tv Cyber Threats and Vulnerabilities CSPAN February 14, 2015 4:55pm-6:01pm EST
4:55 pm
ght. our prosperity and security depend upon the internet being secure against threats, reliable in our ability to access information, open to all who seek to harness the opportunities of the internet age, and interoperable to ensure the free flow of information across networks and nations. we are at a crossroads, and the clock is ticking. the choices we make today will define the threat environment we face tomorrow. all of us have a responsibility to act, to practice better cyberhygiene, to build greater resilience in our networks so we can bounce back from attacks, to break down silos and improve information sharing, as well as the integration and analysis of threats, to pass cybersecurity legislation, and to ensure that we take a comprehensive, whole of government approach to
4:56 pm
respond to cyberattacks, just as we do in other contexts. these are hard and very complicated issues, but i'm confident that working together government, industry, advocacy groups, the public, and the congress, our networks can be safer, our privacy protected and our future more secure. i look forward to tackling these threats with all of you. thanks very much. [applause] >> i'm going to ask you a few questions and then we'll open it to a conversation from this room and from the overflow room. i hope somebody will give me questions from outside this room. first of all, i noticed as a recovering politician your gentle pitch to congress on a
4:57 pm
bipartisan basis, and i hope congress is listening. it has occurred to me for years that the terrorists won't check our party registration before they blow us up, and this is obviously true in the cyber realm as well. the attacks on all of this infrastructure that you've listed, not just the private sector, but also the postal service and so forth, didn't target democrats or republicans, did it? >> nope, it did not. >> so this is in essence one size fits all, and i hope everyone in congress is tuning in and realizing that there's more to do. you made a list of things that congress has to do, more information sharing, a standard setting, tools for law enforcement. you didn't mean immunity. is that adequately dealt with, or does more have to be done there and can you explain? >> sure. it is an essential feature of a package that president obama
4:58 pm
announced last month, and it goes directly to the heart of the first list that was recorded there, information sharing. the president's legislation that he announced last month makes it clear and proposes to provide liability protection for sharing from the private sector with the government to the department of homeland security, and in order to incentivize the private sector to provide that very, very critical information that i talked about in my speech. >> now, not everybody is a lawyer, so why would a firm be liable for sharing information? >> there's any number of reasons. i'm a recovering lawyer, as you know -- >> so am i. >> as you noticed. but as we have heard from industry across the board, small, medium, large businesses, that they face real choices and concerns about sharing information about breaches or
4:59 pm
hacks or intrusions into their networks. they want to share information with the government about the origin and what they find out about those breaches, but in doing so, there are concerns that it would -- the information they provide could include consumer information or they could be sued for seeming to include consumer information. so what the president's proposal does is it says straight out provide liability protection targeted and narrow liability protection for the purpose of a corporation, providing that consumer security and cybersecurity information to the government after taking reasonable steps to remove private information, consumer information, so that the government can get that information in, look at it compare it, and analyze it along with all the other sources, classified and otherwise, that the government has, and return that information to the public sector, to the
5:00 pm
private sector, state and local governments, and the private sector holders of a huge something approaching 85% of the cyberinfrastructure. >> i was going to go there, but let me ask one follow-up question just so everyone understands what you're saying. company x thinks it's hacked. the reason it should tell the government about this is what? >> so a few things. one, we may have seen exactly that signature, that set of ones and zero that is a particular malicious cyberactor uses to use its district or denial of service or other attack that may even go to the integrity of data. so we may, once we look at it and put it together with all the other intelligence and information we have, we may say, we know what this is, we know who it is, we know how it's going to affect your system, and
5:01 pm
most importantly, we want to tell everybody else. we want to tell if that company that provided that information to us is a power plant producer or owner. we want to get it out to the rest of the energy sector. >> so when company x comes forward and is protected in a limited way for doing so company x benefits. >> company k benefits. >> in addition to their being patriotic and helping the rest of the government that may provide, or not the government but the rest of the internet. >> this is why i talked about an ecosystem. we are all intertwined, as you noted in your remarks. one person's vulnerability, frankly, is everybody's vulnerability. and so that's why -- that's why it's so critical that we are working together. >> well, i don't think there's a lot of pushback from congress on the immunity issue, so why isn't congress doing something? >> so this is what we're really
5:02 pm
hoping we can galvanize the congress to act, because once you compare the protection that is targeted in the way we've described with reasonable privacy protections, this ought to be the kind of thing that we can get behind on a bipartisan basis. >> the other thing i want to draw you out about, because again, i don't think there's a lot of public understanding of it, is the portion of critical infrastructure that is in the private sector. people should be aware that there is dot-mil, an internet system for our military. there's dot-gov, a system for our government. and then there's dot-com. how many people have some form of internet account that ends in dot-com? ok. how many of you are clueless?
