tv [untitled] CSPAN June 28, 2009 7:00pm-7:30pm EDT
7:00 pm
7:01 pm
any strategy development coming out of the review should include a national strategy at this point. there has been some good work done on building partnerships in cyber crime and also crime prevention. as well it has in operation and collaboration mechanisms. they can only go so far without additional leadership and enablement. we can talk to our international counterparts and our companies are international companies. they have to deal with the borderless nature of cyberspace every day. we have to talk to our international partners and sit down and collaborate with them. there are different ways we can do that. we can highlight the public, private partnerships with one specific thing that we have looked for from the energy side for quite some time.
7:02 pm
we do not need to bring government and industry together saying that we need to do something now. we need to have the same collaboration on this issue. we cannot do it in the midst of a crisis. we have to do it on an ongoing basis. >> do you have any thoughts on that steps to the report? >> and a lot of what she talked about in this piece of legislation where they try to put -- picked up on different pieces where they have different pieces of the cyber-board where there can be information sharing between the government about presence of threats in the
7:03 pm
advance of having attacks on private industry. there is a lot of skepticism about how that might work. they were hoping that they would get engagement from the private sector to help us outline how we could make it work in the real world. i am excited to have the opportunity to ask people about their comments and reviews before we try to mark it up in the commerce committee. >> history is something that i asked about. if you have any thoughts on that and what do you think about some of the most important things that the military could be doing as far as its role in moving forward. >> that meet think about my thoughts as a department of defense person. we have three fundamental cyber
7:04 pm
goals. this has to work when nothing else will sometimes. we have got to have dependable mission execution and cyber warfare by capable adversaries. it is not just that we're worried about cyber crime. we have to work in the face of this threat. a lot of other things have to work in the face of this threat. back to sharing with international partners and industries. defining what a mission is, to quickly build outside of the department of defense. essentially, every mission is a coalition mission with lots of other partners.
7:05 pm
neither close allies or people we are not used to doing business with. the chinese in piracy and earthquake relief. >> you mean on the high seas? >> i mean on the high seas. it also in somalia. not cyber piracy or stealing microsoft code and selling again. the other piece of it is that the communications infrastructure is 80% commercial. that mission dependability is a joint government industry problem. we cannot do this without close interaction with industry. job at two is a sharing. we have had lots of security rules over the years. we made a decision in the 1970's.
7:06 pm
it was a computer science decision. it shapes everything the federal government has done ever since. we will have separate top-secret make dashed top-secret networks. once an atom of information gets in that those that works, it is trapped there. it is considered secret. it has inhibited information sharing. the security guys are the ones who cooked up the scheme to make information sharing hard. it had to be their problem to fix. space sharing is the second problem we have. the third problem is the traditional security problem. that is a very coalition oriented thing. we may want to keep a secret within a particular set of countries.
7:07 pm
we may keep it within the department of defense. coming up with structures that allow this coalition formation while keeping a secret is another problem. the historical technology problem has been my decision. it is clear based on events in estonia and georgia that cyber work will be a piece of this. dod has to take this seriously. the president is taking it seriously. the secretary of defense is taking it seriously. that is different than it has been. we have a chance to tackle this. >> could i take your invitation to have the panelists to take over? i want to make sure that we do not drop a point that he raised.
7:08 pm
these are all tied together. we were having a conversation about this in the greenroom. there are a lot of primary colors are around this place. it seems to me that this is not just a security issue, but a competitiveness issue. we are not producing enough security talent, and development talent that we need to ensure the economic viability of our key private sector players. and for their security and the security of our country. we have to revamp how we do this, starting early on. catching people when they're five or six years old and getting them excited about the possibilities of going into this space. years ago, you'd have kids out there with their mom's or dad's
7:09 pm
working on the engine of a car. you have got to get people excited. there is security education early on. when they're in college, if they're taught how to do i.t., they get the security fundamentals. once they graduate and go into the workforce they get mechanisms that have career paths. you are not stuck as a security guy. you can go up to the political ranks as a security professional. back when we were both prosecutors in the middle 1990's, you'd have this problem where you see investigative agents who would develop considerable expertise in doing cyber crime investigation and then they would be rotated out. they would be doing paper fraud.
