Publicprivate innovations and the public and private sector issues on Cyber Security. I want to also echo frank and thank our sponsors for this, northrup grummond. In addition to his day job at f northrup grummond, hes on the panel for the Cyber Security. At the end of the 50 minutes for audience questions. First immediately to my left, your right. Scott aaronson, executive director for business continuity. Hes been there since 2009, working in a variety of roles before getting his current position, before that work on the hill for congressman lantos, senator nelson for a number of years has a masters here from gw, from the graduate school of political management and also will be announcing this early next month, will be a member of the senators board of directors. Finally to his left, kirsten todd is the president and managing partner of Liberty Group ventures and also a resident sclar at the university of Pittsburgh Institute for cyber law. She served as executive director for the commission on Cyber Security. And a number of the recommendations in that report, which was issued late last year, have found its way into the executive order that was issued in may of this year and well be discussing some of those issues in the course of this panel. Shes experienced before that in the prime sector and also up in congress. And finally, on the far end of the table, chris valentino, professor of Cyber Security prevention. So want to thank all of our panels for being here and, you know, we sort of talked in the last panel about some of the cyber threat, Cyber Defense questions, but this one is more about if you look at Cyber Security, a lot of the action on those sorts of issues has been about information sharing, about regulation, and theres been a shift in the last couple of years away from the focus on those two issues, information sharing is still an issue, but legislation has been passed. Regulation still exists in a variety of forms but its not the all consuming issue that it was four or five years ago. I think now the publicprivate sector dialogue is much more about how can the Public Sector and the private sector Work Together, not just on not just on sort of sharing information, passing over a wall and barely interacting with each other, but collaborating, building, sharing information across, working together across the intelligence cycle, working together on things like r d and workforce development. And basically building the architecture for the incentives to be in place for government to be doing the right things and for the private sector to be doing the right things. To make a few opening thoughts, you know, i guess focus first on the executive order from may. A key provision from there was looking at how the u. S. Government provides support to Critical Infrastructure thats at greatest risk. Referred in some cases in the previous executive orders as the section 9 Critical Infrastructure. What are your thoughts about how the government is or the private sector in general, what types of support are needed, where do we draw the line about where the governments responsibility and the private sectors responsibility should be. One of themo morore importan things you can do imprivileged to support the investor owned electric companies here in the United States. But i also serve as a secretary for something as the electricity sub Sector Coordinating Council, or the escc, and the escc is unique in sector coordination counsels in that its led by ceos. Ill quote tom fanning who likes to quote wayne gretzky, you want to escape where the pucks going to be. The ceos in general, they create accountability, they provide resources, they set priorities and then most importantly in the context of kristens question, theyre a draw to other Senior Executives and there is Senior Executives in other sectors with which we are interidependent. So the coordination between us and our partners are phenomenal. Because we have Senior Department officials from Homeland Security, the department of Homeland Security from the white house getting together when the skies are blue from the leadership sector. The last month, we have been getting together on a fairly regular basis because of storm response, i can draw this juxtaposition from the Cyber Security we have been talking about today and what we have been doing respect to forms. I think theres a focus on left of boom, after the bad thing happens, how are we protecting, defending really important pursuits to be sure. But you cant negotiate with mother nature, and frankly, even the intelligent adversary, if we have to be right 100 of the time and they have to be right once. How do we respond, how do we to leverage the resources and capabilities of both the industry and the government in response to major natural disasters. And the same would be true in a cyber or physical attack situation. So a lot of what were doing in terms of this blue sky planning, i can say in the last five weeks, we have built a level of coorder nigordination at a s us together has been invaluable. Kirsten, did you want to add anything to that . Always. Thank you very much and thanks very much for the opportunity to be here and for this conversation. So you asked a lot of Great Questions and there are a lot of different ways to address it. One of the things the commission looked at was how do we define Critical Infrastructure, and the problem we have now in a particularly interdependent world, is how do we all rely on each other . We have talked a lot about how technology and innovation can start to blur those lines and some of you have heard the analogy i heard from one of the commissioners who said the goal of uber is to be able to saturate the streets in san diego. The last thing he wants to be classified is a and facebook, the last thing they want to be defined as Critical Infrastructure, so part of the frame work of how were no better current event to demonstrate that that the equifax breach. If youre one of the 143 Million People whose files are part of equifax, youre thinking its critical because its the critical information thats important to you. In answering that question, we