Washington This Week, CSPAN, August 24, 2014, 7:00pm-8:01pm EDT
7:00 pm
of our systems. let me start with the premise that software is broken. how do i know? every week when i shut down my computer, it doesn't shut down. it tells me i need to wait. it is doing stuff. it is downloading updates. what are those updates for? those updates are to fix the problems that shouldn't have been with it in the first place. think about this in perspective of your car. if i sold you a car and said the steering wheel only goes 260 degrees, you would think i was crazy. don't worry, in two weeks i will send you a new steering wheel. that is literally what we do in the software world. we make the user today the beta tester. the question is, how do we turn around and push the
7:01 pm
problems up front back onto the developer? that is a technical question. the techniques and the tools exist today to apply agile techniques not only to the actual software development but to the methodology of the program management for software development. we can adopt things like continuous integration and continuous tests and monitoring. think about what this means. there you are as a developer. you are pushing the new code in, and that code is tested -- we don't only do functional tests. we look at the other four areas. if you don't pass those tests, your software doesn't make it in, you don't make it in. you don't get credit for it, and
7:02 pm
it doesn't go up to the ultimate end-user. it is a question less about what software am i delivering than the mechanism by which we deliver software. it is about changing the thought process in terms of program management for software delivery and project development. -- adam's opinion, four dollars? four dollars gets you on the metro right now. we need to think with agility. we need to implement agile both in terms of our program management and the methodology by which we develop our systems. the next question, building off of what each of you hinted at, if you train the workforce and the students how to think
7:03 pm
about security from the get-go, if you build the software to be , then you might not have to pay as much to fix problems down the road. can you talk about how innovations in technology, training, contracting, deployment can actually bring down the costs? what i've noticed is the cost -- because we have matured, some of the costs haven't come down as much. the threat continues to increase, and what i'm finding is it is really about the labor costs that go into the controls that you have to put around security. in my organization, we are spending a tremendous amount of time and effort around security controls that are out there.
7:04 pm
they overshadow the cost of the tools themselves. i think the program as it matures will help quite a bit, but that has not really matured yet. i think it will over the next 24 months. we will see a lot of price advantages. the new rev 4 just came out. it is like the cyber security bible for the federal government for federal i.t. systems. >> while you may see some decrease in the tools themselves, i'm still seeing a lot of labor costs that go around supporting those controls. >> one of the things that we see is, it is a bit like your cell phone bill. it has been $40 from the beginning of the month, but you are
7:05 pm
getting more for your $40 now than you were at the beginning. that's a bit of what we are seeing in the technology landscape. whereas maybe the license costs -- it is a great example. first phase of getting that done right now. the license costs are a volume activity. you are really getting more than just a particular technology, single technology for the dollar, and that is really important. as we've been talking about, it has to be layered, multifaceted. there isn't a single thing that is a silver bullet. there isn't a single tool that you can buy, single person you can hire, a single process that needs to be put in place. it is a multifaceted kind of situation. cost is one figure.
7:06 pm
the value is another. we try very hard to look at both of them. you have to have that trade. >> i would add onto that and say that the third thing besides cost and value is maintainability. i'm going to date myself again and say that i was really a journeyman systems engineer when service-oriented architectures became very popular. the principle behind it is really not all that different from web-oriented architectures or whatever they are calling it today. the idea is that i develop and deploy my systems as collections of reusable modular capabilities. i pull out the red brick
7:07 pm
with six connection points and replace it with a blue brick. there is no problem. they only care about what the interfaces look like. in terms of reliability and maintainability, one of the big cost drivers right now for our legacy systems is the fact that they are these tightly coupled, interconnected systems. that means if i fix something here, i break something there. the cost of maintaining that goes up exponentially, to the point where the cost of maintenance is equivalent to the cost of new acquisition. i will date myself again.
