isac is energy companies. it wouldn't make sense for walmart to join the airline isac. that's just not what they do. >> not yet. >> not yet well, maybe that's true. [laughter] maybe more like amazon if they get the drones. you see where i'm going there. these are like companies forming an organization called an isac because it's sector-centric. they have a similar sector of the economy. we also see sharing organizations that are not isacs that are also very old that are like in jay's paper he talks act one group that merged many years ago following the y2k stuff when we started seeing a lot of worms and everything very international and very oriented on individuals vetted by other individuals. so in order to join, somebody has to nominate you as an individual, and then you're vetted by others as being trustworthy. so you're trusted. and so these trust groups are very powerful, and it's almost like in the movie series of "survivor," you can actually be voted off the island if you're deemed untrustworthy. [laugh

it wouldn't make sense for wal-mart to join the airline isac.t is just not what they do you see where i'm going. like companies forming an information sharing organization that is sector centric. we also see sharing organizations that are not isacs. he talks about one group that emerged. we start to see warms and things happening, international and oriented on individuals vetted by other individuals. in order to join somebody has to nominate you as an individual and then you are vetted by others as being trustworthy. these trust groups are very powerful. it's almost like the movie series of survivor you can be voted off the island if you are untrustworthy. these groups make their own rules. >> they are sector specific. they need to share sector specific information and there is a formality to that. they will still be there. >> someone asked the question. >> it is good to get the clarity and a lot of it is based on what you can bring to the table. are you a player? are you a contributor? can you can you pull a lever, do something, action on the i

today it is the communications isac for the sector. we created a parallel group for the communications companies but we still have a strong relationship with the ncc for private and public sharing and actually it's strength is mostly winners physical problems. we have hurricanes, snowstorms come earthquakes, fires. that's where the group works really well because that is actually the biggest peril that we have to that infrastructure. electricity has the same sort of thinking. airlines transportation shipping in the same sort of thinking. other parts of the economy have those needs they can get together and collaborated not just for cyber dot any any peril. spinning a lot has come up for the focus and outcomes. a lot of times we think of that as countering cyber espionage or computer crying or the rest. but for ability disclosure really fit into that also. when we find a big bug in the internet or software how can we make sure that the right people find out about it in enough time so that we can all be defended before the bad guys get t

but we face cyberthreats, what isac do we join? what's for us? so that was one of our first realizations. trust comes in all shapes an sizes. and our job as the government is to encourage the creation of trust groups, help them share information with each other an help them, if they're willing and interested, share information with the government so we can connect them so an intrusion over here, attempted intrusion over here shares information to help everybody inoculate themselves. that was the first recognition. we need to work with organizations beyond just the sector-based isac's which have been extraordinarily successful and will remain and thrive under this new regime but we also need to accept other organizations geographically based organizations, there are folk that was come together in differentcies -- cities, asking us, why wouldn't we reich -- recognize them? and we said, you're right. we will work with you. you decide what shape you want to take, we'll work with you. the second problem we're trying to solve is companies would come to

100,000 attack indicators yearly from various sources yet only 5% comes from industry sharing through isac less than 1% comes from the government. in order to incentivize the greater industry sharing we need to pass legislation that provides liability protection for private-sector sharing and channels government resources more effectively. the government needs to aggressively share with the private sector in an appropriate manner the indicators of attack. this is critical to helping the private sector better defend itself. with these changes, we would greatly enhance the timeliness and quality of threat information. in addition to information sharing around cyber threat the public and private sector should continuously partner to illuminate barriers. now i will give you an example of a common sense and simple change to an old regulation that would show an immediate benefits for consumers and consumer protection. we constantly communicate with our members about potential fraud on their accounts. we reach them from a variety of channels, their home phone the internet, the mx app and text mes

on inverse -- information sharing, to my left, marcus sachs here in his hat from the communications isac that has been on information sharing and we've been friends since the early days of some of the cyber and also a longtime friend and one of our non- resident senior fellows here. jeff hasn't only been involved in a lot of information sharing over the years but also, recent his company recently discovered that came out in microsoft's patch on tuesday and it is a very was a very elaborate information sharing that went on with the vendor. some of you might not have heard about it and that is a good thing. it was potentially bad or worse and heartening. but it got taken care of between the discoverers and the vendors to make sure that it is wouldn't be as significant a problem as some of the other former abilities that hit the internet. i will start to my left. we will talk for a couple minutes here and then go to questions and answers from the audience. >> anything else you would like to add? what do you think is good to be more important over time, the information sharing in the governm

your isacs have a lot of vertical information that is very helpful. this is a horizontal viewpoint to share among competitors so all our customers can have that. four new members joined this morning, so we're very happy about that. we invite every security company to become a part of this for the good of all the customers, and we think these are steps forward. of course, getting all that information shared as fast as possible public to public, public to private private to private is a good outcome. to do that, it has to be done in a responsible manner. that's a lot of the discussion here. it would be about how would do that without having companies face baseless liability litigation, but at the same time you can't minimize the sharing perspective. they're usually boiled down to security versus privacy. those are not mutually exclusive concepts. there will be difference of opinion on that but we're not going to get over those unless we sit down and talk about them, which is the point of some of these summit sessions the administration is leading. i thi