what he is getting at is a growing republican talking point and concerned. -- concern. it is one they are bringing up, that they want to draft these changes to federal policy when it comes to guns, but the current federal policy has not been properly enforced. republicans especially in the house certainly made an issue about the serious scandal involving the atf. there was concerned about the guns slipping into mexico or some american cities. i could see conceivably at least on the house side, hearings to reveal what the justice department has or has not done in recent years and score some assurances that they will try to up those prosecutions. >> all of the discussion with the chairman was on gun ownership regulation. what about high-capacity magazines? >> that is a big unknown. this is a big week in the senate where they will start to decide which of these proposals that have been put forth will

receive a vote. there is one that would limit the size of ammunition clips. it is unclear whether that will get a vote in committee or whether he will have to bring that to the senate under regular order. national polling suggests that americans are behind it. we will wait and have to see if there is enough pull in the senate. >> thank you, gentlemen. [captioning performed by the national captioning institute] [captions copyright national cable satellite corp. 2013] >> both chambers of congress return on monday. the house cables back in at 2:00 pm for legislative business. -- gavels back in at 2:00 p.m. for legislative business. live coverage of the house here on c-span. the senate devils in at two gavels in at 2:00.

on this week's agenda, the confirmation vote for nor secretary chuck hagel, and sequestration. lefcourt of the senate when returns on c-span2. -- live coverage of the senate when it returns on c-span2. this meeting focused on cyber threats and the strategies and state governments can use to respond to them as well as prevent them. among the speakers, richard clarke, and the chief information security officer for the shoe company, zap those -- zappo's. >> good afternoon.i am governor

brian sandoval. this meeting is called to order. thank you for joining us. the books were sent to governors in advance and include the agenda and background information. the proceedings are open to the press and all attendees. if you all please take a moment to ensure that your cell phones and other electronic devices are silenced. i would like to compliment governor o'malley. it is a privilege and an honor to serve with you, sir. before moving on to state and cyber security, we will begin with an executive briefing on the nationwide safety of a broadband network. last year congress passed legislation to reallocate the radio spectrum to public safety and provide $7 billion to fund construction of the first

inoperable broadband network for public safety. this is intended to modernize communications by giving first responders reliable access to broadband technologies like video and e-mail. this also established the first responder network authority to oversee the construction and maintenance of the nationwide network. as they continue to develop and construct a nationwide network, the governors will be required to make the decision of whether to move forward or to offset out -- opt out and construct their own network that meet the requirements for an interoperability. mr. ginn has worked here for more than four decades.

beginning in 1960 as an engineer with at&t. he went on to serve as chairman from 1988 to 1984.he was chairman of airtouch until 1999 . he is currently a senior adviser at green hill and has served on several boards. he will be providing an overview of the conceptual design.he will provide overview of rfirstnet's activities to date. we will also discuss how they intend to engage was state to ensure the nationwide network is a success.

he's also joined here today by several other members in our audience.mr. craig farrell, also acting as firstnet general manager. fire chief jeff johnson. new york city deputy chuck spoke to the governors about the importance of this meeting. mr. ginn, we are pleased to have you be here to discuss plans for the network and how states can work together to ensure the success. >> thank you. it is a real pleasure to be here. i would like to think nga,-- thank nga, heather, and her staff and all of the governors to worse on the -- who worked on the passing

of this legislation. it actually allocated $7 billion so that we can engineer a nationwide network that is interoperable, secure, reliable, and most of all, local control. if you think conceptually about what we're trying to do here, we are trying to put wifi across your entire state and then you can plug in the capabilities you want and the degree to which you want them and the amount you want them to run your state. it is important to say this. the first question we typically get is this is going to be a nationwide network and we will lose local control and we will not be able to run our own operations.

that is that conceptually what-- not conceptually what we are talking about here. that is the only way you can get interoperability not only from police to fire to emergency to medical but across state lines. if you send a crew from my home state of alabama to colorado to fight a forest fire, you want the instrument they take with them. the communication systems to be able to work when they get to the colorado fire. interoperability, this takes on a new term here. to do this we are going to need your help and your cooperation.

we have a significant outreach program that we're putting in place that asks you to appoint a state coordinator. we are going to come out and make a number of visits to your state. it is very important that we understand the facilities that you have and the requirement that you want so we can take those back and feed them into a national architecture. when you think about it, this is the largest telecommunications projects in the history of the united states. it is going to cover every square meter of land in the united states. it is going to be able to penetrate the basement of manhattan and cover the forest fires in sierra nevada.

we have an enormous challenge before us here to construct this network. you have to be a part of it. you have to make sure that we understand what your boots are-- needs are and we can construct the system to meet your needs. i need to say a word about the board. i could say it is a wonderful combination of people from public safety and private equity. -- industry. on the technical side, you can have confidence in our technical capability. we have people that have built a wireless systems all across the united states.they have built systems in spain, italy, japan, korea, and india.

