
Key Capitol Hill Hearings, C-SPAN, October 2, 2014, 5:00am-7:01am EDT

5:00 am
the global alliance that seeks to protect children online and saying it would be unfortunate and we're going to need the cooperation of companies that when you have a search warrant for a state and local police officer, that you need to be able to serve it. that is a debate or discussion we need to have to figure out the right response. >> can i ask you the same question? can you tell us how international partners share information on terrorist cyberattacks? >> not just terrorist cyberattacks. one thing we are focused on doing is working to build partnerships. we work with doj. one of the things eric said in the beginning, one of the things i have seen in the past few years, inside the beltway, but
5:01 am
remarkable, a coming together of all of these federal agencies working seamlessly together. to give you an example, when we had the denial of service attacks that were hitting our financial institutions, we were working to -- these were botnets. the fbi was reaching out to their counterparts. there is a lot of noise out there. what we did, and this is unique, the state department decided to do --. i thought it was a bad thing. you can have a positive, where you say i need your help on something, i want you to elevate this. for about 20 countries, we said, this is serious. we want your help. we want to build a cooperative
5:02 am
framework to deal with these threats. that has been part of our mission, working with the other agencies. more and more countries are taking this seriously. it is not just a technical issue. that is another transformation. before, you would go in person, you would talk to the tech, you deal with it. now, people understand it is a national security issue, human rights issue, foreign policy. getting other countries to get to that same level is one of the challenges. more countries are. building that relationship on the technical level and on the policy level, it is a long-term game in terms of diplomacy, what proper norms for behavior are.
5:03 am
cyber being the new black, everyone wants to talk about cyber. it is increasingly happening around the world. as you get them paying more attention to this and reaching out and saying how can we build more cooperative frameworks against the threats, that is helpful to us all. >> is this bilateral? >> we have dedicated all-of-government bilateral relations with a number of countries. we have had cyber discussions focused on the full range of issues, internet governance, human rights, internet freedom, especially on security. we bring our colleagues from doj, dod, dhs, commerce. it brings them
5:04 am
agencies. they do not necessarily know what is happening. we have had more formal ones. we have it with a number of close partners, like the u.k. and australia. we have had it with india, we are renewing it with a joint statement. the presidential joint statement talked about renewing the security dialogue with india. we have had it with japan, korea, other countries. we have also done multilateral work. we have done it within the organization of american states, the organization for security and cooperation in europe. it is a landmark thing. this is how you build their -- build better transparency.
5:05 am
we got these measures last year and we are implementing them now. we have to look at both of those and measure our law enforcement. >> do you have similar cooperatives -- >> we do. we will work with other nations' militaries, do capacity building. there is a lot of demand for people trying to figure out how to build their equivalent of a cyber command, to do that in a responsible way. there are things we learned we did not do as well as we could have. how do you balance that with respect to civil liberties, within the law, executive oversight. there is another point i want to make. offensive operations are something that are an option, but it is only one of many tools that you have available on the policy spectrum. we have made the very conscious decision, especially in dod,
5:06 am
that that should be one of the last things you go to. before you would ever take offensive action, you want to work diplomatic channels, law enforcement channels first. it is pretty sophisticated right now based on this. a lot has to do with the fact that we have gotten practice at that during the denial of service attacks, and in some of the past years there have been significant threats. >> can i add one other thing? the other part of this was capacity building, particularly for the developing world. we have done many in africa, a couple in west africa, south africa. we are looking at asia. we are talking about building structure in government. there has been a lot of work
5:07 am
where we are trying to build law enforcement channels, build good laws. of activities we have undertaken. we are always challenged by people who can do this. the bench is not that deep. >> let me follow up on your cyber command idea. is the u.s. training countries -- to set up cyber commands? >> to defend their networks. there are a group of countries, a small group, that we work actively on giving consulting and advisory advice about how we did it and things they can do to build it in terms of training, doctrine, all of the things you do when building a military force. with our closest
5:08 am
partners. we want to make sure it is done right. we are conscious of the fact that a lot of countries want to build offensive capabilities, which we are not in favor of. we would prefer -- >> have we done it in countries that are allies, but are also developing? egypt? >> not as much. the biggest demand signal comes from countries that have more traditionally well developed relationships with the department of defense. >> europe? >> that is right. we spend a lot of time in the gulf trying to help them build capacity and make sure that is balanced with good governance. in asia, we have strong partnerships. >> who in asia? >> most of the countries prefer we do not speak publicly about it. to honor that relationship, it is probably better not to name names.
5:09 am
close allies like the french and germans, we always want to work with. it is a balance of perspective. >> the problem overseas is you are dealing with countries in the process of censoring the public. this is another tool for that. how can you have any impact on that? >> part of the diplomatic effort -- this is a broad spectrum. we don't think it separates cyber security from human rights and other issues. you have the same rights online as you do offline. about technologies, there were some recommendations in terms of technology, where you make sure as you are giving aid or working on cyber security issues, that
5:10 am
you are not enabling them to better monitor citizens or impinge on human rights. that is a delicate balance. you have the larger context of norms of behavior in cyberspace we are trying to promote. as countries develop these capabilities, there should be understanding of what is appropriate behavior. in the u.n., we got a group of experts and got something that said international law, including the law of armed conflict and humanitarian law, applies to cyberspace. that makes a lot of sense, but before, there were some countries that said this is a lawless space and you can do what you want. that is a long-term game. things that states should not do below that level, we have been talking about that, peacetime
5:11 am
norms. that is part of the long-term game. >> you couple that with the short-term game. >> actions matter. these cases are difficult to bring. you need to put resources on the end because of the difficulty of developing -- with our partners. if the actor was a nationstate and they were conducting traditional criminal activity, stealing information from private united states companies for private use by companies back in their home country, we are not pursuing those cases criminally. in 2012, the department of justice created a national security cyber specialist network in 94 u.s. attorney offices, hundreds of
5:12 am
prosecutors. the fbi announced a --, which shares the intelligence side of the house with trained prosecutors. most will not result in criminal cases, but some will. we saw the beginnings of that with the indictment of the five members of the people's liberation army. we have had great cooperation from partners in europe, where we will do a global takedown of a criminal ring. at the end of the day, if we follow facts and evidence, and instead of leading to an organized crime group in ukraine, it leads to the five people in the people's liberation army, we will treat criminal activity as criminal activity. that helps build the norm of what is acceptable in this space. >> have you had cooperation from other nationstates for determining attacks against the
5:13 am
nationstate here? >> yes. you are starting to see increased cooperation, law enforcement to law enforcement channels, prosecutor to prosecutor channels. >> can we, down the line, from all of your vantage points -- what is the cyber threat to the nation? who keeps you up at night? >> keeps you up at night? in particular, iran and north korea. there are new vulnerabilities that come out that have an impact on the industrial control systems. -- or difficult to
5:14 am
deter countries. i worry about that. >> in my portfolio, if i was not a sound sleeper, i would never get sleep. there are those who would not be deterred. if they had the capability, they would use it. that is the terrorist organizations who have declared their intent to cause maximum harm and are actively seeking to acquire the capability, and that day, i feel all of us working together need to do more working with our private partners, so that we are not, like the 9/11 commission, that we are not having a post-9/11-like moment. i have learned to get sleep at night.
