tv Key Capitol Hill Hearings CSPAN February 28, 2015 7:00am-8:01am EST
7:00 am
line including two to microsoft's dismay they publicly released an issue just two days before microsoft was going to fix it. so you know, 90 days and fixing one kind of thing is fundamentally incompatible with fixing a design problem that took 13 months to fix right. so there has actually been activity in that space now, and google updated their policy just last week because of the recognition that there is a harder class of problems. >> so for 13 months you were able to disclose this -- this is interesting -- sometimes the best thing to do with information sharing is to keep a secret. and in this case after, to their credit, they handled this
7:01 am
fantastic. we are lucky that this turned out to be a microsoft problem because they had a sophisticated incident response security program, and so it was their mistake 15 years ago, but the people that handled it now were the right people and we are all very lucky. but they immediately bought it and there was no convincing them that this was serious. that took three e-mails. they worked on it very hard for a year. the best thing to do was to give them the runway to fix it right. the worst thing to do would have been to put an arbitrary deadline in front of them and tell them to fix it fast. in this case there were not ways to fix it fast, so that would have been sidetracking to the detriment of the end security goal. so in this case the best way to share information was to give the vendor the runway to fix it and to keep it secret.
7:02 am
>> but that is hard and interesting because keeping the secret, especially for 13 months, is hard. but we actually discovered this issue under contract with a third party, so that made it even more interesting. fortunately, the third party happened to be icann, the internet corporation for assigned names and numbers. they are a 501(c)(3) do-good organization so they were cooperative, but if it had been a commercial client, they may have been less willing to give microsoft the runway to do what they needed to do. making it even worse, we had to release an interim report saying that we were sitting on a secret for a year in wait for the second report. so, you know, we couldn't sit on it for a year and not tell anybody. it became very interesting. but my takeaway from this, first of all, when we think about information sharing we have to think about former abilities and
7:03 am
-- vulnerabilities and financial disclosure and how all of that works. but hard questions, and we grappled with all these questions for the last year. first, who do you tell? you tell the vendor, but who else do you tell? there can be an argument that you tell the government. the government is kind of a big place. when you look at an international footprint then you get into which government? in some governments, the emergency response teams are somewhat indistinguishable from the foreign service intelligence. so then you run into that series of problems. you run into the problem of the offensive versus defense applications. everybody wants to use this knowledge for different reasons. some people want to use it for defense purposes and some people don't. you run into the problem of the economic vulnerability. so we have no money for this. and that's okay.
7:04 am
one of my employees actually said this whole thing working out the way that it did basically depended on us not being rational actors, rational economic actors, because we worked hard, because we had to tell people that we were sitting on it for a year, and of course we were contacted by people that you would characterize as in the vulnerability business. and in fact we are going to run out of basic patriots that are not motivated by money long before we run out of bugs. >> this would have been seven figures, right? >> i don't know, but it probably would have been a lot. it's a hard problem and it isn't going away. when we think about information sharing we need to think about this issue as well.
7:05 am
>> by the way, you can tell the hobbies of the different people that are up here. he's policy through and through and uses policy language. mark is a nerd and jeff is a pilot, so make sure to get him runway. give him runway. [laughter] >> i have a couple questions, but why don't we start, and i will look around for the audience; if anyone wants to grab my eye, i can start -- i started over here, number one, and then we will go to the back for number two. the microphone is coming around. in the interim i will say hello to my nephew that's watching. >> andrew from the dhs office of policy. question following the conversation from the cyber security summit on the panel with secretary johnson. with regards to the type of information that they are receiving, with regards to 85% of
7:06 am
american express's being what they pay for from the vendors and 4% from the isao and 1% from government, and i want the reaction to that breakdown. you know, how much of that needs to be increased? what types are we getting? >> that's fascinating. out of all that we see in a year that we get 4% of the signatures from the isac and from the government. you are nodding the most. >> i concur. that's an amazing statistic because it would seem like it would be the other way around, that they should get most of the information from the federal government or other sharing organizations. but it also points to the source, that a lot of the organizations themselves share among themselves without having to go to a higher authority or some other authority looking for problems that they can tell you about. this has long been recognized, even before there was a dhs,
7:07 am
most of the information we knew about ourselves is known by ourselves and we don't have to wait for someone to tell us the obvious; we can just begin to look for it. the question then is how do you tell others. if american express finds a problem, can they, should they, will they tell their competitor, much less the federal government? that's part of the quandary, and i know this is part of what you are trying to help break down, some of those barriers, so that we can do more of the private to private, competitor to competitor type of sharing for the good of all. >> i would love to know how many they then shared with the isac. i used to be the vice chairman and we were trying to figure out how we could get devices from our own devices into different banks; that way we could collect information. and it literally struck me -- i tried to back our way out of that because the information was already in certain places.
