When he gets in the car, he knows what is going to happen. Tonight, on C-SPAN's Q&A.
Now, Homeland Security Undersecretary Suzanne Spaulding talks about protecting the nation's infrastructure. She was part of an event hosted by the American Bar Association. It is about 90 minutes.
[applause]
Good morning, and thank you for that very gracious introduction. Some of you know and everybody will eventually learn that when you have spent over six decades occupying space, you take on a variety of roles. Put it another way, you wear a variety of hats. I will explain to you three different hats that I wear. And currently special advisor to the American Bar Association Standing Committee on Law and National Security, we celebrated our 54th birthday, founded by ABA president and later Supreme Court Justice Lewis Powell and Chicago lawyer. The committee focused on the legal aspects of security issues and conducted studies and sponsored programs and conferences and highlights the intersection between law and national security. On behalf of our current chair, number chief judge of the United States Court of Appeals, it is the committee's honor and pleasure to serve as a cosponsor of this institute. Day job is as executive director of the National Association of Attorneys General, the professional District of Columbia, we are working on that acronym. Old, and serves as a ballroom for the exchange of knowledge, experiences and insight on issues of importance to the attorneys general. It is also our honor and privilege to be a sponsor of this institute. Why I am really here, and the pleasurable part of my morning, is to introduce our first speaker of the day. There are only a handful of real subject matter experts that occupied the space often called national security law. 
Those whose education, knowledge and experience spans the wide spectrum of what is included in that broad topic category, whether it be intelligence, counterterrorism, weapons of mass destruction, natural or manmade disasters, or the wide-ranging subjects and issues. Undersecretary Spaulding is one of those few. She has served in political positions on both sides of the aisle, and has a well-earned reputation for cutting through politics and crafting solutions to complex problems. Her professional career is a testament to her lifestyle of service. I was very fortunate when I met her several years ago, and she saw something sparked in me and became both my mentor and my friend. Others, I am a better attorney and better person because of her. Please join me in welcoming the Undersecretary for National Protection and the Department of Homeland Security, Suzanne Spaulding.
[applause]
Thank you so much for that touching introduction. Thank you for your many years of outstanding service as a public servant and fulfilling so many of the important roles that lawyers fulfill in this area, particularly at the intersection of law and national security, and your outstanding leadership for a number of years. It is great to see you this morning and an honor to be introduced by you. Congratulations, 11th annual Homeland Security Law Institute, it is hard to imagine. We remember the first, it is really terrific, and we remember there were not many homeland security lawyers back in the day, and now there are quite a few. Your institute has helped to train them and make sure that we have a fellowship and networking that is so important in developing a field of law. 
Joshua, terrific to see you as always, and thank you for the groundbreaking work you are doing in Oklahoma, in making sure that the expertise and the knowledge and insight don't just stay in Washington or come from Washington, but in fact draw on the entire country, and the work you are doing at Langston University to help train the next generation of national security lawyers and our cyber pipeline. One of my greatest honors was having been invited to give the presidential address at Langston University. I was made an honorary Langston Lion. I am very proud of that. Thank all of you for being here today and for your participation in this institute. I think it is an important conversation that happens and an important commitment that you are making to this growing field of law. Jim talked about his time on the Standing Committee on Law and National Security. When I found out he would introduce me, it got me thinking about when I took over as chair of the Standing Committee on Law and National Security. I was scheduled to have my first meeting with our outstanding staff director, Holly McMahon, who I think many of you know, at 9:30 a.m. on the morning of September 11, and as I was getting ready to head down to the ABA building next to the White House, I watched what happened in the news, and what unfolded over the coming days and weeks was an amazing reminder to me of the incredibly important role that lawyers play in this country, particularly in times of crisis. The lawyers all came together within two weeks of 9/11 to talk about the important role that law would play in the coming weeks and months. Lawyers do play that important role as counselors, as advocates, as educators, and as leaders in your community. At DHS and the National Program, I am extremely grateful for the lawyers that I have, a terrific group led by Dan Sutherland, who many of you know and has been very involved with this Homeland Security Law Institute. 
A tremendous lawyer who has put together a tremendous team. Also Jamie, the head of my privacy office, and an incredibly important member of our team. Between them and their teams, they are a critical part of maintaining that trust with all of our stakeholders that is absolutely essential to accomplishing our mission. Their role has never been more important than it is now. We look at the terrorist threat. Made a lot of September 11. For terrorists to perpetrate a large-scale attack of the kind we saw that morning, but we are now seeing the rise and a growth of smaller attacks. We used to talk about terrorist-directed attacks, then we talk about terrorist-inspired, increasingly we are seeing something you might call terrorist-justified attacks. Much smaller attacks, they can come out of nowhere. Much harder to detect, and present a significant challenge. We recognize that this means that these threats are increasingly localized. It requires that we make sure we have a robust regional effort, and so we are moving resources from headquarters into our region, we are strengthening our presence and our support on the ground, close to the communities all across the country that are facing the threat. That is a big part of what is happening in the National Protection and Programs Directorate. At the departmental level, the secretary has established a Community Partnership which is focused on countering violent extremism, and Congress has given us authority to establish a grant program, starting small with a 10 million fund, to help fund efforts across the country by communities. So that we can help give them a megaphone, to amplify their messages. The authentic messages for countering violent extremism are going to come from communities all across the country, and the role that we can best play is to simply help give them a megaphone for that message to be heard. 
