Cyber networks. It was part of a George WashingtonUniversity Conference on cybersecurity policy. This is about 50 minutes. Thank you. Ive got the timekeeper here. Im going to very briefly introduce our panelists and immediately to my left is Richard Andres who i might note and failed to mention earlier, we announced our new coal hort of senior fellows and we have a few in the room and are thrilled to have richard as one of those. He is the former scholar in residence at the National Security agency and is currently at the National College defense university, national war college, so and aaron hughs who recently stepped down as the Deputy Assistant secretary for all things cyber at the office of the secretary of defense, brings a lot of policy expertise as well as a wonk at heart so can marry those up exceedingly well and last but certainly not least, admiral will mets who the former j2 or head of intelligence for u. S. Pacific command and has also had roles inside the Intelligence Community as well as obviously the u. S. Navy and is also one of our new senior fellows. So thank you to the panelists here. So i want to go deep on some of the deterrence related questions and i think aaron maybe start with you to sort of paint the picture in terms of where the i think for those of you who havent read it the defense Science Board jim miller did a great study articulating some of the dilemmaas, challenges and opportunities to get to a deterrent approach but what should we be thinking about, what what is missing in and i would argue one of our greatly big holes in our Cyber Defense strategy but help us think through some of that. Thank you very much and let me first put a plug as a 21 year member of the national guard, a tremendous talent in the guard that can absolutely get involved in helping us here in the cyber domain. When ive often asked the question around cyber deterrence and our policy decisions during my time in the pentagon, it was always hard pressed because i think its deterrence theory in like the traditional Nuclear Cold War context doesnt naturally lend itself to how we talk about it in cyber. Theres so many more of the capabilities that are fed rated across a number of different adversaries. Its not all nation state capabilities. So you have to ask yourself like what are you actually trying to deter. From my seat we were trying to deter destructive actions in cyber and i think that to some degree, whether it was a combination of our broader military, economic, legislative activities, we were able to deter actions which caused destruction. Now if the question is can we deter malicious cyber activity across the Broad Spectrum from the equifaxs to the world to the influence operations to the just disruption of Network Traffic that happens day in and day out, i dont think well ever get to that point in time. Until we can agree on what were actually trying to deter, theyll never be a agreement in what our policy considerations should be. I think we do need to get to the point where we have absolutely been better in declaring certain things as the congressman mentioned. If we talk about where the evolution is, its getting to the point where heres a capability and were willing to use it. I view this as a very difficult point because well never get to a point where were able to deter all malicious cyber activity. I think that part of we dont really deter cyber any way. We deter actors from engaging in cyber activity, which is really a political will set of issues as well, and not to i think both administrations fell a little short in terms of how they responded to russias activities during the interference in the campaign. Previous administration was on their watch and we were opining about it, the Current Administration didnt seem to really acknowledge it was a significant set of issues. Id be curious what you guys think on that, so something that the department of defense advocated very strongly for a variety of responses around that activity. We raised it obviously all the way up to secretary carter, secretary defense at the time and he was vocal in interagency discussions about the nature of the activity that was going on and what potential options the d. O. D. Could bring to the conversation. Ultimately it was an Administration Position to not act probably in a timely fashion around that. We did get to the point where some sanctions and other actions of messaging was made but i wouldve totally agreed with your assertion that we were paralyzed to act for the various Political Considerations at the time. Richard, any thoughts on the deterrent approach generally and you dont have to touch on the specifics of the recent events but part of deterrence is actually having the will to respond. Sure. So i guess its complicated but i start by saying that deterrence actually works in cyber space. Theres probably a number of countries that could really damage our Critical Infrastructure with cyberattacks and they dont. Theyre deterred from doing so. But the problem is figuring out at what level to start to get the political will to start deterring our opponents. Weve said many times our opponents are stealing intellectual problems from corporations. Theyre installing Different Things on Critical Infrastructure. Theyre doing things we dont like. Sony was attacked by north korea. The problem is that theres a real cost to deterrence. It really is very costly to us so we have to get up the political will to be able to say, okay, we really seriously will have credible be able to do this bad thing to you if you continue to do what youre doing to us. Its that political will and the way that its worked out is our adversaries have gotten very good to undermine that political will, to put their attacks at that level where the frog doesnt jump out of the pot. They can continue to do this and at the same time theyre using numerous