7:08 am
the information was pooling in verizon and microsoft, and so we don't actually need additional devices. we need to find out where the information is already pooling and write that -- mpt, did you want to jump in on this one? >> i think there's a lot of ways information comes in and it's hard to know what the origin of it is, and that is one thing we are trying to get more information on. you get information directly that came from another bank and it could also be from the government and they are getting the information from the fs-isac. it's hard to know how the numbers work out. we need to do more research to try to figure out exactly where information comes from and get to the point raised earlier on what is the most actionable information; quantity doesn't necessarily mean quality. >> 1% was the most classified.
7:09 am
>> it can be completely useless. we need to focus the efforts. we don't know the answer to that question. it's a great metric. if someone actually has measured and parsed it, i think it would be interesting to try to draw the cost, to say what are the resources that are the most voluminous information and what are the most effective. that would be interesting and i wonder if we could get some money on that, further studies, and take a look at that. next we are going to go into the back. >> this is an inherently international domain. and jeff mentioned the international dimension but
7:10 am
there hasn't been much discussion of how the policy develops when you put it in the international frame. particularly if you agree that sharing from the private sector to the private sector is what this is about, that can even involve national companies, and when you make the national security clearance an important part of sharing, how does that affect the ability to quickly share the information? i would be interested in the panel's views on how the policy debate will go forward on the international complex. >> how is this working? does this start with the others -- >> i think that the eo by its nature is designed to be international. the focus on the part about the standards body.
7:11 am
one of the main reasons to have it be a nonprofit organization that is worked with to set up the standards that become the basis for folks for new information sharing organizations to come up is because it's really not focused on boundaries in any way. any company can join those organizations. you have international standards. we have standards bodies set up and working across borders today. we hope this will be a consensus, private sector led body that will get at some of the international issues. >> it's one thing that struck me about the british sharing. it seems the u.s. first started in sectors and now is loosening up a bit. and there it seems to be everyone come join, instead of keeping it
7:12 am
small and trusted; it seemed like it has been much broader and people can just come and join the party. >> history is always a good instructor. jay and i were together back in 1999, if you remember good old y2k, which we all have largely forgotten about. >> look it up, kids. >> summer of '99 was an interesting time because we were in the military at the joint task force and worried about foreign adversaries. we looked at it as being a completely technical problem. but that summer one of our colleagues raised the point about wouldn't the attack community want to use it as a vector to get into machines and cause havoc and make it look like a y2k bug problem? that was raised as an issue and we held an international
7:13 am
conference of which 95% of the attendees were from the united states, but because we had it in london it was known as an international conference. that's how we work here in washington. >> i didn't get invited to it. >> it was a week of admiring the problems from all sorts of different directions. what emerged was an international follow-the-sun model. it works out nice: europe and africa tend to be in one slice; the united states, south america, central america in another; and then asia, so think china, japan, australia, that world tends to be in a slice. we were there at this international conference and we built a follow-the-sun model with the internet at large as we move through. that laid the groundwork for what
7:14 am
today is a strong international effort in the computer emergency response team world that even today is very strong. they meet physically as well as virtually. the model has been replicated worldwide in other sector-based sharing. the international piece is a very mature, very well driven thing. the big takeaway is it came down to individuals recognizing they needed to build this partnership, this 24-hour cycle. those individuals took the effort to make it work. from there sprang forth fantastic organizations, but it boiled down to people recognizing that information shared is the most powerful building. there are other barriers that we can break down with legislation,
7:15 am
but it really is about people who can do something about the problem. the international, domestic, local, regional. >> the global side of this presents an interesting historical problem. many of the companies are multinational companies. so one of the historical problems of information sharing has become how i share this information internally given different organizations. i might have citizens of countries that don't play well with others. all sorts of things, challenges that we have been facing since we started sharing information. you have to hold the secret that
7:16 am
one of the problems is when you get classified information, what can you do with it? i have to hold it secret because it is classified and that means i cannot action it. one of the facets is how i deal with international borders. >> and i know the financial services have been expanding out into europe and asia; many people have us security clearances and the interesting thing is to see how we can copy it to look at the model. in your opinion, has this international sharing potentially been hit either by the snowden revelations or what nsa had been up to or by the resulting sovereignty laws?