Our role is to help communities focus on the ways in which they can be more secure and resilient, so we work through our protective security advisers who wanted to avoid across the country, who worked directly with, particularly with our critical infrastructure owners and operators. That includes commercial facilities, so all those venues where the public gathers, shopping malls, movie theaters, outdoor venues, sports stadiums, etc. Our PSAs are out there every day to help folks understand their vulnerabilities and the ways in which they can mitigate them, to provide situational awareness of the threat environment which they face. We have developed ways to be able to share classified information. We work every day to get information declassified so that it can be shared as widely as possible with those who can make good use of it to help protect this nation. If we have classified information, we have cleared private sector experts who come in and are able to look at that information, that intelligence. We tell them, here is what we've got, here is what we have seen, what are we missing? Importantly, help us craft unclassified alerts and mitigation measures that can go out broadly across critical infrastructure. They can help us identify what is actionable in that classified information. And do we need to go back and say we need this declassified, so that we can make it available to those who need it, to help keep us safe? One of the most important things we do at the regional and national level, working through the Sector Coordinating Councils for each of the 16 infrastructure sectors, is to help them understand consequences of events. That is to help them understand interdependencies and the possibility of cascading consequences. That is a unique analytic capability that we bring to bear, that we are able to do in collaboration with the private sector, so that they can help prioritize their efforts. 
We provide situational awareness, through those intelligence polls and the alerts and advisories in a time of heightened threat environment. We will rapidly pull together our private sector colleagues for calls to share with each other what they are seeing, what they are doing, the best practices, ways in which they are responding to the heightened threat environment that just occurred, and to find out what we can do and what they need from us. That now happens as a matter of course. We traditionally have put out information to state and local law enforcement. It is now increasingly routine that when those alerts go out to state and law enforcement, that information is going out to the private sector, a growing recognition that they are true partners in that national security effort. We do campaigns across the country around significant issues. Following the attack on an electricity substation a couple of years ago in California, the Metcalf attack, we did a campaign all across the country to make sure that the electric utility companies across the country understood what had happened there, to share the best practices that were derived from that event, and to help make sure that we strengthened the security and resilience of key parts of our electric grid. Following the Nairobi shooting in the shopping mall, we did a campaign across the country to enhance the security and resilience of shopping malls all across this country. That has continued with training exercises and regular interactions. Following, particularly, the attacks in Paris, we recognized that the great work we were doing all across the country with owners and operators of commercial facilities we could perhaps tailor more effectively for smaller venues, like the cafes, the smaller venues like the 9:30 Club, across the country. 
So we went back to our mitigation efforts, and we said, how do we tailor this for smaller entities that don't have those big robust security operations? We developed the Hometown Security initiative, and we developed handouts. Connect, plan, train, and report, to encourage those entities to make sure that they connect not only with the federal resources that we can bring to their disposal, which is at the National Infrastructure Coordinating Center, but connect with those public safety folks in their own community. So this handout was developed in large part to give the state and local law enforcement, to put their contact information on the back, and walk the beat, and hand out to those small venues so that the first contact is not when an incident happens, right? But to connect with those resources, to build plans for both preventing, detecting, and responding to security incidents, to train their folks, whether it is the bouncers, the ushers, whoever it might be who you are counting on, to make sure that they understand your plan and that they are trained and that they know where to report. Those are the examples of the kind of work primarily our Office of Infrastructure Protection undertakes every day to respond to that security environment. And our Office of Emergency Communications makes sure, working with those public safety folks all across this country, that they have communication to bring the most effective response to bear that they can, such as the training they did prior to the Boston Marathon, around the Boston Marathon back in 2010, the training that was used to get grants, to improve their communication, which made a major difference and saved lives on the day of the Boston Marathon bombing. Our Federal Protective Service is responsible for one of the key critical infrastructure sectors, which is federal facilities. 
They are responsible for protecting over 9000 federal facilities all across the country every day. They assess the security, they stand guard and protect the facilities. Increasingly, they have found that that security cannot just be focused on physical security. Increasingly, they have to bring cyber into their assessments and the protection activities into these facilities. A lot of the access controls, the surveillance cameras that they rely upon are increasingly networked, which presents a vulnerability, right, if the adversary can get into the systems and use them for their purposes. In addition, if they do not have good access controls to that server room, then the potential for destruction in the cyber or I.T., information technology, and communications network is also heightened. The same is true across our 16 critical infrastructure sectors. The cyber threat to those sectors, and to their functionality, grows every single day. You only need to read the newspaper. In fact, you only need to open your mailbox. Particularly for these people in this room, you have gotten those letters, whether it is because of the OPM breach or where you shop, almost every American now has free credit reporting as a result, right? As a result of some cyber intrusion into their information. So that is a critical mission for the National Protection and Programs Directorate. We lead the effort to protect civilian .gov, and we do that by promulgating best practices, particularly promoting the Cybersecurity Framework, providing baseline tools, intrusion prevention and protection, which we call EINSTEIN, and tools that go into your network and assess the health and wellbeing and security of your network configuration, and that is Continuous Diagnostics and Mitigation, private sector tools that we make available to departments and agencies. And then automated information sharing. 
Congress has made the NCCIC the central hub. This is an incredibly important initiative that we have launched to make it harder for the adversary to reuse the same stuff over and over again with different victims, because we are now going to be sharing in real time, machine to machine. So the adversary might be able to get away with something once, but as soon as any node on this system of systems, as soon as they detect something, it will go out in milliseconds to all of the nodes, who will then have the technology in place to alert and prevent the harm from happening to them. This means the adversary is going to have to keep changing. And as we get more and more sophisticated and develop not just to get your base attributes base way someone malicious activity, reputation scoring, et cetera, we will be able to stop things we've never seen before. And that's a key objective and a foreseeable goal that we can reach here. And then finally on cyber, we are also first responders. So we come in with these that i government or private sector entity has detected malicious activity, and we help them figure out what's going on on their system, kick the bad guys out, and rebuild more securely. The White House just issued Presidential Policy Directive 41, PPD-41, which describes how the government is going to be organized and is organized to respond to cyber, significant cyber incidents. It describes this role for DHS which we lead, which is asset response, which I just described. And we bring other departments and agencies into that effort as appropriate and needed. And then the threat response, which is, now let's figure out who did this and bring them to justice. Which the FBI leads. And then the intelligence piece, which gives the broader context for that. So PPD-41, long-awaited, describes the role of the federal government. Key to this, really, when I talk to the private sector, is to not view these efforts in stovepipes. 