techniques to keep our will from getting up to that point where we could retaliate. Theyre also doing something else, which is theyre very, very active lobbying campaigns on the part of our opponents to try to influence our political system. Youll find so many senior officials when they leave government, right, theres i wont give any names, theres a senior official a few years ago who used to rail against ralway while he was in office. He got out and immediately went to work lobbying for ralway. It makes it very difficult to develop the political will to be able to respond. Thank you. Will, anything from your perch . I think, first of all, its important to understand the focus of todays discussion and relative to a policy on deterrence as you alluded to, frank, we dont necessarily deter cyber actors, we attempt to deter those that enable them, whether its a nation state or a government or other agency. So it is helpful that one the trump administrations executive order, which specifically called out deterrence as a policy objective which i suspect mr. Bossert will speak about later this morning, but i think as it relates to partnerships specifically between government and private industry to define one, the type of capabilities that will ultimately raise the cost on the type of behavior that is considered to not be acceptable as a matter of u. S. Policy is an area of interest from a private industry perspective were certainly interested in assisting with. I do want you to jump in, aaron. Where do you see it going . Do you see natural progression in terms of where policies might evolve from the Previous Administration to the current or what do you think . So i want to make sure its not lost on folks when we talk about cyber deterrence, its not always a cyber action that can deter the adversary. Were talking about the ability right. Publicly disclose it is not its the full range of what the u. S. Government can bring to the problem. I think areas that would help the public better understand what were thinking here would be as i mentioned earlier having some better declarery elements of that policy. If youre talking about how we can evolve from obama to trump administration, i dont foresee any of the red lines because again as the congressman mentioned, i think the strategic ambiguity has helped us. It helped us to be more flexible in our response. I give the poker analogy. I feel like it always depends, depends on the situation, depends on your cards and your opponent and that can help form the calculus of what the response action should be. If it should be diplomatic discussion, if it should be indictments if its criminal or military action or otherwise. You brought up the indictments and i was an advocate for the pla indictments as well as some of the recent russian indictments and everyone the likelihood of anyone seeing them the courtroom is zero, i guess that. But it signals the capability, it limits their ability to travel and it demonstrates that we take some of these issues very seriously. So i would be curious given everyone heres had a bit of military and intelligence background. Ill start with you richard. What are the tools . Do you see the military tool being the primary predominant tool . How would we get to that orchestration of whole of government and whole of Society Given the private sector roles in all of this . I would say absolutely not. The military is not the main element you should use for deterrence against cyberattacks. I think that probably economic sanctions are by far a more realistic incredible threat. Its the threat that we could make that our opponents would say, yes, they will actually go through with that if we continue this bad behavior. I think its very possible. But the other side of this, the flip side of this coin comes from a comment that the former director of National IntelligenceJames Clapper made in Senate Testimony a while back. He was asked, so why didnt the United States respond in some way . Why dont we do Something Back when these guys attack us and his responses were afraid. Were afraid because we have so much Critical Infrastructure that they could hit and thats a broad category when you talk about that that were afraid that theyre counterretaliation would hurt us worse than their retaliation. You never want to be in that position. Thats really bad so we have do more to defend ourselves before we can even start to think about retaliating or making Credible Threats against our opponents. The United States is the most cyber vulnerable nation. Thats led to our prosperity. In the virtual glass house in which we live, that is exactly the right point that we are not to a point that we are resilient enough or defended enough in the Critical Infrastructure area to withstand anything if it were to be escalatory in any manner. If i could, its important to take a look at history. So looking at history, 2007, 2008, the situation with estonia, 2008 the situation with the United States d. O. D. Infrastructure and the ultimate incursion in both cases by a nation state actor. The response at that period was we really have to up our defensive game and from 2008 until about 2013, 14 at least from a dotgov, got mill perspective, the expectation between 2013 up until now has been a significant escalation in an approach trade craft by both nation state and nonnation state actors. So what might be the solution . The solutions are a boundary of cybersecurity is good, but not sufficient, therefore, building resiliency into networks and critical capabilities is an absolute necessity and one that at least our company is very serious about. Two, the discussion, frank, regarding active defense and preparing those that would be authorized to perform those functions on behalf of the United States government and or our allies is an absolute necessity. Third, the strategic capabilities that