really have to be thinking much more about this definition. I struggle a little bit and i know dhs came out to look at how were defining section 9. Because section 9 evolves as time evolves and the correspondent threats. I agree with everything that scott said about how we look at it, and i think given the industry that scotts in, and particularly with the unfortunate exercise of what theyre going through right now. What i would argue is that the challenge we have had with government and industry tends not to be in response, government does internet response really well. We heard from aaron hughes about dpd 41. We react to Cyber Security very effectively. The other example that we use a lot is looking at obama care, we spent a lot of time putting that together, and then it failed and then 60 days later we had a fantastic system. Regardless of where you stand on the issues as far as technology and where it goes. So our ability to respond is actually very effective. But when you look at Cyber Security, is the challenge you have is what is going on before hand. We never use the term information sharing, because its really lost its meaning, and we heard on the Previous Panel the difference between partnership and collaboration. We talked a lot about collaboration, its about industry and government coming together before the event happens, to Work Together to develop the relationships that scott cites very effectively. But in a Cyber Security environment, we havent taken the time to develop those relationships, to take a page out of the pentagon playbook to talk about training and engaging Senior Leaders of industry and government, you look at and you hold others to a high standard. Part of that value is saying, hey, are you doing the basic Cyber Risk Management actions . Are you patching . Are you doing these things that Everybody Knows you should be doing. If youre part of this group, and i think the groups that scotts a part of are really mole m role models in this situation. So we have to redefine how were looking at Critical Infrastructure, and from a Cyber Security side, we really need to be looking at what happens before the events so when the events do happen, we have all of those relationships in place. I just want to ask one quick follow up to kirsten. So the whole concept of Critical Infrastructure, as we use it within the federal system goes back to physical attacks against infrastructure, back in the 1 0 1990s. Are we really should we really be thinking about, as were thinking about cyber or cyber enabled threats, you mentioned equifax, the impact on the election systems is also a part of this. Do we need to basically be starting over and be rethinking the way we classify and look at different types of infrastructure thats susceptible to digital threats . I do believe so, to your point, the definitions are based on physical attacks. They are not based on what the threats are today. So how do we reframe how were defining it. Its not to say that we dont need support and extra support around those functions that are critical to operations. But you have critical functions that are dependent on noncritical functions. So how do we look at those definitions to honor that. Ill just make a quick point that at the beginning of the commission deliberations, we talked a lot about interdepen si. Like this is about the weakest link, if you can access your Critical Infrastructure through a baby monitor, because theyre all hooked up through the computers, what are we doing to actually look at that and that get s into the conversatio were all having. I do want to react a little bit. I couldnt agree more that information sharing has lost all meaning, but with respect to Critical Infrastructure, i think in some cases were overdesigning whats critical. I like to jux that capos the terms it versus but that is not critical to National Security. Attacks on electricity infrastructure, attacks on communications infrastructure, that really is a national and Economic Security threat. And to i think, i think if were talking about Critical Infrastructure, we really have to think about it in terms of operational technology, to think about the impact that can have on the life, health and safety of americans in their daily lives. In addition to supporting the federal government on this mission, is an owner and operator, but Critical Infrastructure. If you just want to jump in and react to any of this or just jump in and make a dmu few comments of your own. Theres kind of three key points. First and foremost, leveraging in this frame work as a consistent set of standards, and even just the approach of doing an attack link, but shifting from a Risk Management aspect. To build on what kirsten said about the weakest link. In our country, the Supplier Base whether it be their size, their focus, or whatever you might say. So being able to transform that core Supplier Base to the same set of standards and that will then enable the ability to share information in a more effective way, because we dont even have the tools, the technology and the capabilities to accept you dont even have a starting point. So thats kind of job one. Is just to establish the core frame work and then go from there. Either of you want to react to that . So, you know, scott as you mentioned, the response in texas, florida and now puerto rico, and the impact on the private sector. Dhs to assess Incident Response capabilities due to the loss of electrici electricity. Do you have any insight as to where that stands as it pertains to infrastructure and cyber risks, how do we think of these cyber risks on an electric grid, as they relate to manmade or other distribute attacks against the cyber grid . So maybe this is blasphemous, but im kind of threat agnostic, i dont really care why our systems have an out an, whether its a cyber attack, a physical attack, a storm, or act of god, our responsibility at the end is to get the electricity back up and running. Particularly with cyber means, we have all this infrastructure to allow us to be more efficient, to be able to track customer usage, all great, but we operated the grid for the better part of the 20th