
The Communicators  CSPAN  May 15, 2010 6:30pm-7:00pm EDT

6:30 pm
to limit federal spending on an annual basis. less spending, more jobs, it's that simple. president obama and democrats in washington should listen to american people who want us to work together on a common-sense solution to stop the spending spree and focus on helping manufacturers and small businesses create jobs. a responsible budget would be a good place to start. thank you for listening. >> this week on "america and the courts" supreme court nominee elena kagan moderates a discussion on the recent supreme court term at the 6th circuit judicial conference. panelists include university of california irvine law school dean erwin chemerinsky and former u.s. solicitor general paul clement. last week president obama nominated elena kagan to replace justice john paul stevens who's retiring at the end of the term. "america and the courts" today at 7:00 p.m. eastern on c-span.
6:31 pm
>> this week on the communicators, a discussion on cyber security with philip reitinger of the department of homeland security. >> philip reitinger, what are your duties as undersecretary of national protection at the department of homeland security? >> so my duties fall into sort of three categories. first i'm the deputy undersecretary for the national protection and programs directorate, which means i'm the number two in a fairly large organization that is bigger than just cyber. so within nppd or the national protection programs directorate is also infrastructure protection which is all about protecting the country's infrastructure, physical infrastructure and otherwise, the federal protective service which is responsible for protecting government buildings, risk management and analysis component and u.s. -- the biometric and other work for the u.s. government. so all those pieces along with cyber security and communications which is the
6:32 pm
department's most significant cyber security component are within nppd. and i'm the number two in the organization that runs those. second, i have been designated and brought in by the secretary to serve as the department's lead for cyber. so i spend a chunk of my time dealing with greater cyber issues across the department and working specifically with cyber communications and its leadership, greg schaffer who's the assistant secretary for cyber communications and mike brown, rear admiral mike brown who's the second assistant deputy. the third hat that i've got is i'm also the director of the national cyber security center. in that capacity i actually report to the secretary. and that's a small component that is responsible for helping to coordinate across the different cyber security centers in the federal government, which includes a part of csnc, center of --
6:33 pm
that serves as sort of the watch and warning and operational center for working with the private sector and across the civilian government space. but there are other such centers. an f.b.i. run center called the ncijtf and a center up at the national security agency called the ntoc. one in d.o.d. or several in d.o.d. and one in the intelligence community. so all those centers can coordinate effectively together, can be more effective in their mission spaces, and can help drive common situational awareness which is one thing we think a lot about in cyber across government. >> ok. two questions to follow up from that. how do you define cyber security? >> well, it's a hard thing to pin down. there are components of cyber security that i think you cannot lose sight of. it's sort of the traditional definition of computer security or cyber security falls down into confidentiality, integrity and availability. so confidentiality is about making sure that information or other things that you
6:34 pm
want to keep confidential stay confidential. integrity is about making sure that someone who shouldn't alter that information or an information system doesn't alter it. so you can imagine when you think about things like confidentiality is important, integrity is far more important. and then last, availability, which is not only that an information or information systems is available but perhaps something that depends on an information system is available. so we increasingly think about in the broader context making sure that essential services such as power and water and transportation where there are interdependencies with underlying communications or information technology functionality remain available. and so we -- cyber in that sense has both a vertical and a horizontal element. let me explain briefly what i mean by that. the vertical element is making sure that
6:35 pm
communication systems and i.t. systems that you might think of as the sectors much as there's an electrical power sector, to those sectors are secure and are doing their best job. then there's the horizontal element that cuts across the entire economy. power depends on i.t., government services depend on i.t. that's an essential element of cyber security also. and what is common situational awareness? when you talk about working with other departments? >> common situational awareness means to the best of your ability you know what's going on. that are you under imminent threat of attack? what's going on? it's hard to make the right decisions without the right information. so common situational awareness is having a common operational picture. there's different ways people talk about it. means that you have a good sense of what is happening across your enterprise so you can respond appropriately. for example, mitigating the threat in the most effective way. >> well, here to help us