5:03 pm
no, clueless people don't come to the wilson center, ok. so, lisa, can you talk about the percentage of -- let's just start with critical infrastructure that is in the private sector, and why leaving the private sector with inadequate tools exposes all of us. >> so, you know, like most statistics, they're all over the place, but by any measure, you know, there's references to 85% of critical infrastructure and the backbone on which we ride, whether you're a power plant whether you're a financial company, whether you're a shopping center, all of that resides, the vast, vast majority of it resides in private sector hands. state and local government or privately owned. that means that the dot-gov piece or the dot-mil that is
5:04 pm
solely in control of the united states government, is a very very small portion, and so we are incredibly reliant for all the services we rely on, that are critical in many instances to our life and sustenance whether it's a hospital or whether it's your financial bank account. you are vulnerable if you are hooked up to the internet. >> so, in my brilliant introduction, i referred to rail switches, water mains, power grids. >> yep. >> what percentage of all this is in the private sector? >> all of it. >> all of it. everybody hear that? >> state and local government, or the private sector, it is all privately owned. it's not the federal government's responsibility. it doesn't come under the control of the federal government. in any event, if you're hooked up to the internet, you're vulnerable. my former boss and somebody you know well, jane, former director of the f.b.i., robert mueller, said and has been quoted often there's only two types of company owners, those who have
5:05 pm
been hacked and those who will be hacked. jane: well, the wilson center has been hacked, and we're pretty careful about things, and we are taking precautions every day. has anybody here never had an experience being hacked, or does here not know someone who's been hacked? all right. yes, one person. we're going to call on you later to explain how you're so lucky. well, moving along. something we brag about at the wilson center is how good our people are. that's, of course, why we're now in the top five think tanks in the u.s. but my question is about, how good are the people the government can hire to work on cyberissues? i ask this, because i'm well aware, and i know everyone here is, that the private sector pays much, much bigger salaries. lisa: look, we have the same --
5:06 pm
or i should say greater recruiting and retaining challenges that the private sector has. now, we can offer something, jane, that the private sector, not all the private sector can and that is obviously a tremendous sense of mission. but we've got to do more to be able to hire top-notch cybertalent. we've got tremendously talented people working in the n.s.a., in the f.b.i., in the department of homeland security, in the defense department. these folks are top, topnotch. but they also can be hired away for vast sums. jane: so what do we have to do to get these people to come and to stay? by the way, i was at the n.s.a. recently being briefed on some aspects of our programs, and they said that really good kids coming out of college are turning down much bigger salaries because they're patriotic and they want to protect our country.
5:07 pm
lisa: so we've got a sense of mission that we can offer, and that's a huge recruiting tool. but we need funds. we need the funds and the authority and the flexibility in particularly in the department of homeland security to be able to do that extra hiring. this is the wave of the future. jane: is another obstacle to hiring some of these kids our clearance system? lisa: well, look, there is always -- there are always ways that we can do better to streamline the security clearance system. as the president's counter terrorism and homeland security
5:08 pm
advisor, you're never going to hear me say anything that would seem like we're scrimping on security, but there's more that we can do to streamline that process and to get people in who are patriotic, who have huge skill sets, and who we can put to work. jane: well, obviously i'm not encouraging more edward snowdens to apply. got that message. knowing we all got that message. but what about a kid who incorrectly downloaded music for free, which is not ok, on his -- one of his systems? what about that kid who answers that question correctly? will he be cleared? lisa: you know, not having recently gone through my security clearance, although i've had many, i did not have that question trip me up. but, you know, look, what i would encourage folks who are patriotic, the first thing is be honest on your security clearance form. but something that is a crime is going to be something to talk about. jane: last question for me, and we'll have 20 minutes for audience questions, is about the only criticism i've heard since news that you have just made here was printed in the newspaper this morning, that's ok, as long as you came here to deliver the speech, we're very happy. but the criticism was, is, that you're building an unnecessary bureaucracy with the ctic.