century without that. It and so as we look at the executive order, at its specific focus on the energy grid and Energy Infrastructure in general, we have been falling back on this Wonderful Partnership that we enjoy with our sector specific agency, the department of energy. And, you know, one of the things that they have at their disposal came from the end of 2015, the fast act gave a grid Emergency Authority to the secretary of energy, declare a Grid Security emergency and then have some extraordinary capabilities to compel action to get operations back up, with or without digital overlay. One of the things that we did, we you know, the question again, going back to sort of the value of ceo leadership, the question came up, are we able to operate the grid today without digital infrastructure. And the answer was sort of. And that was not a good answer for ceos and they said thats not a good answer, were going to go back to the drawing board and we have embarked on an initiative, it goes by a couple of great names, one is supplemental operating strategies or s. O. S. Or the mcgiver strategies. And we got some very smart engineers together who are working very hard and have actually developed some ideas so that we are not figuring this out in the midst of the incident, but that we have some ideas of what we would do in this contingency planning. Question have explained that to the department of energy, that is going to be part of the fast act authority, that the secretary of energy can use, but the idea would be not to figure out these things in the midst of an incident, but to have a menu of options that the secretary of energy could pull from that already have been tested from an engineering standpoint and that cant be handled whether this extraordinary authority is leveled for the first time, the solutions are not being tested for the first time. That goes to one of the points kirsten was making, which is not look left of boom, while we are also preparing to be responsive, which is something i agree with have a centurys worth of experience of and do particularly well. Kirsten, one of the key issues articulated in the Cyber Commission report last year was the incentive, trying to get the incentive structure right to enable publicprivate cooperation. And when we have thought about incentives for the past tfew years, is punishing the target when something goes wrong. But are there different ways to think about incentives, not necessarily the punitive after the fact things, but how do you begin to ensure the right type of Cyber Security, basically create a macroeconomics of cyber behavior. You started to answer the approach that i was taking because i do think when we look at incentives, we look at it in a frame work that hasnt been effective. We look to congress, we look to government to penalize. I was asked earlier this week if we just keep dragging the companies up the hill and talk about what happened and what went wrong, thats clearly not doing anything. And we talk about tax incentives and business breaks. But this is not actually getting at the Business Case or the Business Model for Cyber Risk Management. We have to be engaging the key stake holders and doing so in an effective way that makes Good Business the right answer. I was talking to a ceo of a utility company, who was looking at education and awareness. And we talk about cultural change. And he said he runs every three months a module for every employee to take on fisher iphi. Lets say they lose access for a week, he has a but as an employee, if you lose your salary for a week, thats a much harder hit to manage. And so that type of incentive structure, where people have the consequences and we have talked about putting it into performance reviews, thats the cultural, and the other issue is where are the board of directors on these issues, where are the share holders, wheres shareholder activism. One of the key aspects that got muffled a little bit, was the insurance holder share institute got around and said these members of the board should be fired because theylet this happen. And they put accountability to those individuals. While those directors didnt actually get fired, but the idea that the management is responsible to answer your question about incentives, its got to be the Business Case, and the stake holders to be making the if you fail to do Good Business, youre being held accountable, not by government, but by those who are actually going to affect your bottom line. Northrup grummond studies who is being done on the Cyber Security side every year. The key question is from a taxpayer and citizen standpoint, how do we ensure that, you know, that federal funds are being spent in a way and how does the private sector Work Together with the federal government to ensure that youre just not chasing the same thing from an r d perspective, but some of the harder longterm problems that were facing from an r. D. Perspective . Theats a very good question doing research inside a vacuum or because of any customer rirnlt leads you to things that might not actually solve the problem, our approach is to work closely with our customers and understand their needs and exchange information, Exchange Research agendas and portfolios, to ensure that were not duplicating work thats going on, is really three key areas that we see as the most important things that need to get done, one is resilient, the concept of the threat doesnt go away, its not going to go away, and if you continue to try to build a new hammer or nail, youll do that and continuously it rate until you dont have anything left. So resilience is very important. And from a cyber perspective, to fight through and to be able to recover, rapidly recover, at some ready state, it doesnt mean that you dont have to go back and fix it later, but at least it gets it used to operating. The areas of Machine Learning and artificial intelligence, those are the key Building Blocks that both industry and the government have to work on together because thats whats going to be able to enable you to do Something Like information sharing. It doesnt help to information share if you have one