
tv   Cybersecurity Summit  CSPAN  October 5, 2014 3:39am-5:06am EDT

3:39 am
when significant attacks happened or do you want to do an exercise already? call out whatever anybody's tasks are and do the best possible job? you can take a hit, you are taking some level of damage but you are prepared for it and you know what your actions are at that point. keep things going as best you can during these events. clean up after the incidents. learn, get through training, whatever happens. understanding what you can get from that, get that back into your employees and your systems so you have better footing next time. >> there have been reports that apple and google made significant changes to their new operating systems. it is to keep almost anybody out of these incredibly secured
3:40 am
phones we are carrying around. it has been criticized by attorney general holder and the head of the fbi. how much did what apple and google, what they are saying they are going to do, how much did that hurt some of the work you did? was it going too far between the balance of security and -- mike, you start. >> we want to be respectable people. move to protect privacy of individuals and mobile. we give up so much information. they want to get into our content, look at information. our department of justice is having discussions with specific organizations. or have a subpoena or search warrant for this information?
3:41 am
that has changed a little bit in the recent past but i am not sure where those discussions are. we look to work with the companies and how we can get the information we can gather in a national security type of information. is one of the means to do that? it is back to the basic question of what is available? what are you capturing that we could get? we have run into this problem before on the international scale. we are fully aware we are unprepared for it, but we are working with the international law enforcement. it means we need to get the information quicker. i believe we will adapt to it. >> was it a damaging blow? >> i am unsure at this point, to be honest with you. >> that is all the time we have.
3:42 am
if any of you have follow-up questions, corner our panelists and they will be happy to talk to you. can we thank our panelists. [applause]
3:43 am
>> he was an assistant u.s. attorney for 11 years in the eastern district of new york, where he served as a lead cyber crimes prosecutor. i am also joined by philip, who from 2009 to 2011 was the deputy secretary for the national protection and programs directorate at the department of homeland security. he also served as the chief information security officer of sony and the chief trustworthy infrastructure strategist at microsoft. thank you for joining us as we
3:44 am
look at how companies are being affected. look at what has happened in the last few days that did not make the headlines, that really has become the norm. jimmy john's, a sandwich shop. american family care, 205 patients with their data potentially at risk. a cowboy boot and western wear chain in the midwest and southwest were hit. many of the biggest companies get the headlines and we hear a lot about breaches that happen at target. there is a feeling of panic and concern. there are countless other examples of data breaches that happen in terms of size and
3:45 am
want to talk about the whole legal system. what is really happening in the commercial sector. i want to start out by asking you what is going on? is the problem getting worse? is security becoming a bigger problem for companies? where is the state of security in corporate america? >> responding to these kinds of attacks, we are seeing the problem is getting worse, in part because the scope of the attacks has gotten enormous. companies are experiencing intrusions where 100, 200, 300, 500 servers are being compromised. possibly for a small attack or a large attack in terms of the amount of information that is taken out of the network. the scope of the machines affected is so enormous that the cost is rising into the $5 million, $10 million, $20
3:46 am
million range in terms of hard costs. there can be reputational costs that run into the hundreds of millions of dollars. from a corporate governance perspective it is hard for companies in advance to prepare themselves for that level of attack. >> i'd love to talk as we go on and get further into the conversation about what that means for a small company if you are hit and suffering those kinds of attacks and costs. philip, what currently is the biggest problem or issue when it comes to corporate security? >> the biggest problem with regard to corporate security is the biggest problem with regard to critical infrastructure security and government security. the underlying paradigm of the internet -- that does not mean that every attack succeeds. it means that over a period
3:47 am
of time, somebody devoting enough resources to get into your network, given the size of the infrastructure, will be able to do that. as a result, you see these sorts of series of breaches. more and more reports of breaches. and that does not deal with the loss of intellectual property and government secrets and other things that often take place. which leads to what eric was talking about. the problem is getting worse. the defense curve is going up. the attacker is going up more steeply. they are good at sharing information. they're getting better and there is more information available online. we are all looking for the point where the curves start to come together again. we have not had that moment yet and we might not see it for a considerable period of time. >> eric, any thoughts on that? >> phil is right, it is a cat and mouse game where companies are playing catch-up.
3:48 am
to get back to the issue of what can they do, you have to increase your corporate governance around these issues. top management has to own cyber security threats and put budget behind it, the right people behind it, technology behind it. to establish a corporate culture of security. and so, that is a big challenge. often, that involves substantial change management. if, for example, in a company, the sales function has been predominant because you are a sales organization. as one of the panelists previously said, security equals one over convenience. it is inversely proportional to convenience. sales culture might drive convenience oriented solutions at the cost of better security. upper management has to take those reins and drive security from the top. one of the things that corporations can do to become a better secured environment is to excel at something within their control, which is corporate governance around cyber. if you do not have that, forget
3:49 am
about security. if you have that, you have a better chance. >> do they need to know who is attacking? if you are a company in the u.s.? let's back up and talk about who is attacking. can you give us a framework. what do these attackers want from u.s. companies and who are they? eric? >> there are 4 basic buckets.
