
The Communicators, C-SPAN, March 3, 2012, 6:30pm-7:00pm EST

6:30 pm
Off the floor, senators work on a bill to overhaul the country's cyber security framework and protect critical infrastructure. You can watch live House coverage on C-SPAN and live Senate coverage on C-SPAN 2.

>> This week on "The Communicators," a look at cyber security with two business executives involved in guarding cyber systems.

>> Now we want to introduce you to Robert Dix, vice president of Juniper Networks. Recently, Mr. Dix, you testified at a House hearing on cyber security. What was your message to the members of the Energy and Commerce subcommittee?

>> It's really important that, at the time of the challenge we're facing in cyber security, we maintain an environment that facilitates investment and innovation and doesn't do anything to confine the ability of the private sector, which owns
6:31 pm
and operates the majority of networks upon which all critical infrastructure and most of the things we've come to rely on in our daily lives depend, from having their attention directed away from being nimble, agile and fast to respond to this challenge as it continues to grow.

>> Is that in direct reference to the White House plan that was introduced last year on cyber security, which puts emphasis on D.H.S.?

>> It certainly responds to the parameters that have been outlined in the legislative initiatives we've seen.

>> Do you expect cyber security legislation to move through the Congress this year?

>> Well, my crystal ball is a little cloudy about that. I have reason to believe that there will be a legislative initiative introduced on the Senate side. Not sure what it will look like yet. I believe there may be some pieces of legislation introduced on the House side. Not entirely sure what that looks like yet.
6:32 pm
What's really important here is that we're having a dialogue in a different way than in the past, trying to drive towards adding arrows to the quiver to help us fight this fight. We may not always agree on that path forward, but having this dialogue and finding our common ground is extremely important at the time that the adversaries are getting more sophisticated.

>> Mr. Dix, what is Juniper Networks, and how would cyber security legislation affect your company?

>> We are one of the world's leaders in trusted high performance network and security solutions. We are a hardware and software manufacturer. We are involved in data center and virtualization and mobile security, so we span the spectrum of offerings in this space. One of our successes has been that we invest heavily in research and development to drive innovation. We have operations around the world, but we believe innovation is the answer to meeting the challenges of the future. Computing, storage and networking is changing as we know it, and it's changing
6:33 pm
rapidly. The only way we're going to be able to respond to that and be able to address the challenges associated with that is to innovate. So we have believed in that, and we worry a little bit about anything that may have an unintended consequence of constraining our ability to innovate or taking our eye off the ball of the mission.

>> And also joining us is Gautham Nagesh with C.T. Technology.

>> Mr. Dix, the number one question for a lot of Americans unfamiliar with this issue is how serious is the threat when we talk about cyber security. Specifically, how far are we from an attack that could either cause significant physical damage or cripple our nation's economy in some way?

>> We always have to be vigilant. The one thing I want to remind everyone, including our viewers today, is that even in recent risk assessments conducted across the I.T. and
6:34 pm
sectors, we have demonstrated that the networks we rely on today are resilient. That doesn't mean they're not subject to attack, but we are resilient. We have built networks that can respond, and we do respond. Folks read a lot of the press about some of the high-profile breaches we've had. What they don't read too much about is the hundreds of thousands of exploit attempts we repel every day because we have made these kinds of investments I talked about earlier. What really needs to happen is we need to raise the level of awareness and the consciousness of the American people, from home users to small businesses to the academic community and non-profits all the way to large enterprises, about how to better protect themselves in cyberspace.

>> You talk about deflected attacks, and that's clearly true. We've seen numbers that thousands, if not millions, of attacks are made on U.S. networks every year, but it's also fair to say that it's how many get through.
6:35 pm
An attack could be enough to cause massive damage. The question is, are we at a place where a cyber attack could result in the loss of lives or perhaps billions of dollars of damage to our economy?