Physical security over there, cybersecurity over here. As I described, the challenge our Federal Protective Service faces, and noted that it is faced by infrastructure across the 16 sectors. The electricity sector, for example, they've got to be looking at physical and cyber threats, physical and cyber vulnerabilities, physical and cyber consequences, and physical and cyber ways of mitigation. Sometimes those are going, you will bounce back and forth on those. You cannot solve the cybersecurity challenge with just your I.T. specialist. You have got to bring your mission folks to the table. Got to bring your program people to the table. You should start by figuring out what you most need to protect. Cyber hygiene. That will give you an important baseline level of protection. Then you have to zero in on high-value assets. What are those high-value assets, how will you figure that out? What can disrupt continuity, your business, mission. You will do that by looking at what can affect data integrity, confidentiality, and access. What industrial control systems, what mechanical, what activities do we have that are dependent. And how can that affect the way in which you do business. So understanding consequences. And physical consequences. Cascade consequences is a critical part of cybersecurity. It also means that as you look at how do you address the risk of a significant cybersecurity problem, you may be looking at a physical solution. Might look at having paper backups. So bring this holistic, physical-cyber approach. We are incredibly fortunate that we have both our physical and cyber experts in one organization. What I am trying to do, and some of you may have heard of NPPD transition. It is about breaking down the stovepipe. Making sure we have true unity of effort. 
And as we approach and assist state governments, federal partners, we are bringing that holistic approach to bear and solving their security challenges and understanding their risks and developing effective mitigation. That is at the heart of it. We are an operational component, we are engaged in operational activities. We haven't been recognized as such; that's a second goal. And we have a name that is horrible. That no one can remember. That tells you nothing. National Protection and Programs Directorate. So I am on a crusade to change our name to something that tells you what we do. I would like us to be known as the Cyber and Infrastructure Protection agency. For the lawyers in the room, not CIPA, C.I.P. We'll be C.I.P. And so, you know, Congress is looking at this. The House Homeland Security Committee has passed legislation to authorize the standup of a new operational element at DHS. I understand that many of you heard from Mary Beth Schultz yesterday, on Carper's staff, that they, you know, are working closely with us to try to make this happen. And I am optimistic that we are going to get there. It's about bringing a stronger sense of identity, a stronger sense of mission. Very important for the department, very important for NPPD. I'm going to close by talking about the secretary's effort to do that for the whole department. In lots of ways, a unity of effort initiative. But one of them, the one I want to leave with you today, was the secretary's effort to craft a mission vision statement for the department that was simple, straightforward, and that spoke to the identity that has developed across the department, sense of identity, over the years of its existence. He started by soliciting ideas from the work force, from all 250,000 employees at the Department of Homeland Security. And he received thousands and thousands of emails with suggestions. And he read through a lot of them. And he looked at and paid attention to the words that kept coming up, right? 
So this was, again, a sense of the work force's own sense of their identity and their sense of the mission. And so the mission statement that he put out just a couple of months ago reflects that sense of mission and identity. With honor and integrity, we safeguard the American people, the homeland, and our values. I want to thank all of you for the role that you play every day, as I said, in all of the ways in which you interact with these issues, in helping us accomplish every aspect of that mission. And thank you for inviting me to be here with you today to tell you a little bit about what NPPD is doing and the threat environment that we face. Thank you.
[applause]
Mr. Whitley: Good morning. We're going to move right to our next panel, and this will be our general counsels panel, so thank you very, very much, Suzanne Spaulding, for your kind remarks, and thank you for your service to our country. We greatly appreciate it. Moving to the far left of your political spectrum.
Mr. Whitley: This is one of the more dangerous panels of the day, in that I am going to be moderating a panel of general counsels, so all of whom are very fine lawyers. The materials really outline exactly what we want to touch on in this panel, which is the role of the general counsel in the private sector as an interface with DHS. What are their responsibilities in terms of homeland security-related issues in their companies, how they deal with their boards of directors in their companies. Three of the companies we'll be talking about are publicly traded. How do they balance corporate security and profitability. You could have the most secure corporation in the world but not be profitable because of overreaching security apparatuses that could affect your company's profitability. I'm going to introduce panelists in the order that they appear on my left here. 
Angie Chen is the Vice President Security Officer at Siemens Government Technologies. Angie before that was chief compliance officer at mare net marine, and she did serve as deputy associate general counsel at NSA, so we're delighted to have you with us, Angie, thank you for being here today. And to Angie's left is Sheila Cheston, who is the general counsel of Northrop Grumman, and prior to that she was general counsel at BAE Systems. She earlier in her career served as a partner with Wilmer Cutler. He should be, at least he's closer to my right, but the next, who is Ira Raphaelson counseler the general of a few days ago it in Nevada. Before that, he was the general counsel of the Las Vegas Sands Corporation. He has a long and distinguished career of service in the Department of Justice, where I used to take his instructions when I worked for him. Occasionally Las Vegas Sands, Ira continued to direct me, so today is a great opportunity, Ira, for me to get back at you. And then at the end of our panel is Chris Graham, who is a colleague and friend from Atlanta. And Chris leads the compliance, safety and investigations group at Georgia Pacific. He previously was general counsel for Invista, also with Koch Industries in Wichita. He was a partner earlier in his career with Hunton and Williams. This panel has spent some time thinking over how we might address the hour or so we have with you this morning, and we'll leave some time for questions and answers. I did learn that Sheila has to leave us to go catch an airplane at 10:00, so if she gets up, it's not a protest, it's just that she has to get away to take care of her duties. So I want to thank them, and I hope you will thank them in the applause later, for taking time out of their schedules to be here. 
