tv   [untitled]  CSPAN  June 29, 2009 5:00am-5:30am EDT

5:00 am
>> if have you any thoughts on that and what do think about some of the most important things that the military could be doing as far as its role in moving forward? >> let me talk about my
5:01 am
thoughts as kind of a defense perp. >> we have to have dependable mission execution in the case of hostile cyber work or capable adversary. back to sharing with international partners. defining of this quickly spills out no the defendant of defense the chinese in piracy
5:02 am
or off somalia. but the other piece of it is at least the communication structure is 80% commercial that mission dependability is clearly a joint government industry problem. we can't do this without close action with ministry. job two is safe sharing.
5:03 am
we made a decision in the 1970s called system high. it was a computer science decision but it shaped everything the government has done since then. once an atom of information gets to a network, it's trapped this. so the theory was if the security guys were the ones that cooked up the schemes. it had to be the security guys problems to fix that.
5:04 am
we may want to soo a secret. coming up with a structure that allows us to this ad hoc information sharing. the historic technology problem. i think it's also clear based on events in georgia that cyber work is going to be a piece of the next big fight. that is different than it has been. we have a chance to tackle this. >> could i take your invitation to the start? >> i want to kick off and make sure we don't drop a point that chris raised.
5:05 am
that is sort of the human element. those are all tied together. it seems to me this is not only a security issue but also a competitiveness issue. i think we have to revamp how we do this starting very early on. catching people when they are five or six years old and getting them excited about the possibilities of going into this space, doing coding and other things. years ago, you'd have kids out
5:06 am
there with moms and dads working at an engine of a car. it's the same thing. make sure this is security education early on. when they are in college when they are taught i.t. that they get the securities fund of that. >> so they are not unlimited. oh, you are the security guide or g 12. back when chris and i were both line prosecutors. you had this problem where you would see investigative agents some of them said enough
5:07 am
of this. we have to go farther and make sure we develop that work path. you can't really understand this field unless you stay and play in it. no that's not just true in the law enforcement field but the energy field. i think we need to make this
5:08 am
cool for kids so it seems like something they want to do. it is something there would be congressional interest on. we were having this conversation in the waiting room before. i found it fascinating getting kids involved.
5:09 am
we teach spanish, french and language to kids. why not teach code as another language. there are models we could follow. we found they tipped to stay in the government when we give them good work. that's probably the best money we've spent so far on cyber
5:10 am
security. i think we need to do more on that. the other piece is we do need some curriculum review. technology is really fragile. everybody who writes software has to think about security. this really has to start with the design of things everything in civil engineering is how do you make buildings and bridges stand up. so human behavior is our graffiti. we have to consider it in
5:11 am
everything we do. that's a thing the government might help influence partly by the way we reward colleges and universities with r&d. we might put some strings on it without the change. >> i'm not going to disagree at all with anything that's been said. as we look at ways to develop our cyber security over the long term. ultimately, yes, you have to build up the expertise of those working on software
5:12 am
projects >> back to the human element. it's not just the training or a multilevel element of the kind of things we need to do. not everyone working on cyber
5:13 am
security is an engineer. on the private sector side of this, what does collaboration look like? i'd also like to loop into this question, there's legislation that proposes shutting the internet off from critical infrastructure. it's in the collaboration,
5:14 am
co-analysis and true partnership from day one, really. when something happens, there's a forced way by working together over the long haul. the services for that network provided or the fact that there are all kind of ways that people continue to do business.
5:15 am
even though you might have connected one thing, you still have yet to connect another. what would happen if you did that there might be alternative measures i want to get the objective of the d.o.d. on this. guard entering off how does that play off?
5:16 am
the country said it's a national security organization and we have to be able to work across a whole industry it was actually manned by people in all of the telephone companies and d.o.d. people and intelligence people. we had an operational entity that still exists. cyber has overwhelmed us a bit. we had a model that we could operate quickly. we used it.
5:17 am
in finle, it was used heavily to try to restore. worrying about its partners data was being exfiltrated from their network.
5:18 am
>> how do you work that and how does industry respond to that. we don't want this to be used against them. we are proposing some regulation changes. industry folks came back and said fine. we have always shared some
5:19 am
practicing. i think we need to grow this model. how classified does some of this threat data need to be. can we share it with the banking sector. we think it maybe is a model that can be thrown out to have this broader conference. i think i only answered the first part of your question. the first point is you have to
5:20 am
be partnership more generally if something bad happens, the last thing somebody is going to do is reach behind them. that particular model is behind a lot of proposals you see coming out of bodies which some of you were involved in developing.
5:21 am
those ideas don't go away. we have to figure out a way to define those i'll call out three things i think are essential. the first is trust. almost everything else will work, without that nothing else will work. or if necessary, providing the right clearances to people and
5:22 am
making sure they see it. not here is how they classify information. this is what you have to do with it. we built a lot of mechanisms to work together. the national coordinating center. all of these things and more are designed to work together. we need to work for them when they are working but sl the opportunity to bring the right people.
5:23 am
sort of a lightweight process of working things together. who does what. how do they implement that in the government business processes so that we can all work together without trying to build the plane as we are flying it while bad things are happening. >> that's a perfect place for me to jump in. the cyber security act of 2009 introduced to get this dialogue going we didn't envision it of any kind of on/off switch. we only are speaking to lines of authority so that we know what happens in the event of a
5:24 am
cyber attack so people aren't guessing with the kind of confusion we had with katrina. it is about trying to make sure oregonically who does what. we are trying to state the obvious that in an extreme cyber attack, it really wasn't meant to go beyond that. this kind of a discussion is something we've been having in a conference room. it is very hopeful so that by the time we got to moving the legislation, i'm hoping that it will be more warmly received. >> i think a core part of the report is exactly that.
5:25 am
defining the lines on the road we've known this is a problem for some time. getting people to report to you incidents has always been a real problem. one of the reasons for that is the people asking the rourt don't really see what benefit they will get out of it. we need to do our part too. i don't think government is going to pick up in a big cyber
5:26 am
incident either. we need to have organic processes and come together april really respond. can i ask a silly question? >> absolutely. >> d.o.d. is a planning outfit. we work out relationships. all those details appear in that practice. what do you think about what we are going to work out. how should we really work that out? what is not in war normally. you want to train and practice to what you are going to do.
5:27 am
we need to scale rapidly even if we didn't want to, we need to exercise to plan for that. there is a whole series of the
5:28 am
industry to make sure they are getting ready for future events. we need to make sure there's a cade answer around those skices to use those and test the things we want to use. as we go forward, we want to make sure those align with the incident, planning and response problems developing. and then have a cycle and what
5:29 am
do we need? >> i'd like to ask members in the audience to start lining up for questions. you say what's in it for us. how do we share? how do we send information back to figure out framework? the last question for the panel.