7:10 pm
some of them said, and enough of this. i will go to the private sector where my skills are in demand. that has changed throughout the federal government. we have to provide that training. lots of other people have thought about that. >> the career path is important. one of the agencies that he mentioned, the fbi, cyber is one of their top priorities. you'd do a little bit of cyber, you do something else, and you do it again. you cannot really understand this field of the sea stay in it. the developments are too fast to go away. it is true across the board. they have developed a career path where somebody comes in and they stay with it throughout their whole career. that is happening in the security field of government. we need to make it cool for kids so
7:11 pm
that it is something that they want to do. >> on workforce development and training, there could be professional encouragement of sisters scholarships. this has its own training. google has its own training. that is a place where we could come together and put more resources so that we are prepared for the future and we would not run into any of the controversies. >> google does have training on this for our engineers. we have this conversation in the waiting room. i found it fascinating, the idea of getting kids involved. we teach spanish, french, language to kids.
7:12 pm
why not consider code as another language the kids could do? you could have cyber security awareness. does anyone else have comments on the pipeline issue? how do we get the cyber security professionals of tomorrow ready today? >> there are some examples or models that we could follow. the national security agency and their centers of excellence programs where they teach it. if you have the national science foundation and the nsa programs that are graduating first-rate kids that owe the government a little bit of time. they tend to stay in the government when we can give them good work. that is incredibly successful. that is the best money we have spent so far on cyber security.
7:13 pm
we need to do more of that. we do need some curriculum review. this technology is really fragile. everybody who writes software has to think about security. it cannot just be security people that think about security. security has to start with people who are doing the designing and encoding of things so that every single computer programming class has to consider security as part of the class. it is not an algorithm class and then a computer security class. it is like doing civil engineering without worrying about gravity. it is all about how to make bridges stand up. human behavior and gravity in our computer program. we have to consider it.
7:14 pm
that is a thing that the government might help influence. this is partly by the way we prewar colleges and universities. we might put some screens on it around curriculum development or curriculum change. >> i am not going to disagree with anything that they said. as we look at ways to develop our cyber security professionally over the long term. this is a huge effort. to think of it in a multidisciplinary way. you have the of very difficult architecture. all of the things we do now use
7:15 pm
computers and other things. both of you probably said it. this is the human element. this is not just the technical training. it is also a multidisciplinary effort to build practices and norms and the things that individuals need to do as well. not everyone that is working on cyber security today has an engineering degree. i would like to think of it in as flexible of terms as possible. those that can contribute to a multidisciplinary, ever
7:16 pm
evolving technological environment. let's try to keep some flexibility in that evolution as well. >> one thing and i would like to ask on the point made was the importance of public, private partnerships. on the private sector side of this, what does collaboration look like when you have your response? there was legislation that proposes the idea of shutting the internet off from critical infrastructure. i like to get your take on how that would work. >> i touched upon what collaboration might look like. the key part of that is that it is not just doing an incident. it is doing the cooperation, the
7:17 pm
analysis, a true partnership from day one. when something happens, there is an organic way to respond, not a forced way. it is a proactive approach to addressing the problem by working together over the long haul. with regard to a disconnect proposal, as proposed in the last bill, i would say that we need to have a strong dialogue about that kind of thing. in today's technological environment it cannot disconnect somebody for the unintended services that that network provided or it because there are all kinds of redundant networks or ways that people continue to do business. even though you have to it -- a
7:18 pm
disconnected one thing, you have not disconnected another. what would actually happen if you did that? there might be alternative measures to protection and emergency efforts that might be needed. >> i am going to give you a chance on this. i wanted to get a perspective from dod on this. also doing private-sector and infrastructure from other systems. how does this play out? >> i am an old guy. i have ancient history stuff that might be helpful as we go through this. when at&t broke up, they said that our common infrastructure is no longer owned by one company.
7:19 pm
the country actually said that it is a national security priority to work with an industry. we have to work across the whole industry that handles telecommunications. there was an outfit formed over the bay of pigs. there was a telecom emergency thing, the national communications system. after the breakup, there was this national coordinating center. it was manned by people from all of the telephone companies and by dod people and intelligence people. we had an operational entity. it still exists. i think that priority has gone down because cyber has overwhelmed us. we had a model where we could operate quickly in an emergency and we used it. on 9/11, it is used heavily to
7:20 pm
restore this. the ncc, coordinate actions by industry and government so that we could all work together towards those goals. another thing that's started, dod started worrying about its technology secrets leaking out of its industry partner networks. big defense contractors pulled all of the technology data for the department. they were getting cyber attacked as well. the department started another thing that i think might be a bit of a model called the defense industrial base cyber security effort. we started to wrestle with these problems of, how do you have a
7:21 pm
really tight sharing relationship with somebody that you also want to compete for business with you? how does industry respond to that? we want them to share information. we do not want it to be used against them in our competition for a fighter plane. we have a really robust pilot project with about 30 companies where we work through the legal arrangements and are proposing some federal acquisition regulation changes. the thing that the industry folks came back with was, fine. we will tell you internet data, but you have got to give us something. we have always shared best practices through this or through some dod entities. we started sharing classified threat data.