But just a word or two about when I was general counsel at Homeland Security. One of my main missions, I felt, was reaching out to those general counsels who were in the private sector, to talk with them and work with them. The organic statute that creates the Department of Homeland Security talks about the private sector. And this was going to be some sort of new enterprise, some sort of new type of cabinet agency that would not seek to overregulate the private sector, but would work with the private sector in a way that would capture the best of government and the best of the private sector in our capitalistic system in the United States. Certainly, there are other countries around the world where the two are so incredibly blended, you can't tell where one begins and the other ends. And so it's a situation not very different from what you might see in China, for example. So what I thought I'd do this morning is certainly welcome war stories from the panel. Sheila, one of the things that I think about, you know, in your role as general counsel at Northrop is just sort of your interface that you've had with DHS and some of the thoughts and comments you might have about that for the group.
Ms. Cheston: Is this on? Can everyone hear me? So, thanks, Joe. And my apologies, too, for having to step out a little early here. And back when Joe was at DHS, he and I used to have lunch together every now and then because of this notion of the importance of the collaboration between the government and the private sector. And in a much earlier life, I was general counsel at the Air Force and did the same thing with industry. I really profoundly believe in this notion of a shared mission, and I was pleased to hear the undersecretary, just a few minutes ago, talk about the true partnership, because I think it is the only way it works. Nobody has enough resources to do it on their own, so it is only together that we do it. 
And I was thinking, as I was driving in here this morning, because I had a little bit of a heads up that Joe was going to ask me this question, about some of the concrete ways in which, perhaps, the DHS and industry could collaborate better to progress this shared mission. And if you look around the government, there are all sorts of government-industry working groups that get together to address common issues and to figure out, outside the context of any particular dispute or procurement, just sort of more generally how we work better together. And I think there are some opportunities for industry and DHS to do just that that have not yet been realized. And a couple areas, one is in the area of research. If you look at DOD, for example, which I know a little better, there are examples where DARPA funds, you have got government-funded research and technology development that is of particular interest to the department. And then you've got industry-funded research. And while the industry-funded research is sort of almost necessarily independent, there are conversations and there are dialogues, and there are things like the Defense Science Board, and there are fora in which there is conversation to help increase the probability that what research the government is funding and what research the private industry is funding dovetail and complement each other and work together to help to create greater technological capacity to support the shared mission. So technology development and research is one area that comes to my mind. Another area, very different, is on the question of liability and protection from liability. Again, using DOD just by way of example, they have something called 85-804 authority, which many of you might be quite familiar with, where the government can provide indemnification to industry to provide an incentive and some protection to undertake activities on behalf of the government that are extremely risky. 
And if you think about some of the areas that DHS is interested in, I mean, one area that comes to mind is nuclear and bio detection, where if it doesn't work and something goes wrong, the liability is really significant. So for industry and the government, industry, DHS, and, in this case, Congress also to work together to think about whether there are ways to expand the role of DHS, like other parts of the government have done, to provide and enable industry to undertake activities that serve the common mission. And then the third example that came to mind, and then I'll stop talking and let Joe ask someone else a question, is in the area of procurement. You know, acquisition reform is a constant refrain, and I think the government and industry, together and separately, are constantly learning how to do it better. And in that area, too, I think there is opportunity for industry and DHS to work together to figure out some lessons learned and some ways to fine tune and, perhaps, make slightly more sophisticated, in some areas, the acquisition process, so as to enable DHS to procure the goods and services they need in a more effective and efficient way that doesn't get bogged down with protests or whatever else there may be. So those are just a couple of areas that I thought were ripe for more collaboration, greater partnership to progress the shared mission.
Mr. Whitley: Thank you, Sheila. Any comments from the other panelists on any of Sheila's remarks? If not, I'll move to Angie. In terms of, sort of, your thoughts, Angie, on working with DHS, some observations you've had that might sort of parallel Sheila's, but maybe some different experiences.
Ms. Chen: Thank you, Joe. And thank all of you as well for coming out and especially for the honor of being on this panel with my esteemed colleagues, particularly Sheila. 
I want to mention, for many years in my career, essentially, she's served as a role model and mentor, and her remarks reflect a lot of the things I wanted to share today, Joe, in terms of my perspective, where I sort of want to ratchet it back a little, reframe your query to me, is that it's really important for us to focus on the basics. And in that respect, I wanted to share my views with respect to specifically corporate governance and the evolving role of general counsels. Because I think those are two touchstones, those two aspects are touchstones that are absolutely critical not just in terms of being able to engage successfully and meaningfully with agencies like Department of Homeland Security, which carries such a tremendous burden in terms of its mission and what it tries to execute on behalf of the nation, but also in terms of the role that general counsels in particular play. With respect to governance, the reason why I think that is actually part of the foundational pillar, it's not a particularly sexy topic, it's not one that people tend to want to spend a lot of time talking about, but ultimately, it's your governance framework that provides the framework in which you can understand, essentially, your situational awareness, your rules of engagement, your ability to interface successfully with your internal and external stakeholders. And I do have a couple of cheat sheets here. By governance, essentially, I'm referring to the deliberate and inherent order and structure of the organization that establishes the various authorities, duties, obligations, and rights that control and direct the organization. What a governance framework provides for you is an appropriate and transparent distribution of responsibilities amongst the various functions and components of the organization, ranging from the employees to your managers to the leadership to your board of directors. 
And when executed appropriately, it provides the only hope of having a clear level of accountability across the organization and facilitates more efficient business rhythms and productivity. I dont have to belabor the point that the market recognizes the importance of Corporate Governance in terms of shaping and providing a framework in which companies and industry engage with the government and with its work force and with its management structures. Theres been a tremendous increase of rules, regulations, directives that, essentially, force, if you will, the requirement for strong governance principles. But having a regulation out there and translating that into reality, from a practical standpoint, this is where general counsels, essentially, can play and do need to play a key role. The role of the general counsel, clearly, has changed over the times. We live in a very troubling and challenging world. Not only do general counsels still have to Pay Attention to the traditional areas of litigation, regulatory compliance, intellectual property, mergers and acquisitions, but now, we have to encounter the fact that the companies, our clients or organizations, are in a very, very much changing and Dynamic World environment. Its not just the micro and macroeconomic trends that are changing, its also the fact that we are now dealing with asymmetrical threats. Were dealing with risks that previously were really only the purview of the government. National security, Homeland Security these are things now that general counsels of all organizations and all sectors need to take into account and be aware of and understand how to affect our core responsibility advising clients on how to prepare, how to detect, how to respond, how to survive and, essentially, remediate when any of these threats potentially impact or potentially influence the aspects that drive our business or our business activity. 