7:17 am
if information can't leave europe or wherever, does that automatically by definition hinder the multinational information sharing? >> i think the key is the rules. that is part of the reason that we have emphasized this set of concerns. if we make sure we have the information we need for the purpose it is being used for, for that cyber threat, what is the reason we are sharing it, and privacy controls over it and oversight mechanism controls for it, i think people feel more comfortable internationally than they do with people using all sorts of different definitions and pouring information out without the thought of privacy on the other side. the key is in terms of making sure we are sharing information we need and have the mechanisms for privacy. >> one of my favorite moments at
7:18 am
the summit -- or amongst my favorite moments -- was mentioned here today about wanting to get practical. let's get down to: we want to share this with these people. what are the impediments to get from here to here? amongst my favorite moments last week was a panel on sharing. she has been in the committee for years, associated with the electronic frontier foundation and others, and said: i have my friends that work on signatures come sit down and show me the different ways that they share the signatures. i saw nothing that impinged on privacy in any one of those things that they showed me, which is just a powerful example. if we say we're going to share
7:19 am
stuff, it brings up what i think are very understandable and automatic antibodies, and here is someone that is fully on that side saying i don't see a problem. i really like that as an aspect and hopefully we can do more. >> other plans -- are you going to issue an rfp? >> we will do a request for information and that will get a number of questions out there and that will give us a sense. the plan is to work with the community to make sure the rfp is aimed at what folks want to see. i'm sure privacy will be part of that discussion. >> i have been waiting to ask the question. i get a lot of questions from
7:20 am
critics on the focus on information sharing. something they bring up a lot is: would sharing have actually helped sony, anthem, home depot, target, jp morgan? so i am looking at what sharing would have helped, and if not, what else can we be looking at now that we are starting to get sharing under our belt? >> it depends. >> how long have you been in the beltway? >> we get this down. it's an absolutely fair question and something we always ask. but for what, and certainly knowledge that the bad actors we are targeting, could somebody -- we went through this drill with
7:21 am
september 11. what did we know before it happened that we could have told others about, integrated, shared? armchair quarterbacking is what we are good at. i don't know that even if they had perfect knowledge that individuals would have taken proper action and would have known what to do, because that boils down to the individuals being key, and even if information is put in front of them, would they even recognize the threat and see it as a problem? could someone else see it without full context and sound the alarm? again, you can armchair quarterback this to death and there is no correct answer. >> i think looking at the framework in some ways is a better discussion to have. the companies figure out where they were vulnerable. taking a look at that and trying to figure out if that would have helped.
7:22 am
information can help feed into and address those issues, but it is almost a better thing to say what kind of risk modeling and management did they do in advance before they got hit, as opposed to if they had had this one piece of information. >> and we talk about these unknowns. it is right there in front of you and you don't recognize it. that is an education piece. how can we train a workforce that can recognize these things? this is another piece being worked on. none of these things stand independent of each other. there is no silver bullet that fixes cyber security, and all of these initiatives interrelate and have to in order to move the ball forward. >> my answer is i probably would diverge. but it is a funny thing, many
7:23 am
information -- security risks stem from preparing for the wrong adversary or not understanding the adversary, or thinking you have a different adversary than you actually have. in that -- you can make the argument that many of those companies were not prepared for the adversary they actually had. they were prepared for the adversary reading from the pci compliance manual, not the one that wanted to embarrass them or do whatever. so i think as we move up the stack, so to speak, in our information sharing -- so information sharing right now is a lot about tools and signatures and things like that, but what we're talking about right now is moving up the stack to threat actors, motivations, capabilities. as we move up the stack and understand the kind of actors out there, what motivates them, what capabilities they have, who they
7:24 am
might be interested in targeting and why, that sort of information sharing, had that existed several years ago, it may have actually helped someone like an anthem realize that there are different sorts of people out there. >> and i know our board director, if she were here she would be pitching the basic cyber security controls. >> once you figure out the risks. >> so if anyone has questions, please catch my eye. i did want -- cisco has been helpful as we were putting this together. i wanted to tip my hat to them. firstly we will start over here.