6:36 pm
dive into some of the issues that you cover is ellen nakashima the national security reporter for the "washington post." >> hi, ellen. >> hi. thanks for having me. i'd like to start with another question about definitions. former director of national intelligence mike mcconnell recently stated in an op-ed in the post that the united states is fighting a cyber war today and we are losing. do you agree? what's your thinking on that? >> i would probably use different words. what i'd say is we have an increasingly threatening environment. we are trying to secure a broad network of systems. and that network of systems involves more and more devices every day. so we're putting computers in everything. we not only have computers on our desks, we have computers in our television sets. and we have computers increasingly in our refrigerators. and look on the back of
6:37 pm
those things. more and more every day they've got an ethernet jack or they've got a wireless connection to a home network. so we're tying all these things together. because it gives us more functionality. that's what we use i.t. for, information technology for, to give us more capability, to give us more services. but that adds complexity. so we've got a network that is bringing together different devices that are all running different software, doing different things. and ask anybody who's been in security for a long time. they'll tell you complexity is the enemy of security. the second thing is connectivity. as i said all these things have jacks on the back. we're all connecting them effectively to the internet. we're tying all these things on this big global network that give us a benefit. network effect people would say to tying these things together. but every window is a door. and they go both ways. so what we're doing is we're taking a complex network of devices, we're making it -- we're increasing what you
6:38 pm
might call the attack surface area. there are more ways to get in. and we're depending more on this network of devices every day. so through connectivity, complexity and criticality, we've got an increasing risk profile. and the hackers, the bad guys, if i could use that technical term, are getting better and better. so we've got to continue to up our game to make sure that we're responding appropriately to the threat that we face. >> ok. so the recent intrusions into google's computer network and those of some 30 other companies have really done probably more than anything to date to highlight the seriousness of this threat. and the white house has also said that it's pegged the dollar value of losses to american businesses annually at over $1 trillion, intellectual property. what is the department of homeland security doing to help industry prevent such
6:39 pm
attacks and remediate the damage? >> so we work with industry and have worked with industry in multiple ways. you are quite correct that the losses from this sort of activity are continuing to rise. i got involved in cyber security back in the mid 1990's when i was a prosecutor for the department of justice. back then, hackers were starting to go more towards money. but still sort of the scrawling on the web page, what howard schmidt, the current cyber security coordinator, calls weapons of mass disruption were the modus operandi. people did things for reputation. they wanted to bring down systems. but people are after information of actual value or monetary value. so bad hackers or crackers are in it for the cash. what are we doing? if industry has a specific compromise we are available and have on multiple occasions provided
6:40 pm
assistance. we have multiple programs for working with industry. we share information with industry both receiving and providing information and work through all of the different sectors to their sector coordinating council. we just recently started a pilot program. the defense department started a great effort to share information with its defense industrial base where they tier information up to a classified level -- and we are sharing that information with the financial services sector. we also share with all sectors both on occasion classified information and certainly unclassified information through the united states computer emergency readiness team or us-cert that i alluded to before. we provide information to them regularly about what is going on and appropriate mitigation. so for example, in the attack that started last july 4th roughly, we fairly rapidly spoke with industry, got their view of
6:41 pm
what was going on, worked with our partners across government and got out bulletins, separate bulletins, both to private industry what we call a cinn or critical information infrastructure notice. if you live in this land very long you have acronyms like this. we got bulletins out about what was going on and the activity. we are continuing to work with them to make sure that we are developing the processes and procedures that will let us work together effectively. so people think that the big one or the big cyber incident, what happens when bad thing happens. are we prepared for bad thing? and we are where we are. and we have a long way to go. and there is a long way to go. but we are very focused on continuing to improve both where we are in the short and the long-term. so one of the recommendations out of the president's cyber space
