tv Cybersecurity and Business Leaders CSPAN February 17, 2015 9:16am-10:07am EST
9:16 am
department of energy has a number of extraordinary national labs. one of them is here at stanford, the stanford linear accelerator. we do cutting edge research on cyber and physical challenges to our critical infrastructure at a number of those labs. over the last several years, 80% of the world's control system vendors have been tested through government-funded assessments at our idaho national lab for example. this testing is followed by design reviews and mitigation discussions with the vendor. indeed at idaho, which i visited last week a 900-square-mile grid scale test range exists which enables us to do real world testing of the interdependencies of modern grid technologies and the evolving threat we face to critical infrastructure. we also conduct live exercises
9:17 am
to train government and private sector cybersecurity experts at control technologies at idaho national lab and help them to develop an understanding of what they can do to minimize and mitigate vulnerabilities. so we all know that cybersecurity is going to remain a challenge as far out into the future as we can see. secretary moniz and i have made this a high priority. indeed, we're going to put over $100 million this year and next year towards cybersecurity of the nation's electric grid. in closing, i want to speak directly to the students here today. can you raise your hands? i understand there are a lot of you. when the president of the united states and many cabinet members and ceos of important companies come to your campus, we hope we're going to inspire you to pursue careers that give you a chance to find a way to do public service. that can take many forms, and
9:18 am
you will blaze your own trails. indeed, my 17-year-old son richard will join you here on campus as a member of the class of 2019 this fall. [ cheers and applause ] >> it's my hope that he will take up this call to action alongside you because we need your minds your talent, your innovation and your energy. the problems we're discussing today are some of the toughest that we face as a nation and that makes them the most worth working on. so i encourage all of you to use the privilege of being at this extraordinary university to find ways that you can play a part in inventing solutions that will help us keep our great country strong and safe. thank you. [ applause ]
9:19 am
>> thank you liz. that was great. i didn't even know her son was coming here next fall. that's terrific. in the few minutes we have remaining, i wanted to ask one or two questions. mark, let me put the first one to you. you're our cybersecurity expert in the private sector as part of your firm, which is a rapidly growing firm in this area. the companies represented up here, kaiser permanente, pacific gas & electric, american express, are probably pretty sophisticated themselves, large public companies in terms of cybersecurity. what is your assessment of how smaller companies, smaller firms are doing in cybersecurity these days? >> i think it's a challenge for everybody no matter how big you are. it's a challenge that you may need more resources, but it's the same threats that are hitting large companies and small companies. bigger companies, like tony's for example, have definitely been
9:20 am
designated critical infrastructure by your organization, but if you go ask a ceo or an owner of a small company, they definitely consider themselves critical. so they're just as worried and concerned about this and rightfully so because they are the subject of attacks. when a small company believes they're not under attack just because they're not a large company, that's a mistake in assumption, and they need to protect themselves in the process and it's becoming evident. this is where something like information sharing is very very powerful for smaller companies because they'll never be able to bring to bear the resources that some of the larger companies can. we all work together, large companies, small companies public/private. a lot of information we're talking about, that benefit will get to the small companies which employ more people across the united states than the big companies do so it's important for all. >> thank you very much. in the 32 -- 31 -- 30 seconds we
9:21 am
have left let me take the moderator's prerogative to close it out. i want to comment on something my fraternity brother said. we talked about constancy of values. let me say to the audience, particularly the students here, we in homeland security recognize and believe and this is certainly true of myself, that homeland security, whether it's border security, cybersecurity, counterterrorism, means striking a balance between basic physical security and the things we cherish as americans. our values our values in terms of freedom to associate privacy, civil liberties. we cherish diversity in this country. we cherish our heritage and so part of homeland security is preserving the things that really make this country strong
9:22 am
and great. i'd like to tell public audiences we can build higher walls, we can interrogate more people, we can screen more people, we can erect more cybersecurity, but we should not do so at the cost of who we are as a nation. thank you very much for listening, and thank you panelists, for the terrific discussion. [ applause ]
9:23 am
>> ladies and gentlemen, please welcome the panel on improving cybersecurity practices. >> well thank you for having us here today. first of all, i am thrilled to be back on campus. i'm a graduate of the law school and the business school, so this weather is not a surprise to me nor a shock. and it's lots of fun to be back home. and my other comment about the previous panel is i really had no idea that secretary johnson was such a comedian. and i'm looking forward to asking his fraternity brother a lot about his room when they were in the fraternity. secretaries go back and forth with one another. but, any way, we are thrilled to be here today to talk about cybersecurity and how it affects