5:09 pm
what's your answer to that? lisa: so my answer to that is, look, as i laid out in the speech, this is filling a critical gap. in the nctc, the national counterterrorism center, we did nothing to take away the mission or the role, the responsibility of c.i.a.'s counterterrorism center, of f.b.i.'s joint terrorism task force, or its operational hub. those are operational arms and operational centers that have clear responsibilities and clear missions. what we need, the gap that the ctic fills is critical rapid coordinated intelligence to feed those operations. so it is not duplicative at
5:10 pm
all, jane, and i think what we've seen with nctc is operators and policy makers are very, very well served in facing an evolving threat by having a source of rapid, integrated intelligence at their disposal. jane: well, expressing my personal opinion, i was there when first the terrorist threat integration center was set up by president bush, and then it was renamed nctc, and then congress codified it as part of the 2004 intelligence reform law, and i think nctc is terrific, and shout out to the people who work here. so if you're building something comparable to that that's going to work as well as that, my own view is you're on the right track. lisa: well, thank you. we think so. jane: all right, folks, 18 minutes and 40 seconds, please identify yourself and ask a question. do not give a speech. right here. wait for the microphone.
5:11 pm
pete baer: thank you. i'm pete baer with "energy wire." could you elaborate on the second of your four action points, how can the government use all of its capabilities more effectively to disrupt serious threats to critical infrastructure before they occur? lisa: so it's a very good question. what i meant by that is, and the reference in the speech is using all of our tools. again, the terrorism model is instructive. we get around, literally get around the table in the situation room. our diplomats, our intelligence community, our military, our prosecutors and law enforcement officials, and we discuss what is the best way to disrupt this threat, to deter this actor, to determine how to address the threat. that's what i'm talking about with respect to cyber. you see us using all of those tools, diplomacy in trying to work with other governments to establish cyber norms of behavior, on the military side on the intelligence side, on the law enforcement side. just last spring, the department
5:12 pm
of justice, the national security division, something i know a little something about, brought indictments against five members of the people's liberation army in china for conducting cyberespionage in this country. that is an effort to say we will take account of these actions. we will determine who has committed these malicious cyber actions and go after them. and then there's, of course sanctions. you see that in our response to the actions of north korea. the idea is, you're going to look at all your cybertools and you're going to look at all your tools, including your cybertools, and determine which is the best one. jane: i know it is u.s. policy
5:13 pm
not to do economic espionage. could you explain the basis for that? lisa: sure. the president's been quite clear about this. we are not conducting and will not conduct economic espionage for the benefit of our companies. full stop. that's what the president has said, and that's what the intelligence community adheres to. jane: hi, there. question on the side. >> i am from "politico," do you believe in the cannibalization of different companies? lisa: the government does not
5:14 pm
cannibalize. you have authority in the dni, and the director of national intelligence has the authority under the terrorism reform prevention act that was passed after 9/11 to create intelligence centers specifically for this mission to integrate and bring all sources of intelligence together. so yeah, as nctc does, this will bring it analysis from other centers and other government agencies that have the national responsibility and the cyber responsibility. jane: we actually promoted that idea, because it gives broader experience, and they are able to do a more whole of government
5:15 pm
response, which is something i would assume what you are mention you are trying to achieve. lisa: yes, and that is a really good point. if you are in the intelligence community, in order to get promoted, you have to do something that is called joint duty. and i think this is actually smart innovation. you would have to have served in other agencies and see what your partners in the intelligence agencies do. jane: there is a law called goldwater-nichols which was passed in the 1980's. the whole notion of this law is that by pooling people together, you have a better chance of bringing the best capabilities together. lisa: that is exactly right. jane: right over here, third row. >> i was wondering if you could discuss the german attack on the
5:16 pm
mill, and do we have the right tools for that. lisa: you are on to that, and i alluded to it directly in my speech, which was the north korea attack that sony pictures entertainment is a game changer because it was both destructive and coercive. we saw in 2012 an attack, a destructive attack, on a large oil facility and producer. 30,000 computers just created and turned into bricks, basically. this is incredibly destructive obviously, and it has a huge impact on the bottom line. that is the thing, as i said in my speech, that is probably the most concerning to me, that and what i was going to say is another element of the struct of the cyber behavior, and that is
5:17 pm
manipulating and leaving an impact that makes us question the integrity of data, when you don't know what has really happened, so you lose trust and faith and confidence in the data that is there. jane: right in the center here, the man in the glasses. yeah. >> hello, as you mentioned the response for international corporations, are there any concrete plans that the white house has to lead? lisa: that is a great question, and president obama talked about this with the sony pictures attack. we have got to do more work, quite frankly, on galvanizing international cyber law, things like getting the international community to all agree and sign up for the fact that we are not going to commit a cyber attack on critical infrastructure.
