tv Speech CSPAN June 23, 2013 9:35pm-11:01pm EDT
9:35 pm
>> what is important with the business. 1996 was an example of the telecom act went into effect. in 1997, we were rolling out digital video and broadband services. commercial services and bringing bundled to the market. with the first to start bundling problem -- press. we have high penetration today. web been able to get into new businesses that others cannot jury about because we got there so early. >> everybody understands that sports and live sports is a sweet spot in media.
9:36 pm
it is almost the only code for you have to watch live. that has increased his value. everybody is seeing that now. whether it is social media sites that are partnering with do tweeting about sports or to show sports as we have on facebook or other networks. everybody understands sports rights are valuable. >> more about what is happening in the cable industry at the cable show. on monday onators" c-span2. janet napolitano and michael chertoff discuss the cyber security threats. it was hosted by the woodrow wilson center. you will hear from the director and ceo who served as the
9:37 pm
ranking member of the house intelligence committee while she served in congress. >> good afternoon. please find your seat. so much for starting on time. this is something that we vowed to do. welcome to the wilson center. i am jane harman, the director and president and ceo, this is a national conversation of great importance, and one i feel i have been living for the last couple of decades. i imagine the local power generation facility in your
9:38 pm
hometown. this has a fence and a few guards. this is safe, right? wrong. that is probably controlled by a system that monitors the cooling elements. this is run by a private sector company and is connected to the internet to be managed easily. this runs on software that could have an inadvertent flaw that is exploitable by hackers, to cause us harm. as a former nine-term member of congress who chaired the security committee for many years -- i can tell you that this scenario has kept myself and many others up at night. this is very possible.
9:39 pm
but any members of the congress and the public who don't appreciate or understand what our government, especially the homeland security department, could do to help prevent cyber attacks, in the private sector or elsewhere. many, also recently are conflating this issue with what they have been reading in the newspapers about the nsa programs. there are big differences and maybe that will be explained today. for anyone in the audience in front of me, believe me, this topic has to be addressed on its own. and for those of you worried about compromising privacy, we have many different issues to discuss. i think that this is a reset moment for the department of homeland security. now that the president has released an executive order on cyber -- and the investigation from the executive branch, we
9:40 pm
can help to explain and conduct conversations around the important role in cyber. this is not to launch cyber attacks, something you may have read about in the newspaper, not to defend us from all cyber attacks, but this is a very significant role that relies on an active partnership with the private sector. i had a conversation the other day with someone on capitol hill. he is senator tom coburn. i mention him because he is a republican and i am democrat, he is a good friend but we do not agree on everything. he has a big role in this issue given his senior status on the senate homeland security committee. he has not heard about this. tom coburn was very positive.
9:41 pm
of course i would relate the good news story. but this is a guy you may not think would necessarily think that the department of homeland security should be ground zero on parts of this issue. he said -- and i have a note here. the process used to craft the executive order should be praised. this was inclusive and the government listened. he also said he was impressed by the staff -- some of whom are in the room, in this audience looking up at us, that he met with and that he will work for a bipartisan solution for legislation. to enable this process. i think this means a lot, so i wanted to be sure that everyone heard this. everyone in the room should know what the stakes are.
9:42 pm
you will hear more in the panels that follow and may even hear more from the secretary. i think it is almost like the israeli-palestinian peace process. we know what the and it needs to be but we don't know how to get there. maybe we should lock the doors and bring in food -- and figure it out. the only missing ingredient is currently serving members of congress. someone -- the person to keynote the panel is janet napolitano, who i have known for decades and decades. she will tell you that when we met, she had a perm. she was a rock star in politics in arizona, the u.s. attorney and the attorney general, and
9:43 pm
was the governor, twice, and left to take on the job where she is in her fifth year as the secretary of homeland security. she will deliver keynote remarks and will be followed by a panel discussion led by a fearless national public radio reporter who was reporting on this subject and related subjects. i find this stunningly impressive. i will not mention that he is married to martha raddatz. we have michael chertoff, former federal judge to -- i found when i was in congress to be a great partner. our friendship has succeeded in our old job and the first question always was, what is the right thing to do, what is the
9:44 pm
party you represent? on the panel is stephen flynn, of the kostas research institute, or is about to be that. he has worn a number of hats -- and is superbly qualified to address this topic. we also have been able private sector representatives, who is the head of security at general electric. i will say one more thing. this national conversation follows a lunch that we had with department of homeland security representatives. i asked that everyone be very candid about their views of each other. some of this was not so pretty, but i certainly left that lunch very hopeful and you'll hear some summaries. we at the wilson center want to use our convening powers and our
9:45 pm
expertise -- to events conversations like this. we are looking for the best policy ideas to form action plans to solve the toughest problems. i think on this subject, we have made a good start today. please welcome my friend with a different hairdo but a very wise mind, janet napolitano. >> good afternoon, everyone. we're here to discuss an incredibly important topic with a fundamental role in homeland security. i thought what i would do this afternoon is briefly talk about the landscape and talk about the president's executive order and his policy directive on critical infrastructure because that also comes into play, and lay out
9:46 pm
for you what is going on at the department of homeland security. some of which you may have heard in other panels. but to reemphasize the importance within the schematics of the department of homeland security. this is the third largest department of the federal government and the youngest department, covering many missions that were put together under one roof following the terrorist attacks of 9/11. we have seen the department grow and mature very quickly. over the last 10 years since this was enacted. we just celebrated a 10th anniversary. chertoff is here, he was the first secretary, i am the third. i guess that makes me thomas jefferson.