person receiving information, thousands of notes, because your workforce cant keep up with the information thats coming in. And finally, all of this is for naught if you cant do it at scale. So the concept of being able to operate at scale, and i think the congressman covered it. The Defense Department and the scale that you have to work on is bigger than any industry or technology would see. And you have to do all in a unified fashion. You mentioned workforce issues and when we think about Public Sector and private sector on workforce issues, its usually about the private sector taking away the Public Sectors star performers right when theyre at the point of their career when theyre having a Significant Impact on work. And congressman hurd said earlier we need to find ways to not only bring on new talent, but revolve people through and back and forth between the private sector and the Public Sector, on these Broader Workforce challenges, what are the and anyone feel free to jump in on this. What are the key, sort of, needs and requirements that we see . How is Technology Changing that, and some of the things you talked about with a. I. And Machine Learning . And for students who are here or who may be watching, what sorts of areas within Cyber Security should they be focusing on . Thats a good question, ill take it first. First we dont perceive it as a competition between industry and government. Its not a race for who gets the best person first. Its really the ecosystem required to create enough talent to enter the system, to Work Together and solve more problems. We have been focused on that for years now, from elementary school, to middle school and high school. Through the cyber education program. One program we have at the university of maryland which is the advanced Cyber Security for students. And the second, cyber scholars or nbc. First and foremost the value of a solid Engineering Education is the heart of all programs. At some point this will become somewhat of a solved problem, hey the talent in the workforce has to have something to do in 20 or 30 years, but being able to think and become able to lead is a huge gap. You often wanted the people who were very smart, do one very good thing, but theyre not able to lead teams to solve the problems. The Technology Areas we talked about, certainly cognition, artificial intelligence, are important from a scientific end, but from a practical standpoint, its just as important to have both students and people who are entering their workforce to retool their skills to have a more technicaltechnically sk. Do you want to react to that . A couple of things, i do think and we have talked about it in the commission wrrks the development of technology around a. I. Does not go in context to developing a Cyber Security workforce, they have to evolve at the same time. Even within the last 6 to 8 months, you start to see that everybodys you cant go to the Eastern Market without an ipad being pulled out, or any type of Street Vendor now uses technology across the board. So it becomes very important to look at both of those issues. I think the second is we have a little bit of a false understanding of what cyber means in the workforce. Its not just about technology, its about psychology and bringing in other disciplines, its one of the most vibrant interdisciplinary major that exists right now, because there is knowledge across the board that needs to exist. So to students who are thinking about this, you dont have to be a mathematician or an engineer to be in the Cyber Security workforce, and if we dont start ball lantsdsing out with those other the third piece to this, and chris mentioned it a little bit. We developed the workforce right now, but we also need to be developing it through the Elementary Education programs, were not doing a great job on that, as a nation, we need to be doing much better at so understanding the Cyber Security capabilities and what that is becomes very important, the way that kids can then grow up around these issues. And then the fourth and talking about your issue with government and industry, i appreciate what chris said, but from the private sector side, i think what government will say, well, you can say that because you can lure in with benefits, with salaries, with location, there are a couple of consulting firms in d. C. Who have nice locations where they send their employees for a weekend. Those of us who work in government know youre looking for the greater good which can be a hard sell when youre trying to get somebody out of college. Were looking for an Exchange Programthere were a few commissioners who were running very Large Multinational Companies who said, you know, i actually would love to take somebody whos got that experience, bring them into my organization for 6, 12, 24 months and then bring them back into government. I think thats also general human behavior, we do better when we take what we learn and put it in different environments. One of the companies is actually putting together an Exchange Program that will do that and also offer loan forgiveness. And to chriss point, not make it competitive, but make it more collaborative. Thanks. The only thing im going to add, i think kirsten and chris gave wonderful answers. It and the idea of an ecosystem thats interchanged, the sharing of resources that go to both government and entity goes to the broader theme of what we have been talking about, particularly as it relates to Critical Infrastructure. We ought to be finding ways to share the expertise that makes all of us more secure. One of the things we do, the work that we do is youre seeing it with storm response right now, you see military operations for lack of a better way to put it. And we have a program called troops to the military, were getting people out of the military and giving them jobs at electric companies. Its been incredibly valuable because the requirements are so similar, the rigor, the commitment to public service, and thats true for a line worker, whos out there working in the field, but as we look at the Cyber Security needs questiwe have for the sector. Well take a few minutes of