as congressman alluded to those things that we must have but we will not discuss publicly, i wont say manhattan project, i suspect that most of you can identify with those needs. In my opinion, those three capability sets are absolutely necessary to enable the policy on cyber deterrence. Thats an excellent point, and i am glad you brought up the international component, because ultimately, cyberspace by definition, it is its own domain. It also transcends air, sea, land, space, we get all that. The reality is its globally connected. I would be curious what the panel thinks in terms of what whether existing alliances are sufficient. Do we build on nato, the bilats or whether we need something new for cyber. The question is do you make sure that cyber is integrated in all existing policies, organizations and the like, which quite honestly may not be feasible because you have different outcomes of those. Or do we need something new with respect to cyber . Because clearly i think that we have some of the most robust capabilities, but we cant go it alone, nor should we. Quite honestly, not to sound pejorative, but ukraine is sort of they are sort of the canaries in the coal mine right now. What theyre seeing right now i promise you we will see soon. Whereas history may not repeat itself it does tend to rhyme in the words of mark twain. I am curious what we think in terms of alliance here and what the primary international should it be government to government, industry to industry, bank to bank. Well start with you, richard, and then just go down. Yeah, absolutely. We need more integration. You cant do this alone as a nation. I think that we are doing okay in terms of our diplomacy. We are doing okay. We could do a lot better. I think the businesstobusiness relationships are where we need to go. Banks have started doing this and theyre making real efforts right now. Most of these businesses are international to begin with. Theyre multinationals. Most of the corporations were most concerned of are probably not even owned by u. S. Citizens, theyre international. We need to get organizations we would hope that organizations like this will Work Together to develop shared knowledge and also agreements so that one organization does not hurt itself by exposing the attacks that its been receiving. Its a competitive disadvantage. As the way things are lined up very often now a corporation that figures out its being hit doesnt want to share that information because it wants its opponents to suffer as much as it did. There have to be agreements made. Its difficult but i think in the long run if you can overcome the collective action problem, our International Businesses can help each other a lot. Aaron. Ill give a defense perspective. You know, we partner and fight with our allies and alliances in air, land, sea and in some instances space. We do the same in cyberspace. We deconflict targets when flying fighters side by side with any of our nato partners. We deconflict cyber targets with our closest partners in cyberspace. It was good to see, you know, nato declare cyber kind of an operating domain within the past year and come to agreement on that because it helps us plan and integrate our activities Going Forward as part of that alliance. I dont see us getting to the point that we, at least in the nato context, are sharing cyber capabilities, maybe in the offensive side with the total set of the alliance, but absolutely with our closest fivei partners we have been actively fighting side by side against common adversaries in that for some time. I see that continuing to evolve as other nations build up their capabilities in that area. The only reason i brought that up and of course these are you have close allies like japan that live in a tough neighborhood who are dealing with two big one erratic neighbor and one very big neighbor. You have countries like israel who dont fit into nato, who are also living in a pretty tough neighborhood, dealing with some very tough so the current alliances dont necessarily line up. Washington loves to look at the world through its boxes and org charts. The world doesnt care. And congressman hurd brought that up with criminal enterprises. So do we need to sort of rethink that a little wit . And will not to pick on that. Because i love those alliances, dont get me wrong. The last thing we ought to do is undermine whats working at the expense of any of those. Its that plus, its not that minus in my eyes. Will, what do you think . I would start, frank, by saying, as a consummate optimist, i am delighted to see the countries of australia, as an example, being very forthright and transparent about their policy objectives regarding cyber. That tend to align with the u. S. Policy objectives towards cyber. I think it is helpful to see the United Kingdom and the work that they have done that tends to align from a policy perspective with the likeminded approaches of traditional 5i. But i guess, to specifically answer your question, the question of does existing alliances are they sufficient for that which is necessary in the cyber domain, and i would refer to the comments made by australias cyber ambassador tobias fekin which basically said, perhaps not, the approach perhaps might be regional. A regional approach might be a combination of policy and diplomatic efforts between countries like australia, japan and others. So i say that to focus principally on a regional approach, but underpin with the policy objectives of likeminded countries regarding norms of behavior that are hopefully sufficient. Well said, well said. And what about the industry role . So weve launched a couple of track 1. 