5:15 am
>> at the same time, i agree with what both of my friends have said. the undeterred, dedicated terrorists, rogue states pose a real issue. that makes the case for having a cooperative framework to deal with this. making sure countries have laws in place and using our outreach tools and capacity building tools, this is something we are mainstreaming as foreign policy. we are getting people who concentrate on this issue and work with the host government. mike rogers said we have not seen the terrorist attacks yet. we have not. we have been talking about it for years now. there is a lot of vulnerability out there. it is a big issue. it is not just to the united states, that is why we have to
5:16 am
build the partnerships. >> this also keeps me awake. in dod, my job is to worry about cyber tech. i also worry about doing things that impact one of the last great economic centers of gravity for the united states, the i.t. industry, silicon valley. i think a lot about that. you want to make sure you are not hurting the economy in one of those great centers of gravity that we do have. >> eric, john, and chris. we will have our next panel up soon. >> thank you. i want to encourage -- we have had great comments and questions coming off of twitter, washpostcyber.
5:17 am
i want to say that all of the speakers are going to be excerpted in a special section of the paper. it is a special cyber security section which will have articles and excerpts of what you hear. up next, i want to welcome david. we are going to switch. we have been talking to government people and now we want to hear from people in the private sector. i will leave it to you, david. >> my name is david cho. we wanted to talk about something that is similar to the first panel, but more on the private sector.
5:18 am
anything with a computer is a target for hackers today. your thermostat, your car, your pacemaker. dick cheney was worried about it, he probably still is. also, jails, power grids, gas pipelines. how do we protect the infrastructure? that is the basic question. we have three experts to guide us. let me introduce them to you. analyst and attorney tiffany rad is to my left. one of her claims to fame, she demonstrated that jail doors could be opened remotely and we will hear more about that shortly. man is a senior cyber and energy security strategist. he is an advisor on energy
5:19 am
security. mike mckeown is part of the cyber security team that caught five chinese military leaders handling trade secrets, so everyone needs to behave with mike in the room. we have about 25 minutes. i will pose a couple of questions. if you have questions you would like to ask, see my good friend allison. she is also pulling questions off of twitter. tiffany, let me start with you. give us the lay of the land. what has been hacked and what is at risk? maybe you can give us a little bit about your previous work. >> the work that you referenced we did in 2011. it was a team of four.
5:20 am
it was about two weeks of research and we found some vulnerabilities in 2011. things have changed since then regarding how much is connected through programmable logic controllers, data systems. one of the things we took from the research and what we were able to show the community was there is a lot that can be done by changing the security mindset and with training. an avenue: independent security researchers can go to places if they want to do disclosure, especially in regards to different types of technologies the government has and vulnerabilities researchers may find. >> tell me about the prison doors. it was the rage at some of the black hat conferences. >> that is where a lot of independent security researchers
5:21 am
and companies go to share the types of work they have found. the important part is they are there to share it. if you see it at black hat, it has probably already been done by other groups. that type of conference is good for the government and industry to see. one of the very popular topics is industrial control systems. a lab was set up where people could go and tinker with industrial control systems. there was nothing nefarious about the work they were doing, but it was to teach people about how to design more secure products and what is possible at this time. that is one of the reasons these conferences are excellent for people in the private industry and the government to attend. >> speaking about the value of black hat to improve security overall,
5:22 am
one of the motivating factors is that if government and other industry urge a particular type of product manufacturer to up their security rigor, capability and side products, and it does not happen, nice people at black hat are known to carry that product onto the stage and show how they can access it and do naughty things to it. that is a very bad form of advertising for the company in having its weaknesses so demonstrated, but it is a motivator. >> tell me the likelihood of an attack on a power grid, for example. help us wrap our heads around the consequences and describe what is being done at idaho national labs to simulate attacks like these. >> to the first point -- what it involved and what is involved.
5:23 am
it is not i.t. you see elements of i.t. you see windows operating systems, but the communication and protocols, the types of processors and the amount of memory and the segmentation is often wholly different. for a standard i.t. hacker, it would be a strange landscape, requiring special knowledge. the aspect about it would be attackers on the electric grid. someone can take down the electric grid, the u.s. grid, but the grid is not all one thing. it is many different pieces. it is resilient in the face of natural disasters. it happens all the time. it is not nearly as simple as saying one intelligent hacker
5:24 am
can come in and do these kinds of things. there are a lot of layers of protection. on idaho national lab, this is one of a dozen or so department of energy national labs. we focus on energy security matters. we are in the desert in idaho where we have a test range. we do not just model what happens on the electric grid in computer simulations, we can do it and see what is happening from a cyber or physical attack point of view. >> let me get you to jump in. how exposed are the systems that control these networks? who is targeting them? >> i will start with targeting. a couple of different factors. could the targeting be for a -- a specific company
5:25 am
or the sector in general? did something happen, was it accidental or malicious? is there more information? we are involved in different outreach programs. we work with dhs and their models. we are learning a lot ourselves. we talked about idaho labs. we sent a number of our agents there. we have pockets that have the expertise for ics and they may be around the country, but we have the ability to share the information. targeting in particular, we have gotten better at sharing information. some is of a classified nature.
5:26 am
a couple of years ago we had a threat against the financial sector. we brought in the financial entities and gave them clearance for a day. >> this was the russian crime ring going after the banks? >> correct. in order to share the information at that time. we are getting better at getting the information out. contractors may have knowledge they can share about indicators they see. we have a couple of different platforms that share that information. >> there are probably companies that say they need more help from the government. can you describe specific ways -- let me throw it open to any of you -- that this partnership could come together in better ways than it has now, to help companies facing attacks? >> you will hear me speak, not for the lab, but the
5:27 am
department of energy and cyber security in general. the job of the lab is to be different than what is in the commercial marketplace, to be -- to five years ahead, with the threats, the evolution of the threats, and ways to exploit technological capabilities so that they can do -- get hits and misses, and it can be transferred into the private sector to advance and push forward and stay ahead of the threat as much as possible, or at least keep up. >> when you are on the ground, talking to these utility companies, what are you hearing? what are their concerns? the cost increase -- what are they up against? >> of people who
5:28 am
subscribe to utilities -- we think of them as one thing, an electric utility. they range from fortune 10 companies that have some of the most sophisticated folks and tools, all the way down to 100 person co-ops with a security person who doubles as a maintenance person and safety person. depending on where they are in the spectrum, the challenges they face, what they bring to bear, how much help they need from external sources varies widely. one important point would be to think of a utility like any other asset intensive industry, someone who relies on heavy equipment, having a historic cultural -- between the cyber systems.