7:25 am
sean linkous with as ew. can you comment on the decision by the top tech companies -- what does it say about the white house relationship with industry when it comes to information sharing? >> that was completely overblown. the people at the summit know the tech companies were there. the main panels we set up were designed to have a wide range of folks from different industries involved. we had a couple tech people on the panel. the one keynote was from a major tech company, and then we had all four of the major companies mentioned in these articles saying that they did not attend; we had all their chief information security officers there. i think it was a bit overblown in terms of their participation at the summit. the goal of the summit was to try to talk about cyber security
7:26 am
in a way that addressed what consumers were thinking about, which means health companies, financial companies, retail companies. tech companies obviously play a role in that, too. in terms of the breadth of what we are looking at for the summit, we felt like we had the companies in the room that we needed. >> you were aiming to get specific commitments from companies, and the fact sheet from the white house. you obviously -- this won't be a success unless you get further commitments. what is your action plan to get even more commitments online? more trips to san francisco? >> that's the interesting thing, is getting folks to make commitments. we use it as well. that is what the executive order is. the other work that we do.
7:27 am
we make a commitment to the companies that make a commitment to us. that is a big key to get commitments. we have a number of policies rolling out down the road, and we will use that to get more folks on board with some of these issues. i was pleased with how many companies said they are using the cyber security framework, and with the companies like intel or bank of america who are now saying that they are using it. they are requiring it of their vendors on the contracts. that is great news. that shows that the market -- and you have insurance companies saying they are requiring it of their policy holders. that is going to make the cyber security framework a success in a way that we are not requiring it. it is the marketplace that is requiring it. >> and so you said the policies you are working on now. >> you know, who knew that these would be out now. we're just working on the
7:28 am
calendar to try to move forward. we talked about the areas where we still have barriers. i think there are several events that happened at the same time. certainly the sony one got a lot of people's attention. >> i am sure the president wanted to sign this one so he could release it around the same time we did our paper. >> arnold abraham with the institute for defense analyses. i have a question. i am a little surprised about the emphasis on security clearances. i spent time with the department of homeland security. we looked at the sharing of threat information with local police departments. over 10,000 local police departments in this country. a lot of people were pushing. we said at that time that that was not the answer.
7:29 am
jay and marcus, with your time in the private sector after being in government, do you think an emphasis on security clearances is a proper, effective answer or not? >> i will take a quick stab. >> and then i am going to go to jeffrey. >> the security clearance thing is a bar that sometimes we cannot meet. particularly if we have a smart person who might not have a clearable background, how do we get them on the team, if the only people must have top security clearances? this is a new question that we have not had to ponder before. in an earlier era we could focus on those who had the proper background, but now we need the brainpower of those who might not have had that clean background. the bigger question is how much of what the federal government knows has to be classified. that is really where we are going.
7:30 am
if the federal government comes up with something that needs to be shared, one of our many frustrations is they will pull in a private sector individual and brief that individual, but that individual can't take action because you have been told a government secret and sworn to secrecy. you can't walk out the door with that. so frequently we will say, what is the tear line? and that means if you have something classified, here is what is unclassified. you tear it off and pass it along. so we will ask. the answer comes back hours, days, weeks later, rather than when the information is first prepared it includes a line right up front. so prepare it with the information that can be made public, minus the sources and methods and things, which begs the question
7:31 am
why not take the tear line and set it in front of industry so we can do things? this is a process problem, nothing more, and something we must work through collaboratively, improving the speed of information coming at us that has been previously classified. you guys have done a lot. we have seen remarkable changes in washington in terms of streamlining. there is certainly a long way to go, but the steps are being taken in the right direction. >> i would second that. the most frustrating thing for quite a while has been you clear one individual at a private sector organization and he or she cannot do anything with it, which becomes a struggle. to answer your question, clearances are valuable. some things should be cleared. >> classified. >> of course. some things should be classified, but there is a balance.
7:32 am
i don't think anyone would argue that there is a tendency to over-classify. there is value. i think we are moving in the right direction. >> we are not going to clear our way out of the problem. we need more information out in an unclassified way. dhs is working hard on that. however, there will still be analysis that will be classified, and more companies want that than currently have the information, so we need to address it. >> sometimes the clearance just gets you into the room even if it is not the information. but if you look at a lot of the cyber conflict we have been through, that was very clear.