Part of this would essentially come out, for instance, in terms of your ability to craft an appropriate and effective Crisis Management plan or Disaster Recovery plan, Business Continuity plans. You cant do that unless you have a very broad and deep understanding of the Governance Framework. Not just, frankly, of your own organization, but those of your partners. So sheila mentioned procurement and supply chain. You need only google very quickly supply chain security, and you can see many, many, many challenges there with respect to making sure that you have secure and reliable products and services both to service your own business, as well as to incorporate into your products and services that you provide to your customers. You cannot, essentially, have a strong, reliable Governance Framework for your organization alone. You must have an understanding, as well, of how to push those same principles and practical effectiveness through all of your partners, including your supply chain, your subject Matter Experts, the people who you reach out to help, both internally and externally. Communication is key in this respect. Governance demands you have Clear Communication of those rules and responsibilities, understanding, essentially, how to inform your board of directors, so they can affect their fiduciary duties to manage and oversee your corporation. These are all key touchstones. And in all of this, general counsel can play, again, a critical role. So you need to realize that in all respects theres an opportunity as much as there is risk with respect to being able to address these things. So in closing, i just want to sort of emphasize that, you know, we heard from undersecretary spaulding, that it is a changing world environment. We cannot do this alone. 
All of our interfaces be it dhs, be it the fbi, be it the government, be it peers, be it academia needs to be done as a community and with a good understanding of even as we try to adjust and be adaptable, you have to have a very strong governance principle and philosophy that will drive your compliance, your strategy, your interactions on a daily basis with your peers and with your partners. And so those would be my remarks , too, in terms of how to try and be more effective. Mr. Whitley thank you, thats really helpful. Your background is so perfect for what you just described. Youre dealing with compliance all the time. The corporations youve been part of. It is very meaningful because so , many of our audience are people who have served in government or academic institutions, and we hope to grow our attendance from the private sector, because its so critical that they hear this audience hear your remarks. Ira, one of the areas that youve dealt with has been a corporation thats in many places in the world. Gambling is a phenomenon that ive engaged in. I think i may have even, when you were general counsel at scientific games, i may have done one of those scratchoff cards. And its a phenomenon that you think, well, whats controversial about that, in terms of at least it being something people like to do. But have talk about some of your interaction, if you could, with dhs and other security apparatus. Mr. Raphaelson well, from your perspective its gambling. From the houses perspective, its just gaming because mr. Whitley yeah. Mr. Raphaelson we set the odds. Or [laughter] my employer used to set the odds. One area where we dont set the odds, though, is vulnerability. The company that i most recently worked for, unfortunately, experienced two of the kinds of episodes that were just referenced by my fellow panelists. 
In February of 2014, I and the other executive team woke up to turn on our computers, and rather than have the secure login screen show up, pictures of all of our properties on fire showed up. And so, we resorted to an older form of communication, a phone, and quickly ascertained that we had been the victim of a cyber attack. We dealt with it. We learned quickly, and then the public learned, through the decision of the government to announce it, that we'd been the victim of a nation-state attack even before Sony was. I don't know how helpful the announcement was, but it did raise a question that I think Sheila raised, and that is you sort of have the challenges as general counsel of preparation and all of these very highly publicized attacks that were designed to gain customer data. Ours was designed to destroy rather than exfiltrate data, but the exfiltration of customer data becomes the bugaboo. Boards get worried about it, you have to communicate, as general counsel, to boards about the level of preparedness. The board gets into an immediate blame game. The gentleman from the National Association of Attorneys General is gone now, but the attorneys general are very fond of jumping into the blame game, even if you're PCI-compliant and have sent out the requisite notices to your customers. Not all retailers thought that was a good idea, but we send out the requisite notices. They immediately want reports. And it becomes a little bit difficult, even with a former law enforcement perspective, to understand why it is the victim is being blamed for the act of a nation-state. And yet we somehow were. And there is, at one level, a sense of helplessness that you need to convey to a board.
Ultimately, three weeks ago, an International Consortium of police, including representatives of our own government and the agency the department were talking about today, affected the arrest of six individuals who, across a Narrow Strait of water, were pointing a missile at one of our buildings in singapore. We learned about that in two ways. One way was to read about it in the newspapers. That wasnt particularly satisfying. The other way was for a very small group of us to be aware of an Ongoing Investigation by governments, because we have arrangements, through our head of security, whos a former Deputy Director of the secret service and who may still have clearances that allow him to communicate in a way with government that mere mortals are not allowed to. He was aware. And so, the board of directors reads this in the newspaper, they go how could we be uninformed on the topic . And then you have to inform the board of directors, well, its not that we were entirely uninformed. One of us knew, and a second one of us sort of knew. Well, whos the one who sort of knew . That would be me. Well, how do you get to sort of know . Well, i get to sort of know, because i can sort of read in i f want to, and the government wants me to, and theyre satisfied with an arrangement whereby im neither fish nor fowl, im neither readin nor readout. But im aware of whatever liability we need to protect against, because thats the arrangement the government informally made with us. Have any fisa rules been violated . No. But has the government authorized information in a way that the company can do what it can to protect itself . Yes. I agree wholeheartedly with sheila, that we need more of that. We need mechanisms whereby the government allows business to do business in an informed way, because we live in a country where the plaintiffs bar knows no bounds. 