7:22 pm
this is a big breakthrough. we need to grow this model. this is a conversation that we need to have internal to the government as to how classified this data needs to be. can we share it with the banking sector? if something is coming at them, we want them to be robust. we started with this defense industrial base. it has been under the critical infrastructure protection laws. it is a model that can be grown out and inherited to have this broad of a conversation. >> the first point is, there cannot just be partnership around incident response. there does have to be
7:23 pm
partnership more generally. it has to be built into the dna of all the different players. if something like that happens, the last thing someone in the private sector is going to do is to reach for the binder on the shelf behind them. they are going to start doing what they do on a normal basis. they will meet the emergency. we have to build those organic ways of working together. we do not start from scratch. the national model is a very good one. that particular model of what amounts to a joint operation center is behind a lot of the proposals that you see coming in. some of you in the audience were deeply involved in developing this. those ideas do not go away.
7:24 pm
we have to figure out the way that we refine those and help them to meet what is a broad cross sector issue. we could spend the rest of the panel talking about public, private sharing. i will call out three things that are essential. you have got to have trust. with trust, almost everything else will work. you have got to build that and start with personal trust. you can have to move towards organizational trust. there is a return on investment for everyone involved. you have to play in that partnership. that involves government making sure we share the information that we can share. not overly classifying information. if necessary, providing the right information to industry and give them the information that is actionable.
7:25 pm
this is classified information, you cannot do anything with it. that is not helpful accepted generally conform what to do with the threat. the second thing is agility. we have built a lot of mechanisms to work together. the sector coordinating council, the various advisory committees and the bodies to go along with them. all of these things and more are designed to work together. we need to work with them where they are working. we also need to have the ability to bring together the right people in a very agile way. you can get unique problems. you conceive of vulnerability that came up in three sectors. you need to bring together the right people to solve the problem very rapidly. the last thing is a light weight process for how they are going
7:26 pm
to work together. we need to tie down, as part of the response plan, who does what? what are the rules of everyone? how to implement that in their existing business processes. they could all work together without trying to refine this world that things are happening. >> this is a perfect place for me to jump in. the provision in the legislation that's no introduced in a way to get this kind of dialogue going. we did not envision it as any sort of on, off switch. the terminology in the draft is imperfect. we need to change it. we only are speaking to lines of authority so that we know what happens in the event of a cyber attack.
7:27 pm
so that we do not have the situation and confusion that we had with katrina or 9/11 where there is confusion between national decision makers and local and state authorities. organically, there has to be an understanding of who does what. we were trying to state the obvious. in an extreme cyber emergency attack, the president ultimately has constitutional authority to protect the country. it was not meant to go beyond that. this kind of discussion was something that we have been having in conference rooms. this bill is very helpful in this process with this legislation. it is actually moving the legislation and hoping that it will be warmly received. >> a core part of the report was exactly that, defining what the lanes of the road are and
7:28 pm
how the government sectors work together. we know that this has been a problem for some time. we have not had a response plan. that was only one part of the plan. i echoed most of the sentiments heard here. partnership for what purpose? people throw that around without any content behind it. what relationships do you need to develop? what do you need from the industry as government? what can government give industry? getting people to report to you incidents, that has always been a big problem. people who were asking the report, did not receive what benefits they get out of it. making that clear is the government and industry problem. i do not think that government is necessarily going to pick up and get the 300-page thing off
7:29 pm
the shelf either. we need to have defined lanes of the road. >> can i ask him a question? >> what we do is that we plan. we are planning an outfit. we work out relationships. in spite of all of that planning, we have discovered that there's no substitute for practicing your plan. all of the details that you did not think of appear there. what do you think of how we should work out? we have some legislation that defines some lanes, but how should we work that out in a crisis? >> i agree with you completely. one of the reasons that dod exercises and practices so much is that the exercise is that one is not in ward normally. if you want to practice for what you should do.