>> I always worry about that risk. I would like to believe that the resilient nature of that would be a deterrent. However, the adversaries we're dealing with today are more committed, better resourced and becoming more sophisticated, so we talk about the advanced persistent threat. I worry about that, and I worry about whether or not we are actually paying sufficient attention to that. But let's remember this: point of entry -- this is what we don't talk enough about -- the point of entry oftentimes is at the very low level. So botnets, for example, are the result of home computers overtaken by the adversary because of poor or lack of hygiene on those units, because people don't know how to protect themselves. Small businesses are ripe victims for getting into the
6:36 pm
supply chain, for example. We have to take care of raising the bar, and cyber hygiene is one of the ways to do that. That's 80% of the issue. The other 20% is tougher and more sophisticated. There are extraordinary efforts underway with the public and private sector working together to address more sophisticated threats.

>> On the 80% issue, we've seen a campaign on the part of Congress to raise awareness of cyber security as an issue, to make Americans aware that they need to safeguard their information. We've also seen rather heated rhetoric behind this issue, talk of a cyber 9/11 behind one of the sponsors from the Senate cyber security bill. How do you -- that rhetoric seems a little out of line with the threat you're laying out for us today. How do you reconcile the two?

>> There's a lot of hype around this issue, and some people are driving a particular agenda, and that's fine. I don't want to minimize the risk here, but this is about managing risk. We can't protect everything all the time. Right now, I don't believe we're
6:37 pm
doing a very good job of the basic blocking and tackling of cyber hygiene, of education awareness, of creating operational ability to improve on detection and mitigation. Today we spend time and resources around response and recovery. We need to build the capability with government and with industry to create something like a National Weather Service or Centers for Disease Control, where we have a nerve center with the pulse of what's going on on networks in a steady state and during points of escalation. We have the ability to do that, but we have policy issues in the way, legal issues in the way. It's not a technology issue. So I think that we need to have a different dialogue around what are some impediments to creating an educational ability, a sustained awareness campaign, what are the law enforcement tools we need that we don't have today, and what are the ways we might leverage government procurement activity to drive changes in behavior.

>> Mr. Dix, how is it that the
6:38 pm
role of D.H.S. as proposed in the Obama cyber security plan, how does that impede what you think should be the goal?

>> So, as an example, that's a recommendation in the legislative initiative which in and of itself is not clearly defined as to what would qualify or not qualify in infrastructure and leaves it to the discretion of the Secretary of Homeland Security to determine that. And it talks about the establishment of cyber security performance requirements. It talks about an annual certification process. It talks about third-party assessments to validate that the presumed covered critical infrastructure is meeting the performance measures of those requirements. All of that takes time. Just building the performance requirements and building the compliance model, the regulatory regime as I refer to it, takes time, and by the time that's complete, the risk has changed so much. It's very dynamic, so probably
6:39 pm
whatever comes out of that is old news. We need to be nimble, fast and agile in responding to that, which means we need to facilitate greater innovation, the ability of the private sector to have access to threat intelligence information and to the risk landscape, and break down some of the barriers we have had that impede our ability to collaborate better.

>> In your congressional testimony, you said it is imperative that all of us acknowledge that cyber security is truly a shared responsibility and that managing risk will require a true collaborative approach between government and the private sector. The private sector owns and drives the majority of the innovation and also owns and operates the majority of our nation's critical infrastructure. That's why -- correct, and it's essential we are at the table and engaged in this dialogue with our counterparts in government, and that's happening in some places. We have a framework under the National Infrastructure Protection Plan that allows government and industry to work together through sector
6:40 pm
coordinating councils across the 18 sectors, through information sharing centers that are sharing threat and vulnerability information. We need to leverage those relationships we have built and invested time and resources in over the period of their existence and utilize them to the nation's best interests.

>> Mr. Dix, you spoke about the need for information sharing, and there appears to be bipartisan agreement on that issue; we're likely to see some legislation move in the House in the near future. However, speaking to the D.H.S. portion proposed in the White House and Senate plan, what do you propose beyond information sharing be substituted for audits or regulation? In other words, how can the federal government be sure that critical parts of the infrastructure are being protected without implementing some sort of regulation?