That is, we will, as victim, be liable for whatever it is we, as private industry, will be liable for whatever it is that cyber criminals or terrorists or opportunistic criminals decide to do to our businesses in a way that violates the countrys sovereignty, the dignity of our businesses. And so, as much communication as we can have between our head of security and Law Enforcement, that goes on. As much communication as we can get back, we operate huge not just houses of gaming but we operate huge hotels, we operate huge shopping malls, and understanding that we are a an attractive target, we need as much information as we can as to how to train security in order to have the best chance at avoiding the next disaster in a public facility. So i think all of those are opportunities or munication with government, in terms of communication with boards. Boards get trained all the time right now. It is your responsibility to oversee the compliance program. There are also trained, of late, that they needed to micromanage the Cyber Security risks. And, at least in our house, there is for the general counsel, and up until sunday i supervised cybersecurity, but its schizophrenia. Because if you let any really good chief information Security Officer loose on a board of directors, you can have an incredibly humorous session, whereby the cyberSecurity Officer speaks jargon, and the board tries to speak english. So if you are a general counsel with a somewhat twisted sense of humor which i was, i confess you just let that go. And then near the end of it, you weigh in and go, what the cyberSecurity Officer is trying thats great. So many things you brought up but i will safe for later. Thank you very much. Chris graham, in terms of Georgia Pacific, its a different entity, sort of organizational process when youre privately held, i suppose, right . 
So I know you experienced some deficient things but you also interact a good bit with the DHS and we were talking about chemical facility protection and those are the things that we, some of us, lose sleep about it at night knowing that we are doing a great job, better job, but there may be some gaps in the process, but anyway, without talking much more about my thoughts, what are yours on some of what you just heard and what can you add to the discussion? Well, what I thought I'd do is offer maybe a cautionary tale to those in the private industry here and those in the government talking about trying to get greater cooperation from the private sector based on experience that we had. Now, I must say that, you know, Joe said it delicately, we make toilet paper. [laughter] And you should always use Angel Soft. I will leave that as it is. [laughter] I'm going to talk about a facility near Baton Rouge, makes fine paper, toilet tissue and paper towels. It's the flip of what you were talking about because we want to be included more. I want to talk about reaching out to government and getting assistance which was valuable too. We worked with the FBI but they were creating with DHS, chlorine dioxide, and when it comes to talking, but I'm not an IT specialist but this is an IT case. Our IT guys like to call it the Valentine's Day massacre. As general counsels don't like people to talk in those terms, we've asked them to, from a careful communication perspective, call it the Valentine's unpleasantness perhaps. On Valentine's Day, a Friday, over that weekend, starting on that Friday night, into that weekend we had our DHCP, I have no idea what that means, Dynamic Host Configuration Protocol, went down at the facility and, of course, the IT folks that were working on it thought that we just had a problem with DHCP.
The problem is that it sends out leases of IP addresses so anything tied to DHCP, shipping protocols, our forklift trucks, all of those things went down when they tried to relog in and couldn't get an IP address. Of course, I asked the question that somebody who doesn't know IT asks: did you turn it off and turn it back on? And, of course, I was met with a very stone cold response from the IT folks. What they thought was we just had a problem with DHCP and had to hard key in IP addresses for all of the addresses; everybody thought over the course of the weekend that it was done. During the course of the next week, however, we started to have access into our system, firewalls were being shut down and connectors at the facility were either being shut down or passwords changed, we started to think, hmm, this is something more sinister, more problematic than just a system going down. Well, what I didn't say also: on Valentine's Day, it was a Friday, unfortunately for this gentleman, a 15-year IT employee was let go. He was let go at about 10:00 o'clock in the morning and unfortunately for the facility by about 1:30 they shut down access in the computer system at the facility. When he was let go his access was taken away, computer was taken away, his key fob that would allow him access was taken away but what became clear was during that very short window he accessed the system and he knew, I mean, he was the guy who basically did facility infrastructure, architecture, had set up the entire facility and knew how everything was wired from an IT perspective. He, on his way out of the door, said, you guys are going to want me back, and prior to that instance, a few weeks prior to his termination, told somebody, hey, if I ever get fired people are going to regret it. Now, unfortunately, from a client's perspective and general counsel perspective, that wasn't shared with the organization and candidly we wish it had been.
After they began to suspect foul play our IT guys did a good job of collecting logs and figuring things out and trying to determine, you know, who was responsible for this and they had some specific ties that they could point to with this former IT professional and this is where the cooperation piece comes in. I, like many people in the private sector, am reluctant to get the government involved because you think you can handle it yourself and sometimes when you get the government involved, things are taken out of your hands. Once we started to see real ties to an individual and we thought that somebody was involved and it was becoming fairly costly for us, with shipping being shut down and other things shut down, we contacted the FBI, local folks in Atlanta, ultimately they passed it along to the cyber office which was very excellent, but, and here's where it gets sticky, the individual who was interested in causing havoc back up, we contacted the FBI 24th of February, three days later on the 27th, maybe because the havoc wasn't significant enough, this employee accessed process controls at our facility. It went from just being IT infrastructure stuff and maybe some business continuity stuff. And has high pressure and significant potential from a catastrophic perspective if not run correctly. Basically the operators, for a period of time till they shut down the equipment safely, were flying blind. No controls, he shut them down. And so, you know, within 24 hours of that happening, because of the potential impact, the potential arguably terroristic impact, they served a search warrant on the gentleman's house, were able to secure computers that indicated access to the facility and he's awaiting sentencing at this point, has already pled guilty in Baton Rouge. The point of all of this: there's lots of lessons learned and I don't want to get into all the lessons learned.