9:47 pm
tom ridge -- i guess that you are john adams. i only mention that because -- not only are we changing and growing very fast -- we have seen some things evolve over this short amount of time. when we started we were concerned with terrorist plots and attacks similar to 9/11. terrorists taking over commercial airliners. using them to fly into buildings. aviation attacks and plots have not gone away. this has been part of my time at the department. they continue to change. the sources from where they come continues to change, but they remain with us. but fast-growing alongside is this area of cyber capabilities,
9:48 pm
connectivity -- and cyber attacks. how do we secure the country in the best possible way while respecting policy and civil liberties and the other values that we hold? this is really the challenge that is presented to us. so we have been growing very rapidly in the cyberworld. when i started it was a fairly small element of the department, the department was engaged with other threats but as we have grown -- this has probably been the largest area of just pure budget growth. this is located in several areas of the department, much of this in the nppd but this is also the secret service.
9:49 pm
this is for intellectual property and throughout the department, we have units working on different aspects of cyber crime and cyber security. one big challenge has been to organize ourselves to handle that. the second is to really look at whether the areas that we are most concerned about -- we are concerned about the theft of intellectual property. we have seen a massive transfer of intellectual wealth from the united states and other countries and we are just filing our intellectual property strategies -- with the congress. for the next year. but this has been an area of concern. all of the countries of the world that need to be engaged in this. and participating and how do we have a connected world and
9:50 pm
protect the research and development that goes into the creation of intellectual property? i think of these crimes -- being used simply committing -- simply using new technology -- the social media available now. identity theft and one area is child exploitation. sex trafficking, and the like. there was a major operation involving that -- facilitated by the internet. this is cyber-terrorism and attacks, and i think this is what most people think about the war in this room. but there is no doubt that there is a number -- there are a number of those who seek to do us harm in this country ranging from individuals to organized groups, to groups that you could
9:51 pm
detect as state or state-sponsored. to have been and are willing to engage in -- attacks against the united states and critical infrastructure using the cyber-realm, that gives them a new set of ways to go out there. what does this mean? as she was saying, critical infrastructure like utilities could be subject to attacks. and, by the way, if you think this does not have another set of issues, if any of you are in the new york or new jersey area during hurricane sandy and saw what happened when the power utility was down for a number of weeks -- all of the sudden, not only did you not have electricity for people in tall buildings, the 15-story
9:52 pm
apartments had to be walk-ups, but then you did not have electricity, you had to get fuel of tankers in the tanker trucks into gas stations and gasoline pumps, then into cars. that set of development -- this whole idea of attacking critical infrastructure and the control systems that govern critical infrastructure, we have seen from mother nature -- much less a human after perspective. we have seen this in the financial-services area, the banking area has been a very active area for denial of service -- and we have seen the energy sector. what happened when you had not just a virus, but a destructive virus entered into the system that actually destroyed -- not
9:53 pm
just the software, but hardware. we have a range of things we deal with in the department, and responsibilities now to protect the homeland as a concern. so what does this mean? let me give you a brief rundown of what exactly we are doing within the critical infrastructure and the department, leaving aside cyber crime for right now. we have the national cyber security and communications center -- that has been opened now about four years. they have responded to a half-million incident reports in that short amount of time, with more than 26,000 actionable alerts to the public and private sectors in that time -- and we have different government representatives, different agencies -- but we also have
9:54 pm
private sector representation on the floor. we have the united states computer emergency readiness team, and many countries, by the way, have now developed their own certs and now we have these relationships -- but to give you a sense -- last year we responded to 190,000 cyber incidents, and issued 7400 alerts to the united states and this was a 68% increase over 2011. that is why this area is so fast growing. we have an industrial control systems cert, -- 177 incidents last year. we have 15 teams deployed with significant private sector
9:55 pm
incidents. so -- this is not imaginary or something that is speculative. this is ongoing right now. we are working very closely with private sectors and these kinds of partnerships are not new. we work with the private sector where infrastructure is of concern. we now have two guiding fundamental documents we work from, the president's executive order and the president's policy directive. for critical infrastructure. they direct us to take a more broad look at the mission in cyber in a couple of ways, to take the all-hazards approach, to make sure that we include protection of the networks but also resilience and the ability to recover and get back up quickly.
