read this article. this e-mail address is different. we have committees that convene once and twice a month and predate 9/11 in its operations and activities to coordinate industry cyber security. one of the emphasis we place on that, dhs has that good program, we had to pause. pause and look at an e-mail. if there's something odd about it, from a source you're not familiar with, take a look. you can scan it and get a pretty good idea whether it's the type of communication you're used to receiving or whether there's a basis for concern.
5:55 am
there's a lot to be covered. i wanted to bring to your attention, the efforts of our attention in partnership with government to address these types of concerns. i can say with pride, particularly in the transportation sector, there's been a real effort between tsa and the various representatives of the transportation modes to put a public-private partnership, a term often used very expansively, to put that in practical action. in some of the areas, they are areas when first proposed was, we just can't get there. and we've gotten there, result of a good partnership. happy to take questions on that as we proceed. but i'll turn it over to the next speaker. thank you. >> thanks, tom, fascinating. last night on the drive home from the baseball game, my wife asked me what a walk-off run was. and so i fumbled through the explanation. we're not big baseball fans, but have become recently with the
5:56 am
nationals leading their division. so part of your story scares me, because we certainly want the nationals to win, but boy is she going to be impressed with my knowledge of baseball history when i get home tonight. next speaker, andrew. >> thanks, jeff. >> good morning to all and thanks, tom, as a life-long dodger fan and family whose love of the team dates back to brooklyn. always nice to have the salt in that wound. so we'll get started. it's a pleasure to be here. when jeff asked me to participate, there are a number of ways to go with the discussion. my background, my quick background, not that i love talking about myself, but it's particularly relevant to this discussion, i'm about a year out of customs and border protection. i did a number of different stints within the organization, but key to this effort is, i was
5:57 am
the director of targeting programs at the national targeting center for passenger and cargo programs. and you know, there's a real push in customs to start moving even more to advanced data and using private industry data to help make better risk decisions, from the border management perspective. companies have been doing it forever. customs often times gets late to the game when they have these different efforts, but the plea i'd like to make to everybody in this room, particularly in your profession is to be really creative. these ideas, when it comes to the government use and the security use of data, these ideas are moving very quickly. and they're certainly moving faster than the nprn process, you know, the number of times i was in my office at the targeting center, being told that we had to wait for a
5:58 am
rule-making to get the data that we were looking for that would stop the next attack, or that would better facilitate cargo through the border, i would hear that daily, i would hear that weekly. and it was -- it was frustrating. because, you know, for me, i'm an attorney on my resume, but not real like you guys, i had to believe that as industry evolves and reinvents itself, there had to be a way for the federal government to keep up and to really adapt their processes, their data collection and their efforts that moved, if not at the speed of business, maybe one generation behind, instead of several. and often times the greatest catalyst for change in the security environment, i'd like to say it's creative thinking, but a lot of times it's a threat. i'll talk about examples.
5:59 am
the threat piece, the example i can give you, you all probably remember in 2010, in october, where there were explosives found in the printer cartridges over in the uk in dubai. the response to that was a great example of what i'm talking about now and should serve as the model for programs to come. it was what had come to become the advanced air cargo screening. and what happened was in the immediate aftermath, i mean the absolute immediate aftermath of that threat, customs and border protection, tsa, dhs, and the express consignment operators, all got together and said, the regulations right now for advanced information, coming into customs and border protection and to tsa for international shipments come way too late and there's not enough. what do you have available? what can you have right now? what can you provide voluntarily
6:00 am
that will help make better risk determinations and help to move the action that can be taken in the supply chain further out, you know, before an event becomes, you know, a catastrophe or a tragic event?