5:18 pm
this ought to be something we can sign up for. jane: ok, on the side of the aisle. steve: hello, my name is steve and i am an independent consultant, and you said that the counterterrorist side, there is reaction to the encryption of apple and law enforcement platforms, and that has been less than enthusiastic so how far does that pillar extent for it was a glee -- four intrinsically secure? jane: you used the word default encryption, can you explain that to other people? steve: on the iphone platform, they have implemented strong
5:19 pm
encryption by default, so if the phone is compromised physically, nobody can obtain any data from it, so your data is inherently secure on it and apple has no easy way, or law enforcement has no easy way, to recover it. that would be the intrinsic security of our information, yet the reaction from law enforcement is that they do not have a back door into these security systems is very negative. lisa: i think you raise two very important issues, and i will take the consumer protection case second, on the first issue you raised, i think you run up comments that were made, and president obama spoke about this recently in a press conference with prime minister cameron. look, there is incredible value from strong encryption. by the same token, as the president has observed, there is a real concern if we cannot have
5:20 pm
and give legal power to law enforcement to have access to information or evidence that stops terrorist attacks and stops crimes. so we got to have a dialogue about this. we've got to have a real informed discussion. that is what the president has called for, so i think you have raised an important point. this is about a dialogue we need to have on a consumer protection piece, which these things are quite obviously related, these are things we are talking about at stanford in a few days. what are the new and next generation of payment systems that could move us past the password to multifactor authentication, i never thought
5:21 pm
i would sit in front of a group of cameras, and other secure forms of payments, whether it is a biometrics or using additional things beyond the password so we have a more secure payment system. jane: let's go in the middle sort of your hand is still up to serve. you are the one. and by the way, if there are questions in the overflow, someone please handle to me. christian: christian becker, you mentioned that a key distinction between counterterrorism and cyber security was the tremendous role in the private sector, not just as a target but as a collector, and given that just should -- given that the station, how would you make that the station between he and ctc -- between the ntcdt?
5:22 pm
lisa: we have the ethos of if you see something, say something, but this goes to what we were talking about at the outset, which is that so much of our critical infrastructure and our infrastructure is in private sector hands, we are relying in large measure and in significant measure on information about vulnerabilities and attacks that happen to the private sector, so that has a space at least under our proposal that the president announced last month, which is to say, if you are a company and you find out you have been hacked or there has been a breach, provide information to the department of homeland security, to its national communication of cyber communication center -- national
5:23 pm
branch of its saga communications center, and engaged specifically with the private sector, give that information in. that will then be shared appropriately with the rest of the federal government to include the new ctic. ctic can pair that private sector information with other information that we in the government uniquely have, so the idea is a two-way street going here, and we use the private sector information and put it back out. jane: i will assume that you would be able to be in touch with it. what safeguards do you have against people putting this information into the system? lisa: this is the type of thing that we are talking about in the proposal with the president which he announced last month, which he said if you are a
5:24 pm
private corporation, we want you to provide the information, it is vital. we want you to take reasonable steps to ensure that you are not a, giving the government private, personally identifying information, and you are not providing malicious codes or malicious information. so there is responsibility on the part of the private sector. this is to take those privacy enhancing steps. jane: i get that. you work for target and you're trying to get the right information. what if you don't work for target and you pretend that you do and you are committed getting information? lisa: we want to make sure that we have kos to ensure that we don't have a vicious cycle here. jane: the market for malware is a growing please do not tell us precisely what you are doing
5:25 pm
about it, because then people work around it, but can you assure us that you are doing all of the right things in a finding and getting rid of the exploits and the malware that is available for sale for cheap on the black market? lisa: as you said, this is something that we are very focused on, and the hacker for hire, the criminal networks that can and are behind a lot of these malicious cyber activities is something that we are very focused on, and is not something people should be underestimated. jane: we are going to take two last questions together because we are out of time. the one is back there in the blue shirt with your hand up wherever you are. amon: hi, thanks, i am amon jab bers with nbc, i heard that readers of kforce.com and u.s.