9:56 pm
the executive order has been -- has three goals, to protect civil liberty, promote sharing and have a voluntary program to encourage critical infrastructure operators to adopt best practices. let me just stop right there. first -- privacy and civil liberties, from those disclosures about the nsa, this is a different set of things but you should know that in the department of homeland security we have a privacy office and a civil liberties office. those are experts in those fields, whose sole job is to look at what we're doing from the outset, to make sure that we are building into what we're doing with a program protections for personal and private
9:57 pm
information, for any kind of intelligence that we gather. we consider those values to be paramount as part of the way of life that we are here to protect. this is from the outset. information sharing. when the legislation failed last year, and i hope congress can come back to this. one thing that failed was the command for real-time information sharing. this is one of the key tensions between us and the private sector. we cannot do anything if we don't know, in real time, what signatures you are seeing and what abnormality -- abnormalities that you are seeing, and we can determine if this rises to an alert level, if this is something that we have to be engaging others on, whether this is a small problem, or a big homeland problem.
9:58 pm
without real time information sharing we are starting off behind the ball. this has been a problem, part of the bridge building is solving the information sharing aspect of this. finally, the voluntary program of best practices with the critical industry sectors. this is very interesting -- this is going to be, at this time, an experiment, and a very important experiment because where security is concerned, law enforcement or security, we do not depend on the private sector. this is a governmental function. we don't depend or outsource national defence to the private sector. we do not outsource intelligence gathering capabilities to the private sector. we do not outsource local law enforcement to the private
9:59 pm
sector. this is an inherently governmental function. we are proceeding in a different way here, and what this is -- is for the private sector, working with us, -- to set the framework and the standards -- to have a system that creates a voluntary program, a voluntary set of incentives, for owners and operators to adopt the best practices, to change their practices for evolving threats. i think -- frankly, i know that some in the private sector are suspicious of the department of homeland security or any government agency's ability to fulfil their functions.
10:00 pm
ifve a system that creates a we can show there is a strong partnership between and your capabilities and needs, succeeded in this experiment. any et no one have question, i think we're still in the experimental phase. we're still working with each testing each other, meeting a lot with each other, all well and good. we have yet hink this o closure on whether is an appropriate thing to have s a shared responsibility as opposed to an inherently governmental responsibility. expressing no opinion on this right now. but i just want to set for you as you think about this, the is really the
10:01 pm
first time in our nation's we've approached a major security problem in this way. already this ink, morning, heard about the integrated task force which is designed to help set up the the ppd.ation plan for in april they launched a collaboration community platform n an idea scale for critical infrastructure, stakeholders, members of rested the public to post and share public comment and feedback we strengthen our networks and how we better our resilience. in the first 120 days since the issuance of the eo and ppd, we've produced a number of including an commerce long with
10:02 pm
department and the treasury department incentives to be used for the adoption of the cybersecurity framework. omb whereht now are at they're undergoing an interagency review process. has alreadyial work been done. we produced a description of critical infrastructure relationships that illustrate how or current organizational provide risk management support to owners and it easier formake them to collaborate for us. what does that mean? we shared with you how he big complicated departments are organize and what are the portals of entry so you know how to get help and provide the ideas. we provide instructions on producing classified cyberthreat ability o include the of critical infrastructure
10:03 pm
partners to respond to the significant threat. i said unclassified. let me put a bookmark down. of the challenges quite frankly is to increase the capacity of those who are owners and operators of critical receive cture to classified material and to receive it on a realtime basis. so the information sharing challenge goes both ways. it goes from private companies us, but also us at -- at the unclassified, but the classified level to you. procedures for the expansion of the enhanced ecs security services, program to all critical infrastructure sectors to cyberthreat reater information sharing. and we have provided recommendations on incorporating security standards into acquisition planning and contract administration to see taken now to be
10:04 pm
procurement g requirements more consistent with the cybersecurity goals. what does that mean? it means that we have to incorporate thinking about cybersecurity when we're purchasing i.t. and likewise, the same needs to owners and operators of critical infrastructure. what are the security needs, how sustain intain and them. commerce, the of national institute of standards and technology continues to cybersecurity framework. that is due in october. so there's a lot of work that's throughout the last month, ongoing throughout the summer. significant engagement by the sector. next up for us will be deliverables on the public/private partnership cyber-dependent
10:05 pm
infrastructure identification. what does it mean? it means that under the ppd and eo, it's the responsibility of the department of homeland what is theidentify nation's core critical infrastructure? talking about? who was included there? we do that from a risk management perspective. core or of infrastructure should be taken down, should it be rendered set of le would have a cascading impacts similar to hat we see when an electric utility goes down for a period of time. to, in this case develop situational awareness capability for critical infrastructure. need to update the existing national infrastructure plan, that nip, and e need to develop critical infrastructure goals. how, goals are basically to the what -- you know, how are
10:06 pm
we going to get there? that we he framework all together seek to achieve? is a very active process right now. it's fast moving. a very aggressive timeline when you think about directive and executive orders are issued and when we are responsible to have and to have the performance goal set, the definition of core critical infrastructure set. and the public/private partnership moving. within dhs, we have been busy and nly maintaining sustaining the capacities we had, but building on those. i must say ay, that's somewhat of an interesting challenge when you there's e a budget and sequester. all i will say about that is, if look at the president's budget request for dhs over the years, you look at what congress has actually
10:07 pm
appropriated including in the fy-13 budget, you cyberarena,at in the we have had dramatic increases in funding? why is that? because i think there's a general recognition that we have to build civilian capacity where cybersecurity is involved. that, your look around the government, where is the home for this? it will be within the department of homeland security. that's where the core sharing should come. critical infrastructure is concerned, that is where the information should be shared and that is where we should talk about how to do the most we can, the best successful revent attacks while also dealing with resilience should an attack succeed.