9:24 am
the private sector. a year ago and a day, our administration released something that's been referred to earlier today called the nist cybersecurity framework. nist is the national institute of standards and technology, which is part of the department of commerce. we knew then when we released the framework, as we know now, that cybersecurity represents a challenge not just for critical infrastructure, which is how the framework was originally created, but also for economic security, and as we've heard, for our national security. we recognized then, as we still do today, that the most effective way to combat the growing threats in our cybersecurity space is through a strong partnership between industry and government and civil society. and that's who we have here today. i represent the government, some of our panelists are from industry and some from civil
9:25 am
society. so with the recent high-profile attacks that we've had from sony and anthem it's clear that cyber risks continue to grow and that we as a nation need to do more to strengthen our cybersecurity. that's why congress must pass information sharing and data breach legislation and update our criminal code without delay. that's why the department of commerce is working with other federal agencies and with our educational institutions on something called the national initiative for cybersecurity education, which is aimed at filling the 210,000 open cybersecurity jobs in the united states today. that's why president obama made cybersecurity a priority in the state of the union address last month, and that's why our administration has convened this summit. so our panel today is focused on the perspectives of leading
9:26 am
american businesses and their ideas on helping firms to align their policies, their technologies and their day-to-day operations to better protect themselves and their customers from cyber threats. all of this room -- all of this is about the urgency of the problem that we know exists today, yet a recent pricewaterhousecoopers survey found that only about 35% of ceos are extremely concerned about cybersecurity threats. i have to confess, i'm amazed it's not 100%. but our nist cybersecurity framework creates a common language to discuss cyber threats and a way to measure success for senior executives and their it professionals. the goal of the framework is to help companies, organizations,
9:27 am
institutions protect their it from security threats, ensure their confidentiality, safeguard their privacy and civil liberties and capitalize the cybersecurity marketplace in the process. at its core, the framework serves as a bridge between business leaders and information security professionals within their own organizations. it is through the framework that we designed, you know, with critical infrastructure in mind. any business, though can use this framework to help manage your cybersecurity risks and many are already doing so and we're going to hear from our panelists about that. i'm someone who spent 27 years in the private sector so that i know, as all of you in this room know that good risk management is essential for a successful business. and that's why companies from a
9:28 am
variety of sectors are using the framework to help manage their cybersecurity risks, including procter & gamble, walgreen's, qvc, kaiser permanente, all of them are here with us today, and it's also why major auditing firms like deloitte and pricewaterhousecoopers are using our services today. the fact is it's in our society, our businesses and our daily lives. as we know, there are 3 billion households worldwide and somewhere between 7.5 and 10 billion items, from toasters to thermostats to phones, all on line. and the implications of the cybersecurity threat given those facts are vast. so our discussion today is going
9:29 am
to explore how business leaders and their boards are moving cybersecurity concerns to the forefront. this is an opportunity to learn how this critical issue is part of corporate planning, part of corporate communications, part of corporate governance, part of corporate operations. so i am really thrilled today to be joined by a number of business leaders. brian moynihan, who is the ceo of bank of america. ajay banga, who is the ceo of mastercard. peter hancock, who is the ceo of aig. renee james, who is the president of intel. nuala o'connor, who leads the center for democracy and technology. so let's jump into this. my first question, renee, is for you. what is your vision for how technology can create a more secure environment and protect
9:30 am
data? >> thank you. we have been working on improving the baseline of security and computing for about the last decade. billions of dollars of investment. so our vision is really we'd like to get -- just get a baseline of security for everybody, and to that end we've made significant investments in the security industry, but more importantly, are moving forward with initiatives like giving away free mobile security, putting in multifactor authentication into all new computers, things that we really think will help consumers if it's just there and it's available for them instead of forcing them to have to go out and make decisions about what security what they should put in what are these crazy things. just make it easier for them and just raise the baseline so we can get everyone. one of the statistics that was most concerning to me even just two years ago, more than half of the computers in the world that
9:31 am