>> So there are parts of the Senate bill that I think have merit. There is a section that talks about a sector-by-sector risk
6:41 pm
assessment. I have firsthand knowledge of work done in the information technology and communication technology sectors to conduct such assessments, utilizing recognized methodologies and attack processes to identify high-risk activities that need to be identified. It's more about functions than assets, but all 18 sectors of the critical infrastructure community have been engaged in risk assessment. So working with government partners in a collaborative way to look at those risk assessments, identify what are the protective measures we can recommend across the members of those sectors, and where are those gaps that require research and development? These are the kinds of things we can be doing together, and I like that piece of the bill. It talks to the broader range of risk we need to try to manage without drilling down and telling individual companies the things they need to do to manage risk in their own environments.
6:42 pm
>> Under that suggestion, if a company were to have gaps in their protection identified and weren't able to address it, either from cost issues, which have been cited by industry, or other reasons, what can the government do? Essentially, should it be up to the company to leave their systems open to attack if they decide that the risk doesn't outweigh the cost?

>> Let's remember these companies want to stay in business, and staying in business depends on a reputation, and reputation includes the ability to be secure, so companies will make those kinds of investments. In some cases, particularly small business, they oftentimes don't know what they should be investing in and what are low-cost or no-cost items they can do to improve their protection profile. The Small Business Administration can be engaged to help us. The Internal Revenue Service has engagement with citizens all the time. There are lots of things we can do together.

>> Mr. Dix, in your testimony, you write, "In today's
6:43 pm
increasingly connected world, the move to cloud computing and the explosion in the use and proliferation of mobile devices and applications mean that we must be able to rely on the resilience of the network more than ever." Does this change the equation, with the expanding use of the cloud and also the mobile proliferation?

>> It's a perfect example of what I was talking about. The technology is moving rapidly, and every time the technology changes, the adversary changes their modus operandi to take advantage of that, so we need to be nimble and fast. The cloud and the virtualization and use of data is responding to the demands of the users. The increase in data, video, voice is demanding that we have this virtualized capability that is the next iteration. As I mentioned earlier, computing, storage and networking is changing to be able to deal with the scale and the requirements of the big data, so
6:44 pm
we need to protect it. Actually, I think that we have a great opportunity with cloud to be able to be more secure, and this is what we need to be able to innovate and stay ahead of, and not spend our time, resources and attention on complying with a regulatory regime.

>> Does this issue stop at our nation's borders, and could more regulations, in your view, make us less economically competitive?

>> That's part of the problem: this really is an economic issue, and it's about U.S. competitiveness. No, it doesn't stop at the border. This is a borderless, global challenge, and U.S.-based companies dealing around the world have to deal with laws and regulations and requirements of other countries as well, and we need to be cognizant of that in whatever steps we take and make sure that we're thinking of that in the global context.

>> Coming up next on "The Communicators," we're going to talk with Bill Conner, president and C.E.O. of a company called
6:45 pm
Entrust. Now on your screen is Bill Conner, president and C.E.O. of a Dallas-based company called Entrust. What is Entrust, and what do you do?

>> We're a software security company that focuses on protecting digital identities and digital information, so about half our business is with governments around the world. So everything from your U.S. passport or U.K. passport has our technology in it to protect your personal information, to some of the next generation passports in Europe and other places that have biometrics. Here in Washington is an example: if you're a government employee, your access card under HSPD-12 uses our technology to protect that and enable it. And banks use it for secure email to clients and content, as well as fraud detection or fraud prevention, which is what I was talking about in the committee meeting.

>> You testified at a cyber
6:46 pm
security hearing today, and what was your message to members of Congress?

>> What we were trying to do is make it simple. Cyber security is complex, hard to see until you see the money leave your account if you're a small business, especially, and the question is, what do you do and what is it and what can I do? What I wanted to provide is a real example, which is a man-in-the-browser Zeus SpyEye attack crippling small business. So I explained how it happens and what small businesses can do with technology available today to get behind that, and what they need to ask their banks to do to protect them in terms of it, and then we went wider with what are the issues in public-private sharing. I co-chaired the public-private partnership at D.H.S., so we'll experience straps on the back in terms of that experience.

>> The Obama administration came out with a cyber security proposal last year.
6:47 pm
Congress is now looking at actual legislation. What is it about that proposal that you agree with? Where do you disagree?