6:42 pm
policy review with president obama signed that in may of last year was we needed a better national cyber incident response plan. so subsequently that was launched by the administration and d.h.s. has been leading that effort with around 150 different partners from the private sector and the federal government. and that's to develop both a steady state way of working together, known rules and responsibilities, that can scale to an emergency so we can work together across all the different stove pipes within government and within the private sector effectively a response to an emergency. we're also building out the organizational construct that will enable that to be successful. so for example, during cyber security awareness month in october of last year, the secretary came by with a number of members of congress and other people to open the what we call the ncec the national cyber and
6:43 pm
security integration center which is two offices that integrated. a lot of this is dealing with the changing environment. historically we had separate entities and watch centers that dealt with i.t. and communications. which the boundaries are very distinct. so people think about your computer is really different than your phone line. but they kind of merged together in the center because they're all about passing information. and the sectors are increasingly growing together. and as we -- as phones migrate to things like voice over internet protocol, effectively you're making phone calls over the same channels that carry internet, the threats are going to migrate from one to the other and they'll be joint in a sense. so we've colocated those two watch centers. we have always had private sector representatives involved in the communications watch center and we're going to increasingly ramp up the virtual and physical presence of the private sector in that joint capability. so we've got not only the plan for how we're going to work
6:44 pm
together but the right organizational mechanisms that allow us to do that. >> tell us a little bit more about that action plan. what does it look like? how did it work? if an incident of cyber significance happened today how would you know and what would be the first thing you would do? >> these can come up in multiple ways. the rules of responsibility i think are pretty well-defined in the core mission areas. the who is responsible in the united states? the president is. go ahead. >> let me pose a scenario for you, ok? so we are in july in the midst of a heat wave and half the east coast is in darkness from new england down to washington, d.c. because of some hackers from overseas, it's not clear exactly who they are, hacked into the power grid using computers in the united states -- computers in the united states. and at the same time this power outage has overloaded hospital emergency rooms
6:45 pm
because the elderly and ill are piling in. traffic signals are bottled up. who's in control here? what's d.h.s.'s role in this? what would the military or pentagon's role be and what would the white house's role? >> so who's in charge of the u.s. government? that's the president. so the president is ultimately and would coordinate the cross-government response for example through the national security staff. and on the national security staff, howard schmidt the cyber security coordinator is the lead. for the response to domestic incidents, the secretary of homeland security is in charge and would execute her will through things like cyber security and communications. so under hspd 5 and 7 -- sorry, throwing jargon out. homeland security presidential directive 5 and 7, one of which deals with incident management, the other deals with critical infrastructure, those responsibilities are given to her. so she would be driving the
6:46 pm
response, the domestic response to the incident. in a thing like the power grid, obviously other key agencies like the department of energy are going to be involved. and on hospitals, health and human services. so we'll have a cross-government response plan process that will work under existing authorities. like there is a cyber incident annex to the national response framework. so there are existing policies and plans for working through these which we are enhancing in the national cyber incident response process. we just answered the rest of the question. you also asked about the d.o.d. so d.o.d. is responsible for defending its own network and for things like military activities. those lie within its sphere of control. between those two entities we collaborate on a very strong level. we work together regularly. we have several people on staff that are detailed from the department of defense that we've built that partnership out. and they have a considerable technical capability on
6:47 pm