But for us, one of the key things was that getting the government involved early, we could have gotten them involved earlier, put us in a good position because they were able to act quickly, particularly when something became evident that there was potential of catastrophe when he accessed the number six paper machine. The last thing I will say is critical to the people in the private industry here: insiders, clearly insiders could be as potentially damaging from a cyber perspective as outsiders, or insiders that are corrupted by outsiders, that's another possibility. Sensitivity to collecting evidence, you hear to being careful with the logs, not to erase, because my recommendation could have caused significant issues if it hadn't been handled correctly. We had employee access to make things simpler that wasn't subject to other firewalls. We had back doors that IT set up to make it easier to access the facility when they needed to remotely. So we have gone through a fairly significant process organizationally to make sure that we've closed all of those loops organizationally and, you know, if you think about it, 300 facilities, many rural throughout the United States where big paper mills are, we had local IT guys who were in charge of this and the mapping wasn't done well at all facilities, some was done very well, and so we've gone and really worked to do that better, so that we can feel better about what we are doing. Thank you, Chris. Each of you have encountered this class-action litigation, taking the right steps for business continuity purposes, what about that in terms of talk about litigation and how these things happened, maybe not per se in the homeland security context but maybe when something doesn't work you have litigation as a result. At the end of the day, there's going to be a business judgment defense on all of this. You can't spend 100 cents of every dollar on security.
You have to spend some amount (reasonable), whatever that's going to be viewed as. To the extent you're getting input from government, that's great. The government help during cyber rehab was extraordinary, the fact that our building didn't get blown up is really nice too. I mean, really nice. [laughter] But by the same token we end up in the crosshairs of the plaintiffs' fire in the United States no matter what we do. We end up in crosshairs and we knew something was going on in Singapore but the week before the arrest an employee came forward that one of the security guards had posted on the Facebook site the fact that he had gone to Afghanistan, had gotten training and pledged himself to ISIS. HR was concerned that this was a breach of Singapore privacy law and U.S. DOL limitations on the ability to use social media, the ability for employers to use social media. The HR department and security department came to my office at what we call loggerheads over whether to use this information and pass it to U.S. and international law enforcement or not, and about three minutes into the presentation of HR, I said, I'm sorry, there's a practical aspect here and that is fundamentally we are not going to get sued for violating social media policy except by DOL and we will deal with that, and God forbid this guy blows something up, there's just unlimited liability and we will deal with it on that basis, and I think that's the challenge, the biggest challenge for general counsel: there are going to be conflicting sets of obligation, you have to deal with them and you have to assume that you're going to be sued no matter what you do. So dealing with the litigation at the end of the day, that's just the cost of doing business. Thank you. In the end just do the right thing and protect security and safety of people and then you deal with the consequences.
I think also in addition to financial liability, perhaps for us even more important is the issue of reputation and the issue of trust. Whether it's your customers, your employees, the communities in which you operate or your investors, so the question of taking appropriate precautions for all kinds of security, whether it's physical security or cybersecurity, protecting people, protecting our information and ability to do business, protecting our customers' information, is hugely paramount first and foremost from the issue of trust, I would say. Thank you. Angie, any thoughts? I would simply echo: the key thing is always to do the right thing and to cut through sort of the endless debate from an analytical standpoint. First and paramount is the protection of the people and make sure you get to the right place from a practical standpoint. In addition to that, though, to echo the comments that you've heard, is the necessity for being informed and making a sound decision and being aware of, in fact, the risk from a liability standpoint here in the United States but also internationally, particularly for larger corporations or even for smaller corporations that deal with international partners; you need to be aware, in fact, of what laws may be competing or conflicting because ultimately you can stand up and make the right decision but at some point you will have to answer to it, to board directors or management or, unfortunately, before a judge or in front of a jury, and that's where you will be judged and you may win on the reputational portion or may not, regardless of what the intent might have been with respect to doing the right thing, but you always want to be able to make a sound call. And many of your employees travel internationally. It's a scenario that I've encountered recently.
In terms of international travel they may be traveling with computers and other devices, cautionary tales from advising your executives that they're carrying trade secrets, that they be careful of things that might fall into the wrong hands, inside information that could result in, you know, someone with bad interpretations, terrorist organization getting access to that information. Angie. I think from a logistical standpoint, it's not just commodity that you're taking out of the country even for personal business use but also the data on but then comes the secondary analysis and awareness you have to have that even though they are traveling overseas, well, smartphone, the mere access to the email essentially sort of, you know, you may have dealt with one of the more obvious risks but you still have the risk in terms of accessing data overseas. We try to give very practical advice: you should just assume that, in fact, you will have your assets opened to potential compromise; leaving your laptop in the hotel safe is probably no guarantee when the back with be opened. Never connect to public Wi-Fi; always be aware of that. Make sure that you have an ability to call to your IT folks in case something does happen or you suspect anything happens, so, you know, the risk is always there. You can't really eliminate it but come up with practical solutions because you can't cut off your employees or your management from being able to be connected to the company. Thank you.
And another theme that was sort of shared this morning by each of you is on the outside looking in at DHS and we will have a panel from DHS coming up, the DHS counsel panel, which is another highlight of our conference, some of them have the benefit of listening and maybe talking about some of your thoughts, but the SAFETY Act is something that was a degree of liability protection that the SAFETY Act affords and I was wondering, Chris, has the SAFETY Act touched you, or other regulatory apparatus including the SAFETY Act, something towards Georgia Pacific? It has not yet. I sat through the panel that talked about it yesterday and found it interesting. As a company like GP, I think the only things that we would be looking at the SAFETY Act for is the protocol that we have for facility security. We are not, at least at this point, in the innovation space where we would be making innovation that finds applicability in that area. I found it very interesting to hear about Levi's Stadium and other locations that are doing it on a broader scale. So it has the potential. Thank you. And the other panelists, Ira, anything? Our head of security is actively involved with both industry groups and law enforcement, not only domestically but internationally, because we are just a prime target for certain categories, so yeah. We do innovate from time to time, we just don't, they innovate from time to time, it's just not announced. Right, thanks. Joe, one of the things, and I found it interesting about the travel piece, we are struggling a little bit as an organization in addition to the intellectual property that goes to foreign locations. We are working really hard to know where people are. That's sometimes easier said than done when you have a lot of people who are traveling internationally on a regular basis. Not only from, you know, a potential location if there is a terrorist act. We had an employee that was in Brussels when the explosions occurred.