5:29 am
it is getting the utilities to put their efforts not just on the i.t. side but to look at the ot issues, which we call industrial control. coming around to the question, the smart grid driving that, many of them were working on. >> we will hear from mike on public partnerships. what do you think the cost of upgrading for a utility company is? >> it ranges massively. >> it ranges massively. >> yeah. if you think about the size, the amount of assets they're responsible for, i would not even
5:30 am
hazard -- sorry. >> mike, anything you wanted to add? >> on sharing information, we have the national cyber investigative joint task force, intelligence community, dhs come together to share different levels of intelligence. it can be different levels of classification. in pennsylvania, we have partners co-located with our fbi unit. i can talk to folks from financial institutions, large retailers, and industry experts. we are right down the road from carnegie mellon. we have that facility available. we have two fbi personnel assigned to see threats coming in real time. going back to real-time information sharing of the indicators that we see. we are cognizant of the fact
5:31 am
that it should be within a sector, but sometimes across a sector. the telecommunications sector might tell us the problems they are seeing and it affects another entity. we have seen that with the telecommunications sector, getting preemptive notification to the financial sector. our program as well as working with dhs and experts has been helpful to get the big picture, the facilities to share that over a couple of years. >> the relationship between private companies and security researchers, we have -- when it comes to private companies, if they come across research that exposes vulnerabilities, there was legislation that was proposed, going on since 2012, to give that company civil protection. if they were to go to the
5:32 am
government and say we found these vulnerabilities, the trust relationship between the private company and the government would be established so they feel comfortable about saying we found this and we are doing red team research. we would like to let the government know without whoever the vendor is that the government may be using getting upset about the vulnerabilities or how they were found. this type of sharing is important. getting people to come forward with information that they have and trusting that they can still protect some of their i.t. as they share this is very important. some legislation that was significant for private industry. >> how do consumer expectations about service and reliability play into this? it can slow services.
5:33 am
>> there is always a trade-off between security and convenience. when we have bring your own device to work, there are vulnerabilities that can be exploited in someone's home and brought into the corporate network. convenience versus security is always going to exist. when it comes to that type of trade-off, what i suggest, i am a university professor teaching at a computer science department. i teach my students to think like hackers. that might sound scary. we are graduating students where they are writing code and considering security applications of every line of code they write. it is not how does the algorithm run? that is important as well. how secure is the stuff you are producing. when they go to the workforce and work for private industry, they are designing things that are more secure. we like to think that this is going to be changing through the graduates that we have in the u.s., taking jobs here. the convenience versus security, maybe they will say i think there is a different way we can
5:34 am
do this that would make it better and more secure. >> when we are speaking about the development, and whether it is commercial or on the industrial side, of a new product, new capabilities, of paramount interest is a concept called security by design. the idea that you have legacy equipment, some of the power systems that are 20 years or 30 years old. you do what you can to isolate and protect it from threats. if you are building something new, you have a tremendous opportunity, whether it is an internet of things device, a cell phone, etc. security on top of the functional requirements, otherwise nobody will use it or sell it. if there can be a security voice at the table in design discussions. a design decision could go one way or another making security down the road better or tougher. it is nice to get the security person, we really need to get
5:35 am
the security voice into those early design and development decisions. that is power and everything. >> let me get a question from the audience. >> a quick question from our general manager. i want to hear more. you are talking about how you are teaching. what are some of the eyebrow raising things you are seeing from your students or people at def con and black hat? can you talk about the eyebrow raising things. >> we did not hack into the jail. one thing we balance with research is where do we cross the line with research that might be controversial. it was a proof of concept we never released. one thing we look at at the community and def con is how the interconnectedness and the internet of things is coming so fast. the computing power is
5:36 am
increasing so greatly. the amount of devices we all have with us and carry with us today, and we drive home in cars that are mostly computers, not as much mechanical anymore. the research community is trying to catch up with what exists, trying to find vulnerabilities to let the companies and the government know. >> what are some things that have happened? transportation? >> car security research presenting at black hat and def con. consumer vehicles, trains, trucks, and planes. there are people looking at how these systems have networks and how they are connected to the internet and other things. [inaudible conversations]
5:37 am
>> thank you for joining us. i'm the technology reporter for the washington post. i'm joined by eric friedberg from stroz friedberg. he has 20 years of government and private sector experience. robert -- he was an assistant for 11 years at the u.s. attorney's office for the eastern district of new york, where he served as the lead cyber crime prosecutor. i'm joined by phil reitinger,
5:38 am
who was between 2009 and 2011 the deputy undersecretary for the national protection and programs directorate at the department of homeland security. he has also served as sony's chief information security officer and chief trustworthy infrastructure strategist at microsoft as well. thank you for joining us. we looked at how companies are being affected. i wanted to run down a list of what has happened in the last few days that did not make the headlines, that is undercover and has become the norm. here are some companies that have been hit by security breaches, data breaches. supervalu, a grocery store. jimmy john's, a sandwich shop.
5:39 am
a cowboy boot chain in the midwest. the point is to say that many of the biggest companies get the headlines and we talk about the breach at places like target and home depot and bank of america. there's a feeling of panic and a feeling of concern that consumers get. there are other examples of data breaches that happen at companies that run the gamut in terms of size and industry. we want to talk a little bit about the ecosystem. what is happening here in the commercial sector? i was hoping to start out, eric, by asking you what is going on? is the problem getting worse? becoming a bigger problem? where is the state of security in corporate america? >> when stroz friedberg is responding to these kinds of attacks, we are seeing that the
5:40 am
problem is getting worse. the problem is getting worse in part because the scope of the attacks has gotten enormous. companies are experiencing intrusions where 100, 200, 300, 500 servers are being compromised. whether it is a small attack or a large attack in terms of the amount of information that is taken out of the network, the scope of the machines affected is so enormous that the cost is rising into the $5 million, $10 million, $20 million range in terms of hard costs. there can be reputational costs that run into the hundreds of millions of dollars. from a corporate governance perspective it is hard for companies in advance to prepare themselves for that level of attack. >> we will talk as we go on and get further into the conversation about what that means for a small company if you are hit and
5:41 am
suffering those kinds of attacks and costs. phil, what currently is the biggest problem or issue when it comes to corporate security? >> the biggest problem with regard to corporate security is the biggest problem with regard to critical infrastructure security and government security. the underlying paradigm of the internet -- that does not mean that every attack succeeds. it means that over a period of time, somebody devoting enough resources to get into your network, given the size of the infrastructure, will be able to do that. as a result, you see these sorts of series of breaches. more and more reports of breaches. that does not deal with the loss of intellectual property and government secrets and other things that often take place. which leads to what eric was talking about. the problem is getting worse. the defense curve is going up.
5:42 am
the attacker is going up more steeply. they are good at sharing information. they're getting better and there is more information available online. we are all looking for the point where the curves start to come together again. we have not had that moment yet and we might not see it for a considerable period of time. >> eric, any thoughts on that? >> phil is right, it is a cat and mouse game where companies are playing catch-up. i get back to the issue of what can they do. you have to increase your corporate governance around these issues. top management has to own cyber security threats and put budget behind it, the right people behind it, technology behind it, to establish a corporate culture of security.