10:08 pm
i don't think we should let congress off of the hook. set forth the civil liberty safeguards. we need legislation to make sure realtime information sharing occurs. we need law enforcement tools in the digital age. this is ed, and peculiar to dhs but very, very important, we need the same kind hiring authorities that are within the department of defense where cyber is concerned the allow us not to use normal civil service hiring and so that we are even more exceptive than we are right now. we're competitive for cyberexperts, why? competitive because of the mission we're forming and the fact that if people want to be really is the t
10:09 pm
foundational work for the cybersecurity is involved from that security i ect and that security talked about, the work is at dhs. mission itself is a huge recruitment advantage for us. but let me not say that we all understand that there are other need to take ople into account, including how much they can get paid. want some relief there. has to be done by statute. meeting with ear a critical time. you see people in and out all day. they're working on all of the deliverables i just discussed. moving very quickly on the timelines. cannot succeed and this experiment will not succeed total buy-in by the nation's operators and operators of critical infrastructure.
10:10 pm
10:11 pm
from secretary napolitano we'll have a chance to respond to. let me say on what have of we are for eciative sponsoring the series of programs that we'll call a it's al conversation and great honor for me in particular personally to be able to moderate these discussions. to me was interesting that secretary napolitano talked about what she called there in grand experiment. this is the first time talking cybersecurity challenge. this is the first time that the has really in a ense depended on the private sector for such an important partnership role. i noticed one word we did not all is the word mandate or mandatory.
10:12 pm
and what a different standard from a year ago from the time that the lieberman conversation when mandatory approaches were part of the discussion. the word she used instead is incentive. i noticed she didn't seem 100% that this approach was going to work. referred to it as an experiment. she said she wasn't convinced that the private sector is ready to fulfill its mission. begin with that point. this is a provocative idea that scope ity problem of the and scale that we're facing in cyberdomain the government depending on private sector to play a huge role. verdict is out on whether the experiment is going to be successful or not. down the line and get your own thoughts on this
10:13 pm
and whatever else brought your the secretary's speech. secretary chertoff? novelty. we're used to the security, the national defense in law enforcement is largely a responsibility. we may have private guards but we don't expect the private depp fend itself against attacks for the most part. obviously what's different here dealing with assets largely e that are distributed throughout the united states in networks and private hands. for the u.s. government to own the major responsibility for we'll ng the networks, put the government into everybody's computers and networks what we don't want do is to keep them. that means it private sector has shoulder the major responsibility. i think the secretary is right. two-way street.
10:14 pm
you say i operate in critical infrastructure, but i don't want i don'tss to it because want to go off line for a couple of days. as we heard in hurricane sandy hurricanes, a lot of eople depend on that critical infrastructure. so there has to be acceptance on protect the ion to assets and their employees. be a s got to collaborative effort. mechanismswe can put in place that we can talk about it in a little while, i think it will be done. but i think the message is at he end of the day, it's not done. and if the private sector does a major up and there's event that causes significant damage, the or demand mandates.
10:15 pm
hats here.orn both you've worn both security hats in the government and private sector. > i find the private sector really does understand the responsibilities here. scale ference may be in the amount of money that's required to be invested. it's always a discussion. but the idea that private sector does not understand from either risk, from a al customer value perspective, the i think e of this, we've gotten to that point very clearly now. question for partnership is how does that partnership work. here are many definitions of partnership. one is top down, one is bottom up. up. i believe it has to be a artnership of mutual responsibility and respect for what we each bring to the table.