3:50 am
state-sponsored agents that typically want intellectual property. research and development, formulas, industrial know-how. there are russian, not just russian, organized crime groups that are looking for financial information. they want to wire transfer money and steal money, steal credit cards. they're financially motivated. hacktivists. politically organized groups or state-sponsored groups looking to cause embarrassment or data corruption. then there are corrupt or negligent insiders. if you are a corporate victim, it matters in advance what your threat profile is. if you are a food manufacturer, it is unlikely a state-sponsored agent is going to come after you to steal intellectual property. you cannot prioritize if you do not know your security profile. what are your likely threats and
3:51 am
how do you align your security spend with those threats? >> do you think it matters who might be attacking you as a company depending on what industry you are in? >> who is attacking you can be important if that drives indicators you would use to look for to stop an attack. as a general matter, no. thinking about what the threats are, the taxonomy that eric talked about. microsoft did a paper that used a similar taxonomy. i think, supplementary, you can think about it. attackers may come after you because of what you know or what you have got. your sources of data. anything they could take from you that might be credit card
3:52 am
data or intellectual property, pre-released content. they come after you because of who you are. not that they want to take something from you, they want to take you down for a political or other purpose. the last one, this is becoming more apparent. they might try to take you down, not because of what you know or who you are, but who you know. it might be that you are a third party to somebody they want access to. you might be a means to an end. you see this more regularly. end users are taken down sometimes not because hackers want the data, they just want access to the computer. even if it is as simple as use on a botnet. there's a broad spectrum of attackers. you have to figure out what you want to protect, what are your most valuable assets. >> why are companies struggling?
3:53 am
>> this is getting harder to do. it takes a lot of resources. eric is right, you need corporate governance. most boards get it now. things like target have helped to ramp up the attention. it is a difficult area to make progress in. we are getting better technologies, but they can be difficult to deploy. a lot of our technologies do not scale well. if you cannot solve a problem completely with technology, you have got to have the right people. it is a people problem. there are not enough of those people. for many of us that have been around for a while, our biggest job is to find the good people and steal them. >> resources are a big issue. questions from e-mail and social media.
3:54 am
>> there's a question through e-mail about what is the scale of partnership between the government and industry? is it global, local, based on sectors, across sectors? what would help companies and corporations the most? >> eric? >> most companies try to build local relationships with cyber agents, either fbi or secret service, so they have in their incident response plan an initial contact so if there is a breach they know who to reach out to and they can get to them right away. the main challenge is for us as critical incident responders, what corporations need from law enforcement not on day 20, day 40, or day 60, but day one or day two -- a set of indicators
3:55 am
of compromise that the law enforcement and intelligence community know are associated with this type of attack on this sector of industry. there is a strain in the speed at which incident responders are able to get that information from the government. >> so, today, when is the company getting that information? day 20 or day five? what can a company expect from law enforcement? >> it is spotty. if you get the right group, fbi or secret service, the right circumstances, nobody takes the wrong view about whether or not the information they're going to provide is classified and therefore cannot be provided -- if all that lines up, you get good indicators which you can then search the corporate network for and speed your response. if you do not get the right circumstances, the information
3:56 am
is delayed or it does not happen. >> eric is right. the answer more broadly, you need global partnerships. you want to be a friend. if they give you valuable data it is something you can use to increase security now. the real problem is that -- it is not just that our human relationships do not work fast enough. it is that our human relationships cannot work fast enough. we need to build out automated information sharing and indicator sharing mechanisms that work at internet speed. the attackers' attack cycle is tighter than ours. if we are able to operate at internet speed, find out about an attack, a new zero day, we
3:57 am
will be able to protect infrastructure to the degree we need to. >> one thing that is happening, in order to deal with that lag of information from the government, private groups have cropped up. there's a growing group of retail organizations trying to form a retail isac. they will trade on an immediate phone call indicators of compromise so that, let's say you are a bank and you have been attacked. you call your friend and on day one you can get from bank b, that had the same attack, useful information that gets transmitted immediately. you turn around and you search for those indicators within your network. you say those indicators have
3:58 am
led me to the fact that i have these 20 machines compromised. now you are off to the races with forensics. that is the way it should work. that is the way government wants it to work. the executive order has asked government to respond in that fashion. it has not gotten there yet. >> let's give some credit where credit is due. the isacs grew out of government initiatives and were supported by government. the original idea came from president clinton's executive order in 1997. that's how old this is. back then it was a single isac that grew into a set of isacs. that's a place where government has played a favorable role. >> does this touch on smaller companies? if you are a fortune 500, are you involved in these sorts of -- this sort of cooperation?