go out go out with the security turned off, basic firewall, basic virus scanning, so those are the kinds of things we've taken a lot of steps in our technology and in the industry as part of the security industry, as part of the computing industry to move that forward, to get a baseline. >> does that mean then, that as i'm buying a new piece of equipment that i'm going to be able to have my security just know it's there or does it mean we have a long way to go still with the technology being ubiquitous and protective environment for our information? >> i would say i would give us a half in intel speak which is to say in the next generation we're lucky to have a lot of collaboration from the software industry, from companies like apple, like microsoft, others that are actually putting in security that's -- you know, you can opt out, of course, but it's
9:32 am
there. like us putting in mechanisms in hardware so it's a lot harder to break, makes the transaction safer. i'm sure the gentlemen on the panel will talk about some of that as well. but we still have a long way to go. it's not complete. it's measurably better in this next generation. i think the telecommunications companies are doing a great thing in pushing security onto the devices because mobile devices have been a big target zone. but to say that we were there would be, you know, a mistake at this point. i think we have a lot of work to do. and i do think that, you know, the conversation on information sharing, the conversation on the public/private partnership is a big piece of moving that forward. >> so ajay, let me ask you a question. there were numerous high profile and damaging cybersecurity incidents in 2014 affecting a broad range of industries and companies. how have your customers'
9:33 am
expectations about cybersecurity evolved, and how are you promoting what you're doing? >> so a lot of customers are people like the bank, so brian is a customer. brian the individual also carries a mastercard around. there is the consumer customer, there is the bank customer, there is the merchant, there are telecom companies in all parts of the spectrum. the fact is whether you pay with cash for stuff or you're paying with a card or phone or biometric print, you want safety and security in the transaction forum. you don't want to make sure something coming at you would steal stuff that is yours. we want to interact in the last three years, which is completely different from the past. technology is changing the way people do business and shop and buy and the way things are done and everything else. along with all those changes,
9:34 am
the thieves are changing too. they're figuring it out, how to break into this security. the first one is stop trying to make me remember things to prove i am who i am. because -- [ applause ] >> too many things to remember and by the way, these darn passwords because of security change on a different day of the week. if you're working in a company and you've got nine passwords to change on nine different days and you can't use the same password nine times, which basically means you write it down on a stickie and stick it on the computer, which is the worst form of computer security. the password is gone. it's gone. what they really want is to identify in other ways, and it is going
9:35 am
that direction. the ones look at the heartbeat of you which identify wearing a bracelet and you tap the computer and you're fully live and connected, or you open your car with it and it starts and sets your map to your office, and on the way to dunkin' donuts to buy coffee and pay with your mastercard automatically that's where it's going. that takes away the pain of remembering the password to converting to who you are. i think that will be where this will end up finally. there are challenges of privacy there are challenges of a lot of information about you which you may not want, and those are real topics to be discussed which we began talking outside with our presenter, but the fact is that's the first one. the second one is you can use data and analytics in a clever way and a smart way to create a
9:36 am
safety net. it's one of the things they're launching to be able to protect wrong transactions that come through by them being fraud because of what they are. if you have enough data and enough analytics, you can do a lot with that. that's the second thing going on. the third part is something we launched with a credit union to a number of employees in the silicon valley firms where you'll be able to use a combination of voice biometrics and scans to get telecommunication remotely. if you do those three things together going beyond digital payments which has already been announced. this is the next stage of stuff going on. >> is there really data that is not something that can be discovered? >> so the measure of the data we get is i don't use your name when i get your card. i get a card number, a dollar
9:37 am
value, the transaction and a merchant call. i don't know it's you. but could i, through collaborating with brian or someone else, find a way to try to get back to you? probably. but you chose to have a relationship with bank of america and you took the card. you didn't choose to have a relationship with me. brian chose to use a mastercard. my perspective is play the role with the consumer the consumer chose to have with you. if you chose to have a relationship with the bank or the merchant, you deserve to know it's secure. i don't deserve to know that he does. i'm very clear with where my role is and where his role is, and together we can make a lot of stuff happen, and the merchant community. >> so, brian, the multistakeholder process was used to protect the nist framework, and i think it's been a big success, but i don't think we have multistakeholder engagement going on. i'm concerned that policy debates that affect the digital
9:38 am