>> Well, I won't talk about Obama itself; let's talk about all -- there's lots of legislation. The issue is, we need to do more, and it needs to be focused, and it starts with, you know, this is an identity issue. Governments give you your best government-protected identities. We have to take it and make it useful for businesses and how they use that. Second, in public-private sharing, when I co-chaired the task force on this, you can't share information. I'm a security company that most of the government and the U.S. uses for protection. When I talk to the people that work on cyber threats and those pieces, it's a one-way dialogue legally. I can give them information, but they can't give me information because of the competitive nature and antitrust and all
6:48 pm
that. When I work with compadres, C.E.O.s and other companies on the private side, all C.E.O.s and presidents can be in agreement until you get the legal team in, and then the minute you guys do something, you kind of got all kinds of antitrust issues and, more importantly, then you're raising a different standard, be it criminal or civil, of whatever you do that's not out in the standards body regulation or legal framework.

>> Also joining us is Gautham Nagesh, editor of C.Q.'s technology briefing. Mr. Nagesh?

>> Thank you. You spoke about the need or the result of cooperation being that you're setting a new standard. Who should be in charge of setting that standard? We've seen debate on this.

>> That's one of the real issues, right, and is it a U.S.-only standard or not? If you look at -- I think you got to be careful to go by what
6:49 pm
sector you're involved with. Passports, there is a global standards group, and it's ICAO, and they do a great job in terms of first generation digital passports, and let's leave that as a global standard. As you come to the U.S., you have a plethora of standards, some created and embraced and some that are developed by industries on their own that are de facto standards. And I think NIST has a role to play in helping us say, what is the floor to what is acceptable in terms of encryption or protection of data, as well as what's the policy, procedures behind how you use it.

>> Of course, setting the floor itself is the base of the controversy.

>> Correct.

>> Do you believe that it's necessary for the government to establish a baseline?

>> Yeah, I do, I really do. And let me tell you why. Today, if you want to -- if you look at one of the most significant pieces of legislation that brought security to the forefront, it was California 1386.
6:50 pm
Unfortunately, we have 40-plus states with their own legislation and laws in place, but it said, if you encrypted and protected data, you had a carrot and a stick. If you had done that, you didn't have to disclose it, and you were protected from class action. If you hadn't, the stick was, you're subject to notification and brief and a fine in terms of it in class action. That certainly gets a C.E.O.'s attention in the private world. The problem with that is there's over 200-plus encryption standards, some of which might not be useful to our country or the good guys, forget our country at this point. Whose encryption you're using and how you use it and protect it are critically important. I don't think people want to do the wrong thing, but it's the
6:51 pm
availability of picking up things you think are good but are not. You need to have someone helping the industry understand what that floor is.

>> Of course, we saw some of this difficulty in terms of compliance and standards getting outdated with the Federal Information Security Management, which is also part of the reform proposals from both sides. But the question is, then, how do you effectively set these standards, these baselines, in such a dynamic sector where things are changing so quickly, faster than the government?

>> I think that's why I go over the minimum, because I think minimums change a lot less, but if you get them too nebulous, they have no meaning. In Washington it's popular to want to create a cyber security organization to oversee this, and I think that's just folly, and the reason I think it's folly is, having done this before, energy and grid and nuclear are very different than financial infrastructure, than telecom,
6:52 pm
where I grew up, than health, in terms of the information, how the businesses work, the information that's trying to be attacked, and the ultimate risk or liability in terms of the company and the country and the individual. And so -- I look at the Joint Forces advisory board where I serve. I think that's a great model. Joint Forces, you still have Army, Air Force, Marines, Coast Guard, and they all have what they're supposed to do best. Joint Forces were to sit and coordinate and look across it, and the best people and some of the money got carved into that. That doesn't mean I ask D.H.S. or N.S.A. to know more about it than Energy, who already have the information and processes and priorities you need to do. We need to give them the money, give them the resources, and say take 10% of that and force it between public and private in a
6:53 pm
not just with I.S.P.s, because, here I sit as someone who's supposed to be securing the internet, carriers; at the end it's not about an I.P. address anymore. That's what's getting knocked off. You got to get into the businesses of what's at risk and how do you deal with that at that level.