3:59 am
>> i've never worked for a financial services company. the financial services isac has a tiered membership structure. it is quite inexpensive for smaller companies to participate. they get full access to the data being shared. those channels are available. the problem with smaller companies is, what are they going to do with that information? that is a difficult problem. >> you mentioned the role the government has played in forming a coordinating body. what policies could be put in place? what can government do to help with this growing threat of cyber security? >> i will give you three quick things. the government needs to ensure, particularly in critical
4:00 am
infrastructure, the right requirements are being met, and it doesn't mean massive regulation everywhere, but we need stronger incentives to get especially critical infrastructure to invest the right amount in security. i think it needs to work on the people problem. there are great initiatives to increase the amount of cyber security talent we've got. we're stealing people from other people. you can't hire enough people in this space. >> are they trained and educated here? >> our infrastructure is still built on sand and that's got to be changed at least over time. otherwise it's just a bunch of band-aids. >> if you had a wish list from government what would it
4:01 am
include? >> i think there has been very good progress in trying to build relationships, and i think there needs to be more consistency across the platform when we talk about threat information sharing. the white house has clearly indicated with the executive order that it's a mandate that this information should be shared, and i think moving down that road as they've continued to do would be a positive thing. >> let's take another question from email. >> as a company you're assuming that you're going to be breached. what does that mean for insurers? if you're meeting a government standard or an imposed standard what does it mean for insurance and what's the cost? >> i think insurance is a really hard problem.
4:02 am
people have been talking about insurance since 1995. you saw folks talk about the fact there's no data in this space that would enable you to effectively judge what's effective. so i think insurance can be important but we actually need much more security science, more data about what's happening, what is effective, to really enable an insurance market to drive the additional security everyone wants. >> i see this play out quite regularly because post response there's usually a claim under cyber insurance policies. so these cyber insurance policies are working, the claims are being submitted, insurance companies are paying out. the problem that phil is referring to is the underwriting industry isn't entirely able to handle the bulk of risk. so they're underwriting a fairly small portion of the
4:03 am
market right now because they don't have underwriting standards. as more data comes in, they will develop those underwriting standards and a broader set of insurance, especially with consequential harm, will be available. >> one quick rapid question. top two or three things that you recommend practically for a company to do when you go into the office. >> so the first thing is increase your cyber governance. the second thing, invest in people with specialized skills relating to cyber response. third, be very careful about the types of intrusion detection that you select. there's many products out there. you have to be very careful about it. >> i'll repeat one of them. if nothing else, get the right person or people. find solutions that scale. it's very difficult to approach
4:04 am
this problem. it's scale and get something that will allow you to address the security of your enterprise. >> thank you so much for joining us today talking about what it's like from the perspective of somebody who understands the hacker and tries to consult with companies on how to be best protected. >> we've assembled these experts from all over the united states to talk about what it means that injury
4:05 am
happened before she came in, thank you. it's not a cyber warrior thing out there. but i'm mary jordan from the "washington post" and thank you for all the people who have been sending comments online, watching online. we're going to continue about what -- i'll introduce the panel in a second. but what does this mean when you see yet another big company's been hacked and credit cards have been stolen? next to me is jane with the council on cyber security. before that, she was with the department of homeland security. she was deputy secretary there. so thanks for coming. then brian, an executive vice president at the retail industry leaders association. so that association represents all the big players in retail from wal-mart to gap. then erin, managing partner at
4:06 am
urban security in chicago. she is the one who goes in and uncovers vulnerabilities in a company. and then we have ellen, the executive vice president and chief legal officer and also the chief enterprise officer for visa. she's responsible for all the compliance and risk. what does it mean, first of all, who is paying? when i see that home depot just got hit, 56 million cards, what is the damage? i don't get the significance. >> i can start. i don't work for home depot. what's happening is basically we are experiencing first-hand now in a public setting what companies have been experiencing for a dozen years or more. there is no company that has
4:07 am
not been hacked, that hasn't been intruded, that has not had to deal with it. but in the past, i think most companies have dealt with this as kind of the price of doing business or a nuisance. and those times have changed. in 1995 there were 16 million of us online. today there are 3 billion people online on the planet. 3 billion people online. so these acts now are much more public and more consequential. >> what is the consequence of these breaches? >> i think jane has done a really good job of setting context because it is a huge challenge. these are criminals who are very sophisticated and dedicated, trying to infiltrate systems. it's not unique to any one industry. in terms of the impact it's significant. there's enormous brand risk to the businesses that are hacked when infiltrations occur. and the cost ultimately is something that's shared between all the players when you talk
4:08 am
about card counterfeit fraudulent charges as related to card issues. it's shared between merchants, banks, and the institutions across the system. which is why we have argued that the solution to these problems is one where all the players work together. there's skin in the game across the system and we need to be working together. >> but companies are worried about this because you say brand risk. people are worried about turning over their credit card numbers. >> the intensity is going on in every board room. and folks can speak to that, how businesses are adapting to the expansion of this risk. >> talk about technically how it works. there's a big company. somebody goes in and steals millions of credit cards. talk about how they do that and then what the end game is here. they actually sell often -- resell those credit card numbers.