10:16 pm
war, it's e the cold the stepping off point. most of this is back of the the future. you look at the nation's response, it wasn't saying sector, take care of this problem for us. because the them threat requires a society response. for me a stepping off point with is so rticular issue sobering is back to the issue of al qaeda threat in the late '90s, some debate in circles nal security about whether it was the serious threat. while i fell down that it was, i can accept there was disagreement. threat, i rticular know of no other else that consensus amongst the top officials that look at it as
10:17 pm
expert everybody is an on the academic side. that it is the real problem. and we're getting the act deal with it.w to threat warrants the mobilization effort that is in ired that we have seen the past. beyond just saying can we split this out. happiness on our the side here, thanks very much. choreography challenge. you need rinkle, why the engagement, they're global or infrastructure. lot of this -- the juice, the power that we get up here in the northern new england area is quebec. you have a conversation amongst state, local, and tribal networks that sprawl across borders, you're not going get from here. players are in these markets. that's another reason why the critical.hip is so
10:18 pm
you mention world war ii, it's interesting. i heard the point that in world sector the private albeit playing an important role, it was a support role, the guard. if there were to be a major cyberconfrontation -- cyberconflict, the private sector would not be in the rear. the private sector would be on front lines. that is a very different situation. >> that is the difference. providing the but ial and the support this case the conflict will be network. a case in which there was public attack. so there you have the tip of the spear or the people who are network. in the this requires, actually, we think carefully about how we coordinated response.
10:19 pm
were a cyber9/11, you want the private sector and the together.t working to do that you have to have a advance, a ing in mutual understanding of what's coming in and what's within the network. that's new for us. it's going to make people uncomfortable. people when i o was secretary, accept the fact the government is going to be in network. the question is which government, the u.s. or the chinese government. but no way to take cyberspace and remove it from the domain of conflict and threat. >> i promised jane i would not quote anyone from lunch. but i can say generally there was a lot of concern about the cybersecurity. ecause in order to protect the networks to the degree we all
10:20 pm
agree, it's going require expenditures, a big investment. and whether the private industry is able to come up with that funding is a big question. whether the government can come big th that funding is a question. whether the government can to ire private industry spend that money is a big question. does this mean that the risks is have to accept? >> risk is part of the world we live in. is, what's the mitigating that risk and are you going to fire it to the net or are you going specific steps to deal with the risk at the right level mitigated ityou've appropriately? this is expensive, but not so do it.ve you can't the discussion we had earlier
10:21 pm
the things that can thwart many of the risks that we simple patching and vulnerability that we know about. it's not that it's so expensive but getting people to and to do it in a specific way. there is not to the threat of a massive attack on infrastructure, but rather a scale. protectabout how do you cyber-9/11? that's a different order. >> the change here is we're from the cyberthreat stealing data or disrupting comment to basically deering them. you could do it as it was laid
10:22 pm
generator substation or pipeline or hydroelectric can go on. the net.tems are on some are so old and daily broken, you can't commandeer them. stepping in to the economics. that's the challenge. coming late to the game. boilerplate on the safeguards or the systems that safe.not built to be made ramp's a bit like taking a home and make it handicap accessible. expensive, ugly, and not work well. everybody looking at the going, oh, mye and god. we need to talk about designing safeguards.
10:23 pm
in. is the world i'm the private sector is working and in glove essentially with the folks who are developing the ideas and the applications. is the security conversation happening after those things are developed. simple.omic case is if a business wants to continue to provide a service, it doesn't disrupted. the cyberthreat is going to disrupt it. the cost effective way you assure the continuity of that business, that's where we need have the conversation. and tcretary napolitano others were disappointed that in huge effort ended failure. learned e been lessons from that?
10:24 pm
i helped out pro bono with members of the senate. they were migrating to a compromise. a broad compromise then the session ended. challenges on the information sharing side and on the standard side.ng legitimate concerns are raised. there's an k opportunity here about what is is rtant is that urgency.ding the maybe there's not a real appreciation. theoretical no discussion but they're dealing in the area. not if god forbid we had something
10:25 pm
you would n cyber, see legislation. people didn't like what was coming, we had a few that would see.nhappy with what we so the time to think about it in plan is in advance, not the immediate aftermath of a big event. >> i remember covering this in debate last year, there are a number of comments made by that owners side of critical infrastructure, in utilities y in the too often downplayed the threat. now, i just mentioned there's perhaps now to the urgency. would you agree with that? we all have come to understand the nature and how it impacts our business models and do research, protect the intellectual of erty and those sorts things.
10:26 pm
say people downplay it, but what level of risk are for ing to be available managing to. understanding the risk and the threat to our operations and our very clear ink, is in the private sector. >> one challenge for private mystified.t's all a lot of civilians who hear this jargon and throw their hands up feel that it's so complicated, either we can't deal with it or we're going to it a technical problem. in fact, it's not too complicated. you want to manage the risk but it, you n understand can translate it to plain english. there are things you can do. decisions, do you allow everybody to bring their own
10:27 pm
device to work. get to take their own thumb drive and stick it to work and bring god knows what else in to the network. they're not technical issues, policy and governance issues. >> private entities that cut in the shortenefit run by not taking those measures. to bat is that we're misdirected. standards. if you're a large company, you're doing the right thing, a smaller player say i'm not going to do that, i can offer different price points. if a standard is set and people have confidence they're in playing have a level field. is the trust between private and public players. sense, it will make whether they will address the problem. should eal conversation be about that.