questions from the audience. Please identify yours and wait for a microphone, well start over here and then go over here. Jim mccartney. Kirst kirsten, you were talking about the incentives, how do we create the right incentives, having worked on a couple of things with the government, i would say that the government is really bad in trying to project or foresee what good incentives look like in the private sector. Often times the more they do it the worse it gets in terms of prohibiting. I would say that the government may be better suited to create the environment where things like you talked about can exist. But i guess my question comes down to, if those are not systemic, how do we create a place where, yes, theres some negative consequences, but how do we then 2ur7b that around to make them positive results for companies for new event innovation to come and under cut what a lot of the to eliminate some of those problems. I think it does go to what happens before. And its about creating those cultures of security and creating the business indication for doing so. And as long as we just focus on the consequences and the punishment to your point, were always going to be kind of reverse engineering and always kind of understanding what the assets are, what the risk is for companies and whats important. I want to pull out something that scott said, because it was a great point about the ot and the it, and this idea of what were securing for National Security purposes. I think the challenge right now is in an era of Cyber Security of information, of infrastructure, where everything is about data. Understanding who is actually critical and what your business responsibilities are beyond your bottom line. Is something that the government does potentially need to step in on. Because while, you know, data and information may not in the first degree where harmful to National Security, that is how we get breach and that is how we create vulnerabilities and exposure. I think we again have to focus on, scott was talking about this left of boom, this prevent for boomers and all of that, see when we get to this place, the punishment to management and as long as we focus on the backside, were never going to create that culture of security for businesses and industry. And they wont take the responsibilities themselves. Rick weber, inside Cyber Security. This is for scott, so your comments about what the Sector Coordinating Council is doing under executive order seem to the executive order is about a cyber attack. Sure, yeah, i dont want to make it sound like were not looking, ill just keeping the boom continuum, left of boom. We absolutely are focusing on a couple of themes i guess escc focus. First is tools and technology. The government has some pretty interesting toys and we want to use those for our systems. So there have been some great examples of national lab developments, one is known as the Cyber Risk Information Sharing Program or crisp that was developed in an International Lab and commercialized and is now deployed in the Electricity Sector covering about 75 of all customer meters in the United States. Its a Great Success story of government innovation being used in the private sector. Next, ill continue on that theme of information sharing and i hate the phrase too. Its information flow. Making sure the right people are getting the right information at the right time. And what we mean by that is, a ceo, for example, needs a certain class of information so that when their chief Security Officer runs down the hall and says mr. Or mrs. Ceo we have a problem, the ceo doesnt say who the heck are you, get out of my office but is aware of the threats that are out there and can make informed Investment Decisions in order to protect their infrastructure but can also make informed decisions for or response to cyber incidents. Cross sector coordination. Everybody likes to look at the Electricity Sector as the most critical. We dont have water, we cant generate steam or cool our systems. If we dont have telecommunications we cant operate. We dont have financial services, we dont have access to capital markets, we cant trade our products. There are a lot of ways to impact the Electricity Sector short of attacking a control system for the Electricity Sector and that goes to a point its hard to have a bright line between i. T. And o. T. Because an i. T. Breach can have o. T. Consequences and i think thats something that we need to better understand about our attack surface and our network topographies and our exposeures both within our company, within our broader sector and within the broader infrastructure of all our sectors. I think that sort of highlights were not just looking at what do we do when the bad day happens but how can we limit the impact of a bad day by solid preparation on the front end. Thanks. Are there other questions . Marcus, over here. Thank you. This question is directed towards kirsten. I really liked your concept around Business Models and having Business Case, strong Business Case for cyber and cybersecurity. You made a comment about having a Business Case for Cyber Risk Management. I wanted to see what you envision that being . What are the one or two or three things you would sell to a ceo to say, you know, this is the Business Case for Cyber Risk Management and thats open to the panel as well. Arent you working on your doctorate . I did write that down. Its a great question. Its a great question and i think actually one of the most straightforward ways to answer that is to actually start looking at small and medium size businesses because if youre going to understand wheres the lowhanging fruit, what are the things that every Company Needs to be doing, if we felt that our industry and that our business government or business infrastructure was really sophisticated and mature, then i think we could break that out but because what were seeing is that theres not a lot of disparity between the capabilities when it comes to Cyber Risk Management of the Big Companies and small companies, ill use more accessible language which is how we look at small and medium sized businesses. We