4:09 am
>> there could be an encyclopedia of different ways. what we're seeing with credit cards obviously is there's a monetization to credit cards. there's a reason why people want those numbers. they're easy to use right now and there's a black market solely on the distribution of credit card information for vast amounts of use from just criminals all the way to foreign entities. so in regards to how people are going about getting in, we're wiping off the door mat in a lot of cases. companies have scaled in the last 20 years a gigantic amount and so what hasn't scaled is their infrastructure, and a lot of the technology and education hasn't gotten built up. so we haven't really formulated our roots to how to create secure corporate environments, from retail to corporations. the only difference is with credit card information, payment information there is
4:10 am
monetization, whereas for the social security number and data bits we haven't found the black market. >> how does it work? you go in, you turn it around. and then you use the internet to sell them again? and then somebody buys them and buys a pair of $200 shoes? tell me how it actually plays out. >> there are far better experts on the black market than i am. so i'm not even going to touch that right now. >> well, this is secondhand information. i myself -- there are sites primarily housed in eastern europe where credit card information and debit card information, card numbers, fully equipped cards, cards with pins, the whole nine yards, are available. they sell for different prices depending on the brand, depending on whether it's an affluent or standard card, depending on whether a pin is
4:11 am
provided, whether they give you enough information. it's all quite out in the open. although i don't recommend looking for them because, like other underground sites, if you are not kind of known within that community they might offensively come back at you. so i don't recommend looking for them but it's a very open and notorious market. and the card information might sell for anything from $3 or $30 or upwards to $100 for a fully equipped card. >> if you sell millions you get $100 for each one. so you're making money. >> absolutely right. >> let's go back. if there's a who pays and what happens when this breach might occur, wherever it might be. the first thing is, that everybody needs to be clear on here in the u.s., it is never the consumer or only very rarely the consumer that suffers any financial loss. and that's because here in the u.s. we have a zero liability policy that i'm sure you've
4:12 am
heard about, and the bank will take the charges off. so it's not the consumer. and it has to do within the industry who is going to pay. the second thing is as soon as one of these breaches is identified, and they're often identified by the banks themselves or by law enforcement, it is difficult often for the breached entity to detect it themselves, which is a topic that erin might want to talk about. but once identified this huge machinery goes into play where we get the information about the accounts that might have gone through that environment and we get that information out to your banks. as consumers you know that your bank has that information and can either monitor your account with special scoring because they know it's been exposed and protect you from the fraud, or reissue your account. and all that happens in the first instance by the banks, then later there are some provisions for sharing the cost among the other players. so that's my answer to your
4:13 am
first question. >> do you have anything to add to that? >> no one -- in terms of liability, but ultimately consumers do bear the cost of the marketplace. that's one way or another in all of these companies that are represented by brian's organization and ellen certainly. we love the market for a reason. they're in the market to make money though. so this is going to be cost transferred ultimately to the consumer. but i wanted to come back to sort of the basic theory of the case that underlies this. there are plenty of bad things happening in cyber space but they're happening in the capacity to act. we know what to do for basic cyber hygiene. we're just not doing it. experts -- i'm not a technologist but i hung around those who are. and these basics will prevent 80 to 90%. do you know what's connected to your network? do you know what's trying to
4:14 am
run on your network? do you know who has administrative permission to bypass your configurations? those basics, sort of the top five of the 20 critical security controls, constitute basic hygiene. we're broadly not doing that. i think 6 cents of every $100 -- >> i was going to comment on that. what's changed i think starting last christmas because of the prominence of the breaches that
4:15 am
occurred then at that time of year and affecting so many people is that it's become more a question of trust and confidence in the system, which has created a kind of unanimity i think that hasn't existed before. at least let's say a consensus that we need to move forward in the payment system to take the vulnerable data out of the system. and we have the means to do that, at least to take it out of the merchant environment. because it's such a complex and extensive environment it's going to take some time. moving forward with solutions for the internet shopping and the mobile shopping that you saw for example in the recent announcement from apple pay, which uses tokenization technology provided by the payment system. so all those things will take the data out. >> let's take one at a time. apple pay is just shocking. everybody now shops or puts their credit card online.
4:16 am
the future of online consumer activity, how is it going to be more secure and what do you think of the apple system? >> let me break it apart. first, i have no doubt that the technology in the system that janice is talking about will improve systems. but there is no silver bullet. what we have argued is that you need layers of security, and ellen has touched upon some important aspects. how do we -- we talked about the card information showing up on the black market and being monetized. we need to make sure that if a criminal were able to get ahold of this information it would be useless. >> how do you do that? >> that's the technology we talked about. so moving to chip cards, merchants have argued strenuously that those should be issued with pin numbers so you have authentication of the card. we feel strongly about that. but tokenization, which we believe is an underpinning of apple pay, is also a very terrific long-term solution that would, instead of transmitting information
4:17 am
related to the 16 digits on your card, you transmit something else that if intercepted couldn't be sold. but couldn't lead to fraud. >> i want to come to this point. i don't mean to represent the controls sort of as the be all and end all. nothing solves a problem to 100%. but because you are going to get a cold at some point in your lifetime, does that mean you're not going to wash your hands? because you're not going to be in a traffic accident, does that mean you don't buckle your seat belt? this is something we're not approaching in a systematic way, but we're all on the same page. >> what are they supposed to do to protect their identity and card numbers? the standard things that we have is secure passwords, and now your computer will generate them for you. but we're not on the computer generating them.
