
tv   Newsmakers  CSPAN  August 24, 2014 6:30pm-7:01pm EDT

6:30 pm
want to warn those who came here illegally. what is compassion? he did not articulate them to demonstrate the passion. this is going to be the questions they have to answer. it may not be important to get off the base. if you want to build a national coalition you have to build policies. >> we will leave it there. thank you both. >> thank you. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014] wax tomorrow, a look at how the health care law has been implemented in southern states. speakers will include former vice chairman of federal reserve alice rivlin. we will hear from the online news website via lakhs. that is live on c-span.
6:31 pm
>> this month, c-span presents a debate on what makes america great, evolution and genetically modified foods, issue spotlight with in-depth looks at veterans, irs oversight, student loan debt, and campus sexual assault. it perspective on issues including global warming, voting rights, fighting infectious disease, and food safety. find our tv schedule one week in advance at c-span.org and let us know what you think about the programs you are watching. join the conversation. like us on facebook or follow us on twitter. >> a discussion on cyber security. -- how agencies are
6:32 pm
responding to threats with new technologies. deputyhe speakers is the secretary for cyber security and emergency communications. this is an hour and a half. >> i want to thank our guests for coming in. this is one of the best lineups we've had since i joined five years ago. thank you very much. thank you for coming in this morning. i want to move briefly through the introductions so we can let each of them speak and have time at the end for questions and answers. is topic we are addressing that you have ever-increasing challenges securing government networks. one side is agencies have care -- the uncomfortable younger parable, the ever evolving threats hitting the
6:33 pm
internet, smartphones, anything connected to networks. on the other side, you have ever shrinking i.t. budgets. agencies are getting pretty creative in finding ways that computer systems are secure. let me introduce each of our guests from industry. we have adam firestone. he is government security solutions. he has been in the industry for years reporting very us agencies. he is a u.s. army officer. then we have roberta stempfley. deputy assistant secretary for cyber security strategy and emergency communications.
6:34 pm
she works to minimize disruptions in government and the private sector so that government can keep going. she spends a lot of time youring the .gov name that work with on a daily basis. we have a longtime public servant. he is the chief information officer at the pension benefit guaranty corporation. part of that job involves securing some very sensitive information about pension benefits in the private sector. and servesks at dhs as a cio at the commerce department and various other agencies. itby used to work at the wing of the defense department.
6:35 pm
i will let each of you go into your roles more in depth and talk about the role you play in forward looking cyber initiatives. believe is a longtime in the labs in general that there really is a binary definition of the world. there are people that want to create a safe, stable, secure cyber environment. it fosters stability. education. there are people who want to break that down. that is a comfortable place to be for me, personally. i get to be a good guy. that's kind of nice. look at the world
6:36 pm
is, what is the state of technology and why are we here you go we see a lot of net 95 artifacts. the internet as it was designed. as it was when we first started using browsers. that was an internet design for use and an ability to get on rapidly and exploit it rapidly to do good things. that design paradigm exploits itself to inherent insecurities. the question we ask when we look at what to do going forward is what can we secure? hack can we do this in a youable, affordable -- cannot rebuild the whole thing. it would take many, many years and nobody could afford it. how do we do this without boiling the ocean? we look at specific spaces at the front end of security. much of what we have done in the
6:37 pm
past is respond to security. what has happened, what is happening? how do we respond to that? me personally as a systems engineer, how do i build it right the first time? how do i look at where the holes are, the white space, if you will. and start to put solutions in place that respond to those challenges. as we move forward, the big technological imperative will be, where have we gone wrong? what enables the insider threat. what allows data to be useful to those who view it. address those problems up front. we have a lot of basic stuff we can do upfront right now to secure the net.
6:38 pm
>> good morning. thank you very much for giving me the opportunity to talk to you today. this is the second one in the series i have been to. i have been with the department of homeland security for more than four years now. 19 years in the defense department. i had a variety of roles including being a ctito in a defense organization. we have been engaged in this for a much longer time than i am willing to admit. one of the things that is certainly true in what we do at the department of homeland security is recognizing that cyber security is really an unbounded problem. unboundedness gives us
6:39 pm
the place for innovation. generally, they have been thought of as technical. i am proud of the many we have including the indicator exchange and mechanisms to automatically share threat indicators that puts into hands the people who can do something with it what they need. and get people out of the problem as much as possible. i am proud of so many of those things. innovations in other areas as well that we have really been pushing. there are innovations in how we deploy and how we capabilities. we talk about contests that cio's are in. it is true in the private sector and it is absolutely true in
6:40 pm
the public sector. you think of the realities that sequestration caused. the realities that i have faced and i could only imagine that you face every day. support to a responsibility where all of the resources are going towards the responsibility and we are asked to transform an organization, lot. is not a whole it is best to think about how to be most useful to departments in the federal government. if we think about programs, the continuous diagnostics and mitigation, which is a first time ever procurement method for deployment of capabilities to cio's that can best be used by the cio. collaboration between
6:41 pm
departments and agencies that will provide innovation in business processes inside the department. there are great opportunities that can alleviate some of the allow from the cio's and them to focus on the principal innovations and responsibilities. those are the kinds of things that we recognize. innovations in business models that are important and are really facing us. one of the most important areas where innovations are happening and need to be happening more is a workforce. unbounded area. the enemy gets a vote. you cannot forget that the enemy gets a vote. the demands of our users are changing. the reality of our customers are changing.