5:43 am
and so, that is a big challenge. often, that involves substantial change management. if, for example, in a company, the sales function has been predominant because you are a sales organization. as one of the panelists previously said, security equals one over convenience. it is inversely proportional to convenience. sales culture might drive convenience oriented solutions at the cost of better security. upper management has to take the reins and drive security from the top. one of the things that corporations can do to become a secured environment is to excel at something within their control, which is corporate governance around cyber. if you do not have that, forget about security. if you have that, you have a better chance. >> do they need to know who is
5:44 am
attacking? if you are a company in the u.s.? back up and talk about who is attacking. can you give us a framework. what do these attackers want from u.s. companies and who are they? eric? >> the basic buckets: state-sponsored agents that typically want intellectual property, research and development, formulas, industrial know-how. there are russian, not just russian, organized crime groups that are looking for financial information. they want to wire transfer money and steal money, steal credit cards. they're financially motivated. hacktivists, politically organized groups or state-sponsored groups looking to cause embarrassment or data corruption. then there are corrupt or
5:45 am
negligent insiders. if you are a corporate victim, it matters in advance what your threat profile is. if you are a food manufacturer, it is unlikely a state-sponsored agent is going to come after you to steal intellectual property. you cannot prioritize if you do not know your security profile. what are your likely threats and how do you align your security spend with those threats? >> do you think it matters who might be attacking you as a company depending on what industry you are in? >> who is attacking you can be important if that drives
5:46 am
indicators you would use to look for to stop an attack. as a general matter, no. thinking about what the threats are, the taxonomy that eric talked about. microsoft did a paper that used a similar taxonomy. supplementary, you can think about it. attackers may come after you because of what you know or what you have got, your sources of data, anything they could take from you that might be credit card data or intellectual property, pre-released content. then they come after you because of who you are. what they want is to take something from you, they want to take you down for a political or other purpose. the last one, this is becoming more apparent. they try to take you down not because of what you know or who you are, but who you know. it might be that you are a third-party to somebody they want access to.
5:47 am
you might be a means to an end. you see this more regularly. end users are taken down sometimes not because hackers want the data, they just want access to the computer. even if it is as simple as being used on a botnet. there's a broad spectrum of attackers. you have to figure out what you want to protect, what are your most valuable assets. >> are companies struggling? >> this is getting harder to do. it takes a lot of resources. eric is right, you need corporate governance. boards get it now. things like target have helped to ramp up the attention. it is a difficult area to make progress in. we are getting better technologies, they can be
5:48 am
difficult to deploy. a lot of our technologies do not scale well. you cannot solve a problem completely with technology, you have got to have the right people. it is a people problem. there are not enough of those people. many of us that have been around for a while, our biggest job is to find the good people and steal them. resources are a big issue. >> questions from e-mail and social media. >> there's a question through e-mail about what is the scale of partnership between the government and industry? is it global, local, based on sectors, across sectors? what would help companies and corporations the most? eric? >> most companies try to build local relationships with cyber agents, either fbi or secret
5:49 am
service, so they have in their incident response plan an initial contact so if there is a breach they know how to reach them and they can get to them right away. the main challenge for us as critical incident responders is what corporations need from law enforcement not on day 20, day 40, or day 60, but day one: a set of indicators of compromise that the law enforcement and intelligence community know are associated with this type of attack on this sector of industry. there is a strain in the speed at which responders are able to get that information from the government.
5:50 am
>> when is the company getting that information? day 20 or day five? what can a company expect from law enforcement? >> it is spotty. if you get the right group, fbi or secret service, the right circumstances, nobody takes the wrong view about whether or not the information they're going to provide is classified and therefore cannot be provided -- if all that lines up, you get good indicators which you can then search the corporate network for and speed your response. if you do not get the right circumstances, the information is delayed or it does not happen. >> eric is right. more broadly, you need global partnerships. you want to be a friend. if they give you valuable data, something you can use to
5:51 am
increase security now. the real problem is that it is not just our human relationships that do not work fast enough. it is that our human relationships cannot work fast enough. we need to build out automated information sharing and indicator sharing mechanisms that work at internet speed. the attackers' attack cycle is tighter than ours. if we are able to operate at internet speed, find out about a new attack, a new zero day, we will be able to protect infrastructure to the degree we need to. one thing that is happening, in order to deal with that lag of information from the government -- the isacs -- the retail isac will trade on an immediate
5:52 am
phone call indicators of compromise so that, let's say you are a bank and you have been attacked. you call your friend and on day one you can get from bank b that had the same attack useful information that gets transmitted immediately. you turn around and you search for those indicators within your network. you say those indicators have led me to the fact that i have these 20 machines compromised. now you are off to the races with forensics. that is the way it should work. that is the way government wants it to work. the executive order has asked government to respond in that fashion. it has not gotten there yet. >> let's give some credit where credit is due. isacs grew out of government initiatives and were supported by government. the original idea came from
5:53 am
president clinton's executive order in 1997. that's how old this is. back then it was a single isac that grew into a set of isacs. that's a place where government has played a favorable role. >> does this touch on smaller companies? if you are a fortune 500, are you involved in the sort of cooperation? >> i've never worked for a financial services company. the financial services isac has a tiered membership structure. it is quite inexpensive for smaller companies to participate. they get full access to the data being shared. those channels are available. the problem with smaller companies, what are they going to do with that information? that is a difficult problem. >> you mentioned the role the government has played in forming a coordinating body.
5:54 am
what policies could be put in place? what can government do to help with this growing threat of cyber security? >> i will give you three quick things. government needs to ensure, particularly in critical infrastructure, that the right requirements are being met. it means we at least need stronger incentives to get especially critical infrastructure to invest the right amount in security in different places. i think it needs to work on the people problem. there are great initiatives to increase the amount of cyber security talent. we are all stealing from other people. you cannot hire enough people in this space. >> are they being trained here or overseas? >> people are being trained all over the place. we are training fewer people in the u.s. than some other countries. the last thing, this goes back to what the director of darpa
5:55 am
was talking about. we need a more secure infrastructure. we have gotten good at building more secure houses based on infrastructure that is sand. that is still sand. that has got to be changed over time. otherwise it is a bunch of band-aids. >> eric, if you had a wish list, what would that include? >> they've made very good progress at the beginning in public-private relationships. there needs to be more consistency across the platform when we talk about threat information sharing. private industry is very hungry for threat information. the white house has indicated with the executive order that it is a mandate that this information should be shared. moving down that road as they continue to do that would be a positive thing. >> another question from e-mail
5:56 am
or social media. >> from twitter: as a company, you assume you're going to be breached. what does that mean for insurers? if you are meeting a government standard, what does it mean for insurance? >> insurance is a hard problem. people have been talking about cyber insurance since 1995. if you watched the earlier panels, you saw john and chris talk about the fact that there is no real actuarial-level data in this space that would enable you to judge what is effective. i think insurance can be important. we need more security science. we need more data about what is happening. we need more data about what is effective to really enable an insurance market to drive additional security that everyone wants. >> eric? >> i see this regularly. post-response, there's usually a claim under cyber insurance
5:57 am
policies. these cyber insurance policies are working. claims are being submitted. insurance companies are paying out. the issue is that the underwriting industry does not know how to handle the entire ball of risk. they are underwriting a fairly small portion of the market right now. they do not have underwriting standards. as more data comes in, they will develop those underwriting standards and a broader range will be available. >> one quick question. top two or three things that you recommend practically for a company to do when you go into the office. >> the first thing, increase your cyber governance. invest in people with specialized skills relating to
5:58 am
incident response. be careful about the types of intrusion detection that you select. there are many products out there and you have to be careful. those are the top three things. >> i will repeat them. get the right person or people. find solutions of scale. it is difficult to purchase this at scale. get something that will allow you to address the security without increasing complexity. >> thank you so much for joining us and talking about what it is like from the perspective of somebody who understands a hacker and tries to consult with companies on how to be protected. join me in thanking them. [applause] >> we're going to continue talking about companies and the consumer.