and probably a few that i have forgotten. i want you to have confidence that we have the technical expertise to deliver this system to you. what you need to do for us is make sure we understand your needs. another point i would like to make is one that may be not so obvious. this system is transformational. you have been pushing for voice transformations. -- ben oen operating with push-to-talk transforatmations. what we are going to do is put a massive data capability right at the public service working level. what that will do is allow you to develop services that will lower the cost and answer your customers better. -- and serve your customers better.

let me give you a simple example of a situation in california that happened a few months ago. it was a fire chief in a restaurant. a person had a heart attack and died in the same restaurant. had he known about it he felt he may be could have saved a life. he went back to his cpr classe, and he asked the civilian volunteers if they would volunteer to let a dispatcher know of the location so that when another call comes in the dispatcher can look up and call the closest person to the heart attack victim and essentially have a better chance of saving their lives. that is a simple application. my prediction to you is that a decade from now you will have thousands of those applications and that it in your public

safety experience. it will transform how you've served your citizens, the cost structure, and the service capability. i encourage all of you to work with us, be our partner, help us define the requirements of this system. we know how to architect it. we know how to build it. do ill do will a good job. thank you, governor, for this opportunity. >> do you have any questions on firstnet? this was a big win for this organization. democratic and republican governors came together with our organizations, law enforcement, and first responders to make

sure this was reserved for first responders so we could finally build out this. >> thank you for this and for the panel you have convened. governor o-malley, governor sandoval, as i understand, $7 billion, has that been appropriated or are we using a different spectrum to borrow money to get the $7 billion? does it cover the cost? can you give us the time frames. in terms of this, it would be a key component to have a sitting governor on the committee. >> i would do the first part.

in response to the funding, the legislation that reallocatedthis did so through spectrum auction proceeds. it is not a new revenue. it is going to be auctions conducted by the federal communications commission. the proceeds will be provided as having been a dedicated specifically to fund the nationwide network. there may be additional funds. $7 billion is currently earmarked. >> they also directed treasury to loan us $2 billion to get the project started until the options came to take place. -- optoinsions could take place. >> are we selling part of that d

block? but what are we taking from this? >> is a totally different sections. it is other spectrums that will be auctioned for commercial purposes. >> in terms of representation, although it is not a bad idea, i appreciate the outrage you're asking for. -- outreach you're asking for. i think that is your request of us today. how do we stay involved in terms of governors? >> the board appointments are made by the department of commerce. the next time there will be a couple of openings, they are one, two, or three years.ther wie will be aopportunities to he new board appointments made in august.

this is something that is dependent upon the department of congress. we do not have a current or former governor on that. what we have done is to advocate with the board. they have been happy to work with us. we are on the executive committee for the public safety advisory committee. nga holds one of the vice chair seats. >> just to follow up, it would be great to have a governor on the board. in terms of timing, what is happening in the next year? is it a three-year plan? give me a sense of where this is going, the timing of the state to present grant requests.the grant requests, are they paid up front or is it half now or half later? >> the grants are handled by ntia. you will be getting funds to organize with in your state to

communicate. -- communicate with firstnet. this has been an interesting experience. i am at a commercial guy. i am not accustomed to working in the government world. it is an interesting experience. we started out with a board of mployees. but no eomploye no strategic plan and no management systems, nothing. we have been in existence for four or five months now. we're beginning to put those structures in place. we are coming on very nicely. we have the technical expertise to get this done. the other thing i want to mention is conceptually we are a company with a board of directors owned by the government with some

independence to build the system. i think that is important. i think you are right. the board of directors are in a position to greatly influence this. we are developing requirements. we have a basically architected the system. we know what it will look like and now we need to build in the pieces. we should be able to do that within the first year. >> thank you. thank you for that. i think there is a lot to this. i think heather will have to see how we can be actively involved. the expense looks extraordinary to me, especially in wyoming, which is one of the most rural states in terms of our population and land mass. --

versus our land mass. when we talked about opt in or opt out, when gov. o'malley worked on the d block issue, and the concept is very important. the details will be important. >> you do not hear me say our-- you hear me say that our objective is to cover every square plans. it is 65% or 70%.we are taking on the responsibility to cover every square meter. >> if you can do that in wyoming, you're making tracks that have not been made before. it is going to be a challenge. >> we may do that by satellite. >> thank you. any more questions?

will the state and local authorities have control over this in their state? >> that is part of the criteria. >> this is another part, it because of broadband services will be less than the current ones? >> there is no reason why they should not be. the couple of reasons why you probably pay 5x.-- why. if you buy locally now, you probably pay 5x. we will have failed if we do not build this cheaper than you can build it.