7:08 pm
7:09 pm
maintenance cost, which in turn makes your long-term investment, your total cost of ownership in the system, significant in the system. why does that matter? the dollar i save today doesn't mean i don't spend those dollars. it means i can turn those dollars around and apply them to the hard problems, to include the evolving threat nature that was pointed out. anything else you want to add? ok. let's turn to technology now. you have the likes of antivirus saying that antivirus is dead. what does that mean to us? am i not going to have scans running down -- running in the background of my computer and slowing down my system? what is its technological replacement?
7:10 pm
>> everybody's looking at the guy from kaspersky. that is where the company made its bones. there was a time when a perimeter concept of security was adequate. it is not anymore. in the cyber world, as the world becomes more connected -- if you look at middleware companies today, they drive your systems integration and everything -- if you look at their business message, their message is connected business. it means that this is an integral part of the whole. it means that i do worry about this but also have to worry about the servers that support it. i have to worry about the ipad, the iphone, the android,
7:11 pm
everything. i still have to protect this with some form of endpoint security. that doesn't go away. endpoint on its own is no longer the answer. we need to look at enterprise security. what is enterprise security? where do the problems go wrong? if we are looking only at the perimeter -- i have to tell you the perimeter is not going to hold. if we look at the perimeter and interior at the same time and apply the necessary security parameters, we solve the majority of our problems.
7:12 pm
7:13 pm
anthony wins the lottery. what does a guy like anthony do? he buys something. what does he buy? he buys a ferrari. he tells the world that this car is safe in his garage because he's rebuilt the entire garage. he's got chains to tie the car in every night. he tells the world about it. five weeks later, he comes out in the morning to unchain his car. the car is gone. not only is the car gone, but the chains are neatly coiled around the steel. the door hasn't been forced. there are no scratches on the locks.
7:14 pm
7:15 pm
remember what you can achieve, and security is all about that. it is all about assessing your risk and saying, how can i mitigate this risk most effectively? how can i continue my mission within that security paradigm? >> one of the important functions we have in dhs is to help people understand their vulnerabilities, understand the threats and the consequences. by others out there. in each of those areas, what we are dealing with is an environment of scope, scale, and speed that is sort of atypical of other threat environments. i agree with adam that there is a breadth of things that have to occur.
7:16 pm
there are a lot of activities that have to occur, whatever that perimeter might be, whether it be something around the most important of your data inside or something more broadly. you have to understand what is going on inside your environment. you have to have a sense of what your users might be doing. we are in this evolution time in the technology landscape, as long. it is happening in cyber security and other places. we are applying business intelligence to all of the data that we have and gaining insight out of it and then applying that insight back into the problem, collecting more information on it. we are applying that in cyber security, and when you think about the einstein program, the other program activities, the threat indicators we share, it's
7:17 pm
really about and flexing as much information for cio's. as a citizen, i expect that the u.s. economy will grow. one of the ways i expect it to grow is i expect industry to innovate. that innovation will be something we then take advantage of in government. i'm really excited about the prospect of companies like symantec and others pushing the envelope and looking at what is necessary in this environment. they are recognizing that the problems they are facing are of scope, scale and speed.
7:18 pm
there's a lot more that goes into it when you take a holistic approach around security that today you need to take into account. that is where the statement was made. it is not the end-all, be-all. >> when you are talking about viruses hitting your system, you are also talking about new viruses that these systems don't understand. you have to have the other controls in place you are talking about.