5:59 am
it seems like every day you open the paper. we will welcome our next panel up. every day we open the paper and another few million credit cards have been stolen. we've assembled these experts from all over the united states to talk about what it means. >> thank you, alan. thank you, ellen. i am mary jordan from "the washington post." thank you to the people who have been sending in comments online and watching online. i will introduce the panel. what does this all mean when you open the paper and see another big company that has been hacked and credit cards stolen. next to me is jane holl lute, president and chief executive of the council on
6:00 am
cyber security. she was a huge deal at the department of homeland security, she was deputy secretary. the executive vice president at the retail industry leaders association. that association represents all the big players in retail, from walmart to gap. then we have erin jacobs, managing partner at urbane security in chicago, who uncovers vulnerabilities in a company. and, executive vice president, chief legal officer and chief enterprise risk officer for visa. what does it mean -- who is paying -- when i see that home depot got hit, what is the
6:01 am
damage? i do not quite get the significance. >> i can start. i do not work for home depot. what is happening is basically we are experiencing firsthand and in a public setting what we have been experiencing for a dozen years or more. there's no company that has not been hacked, intruded, or had to deal with this. in the past, most companies have dealt with it as the price of doing business. or a nuisance. those times have changed. in 1995, there were 16 million of us online. today, 3 billion people online. these acts are more public and more consequential. >> you represent the retail association, what are the consequences?
6:02 am
>> it is a huge challenge. these are sophisticated and dedicated criminals trying to infiltrate systems. in terms of what the impact is, it is significant. there's a brand risk to the businesses that are hacked. the cost, ultimately, is shared between all the players. when you talk about cards, counterfeit charges related to cards are shared between merchants, banks, and institutions across the payment ecosystem. which is why we have argued that the solution is where the players work together. there is skin in the game across the ecosystem. >> people are worried. you said a brand risk. people are worried about turning over their credit card numbers. >> the intensity of the conversation is going on in every boardroom.
6:03 am
how businesses are adapting to the expansion of this risk is intense right now. >> want to talk about technically how it works? somebody steals millions of credit cards from a big company. talk about how they do that and what the endgame is. do they resell the credit card numbers? >> there could be an encyclopedia of different ways people get into the system, especially in retail. with credit cards, there's a monetization. there's a reason why people like those numbers. they're easy for them to use right now. there is a black market on the distribution of credit card information. vast amounts of use. from criminals all the way to foreign entities. in regards to how people are going about getting in, we are off the doormat.
6:04 am
companies have scaled a gigantic amount in the last 20 years. what has not scaled is the infrastructure and a lot of technology and education. we have not formulated our roots to how to create secure corporate environments. from retail to corporations trying to protect intellectual property. the only difference is with credit card information, there is monetization. with social security numbers, we have not found the black market. >> how does the black market work? use the internet to sell them again? somebody buys them and buys a pair of $200 shoes? >> there are better experts on the black market and the dark net. i'm not even going to touch that. >> this is secondhand information. i do not frequent these sites.
6:05 am
there are sites, primarily housed in eastern europe, where credit and debit card information, card numbers, fully equipped cards, cards with pins are available. they sell for different prices depending on the brand, whether it is an affluent or standard card, depending whether the pin is provided. it is all in the open. i do not recommend going on them. like other underground sites, if you are not known within the community, they might offensively come at you. i do not recommend looking for them. it is a very notorious market. card information might sell from three dollars to $30 or even upwards to $100 for a fully equipped card. if you sell millions, you get $100 for each one and make money. >> your first question.
6:06 am
>> let's go back. what happens when the breach might occur. the first thing, everybody needs to be clear. it is very rarely the consumer that suffers any financial loss. because in the u.s. we have a zero liability policy you have heard about. your bank will take the charges off if they are unauthorized. it is not the consumer. as brian was saying, it has to do with who within the industry is going to pay. the second thing, with one of these breaches, they are often identified by the banks themselves or by law enforcement. it is difficult for the breached entity to detect it themselves. once it is identified, the huge machinery goes into place. the payment brand gets the information about the accounts that might have gone through that environment.
6:07 am
we get that information out to your banks, so as consumers you know that your bank has that information and can monitor your account and protect you or reissue your account. that happens by the banks. later, there is provision for sharing the costs among the other players. that's my answer. >> anything to add? >> to the consumers, in the end ultimately consumers do bear the cost of the perturbations of the marketplace. all the companies that are represented, we love the market. they are in the market to make money. this is cost transferred to the consumer. to come back to the basic theory that underlies this. plenty of bad things are happening in cyberspace. they are happening in the face
6:08 am
of a capacity to act. we know what to do for basic cyber hygiene, we are not doing it. pick your number. i am not a technologist. they say basic hygiene will prevent 80% to 90% of all known attacks. do you know what is connected to your network? do you know what is trying to run on your network? do you know who has administrative permissions to change or override your configurations? do you have an automated system like dhs's diagnostics and mitigation that allows you to be alert and take action? those are the top five of the 20 critical security controls, basic hygiene. we are not doing it and there is no excuse. >> ellen, you said that $.6 of every $100 --
6:09 am
>> in terms of what the cost really is. the cost to the payment system, visa's system, less than $.6 for every $100. which is why i believe it has been treated as business as usual. that changed starting last christmas because of the prominence of the breach that occurred at that time of year and affecting so many people, it has become a question of trust. the confidence in the system. it has created a unanimity that has not existed before. let's say a consensus that we need to move forward in the payment system. take the vulnerable data out of the system. we have the means to do that. at least out of the merchant environment. because it is a complex and extensive
6:10 am
environment, it will take time. moving forward on the chip rollout. the announcement from apple pay, which uses technology. all those things will take the data out. >> talk about apple pay. almost everybody now shops and puts their credit card online. the future of online consumer activity, how is it going to be more secure? what do you think of the apple systems? >> i will break it apart. i have no doubt that technology of the systems would improve systems. hopefully we will see more. as we have argued, we talked about the card information on the black market being monetized. we need to make sure if a criminal were able to get a hold of this information it would be useless. >> how do you do that?
6:11 am
>> moving to chip cards. merchants have argued that those cards should be issued with pin numbers. tokenization, the underpinning of apple pay, is a terrific solution. instead of transmitting information on your card, you transmit something else that could not lead to fraud. >> the point that brian made, i do not mean to represent controls as the be-all and end-all. nothing can solve the problem 100%. because you're going to get a cold at some point in your lifetime, does that mean you're not going to wash your hands? because you are going to be in a traffic accident, you do not buckle your seatbelt? this is basic hygiene we are not doing in anything approaching a
6:12 am
systematic way. we are all on the same page on that. >> you talked about hygiene for a company. what about a regular person? what are they supposed to do? >> the standard things. secure passwords, now your computer will generate them for you. we are not always on the computer and we do not always keep them in our keychain. 2-factor authentication. the innovations are the future. they are the present for certain ones of us who have access to certain systems. would you share your toothbrush? do not share your password. >> let's go back to the future -- >> i want to add one thing for consumers. it is a shocking thing, the sharing of your personal information. if you wanted, you could know my
6:13 am
birthday, my mother's maiden name, my first pet, where i went to high school, my favorite teacher. all the things they ask you. and that you use in your password. in case you want to know, my password is not 0316, my birthday, i have met a lot of people who use that. that is surprisingly easy for criminals to find from you or detect on social networks. i did not think it would be worth their trouble, it is. they find that stuff out, watch out for oversharing. >> what's a clever password? [laughter] >> i wanted to add to that. be careful what you share on social networks. i have a lot of friends from the security industry who are like, i am not on any social networks. i don't do that. but their friends and their family, their kids are.