>> as we are building this out, there will still be the expenses that state and local governments have to come with the dollars in order to build up their own. i hope there's some accommodation. if we are going to control this with in the local and state, i hope you'll give us the capacity to give us priority to give us the preempt and allow us toraise dollars at the local level so we can invest. >> could be individual states to do that better in negotiation with at&t or sprint or verizon @? could we cut a better deal nationwide? >> you want to put the savings back into this structure. --

pricing structure. >> which then goes back to the fact we should have a governor on the panel.>> on behalf of my colleagues, territories are included. she said puerto rico was included. thank you. >> and puerto rico. rico. purteo rio >> thank you. [laughter]>> anything else? thank you very much. thank you for your comment.

we should consider sending out another letter. this will be an issue in terms of maximizing the value of this and whether it becomes something that is intercepted by the governments, whether we actually have it so we can in chief-- achieve interoperability among our first responders. let's move into the next topic which is going to be the balance of this meeting. we're also joined from the governor of arizona and we think her work on these issues. -- by the governor of arizona, and we thank her for her work on these issues. we have a number of distinguished presenters here he will be talking to us about the cyber security imperative that we face as a nation and as a state. last month janet napolitano

warned that a cyber 9/11 could happen at any moment with the potential to cripple our nation's technical bridge. -- electricla gal grids and informn networks. there have been attacks on cyber networks that have increased the frequency, that have increase in their sophistication and have the potential to inflict more serious damage on our serious infrastructure such as our water treatment facilities and so on. financial networks, transportation systems, and so on. attacks have emerged as one of the nation's greatest threat. it requires all levels of government to work together. all of our state governments are the trustees of sensitive personal information. we control services for citizens, supporting a emergency response, supporting private sector partners.

all of these things require a new level of vigilance in this era where people can potentially enter our networks, still-- networks, hack them, steal secrets, and also leave back doors and other avenues that we may not have even anticipated in the future. in addition to, i also want to make this other announcement. there is no one size fits all solution. , ernorovernor rick synder and i we recently announced the creation of the resource center for state cyber security. we want to thank our corporate sponsors, ibm, hewlett-packard, and semantic. working with public safety entities in the private sector,

it is the hope that this resource center will help examine the roles states can and should be planning to ensure the security of state based networks as well as keep critical infrastructure that impact the operations of our state and their economies. it is our hope they will identify best practices. we all like to be the best at doing something second. if someone has figured out how that is like accomplishing the research and development for those of us in state government. we have one other announcement. tomorrow all governors are invited to a top-secret briefing from 4:00 to 5:00 p.m. it will build on a session today and will provide governors of information on the current cyber threat environment and how this thread may affect our states. --

those threats may affect our states.it happens between our lt meeting and when we are supposed to be at the formal dinner at the white house. i can assure you that anybody who comes in a tuxedo we will keep james bond jokes to a minimum when you show up. we have a number of experts. i would like to thank governor sandoval for the many opening remarks he made on its cyber security. >> i appreciate the opportunity to give these remarks. cyber is security is attack on a daily basis. it is one of the most pressing issues we face. in addition to storing data, we rely on these to conduct activities including critical homeland defense in response operations.

improperly coordinated attack can destroy a multiple state agencies are multilevel some of government, preventing this from reaching our citizens. this past october the national association of the chief information officers released a report that the majority of states are not adequately prepared or equipped to combat and respond to a sophisticated cyber attacks. according to the report, while states have made progress, shortages of qualified personnel and resources have left states unable to address the growing number or against nature of the attacks the face. without proper resources in place, states have had difficulty putting procedures in place to effectively respond to a potential breach in their

networks. in addition to compromising personal information, mitigating these breaches could further strain on state budgets. our success in defending our nation against the threat is dependent on our ability to develop a common sense approach to cyber security. we must work together across all levels of government as well as with the private sector to identify best practices and eliminate our vulnerabilities. just as important, we need to begin preparing now to quickly and effectively respond to it and recover from a breach to our daily lives. i look forward to hearing from our panel on how we can better respond to an recover from a cyber incident. it is my hope that our discussion will provide governors with the information

they need to engage with our congressional leaders as they continue to develop cyber security legislation. i welcome our speakers and look forward to hearing from me. >> we are pleased to have with us our first two speakers. the first is richard clarke. he previously served in the last three presidential administrations as a senior white house adviser including special advisor to the president for cyber security and national coordinator for security and counterterrorism. he also worked for several years in the u.s. department of state for political military affairs. we also have with us dan lohrmann, chief security officer for the state of michigan. i do believe he is a native of maryland. he began his career as a

computer systems analyst with the national security agency and served in a variety of positions in the public and private sector for over 25 years. he served as chief information officer at in 1997 for the michigan department of management and budget. in october 2011 he was appointed the first security officer by gov. rick schneider. thank you both. let's begin with richard. >> thank you.

thank you for the opportunity. a lot of press has been devoted to this issue of cyber security including the president saying foreign entities had hacked their way into our power grid controls and that they were stealing our industrial secrets. the national intelligence estimate which you hear about tomorrow has concluded. we can say this in an open meeting that there is a pandemic of a foreign s&p not going after our companies, research institutions, throughout the country. part of the problem with cyber security is it is three different issues. people tended to lump it all together. when you lump it together you cannot solve it. i suggest you start by did abrogating it and realizing it is three different things you are dealing with. one is cyber crime.