10:28 pm
two-way e get into the street and develop the standards versus the standards is can live that we without. how been doing this for many years? and we're is growing faced with the reality that we're not making the best progress. up to the representative private sector. s-word, used the standard. tay already. i work at tv. standards are important but they realistic. often this conversation is so that people get turned off. >> i think -- mean by that.
10:29 pm
going to come to the end tomorrow if you don't do this. it's not that dire or drastic. the conversation about realistic addresses bout what the vulnerabilities is what needs to be had. a lot of times the conversation well, you shouldn't do business in so and so. can sell go where they things. having a rational discussion of be to e standards should address the risk, most of the companies would come to the that discussion. of threat t be out mongering as i call it? >> are you guilty of threat mongering? >> mongering the threat here. newspaper.the that's public reporting.
10:30 pm
they're obviously also important knowledge too. one of the 's reasons i think by the way making classified information because you -- you declassify it or because you have people to be clear, there's important part of this. in terms of standards, it would collaborative. would involve the private sector and public sector. general base standards. that requires the private sector as well to recognize that they hurt if they are outliers that don't bring up their capabilities to a reasonable risk management. i think that's what the experiment is. i think if they get good forward.s going i think it's got to be dynamic. not a static threat. recognition as we said earlier. there's not risk elimination. management.k but the one tool the government
10:31 pm
which is important is looking at the liability system, having insurance play a role here. using that as an incentive. a they make an investment to reasonable degree and they meet some standards, they get protection to spur investment. >> that's why this conversation is hosting it. other places are important. we can't have this conversation without education -- without the public iq up a bit. hygiene are our behaviors. it's an act of leadership to get out after talking to government. that's going to be the backdrop public to say i'm willing to pay or support one way or the other. don't get there, we'll have a problem.
10:32 pm
the instance of this is the utilities. just set ties can't the rates. they are governed by states. those utility boards overseeing it are trying to keep the costs for the users down. trees are colliding with the in new england, aging equipment, backup substations. those all have risks. the government comes in and says you need to take on this new set of problems with these new costs. the way, there's no relief on your price because the public doesn't get the rates will have if we have a problem, to make users both public and the companies to depend on that part of the conversation to say this is an acceptable cost i'm willing to bear because it will provide me service that i need. anybody who lived in the east, i as in new jersey and connecticut. i discovered that's a proposition.
10:33 pm
civilized hat for a country. most people will be happy to pay more in the rates. to understand when they're connected. >> i know when i was at the lunch today, we have a distinguished group of people in audience today. microphones on both sides. if we're willing, identify yourself if your affiliation and first.ompany open the floor now to questions in the audience. in the back? >> urban studies program here at the urban wilson center? >> okay. >> i have two questions, if i may, be patient. i read in this report where they talking about a lack of cyberprotocols and they went on to say that the problem is no wants to take accountability
10:34 pm
for creating the protocols or cybersecurity. who will be accountable? we need the laws, the accountabilities, the protocols, who is going to step up and take responsibility for creating stick to it.et's is the nd question number of devices used to commit they're es and promoting, helping terrorists, they no longer need a stationary terminal to cybercrimes. since mobile and cloud computing is growing, rapidly, it's out of control, who's going to take responsibility for that? who's responsible for governing cloud communities and devices use controlling people who them to commit these crimes, thank you.
10:35 pm
>> presumably, the framework rolled out to be this fall as a result of the executive order will address issues, right? >> some of them. you put your finger on an important issue. every enterprise can set its own requirements and standards. at large, it's libertarian. by the way, there are people who absolutely committed to the or the t any regulation internet is problematic. there's good reason to be leery that.ing so i think it will be much more will rise specific and it be about standards. on the issue of who will bear that's onsibility, american life. a round of finger pointing. a 9/11 commission and we'll go back over all of the things we
10:36 pm
should have done and all of the reports that were written before will be brought out and people we warned you. we worked hard to avoid that by place a set of practices and standards and capabilities in advance that dramatically the likelihood of that kind of event.ophic reinforces for me that we have to talk about this in the design stage. having to talk about this conversation in the university world, in the where these are being done. not to say they would get the ultimate outcomes. there's sensitivity there. we're dealing with this after the fact, trying to develop safeguards being aware of vulnerabilities. government does have a role to play in supporting accountability.