which we can rely also. so that partnership is existing and would be exercised appropriately. >> would you all be in the white house situation room monitoring what's going on with the electric power grid and the hospitals and the transportation system in a crisis like this? >> well, i can guarantee you that if there were a significant cyber incident that were affecting power and health i.t. there would be meetings in the white house situation room. there would be a lot of coordination across government that would be taking place and decisions being made in that forum. there would also be operational activity that would be coordinated out of the department of homeland security. >> this our guest is philip reitinger of the department of homeland security where he serves as deputy undersecretary of national protection, ellen nakashima reports on national security issues for the "washington post." mr. reitinger, you talked about some of these threats
6:48 pm
and ellen gave an example of what could happen. but where do these threats come from? >> threats come -- let's say attacks. threats, events, attacks, they come from everywhere. one of the key points about cyber space is attribution is actually very -- attribution is very difficult. back when i was a prosecutor that used to be sort of my business. about defense and not about attribution. but trying to find the trail of bread crumbs back to the ultimate source that's hacked these are very difficult. people are anonymous online. a hacker can go through multiple systems. so if he or she wants to break into a particular government computer they're going to first break into a university computer for example and then go through perhaps a couple of private computers, maybe even some individuals' home computer, before launching an attempt to intrude into and get access to that government computer. and they'll have the
6:49 pm
capability to go back because they have what we would call root control, total control over any of those systems most likely to erase any of the data on it. so following that trail back and finding out who's responsible can be very difficult, as shown by the continuing difficulty that law enforcement has in bringing cyber criminals to bear, despite significant efforts. we've had a lot of successes, but it's very hard to catch and prosecute cyber criminals. >> well, a lot of reporting suggests, and ellen has written about this, a lot of reporting suggests that a lot of these threats come from north korea, china and russia and from government entities in those countries. >> the threats cover the full spectrum from nation states down to run of the mill hackers. what i can say about this is they've gotten more significant over time. the quality of attack is going up not only because the best are getting better but at least because at least in the middle they're
6:50 pm
writing simple tools. that's one thing that's nice about i.t., right? you don't have to be an expert editor to produce a high-quality photograph now. you can get plenty of software packages on multiple platforms that will let you produce a really high quality pro. fuelly you can do the same thing for computer hacking. hackers write graphical user interface tools that let you write your own virus that are very sophisticated that will let you get access to things. so the really really poor hackers, what we used to call and still do to some extent script kiddies, right, because they used to run script. now a script kiddie can be a very serious hacker simply by using a tool that someone else wrote for him or her. those are available online. >> steven chabinsky of the f.b.i. testified last fall that f.b.i. was looking into terrorist groups like al-qaida who are interested in obtaining these tools.
6:51 pm
how worried are you about that possibility and that threat now? how good have they gotten at hacking? >> i'm very worried about the full spectrum. i mean, obviously we have to be most concerned about people who want to get access to the most valuable information or might want to cause the highest degree of harm. so we've got to pay a lot of attention to that. >> how much of a threat is al-qaida today in that sense? >> i think they are developing capabilities across the board. certainly the threat level i think of actors across the board is increasing. we've just got to keep an eye on it. >> ok. mr. reitinger, you talked a little bit about stove pipes. has that decreased over the last couple of years? is more information being shared? or has d.h.s. been integrated more into the whole system? >> the level of stove pipes are certainly decreasing. it remains true that
6:52 pm
information sharing is hard. because there are risks anytime you share newscast between government and between government and the private sector. so we've got to continue to do our best to remove barriers. so part of that is continuing to reduce the technical barriers, making sure that the only reasons we don't share information are based on policy as opposed to technology. so it can't just be it's too hard for me to give you this data. it's i either don't want to share it for a real reason, or i can't share it for a legal reason. and we're moving forward. all of that is happening. i think that there is a high degree of willingness across government and a high degree -- high increasing degree of actual sharing across government to make sure people get the information they need.
