tv [untitled] CSPAN June 28, 2009 7:30pm-8:00pm EDT
7:30 pm
a little bit different. one is always in that environment. all of us are always under attack. we are in a slightly different place. the events happened all of the time. telecom companies get cut all of the time because of a backhoe that just dropped. what we all need to do is to be able to scale rapidly to address jubilations that could be much more severe than what we do on a day-to-day basis. on cases where there really is an attack, maybe that is a case where it is kind and not like. we need to exercise to plan for that. we have done a series of exercises over time. there is a whole series of exercises and both government and industry to make sure we are
7:31 pm
getting ready for future events. we need to continue to do the things and make sure they are not too burdensome. we need to make sure that we do them and do them the right way and get the private sector involved where appropriate. we are bringing in all of the people that need to play. we need to make sure there is a cadence around those exercises so that we are using them with our policy development and testing things that we actually want to use. as we go forward on exercises, we want to make sure those align with the processes that we are developing. exercises inform plans, we exercise plans. we included in our future
7:32 pm
planning. what capabilities do we need in three years or five years? design capabilities to address them. it is a virtual cycle. >> i am going to ask one more question. if members of the audience would like to start lining up at the microphone, we are going to start taking questions. a great point was made. what is the flow back to the private sector? we give up information, if you are in a business, you say, what is in it for us? it is great that people are thinking about, how do we send information back so that we can make sure that information is working. the last question for this panel, what do you think we can do to get the word out that
7:33 pm
there is a criminal element to cyber security and the problem as well as small businesses. the impact if you buy inexpensive computer, maybe several if you are a small business person, and they are fried. if you cannot use them. what is the consumer side of this effort? >> the full chapter in the report is the real public outreach campaign. it is supposed to educate the public about how important this issue is. we have to change the culture. kids growing up think that being a hacker might be cool and attacking things might be cool. it is different than breaking into your garage next door because it is
7:34 pm
in cyberspace. that is something that becomes important. they understand that by getting that information, they are not the only victim. there are lots of other victims. we have to convince them that we can do something for them. it is not just the law enforcement side or security side. they are dealing with things that we cannot do. >> we are running out of time. >> this is something that is a home problem. we have got a collection of people that did not grow up with i.t. and embedded in the infrastructure. by the time they see -- they are driving, they have been around cars and seen it for ever.
7:35 pm
the entire community educates them about driving from when they are very young. we will get there eventually if we do this right. we have to get over that hump. that is where the recommendations are important. people have been doing great work for a long time. we do need to step this up to another level. if, in fact, this is a national and homeland security problem, then we have to treat it that way. we have to dedicate the resources and effort to educate the public to individuals and corporations as to what the threat really is and what they need to do to protect themselves. it is not a mystery what we need to do. >> this is a national priority. >> we are going to take questions from the audience. if you could please introduce
7:36 pm
yourself and ask your question. >> this has been a very useful panel. there is a lot of agreement about what needs to be done. i am a little frustrated that we have not spent time on making the infrastructure itself more secure. i wanted to pick up on his point that we needed to have as a foundation and infrastructure that has good authentication built into it with privacy protection built into that mechanism. when we were working inside policy 15 years ago in the clinton white house, we all knew that we had to have better authentication. 15 years later, we have more problems with on-line identity theft, with phishing. to highlight some of the
7:37 pm
specifics, i would like the panelists to tell us why do you think that we have not made progress on this fundamental issue in 15 years and what we need to do to win four, industry, in government, congress. >> being old, i got to watch all of these technologies developed. all of these technologies were developed with the notion that everyone is benign. the network is completely anonymous. there is nothing built into the technology infrastructure that makes it less so. in the department we have a goal underlying some of these other goals by driving entities out of our internal networks. we are struggling with the privacy problems. things like social security
7:38 pm
numbers cannot be a part of that. technology is going to a vault long live times secrets. a social security number turn into a long lifetime secret. when we were a kid, we printed them on their checks. they do not require us to have authenticators. we have a big public infrastructure on the classified networks. we have a big one on one of the classified networks. we are ruling it out this year. those kinds of technologies have to become much more ubiquitous. the other thing we have struggled with, it is not just a technology problem point, as you drive it out, you still need to figure out how to establish an f q six so that people trust others that they have just
7:39 pm
discovered to our want to do business with him? do i want to interact with him? the other structures come with learning things about richard hale and a dependable way. it can not be easy to mess with that information. there are technology pieces that start to solve this problem. we have worried a lot about privacy as a part of doing this. i do not think we have solved all of the problems. i think that the pieces are there. we have not had the economic reason to do it except in places like dod. >> one of the reasons you have nancy it is that the business case has not been made to the industry or the government. people are losing their
7:40 pm
identity. it brings it more home to them. the issue is, how do you build the privacy and civil liberties into this debate? there are some cases where we need anonymity and some places where you need authentication. if you do it right, you are enhancing privacy. one of the things that was unprecedented about a report and the structure going forward -- we are going to have the kind of dialogue to make sure we balance the equation correctly. there is a lot in this area that could be done to get a lot of noise out of the system and make us more effective. >> the problem is policy. it is not the technology. the technology has been there since 1995 or before.