10:37 pm
we theroned this over a long time. standards are forged. be rcement ideally should third parties, user base and so forth here. but there's a need for the to make sure that, in fact, outliers are not outliers from the e isolated system. ing on way we know how do this stuff. talk setting standards. but some of the issues, there ability of e policing. may not be domestic. to move forward. made the - whoever
10:38 pm
comment before that we're in the discussion the because i think we get some back-and-forth thinking when we talk about the threat and how combatting this. we're talkingthat about which do exist solve 90% of the problem, a, currently already exists, and, b, those are going to combat the low-level threat. i don't know anybody who thinks the standards or the framework that comes out is going to be effective against persistent threat that could take down the electric grid, etc., etc. that's the area i'm interested in. secretary chertoff said, and i him, that the private sector is going to have to step up. the private sector is and willing to step up. i'm curious as to what the
10:39 pm
government does to assist the private sector. not talking about a little more money, we're talking a lot more money. 8% as much money. o we're going to need big incentives for that. what can the government do to private sector in taking on this unique and fairly substantial new role? >> first, you're right about that. you have to separate the majority of small businesses to make a relatively modest investment to take care of the 90%.o must of the discussion we had was the top critical infrastructure. those are enterprises, if they fail, there's a huge effect. the air traffic system failed planes started to fall out of the sky.
10:40 pm
i'm not saying that's going to happen. that's the idea of something. you need to have an focus on the advanced threats. different standards there. what's it going to take? some of it is going to be enterpriseso get to in that critical field to raise investment.e of recognizing that as a benefit that, they should get liability protection and caps. they don't have after the world after 9/11 where everybody sues the owner. that's a road to bankruptcy. that's one set of incentives. i think the government has to be of tly bound in terms information sharing and sharing of techniques and capabilities. going to require maybe looking at the law again and going to be addressing people like the idea of the government being involved in this. but if something happens really fast, you're going to want to have the government working side-by-side with the private to stop that. so those are a couple of areas
10:41 pm
that we're going to have to work in. add on the critical infrastructure component, the high-threat realm. there's a little bit of what's challenge -- cyber is all of what everybody is focusing on. that's where the resource is going. we should all talk about cyber. withe need to talk about the state of the infrastructure and the range of risk for the infrastructure, cyber is one of those. society, you ed need infrastructure to work if advanced.o stay if you don't maintain it or upgrade it for the types of weather events, so i think part of the element of being more just sful is not disaggregate the conversation from the larger one we have with the public is how do we assure that mobility, communications, of this water, all happens because one has a disruptive risk, the clear and present, is signer is.
10:42 pm
not going to be talking about infrastructure safeguards to show continuity. to broaden the conversation away from just cyber. that's the physical that's the opportunity that we haven't harvested yet. i'd like to go on, to frank taylor's response secretary chertoff's explanation that liability might be an incentive.
10:43 pm
another question. back here. you? >> thank you, i'm jake warwick, i'm from the center for the study of the presidency and congress. what would have the play for required standards for companies. thinking, for example, the grid act. >> what? >> the grid act in congress a ago and failed. any of you -- challenge is aggregating utilities from their customers. and take the port authority. day rough any given
10:44 pm
hours like the way it is in new york and in new jersey. 1.8 million people in a authority facility. in the terminals, bus terminal, airports. all of that requires energy if it's going to work. sandy.aw again with that customer is not part of the utilities n with the and saying what are you doing to make sure that the power stays mission is ur critically again depend on your mission. one of our challenges here is to broaden the focus of not just sector to do finding a asically way for the sector to make the case. would be nudging procejonlgt along.
10:45 pm
>> they're looking continually upgrade.of remember, if we go to a smart going to y node is become a potential aperture now where malware can come into something. it's what i mean about it being dynamic. what'se to stay ahead of happening. >> i know from talking to there's actor people, concern about the compliance mentality being a product of the talking about. regulation is helpful and poorly. if it's done so a compliance regiment in this fraught with w is danger if it's not done properly.