5:26 pm
defense contractors were hacked, and what can you tell us about that particular incident and hitting third-party residents with an eye towards capturing the eyeballs going towards that website. jane: and we will hold an answer for the question the front row. what? kendra: my name is kendra, and i continued to hear out the need for international cooperation, but have yet to hear about an international response. lisa: the last piece of having norms and getting and garnering international support for cyber norms is something that the president and prime minister cameron talked about in terms of cyber terrorism groups, and talked about hacks and leaks into the financial sector. this is about garnering international support for a set of norms is
5:27 pm
something that we do need to focus on, and with respect to the gentleman's question in the back, again, i cannot tell you anything about the breach of which you referred, i would say though it sounds like, not having been briefed yet on it, it sounds like exactly the type of thing that we are going to continue to be concerned about, and we are going to continue to see more and more of, and it is exactly why we need something like the ctic, something to bring in this information very rapidly, so we can say this is something we have seen before and get that information out to the private sector and for the united states government. jane: on that happy note, first of all i want to thank lisa monaco for escaping the white house for a minute or two, and i also want to observe that here is an incident of the white house putting out executive orders that are not getting blasted and that are, i hope, adding
5:28 pm
some protections to all of us, but step two is congress hitting into this picture, and they are obviously thinking that executive orders cannot do, on this subject and many other subjects, and as someone who has been in this game for a long time, the obvious lack of partisanship and the need to work together, whether we are in the dot-com, dot-mil, and dot-gov base, we need to work together. on behalf of the wilson center, we hope that forums like this will shed light on policymakers and again, lisa monaco, thank you again. lisa: thank you so much for your service. [applause]
5:29 pm
>> cyber security was in the focus of a summit yesterday. it took place at stanford university in california. it included remarks from tim cook, who announced the expansion of the apple pay act to include government transactions. he also spoke about the importance of providing security to consumers. >> ladies and gentlemen, apple ceo, tim cook. [applause] >> good morning. >> good morning.
5:30 pm
>> thank you for the warm introduction. [laughter] >> it is great to be here with all of you. i appreciate the president's invitation to discuss these topics. i want to acknowledge secretary johnson, lisa monaco, and jeff -- i am grateful for the opportunity to join them and discuss the privacy and security. at apple, we design products that change people's lives. we believe in the power of values to change history and we strive for those values every day. we believe the country that made our success possible should be the land of opportunity for every american, that is why we support president obama's initiative to serve under
5:31 pm
privileged schools with cutting edge technology. we started manufacturing more of our products and components in the united states. in fact, our products and innovation, so far have led to the creation of more than one million american jobs in all 50 states. we believe in leaving the world better than we found it. that is why we are on track to meet our goals of running our entire company on renewable energy. [applause] >> thank you. we believe in human rights. and we believe in human dignity. that is why we put so much thought into how our products
5:32 pm
are manufactured, not only how they are designed. we believe deeply that everyone has the right to privacy and security. that is why i stand before you today. at apple we start with a simple premise, our customers' trust means everything to us, and we have spent decades working to earn that. privacy and security are built into every one of our products and services from their inception. we have strict policies that govern how all data is handled. our network and system, our hardware and software, they use encryption. and we have a security operations team monitoring our infrastructure 24/7. beyond that, we have a
5:33 pm
straightforward business model that is based on selling the best products and services in the world. not on selling your personal data. [applause] >> thank you. we don't sell advertisers any information from your e-mail content, messages, or your web browsing history. we do not try to monetize the information that you store on your iphone or in icloud. when we ask you for data, it is to provide you with better services, and even then you have a choice, how much privacy on how much information you share and when you want to stop sharing it. we set the industry's highest
5:34 pm
standards and we are committed to living up to them. today, so much of our information is digital. we have families, friends, photos and videos, medical history, our most private conversations at home, and at work. this comes with great benefits. it makes our lives better, easier, healthier, but at apple we have always known that this also comes with a great responsibility. we know that hackers are doing everything they can do to steal your data. it is why we have used all the technology at our disposal to create the most secure devices and the most secure systems that we can. in 2013, more than 13 million
5:35 pm
americans were victims of identity theft, which is now one of america's fastest-growing crimes. in the last few years, hackers have infiltrated some of our biggest companies and banks, stealing credit card and debit card information of hundreds of millions of people. the other week, we saw hackers steal information from one of america's largest health care providers. the personal impact of these security breaches can be devastating. by clicking on the wrong link or simply using your credit card, too many people have had their identities stolen, finances written, and their lives turned upside down. these cost our economy billions of dollars every year.