6:14 am
they are telling everything about them. our system in the u.s. does not help. we have so much public domain information. for a long time, i never shared my address. guess what? title companies and all this, this public information around real estate sales and purchases that is public. i'm not the type of person that's going to say that everything needs to be private. i think we need to do a risk assessment of our own information. and understand what is important to us and what we are willing to share and what we are not. we were talking about passwords, that is fantastic. nobody is doing passwords correctly. nobody is making complex passwords correctly. i can guarantee everybody in this room, there's not a single person using a unique password on everything they log into. i'm sure there's a shared password. it might be complex, but it's shared. >> this is all the voodoo that you do. those of us who are not
6:15 am
technologists want to know what are the important things we can do first? to reduce vulnerability. >> lock your door. we're talking about apple pay. google has the same technology. >> you have faith in apple pay? >> do not put those words in my mouth. i think apple pay -- these are all little pivots to start turning the big titanic. >> pivots towards more security? >> towards taking a little bit of risk out of the environment. the chips we are putting on things, that is a card transaction item. instead of the mag stripe. it's limited. the chip has the same information aside from one component. >> if it is stolen, it is less valuable. that is why the chip and pin system is more secure?
6:16 am
>> right. >> the chip is a little computer on the card. it generates a one-time use code. without that code, which is different for every transaction, you cannot complete a transaction. unless you have the chip, you cannot complete the transaction with the rest of that information in the face-to-face environment. we need to add a solution for the online environment. >> this raises the question about how are we going to distribute responsibility for cyber security? what do we want to give consumers? what responsibilities should you have? when you drive a car or are a pedestrian, you have responsibilities for interacting in the trillions of automotive transactions that happen every day. what expectations should we give manufacturers? why don't we get systems that ship with security configurations switched on?
6:17 am
why do we have to figure this out? >> what is the responsibility for the retailer? >> there are three basic questions that are more interesting when it comes to cyber security. how do we architect systems we can trust from components we cannot? how do we ensure the integrity of our information and our identity in an open internet? we talked about privacy, data integrity is a big problem. my blood type is a positive. it is out there. i don't care if you know it, i do care if you can change it. how do we ensure the integrity of our information and identity in an open, not closed, internet? what will the role of government be, as we distribute responsibility? allen described an industry that is taking more responsibility, trying to get ahead of the curve. what we are facing is a lack of a conversation.
6:18 am
we've had industry fighting the security problem. there are no silver bullets. nothing will do all that needs doing. thank goodness the medical community and the public safety community did not take that attitude. prevent what we can at costs we can afford. that will reduce the noise level. focus on the persistent threat. >> why does europe have a stronger credit card system? we have lagged behind, why? >> we've asked that for a long time. >> happy to answer. >> the solutions you are talking about can't happen in a silo. we need to work between industries. that is something we have done.
6:19 am
after many years of doing battle on a variety of things, the financial services industry and merchant community came together to figure out are there ways to work together? we represent the full length of the payment ecosystem, from the card network to the big banks and small banks and all kinds of merchants. can we talk about near-term solutions, chip and pin, tokenization. there's no solution today that protects the network for all transactions and all places. we can try to address the near-term solutions. merchants have argued that it is chip and pin. and tokenization, encryption, a long-term view. >> we are moving towards both of those. >> we are moving towards chip, chip and pin.
6:20 am
we are moving towards encryption and tokenization but we are not there. >> a question about europe. >> they started the chip rollout more than a decade, like 15 years ago in response to a problem they were having. the problem was a highly elevated fraud rate versus what we had in the u.s., driven in part by the fact that here in the u.s. we had a very efficient and reliable telecommunications system. as a result, all our transactions go online. not on the internet, but online through secure channels to the bank. your starbucks coffee goes to your bank for authorization in a millisecond and comes back. the telecommunication systems at that time were not as reliable. they were unable to use the online authorization with
6:21 am
predictive analytics to identify suspicious transactions. they were not using those solutions, and as a result their fraud rates were here and ours were here. they decided that because of the inability to bring everything online, they were going to use an off-line solution like the chip that could function in the conversation between your card and the terminal without needing to go back to the bank. that was the origin of the chip card in europe. in the u.s., the predictive analytics got better and better and better and the fraud rate dropped from like 18 basis points down to below 6, using that system solution. that was why: why should we invest in chips and disrupt the market, which was the most highly outfitted payment card market in the world? more expensive, less benefits, that is why the u.s. did not do it. now we are doing it. we led the way in 2011, we put
6:22 am
out a roadmap. now, with target we have more consensus. at the same time, it is not a silver bullet in europe. they have now come over to the side of using the predictive analytics. they are better able with telecommunications to do the online -- >> predictive analytics means that if i go to mexico, someone says she is not in washington. and we get a call. >> you might get a message that you can answer yes or no. more efficient. >> how are the fraud rates between europe and the states? >> they've evened out. the u.s. now being somewhat of a magnet for counterfeit fraud. it has gotten ahead of europe a little. you are seeing them a little higher in the u.s. neck and neck. >> we will go to audience questions. if a company outsources all its credit card processing, are they required to be compliant?
6:23 am
who is overseeing that? >> the ones that question? you are talking about compliance with data security standards. yes. outsource processors are required. other providers that handle payment card data. any company that stores, processes, or transmits any card data. >> this is probably for jane. can digital hygiene education become a mandatory part of our education system? >> it can. i think we need to treat the public as an asset, not an obstacle. we have a prudent public, a pretty smart, a pretty online public. people will do sensible things when they know why. we have always tried to treat the public as an asset. introduce education.
6:24 am
we are the last generation that remembers what life is like before we were online. comprehensively, none of us negotiated our morning without being online. we have reliance and we might as well be educated. >> does anyone here not do online payment? 93% of the belgian consumer economy is done online. that was a fact i saw in an airline magazine. random. we are all -- there is no enterprise in the u.s. that delivers value that does not rely on connectivity. we have tremendous reliance and we have got to do basic hygiene to lower the noise level of the threats that are out there so we can focus on those advanced, persistent threats. >> years from now, is it
6:25 am
going to be different? it strikes me as odd that you put your credit card number and your security code. >> i want to build off a point a moment ago. the migration, chip and pin rollout has brought down fraud. without it in the u.s., our fraud rates have gone up. building out of this, in europe you have seen fraud migrate online. the strength in the systems -- >> the transaction -- >> it has moved to the u.s. and moved online. what you are describing as the existing solution is unacceptable. we need to evolve. >> what will it look like in a couple years? >> nobody knows exactly. this is a free market and we have to please the consumer as well as the retailer and make it work for the bank. first is mobile. you see apple pay, google wallet. other types of wallet solutions. we have our visa checkout app.