economy, including cybersecurity, too often occur in silos. what do you think is the role of the public/private partnership, and how do you break down these silos and who should lead? >> i think nist had a framework, and i think if you look across the industry in our company, you see people who are looking at it and studying it people are adopting it. we're in a phase where we think it's good enough and it gives you a common dialogue. initiatives like that are important and collaboratively important. the thing i agree with you is we make distinctions about large and small, we make distinctions about a critical infrastructure or not, we make distinctions about all that. the answer is everybody is in a tent because they all have access. the university has tremendous computing power that can be used to attack other people, so they have to be in a tent. as does mastercard, as does bank of america. i think the issue of getting everybody in and the information
9:39 am
sharing i think they talked about on a prior panel is very important, and we have to figure out the liability structure and that's to do still as to how you have the liability. that will take a lot of change. think about it. if everybody is in the tent, it's a comprehensive view and then you protect the people who share the people who use the information to use it the right way. you actually can then get that collaboration that will help do it. then you get to the individual consumer behavior, and that's the type of thing ajay talked about, the data and communication and things like that. but i think we're still a long way away from the collaboration we need from the parties. we were better a year ago, better three years ago better five years ago but it's getting pushed around the room and it has to be collaborative. >> where should the collaboration occur? >> i think it should occur with the government because at the
9:40 am
end of the day, a terrific amount of the information is going to be coming through that information cycle, and it's got to occur in things like the financial institutions that ken talked about earlier that we share information, so there could be a private sharing among that, but there is an amount that has to go on outside. also an ability to warn us what's coming and an ability for us to find out what is at us has been used before and can be defused faster. things like that that are very touchy i think are very critical. the government spent the money and they have the authorities of powers and capabilities and they see it across everyone. so i think you have to have the government, although we can do tremendous work as we do in the financial institutions sharing information, but i agree there are still a small amount of stuff that goes into that sharing than the amount of stuff that comes at you. >> the president, as you know put out proposed legislation on
9:41 am
a cybersecurity legislation that addresses the issue of not just notification about data breaches but more importantly, offering up liability protection for corporations that share with the government. and that's one of the debates that we've had is to make sure that there is enough protection so there is meaningful sharing so that we can really collaborate between government and the private sector to address bad actors and bad actions without violating people's privacy. but instead trying to get at the threats. and that's the tricky thing. and it ultimately will take legislation in order to create the kind of protections. >> the example is if someone comes into a bank and tries to
9:42 am
rob it we don't ask a lot of questions about why they're there and everything else, we stop the robbery. to get into issues in cyberspace we start to get into that that we have to think through. it's difficult but if they're bad actors they're bad actors. we don't have to sit there and figure out why. >> so peter, what's the role of insurance in the whole issue of cybersecurity? >> well, i think it's evolving. this is an industry that's been around for a long time, and some things just don't change. i was visiting a business in italy not long ago and i was doing insurance and i saw an industry of policy. we geeks will do all sorts of things for amusement. here was a policy dated 1670 for marine cargo. what was that insurance policy's purpose? it was to reduce the fear of
9:43 am
some merchant exporting to another country. and that has not changed. so when i look at the potential of the use of data to innovate, it's as profound as international trade was back then. and the role of insurance is to mitigate fear, to empower the economy. and to quote fdr, what do we have to fear but fear itself? insurance can, at a margin, mitigate that fear. and today we insure about 20,000 businesses and about 20 million individuals against cyberbreach and identity theft. we've been doing it for about a dozen years. it's still a tiny, tiny business. but through the early learnings from the breaches, the claims, i think that there is a feedback loop of innovation where the insurance industry working together with government can help the adoption of standards, including the nist, to better
9:44 am
secure data. but the concept of insurance as a risk transfer is certainly one part of the role. it's the advisory part, the feedback loop where we choose to insure only people who put in robust controls, only people who have the right corporate culture to put an end-to-end view of where the weakest link in the chain might be in terms of securing their customers' data. >> so part of what you're doing is if i'm running a business, you're helping me do a better job at my own cybersecurity, so then you feel that your risk of loss on your policy is less because i'm a more sophisticated actor? >> absolutely. there are many, many consultants and advisers who are much more technically able than we are on this topic. the difference is we have skin in the game. if you get it wrong, we have to pay. so the nature of our advice is very much in a practical way, what statistically tends to be the result?