it is the same as any other type of crime. people still money by hacking into systems and writing themselves checks. the second phenomenon is s&p not. this is not a james bond. it is someone in china hacking their way into a company and stealing any information that company has that is of a value or into a research lab. this is a pandemic. it is a quiet pandemic. billions of dollars, $300 billion, it would cost the united states in lost research and development. that means lost jobs. you cannot be an american company in compete against a chinese company it all the money you pay for research and development if they get for nothing. they get all of it for nothing. whether it is taxpayer money or

stockholder money that pays for it, they wait until it is done and they steal it and use it to compete against us. the third issue is cyber war. it does not happen that much. it has been demonstrated that it could happen. instead of blowing something up with a bomb or missile, you blow it up with a cyber command. it is not science fiction. it has been demonstrated. the united states did it to iran, blowing up 800 nuclear centrifuges with a cyber command instead of dropping a bomb overhead. we also demonstrated you can do it two electrical generators. you can do it to pipelines. you can do is to trains. you can do it from the safety of your little office in shanghai or tehran. worse than that is that this knowledge is now faltering down

below the state after level to the non-date after level. we saw 30,000 computers completely wiped clean, all data gone, not recoverable, in one very quick attack. three different issues, crime, espionage, war. what is the role of the state? there are five rules the state inherently has that apply here. one, you are a corporation. you read people's checks. you'll credit card numbers. just like any corporation, you have to secure that data. secondly, you are a regulator at the state level.

you can regulate the power grid and trains. that causes them to have higher levels of cyber security than they have now. you are an emergency responder. the gloomy to know what you would do it the emergency was not a hurricane or tornado or something he recognized. what if it was a cyber attack? would you know what to do that have exercised a cyber attack? you probably exercised a snowstorm. you are a law enforcement organization. at the state level it can help companies that have been hacked that sometimes not all the attention they need from the federal level. you are an educational

organization. you run universities and colleges. the big gap isn't trained personnel. we created something called scholarship for service. if you pledge to work for the government, we will pay for your education. i have a longer list the things you can understand. i have this all on the web site. you need to begin with a strategy. figure out what you think you mean to do and what you think the role of government should be. where do you want to go on this issue? through a gap analysis of what is the difference between where philosophically the state ought to be and where it is now. do a path of getting from where you think you are thought to be

in a state strategy from where you are now. a few states have started that. the sharing of best practices is a great idea. do not rush out and start programs. to begin with a strategy that represents your philosophy about what you think the state ought to do against these three distinct problems, cyber crime, espionage, and cyber war. >> thank you. >> thank you. thank you for the invitation. it is an honor to be invited to speak on this important topic. let me begin by emphasizing the

state of michigan in government faces a barrage of unauthorized access our systems. we removed over 31,000 pieces of malware from incoming e- mails. we see it daily in michigan as every other state in the nation. what can be done? what are we doing now in michigan? it offers seven actions the governors should take. they go right in line with what mr. clarke was just mentioning. governors must make cyber security a top priority. gov. schneider led the charge by establishing accountability

authority in visibility of governance. michigan is centralized by i.t. we have now merged into one cohesive program. the chief security officer provides risk-management and security associated with assets, property systems, and networks. it also leads the development and the implementation of security strategies from all michigan technology resources and infrastructure. each state needs a plan for cyber security. following this framework, and guidance to be provided, each state must implement a level of defense. gov. schneider brought together this across the nation. this lays out a comprehensive

strategy and safeguards are in data. our plan can be seen at michigan dot gov. provide next-generation awareness. in every state employees are our weakest link against cyber attacks. these are the number one cause of breaches. in the past, this quickly became outdated and was a failure.

we now covered the training. we call it 2.0. brees interactive lessons are develops. feedback has been overwhelmingly positive. even sharing the information on family members at home. a stafford is sensible training. in 2012, we launched the michigan cyber range. it provides a secure environment for cyber response and the latest in a technical response for the public and private sector. the tax can come from anywhere and anytime. we can ensure confidentiality ends this.

michigan is in the process of security operations centers and never speak. we are working to develop a report using new metrics. what if there is a major cyber incident in your state? are you prepared? what if there is a breach? build a cyber response plan. state governments become very good at the responding to natural disasters. the same level of discipline must be applied to cyber incidents. we are developing a cyber plan

to map out a clear strategy. states should align these with presidential order. cyber destruction plants might be disruptive. allstate should be testing the plan to ensure resilience. michigan is benefited by participating in all global exercises as well as 2012 which focus on its cyber response. we are testing the cyber protocols. perhaps most importantly we must establish this. the cannot be done on an island

or it will fail. we must work together to share information and coordinate a response. michigan has strong partnerships with the national response come at the u.s. department of common security, the fbi. the multi state analysis center. michigan state police. this must be a key for each state moving forward. cyberspace has revolutionized the government. they are doing this for good and evil at the same time. each state must further protect their investments. i look forward to answering your

questions. >> can we break for questions that are a good? >> it is a pleasure to make this from a nevada company that i get to interview. i am glad we have the chief information security of zappos.com. to his role, a he served as chief officer for a leading contract organization where he implemented the security strategy to protect and secure confidential data. prior, he worked at equifax where he was instrumental in building the engineering operations and compliance teams. he helped build one of the largest and most important data loss solutions as well as the highly regarded programs.