7:33 am
the amount of intelligence they gather -- to me, if the bad guys are releasing their attacks over the internet, that makes them -- it doesn't matter if we collected it through a satellite, through whatever, it doesn't matter. it's on the internet. they're not going to suspect we have some sneaky signals intelligence. they put it on the internet. to me, unless we were in their system and taking it and figuring out the signature, then we have plausible deniability. i agree with the panelists. i learned a lot of my trade. you always try to lower your cost of control. you go to the cheapest control
7:34 am
that will get you to your desired outcome, and clearances are really expensive, high cost. anytime they hear someone say we're going to deploy something, there is probably a better way to get it. >> this really follows on, i think, i hope. are there companies that you would not want to see participating? this is a state-owned enterprise, say, that may have large -- clearances is one way in which you would say no. i would like you to help me understand how much information
7:35 am
sharing is in this isac. >> i'm going to pull this apart in a couple of different ways. you deal with big telecommunications providers, some of which are in countries the us may or may not have good relations with. i am very interested in, on the company to company basis, how that goes. and then when we are looking at how it works when we say all right, let's bring in kaspersky or let's work with these companies, with big chinese banks or the rest. >> a great question. for a sector-based one, we are sector centric and you are generally in that sector. so the water isac is water companies and the energy isac is energy. it wouldn't make sense for wal-mart to join the airline isac.
7:36 am
it is just not what they do; you see where i'm going. like companies form an information sharing organization that is sector centric. we also see sharing organizations that are not isacs. he talks about one group that emerged. we start to see warms and things happening, international and oriented on individuals vetted by other individuals. in order to join, somebody has to nominate you as an individual and then you are vetted by others as being trustworthy. these trust groups are very powerful. it's almost like the movie series of survivor; you can be voted off the island if you are
7:37 am
untrustworthy. these groups make their own rules. >> they are sector specific. they need to share sector specific information and there is a formality to that. they will still be there. >> someone asked the question. >> it is good to get the clarity, and a lot of it is based on what you can bring to the table. are you a player? are you a contributor? can you pull a lever, do something, action on the information being shared? each of the groups will have to write their own rules. how can you build a group of sharing individuals? how can you learn from previous groups that have gone through the process so you can increase
7:38 am
the amount of sharing going on and still keep the trust and privacy and the things we feel must be in place in order for rapid sharing to happen? >> and the us government to five. >> let's take. >> the way the executive order is going to work, there will be an rfp and the standards group formed just for that, standards. trust is the currency. if there are elements, people that join, which cause people to not trust it, it will not be sharing much information and it will fall apart. we have seen it happen. in fact, i worked in something that became the anti-spyware coalition. prior to that there was another group that was run and people did not trust it. we came up with our own standards of selecting who the
7:39 am
membership was and what the roles were for it. we were not sharing threat information but discussing definitions that became the basis. it is the same type of thing, how you go about building trust and keeping it. they can pop up. you can have two or three. >> i wish i remembered. the anti-spyware coalition is a great example of what we are talking about: a clear goal. we want to take spyware out of the system. who do we need to include? and that is what i love. focus on the outcome. sharing is a supporting part of the process but doesn't necessarily drive the process. i wish we had more space to explore this. the net supplier of cyber
7:40 am
security information and net consumers of cyber security information, and most companies are on the downstream. they have the demand for cyber security information, but a lot of the companies are here: palo alto, symantec, microsoft. they are the overall suppliers of information. and they love to look at these more market-based solutions. i am one of those people that thinks that is a place for the market. if supply and demand don't match up, then what can you do to get the market there? we have a couple hands joining in there. we will come over here. >> chief security officer. two things. i think we should be careful not to be overly critical of the framework.