5 discussions with close allies here, and the one thing i have noticed is its not necessarily capital to capital, meaning washington to you name the the National Capital in other countries, but its also going to be the banking sector. When we talk about cyber, we tend to lump everything into the same. The reality is not all Critical Infrastructure is equally critical and not all Critical Infrastructure is equally ready. I mean, if you rack and stack its financial services, telecommunications, energy, electric and and telecommunications. So, others that are really critical to Public Safety that maybe arent up to snuff such as water. But where do you see the private sector fitting into all of this . And i am starting to see where there is much more comfort bank to bank than there would be government capital to government capital. Quite honestly cyber will be led by the private sector. It kind of goes to what i was saying before about these corporations having to Work Together and starting to do so. But it comes down to a matter of trust. You have to be able to trust the industry that youre working with, industry partners. Thats difficult because youre competing for the most part on most levels, so you have to develop the institutions that can allow trust, whether thats trusted third parties which can arbitrate or internal organizations such as bank of america and others are working to develop right now. You have to build trust. I dont know what current statistic is, but i would say the predominance, upworts of 80 , 90 of network sfraur, domestically and likely globally is privately maintained and operated. The onus will fall on private industry, again, in communication, conjunction with u. S. Government to defend those networks. I think what weve seen with vulnerabilities that have been identified in power plants, Water Treatment areas, that dimension of Critical Infrastructure, those are private companies. They need to make sure that they understand the threats to those systems and, you know, with great expedience try to mitigate those threats. Thats what our adversaries will target as we progress through the levels of conflict. We already see areas where some of those elements are being held at risk. It absolutely will fall on private industry, again, in conjunction with the government to protect those elements. It needs to be an active partnership, you know, through state, local department of Homeland Security, all of the above. I would just say briefly, first and foremost, private industry must be part of the conversation. Regarding the support to policy objectives. I will echo a point made by miss hainsworth earlier, which is its really about Mission Partnerships. And whether you think that the previous constructs between government and private industry will attempt to advance the policy objective regarding that which is necessary for the future, i think is a question that we should probe throughout todays dialogue. The principal response is, first and foremost, Mission Partnerships between private industry and government. And secondly, such that private industry is part of the conversation regarding the required solutions that are necessary to advance the objective. A seat on the National Planning table. I think the time is right for that, and without that we are kind of doomed for failure. I am going to start with you this time, will, and then were going to open it up to the audience. But do you think we know what an incident how would we trigger and how would we know when an incident requires a greater level of response, and not only the Incident Response . We know, thats complex in itself, what the governments role is in that in particular. But if the events we saw play out, i would imagine and i would be curious what your thoughts are. I would hope you agree. If what we saw play out in the ukraine happened in the u. S. , attacks on the grid, what would that trigger . What should that trigger . And do you think we have the plans in place now, or are we going to be building this airplane midflight when its a little late . I guess i would start by saying its probably not sufficient for me to speak to the adequacy of the plans. What i will say is, if you think about lets just think about the sony attack as a case study. And what was central and i would be curious about aarons perspective, was first and foremost from an intelligence perspective, was a clear understanding and appreciation of attribution of that act in this case by a nationstate. And it is its important to not trivialize how challenging that is. I would ask you to speak to some of the colleagues that are participating in todays discussion about the challenges associated with it. However, it is a necessary component for informing, one, whether the attribution of the activity crosses a policy threshold that then determines that that activity constitutes something associated with an act of war. And obviously, as was observed with the sony attack, you know, the critical part of the response, as aaron said, the department of defense had options. I suspect the state department had options. I suspect that treasury and department of justice had options. And others. But at the end of the day, i think its important for us to elevate our thinking that at the end of the day its about the political objective and the policy objective and whether, good, bad or indifferent, while there were several options available to the government at that time, the government chose to pursue a legal and diplomatic response. Two points. Attribution, hard but necessary. Second, whole of government interaction to be able to define that which is necessary. Aaron. There is a bunch in your question there, but one of the points i took out was the the adequacy of our plans and coordination. One of the things we were able to codify and get president obamas signature on before the end of his term was really formalizing the Incident Response framework and the Cyber Response group and the roles and responsibilities of who would be convening members of that, what would be the asset responders, who