5:36 pm
there is some good news. the good news is that we have the ability to protect people from this growing threat. with apple pay, we have put in place a system that is significantly more secure than the old days of the plastic card and the magnetic strip. this is another product for security. security was part of the reason that we developed the technology in the first place. apple pay starts with a premise that your credit card information and purchases are personal to you, and they should stay that way. when you add a card to apple pay, your actual credit card numbers are not stored in your device, or on our servers. instead, for every payment, we create a unique code that is
5:37 pm
only good for that one time transaction from your device. your purchases are private. and we do not store details of the transactions. they remain between you, the merchant, and your bank. we do not know your credit card number or what you bought, or how much you paid. and we do not want to. just three months after we launched over 2000 banks had signed on to bring apple pay to millions of their customers. and today, we are excited to announce that beginning in september, apple pay will be available for many transactions with the federal government. like, when you pay for admission to your favorite national park. we are also working to make sure that credit and debit cards
5:38 pm
issued to government employees for expenses can be used with apple pay. and we are working on initiatives with leading banks to use the technology with the benefit programs like social security and pensions, at both the state and federal level. we can imagine a day, in the not so distant future, when your wallet becomes a remnant of the past. your passport, your driver's license, and other important documents can be digitally stored in a way that is safe, secure and easy to access. but only by you. after all, we should not have to trade our security for the convenience of having all of the information at our fingertips. when a system is designed
5:39 pm
properly, security and convenience can actually work in harmony. this is a world of greater privacy, and a world where criminals find it much more difficult to carry out their crimes. without a doubt, safeguarding a world of digitalized personal information is a -- an enormous task. no single company or organization can accomplish that on its own. that is why we are committed to engaging productively with the white house and congress and putting a result of these conversations into action. when it comes to the rights of customers and the rights of citizens, it is important to realize that we are all talking about the same people. people have entrusted us with their most personal, and
5:40 pm
precious information. we owed them -- we owe them nothing less than the best protection that we can provide. by harnessing the technology at our disposal and working together as businesses, governments, and citizens, we believe that we can bring about a future that is fully -- that fully embraces both privacy and security. we must get this right. history has shown us that sacrificing our right to privacy can have dire consequences. we still live in a world where all people are not treated equally. too many people do not feel free to practice their religion, or
5:41 pm
express their opinions, or even love who they choose. the world in which that information can make a difference between life and death. if those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money. we risk our way of life. fortunately, technology gives us the tools to avoid these risks and it is my hope that by using them, by working together, we will. thank you very much.
5:42 pm
[applause] >> thank you. >> more now on the white house cyber security summit from the washington journal. >> we will now shift our focus to the white house executive action on cyber security. here to talk to us, catherine lotrionte. she is former counsel to the white house foreign intelligence advisory board. thank you for joining us this morning. i want to start out with a clip from president obama talking on friday at the cyber security summit. there he outlined what the administration is proposing to do on cyber security. >> we call for a single national standard so that within 30 days you know if your information has been stolen.