6:53 pm
the transition from need to know to need to share is significantly underway. there's still a lot of barriers that we have to work through with the private sector. people in the private sector actively want to partner with government because if for no other reason it's in their interest to make sure that their country and their countries -- because it's an international private sector -- basically they depend on this network of network's core value besides having the people who work for them live in the united states and other countries. so they want to address the issue. we are continuing to build out the mechanisms that will let us work more effectively. i mentioned sort of the financial services pilot. there are other activities that we're engaged in with the private sector to continue to improve our ability to both share information and receive information from them. so the stove pipes are decreasing. but i'd be the last one to tell you that that problem has been solved. >> all right. you might want to tell our audience what some of those
6:54 pm
mechanisms are. my understanding is that private sector -- there's an issue of trust. they're often not wanting to share information with the government that they think might be either released again publicly through foia or used against them, maybe harm them in an acquisition or might lead to prosecution. >> of course. it's somewhat fact dependent but there are a lot of mechanisms both to protect information and to share information. so companies share information when there's a return on investment for them. so that doesn't mean they want to sell information, it means that it's got to be mutual. a company will bear risk by sharing information so you want to get something back. so sharing information back on a classified or unclassified level is an important incentive to set up those sorts of efforts. and there are lots of different ways we're moving
6:55 pm
forward to continue to enhance this effort. there are long-running information exchanges such as the nsie, the network security information exchange, which has been run under the national communications system that brings together companies and government to share information on a very collaborative basis. bound tightly by agreements that say we're only going to use this for appropriate purposes. we have other mechanisms that will protect information shared from the private sector. but particularly the pcii or protected critical infrastructure information program that itself provides an exemption from further disclosure and limits use of information voluntarily provided by the private sector. we also work through mechanisms that can provide assurance through the private sector that information will be used appropriately. for example, the information-sharing pilot we're doing with the financial services sector
6:56 pm
now, we're working through an information sharing and analysis center which were a number of centers set up by sectors to work more directly operationally with the u.s. government. so the financial services sector is sharing information under that program with the u.s. government through the fs-isac which provides some degree of anonymization and still gets the government information about what's happening and we can pass the information through the secretary to them. >> let me move onto the privacy issue for a moment. when we ask privacy advocates what they fear most about government efforts and cyber security they say it's government monitoring of purely private communications where the government is not a party to one end. do you agree that that should be a bright line? can you rule out government monitoring of private communications? >> well, i can't. because in law enforcement -- >> i'm sorry. purely private communications and outside
6:57 pm
obviously of the law enforcement or espionage crime where you have a warrant or a court order. >> so i mean, that's an important line to draw. because obviously privacy is essential. and one of the things we need to do in this eco-system of the future is protect privacy as we protect security and build competitiveness. but there will be cases where under appropriate legal rules one needs to monitor a private communication. so for example when law enforcement is investigating criminal activity, they get a warrant. they get a title 3. or they can get a court order to get access to stored communication. >> but this is where the whole issue gets fuzzy, right, between cyber security and surveillance. because often it's the same tools or sorts of tools that can be used for both. and i guess from the privacy community's perspective, it's hard to know without more transparency or stronger oversight when
6:58 pm
you're using the tool for one purpose as opposed to another. >> so i would say i think two things in regard to that. the first is that when we build out -- when we're building information assurance mechanisms that involves monitoring as we need to do -- for example if you've got intrusion detection system, we're deploying that under our einstein 2 program so it's an array of intrusion detection sensors that are being deployed to provide detection for communications going to or from federal government entities. you actually have to look at those communications to say, you know, to look for specific indicators of an attack. so if you want to detect an incoming attack you actually have to look to see if that signature, if the indicators of that attack are present. that doesn't mean a person is looking at it. it means that a machine is looking for a signature. much like a person would run antivirus software on their home computer that would
6:59 pm
look for those sorts of things. so our purpose in engaging or prevention capabilities, we are information assurance professionals. so that's the purpose limitations. the second thing is, we are striving for or we build in the right privacy protections from the very start. it is essential to us, the department of homeland security, that we include protections for privacy. so with regard to the people that do this information assurance work that you assert, they get regular privacy-related training. we've developed processes and procedures in terms of -- that limit our use of information, how we handle the information, what our actual activities are. and those are reviewed by both our chief privacy officer and her office and the office of compliance within c.s.c. we work with the department of justice to make suret