10:46 pm
if it's mandated -- we had a cfats and howabout that rolled out of dhs and the talent -- facility.emical 50 the chemical facility. but not a lot of private sector input to that. it adjusted over time. just coming out with the without realgiment collaboration, cooperation on this. that the private sector does not understand this risk, we operate globally. we operate with the internet and cybersystems being critical to our model. we're attacked every day. of e have an understanding the impact of this. the question is, how do we work governments but not only governments here, but governments around the world to what's on that et york that iminal acts against
10:47 pm
network occurring around the world that impact us as well as impact security and certain regiments of regions around the world. >> i would like to invite any of the folks at lunch today. comment to make or question, i know we have a lot of concerns that i think represented here. dan? >> with caterpillar. really tactical question. but one of the things we've seen is there's a major vulnerability caused by poorly written code, code that underlies our applications, our operating telecommunications devices. andalked about the security having code that's stable, that's secure, that's just not happening. silicon valley. route 128. about the
10:48 pm
he same are inherent in the same companies and the violations. they write bad code. can't be mething that done on the private sector. it can't be done purely on the sector.nt has anyone given that a thought? whole we change the vulnerability plan? >> so many codes are not written silicon valley. sometimes the problems are deliberate rather than accidental. push to get code out quickly and to update. domain, ng time in this the pressure was get things out quickly. the security element is not a major feature. the customer has a lot of say here. the customer wants to look at validation and
10:49 pm
that's true. that becomes supply chain security. e use a whole other chapter of whate with want to talk about. >> acquisition rules are key. acquisition,ernment that can lead the way. just corporate one. the gaming industry, the gaming years ago were like everybody else in the garage. is now the gaming industry very large players who push out products for a lot of people. there's a lot more leverage in to say before you give me "x" product, i want it diligence here with regard to the code. not enough has been done about clearly. cultural sense of change. we all hallenging that citizens have it policing activity.rnmental
10:50 pm
>> one of my interests is to tie events and rent news. napolitano pointed out the solutions we're talking arguments the approaches we're talking about are going to require a level of intimacy is she used between public and private sector. curious if you had any thoughts that the recent collaborations among tech companies have jeopardized, made more difficult, or tainted the whole collaboration between the private sector and the government? >> she said quite rightly, we emphasized. what we're talking is completely different from the other program. public discussion, a lot of conflated. there is a risk that some
10:51 pm
be when articularly there's not a bad event, they themselves worked up imagining or hypothesizing it's going to be a big government thing. there are things in the private sector that are not going to be rolled back. not again dent on networks for not only moving information things happen. it's best to inks let things develop is going to be in for a rude awakening. to be honest about it. we need to be clear. and frankly since you're a journalist, it behooves the media to spend time actually explaining with clarity what is proposed as opposed to disgruntled one person may spin and put it out there as if it's the gospel. i agree. and lors the dialogue
10:52 pm
discussion. it has to be a public discussion about those issues for people to understand. these are complicated issues thought le haven't about in terms of their how that is and exploited. theft. about identity but the more sinister aspects of that is not clear to the public. one that said the government had last for $5,000 in the month. you read between the lines, you don't do a law enforcement investigation in this company without going to get the cell records. it's a part of how law enforcement gets to the facts. it's a push about the big government involved and the private sector.
10:53 pm
explain that more efficiently and how this part of infrastructure protection is quite different from intelligence collection and those sorts of things i think will go a long way towards the how c better understanding it must work. reflects in part the transition that they were going through. the terrorism threat is governmental. the job is for citizens for travel. apparatusg to put the on steroids and make it go away. this many years later, the gone away.not and also that the way we get at targeting is it's the civil sector is to engage the broader sector in the civil society. the cold war apparatus is is it's not governmental.
10:54 pm
some things have to be closed but i think what the government has to realize is it needs to of more openness about what it's doing. the president is saying that. we can work behind closed doors and take care of are gone. and if this messy situation we helps us make that cultural shift that much outcome s a positive instead of a positive one. to give each of you an opportunity if there's a point you left unmade or a comment that you can throw out there as one of the final parting thoughts? to thank the woodrow wilson center for highlighting this. we are at a time when people are focused on this. this is a little bit of a talking about the private sector having responsibility and accountability at the infrastructure level.
10:55 pm
let's not put it indefinitely or unhappy place. comments. echo mike's the private sector understands risk. the risk to the reputation, to our customers. that every day. in the t with our heads sand talking about what the government is going to do. this is day-to-day. integration of that, the structures of countries and other countries, asking the same questions will be the real challenge. that's where the partnership has to be. has towhere the dialogue be. i spent 30 years in the airport ago, the government was having a discussion after who's in charge and who's going
10:56 pm
when we saw able years ago. some public e juncture in private discussions in terms of what's the share of responsibility. who's going to lead the way. processes that we're going to use to do that? a political science point of view, a fascinating moment. >> we're representing sectors and the sectors are there. i'm delighted to have a of this be a part conversation. academia has to be a part of this. that means the manhattan project mentioned earlier was taking a bunch of people who were smart and knew nothing about national security and harvesting the expertise to deal with the threat. have that. the strength we have in this
10:57 pm
10:58 pm
>> next, q & a with the national affairs editor. that, british prime minister david cameron takes questions from the members of the house of commons. and the recent g-8 summit in ireland. tomorrow, a discussion on u.s. mexico cooperation with mexican ambassador to the u.s., eduardo medina mora. the assistant homeland security secretary who used to customs ad of the u.s. and border agency.
10:59 pm
we were rolling out residential services.commercial bringing the bundle to the market. we started bundling them together. before that, the high of product today. able to get to new businesses that others didn't dream about. got in there so early. >> everybody understands sports spot of media. it's almost the only thing you have to watch live. increased its value. and i think everybody is seeing that now, whether they be social media sites that are partnering tweet about sports or
11:00 pm
show sports that we have. networks, other cable networks, i think everybody understands they're quite valuable. >> more of what's happening in today's cable industry from this year's annual cable show with leaders of two of the country's communication companies. the communicators, monday night at 8:00 eastern on c-span 2. levine, k, yuval national affairs editor on public ssays and thought. your wikipedia site has in the second sentence, "he had been