4:18 am
the kinds of innovations that ellen was describing are the future, in fact are the present for certain of us who have access to certain systems. would you share your toothbrush? don't share your password. most of you know my birthday, my mother's maiden name, all those things they ask you on the security questions, that you use in your password. right? so in case you want to know, my password is not 0316, my birthday. but i have met a lot of people
4:19 am
who use that, not that one but their own, and that is surprisingly easy for the criminals to phish and find from you or detect from you on social networks. i didn't think it would be worth their trouble but it is. they find that stuff out about you. so watch out for oversharing. >> what's a clever password? >> that was a joke. >> a lot of friends say i'm not on any social networks and i don't do that. guess what, their wives, their friends, their family, their kids, they are. and they're telling everything about them. and also our system in the u.s. doesn't help because we have so much public domain information. for a long time i never shared my address. but guess what, title companies and all this, there's a lot of public information around real estate sales and purchases
4:20 am
that's just public. i'm not the type of person that's going to say that everything needs to be private, but i think we need to do, personally from a consumer side, a risk assessment and understand what's important to us and what we're willing to share and what we're not. we're talking about passwords and i think that's fantastic because nobody is doing passwords correctly. and i know i can guarantee everybody in this room there's not a single person that's using a unique password on everything they log into. it might be complex but i'm sure it's shared. >> this is all the voodoo that you do in that space. those of us who are not technologists want to know what are the most important things that we can do first? lock your door. that's what i say. and i say it in kind of a home -- but we're talking about apple pay. >> you have faith in apple pay. >> don't put those words in my
4:21 am
mouth. i think apple pay, i think these are all little pivots to start turning this big titanic we have. >> pivots towards taking the risk out of the environment and emv, the chips that we're putting on things, that's a card present transaction item. instead of swiping your card it has a chip. instead of that mag stripe going across, it -- it's limited. now, the chip has the same information aside from one exception. so again -- >> but if stolen it's less valuable. that's why the chip and pin system is supposed to be more secure. >> the chip is a little computer on the card, as i'm sure many of you know. it generates a one-time use code. so without that code, which is different for every transaction, you can't complete the transaction. so unless you have the computer itself, the chip, you can't complete the transaction with
4:22 am
all the rest of that information in the face-to-face environment. how are we going to distribute security? what responsibility should you have? i mean, when you drive a car or you're a passenger or pedestrian you have certain responsibilities for interacting in the automotive transactions that happen every single day. what expectations should we give to manufacturers? why don't we get systems shipped with the security configuration switched on? why do we all have to figure this out for ourselves? a lot of -- >> can you answer the question here? what is the responsibility for the
4:23 am
ensure the integrity of our identification and what will the role of government need as we distribute control? what we are facing, though, is the lack of a conversation. we have industry fighting and security problems. there are no silver bullets. goodness sake, thank goodness the medical community and the public safety community did not take that attitude. let us prevent what we can, at a cost we can afford. that will allow some important
4:24 am
precious resources to be focused. we are not even making it hard right now. as europe has a better system than we do, why have we lagged behind? why is that? >> we have been asking that for a long time. we need to be working with each other. to be working between industries, which is something we have done after many years of doing battle over a variety of things. the community came together earlier this year to figure out if there were ways to work together. we represent the ecosystem from the big banks to the small banks. all kinds of merchants.
4:25 am
can we be talking about this? generation,at next because there is not a solution today that protects the networks for all transactions in all places. protect theo near-term solutions. holding the card, actually owns that card. that is an important aspect. we need a long-term view -- >> we are moving towards both of those, aren't we? >> we are moving towards chip but we are not to encrypt the yet? this, the chips out late -- the chip room started 15 years
4:26 am
ago, driven in part by the fact that here in the united states we have a very efficient and reliable telecommunication system. as a result, all of our transactions are online, not online through the internet, but online through the bank. it goes to your bank in a millisecond and comes back. in europe, the telecommunication system at the time was not as reliable and they were not able to use online authorization with predictive analytics to identify suspicious transactions. so they were not using those solutions. as a result, their fraud rates were here, ours were here. they decided, because of the inability to bring everything online, they were going to use an off-line solution. withoutg like the chip
4:27 am
needing to go back to the bank. that was the origin of the chip card in europe. meanwhile, in the united states the predictive analysis got better and the rate got from 18 points down to six, reduced by using the formula. -- the thinking was, why should we invest in the chip? benefits,sive, less that is why the united states did not do it. now we're doing it. visa thought we should do it starting in 2011, reported at a roadmap. it is not a silver bullet in europe and they have now come to the side of using predictive analytics which they can do better now with telecommunications. predictive analytics mean --
4:28 am
predictive analytics mean that it will know if, say, i went to mexico? correct seeing them a little bit higher here in the united states. if a company outsources all of its credit card processing, are they going to have to decide who oversees that? who wants to take that question? -- outsourced processors and other service data, anythat handle
4:29 am
company that transmits credit card data. on another question, can digital hygiene education become part of our education system as mandatory? >> it can. but i think we need to have the public as an asset, not an obstacle. they are pretty switched on, pretty public. people will do sensible things when they know why. try to treat the public as an asset here. yes, introduce education. generation that remembers what life was like before there was online. none of us negotiated our morning without using online in some way. we might as well be educated about it.