9:45 am
and as ajay said, it's often a yellow stickie note with a damn password. it's not that complicated where the vulnerabilities are. getting these simple things right significantly reduces the frequency and severity of loss events, and that's where i think we can really help spread the word and be a catalyst for a more secure data environment. >> is it your perception that as the fear level continues to grow, we've seen what happened at anthem and other major corporations. is it the fact we have insurance that people aren't that worried about it, or do you really feel that there is a new level of fear that needs to be addressed? >> i think that the insurance is still woefully underutilized. i don't think people are becoming complacent because they've got insurance, i think they're complacent because they're not aware. and a lot of people are reassured by their technical
9:46 am
advisers, oh, it's absolutely watertight. but that's maybe watertight in one silo, but it may not be the technology, it's human error that's the problem. so having enterprise risk management that spans silos is the critical ingredient to being secure. >> so if you're running bank of america, you're running mastercard or you're running intel, you have large organizations that manage this. if you're running a medium-sized business and i come to you for insurance, what kind of guidance will i get on how i do this when i don't have the large resources to grow with the challenge? >> to be honest, for these large companies, our ability to provide sufficient capacity for them is really limited, so it really is the smaller, medium companies that we can help most. so we have a lot of on-line training and we have tools which we deliver with our technology partners to provide information sharing on threats.
9:47 am
so it's really making it affordable for smaller companies who have rich data sets. it's very critical to their future, but they don't have the resources to fund all of the security apparatus that a larger firm might have. >> i think the nist framework actually opened that, because by creating different levels of companies based on the low level of sophistication you create a benchmark process that makes it possible for companies smaller than medium to try to live up to the benchmark, makes them impossible to rewrite because of the benchmark. i think that's a critical part of what the framework does. >> i want to get back to the framework in a minute. there is a perceived tension between privacy and cybersecurity. i mean, do you think this is the case and how are you dealing with this? >> well i do think it's the case that a lot of people think that is a tension. i wouldn't agree there actually
9:48 am
is. in my time in the private sector, we saw privacy and security two sides of the same coin. you can't have good privacy without a good security system. you can't have good protection of your data without knowing data is secure. you can't have good cybersecurity if your employees aren't well trained, if you don't have the right practices and principles. we built a great team here that know how to merge those two mindsets and two corporate values. at amazon we call data an issue of customer trust and customer respect. it's about respect for the individual. it's their data, it's their dignity at stake. and this kind of always on always connected world, we are all sharing data. i'm sharing data right now. i'm proud i'm going to get all my fitbit numbers in today, so somewhere in the cloud the computers are watching what i'm doing. i'm incredibly proud of the great work the technology sector
9:49 am
has done on these issues. but we have to know as customers, as citizens, as individuals that our data is going to be protected, it's going to be kept secure, it's going to be treated with the respect when we do business with these communities and it's not going to end up in the hands of the federal government for no purpose at all for a kind of reckless and wanton collection of data. although we respect the fact that there are national security issues and real threats to this country. the whole collection of data in the hands of the federal government is not the solution. i work at this great organization the center for democracy and technology, and we believe there are solutions. there are ways around encryptions, there are ways to de-identify and really protect the data and still achieve the ultimate needs and ends we have to get to for cybersecurity in law enforcement. >> but is there a limit to what
9:50 am
the individual wants by using the data versus the privacy they want of feeling, hey, my device is not giving away my whereabouts or my -- invading my personal space? >> well, i hear that dichotomy a lot. obviously consumer control, individual control, and the control that good companies are already building into their devices, exists and we want customers to take advantage of them. the argument that, well, just because i put all my data on facebook doesn't mean i want any privacy, that's not a legitimate argument. i should have the right to engage in a fully engaged digital self, digital world, without feeling like i should be spied on by my government. >> it's not just the government. you're vulnerable also to folks that are trying to breach all of these folks' businesses to get at information. the other issue is really one about, as i am as a user,
9:51 am