6:42 pm
facing a dramatic shortfall in professionals who understand this. we have to have innovations in how we identify, develop, and bring into the workforce the rest of the nation as well. it is another place where interesting innovations are happening. it is another reason why the department of homeland security is such an exciting place to be. we are in the midst of all of that at the same time. >> good morning. thank you for giving me the opportunity to be here this morning. i came back to government about a year and a half ago after about a 25-year career in government and the military. i went off to the private sector. what is the biggest thing you notice that is different? it is security. it is the threat level that is dramatically increased along with the active participation of
6:43 pm
the cio as being involved and engaged in their organization as a cyber threat. before, it was really easy for the cio to give your organization the reins to go do what they needed to get done. has to be deeply engaged in the partnership to make a change around security. some of the things we mentioned already, it is a balance between the innovation piece. how are you bringing new tools around security and keeping the day to day going and addressing the needs around security? that continues to be a big effort. budget issues, i am fighting those weekly. buying some of the other tools.
6:44 pm
what is important to you? it is finding that true balance of what works. a lot of it is not so much the technology, but the process and the people and getting them educated and learning to think about security from the beginning. that has really been a challenge over the years in getting these units to embrace security and not looking at it as something that the cio will handle. a good has to be marketing person to work with the business units and work with the benefits of embracing security early on. >> thank you. walker, program manager at the defense advanced research projects agency, was going to be here. he had a last-minute conflict. he was going to talk about
6:45 pm
robots doing cyber security. if you want to learn more about that, we will have a cyber challenge. you can find out more information. first question. how do you combine existing legacy systems, processes, techniques with new tools and procedures so that you're not throwing away investments? this goes for existing contracts. you are changing procurement processes. workforces, how do you train them to meet the demands of the cyber world. do you want to go first? >> we have the finest acquisitions force in the world. i believe that 100%. it is not sarcasm, it is not a joke. this is the community that developed systems engineering.
6:46 pm
standard 498 became an ieee standard. when it comes to buying stuff, and complex stuff, aircraft, tanks, ships, they do extraordinarily well. software and cyber, unfortunately, are an area where taking someone out of the user community and having them help run or identify the requirements is where the model fails. how do we do that? it was veryife, interesting, i was working on a weapon system. it had legacy components and i had new components. what i also had were industry developer teams who worked with
6:47 pm
the program office to deliver this kind of capability to the government are. those development teams, more so than the government, put the brakes on new technologies. why did they do this? they did this because it was new, it was risky, oh, my gosh, i don't know how to do that. and it was wrong. there are two sets of obligations we have to look at in terms of innovation. it is less technology. mentioned atl was the security forum by senior nsa officials as a way of mitigating and moving forward from the damage caused by the events of last year. has been around, that standard since 2004. there have been more than
6:48 pm
adequate commercial tools available for integration that supports such access control mechanism since 2005-2006. it is not a matter of untested technology. it is more a matter of changing the acquisitions landscape. we need to do this in two ways. we must support our acquisitions professionals with talented and knowledgeable people. whether that means we create a new structure or having cyber aware or technically aware folks tours with those people or whether that means we create a separate career path within the government or the military to account for that, that falls into the weeds. that is a limitation. the second part is a commitment from industry. my last 20 years have been in
6:49 pm
industry. we need to step up to the plate. we need to say it is not enough just to know the domain. if we're going to work in this area, cyber is so important. we really need to put our best foot forward. everybody who walks forward has to be the triad. that is domain technical process. you need to understand what you are working in. you need to understand and be conversant, i am not looking for experts. i have five people in d.c. that can handle all of these. you need to be conversant in the technology. you need to be understanding the process. you need to understand the process by which that technology is applied to the domain. if you can do that, you can start to remedy the acquisitions
6:50 pm
hole that we fell. that acquisitions hole is represented by the fact that our security is done at the tail end. if you look at your engineering teams, you have people that look at security and think about security. more often than not, we push that to the information folks at the tail end, the last five minutes before it goes live. instead of requiring that to be built in by our developers, our systems engineers. and $2.50nion, this gets you on the metro. i work in virginia. that we reallyis need to start addressing the needs of our acquisition community. there is a gulf right now.