would be the threat responders, who would provide kind of the analytic perspective. I mean, playbooks in place for understanding severity and raising through more senior levels of policy discussion, providing recommendations for action. So, in terms of coordination, i do feel comfortable. I am assuming that mr. Bossert and rob joyce are still leaning heavily on that work that was done prior to coordinate through some of the malicious activities that have happened over the course of the last nine, ten months or so. So i do feel comfortable in terms of our plans and ability to coordinate on a rapid fashion. Other part of your question related to if ukraine happened here. Specifically the grid. There have been a thousand incidents in the ukraine. If there were an attack on our grid. The cynical side of me says that we would have been a bit paralyzed, we would have been caught up in the attribution conversation. We would have wanted to have with a very high degree of certainty before we responded to make sure it wasnt some sort of technical failure. So i do believe that we would have been paralyzed, if were going back to 2015 when ukraine happened. Now if its 2017 and we have seen what happened with the election last year, what else has happened elsewhere, perhaps if it happened in 2017 we might lean a little bit forward. But the 2015 ukraine, i think we would have been unfortunately paralyzed at that time. I started out saying deterrence works. Were pretty good at being able to deter this sort of electric attack on the grid right now. Given that is a problem anyway, but let me look at this in a different direction. Usually our opponents or adversaries stay below the threshold which would evoke some sort of response from us. This means they have operations which are Long Duration. Over time they do immense damage. Theyre more like termites thrown at your house than somebody shooting missiles at your house. How do you respond to termites . The first thing which has already been brought up is you have to attribute it. How do you attribute these things . Even if youre 80 sure but there is a 20 chance its not really china, its actually north korea pretending to be china, right . So you have to be really sure. So there is a lot of things we can do, but the most important thing is you have to be aggressive with your intelligence agencies to figure out who is doing this. You cant just be defensive. You have to attribute and be aggressive with your intelligence. Second thing we need to do and i dont hear this talked about very much is we know that these attacks, these longduration attacks are doing immense damage, but we dont have a way of evaluating or valuing the damage that theyre doing. We need to really get busy funding programs to figure out what the real cost is that we are paying that their longterm programs are doing. Until we do that we wont have a good idea how to respond. The third thing is at the end of the day, if you need political will, that comes from the American People. The American People are not aware and not only aware at an intellectual level but at an emotional level whats going on. If you dont expose whats going on, if you dont talk about this publicly a lot so the American People are behind you, you will never get up the will to respond to these low threshold but Long Duration attacks were experiencing. So attribute, value and expose. Those are great takeaways on that. I might note, attribution, i think we owe the private sector a debt of gratitude as well. If it went for the fire eyes. The crowd stiek strikes, and on the list goes, we may not have had the ability to have the sorts of discussions we are today. And im not sure all the private sector based on execs i have spoken to are going to continue. It hurts their business by attributing. We have questions. Please identify yourself and wait for a mike. Good morning. I am with the National Foreign pub for private collaboration. You referenced partnerships. I want to make a distinction between partnerships and collaboration. Collaboration can happen between the public and private sector without a contract. When we talk about partnerships, we have contracts historically for a long time with the government and the private sector. Those are partnerships. My question is about acquisition reform. One of the problems with our partnerships is that we get into the partnerships and there is no ability to for adaptability within those contracts. So as threats change and opportunities to actually serve the taxpayers change, the contracts need to be able to be adaptable for those things. This is true in the private sector as well. Its not just a unique thing in the public sector. I would like to ask you about acquisition reform and how it would support adaptability as threats and opportunities to serve the taxpayers change. Making the connection with the business and the cyber, by the way, i just did. I hope you understand that. By no means was i in an acquisition role in the pentagon, but i think we need to be more nimble and get the right capabilities to the war fighter at the right time. I think we have seen ill speak to my time in the pentagon. We saw the secretary lean very hard on undersecretary kendall and from the at l perspective on how to access nontraditional performers. Weve seen diux stay in touch with rod shaw and what hes done with other transaction authorities to get, again, nontraditional capabilities in the hands of war fighters, not only on the cyber front but in more traditional domains. I dont know necessarily if that requires a change in the codification of law, acquisition law, or if we just need to make sure we are adhering to the principles that are already in there. As Frank Kendall used to push back on acquisition is hard, he would always say, tell me whats broken because he felt like he did have the flexibility to ensure the