7:41 pm
i would disagree with richard. i do not think the point is driving the anonymity out of the system. the problem is making strong authentication available in places where it is appropriate. that may be on a dod network everywhere. on the internet, it is not. anonymity is not only highly socially valuable, the constitution protects it. we have to keep that in mind. we have to make it easier to have strong authentication. it is not a public good problem, it is a public action problem. too many pieces have to move together at the same time to make this happen organically. maybe some entity in industry wants to use strong authentication. it is not worth their economic
7:42 pm
time to do that. governments never really provided ways to optionally authenticate online if you wanted to do it. the people that could act do not have the incentives to act. what we have got to get is that we have to get to the point where if you could not want to use a user name and password, a set of shared secrets that may be shared, but they're not really secret, you cannot have to use them. you could use some sort of a credential that provides you a greater deal of security. if i want to see my irs information or something, i have a strong means of authentication. i could optionally do that. how we get there is to find the places where we could have the action and spiral downward. >> i think we address the first
7:43 pm
part. how do we get more technologies that are available already? if truly there is a place where a market has not met a need, then perhaps we could look for a way for another public, private partnership to bring the resources development and the resources of the private-sector and whoever else is involved in for a specific project to address things were there is not a current system to address their into a structure. >> thank you for your question. >> i am with the terrorism research center. this may be a question for richard. we have received some supports after cyber security experts that china has developed its own secure operating system in the past six years and they started deploying it in 2007. is this something that the dod
7:44 pm
is doing. it seems like we are on the reactive rather than the product. dod has spent $100 million on the cleaning up cyber security issues. do you think we can continue to partnership with some of these private entities where their focus may be more on business not being more about security? should we be developing our own security software like the chinese have done? >> this is another old guy question. back in the system i was in, dod did make the decision the current operating systems were not capable. also for general resistance to cyber attack. we wrote a guidebook on how to have been operating a system that was more resistant and how
7:45 pm
it had access control based on the labels. we had a public, private partnership going. we had a really great one. every operating system in the world except for microsoft built one of these operating systems. people looked at that and said that i am not spending money on that again. you promised that if we made these, we would make a market for them. there are a couple of lessons. the government does have to be more active in demanding infrastructure that is more robust. the government is going to have to pay for it. the government is still a big technology information customer. we can help nudge the market. we have to be much more serious
7:46 pm
about using our buying power to help us with some commercial things. there are places where we will have to deal with this technology. there will be more infrastructure pieces. >> the next question. we have 15 more minutes. i am going to try to move it through as many questions as we can. i makeup of the panelists after of one or two. please keep in mind questions you want to revisit. >> when i hear the rhetoric that we are under attack at all times, it is difficult for me not to associate those things with warrantless wiretapping and community spirit printers print out information in pages that give up individual's affirmation about who printed that the
7:47 pm
affirmation. what will be done to ensure that these policies are open and transparent so that we citizens can decide whether we want to give up those rights in the name of this work that is being put forward? >> i do not think you should be asked to give up rights. we should find ways to move forward. i really mean this. we need to find ways to move forward and to protect security and privacy at the same time. there will be places where there will be pushed points. in a lot of areas, we can do that. we obviously need transparency to the greatest extent possible so that we can provide oversight to the public about what we are doing. the last thing i say, as he pointed out in response to the question earlier, the 60-day review said that in the white house, there is going to be a
7:48 pm
privacy and civil liberties person present. we have to institutionalize the perspective that we need in order to protect privacy. during the course of the 60-day review, the average that was done probably by the team that did it under her leadership was extremely broad and included the privacy community. that was a very lights on fact for the people in the community. >> that was right. we have met with them several times. they were delighted by us. they had not had that experience before. this president has made transparency a bedrock principle of his presidency. it is something we want to take seriously. >> thank you for your question. >> i represent the center for defense studies.