customer and product, and how do you reconcile the fact that my data becomes a product that you're selling, but i'm also a customer. i'm not sure i -- and i know that when you push agree on the button, you've agreed to all of these things. but is that, you know, we don't have an opt-out system. should we have an opt-out system? >> i think it's more than -- the discussion is so much bigger than opt in and opt out. the state of stewardship that i think really good companies like the ones here today are engaging in thinking about the respectful use of information, the legitimate use of information, to serve their customers' needs to create new products. this is part of the ongoing dialogue. i really want to encourage, we're thinking about this issue and people around the world are thinking this is no longer property rights, my data is something i can barter and sell and trade. although the companies have legitimate interest in them and we want to engage in this fully digital world.
9:52 am
but we're thinking about this in terms of the digital self. this is part of me. latin americans have the concept of habeas data, my data myself. i think this is the way we need to start thinking about data transactions in the digital world. this is about my individual space in the online world. i choose to be there. i choose to communicate. i choose to transact. but at the end of the day this is my personal data. some of the most intimate data flowing through the systems of these great companies now, and it should be protected. >> so i want to return to the issue of the framework and ask you, maybe starting with brian, do you use the nist framework and how do you use it and is it helpful to your company? >> as i said earlier, my observations are colleagues and institutions are people at different levels, some sort of figuring out, and we're sort of in the implementation on a framework which helps us think through some of the management practices, going to the
9:53 am
commentary that ajay had earlier. i think people use it because people are looking for -- especially boards of directors are looking for frameworks of how to deal with companies. and interestingly enough, last week, the board giving my review and it's not that we're not good at cybersecurity. that's the process where they can remain engaged without getting into the details about what's going on and frameworks using this as a series of principles and how you think about things are things that you can then use to say, okay, if you do this you ought to be covering enough but let the professionals really do the work. you know, on a day-to-day, hand-to-hand combat stuff. my observations, people are adopting it, people are using it. and people continue to look for ways to say, am i doing this well enough that peter's company will insure me? that i can protect myself and i've done the industry standard in some court of law or some proceeding or regulatory proceeding. that benchmark you get when you get the common frameworks is good.
9:54 am
>> peter do you have a thought on this? >> well, we've helped contribute to the development of the naic, and so we certainly believe in the effectiveness of the ideas there. they're a great foundation, a necessary but not sufficient condition. i think that an important element that we have implemented for ourselves is the appointment of a chief technology risk officer reporting to the enterprise chief risk officer as opposed to being part of a technology organization. because i do think that sitting within technology, you can't help being co-opted by your own procedures. so this provides some objectivity that looks across the organization at the weakest link in the chain. and we also incorporate the nist framework in the underwriting questions that we pose to our potential insured. so we hope through that that's going to really create some standardization, some
9:55 am
benchmarking, as ajay said. >> ajay and peter do you think we need framework 2.0? >> absolutely and three, and four and five. it's going to have to be iterative. >> evolving all the time. you have a risk road map and you have created what i would call a storm for everyone who talks the same language. where a little while ago in cybersecurity we were not all talking similar language. it's a really good first step but if we sit on this right now the other guys are moving way too fast. the guys you're trying to protect from are moving every day. every minute. right now there are people trying to hack into our companies. right now. and one of those idiots might succeed. that's the fearful part. and what you have to be careful of is that you are being able to stay agile enough to protect yourself, and not think that there's one framework to solve every piece. >> that's the overall issue, is that with just a number of agencies and internal parties, external parties, these things
9:56 am
moving very quickly. and so where on the real cyber threat attack transactional fraud, information stuff like that, is sharing information has to move at a pace, and the dialogue has to move it is a bit different than you can think harder about the use of information as a company having date stay and we're stewards of data and we take it very seriously. that's something we can think about awhile and make sure we kind of get it right. the reality is with the amount of hacks going on, intrusions and phishing we've got to be able to move fast. no framework can keep up with that. but the concept of forcing and sharing of dialogue will. >> i have begun to talk about there is in the way that likens it to the development of the road infrastructure in the country. it is a public collaboration. we built roads this one, interstate, that one the parkway, that one you can't go through. here's how you turn, there's where you don't go. that's where the speed limit is.