6:26 am
those allow you to transact in the mobile or online environment with a cloud provider such as ourselves or others handling the sensitive data in the background. that is number one. you will see more of a proliferation of that. that is a solution that is global and online. in the mobile environment, you are seeing the idea that you can, with your fingerprint or entering your code, enable an application, a payment application that can be used face-to-face using chip technology. or an application on your phone or other device. so you will have a payment application that securely transmits information without anything other than your fingerprint or biometric identification. it is very simple.
6:27 am
do not disable that. it is really inconvenient to put your finger on a phone. >> we need to embrace the innovation in the space and make sure it is preserved, the competition for new technologies. whatever the prospect is for some of these technologies, we want to make sure there are lots of players, trying to hold everybody else accountable. >> as shareholders and consumers, we need to start insisting and ask for the performance record of companies on basic hygiene. we end up in a meeting and say we just had a tremendous breach, did we know what was connected to the network? what was running, who had authority to change our settings? do you have an automated system in place? but we can insist on a higher standard in enterprise security performance. >> do you have advice for consumers? tell them about jennifer lawrence, she did not like it when her nude
6:28 am
photos went around the world. with respect to the cloud. >> you do not need to know that when you touch a stove you will get hot. where you are storing your information. >> where is a place to store it? you practice this all the time. what do you not do? >> what i said about a personal risk assessment. what is going to damage us? think about yourself as your own personal brand. the celebrities, what are you doing taking these pictures on a mobile device to begin with? much less, putting it somewhere aside from on a polaroid in your closet. it is all these kinds of information. years to 10 years ago, people were storing their tax
6:29 am
returns in cloud storage areas or online storage or on computers that had no security. that is all their information. >> think of what would damage you if it was public and see where it is located. >> it is a distributed system of responsibility. we need to be smarter citizens, smarter members of society when it comes to being online. we also have a right to expect that companies and enterprises with whom we share our data are taking the basic measures that we know prevent 90% of the stuff that is happening right now. they are not doing it and we have to insist that they do. >> last word from ellen, then brian, then we will wrap it up. >> consumers are protected financially. to avoid the hassle, one other thing you can do is sign up for alerts. real-time alerts from your bank. you can be in control of the use of your card.
6:30 am
>> it is an alert that tells you what? >> you can set it as you want. an e-mail and a text simultaneously as soon as a transaction happens. >> then you call your kids? "50 bucks for a hotdog?" >> make sure the customers are safe and build upon the processes. it has been extraordinary. other critical infrastructure and taking lessons from that. >> thank you very, very much. very interesting. i didn't know about all of those alerts.
6:31 am
i want to thank this panel and i'd like to welcome to the stage the final discussion of the day. david hoffman, former moscow bureau chief, contributing writer and editor, and he will be interviewing alejandro mayorkas from the department of homeland security. i want to welcome them to the stage. david and alejandro. [applause] >> ready? where do you want me? >> here. >> ready. it is a pleasure to be here. i will tell you a secret. in the old days, this is where
6:32 am
they printed the newspaper. the giant pressroom was filled and people waiting on the street to get the newspaper. here we are in the digital age. welcome. i would like to introduce alejandro mayorkas. a native of cuba. came to the united states when he was 1 year old and made his way to los angeles. degree from loyola. after that, assistant u.s. attorney for the central district of california, really the part of california that includes los angeles. he was a lawyer with a big firm. appointed by the president as director of the united states citizenship and immigration services.
6:33 am
he was sworn in as deputy secretary of homeland security last year. welcome. we know you have been in office less than a year but you know everything. thank you for joining us today. >> thank you for having me. >> it has been a discouraging kind of morning. we heard from a lot of people. here is a little bit of what they said. warned that the actions that are being taken from outside attacks on our networks are not necessarily aimed at the government. % of the networks are in the hands of the private sector that we are worried about. he said we will not be ready. it is just barely above
6:34 am
water. the defenders are getting better but the attacker curve is more steep. offense is winning. somebody described the infrastructure as just a bunch of band-aids. the chairman, when asked about offensive attacks, said most of the offensive talk is from the private sector. for businessmen who have had enough. congress has told the private sector, you are on your own. so, mr. secretary, that is kind of a grim landscape. a lot of people are wondering. what is this government doing in
6:35 am
this time of siege? business, even congress feels there is a crisis. what are you doing about this? >> i do not ascribe to a school of has a medicine. i do not mean to belittle the magnitude of the threats in terms of the gravity and frequency of occurrence. i think everyone understands cyber security is a field of growth, with respect to the security of the government and of the private sector. i would take the alarm not as necessarily a cause for concern but rather as a call to action. as my great predecessor jane spoke, there is a
6:36 am
distribution of responsibility, i would say shared responsibility. becoming more and more sophisticated. our prevention capabilities are growing in sophistication. our detection capabilities are growing in sophistication. the cyber threat is real. i think it will be a growth industry. we in the government and the department of homeland security have a number of resources to deploy to protect the .gov environment. we have seen some of those tools deployed effectively. in the heartbleed situation, we worked very closely and used our
6:37 am
capabilities to work closely with the private sector, whether sharing information or deploying our expert teams to a particular company or sector to identify vulnerabilities. i think the opportunities for advancement are great. >> you said in june there was a need for this legislation that would help companies and the government work more closely. companies are worried about liability. congress has been stalled on this question for a long while. the chances of this legislation passing are practically nil. the chairman of the intelligence committee said there is a narrow window. can the administration do this
6:38 am
on its own? >> i am hopeful that the legislation will pass. the secretary has been a strong proponent and wrote a compelling piece last week to that effect. we are not without resource and opportunity to do more in this space, to better collaborate with the private sector. there are fundamental things that we can do to improve our cyber hygiene and investments we can make on a longer-term basis. we are not without tools. we do have a need for legislation to better equip us and the like. >> i wonder if one reason we aren't seeing progress -- people are saying there is a
6:39 am
crisis in the country. are there reasons consumers do not take this seriously enough? do you think politicians have not heard the alarm? they cannot get the most basic legislation enacted. >> i do not think it is a function of consumers not taking this seriously enough. the general public, having seen a number of attacks that have impacted a number of individuals around the country -- >> 40 million at target. >> i think they understand the concern. whether they are taking the most rudimentary steps is a different step. how often do people change their passwords? that aside, this is an
6:40 am
area where some of the fixes -- there is a great deal of debate on some aspects of the legislation. the liability detection is something about which there is not unanimity. that might be a more controversial aspect of the legislation. talent, updating the statutes that are long outdated -- these are things we should be able to accomplish quite readily. >> there has been a lot of talk about the threat. to borrow a question, what keeps you up at night? what is at the top of your threat list? >> i do not look at
6:41 am
the threat as a monolithic one. singular in identity. there is the threat of the traditional hacker that is out for commercial advantage or for disruptive effect. then there is the threat from sponsored action, from an intelligence gathering, security perspective. that is a threat that we are vigilant in addressing. what keeps me up at night are both. >> can you be more specific? those are very generalized things. what really worries you? you are in charge of defending our security.