welcome. >> thank you. session four heading up this committee. welcome. i am honored to be geared to speed about something i am passionate about. it is nice to hear that a lot of these are similar. we asked to come in here and talk to you about what we do after. we were told that previous comments is spent time on threats. from this conference and happy to do that for you. and going to give you a framework for some good questions from those who are responsible for security within your organizations. i want to get a little bit of a framework.

there has been a lot of breaches the last couple of months that are out there. i will spare repeating the names. more importantly we know there are more that do not know they're being attacked today. they have not decided to publicize for what ever reason. i want to focus on a few common things you hear. i have gone through all of the press releases. i want to use it as a frame of what i'm going to talk about it. you will hear a statement similar to this. we were victims of a sophisticated attack. we are aware of the attack and are launching a full security practices to make sure we can prevent this in the future.

take a moment to think about those things. i'm going to tell you some facts about that the bridges. we can take these lessons and start asking additional questions. assertions are always been nice. data tells us that most breeches are the result of unsophisticated attacks. 96% were not highly difficult according to the 2012 data reports. 97% of the breaches were avoidable through "simple or immediate controls." there were no vulnerabilities that people did not catch or provide controls for. it is important as you think about what you are doing. as i discuss it here, it will be about action. knowing this, one of the key things you should do after a breach, it is not rocket science. it is not a secret.

it is almost common sense. it is harder than it seems. what you need to do is follow your response plan and take actions you have already deemed necessary to learn from it. it is that simple. the do not have them, that is a different story. this is no time to think about what needs to happen. you have to react and think about what needs to be taken care of. time is precious. you have to understand and contain those particular events. >> it is not have a matter of if but when. when you going to be attacked? it could be today would not even know it. you need to prepare for that. companies and organizations seem to have so much time after an event to spend looking at

the security programs. why are they doing it before something happens? the two most important things to focus on during an incident from my experience our communications and executions. you have to keep people informed. you have to enable your teams to go execute what they are supposed to do in order to contain the breach that you had. in order to do that, it makes sense to focus on a few key things. these are questions you should be asking about a data breached or incident that gave confidence in your security program. here are some key questions. do you know your environment? ask how many incidents have been reported this month.

either you do not have the technology to detect the attacks are the people that you have to not know what an attack looks like. just read the newspapers. all the evidence is there. you are being targeted. define the rules. who's in charge of security? do they know this? is it really just your cso or dba? or even the data owners out there. it is very dangerous when everybody thinks someone else is responsible. do you have the right people? we have heard this echoed.

people are the greatest asset that we are lacking here. you're not going to do anything without the right talent within your organization. you can have all the greatest technology and processes but if you do not have people who know what to do in the event of incidents, who know what incident even look like, you have lost the game already. and how often do you test your security measures? answer is, we really haven't -- i'm not talking about desktop exercises. i'm talking about getting something unannounced and going and seeing what you can take from a third-party, because you want to see see how your team is reacting. you want to understand, are things working, so you can make adjustments before they are too late. and what do you have that others want? without understanding that, how do you know what to look for? only you can answer that question, what is the data you have. whether it is a straight

strategy plans -- do you know where it is, do you know who has access to it? you will be surprised of who has access to your data. you have to be able to detect suspicious activity. 94% of companies are told by others they have a breach. they could not even detect it themselves. someone else let them know about that. connection is not enough. it is about prevention. -- detection is not enough. it is about prevention. the average time a hacker is involved is 416 days before they are detected. really? you have to ask yourself, how effective are your programs? don't be fooled by false security. sometimes i encounter things that people are talking about. we talk about security risk management. i want to make one point on that.

just because you know about a risk and you have excepted it does not mean it goes away. as a security person, i keep it simple. i'm not going to come to you with something complicated. i will say to you, this is the issue. if we do not do anything, the risk will stay the same. who would sign off on that? it is still there for someone to take advantage of to do harm to you and your organization. the audience here is really important. how do we share data? we heard from the panelists about sharing data. how do we do more than just share data, operate together more effectively? we are duplicating so many things. we are taking resources from each other. how do we work together to

manage that better? it is a challenge for other people to go out there and try to figure out, what about shares resources? -- shared resources? what is so private about the actual networks that you cannot find trusted partners to share those resources? we do have a shortage in trade resources. that is an area i want to challenge you into. we have great schools and universities. we need to get people excited about security. without these components, you would not know who to communicate with any would not know how to assess the impact of the event. spend your time now and validate the information you receive from your teams. it seems odd that we have plenty of time and resources to fix issues once a breach happens.