9:57 am
here's where you get the license. and there's law enforcement. our new digital super highway is going to need some rules of the road, with no pun intended, and the rules of the road are going to evolve as the quality of the cars and the trucks and the methods of moving keep improving. and private sector should feel free to innovate as much as it wants on designing the cooler car and a cooler truck and a car that listens to peter's voice and starts playing, you know, the music that he likes. that's fine. but it's got to have four wheels and move with a certain set of safety rules, driven by a driver with a license. and preferably not 51 different rules for 51 different states but a federal license would have been great. now do you think about it. right? this is all history. we have a chance to do this the right way. if you learn from all that we did in the physical infrastructure, and that's my only point. to do that then nist 1.0 is the beginning of nist 2.0 and 3.0
9:58 am
and -- >> right. it should be evolving. >> many others. >> i think it's an interesting analogy on this pace of version release in other areas in driving regulations, and building regulations. both of which we watch closely. and in superstorm sandy, we had to pay over $2 billion of claims to businesses and infrastructure that got damaged. and there had been a flood in the same area 40 years ago, and the building code changed about 2007, about 22 years after the first flood, and to move mechanicals from the basement above the flood line, and underwriting guidelines can change much more rapidly than the regulations can. so we can perform an interesting bridging role between version releases. to feed back the learning and the constant litany of daily claims. we have claims every day that teach us something. >> well, in fairness, we're not
9:59 am
-- government is not getting that kind of daily feedback loop. but we can get the feedback loop from you and then revise the frameworks. >> exactly. >> knowing that the adoption right now we're focused very much on adoption because as soon as we can have, using as you said the rosetta stone the same language where it becomes ubiquitous then you begin to say what are the rules and regulations that ought to exist there. how do you judge the return on investment of your cyber investments? is this an unlimited pool of money that needs to be thrown at this problem? how do you know you're doing the right amount? >> i don't think any of us is doing enough. the guys at the other end are doing much more than all of us do. if you're a bad actor at the other end is the mafia group versus a young kid versus the state government. none of us can spend enough money individually. that's why this public/private partnership is so important.