4:30 am
anyone here not do online payments? 93% of the belgian consumer economy is done online. a factoid i saw in an airline magazine. -- there is imminent to enterprise in the united states that does not rely on the internet. we have tremendous reliance. we ought to do basic hygiene. so we can focus on those advanced persistent threats. -- >> in a few years it is going to be different. v-chip has brought down the fraud costs. in the u.s., it has gone up.
4:31 am
you have seen fraud migrate online. now it has moved to the united states, and it has moved online. describing the existing solution as unacceptable. >> service look like in a few years? >> there are a -- you have google alerts, you have other types of wallet solutions. those solutions all allow you to transact either in a mobile or online environment with a cloud provider such as ourselves or others handling sensitive data in the background. as a proliferation of that.
4:32 am
that is a solution that is both harmful and online. a mobile environment, who are toing an idea of a code enable an application that can be used both face to face using, by the way, shape technology that is too technical for this conversation, or on an application on your ipad and iphone or other device, secure -- you have a patent application. it is very simple. >> we are excited about the prospect of these
4:33 am
technologies. imagination of their are lots of players. >> as shareholders and consumers who need to ask him about basic hygiene. you have at a meeting and say, but had a tremendous reach. had administrative authorities of change settings? start insisting on a higher standard and enterprise performance. >> jennifer lawrence heinously did not like it in the photos went out around him. it should consumers ratchet specifically that it comes in? are and capacities of a romantic burned up. seth practices. investigate and it is a good
4:34 am
post destroyed? in practice is almost time. is a great fast. think of yourself as your own personal brand. lawrence and other celebrities in a him assessment passion is a kind of information. between seven and 10 years of the resource for tax information in cloud storage areas or online storage or on the computers that had him. that is all of information. think of him as it has to be careful. you have a right to expect it
4:35 am
has to companies and enterprises will are taking basic measures have the rightof now. >> last word since we're talking to his amazon is protected financially. a hassle. funnily you can do is i have a scorpio tankers be in control of your. yourn be in charge of card. you can set it however you want. i said is it any/25 hours i had a text and an e-mail -- over $25 i get a text and an e-mail.
4:36 am
>> got it. very interesting. >> information sharing across retailers. infrastructure, which will tell it was not. let us take a lesson from that. thank you very much. very interesting. i did not know about the alerts. i have teenagers so it is very interesting. i want to welcome to the stage the final discussion of the day. we're very lucky to have david here. he is former washington bureau chief. contributing editor of the washington post. going to interview someone
4:37 am
from the department of homeland security. [applause] >> i'm going to let you in on a secret. this is where they used to print the paper. welcome to the digital age.
4:38 am
i would like to introduce my guest. the united states when he was a child, earned a degree from the university of california at oakland. a law degree at oakland. after that, he became assistant part of in a big california that includes los angeles and many other places. he was a lawyer with a big firm. in 2009 he was appointed by the president as director of citizen and immigration services. as deputyrn and secretary of, and security december 23 of last year. welcome. we know you have only been in office less than one year. that you know everything. we're here to extract some of that information from you.
4:39 am
it has been a discouraging morning. we heard from a lot of people. a little bit of what they said. the chairman of the house intelligence committee warned us that the actions being taken attacks on our networks are not necessarily aimed at the government. it is not the government will be learned about. it is the only 5% of the networks and hands of the private sector. -- the 85%. somebody else said here on a panel, the defenders are getting better, but the attacker curve is more steep. offense is winning. somebody else described the infrastructure of the internet as really just a bunch of
4:40 am
band-aids. , when asked said about offensive attack us, he said most of the offensive talk is from the private sector, from businessmen who said, i have had enough. he pointed out the congress told the private sector, "you are on your own." mr. secretary, that is a grim landscape. i think a lot of people are wondering, what is the government doing it is this -- in this time of seizure. -- siege. even congress feels there is a crisis. what are you doing about it? >> let me say that i do not subscribe to a school of pessimism. i do not mean to belittle the
4:41 am
threats both in terms of gravity and frequency of occurrence. i think everyone understands that cyber security is a field of growth, with respect to the security of the government and to the security of the private sector. i take the alarm not as necessarily a cause for concern but rather a call to action because, as my great predecessor distributionis a asponsibility i would posit shared responsibility, while attackers are becoming more and more sophisticated, our prevention and liability rules are growing, our detection capabilities are growing, and
4:42 am
out of remediation it abilities are escalating as well. cyber threat to israel and i think it will be a growth industry. government, specifically in homeland security, have a number of tools and resources to deploy -- employ to protect. i have seen some of those tools used admirably, such as in the heartbleed situation. we used our capabilities to work with the private sector. whether it is sharing information or deploying teams to a particular company or sector to identify the vulnerabilities and propose mitigation steps.