why don't we have that same opportunity before so we can prepare for it? hope those questions give you a good framework. i look forward to the conversation we will have. >> thank you, all. i'm sure the members will have some questions. let me ask richard clarke, in your handout, which was excellent -- this is been passed around to everyone, the 12 steps. number three, you say, receive regular security briefings from cyber security including state employees and contractors responsible for protecting information assets.

regular briefings from the department of homeland security. so much of our ability to set priorities and get people focused on the things we can and must do, and the follow-up depends in our ability to ask the right questions. what are the things that you would advise those of us that served as governors to ask for as a template in these briefings so they are not a show and tell, there is an actionable 1-2, 3? >> flowing from that strategy is a plan. with metrics and milestones. there are 12 things or 20 things you want to get accomplished. you know when you want to have the accomplished by. you could get briefed every

quarter for half an hour or so and how that progress is being made. there are all sorts of things you can decide are your priorities in this issue -- area. education, law enforcement. new ideas, new programs. and then you get briefed every quarter from an advisory board, may be an government advisory board and an outside government advisory board. sometimes your employees are not as willing to be frank with you as some of those on the outside. get refund progress on implementing the plan, -- briefed on progress unemployment in the plan. what has happened lately, what have the attacks been like lately? if they tell you we have got it under control, fire them. >> good point. questions? thank you. >> i came into a situation in my state in which the capacity for even our departments or

divisions within departments were utterly incapable of talking to one another. pardon my 20th-century century approach. i actually believe in talking. this had in norma's consequences for a system on a fiscal basis. -- in norma's consequences for our system. we found five files, six files, all separate, all silo from one another, incapable of cross- referencing. i wanted to change that. we found that -- we stopped counting after 736 different systems. 736 different methods, techniques, infrastructure.

i found three people i cannot fire, because they are the only people who know where to go on ebay to get the parts for the computers they were using, which contained all of the information in certain areas. [laughter]i found somebody who had been using the computer for 36 years and was very smug about it. not everyone is in as bad a situation. we had no chief information officer. we got a chief information officer to try to put all this together. i give you that preamble because

i am thinking to myself that everything i thought i was planning, they come to naught. [laughter]you talk about centralizing. wouldn't that make me form more vulnerable -- more vulnerable than less vulnerable? if there are 600 different ways of doing things, maybe people will leave us alone. maybe we ought to do singles or something with morse code. is there a danger in getting to sophisticated -- too sophisticated? my goal is to yank us into the 21st century. but am i setting myself up then for a failure, vis-à-vis cybersecurity? >> i can start. i think if you bring together your resources -- the chief information said, let me

explain what is happening. >> we published the hotel peru and. where we being attacked -- why we being attacked? >> you have a reduced number of pipes so you can watch those pipes. the apartment of homeland security has a similar process that is happening in the federal government. there is a large number of tools. the question is, are you going to have 20, 30, 50, 800, whatever number of security groups not communicating with each other. as you heard from david and others and also richard clarke, there's is a shortage of

qualified staff. bringing them together, i think we have shown in michigan -- not to say we have had no problems -- i believe you can be more effective. it is been shown by and large in industry and other states as well to be more efficient, better use of taxpayer dollars and overall better security program. >> maybe it's my lack of sophistication in this, by centralizing everything, i thought i was making everything more efficient. but am i making it easier for people to get into our systems, are not? >> as dan said, you're making it potentially easier but also potentially easier for you to defend it. you have limited resources, limited trained people. rather than having 12 state department or agencies or however many you have all tried to do this -- you know they cannot all do it -- have one organization at the state level that is the chief information security officer for the state. have one operations center for

this kind of thing. and maybe have one cloud operation. you can actually make things more secure in the cloud if you do it right. >> that is counterintuitive to some of us, the cloud. >> it is an extension of this observation. rather than trying to secure a bunch of different physical locations, you put it in the cloud and the cloud can exist in multiple locations if you do it properly. you do not put everything in one data center in one place. you have two data centers in key of different states -- two different states. everyone who is involved in security is looking at that one target . it is easier to try to defend than try to defend hundreds. being one of the older people in the room and having used that system, i would say if you still

have that working, keep it. nobody knows how to attack it. [laughter]that is what i got told. they came in and said, we have three in full girl -- -- three in vulnerable employees. >> when i came into office two years ago, i started trying to prepare my budget and i found out all of our state agencies, we had 76 different pewter software programs. i was trying to match apples and oranges and figure what the agencies did -- computer software programs. i was trying to match apples and oranges and figure out what the agencies need. we brought them all together, started combining the information like governor abercrombie has been talking about.