7:49 pm
in a situation where we have civilian, military, the private networks running operating systems and not just our own networks, how do you pulled that relationship between a potential offensive capability with the military research and offensive applications, how do you balance that against the need for defense if we discover vulnerability of the other side of the public, private divide, especially on the military side. should that information be shared? do you patch a vulnerability or do you keep it secret to exploit? >> i think it is a great question. right now, we tend to share the vulnerability information that we find. i cannot talk about some of how these processes work because
7:50 pm
they are not public processes. there is a vigorous debate process inside of the whole federal government about how this should work, and in general, the way it works is that we choose to share the vulnerability information and fix whatever the vulnerability was or at least encourage this. we do have a very active program to do that. we have also tried to catalog these things and share them as by the as we can. there is something called the national vulnerability database that is run out of the national institute of standards and technology where a lot of this vulnerability sharing is done.
7:51 pm
>> an important aspect of that is the ongoing dialogue between the various parties on an ongoing basis. there is also the notion of responsible disclosure that has to work on overtime between government and industry about how this looks. it also does not subject invar meant to be exploited without some protections being put in place. there is a lot of dialogue required and a mechanism for that on a consistent basis. there will be times where there is tension between a disclosure or not. that could be worked out as quickly as possible. there have been businesses where the traditional ways of disclosing have been overruled by the dialogue that has taken place.
7:52 pm
>> i have to go to the moderator now. i may provide the first two questions. how would a lack of international law affect u.s. development of cyber defense capabilities? as the defense department outlined, the moral outline for cyber warfare? could the concepts of mutually assured destruction apply for a cyberspace? we could let you off the hook. >> we are not lawyers. i would say one of the lawyers. >> i do not think we need to wait for a treaty, which might not be optimal anyway to work on defensive measures. >> one of the things we talked about in this report that we need to do is to try to find
7:53 pm
what some of the norms are in cyberspace. one of the things that is clear that when we look at these events that have happened is that a fundamental thing that we need to do it the mayor what the factor is. these are criminals commit nations-nation states, there are a whole realm of threat actors. we have to make sure we have the defense measures in place, response plans in place, and the partnerships in place. those are at the core no matter what. we do not always know who is doing what to us. we have to get better at doing that. >> we were talking in the waiting room about this. we were talking about piracy on the high seas. it is an international problem that is age old. 350 miles off of the somali coast was attacked. richard and i both have made the
7:54 pm
connections. i used to be a frogman. that was ended by the navy seals. the development of both international norms, cooperation, and the private sector. i was just watching a documentary on what happened and the procedures that these vessels have. they share amongst themselves best practices. one of the first things that they did was to call some anti piracy center in the uk when they were being attacked. on this question, you thought about history quite a bit. what are your thoughts on this question. >> we have tried to have as many ad hoc relationships as we can. some of our relationships with our closest partners those relationships have been in place since before world war ii.
7:55 pm
we have used those relationships to expand sharing around cyber stuff and around incident response. we have succeeded in some of the cyber emergencies in putting together ad hoc coalitions. that is part of what dod does. it tried to get something done around the cyber emergencies and other parts of the world. there are not social norms yet. we need better notions of where the boundaries are. we need to figure some of those out with our partners so that it is not all ad hoc. >> one quick point. this is another area where we need to go further, stronger, faster. this is an inherently
7:56 pm
international problem. no one government could solve this. acknowledging that we have a lot further to go, let's not pretend that nothing has happened. we serve to time on high-tech crime. many years ago, an internet time, a century ago, the council of europe developed a cyber crime convention. this was the first major international incident. it is a very effective way for law enforcement around the world to work together on a rapid scale to solve crime. that needs to be adopted much more broadly internationally. we need to find ways to build on the successes. >> thank you. question? >> earlier someone mentioned the
7:57 pm
idea that we need to pay security and the process of creating our digital infrastructure that is used on a daily basis. that is a wonderful idea. i am curious what ideas you have for implementing that. my own experience and the private-sector is that it is not a lack of confidence on the part of the programmers, but regular time and money. security is one of the first things to fall by the wayside. there needs to be some sort of incentive. it is systemic lot in the process. do any of you have any insight as to how you might approach that. >> incentive is one thing that you could look at. the market has changed to some extent. if software is more secure, it might demand a little bit more of a premium. there is a combination of incentives.
7:58 pm
also, the market value with them a little bit more. on the government level, it is having the security people in the same room as the end of asian people. if they're integrated and exchanging information at the outset. >> the government can help drive information and the sector if they offer incentives. people on the commerce committee are very interested in doing this. this could be a tax incentive. we are looking at all of those options. >> if you want to bring the market to bear, you have to have an ability to high-let them make decisions. you have to have this based on data. >> i like to take one more question. >> the government still has a lot of buying power. if we band together, we can make
7:59 pm
a market for some of this stuff. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2009] >> up next, "q&a" with douglas brinkley and then the british house of commons. following that, the election of a new speaker of the british house of commons.