right performer got the right contract to provide the right capability. Anyone else want to touch on that . Other questions . Please identify yourself. Up front there. Preston frazier, northrup grumman. I have a question for the panel. We talked about our Critical Infrastructure being vulnerable. Private industry owning most of the Critical Infrastructure. To the panel, what are your recommendations of how Government Works with private industry to harden those vulnerabilities . Is it through a regulatory process, legislative . I wanted the panels thoughts. Preston, i will start the conversation. I will start the conversation by referring to a recent statement made by secretary mattis which basically concluded that, to be able to address the National Security challenges that we have currently and in the future, that our current approach specifically between government and private industry is, you know, perhaps not sufficient. So his point was, and i think part of the discussion today should be the solution set associated with a different model that is agile, flexible, that capitalizes on collaboration and Mission Partnerships between government and private industry, not within the traditional rules that were familiar with but Something Different. We cant speak to what that Something Different looks like. But its clearly necessary and has been highlighted by our leadership. So we look forward to your thoughts. Ill take that. There are two types of Critical Infrastructure. There is the type that the government owns. Say, for instance, our jets, our trucks, our ships, right. Government military Critical Infrastructure and there is civilian infrastructure. Usually we just focus on the second. In regard to the first, i think we need to create requirements. When we contract as a government we need to create requirements for security built into those contracts so the corporations are then liable for protecting that infrastructure. And the bigger problem, perhaps, is the Critical Infrastructure on the civilian side, and we dont have a lot of say over that, right. Thats privately owned. Thats up to congress to figure out how to perhaps create liability rules. Because if Congress Gets too much into private business, theyre going to create very static sorts of requirements which dont change with times and with the threats. Congress is not very good at that. They have to be flexible. Flexibility usually requires Liability Laws which make those organizations liable. So if you lose 140 million records, right, there has to be some sort of penalty. If there is no penalty for it, of course, you know, no company will spend a lot of money trying to protect itself from something thats not going to cost it any money. It costs the American People, the victims, quite a bit, though. Thats the kind of Liability Law congress should be thinking on and chewing through i believe. We have time for two more questions. Three if we do them quick. There, there, and then there. Rick weber, inside cyber security. The ndaa is going to conference as chairman hurd alluded to. There is deterrence language in that bill. Can the panelists speak to whether that language is adequate . If not, what would you like to see in terms of developing a deterrence policy . I have not reviewed the draft language, so i cant speak to it. Neither can i. [ laughter ] its actually its a great question, but but yeah. No. That is something that i think you also had it in the executive order that tom bossert will speak to today. The question would be in addition to the ndaa, do they line up, does the intent between executive and legislative branch line up. Good question, rick. Jim mccartney. My question is for dr. Andres. The war colleges are good at looking at the past and seeing strategy and policy and seeing that interaction and seeing how those play out over time. I would argue in some senses were just looking at, while a new space, we are looking at the same problems at a much higher velocity, to your point, frank, history doesnt repeat itself but it does rhyme. As you see it, what work are the war colleges doing to try to help bring some of those lessons from the past to help us think about if not what the answers could be but a way to get the answers, because i would argue that many of them have to be an evolution of what they have done just because the velocity is so fast. Strategy is eternal. The strategy of competition between human beings. The characteristics of that competition changes but the underlying competition is the same. The same things apply that historians wrote about and apply here. What the war colleges have been doing is putting more money into looking at how cyber interacts with these. Over the last few days i have been to conferences of war colleges across the country that theyve put on and its exciting to see the strides that are being made at carlisle, at National Defense university, newport and elsewhere as we start to integrate these things in. There is a lot of work to be done. We always need more money, more attention, more resources, i think that we are making some progress. That is a great question, because i think a lot of people admire the technology and admire the problem when technology changes, human nature is pretty consistent. So i do think that war colleges play a huge role there. Last question here. Thank you. Patton adams. We are one of fed intelligence vendors you alluded to earlier along with crowd strike and others. My question is, what is the role of that community in the context of deterrence and especially the attribution part of that . Unless the question seems too selfserving, how do you mitigate potential conflicts of interest where vendors may want to overblow a threat, overstate a threat to their business interests but give them a role within that policy making sphere and also the response in the case of Critical