We've also had instances of virtual kidnapping in Mexico and really trying to track down and making sure who is flying to Mexico City but who is flying to El Paso and San Diego and crossing the border there; it is of critical importance to know where the folks are with the risks associated with that. Thank you, it's a great panel. We do have a few minutes left for questions and if not I will direct a couple more questions to the panel, but I would love to have somebody come to the microphone. Andy Ferdy. Hi, pleasure. Follow up on some comments that Angie made about governance, about cybersecurity; Ira made comments about jargon and security experts. It seems to me, Angie, that it seems to be lost on a lot of boards of directors that they own risk, they own risk of all kinds, including security, cybersecurity, privacy, everything. And so one of the beauties in this framework is that it's something that can be used as a risk analytic tool by CEOs, to have an idea where they are and what they need to do about it. I just want to get your comments. I think it's true that it's something that boards struggle with; the National Association of Corporate Directors and a number of director-oriented associations are really highlighting this. The fact is that most directors actually do understand that they have a fiduciary duty to understand and manage risks and to help management understand and manage risk as well. So I think as part of that, any good governance framework is going to have that training available to your directors, to your board as well as your management folks, and I think this is why general counsels in particular, because our whole business is about understanding and managing risk and providing advice on it, we can serve as a translator of sorts, and if we can't translate, know who can.
Find someone who can take the technical details, which are paramount because you miss one piece and, as Chris was mentioning, we get it wrong; nobody is going to ask me how do I fix the DHCP and what do I do TCP protocol. I think that's a key point to emphasize with your board and if it doesn't have a risk committee or audit committee, that doesn't mean that they ignore the risks and put their heads in the sand. I might just add to that because I think most major corporations have a fairly sophisticated enterprise risk management process. The processes vary a lot from one company to another. But in general you have everything from the folks within the organization who own whatever the risk is and the management of that risk, and you have compliance officers and executive teams that oversee risk management, and you have board responsibilities and different committees and what goes to the full board, and then perhaps the final piece, which is how you communicate to shareholders, and I think increasingly most major publicly traded companies, in the risk factors of their 10-K and 10-Q, one of the risks, with SEC guidance, that they talk about is cyber security. And we have maybe one more question from the audience, perhaps, okay. Thank you. So along those lines, what would your advice be for companies that don't have the resources that you guys have? I can tell you that in my last company, which made about as much money in a year as was gained yesterday in Macau, you really don't have a choice. That is, at some point the general counsel just has to insert her or himself into the process with the CFO, with the head of internal audit, and you would be surprised, between those three, how sophisticated an enterprise risk management analysis you can come up with. You don't have a choice if you're a public company, you have to conduct them periodically anyway.
The hardest part, I think, of ERM is at some point the department or unit managers are sophisticated enough to know that it's a play for dollars. All right, so if it is riskier than security or riskier money laundering risk or cpa risk, then you're going to get more dollars to deal with that risk. I think that's where the general counsel, the CFO, head of internal audit have to be sensitive to filtering the information for upper management to the board, but at the end of the day, as a general counsel I always want transparency in my board and educating the board to being more sophisticated. Simply because the IT security said 100 percent of all after-tax dollars should be devoted to upgrading the IT system, doesn't necessarily mean that's what we need to do this year, or that the head of physical security thought we not only need 100 cents of every dollar but we need to borrow to boost physical infrastructure. ERM process is critical. It can be done on a shoestring but it's a wonderful analytic tool for businesses to go through and, frankly, in today's day and age it doesn't matter how big or small a public company you are, you have to devote the energy to it. Angie. To sort of echo the two questions, I think larger corporations or corporations in certain sectors have a luxury of having those types of resources, but the reason they have those resources is not just because there's some type of law or regulation that mandates that they have a title or function, it's really a recognition of the things that have transpired and evolved over time in the business community. Our biggest challenge right now is that that environment is changing so rapidly and in ways that are so much out of our control in terms of one business and one individual in a company.
So i think for smaller and Midsize Companies that do not have internal audit or may not have a board that has the luxury of being well trained and having resources or even able to afford membership, which is pretty hefty, i think the best that we can do as a community is understand again its not just the general counsel, because we are trained in Risk Management, we play a key role in seizing the opportunity which is to go out and learn, get smarter, troll the internet and find out, assess what is credible information so you can keep up to date, read all of the Law Firm Blogs because law firms are often extremely helpful and motivated to try and get pertinent and current information out to you, but then make yourselves one of those individuals as thought leaders and change agents within your organization, small, midsize or large that translates these risks so that you can accelerate the ability to do what you end up having to do anyway, which is when something bad happens, whatever it is, you should be part of the team, if not the leader in responding. Angie, thank you, chris any final words . I think the one thing i would add to what angie said is there are a lot of general councils out there that are working hard to manage that risk as best they can. Unfortunately, i think they do the Economic Analysis of whether they need to outsource it to a law firm and people like joe are always willing to help. They are trying to evaluate whether that means a headcount or not based on the amount of work they have in each category. When you meet with those sole practitioner gcs, i think they are nervous because they dont have the resources that we are fortunate enough to have at our company with flush expertise in many different areas. Its definitely something that probably keeps those folks up at night and clearly i would be hopeful that regulators recognize that when theyre dealing with companies that are trying really hard to manage the resources that they have. 
Unfortunately we are out of time, may be beyond time. We have a break coming up. I ask you to give this panel at right round of applause. Thank you very much. [applause] Congress Remains in recess for another week. Lets look at what they are tweeting about today. Mike thompson toward a local manufacturing facility in his district. N away. Ted, blow kno West Virginia senator is reminding West Virginians the state of emergency for eight counties has bee