6:51 pm
as an industry guy, i can tell you everything that is broken. if you want to buy me a beer afterward, we can do that. that is the wrong answer. the right answer is to say that we understand what is needed. we understand where the gaps are. let's start closing the gaps with policies and norms. when i was a cio, we had a saying. legacy work. i will argue a little bit with the question. that is that it is an either/or. in the environment we were in, we have things that were there, things that are there, and things that have to come in. for us, it is certainly about creating the space to have the
6:52 pm
happen.n that needs to whether that means long-standing commitment of the government to nonproprietary standards-based solutions. there is a reason for those. it is because it creates that space for sustainment of things that exist and have to exist and movement forward into the capabilities. enables us to get closer to the front end of the problem. i will use a personal example that will make me feel old. when i took my first programming class, all my teacher wanted was for me to print, hello world, on the screen. that is everybody's first programming class. no such thing as boundary
6:53 pm
checking. no concept. it was, print hello world. it was a long time ago. my middle row remington arms or took her first programming class in high school. her first program was to print hello world. there was no concept of boundary checking of her variables. conversation. a couple decades happened between those periods of time. we're smarter now. we have to understand what creates the environment. there are a lot of simple things that could be put in earlier and earlier. her first programming class at virginia tech was not to print hello world. they had a conversation about boundary checking. these create space for malicious activity to occur. the process is happening, and it
6:54 pm
is happening slow. the kinds of innovations that need to occur need to occur in all of these places. most significant challenges that we see with operators who want to focus on cyber security with government departments and agencies who are really trying to do the right thing to put in place the kind of layered defenses that are necessary is the hump they are getting over to focus on that. we need to find ways to get that as low as possible so that is not so insurmountable that they do not take that step. one of the principles we use in designing the program to support
6:55 pm
owners and operators is to identify that particular problem and articulate that in a way that can be useful. >> without losing sight of the legacy systems, they are going to be out there unless you have a clean slate and you are starting. focus on the new tools and processes. you want to look at the interfaces into the legacy systems and the new tools and processes. you also want to look at agile. more and more organizations are having success with agile. more and more are building security around agile. proving successful.
6:56 pm
you want to leverage existing technology. a lot of the shared services out there in the government. managed services in the crowd. -- cloud. >> that is really interesting. one of the opportunities that that creates is the opportunity to re-architect the business process, which increases security. the cloud movement, which is a really powerful movement, it is not just a technology movement. think where your data is. how holistically these drivers can do more than just one-step improvement. >> i am glad you mentioned agile. not just a project technique for software development. >> can you talk more about what
6:57 pm
agile is? about 10 or 11 years ago when a bunch of developers came together and said that the way we do software is wrong. the way we do software is wrong. we assume today that we are god. in the room, let's try a test. everybody in the room who knows exactly what is going to happen if every project they have three years from now, raise your hand. you are amazing. how do you know what is going to go on three years from now? [inaudible] you would be the first person i have ever met that has known that in advance. that is pretty impressive. the reality is that you don't.
6:58 pm
these guys and gals got together and they don't. we have an idea of most of the things that we need to do. we also know that people do not work well for long periods of time under pressure. i guess you can get those five developers to work 150 hours a week for a week, two weeks, three weeks, but by week three, they are crashing and their productivity tanks. they sat down and they said, how can we come up with a technique where we understand what happens and we can prioritize what goes first and we can determine what needs to get done in terms of functionality and then we can get them done? i have this much, i will
6:59 pm
allocate this much to this two-week period and work my way down. i will have a manage process to work our way back into that list. i can have a continual and governed workflow that allows things to get done rapidly, i can learn from everything that i do, i am going to demonstrate capability every time i deliver. it.'s how i'm going to do reeing introduced agile to th different programs and watch the difference in productivity, not just to software development, but in engineering, logic development. it really works. let me talk for a second about agile and how we would implement in the delivery of our
7:00 pm
systems. let me start with the premise that software is broken. how do i know? every week when i shutdown my computer, it doesn't shut down. it tells me i need to wait. it is doing stuff. it is downloading updates. what are those updates for. those updates are to fix the problems that shouldn't have been with it in the first place. think about this in perspective of your car. if i sold you a car and said the steering wheel only goes 260 degrees, you would think i was crazy. don't worry, in two weeks i will send you a new steering wheel. that is literally what we do in the software world. we make the user today the beta tester. do we turnn is, how around and pushed a problem into an agile model