Infrastructure attacks . Can i add a footnote to that. The Cyber Threat Alliance. Where does that fit in, which i think is getting to private Public Partnership with real attribution. Its having significant impact. Ill speak to the first component. I can say this now as a private citizen. There have been plenty of times where the government has been able to come to an attribution decision but there is a then a policy decision to not make that public. And it has been again, now as an outsider its good to see private Cyber Threat Intelligence vendors go forward with that attribution because that sometimes has the secondorder effect that the government maybe would have not been able to do for whatever other policy considerations and still has that deterrent effect on that nationstate actor. To the degree where there can be some, you know, collaboration or coordination on that, i think already as some of those channels exist for probably more sensitive outings of certain intrusion sets, but selfishly, it definitely met some of our objectives to see that Vendor Community go public when the government was either unwilling or unable to. I guess to your question, i think its exciting to see the work by the department of Homeland Security and also the department of justice in tightening up the synchronization between that which private industry and organizations like yours can routinely provide in the interest of all. So, in the interests of government and in the interests of private citizens. I think its important to amplify the point that frank made regarding the Cyber Threat Alliance and the degree of maturity that youre starting to see revealed as part of that. I suspect that there is an opportunity to broaden. There is an opportunity, i think ill refer to aarons point when he was still within the department of defense that, you know, our approach to those types of incidents, you know, we just cant stumble through them routinely. So yes, there should be routine National Security exercises where private industry is part of the planning, part of the execution to specifically increase our effectiveness in that space. Two seconds you want to add . The rule is very important. I would say the 2013 New York Times report probably did more good for diplomacy than anything that we have done through official diplomacy. The final point is, if you are one of these companies, please do not let Chinese Companies buy you out. This is not good. [ laughter ] please join me in thanking the panel. [ applause ] we have a short break and well go from there. I will turn it over to christian. Thank you. Join us tonight when President Trump is expected to highlight his tax reform proposal. Hes scheduled to speak at the heritage foundations annual president s club meeting. You can see it later today alt 7 30 eastern on our companion network, cspan. Tomorrow, attorney general Jeff Sessions will testify in an oversight hearing. The Senate Judiciary committee hosting that event. Live coverage starts at 10 00 a. M. Eastern on cspan, online at cspan. Org or listen with the free cspan radio app. The cspan bus is traveling across the country. On our 50 capitals tour. We recently stopped in charleston, West Virginia, asking folks, whats the most important issue in their state. Hey. My name is isaiah smith. Im a prelaw major here at the university of charleston. And i think the most important issue for West Virginia is somewhat twofold. An issue of poverty which also ties into our drug epidemic. Lack of jobs, lack of opportunity, just makes the drug epidemic worse. And its just a cycle that builds upon itself. Im a senior Political Science major at the university of charleston. And one of the biggest issues in West Virginia right now is the governor is pushing a road bond for a special election that is going to supposedly pump millions into our infrastructure, which sounds really nice, but when you look at the big picture, its going tohurt my generation and millennials in the future. Its not going to raise taxes, its not going to be a problem, but if you look down the road, its just going to screw West Virginia long term, and thats not something we need right now. Speaking of the house, and in West Virginia, weve had some very difficult Economic Times over the past five or six years, particularly in the coal industry, and really one of our Top Priorities is to improve our economy and be able to put people back to work. We have done a great deal of different steps to do that, and thats what our priority is right now. My name is lauren. Im a senior here at the university of charleston. I am double majoring in english and Political Science. I actually did my senior project on West Virginias what we would consider to be a well known issue is our opioid dependency issue. Determining a perspective to look at it from, whether it be a larger perspective or more individual perspective, and determining an issue that would be more effective individually for patients. My name is danny jones. Im the mayor of the capital city of West Virginia, charleston. I think the most important issue for us is keeping young people here because if we plan things around the youth and were able to keep the youth, then we will have a state that is young and vibrant and exciting. And full of new ideas. And i think that continuous involvement is what will make our city, state great. Voices from the states on cspan. Cybersecurity Industry Leaders recently got together to talk about Public Private partnerships, Critical Infrastructure resilience, and the trump administrations cybersecurity executive order, which aims to strengthen federal Government Networks and Critical Infrastructure. This is about 50 minutes. Thanks, everybody, for being here today. My name is christian beckner. Im the Deputy Director here, here to give frank a bit of a breather during this mornings conference. We have a