4:43 am
i think the opportunities for collaboration and advancement are great. >> and a lot of companies are worried and congress has been stalled. in the past few days, general alexander said the chances of this passing in a lame-duck session are now. the chairman of the intelligence committee said there is a narrow window. if this legislation does not pass, can the administration do it on their own? >> first of all, i am hopeful it will pass. the secretary wrote a very compelling piece last week to that effect. in the absence of legislation, we are not without resource and
4:44 am
without opportunity to do more in this space to better collaborate with the private sector. prior opinionand there are fundamental things we can do to improve our cyber hygiene and there are very strategic investments we can make to improve our cyber hygiene. we are not without tools, but we do have a dire need for legislation to better equip us. >> are consumers not taking this seriously enough? after several years of debate we cannot even get the most basic legislation passed?
4:45 am
>> i do not think it is a function of consumers not taking it seriously enough. the public in general having seen a number of attacks that have impacted a number of individuals around the country -- >> 40 million at target. >> i think they understand the concern. whether they are taking the most rudimentary steps is a different step. how often do people change their passwords? putting that aside, this is an area where some of the fixes -- there is a great deal of debate on some aspects of the legislation. the liability detection is something about which there is not unanimity. that might be a more controversial aspect of the legislation. to keep cyber talent, updating
4:46 am
the statutes that are long outdated -- these are things we should be able to accomplish quite readily. >> there has been a lot of talk about the threat. to borrow a question, what keeps you up at night? what is at the top of your threat list? >> i would say, i do not look at the threat as a monolithic one, singular in identity. there is the threat of the traditional hacker that is out for commercial advantage or for disruptive effect. then there is the threat from
4:47 am
state sponsored action from an intelligence gathering security perspective. that is a threat that we are vigilant in addressing. what keeps me up at night are both. >> can you be more specific? those are very generalized things. what really worries you? you are in charge of defending our security. it is also about things that touch us everyday. >> absolutely. our role is to assist the private sector and work with the private sector in protecting its security. we do not have the tools to alone guard the .com space.
4:48 am
i think that is a very important point. we have seen distributed denial of services. there is -- i hope everybody understands that our country's critical infrastructure is increasingly intertwined with our cyber security and the energy sector is very well aware of this and is at the forefront of protecting itself from cyber attacks. so many of our systems are controlled through computer systems. how intertwined they are is our greatest concern. the grid is at the top of the list -- the grid. >> you mentioned tools.
4:49 am
what is at the top of your list? what do you want that you do not have? >> the department of homeland security's responsibilities are well defined. the codification of those would be well received. the governing statutory scheme in this area is something that needs to be updated. it is antiquated. the national security framework. to have that codified would be greatly advantageous to us. our ability to really recruit cyber talent. we have a difficult time competing with the private sector on one hand because of the financial realities. we are advantaged, i think, vis-a-vis the private sector. our ability to identify particular talents and recruit. >> i know there are a lot of questions from social media and the floor.
4:50 am
>> i will ask the first question. what pay levels do you need to recruit and retain top talent? >> i would say something. the pay level is probably not good enough to compete with the private sector companies. it is the opportunity for growth and the ability to recruit particular talent very quickly. i think that is one of the things. hiring protocols are sometimes labyrinthine and that is something i would focus on. >> thank you for the opportunity to thank you for being here. i am with the office of government relations which is part of the coalition of dozens of companies, civil liberties organizations and many think tanks, all of whom oppose the act
4:51 am
because we believe and have detailed why it severely compromises americans' rights under the fourth amendment. no speeches. i would just like you to comment. it is that opposition that is contributing to stalling the bill in the senate. if we do need a bill, and that
4:52 am
is the case and the bill is stuck, how do we resolve that? >> i appreciate the question. the department of homeland security is not alone but relatively unique in having a privacy office and a dedicated privacy rights officer, not only committed to the cyber arena and the privacy issues but the privacy issues that are implicated in the breadth of the work we are performing. we understand the privacy sensitivities with respect to the bill. we operate on a voluntary system of the provision of information. we benefit greatly from the volunteering of information.