5:43 pm
this month, we are proposing legislation called the consumer bill of rights, to give people some baseline protections. that includes the right to decide what personal data that companies collect from you and how they are using the information. we have proposed the student digital privacy act, landmark -- modeled on the landmark law from california. internet should be used to teach our students and not to collect data for marketing of students. we have taken new steps to strengthen our cyber security. proposing legislation to promote information sharing and liability protections. today, i want to get calling on -- today i want to call on congress to come together and get this done. this week, we announced the creation of our new cyber threat intelligence integration system. just like what we do a terrorist
5:44 pm
-- do with terrorist threats, we will have a single entity that is analyzing and quickly sharing intelligence on cyber threats, so that we can act on those threats even faster. today, we are taking additional steps. that is why there is a desk here. i'm signing a new executive order to promote even more information sharing of cyber threats. it will encourage more companies to set up organizations and hubs so that you can share information with each other. it will call for a common set of standards, including protections for privacy and civil liberties so that the government can share information with these hubs more easily. it will make it easier for companies to get classified cyber security threat information that they need to protect their companies. host: catherine lotrionte, five
5:45 pm
or six big bullet points there. walk us through what this means for the average consumer. guest: the things that the president discussed at the summit, you can group them into a few categories. first, he made it clear that his view of these cyber security challenges, is that there is a shared mission. it is not a one-entity job. we need to leverage both the strength of what the private sector can do and what the government can do. there were times when the government cannot necessarily do all the security work but have to leave it up to the companies. key to that, to solving that problem, and ensuring that joint mission is the information sharing aspect. president obama, in his executive order, made it clear that what a lot of people have believed to be key in the success is that the private sector needs to be sharing amongst themselves. the information sharing and analysis organizations that is
5:46 pm
now in the executive order would be the hub that the president referred to. hopefully dhs, through the executive order, plays an essential role in making sure there is an appropriate hearing. the classified information, when needed, is shared with the private sector. and making sure that the privacy and civil liberties of americans are protected. host: you mentioned two things i love your thoughts on. one was a consumer privacy bill of rights and the student privacy digital act. guest: on the consumer side, there have been a number of large publicized breaches. where of those that are actually damaged are the consumer, the private data sometimes financial information has been compromised and loss.
5:47 pm
-- and lost. the president, hopefully working jointly with congress, working to realize that what we need to do is protect the consumer. how do you do that? you can put more responsibility on the retailers. so, part of the executive order, and what the president is pushing for, is a data breach law which would actually require any company that has suffered of -- from a breach of data lost, that they report in a timely fashion. that does not mean six months. it means early notification to consumers. on the student information, as the president identified in his speech, he does not want the information, our private information, to be used by others as a commercial entity. a commercial product. there ought to be certain protection. that includes student data. i think it was a very time on
5:48 pm
-- host: you mention congress. i want to ask you this before we get to calls, if i'm ever -- if i am correct, the president has been trying for three years to get legislation on these data breaches through congress. is that looking any brighter this year? guest: if you recall a couple years ago, there was a proposed -- a proposal of legislation. it was key to information sharing. the president has kept up that focus. the hope is that we will get new legislation that will create liability protection for the private sector, but at the same time, the necessary protections for when the private will share with the government. in terms of other legislation, the data breach, the goal is to get one federal statute which actually incorporates, and consolidates, what we have.
5:49 pm
something like 56 different data breach local laws. they don't make sense. they're not always harmonized. there is hope that the legislation will go through. i think the biggest push is on the information sharing. that is what went into the executive order and set the tone for congress to move forward on passing legislation. host: our guest is catherine lotrionte. she is at georgetown university, and also former counsel to the white house foreign intelligence advisory board. we will go to calls. republicans, you can join us at (202) 748-8001. democrats, (202) 748-8000. independents, (202) 745-8002. our first caller is larry from ohio. democrats line. caller: i would like to say that the cyber security stuff really makes me nervous.
5:50 pm
somehow, some way, you can have a little toy in your hand that can control people's cars driving down the street. and if they can do that, they can control everything. i mean, last i heard there were bombs that could blow up electronically. airplanes fly through the air and i don't like the idea that someone can do this stuff and appreciative -- and control that airplane when the pilot is trying to do the best he can to avoid the drones that are coming at him. somehow, someway, we have to find a way to protect our personal information.