7:19 pm
a comment about what is happening in the environment: how much of it is something we have seen before and know, and how much of it is something that we as a community need to learn? it stresses the need to collaborate between industry and industry, industry and government in order to reduce the unknown as quickly as possible, and to bring forward that knowledge and insight and put it in the hands of others. i think that is really one of the places where innovation has occurred and more innovation can occur. how do we create that collaborative opportunity for all of us to move forward? there's a place where industry, government, law enforcement, intelligence, and others all come together and look at things
7:20 pm
in a vernacular, which is a really useful thing when we are talking about the need to respond and the need to protect. information sharing. i would like to take that further. information sharing fostered by the government and with the assistance of the government is good. that's great. it is important. the lifeblood of the american economy is small and medium-sized businesses and enterprises. we do not do an adequate job of sharing information among ourselves. 18 critical infrastructure sectors? 16 critical infrastructure sectors. what we see now is an attack against sector a, or sector one,
7:21 pm
and in sector 1 -- retail -- everyone talks. they don't talk to transportation or health care or the other 15 sectors. we can watch this and have a roll of these attacks go across the critical sectors. anything we can do to foster and make that security knowledge permeate those barriers would add tremendously to our ability to respond. >> does that have anything to do with the suspected chinese hackers going into energy systems, and now all of a sudden, we see 4.2 million
7:22 pm
7:23 pm
sectors is really vital. it isn't really exclusively taking the single threat indicator and providing it. the non-technical analogy i use: if you're going to break into a law firm, you wear a suit and tie. if you want to break into a power plant, you wear a hard hat. the same thing happens on the network. we have to have some opportunities for translation between one sector and another. it's why it is important to bring them together. folks who are experts can help with those transition points, making sure we can get that information turned around as it comes to us from one sector or another, or create the avenues
7:24 pm
for them to communicate with each other such that we don't have to be in the middle of it, and create it in a way that there is trust for people's collaboration. one of the things the deputy undersecretary is focused on is establishing trust. maybe we don't have to be in the middle of the conversation. how they can collaborate with each other in a way they are more comfortable doing, so that we can get that threat technical information that can create that very easily, and distribute that in an automated way. consume, produce, and provide in an automated way. the financial sector has taken our work even further. the bulletins we release are further distributed in an automated fashion.
7:25 pm
i am anxious to take that to the next level, as well, working with other sectors and organizations. >> i think we are also starting to see more of a shift from just the protection to the detection and response, especially over the last three years. also, more of a security in depth approach in using more behavior analysis and looking at what the bad guys are doing, what are their patterns of behavior, and using security as we bring to more enterprises. >> last question from me. the four of us are sitting here 3-5 years from now. what new types of technologies and processes will we be talking
7:26 pm
about? what changes are we going to see in the landscape, what ideally would you like to see? >> i would like my car to fly. there are two that come to mind. one of them is -- we are working on it now -- it is the understanding of what normal is, and normal meaning, what is a baseline for my network? what is a baseline for this user? understand that in a reliable way that minimizes false positives and false
7:27 pm
information, once we know what normal is, we can measure current activity against that normal on a regular and recurring basis. when we have that, we know when 32 gigabytes of information starts flowing to a user who downloads two megabytes that there is something wrong. we know that when given processes start doing things they shouldn't be doing, or at least now we understand what shouldn't be doing is -- so, understanding normal across the board, for enterprise, for individuals, is something i would like to see fully realized in 3-5 years. the other one that is particularly interesting, we need to look at the way we grant access to our resources. data loss prevention is a big business and big issue these
7:28 pm
days, especially both the insider threat and malicious penetrations from the outside. how do we ensure that everyone has the information they need? i can think of any number of domestic and international incidents that rose from organizations having information and not being able to share it. at the same time, we protect against inadvertent disclosures and spillage. i would like to see our data structures and resource access control structures being built in such a way that we really do control access to that data in such a way that everyone has access to what they need, or at least the parts they are authorized to. today, we do a lot of all or nothing access to data.
7:29 pm
it's tremendously expensive. the numbers for having multiple redundant networks based on ranges from $4 billion to $14 billion annually. we can address that significantly, not entirely -- there are policy and legislative issues that are difficult to surmount, but we can address a significant amount of it through technology. that is a security issue along with everything else. >> what i would not like to be talking about in five years is phishing and bots. i would like not to be talking about these. i can remember the first e-mail i got from the nigerian prince. you got it, right?