4:53 am
we are able to assist the provider of information in addressing the exploitation that the volunteer has suffered. we can assist in remediating and preventing in the future further vulnerabilities. the more volunteers that we have, the greater a perspective we have on the security landscape at large and the greater ability we have to make systemic recommendations and proposals to the private sector with which we interact. we encourage cooperation with us. it is a cooperative environment
4:54 am
within which we work, and not an environment of compulsion. >> more questions? >> another one from e-mail. if dhs is contemplating publishing a roadmap so they know where you are heading and what is needed in the future? >> we are working on a plan and a vision for the future. we are working on that. that is a shared plan, a plan of collaboration. >> i know that you are searching desperately to hire skilled
4:55 am
people. we are told that u.s. cyber command is competing with you. it seems that offensive cyber programs are racing ahead. we have heard there is a lot of worry about inadequacy. what do you think about that perception? that offense is outstripping defense? >> i would respectfully disagree with that contention. i think both are moving forward. we specialize on the defensive and not on the offense. our ability to recruit talent is best exhibited by the fact that we brought on board an outstanding leader in cyber security from the private sector. we intend to draw additional talent just like her. this is a priority of the secretary. secretary johnson visited georgia tech to recruit the best and the brightest in cyber talent. i have seen the capability on
4:56 am
the defensive side with our u.s. team, a rapid response team that has been enlisted to assist in the defense and the protection of the .gov space. the usis situation that was reported on. it has been deployed in the financial services sector and in private industry most capably. i do not think the defensive capability to assist the private sector should be underestimated or understated. >> have you had any national level cyber exercises and can you tell us what happened? >> we have had exercises within the department. those are important to make sure all our response protocols and measures are best practice. we identified room for improvement. >> you can't be more specific than that.
4:57 am
>> i do not know that i should be. but with respect to a broader exercise, i do not know the answer to that question. quite frankly. >> the former director of the nsa said it is impossible for the government to have an adult conversation with the american people because there is too much secrecy about it. i think a lot of people feel we need to have that conversation. people need to know before there is an attack on the grid what our vulnerabilities are. what you think about what he
4:58 am
said? do we need more openness? >> it is interesting. from my vantage point, i see the conversations that we are having all across the country. so whether my answer is satisfying those of you who are probative, i will leave it for you to judge. we have conversations all over the country with respect to cyber security. we meet with industry, citizen groups, privacy advocates. the dialogue is an ongoing one. i do not know to what he was referring when he speaks to a lack of openness. >> there is a feeling that sometimes threats we face have not been fully revealed. people are shocked at some of the things they read about in
4:59 am
the headlines. how is it possible 56 million credit cards at home depot, if you are on alert and detecting the country that people abroad it still 56 million credit cards? 56 million credit cards? >> that is a distinct point from the lack of a dialogue. the success of an attack is not the measure of whether we are communicating openly and effectively nor is it the measure necessarily of whether we are being vigilant. this goes to your first point. the point of doom and gloom.
5:00 am
i do not mean it to embrace it is improving every day. as is the sophistication of those who would wish to do us harm, whether it is for commercial advantage or otherwise. the fact that an attack is successful does not speak to a deficiency but rather it speaks to a need. a need to be ever vigilant. i will share with you that in working with the private sector, we have, for example, observed varying levels of cyber hygiene at many corporate entities.
5:01 am
some are more advanced than others. it is incumbent upon us in the federal government to our partnersith and our counterparts in the private sector about the need to elevate cyber hygiene. where i think it is going to be interesting to watch the marketplace is on the development of a standard of care. of goods that is interacted with a company is harmed by reason of the breach of that company's cyber security, what is the responsibility and the liability of that company for the breach?
5:02 am
what is the standard of care to which it should have adhered? what is the reasonable standard of care? did it comply with that standard of care? did it not? i think those types of questions comprise at least one aspect of the future landscape in the cyber security realm. >> one quick follow up. we should not take the worst and most serious breaches and the idea that part of the private sector is unprepared, we should not take that as some sign of worry about performance? me what keeps me up at night. it presupposes that i am up at night and unable to sleep because of something in the cyber realm, which is true.
5:03 am
i don't mean to diminish the fact that there is cause for worry. what i mean to say is there is cause for action, and that is what i suggest we take away rather than a wringing of the hands. i am a member of this company. when was the last time this company scrubbed its cyber security system? when was the last time it determined whether the security safeguards were adequate to address the most a sick threat -- most basic threat? >> i think we are out of time. >> i think there is an appetite for dialogue and i appreciate you coming. thank you, david hoffman. i want to say that all of our conversation will be online soon.
5:04 am
8, there will be a six page section dedicated to cyber security. we have many things coming up. the day before veterans day, we will have a conversation about returning from iraq and afghanistan. many of them are doing very interesting things in the community. we have howard schultz, the ceo of starbucks, who has written a book. thank you. we will see you next time. [applause] >> on the next "washington journal," david wasserman with the political report.
5:05 am
a roundtable discussion on public opinion and politics with a pollster and a pollster. you can join the conversation on facebook and twitter. we will take your phone calls. on tuesday, jeh johnson discussed counterterrorism in an event hosted by the canadian-american business council. this was his first official trip to canada. this is 20 minutes. >> thank you for the opportunity to speak to you here today. i appreciate the warm welcome to ottawa and the hospitality from this council. and i welcome the opportunity to be here in ottawa, your capital. i also book militancy to escape