7:41 am
a number of companies don't quite understand, but it is clear the value as a risk analytic tool for global organizations and a translation engine so that global companies can compare apples to apples and contrast apples and oranges for their global operations and suppliers. secondly, i ask how we are leveraging the examples given earlier regarding the defense industrial base framework agreement being expanded across the critical infrastructure for closed mou information sharing, and the training alliance for sharing among the major banks. how well are we leveraging those to strengthen information sharing? >> using the framework. >> we use the framework as one
7:42 am
of the risk analysis tools for understanding global operations and suppliers. >> thank you very much. so i mean, michael talked about those concepts. i don't know if i can go into more detail. certainly in terms of expanding, we think it was successful in getting information out to those who need it. >> can you explain in 30 seconds? >> we have a set of signatures out there that can be used. the defense industrial base contractors, getting to them the signatures so that they can use it to protect themselves in a way that they don't even necessarily need to bring it to an individual company. it can be used to help protect them. we have a similar set of efforts
7:43 am
going beyond critical infrastructure. it has been more difficult to get the other sectors to spread the news to use the same set of standards that we are planning on trying to get out in a more comprehensive way in the future. folks should look at how we go about expanding that. >> i will take the last two questions from the audience. this gentleman here. >> hi. thanks. head of the cyber threat intelligence information sharing ecosystem project. you hit the nail on the head; in a town where money is the answer, what is the question? there are net producers of information and net consumers
7:44 am
of information and there is a bit of an air of, we will do all the work, the government, we will set up these information sharing groups, yet economically it does not make economic sense no matter how much government might say you really should share. is there kind of a focus on helping out or recognizing that there is a reason why verizon has services that people pay for, symantec has services that people pay for, and so on? >> i'll start to get us warmed up. it is too bad. we try to keep our panel limited. there are a couple of other folks we would love to have on the panel. we would have loved to have someone from the hill to talk,
7:45 am
but also someone involved in one of the companies that is set up to facilitate sharing, identifying the space. red sky alliance has been in this business, and it would have been interesting to hear how they dive into this. you can look at crowd strike in releasing the information as part of identifying the market need. and a targeted question which surprised me a little bit. when it comes to these, crowd strike. it mentioned crowd strike could set up one. that is interesting. that really bends the model. >> and that is what i imagine. it is not the system you think of. an individual company could
7:46 am
become. in the short term the advantage of that is that becoming they are saying, we follow a certain set of standards. once the rfp is out there the standards body is formed and there is a baseline. general counsel knows what they are getting into. so by automating it people can feel more comfortable because they know what it means. that is useful. obviously our legislative proposal has this other hook which says you get liability protection if you self assert so
7:47 am
that gives obviously another real advantage there. and then you might start seeing individual companies start saying, so we are sharing with other individual companies, they are following these rules, and then you get liability protection in place for that. then you see different companies in different sectors. i think that level of complexity and change will affect the way people think about it but it is useful for expanding the discussion in building trust. and getting rid of friction when people say i want to share information and then it turns out you have to get all of these lawyers to sign off and you have to get all of the other lawyers to sign off and say what they are doing and answer questions when there is no basic set of questions to ask each other. >> this is going to be interesting. we continue to move up the stack.
7:48 am
if you look at the last 20 years the private sector intelligence has been largely antivirus vendors. going out and finding the signatures and publishing that as a part of the product. as we move up the stack and get more information and more interested in who is doing what and why and capabilities and that sort of thing, i think that the things that private sector intelligence organizations can do and the things the government can offer will become more interesting, more dynamic. and like anything there will be value in both. there will be certain information from one and certain information from the other. >> let me also add, we have an audience of thinkers. we are searching for something
7:49 am
as an analogy for cyber space. and often the one that comes up is the weather system. we think because the weather system, where is the snow? we can see something different, expecting something else. we think cyber works the same way. there are predictive mechanisms. we can put sensors out. there is truth, all we have to do is look at it and we will see the truth. that's not how cyber space works. we unfortunately get caught up in analogies where we think that because it is something like what we see in the natural system it ought to behave like that. when the sun comes out in seattle people stop what they are doing and run outside. when the sun comes out in miami they are like, this is too hot. almost a different reaction.
7:50 am
in the private sector world there is information that private companies can gather through their observations of what they see in cyberspace. that is information they have developed, sense, can market and sell. there are things that the government sees that might be more public in nature. i think it all works together. there is plenty of room for the public side to infer and see things, plenty of space for the private sector to infer, analyze, sell the information, but this is the think -- the thinking question, what is the model that we are using here? it's not atmospherics. that is what we like to look at. we need to develop a new model that comes together with this magical thing we call
7:51 am
information sharing where we all do what we are best at and amplify what the private sector can do. maybe your think tank can answer that question. >> especially the funding. okay. last question. >> hi. the department of defense. one of the lessons we learned: the government signatures were not necessarily as valuable for the industry as we thought that they would be. ... differences in vectors that come to industry and i wonder if you have seen different vectors in different sectors so that there is no one size fits all.