5:51 pm
host: your thoughts? >> we have advanced technologies that control most of our life. it can control our refrigerator at home, remotes for vehicles, most of our airlines. the reality is that we cannot reverse that trend. we cannot on -- un-innovate. we need to impose certain standards for securing those networks. we need to protect data and also make sure that any of the controlled products, including planes, function properly so that we are safe. it is about physical safety and the security of our data. >> we will head to addison
5:52 pm
texas. this is 10. caller: thank you for taking my call. i appreciate c-span. my question is about what i'm hearing reporting on the reluctance of other nations to share information data outside of their borders for fear that the u.s. government will have access to that information. and what impact that could have on international trade and commerce. guest: one of the key -- and this came up at the white house summit, as well. one of the key means in which to combat some of the most dangerous, troubling cyber threats, is through international cooperation. at the summit, there was one panel focused on international cooperative law enforcement efforts. without cross border sharing information, we will not be able
5:53 pm
to tackle a global problem. a key is getting individual nationstates and their governments willing to provide assistance and share information to our law enforcement. and so we do that in a number of ways. we do that through treaties. we do that through the fbi secret service cooperatively jointed states. there are some states less willing to cooperate. that is a reality. so one can try to leverage it, whether it is economic and diplomatic means and the pressures, to actually get them. you need to find states that are able and willing. how you help on the able side is you do capacity building and train them and educate them. but if they are unwilling, it takes a little bit of encouragement or economic
5:54 pm
pressure to get them to cooperate. it is necessary to solve the threat. flex west palm beach, florida. -- caller: probably cyber security warrants a more -- [inaudible] -- the united states cyber spying where we drew insecurities and not conform cash nonconformities from the other countries by simply spying on them. that includes a trade and market failures. guest: certainly the revelations of mr. snowden and the
5:55 pm
surveillance programs and some witting and some unwitting cooperation with the u.s. companies has caused great concern globally, but also domestically. that is why the president has sought to review the collection of programs at nsa. there have been recommendations made for reform. and i do think that there are some that discuss this, the cyber security discussions. there is proposed legislation, particularly for information sharing. the majority of people are saying, is that we need to do the same while we reform nsa to make sure that there are rules about the receipt of information, the retention their use. and assume -- and certainly their sharing of it, it is in
5:56 pm
conformity with not only congress, but with the american public and particularly our allies. host: i want to get your thoughts on some comments made by general keith alexander from politico article. what he says is, we do not have the norms, the rules of engagement, the rules of the road for how we and other countries should operate in this space. talking about the cyber warfare. what are the rules of the road? is there one? guest: what we don't have right now is an international agreement or a consensus among all nationstates to the particulars of those rules. we do have official statements that the u.s. is abiding by international law in the cyber domain as well as the physical domains. that means, all of the
5:57 pm
international laws with respect to the uses of force and armed attack in the u.n. charter and the laws of war, that the u.s. is committed to applying these same rules. right now, we have a handful of about anywhere from 15-18 states agreeing to that. that certainly is not universal. what happens, if you do not have international consensus on those rules, you will get a mixed response. one state is abiding and one state will not be. what particularly, the state department needs, they have been working with international partners, other national governments to get those governments to agree to those rules. you do need states to come to an agreement on exactly what it means to use force in the cyber domain and how we will regulate that.
5:58 pm
what are the reasonable expectations for that behavior in the cyber domain. we are not there yet. general alexander is right. and there is great concern when you have asymmetric understandings of what the rules are. >> what can -- what kinds of attacks can the u.s. do? what -- guest: you have to assess the damage and the target. an important point in any discussion of proportional response, the proportionality of a response is key to following rules, but the united states and the key
5:59 pm
to that is attribution. you need to know who did it. that isn't something that the u.s. government is more capable of doing than any private individual company that might have been the target of, for example, sony. the president discussed, that the government has greater awareness that can help make that attribution. if it is a state actor, he can call those state actors out publicly. what can the u.s. government do? let us step back. the u.s. can actually encourage the private sector to do the right thing. protect your systems. share information when you have been breached. try to minimize the damage. if there is a significant event that the government can only decide, particularly on the critical infrastructure that we are concerned with, that affects
6:00 pm
national security, the government has a few options. you can start with the diplomatic angle. you can have demarches, talks with other countries, and we are seeing that with china. you can have sanctions. the government can impose economic sanctions, including trade sanctions. at the most extreme end and what we have not seen yet is that you can have a response that would be proportional depending on the incident, both in the physical realm and the cyber realm. you get, in the cyber domain you can reach out and touch the adversary in a powerful way. the government has the ability to do that. the question is, they will have to do that within the bounds of the law. that is key to the proportional response. once you have done the attributio