7:30 pm
if i had the opportunity to create a call, it would be nice to be talking about something else, not because we are tired of talking about this and we can't seem to get past it, but because we have figured out how to actually not have it be a significant problem. >> the first part of your question around cost -- i think the individual cost of products will go down, but the overall cost around security will continue to increase, especially around the labor costs. you are going to see greater growth around the ability in the next 1-5 years. cloud, data, encryption, and
7:31 pm
also protecting our web servers and web applications. i think that will continue to really increase. also, as our mobility and cloud increase, our bandwidth will need to increase. >> thank you. if you have a question for any of our panelists, can you raise your hand? >> i will go with the microphone. how do you essentially foster innovation without reliance on the private sector? foster innovation without sharing proprietary secrets that would give you a competitive edge over other
7:32 pm
solutions? it's an interesting question. there is an easy answer, right? private companies have been in the business of fostering innovation without the assistance of other companies or the government. companies have been doing it for a long time. if you develop your capability at the behest of the government pursuant to a contract, the government owns that just like
7:33 pm
they would own anything else. i think the more interesting part of that is, how do we apply that innovation? that is really a question back to the partnership. it's an issue of, how do you bring what you can do to the table and make that available? that's information sharing. we have this capability. does that work for you? in general, i think it gets harder and harder, especially when you work in a public-private partnership, to justify a really proprietary capability. microsoft handed over the source code for windows 7. it said, look, here is what we have.
7:34 pm
that is a trust issue. the private sector will continue to do what it does. i was at black hat two weeks ago. i met a bunch of guys who came up with the next generation of encryption. we want to work with the government. we want to work with them to secure what needs to be secured. we understand we have to share a significant amount of our technology to do that. we are ok with that because the government understands the flipside of sharing that technology is a trust issue of observing the proprietary nature of the technology, making sure
7:35 pm
they are not damaged by working with the government, and ensuring the government gets the best value. everyone who has had their eyes bleed reading the cards, raise your hand. all of us have at some point or another. the reason they are there -- they are really effective pieces of legislation -- is to allow the innovation partnership to take place. they may be really tiny words and may be painful to get through your head, but we have a really strong basis in the united states for fostering that sort of partnership. i want to say thank you first. rarely do i hear people use the word innovation in the government. -- the east coast is, we are not
7:36 pm
innovative. thank you for acknowledging it. i appreciate it. one of the most important things that enables us to be innovative is a willingness to collaborate. i find, and it may be true for others, i find that the best solutions come when you bring together diverse perspectives, and then you find the thing that you didn't realize existed in that space. we try very hard to create opportunity for those conversations. when you look at the operating model we use, it goes from a partnership perspective, talking
7:37 pm
about how we establish a 21st-century partnership that can help handle the threats we are facing in the 21st century, it's about recognizing that we don't have all exactly the same value proposition and interests, but we do all have the need to be in the room together. we can bring all of our different perspectives together and drive to a different space. think about the operating model. think about the operating model that we use with state and local governments in helping them handle interoperable communication issues. it is really about creating that collaboration space, bringing the engineers together, bringing the policy people together, bringing the business focus together and helping work through all of that.
7:38 pm
>> the thing that you did not mention is medical device cyber security in the cyber security of the public health sector assets. we are in the process at the fda of setting up a collaboration, which all of you have mentioned in your plenary session collaborations, what about medical cyber security. you have been approached about this, bobby. i wanted to put a shameless plug in for this opportunity for all of you to participate in the
7:39 pm
public style forum. that's about all i can say right now. a question for all of you, in regard to fostering innovation, what are some of the ways that you can perhaps allow a regulator like myself to foster that innovation? tidbits you can offer me? the companies i regulate are even more wary of sharing their technology, because not only are they wary about my inadvertent sharing with their competitors, but they are worried that if they were to share something about a vulnerability with me, i might turn around and say, this is grounds for regulatory action. >> clarity.