>> In your testimony at the hearing today, Mr. Conner, you said, "What we face is a threatening cyber environment where warfare is being perpetrated by foreign governments, international crime rings and common thieves in the U.S. It takes everyone, government, organization, small business, working together to defeat these forces," and then you go on to talk about Moore's law. And we'd been talking about standards and procedures. Are we outdated as soon as we form these standards and procedures?
6:54 pm
>> Standards, by definition, are always going to be lagging because someone will get advantage on the good or the bad by either being pre or post them, and I don't know that's the issue. You still need standards, and you still need a floor to say this is how you operate. I think the difference is, if you allow people to innovate and people like us to do what we do best and take off some of the shackles and share really meaningful content -- not just within the U.S. I mean, we've got five intelligence groups around the world that will coordinate. You look at defense today, they share some stuff publicly with their companies, they share other stuff not publicly, and they share it across borders with other M.O.D.s around the world. Cyber security has to mature the way it did with air, land and sea. The next battlefront is where we have to take some of the lessons
6:55 pm
and reapply it to a digital age instead of a brick, mortar, bullets and missiles world.

>> What level of interest would you say members of Congress have in this issue, and what level of comprehension?

>> That's a great question. 11 years of dealing with this subject and being one of the first ones, I saw Goodlot, the more than after Bush spoke to the joint sessions, I and Goodlot spoke on the need to look at cyber, and I spoke at NATO, and I look at that today and say, we're still talking. We've made great strides and great progress, and this is not something like Year 2000, where it's dealt with once and we're done. It's more like quality. If you look in the last 10 years at the amount of time I spent
6:56 pm
personally, not for profit, on this subject, it's trying to get a lexicon and an understanding just like Deming did with quality. So I think that lexicon and governance in companies and in governments is way better than it's ever been, but on the corollary, country states and criminal intent, organized crime people, also understand that they can make money at that ambiguity, and that's the pace that they're at in terms of that. But I hear stuff like today, when people say, oh, the cost of security is too great. What I said today, that's what I heard in quality. Well, what is the cost? Is it really the cost to do it once and keep it up, or is it the total cost when it doesn't work? When people started with quality, it was, oh, it's a process and it's too costly, I don't understand it, let's not do it. But the government was
6:57 pm
pretty effective in using quality in the bully pulpit and got it, got the lexicon, and saw it was cheaper in the total cost of ownership in terms of that. And I think cyber security and all of us have to kind of learn this is good for us. It can be a brand differentiator, and the total cost of not being secure, for those who are now breached as an individual or small business or a company, you quickly understand the cost of not being secure. As you heard today, from the question of Congressman Rogers, there's companies even in security that are out of business today because they were breached. So I think that's the message that we've got to keep focused on: it's not going to go away overnight. What are the things we can do, and take that and hopefully up the pace a bit.

>> We have time for one more question. Gautham Nagesh?

>> I think you did just touch upon one of the roots of this debate, which is that critical infrastructure providers are saying it costs them too much to
6:58 pm
implement the latest technology or take necessary precautions. How do you, as a security expert, evaluate that argument given the potential for catastrophic damage?

>> I think it's how you define cost. Economists are going to define it one way, operating guys another. And if you define it as my up-front cost to fix everything, it's a big number. But I would offer to you a lot of what they're spending today is not even relevant; they could cut their cost and be more relevant by using some of the later technologies that could be used to protect their infrastructures.

>> So it's, in your view, long term versus short term.

>> Absolutely, correct.

>> We have been talking with Bill Conner, president and C.E.O. of Entrust. Mr. Conner, thank you for coming to The Communicators studio. Gautham Nagesh of C.Q., as well. This program, as well as the hearing we have been discussing on cyber security, is available
6:59 pm
to watch online at c-span.org. The hearing was held on February 8, 2012, and you can search for it in our video library there.

[captions performed by national captioning institute] [captions copyright national cable satellite corp. 2012]

>> The American Israel Public Affairs Committee kicks off its annual policy conference here in D.C. tomorrow. Beginning at 10:30 Eastern, we'll have live coverage of remarks by President Obama and Israeli President Shimon Peres. And Monday at 9:30, remarks from Benjamin Netanyahu, Mitch McConnell and Nancy Pelosi on C-SPAN 2. Housing Secretary Shaun Donovan Thursday said the Federal Housing Administration will be able to meet its requirements for the fund it uses to back its portfolio of government-backed home mortgages. The fund,