10:00 am
the federal government and resources that are used in many different aspects that we could benefit from and we could benefit from innovation of what the federal government could do. i don't think any of us spend enough. so there's no way to say i'm actually spending enough. i don't sell digits i sell a global network that people use because they rely on security and safety. how much money is enough to protect that? i don't know. >> as i mentioned -- people ask this question, there's 230,000 people in our company and i can any day know exactly where every one of them is and how much they cost and everything else. the one thing i never ask is the group that protects us, what they're going to spend because at the end of the day they have to spend what is done because the rest of the company doesn't operate if you have a problem. so is it a lot of money? is there a return on it? yeah, we're open today and we're operating and we're protecting our customers' data. we're protecting the financial services system. we're protecting trust in the public and the financial services system. if we lose the confidence in the mobile phone we don't have people to actually process the
10:01 am
transactions that go through that device today. we have to go back and hire 50,000 people probably to do it. so how much do you spend for that? it's really not something that you can sit there and say, okay, if i spend a dollar, get $1.50 in return. you say i spend it because it's the whole infrastructure. >> renee i have a question for you, changing the subject a little bit. the intel commercials about scientists and about technicians are just some of my favorite, and we, the skilled workforce is a priority of the department of commerce. what do we need to do? how do we train people to fill the open cybersecurity jobs? what are the good ideas? how can you help us inspire people to be interested in this area? >> thank you, madam secretary, for the easy question. i was going to tell you how we implemented the framework and i was so excited. >> well, you can tell us that, too. >> exactly, then i'll have background and stats and half of them are going to be women. so, before i go into that --
10:02 am
[ applause ] >> before i go into that, i want to -- >> we have to remember we have students here. >> exactly. i want to inspire them. we have jobs for you. please stay in the computer science department. like the gentleman on the stage is talking, both we're all intellectual property companies in the end, and so we have all collaborated on the framework and ajay talked about this a lot. one of the things that i think uniquely we're all in different phases of using the framework and the common language is super important. we published a white paper because we're actually through the other end of an implementation of it which i think can be a blueprint for others so i wanted to put that out there so other people knew that we, this week, published you know what actually we did with our seven-month journey, and how it worked, and the framework. and the other thing we've done that i'm very proud of the team for doing is we wrote into our
10:03 am
supplier agreement on a going forward basis and we have a supplier network as you can imagine, 7,000 suppliers around the globe that we want them to consider the framework and all of the extensive intel that's the first step on the journey of needing to implement the framework. separately we'll probably work with our insurers. on the topic which is a very, very serious topic if you look forward for how people use technology and information certainly with analytics and new business opportunities, we need to continue on our journey on s.t.e.m. education and increasing the capabilities in math and science. you know you hear everybody say it. we all say it. we're not making enough progress. so, we are doing our part. i know bank of america is doing their part. mastercard, aig, we're all doing our part. but as a collective we do need to have even more dialogue and probably more partnership with
10:04 am
the government on this. this is a serious issue. and it will become a competitive issue for us. >> is this about deciding that i want to be in computer science in fifth grade or fourth grade? or is this something i can recover from if i'm 16 or 18 or 20? >> i think there's varying opinions on that and i welcome the other panelists' point of view. but what our -- you know, what the data has suggested is that if you don't have the right math and science education from k through 12 and especially through, you know, high school and in the early -- you know, if you don't go to college, if you don't have that basic math and science foundation, it's hard to recover from. you don't have to be a computer scientist, but the basic analytical skill, you're going to need. and so we spent a lot of our intel teach which has been a 25-year foundational effort and intel on teaching in the classroom as part of our community effort. we send our own engineers out to
10:05 am
teach k through 12 and to really teach teachers how to be better math and science teachers, and also teach classes as part of their community service. and i think we're just -- we just have to continue to extend and extend and really get focused. we also know that math diversity is one of the big initiatives for me, but we know that young girls drop out in middle school for math and science. that's the other big focus area for us. you know, half of the workforce, we need to keep them interested in math and science. let them know that they're cool jobs. they're not boring jobs. you know. that kind of thing. >> one of the things i've often thought about, and this is a question for all of you, is how do we make it real at a young age for how cool these jobs are? what can you do? and that do i have to be, you know, the a-plus math student throughout high school you know and have taken college
10:06 am
math at 16 in order to be eligible? i mean, i think there's too much ambiguity about what does it take to be eligible. and i also think there's not enough of a collaborative process or -- i mean we go and we lecture to women and young girls. but the question is can they really feel that this is a fun thing as a group as seventh or eighth grader that i want to be a participant in? and how do we make more of that happen so that it's not i'm the outlier in my group doing this? and i'm more the norm. >> i'm living the dream as a mother of a middle school girl and a junior high school girl and an elementary school girl. and you're right, there's all this data around k through 12 education. i was also a teacher before i went to law school. but there's also the societal kind of attitudes around what's cool and getting your kids into coding camps and coding class and my friend cameron who runs code.org trying to get coding