7:40 pm
that is where this has to start. what is the outcome you are trying to achieve? i find trust is eroded when people don't have a common understanding of what roles and responsibilities each of the players play. when someone switches from one role to another, that just undermines it. it is one of the places that i think we have to start. i would add -- i spoke on another panel in las vegas, and they were talking about the cyber security framework -- it was a framework that came out recently that said, here is the way to start. how do we get people to adopt it? how do we get industry to adopt it? i'm not really a big fan of
7:41 pm
regulatory push. my point that i made, as a former trial attorney, i watched them make the choice to say, i can fix my production line, and that will cost me $5 million every year, or i can assume i will pay $750,000 a year in lawsuits. without incentivization, you don't get industry to play the way you want it to play. it's a dollars and cents game. the incentive doesn't have to be the stick. it can be the carrot. from what you said, one of the first things i would look at would be, how can i encourage
7:42 pm
this information sharing and make it a positive experience for them and foster the trust, make them aware that no bad things are going to happen to their intellectual property, but also make them aware that if you come in under this, no bad thing will happen to you. a safe harbor concept. at the legislative level, safe harbor has been something that has been bandied about. -- a little plug for the cyber security framework.
7:43 pm
nist was asked to convene a set of collaborations -- what does it mean to do cyber security effectively? it's a powerful set of discussions. if you went to all of them, i think you got a t-shirt. the cyber security framework was released late last year, and it did a handful of really meaningful things. if you haven't read it, it said, cyber security is an important risk and must be in your enterprise risk management activity. it moved cyber security from a problem in a room to a boardroom problem.
7:44 pm
it said, you must understand, here is a way to think about how to incorporate this risk into your model. here is a list of ways to think about cyber security. a compendium of standards and activities that really detail all things cyber security. that is the framework. what we've been doing in the department of homeland security is working with owners and operators, working with departments and agencies to help them through this again. we strongly believe that working with these owners and operators and helping them through this, folks will find a way. we have eliminated a part of the
7:45 pm
confusion that would have existed. we have been very pleased with the kind of results that we've had, ranging from companies who were very secure, who can find themselves in the framework, who have been doing this all along, to those who aren't really sure where to start, with an important focus on small and medium businesses. how do they find themselves in this framework and move themselves on their cyber security journey? that is putting it in the concept of a risk conversation. it really helps with trust building. it helps with roles and responsibilities. it helps put more clarity about the decisions. it enables cyber security to be a decision-maker conversation,
7:46 pm
getting the cio the information they need, the ceo the information they need. leverage to organizations. there are some private-sector companies that really focus in the areas where you do have that testbed environment where you can feel comfortable. >> good morning. i'm with ibm, and i wanted to thank you for your insights this morning. you talked about the growth in mobility in the next 3-5 years. with the implementation of the dhs carwash, how do you see greater
7:47 pm
collaboration and adoption and sharing evolving in the future in that area? >> i haven't thought about that one very much. give me a minute. the point you are making is, we have to have more collaboration so that there is opportunity for mobile apps to come forward. we have to do that. one of the things that we also have to do is understand that the landscape, and the federal landscape in particular, is not the same from one department or organization to another. we have to find a path that enables us to manage both. one of the more successful ones --
7:48 pm
i think it would encourage that as a method. when i look at what we've done over the years, we have had to build enough momentum between different departments and agencies in order to get to that point. it feels like we are right on the crux of that right now. >> you're talking about cloud cyber security. you are talking about applying the same sort of model. instead of each department doing their own certifications for applications, we have enabled a joint model that allows the departments to express their unique department requirement into the situation.
7:49 pm
>> adding onto that, there is a technical component, as well. the certification process, right now, it is the same for the big apps, development projects. it requires a cluster of high-end servers to run. the process i use to certify that today is the same process i used to certify the mobile app that was written in a week and a half. the volume of mobile apps is significantly greater. one of the technical things that i looked at in a previous life was how to push the
7:50 pm
certification and accreditation process back on the developer. it becomes a question of methodology, a combination of agile and test-driven development. when you finish developing your app, it is certified by virtue of the environment in which you developed it being certified. and coming forth with innovation in terms of the policy side, how do i accredit within particular environments, and at the same time, how do i provide a hardware-software methodology to do that becomes very interesting. i would encourage industry in general to look at innovative ways to solve the problem,
7:51 pm
and by virtue of that certify the things that are coming out of it. >> i think we have time for one more question. i am from politico pro. a few of you have mentioned how important small and medium-sized businesses are. there has been a bit of a -- well, i'll run somebody else's -- everyone's favorite story is how the bad guys got into target through a vendor. how do you bring them up to a level so everyone is safer? i will get my times a little bit wrong here.