we have a saying in oklahoma that we are running our technology on an eight track technology and ipod world. we were running off old technology when we needed to come up together. we have a backup separate system. if i ask, how do i make sure it is secure -- you mentioned something about resource kits that you did in michigan. what are you referring to? >> sure. you can go online and see those. the efforts in michigan have not just been about state employees. it is also looking at the schools, looking at universities, looking at how we can work across public and private entities and coordinating. clearly the private sector has their own independent authority. whether it is the family, the home, the school, small business, what are checklists

they can use of helpful tools they can use and actions they can take to protect their individual entity, school, business, whatever. >> when we brought although services together and had our chief information officer in charge of all these different agencies and branches and their i.t. functions, we were able to save $86 million in i.t. costs in the state of oklahoma. >> what do you believe is most significant cybersecurity threat facing the states? >> i think i would distinguish between the most significant threat and the most likely. the most significant threat would be an attack by either a state government like china or iran, or a nonstate actor, like hezbollah, that took down the

power grid. or cause pipelines to go up or cause trains to derail. -- blow up or cause trains to derail. the emergency response that you do for those kinds of things is similar to hurricanes. there are some distinct differences. i think knowing what you would do and exercising it is very important. knowing what authorities you have in those situations, and knowing who the right people are, and who to call them and what they will do. that is the most significant threat. the most likely threat is happening every day, and that is people are hacking into your networks and writing themselves checks and stealing you blind, and you don't know it. >> would you care to comment on that question, gentlemen? >> i would agree, and to the

folks out there, think about your infrastructure. you are always going to see a computer terminal somewhere. everything that is out there is susceptible to attacks. the only way you're not going to be successful is haven't disconnected. . even that is not 100%. attacks come through other means, unfortunately. it is anything that can stop all your critical operations. it would be highly detrimental to any government out there. i like the way richard framed it, they are taking whatever you have that is valuable. it is happening right now. whether it is enough information to do identity theft, whether it is enough information to understand how you award bids and then manipulate that system -- anything out there that is critical and secret to yourself.

if it is connecting and you are not protecting it, you don't even know how someone would use that information against you. it is happening right now. >> at the same time that all of us are trying to do more of our services online, and facilitate consumer transactions online. as the head of a state network, who are the people you: in the federal government to help you with the exercises? are there resources we can call on as governors to help us do a better job of protecting our networks and information? >> absolutely. we work with the department of homeland security very closely. we also work with the multistate isac. this is daily we are talking to them, ongoing operations. >> describe for us what the isac's are.

in the case of state governments, there is a multistate isac that works with the 50 state governments. there are sector specific plans for each individual. for the water sector, for transportation, you can go to dhs board, the national infrastructure plan, and that lays out the sectors pacific plans for each individual critical infrastructure -- sector's specific plans for each individual's article infrastructure. we work with the fbi, criminal justice organizations, department of justice as well. >> has anyone offered a regimen of training exercises and drills that are useful and

valuable, or is that something we are still working to create? i know after the attacks of 9/11 -- there are a lot of people rolling out drills and exercises. some of them were so expensive, none of us running cities could afford to do them without a huge amount of federal help. when we were one of the lucky winners that would be supported, we came late and said, that was a lot of time. i'm not sure how much more we learn from that than from a tabletop. i would think in this sphere that there should be a way to do this in both the cost effective way and also in a way that where you truly do learn something without it costing you

a small fortune as a state. >> i agree. the cyber storm exercises did exactly that, across state lines. they also work with other countries, allies around the world. in addition, i know the national exercise 2012 -- they are out there. there are exercises. i would agree with you that states should really take advantage of those opportunities to test their systems. >> richard? >> you can also apply for fema grants. while there is still fema money left -- [laughter]you might want to think about applying for that. it is expensive to do the big field exercises, but it costs almost nothing to do a tabletop exercise. while they are not as valuable, they can be very valuable for you and learning who does what and what capabilities. >> what about our national

guard? that would be a great reservoir of expertise. have you found that is helpful in michigan? >> absolutely. we work very closely with our michigan national guard, working tabletop lance with him, scenarios -- tabletop events with them, scenarios. >> would you say that most all of our national guard's have some cyber capacity? >> it varies around the country, but i certainly believe that is being built up and i think it is a way of the future. it is an opportunity for all of the states to look at beefing up their capability in that area. >> that would be a way to institutionalize it. with the national guard, it is always there for you to call upon. >> governor sandoval? >> thank you. the question was asked, what is the most likely vulnerability.

>> don't share it on television. [laughter]>> i do all the time. when you ask what is most likely vulnerability, it is almost like, where do i begin? all of your databases can be breached. anything in your databases, any information. social security numbers, credit card numbers, any records that you have. the ability to hack and and write checks, make yourself an account payable and get paid, the fbi has discovered a number of cases like that where small corporations have discovered they were writing checks to people who were actually in the ukraine. the check does not go immediately to the ukraine. it goes to a local bank account and then hops several times. the most likely is cyber crime, identity theft, and monetary theft.

that is happening all the time. the president said in the state of the union address something we have known for a while that has been secret, that foreign entities are now in the control grids, have hacked their way in, water systems and other critical utilities. you have the power to regulate at the state level. sometimes better than the federal government does when it comes to utilities. you could establish cyber regulations for electric power, for example, that would make an even playing field for all of the companies so there would not be a case of one company having to spend more money to achieve security. everybody would have to do it within your state. i think if you have the power and the federal government doesn't -- power -- and the federal government doesn't -- to regulate your utilities, you want to do it. -- ought to do it.