talk about cultural change. Youve got to have investment in cybersecurity from the top down and bottom up. It has to be a cultural move. You look at what your team is and how youre structuring it and if you only have four people but youre definitely going to have your h. R. Person, h. R. Is the first interface to the people coming into your organization and thats the first opportunity to create that cultural shift. Its a part of position descriptions and also a part of how youre evaluated. The third is looking at basic actions. Its software, its access management. I think whether or not equifax truly calls into question identifying proofing or identification now would be interesting to see because its clearly something we have been struggling with but its fishing. The argument around the fact that phishing breaches most companies and if we just address the education and awareness around that we would preserve or create a more resilient infrastructure is absolutely out there and so we dont have to be very evolved in how were looking at this. It doesnt have to be Senior Executive language for fortunate 500 because what were seeing is these Large Companies are failing to do the basic. It would be a very basic one to start with. Thats a high class problem. You go to what comes next. The fact that after wanna cry which was a patching issue. U. S. Actually called them up and say, do you know about this patch and they said, yeah, its not an issue. In this day and age for a company of any size to not be doing that particularly a company of what youre talking about is inexcusable. Weve still got to start with the basics and we need to be developing a basic program. I will just say whats important is im not offering a compliance checklist. Its important that its a Risk Management approach. Its really evaluating whats important to you as a company, how youre looking at your assets and how to secure them and making those decisions appropriately. I think theres another question here in the front and then well go back there. Rebecca kauffman. We have spoken quite a bit about securing data and Critical Infrastructure and industries and those are all tangible targets and our approach has been effective with respect to some cyber threat actions that target those things. What approach would you recommend for such cyber threat actions as russia, for example, that is perhaps the most sophisticated cyber threat actor according to multiple intelligence officials, russia has a very unique cyber doctrine that prioritizes psychological aspect as well as technical and they target things along with the tangible things, things like the human mind and our Decision Making process whether thats the human mind of the u. S. Voter or the human mind of our policy makers, what approach do we use to secure those things in your view . Thank you. Anyone want to take that . Ill start. So i guess the best way to talk about it is in terms of threat actors and capabilities and im reminded of what john brennan the former cia director said, those who want to attack us in a particular way can and those who can dont want to. And that was true when he said it. It may be a little less true today but regardless i think we have to look at apt, advance persistent threat in a thoughtful way. I think one of the most thoughtful ways from an electric sector perspective specifically is to understand that apt, it goes back to what i said, we have top right 100 of the time and the adversary has to be right once. We have to acknowledge that the adversary can, in fact, be right and that goes to the value of preparedness. The understanding of what the motivations of a threat actor might be and how they would comport themselves in a threat. Somehow weve gotten through this entire discussion without mentioning ukraine so i will start it now and to say that particular incident, incidents, end of 2015 and 2016, are particularly useful lessons for the sector that i help to represent because it is an indication of what an attack likely would look like on electric infrastructure and that gives us an opportunity to prepare ourselves, do the thought exercise. What would we do here in the United States if a ukraine style attack impacted our systems and i can tell you that that has been a primary focus of the Sector Coordinating Council for quite a while. I think we have time for one more quick question back there. Hi. When we think Public Private we often default at least in d. C. Of thinking the public side of that being the federal government, but clearly states and cities have an increasingly Important Role in this so my question is, what should we be expecting from states and cities in their role as either owners, regulators of Critical Infrastructure or enablers in terms of education policies, et cetera and what can other stakeholders be they the federal government or private sector be doing to help and enable that policy formulation . Id say in our efforts we both done education and academic programs from a start medium enterprise. Its one without that we wouldnt be successful because it provides you the undercore and underpinnings of infrastructure required to have things like a Technology Incubator thats executed by professional organization thats in concert with the state and building the ecosystem and the environment for which people can be successful is certainly comes down to state and local level versus just the federal government activity not to say our federal partners arent important. When you get down to the economic development, down to the job level, its really the State Government that helps drive that. Were out of our allotted time. Please join me in thanking the panel for their comments and for joining us today. [ applause ] well take another short break now. Well reconvene, start the next section promptly at 11 45. Be back in your seat by 11 40 so we can start the next session on time. Thank you. Good morning. Good afternoon. One bit of housekeeping information. Tom bossert is duty calls. Hes responding to obviously the devastating effects in puerto rico and since his job is to be head of Homeland Security, cyber, counterterrorism, hes