7:52 am
certainly there are some, but in other cases they are not. >> i think, i mean, yes and no, or it depends. the vectors, there is a short list of low hanging fruit that works pretty much anywhere. your basic vulnerability suites, social engineering, spear phishing has become shockingly effective in the last couple of years. i don't know why we haven't solved that one yet. we don't seem to have. in that way we are all kind of the same no matter what industry: what you are doing, what your line of interest is. but from there it all changes. from there it is then who and why. is your objective to embarrass,
7:53 am
exfiltrate, steal and then based upon your sector and what your business looks like. but the initial vector, even if you look, they have been reasonably foreseeable hazards. >> from that perspective the frustration was with the signatures, all threats come from the network and can be detected by this wall that we put up and if we can put the right cards in place with the right filters we can make the bad go away. the threats come from all over the place, and they are holistic they are looking not just at the network devices but people and environment, everything around them. that is where the pilot showed that the process can work. can we share? yes. can we get to the legal pieces?
7:54 am
yes. back to the original thesis, can we do something with it or just sharing? i think that is the biggest lesson we're taking away. what do you share, what do we do with it? how do we action on it? they've been doing pretty well and learning as we go along what we share amongst ourselves so we can action on it. >> i will come to you gentlemen for a last one minute comment. in closing, our next cyber risk wednesday will be on march 18, releasing a report we have done. >> the 13th and 14th of march we are holding our cyber student challenge. there are different competitions
7:55 am
for university students. ours is the only one for policy students to come in and say, as if they are advising lisa monaco at the national security conference after a major cyber attack, to give real national security advice. the 13th and 14th of march, looking for sponsorship positions. let's turn to final thoughts. >> in general like many problems in cyber security policy today it's really a collective action policy.
7:56 am
so we need folks here from all the different places moving these things forward at the same time. think about it. we want to know what you're thinking. i wish we could explore this more. i would love to get behavioral economists on this. the short-term, there is a good chance i will get yelled at even though i know it is collective action. to me this is such a nudge problem. this is such a behavioral economics problem. i would love to see more of it in the field. >> i think you hit very close to the conundrum we have. our sons and daughters, we tell them in preschool to share. when they grow up and get on social media they don't share.
7:57 am
keep things private and then they become adults. you are supposed to share. we have to work through this culture. what is sharing? and a think tank is a perfect area. what does it mean to share in this highly connected world where we are socially connected in a way that humanity has never done. what should we know about each other, about bad things, good things. leverage the social media, the crowd sourcing and new tools coming out of silicon valley. we were out there last week because that is the hot bed of this type of thinking. can we use that to our advantage in this new world moving forward. let's work on that together. >> jump in on that.
7:58 am
when you don't perhaps another time. >> everyone on this panel, a familiar face, talking for literally 20 years. i am heartened that the sophistication of the conversations is improving, kind of reflecting back on where we were pre-9/11 and post-9/11 when the world kind of changed, and now we are making progress. i am heartened and excited about the steps the administration is taking on these fronts recognizing the importance. i think there really is -- we are at a point where it is going to change and dramatically get better in the next couple of years. i'm actually really excited. >> so we are the cyber state
7:59 am
craft initiative. you can't have it without statesmen and women. they have been drinking from nice cyber statesmen mugs. we have several mugs to give to each of them as part of our thanks. please help show your thanks, as well. with live coverage of the u.s. house on c-span, here on c-span we show the most relevant congressional hearings and on weekends c-span 3 is the home to american history tv with programs that tell our story. battlefields and key events, american artifacts touring museums and historic sites to discover what artifacts reveal.
8:00 am
history book shelf, the presidency, looking at policies and legacies. lectures in history with top college professors in america's past and real america featuring archival government and educational films fr >> working around the corporation in 1967, daniel ellsberg became a consultant to the white house and the defense department about the vietnam war, giving him access to top-secret documents. he photocopied a 7,000-page study that later became known as the pentagon papers. in 1971, he gave those documents to the new york times. coming up next, part one of a two-part interview with daniel ellsberg. he talks about his motivations in leaking the pentagon papers as well as his opinions on the vietnam war. the richard nixon preside