>> employees clicking on links. phishing attempts, spearfishing -- an e-mail that looks so friendly from a bank or a government focus, and they click on that and then it creates identity theft -- people send in their credentials. that is going on in every one of are states right now. >> which then dials of the importance of the training. >> there is been a shift over the last 10 years and most of the attacks are now coming through individuals in these phishing incidents, rather than the old method, which was to have it directly at the mainframe.

>> you have to think of it in terms of whatever folder ability is easiest. that happens to be people. -- vulnerability is easiest. that happens to be people. where are you getting security awareness training? where are you learning about these types of things? if you study attacks, because of the way technology is, they are mass using systems. they are getting independent people's systems contaminated. we have to do something about educating folks on security so they do not participate in that. well it is not difficult, it is getting harder at the corporate level. we are getting better.

>> just as we insist people show up for work, we need to start insisting that people get this training on a regular basis. anybody that uses a computer in our state government -- we require police officers periodically have to make sure they qualify at the range. what is it, 86% of them are now coming at individuals who click on these innocuous e-mails. that is where 86% of the attacks are coming through. i would think that all of us need to adopt policies that insist that our employees get the training regularly so they do not do that. >> there is technology that will train them for that. >> we had training in the past. quite frankly, michigan failed earlier miserably in this area because our employees but it was a waste of time .

>> gentlemen, thank you. >> i want to add one thing. there is a dirty little secret about security, and it is the non-sexy part. the reason that there is vulnerabilities is because people are not doing their jobs. if the vulnerabilities are there and we know about it, why aren't they getting fixed? it is not hard. it is time-consuming. it takes effort. he goes back to execution. you have got to be doing things. >> are you talking about individual users? >> system so they take advantage of. -- that they take it vantage off. if you're a system administrator, there are patches. >> we need to wrap up.

>> it occurred to me, virtually everything you have been saying to this point was somebody outside coming in. one of the things i discovered very recently, i'm sorry to say, is people who are already inside state employees -- you mentioned for the abilities of privacy and social security -- vulnerabilities of privacy and social security. people looking people up. you say, let's go see richard gere's tax returns or something like that. let's see richard clarke's tax returns. let's find out how he's really

doing. we are going to get him. [laughter]how do you deal with that, then, in terms of security? you are talking about centralization and figuring out how to defend yourself from outside. how do you defend yourself from people who by definition almost have to know what it is you are doing in order to protect yourself on the outside? you protect yourself from them -- how do you protect yourself from them? if you have a statewide security operations center, you can have stopped work in human eyeballs' looking for activity, so that if someone is doing something they should not be doing, if you can pre defined what their roles are, it will alarm when it happens. >> is this field " let of the internal affairs and the police department? >> it is the automated and works better. >> provisioning with management.

really, who has access to what? doing a better job with identity management is a national initiative. so what do you have access to? what is your role? what did you see and are not allowed to see in getting better hands around identities. >> the only reason i brought it up is when this was being done it was not being done for criminal purposes. people had too much time on their hands and were getting curious. what if someone else is looking for a way into people's tax returns, those that open -- doesn't what you're doing opening up the possibility of other people getting technical access to what you're doing to

do the same thing? >> we focus a lot of the external, but the same controls has to be internal also. you, governor. we have had some very light moments, but this is a very serious issues. i am looking forward to developing the best practices and figuring out the states that have come up with the best policies. unlike some other areas where we can be and should be totally open and transparent about things, this is one area where perhaps that does not serve as well, at least initially. we will be having that briefing tomorrow, top-secret briefing tomorrow. seveners only. we will announce were the secret location is.

we have before you 5 policies of the help and homeland security committee. we will consider five policies. what is temporary assistance to needy families. only a security and emergency management. third is armed forces. public safety communications, and the fifth has to do with health. key issues in health and public safety communications. the homeland security managed a policy was amended to include language regarding the importance of the project several collaboration with states to enhance food supply chain and armed forces policy amended to include language regarding state and federal court in nation to serve our nation's veterans. they are before the members of the committee. the members having been vetted

by staff and the commanders prior to the assembly that we consider them together as a bloc. >> i move that we considered the motions in block. >> let me say before the vote. the national governors' association from my experience just over the past three years is one of the finest groups of people, most professionally- dedicated and knowledgeable possible. the reason i am confident we casting a vote is because of the extraordinarily good work they have done. >> that sounds like a second from gov. abercrombie. it is unanimous. this concludes the meeting. thank you all very much. [applause] [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2012]