6:42 am
it is also about things that touch us every day. >> absolutely. our role is to assist the private sector and work with the private sector in protecting its security. we do not have the tools to alone guard the .com space. we have seen distributed denial of service attacks. there is -- i hope everybody understands that our country's critical infrastructure is increasingly intertwined with our cyber security and the energy sector is very well aware of this and is at the forefront of protecting itself from cyber attacks. so many of our systems are
6:43 am
controlled through computer systems. how intertwined they are is our greatest concern. the grade is at the top of the list -- the grid. >> you mentioned tools. what is at the top of your list? what do you want that you do not have? >> the department of homeland security's responsibilities are well defined. the codification of those would be well received. the governing statutory scheme in this area is something that needs to be updated. it is antiquated. the national security framework. to have that codified would be greatly advantageous to us. our ability to really recruit
6:44 am
cyber talent. we have a difficult time competing with the private sector on one hand because of the financial realities. we are advantaged, i think, vis-a-vis the private sector. our ability to identify particular talents and recruit. i know there are a lot of questions from social media and the floor. >> i will ask the first question. what do you need to recruit and retain top talent? >> i would say something. the pay level is probably not
6:45 am
good, and to compete with the private sector companies, it is the opportunity for growth and the ability to recruit particular talent very quickly. i think that is one of the things. hiring protocols are sometimes, um, and that is something i would focus on. >> thank you for the opportunity. thank you for being here. i am with the office of government relations which is part of the coalition of dozens of companies, civil liberties organizations and many think tanks, all of whom oppose the act because we believe, and have detailed why, it severely compromises americans' rights
6:46 am
under the fourth amendment. no speeches. i would like you to comment. it is that opposition that is contributing to stalling the bill in the senate. if we need a bill, and that is the case, and the bill is stuck, how do we resolve that? >> i appreciate the question. the department of homeland security is not alone but relatively unique in having a privacy office and a dedicated privacy rights officer, not only committed to the cyber arena and the privacy issues but the privacy issues that are implicated in the breadth of the
6:47 am
work we are performing. we understand the privacy sensitivities with respect to the bill. we operate on a voluntary system of the provision of information. we benefit greatly from the volunteering of information. we are able to assist the provider of information in addressing the exploitation that the volunteer has suffered. we assist in remediating and preventing in the future further vulnerabilities. the more volunteers that we have, the greater a perspective we have on the security landscape at large and the
6:48 am
greater ability we have to make systemic recommendations and proposals to the private sector with which we interact. we encourage cooperation with us. it is a cooperative environment in which we work. >> more questions? >> another one from e-mail. if dhs is contemplating a roadmap so they know where you are heading and what is needed in the future. >> we are working on a plan and a vision for the future. we are working on that. it is a shared plan, a plan
6:49 am
of collaboration. you are searching to hire skilled people. we are told that u.s. cyber command is competing with you. that offensive cyber programs are racing ahead. we have heard there is a lot of worry about inadequacy. what do you think about that perception? >> i respectfully disagree with that contention. i think both are moving forward. we specialize on the defensive and not on the offense. our ability to recruit talent is best exhibited by the fact that we brought on board an outstanding leader in cyber
6:50 am
security from the private sector. we intend to draw additional talent just like her. secretary johnson visited georgia tech to recruit the best and the brightest in cyber talent. i have seen the capability on our defensive side with our u.s. team, a rapid response team that has been enlisted to assist in the defense and the protection of the .gov space. the usis position that was reported on. it has been deployed in the financial services sector and in private industry most capably. i do not think the defensive capability to assist the private
6:51 am
sector should be underestimated or understated. >> have you had any national level cyber exercises and can you tell us what happened? >> we have had exercises within the department. those are important to make sure all our response protocols and measures are best practice. we identified room for improvement. >> you can't be more specific than that? >> i do not know that i should be. but with respect to a broader exercise, i do not know the answer to that question. >> the former director of the nsa said it is impossible for
6:52 am
the government to have an adult conversation with the american people because there is too much secrecy about it. i think a lot of people feel we need to have that conversation. what our vulnerabilities are. what do you think about what he said? do we need more openness? >> it is interesting. i see the conversations that we are having all across the country. so whether my answer is satisfying those of you who are probative, i will leave it for you to judge. we have conversations all over the country with respect to cyber security. we meet with industry, citizen groups, privacy advocates.
6:53 am
the dialogue is an ongoing one. i do not know to what he was referring when he speaks to a lack of openness. >> there is a feeling that sometimes threats we face have not been fully revealed. people are shocked at some of the things they read about in the headlines. how is it possible, 56 million credit cards at home depot, if you are on alert and detecting across the country, that people abroad still got 56 million credit cards? >> that is a distinct point from the lack of a dialogue. the success of an attack is not the measure of whether we are
6:54 am
communicating openly and effectively nor is it the measure necessarily of whether we are being vigilant. this goes to your first point. the point of doom and gloom. i want to address it directly. the sophistication is evolving and improving every day, as is the sophistication of those who wish to do us harm, whether it is through commercial advantage or otherwise. the fact that an attack is successful does not speak to a deficiency but rather to a need, a need to be ever vigilant and to raise the bar of cyber
6:55 am
hygiene across the board. i will share with you that in working with the private sector we have observed varying levels of cyber hygiene among significant corporate entities. some are much more advanced in their cyber hygiene than others. it is incumbent upon us in the government to proselytize with our partners and counterparts in the private sector about the need to elevate cyber hygiene. as a former practicing lawyer, where i think it will be interesting to watch the marketplace is on the development of a standard of care.
6:56 am
if a consumer, a consumer of goods that is in direct contact with a company, is harmed by reason of a breach of that company's cyber security, what is the liability of that company for the breach? what is the standard of care to which it should have adhered? what is the reasonable standard of care? did it comply with the standard of care? i think those types of questions comprise at least one aspect of the future landscape in the cyber security realm. >> you seem to be saying we should not take what we heard today, the idea that part of the private sector is unprepared, we
6:57 am
shouldn't take that as some sign of worry about performance? >> what keeps me up at night. it presupposes that i am up at night and unable to sleep because of the cyber realm, which is true. i do not mean to diminish the fact that there is cause for worry. there is a cause for action, and that is what we should take away rather than a wringing of the hands. when is the last time this company scrubbed its cyber security system? when is the last time it engaged in a tabletop dialogue to determine if the safeguards are adequate to address the most basic threat and a really
6:58 am
elegant exploitation? >> on that note i think we're out of time. >> thank you very much. thank you, david hoffman. all of our conversations will be -- and on october 8 there will be a six-page section devoted to cyber security, including much of the conversation we had today. we have many things coming up in the fall. a conversation about veterans, returning vets from afghanistan and iraq. we have the ceo of starbucks, who has a book called "for love of country."
6:59 am
it will be on stage talking about veterans. thank you and we will see you next time. [applause] [captioning performed by national captioning institute]
7:00 am
host: "new york times" reports health and human services is in talks to increase production of an experimental drug to be used to treat those with ebola. marines have positioned a force of 2300 troops in kuwait to deal with the security crisis in the middle east, saying this deployment was planned for before the u.s.-led attack. the next head of the secret service may come from outside the agency's