7:52 pm
about three and a half months ago, to collect information as a mechanism -- we are not inferring what their challenges might be -- and to talk about what kind of solution might exist in order to enable them to be successful. it was important to us to have an open and direct dialogue in that space. we got a lot of feedback from both small and medium businesses and from the i.t. industry on them as our focus, a customer and constituency. there was a dialogue, i think for the first time in a meaningful way,
7:53 pm
with parties in the room together talking about what their realities are. an important insight to me was that they have some of the exact same needs, as well as -- there isn't as much -- i had thought they would be more aware of what cyber security threats are. it feels like we talk about target a lot. there wasn't as much broad awareness as we had expected. we are focused on the language that is accessible to them for an easy first step as we go forward, leveraging the solutions and capability that are accessible to them as well. >> i think the good news is that the smalls and mediums are much more agile. we can change
7:54 pm
policies and procedures much quicker. -- there are larger programs and they can get access to a lot of those large requirements around security. that would be my suggestion. >> from an industry perspective, the security industry perspective, let me say two things. we focus primarily on the structure. the organization as a whole, especially the u.s.-based organization, is very supportive of adoption, integration of the framework for small and medium-sized businesses and is uniquely positioned to do it with a significant footprint.
7:55 pm
that is one of the company's goals and missions. it only helps everyone. whether it is because it is your business or because you have a governmental -- we push that. we make our partners aware of it every chance we get. >> ok. with that, i want to thank all of you for coming. i think they might be sticking around for a little bit if you want to come up. but you are all free to enjoy the rest of this lazy day of august. thank you very much. [applause]
7:56 pm
[captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014] >> on the next "washington journal," william yeomans talks about the civil rights division and the ferguson, missouri case. we begin our series on modern political campaigning with a look at fundraising. they talk about today's multimillion dollar operations. joe lestingi and joanna burgos.
7:57 pm
as always, we will take your calls and we will take your comments on facebook and twitter. "washington journal" live at 7 a.m. eastern on c-span. on september 18, there is a referendum. scotland hosts the second debate between the scottish national party leader and the opposing candidate later, advocating for an independent scotland, while the british prime minister believes scotland should stay in the u.k. 51% support staying in the u.k. -- percent favors independence. that begins at 3:30 p.m. eastern on c-span. >> next week, special primetime
7:58 pm
programming on the c-span networks. from glasgow, a debate on scottish independence. on tuesday, issues on the irs targeting conservative groups. wednesday night, a preparatory magnet school on educating children from disadvantaged backgrounds. thursday, a house hearing on federal state and antipoverty programs. and friday night, native american history. on c-span 2, book tv primetime. a discussion about school choice. tuesday night, a writer on his book "how the poor can save capitalism." the author of a neil armstrong biography. "in depth" with ron paul.
7:59 pm
on american history tv, the reconstruction era and civil rights. tuesday, world war ii and the atomic bomb. wednesday, the fall of the berlin wall. friday, a nasa documentary about the 1959 apollo 11 moon landing. find our television schedule one week in advance at c-span.org and let us know what you think about the programs you're watching. call us at the numbers on your screen, or e-mail us. join the conversation, like us on facebook, follow us on twitter. tonight on c-span, "q&a" with democratic congressman charlie rangel of new york talking about his career and life before public office. members of the scottish
8:00 pm
parliament discuss a referendum declaring scotland's independence from the u.k. and then the results of a recent poll on how education is viewed in the u.s. ♪ our guest this week on "q&a" is new york congressman charles rangel. he talks about his years in the house and his life before entering public office. he recently won the democratic primary in his new york city district. he has decided if he wins reelection, this will be his last term in congress. charlie rangel, back in 2007, you came out with a book, "and i haven't had a bad day since." have