This discussion is two and a half hours. Good morning, i am the president and ceo of the United States telecom association. I want to thank you for attending the conversation this morning. We have been watching the screen somewhat uncertain if we were going to be here this morning. I am grateful it worked out so we can talk about the Cybersecurity Framework the whitehouse announced this week. We believe it is going to help the industry achieve grating levels of security around Critical Infrastructure. It allows companies of all sizes to adopt policies based on their specific threats by creating a common language or protocol, it will help communicate about shared responsibilities with vendors, suppliers, customers and partners. Our industry takes these responsibilities very seriously. It is my honor to introduce Michael Daniel. A cybersecurity correspondent na and he leads the development of Cybersecurity Strategy and policy. Prior to that, he served with the office of management and budget for 17 years. From 20012012, he shaped intelligence budgets and resolved major policy issues of the chief of the National Security division. Since 2007, mr. Daniel has been involved in federal cybersecurity activities including the Cybersecurity Initiative and Funding Options and the review of federal cybersecurity spending. Please join me in welcoming Michael Daniel who is going to talk about the evolution of the framework and the next steps of Going Forward to improve Critical Infrastructure security. Mr. Daniel . [ applause ] thank you. It is a pleasure to be here at the ustelecom event. I am Michael Daniel and i am serving asspecial assistance to the president and cybersecurity at the whitehouse. But i am just a chief cat herder in the federal government. You have folks following me here like adam and jenny and i see angela and chris and nadia who will all speak more confidant than me on this issue. I am like the warmup band that warms up the crowd so the real stars have an easier time. First off, thank you for all of your work and support on the framework. We appreciate the time and effort you have put into helping produce this. I think it is a product we can all be proud of. A little bit of how we got here. If you can rewind back to the summer of 2012, it was was obvious the legislation we were working on with congress wasnt going to make it out of the senate. We knew we had to shift to alternative paths. We began looking inside the administration for options and over the latter part of 2012 we crafted this executive order. It was the result of a lot of effort from a lot of people who are now in different positions doing differentthi things but contributed to the framework. In february 12th, 2013, the state of the union day, 13626 was signed and that executive order has a lot packed into it for what is a short document especially in washington terms. But it told federal agencies to do three things it said go out and increase information sharing with private sector and push more cybersecurity to the private sector. And create framework and Standards Companies can use to improve the Cyber Security. And protect privacy and Civil Liberties while you are doing that. And it built a lot of things into the process. But i want to focus on what happened with the creation of the best practices. The National Institute and standard of technology is leading the way but doing a role in playing a convening role in the development of an Industry Framework and owned primarily by the private sector. They took the task seriously and poured energy into the effort. I would say it put a real ateam of people on the project. It ran an amazing process if you think about it for crafting such a complex document in just a year. I should say after the executive order came out, a flood of comments came into my office about the yearlong deadline the executive order set were developing the framework. And they were divided about 50 50. Half of the comments said there is no way you can develop that in a year. And the other half said are you lazy . You can do that in two weeks. So i figured we must have hit it right. Adam and the team proved that was correct. It was an amazing effort to pull all of that off in a year. We collected comments from an array of participants and held five workshops. I saw the agenda and heard the stories and i know it wasnt trivial so hats off to those who went to the workshops. 4,000 comments from 300 different organizations is what we ended up with. But you can see how the framework evolved and grew in response to the input. This is really your framework. It represents the best consensus we have among government and academia and others on how to do Cyber Security. And i think that is because the other groups really stepped up. The framework reference will be recognizing standards and practi practices to help organizations understand, communicate and organize their cybersecurity risks. It offers guidance for how organizations can address these issues as an effort to secure themselves. The framework core, profile and te tiers. The framework core is what every agencies carries out. We will use that on the federal side as well. The profile helps them line activities to business requirements. It also helps companies chart the path from where they are to to they want to be. And the ty tiers can help them understand their approach to other companies and standards across the industry. And they can make a better informed judgment about where they want to invest. It is aimed at reducing and managing cyber risks. As we move into using the framework, that process, what is it going to do for companies . It is a baseline for Risk Management. It says here is a baseline that all companies can rely on and they can point to and their cheap Information Security officers point do. It has the advantage of doing that. It will offer a good way for communication with the csweet. I find on the federal side, the ability of the the seniors and people in Senior Management to understand and deal with cybersecurity has increased in my time in this position. But searching for those ways, still, to have the conversations in a language everybody can understand. I think the framework will do a good job of assisting with that. It will enable, i think, better communication with boards of directors of the company. It will enable them to have conversations wabout why you ar managing the way you are. I think this applies to sophisticated companies ahead already in this subject. It can help them as an external mark, a benchmark or something to measure themselves against. If you are ahead, it will provide a foundation and benchmark which you can measure. And they will be able to use it with suppliers and other companies they work with as a way of communicating what Cyber Security requirements are and what they would like to see other companies have in term of cybersecurity. And this is a gigantic Business Opportunity for some. They can provide services and others to the small and Medium Enterprises. It provides a lot of opportunities whether it is small and Medium Enterprises all the way up to those very far ahead. So, in addition to establishing and directing this to actually develop the Cyber Security framework which all of the panels will talk about. The eo director them to establish a program to serve as a coordination point for cybersecurity resources and increase the resilliance by promoting the framework. Dhs created that Critical Infrastructure cyber community. The ccubed volunitary program. We are the government so we can reuse those acronyms anyway. You can say we have a resurgance together and coordinating those crosssector issues to maximize the security resillaniance. It isnt done and we acknowledge that. It needs to be built with industry paritoticipation and involvement. Dhs is supporting cyber reviews so they can provide resources to help organizations assess their Information Technology resilient status. They can be done through facilitation with dhs or on their own. Dhs has conducted over 330 of these at the request of entities nationwide. We are bringing this together with the volunitary program so it is clear the resources are there. They will offer a range of things like threat and v vulnerability. And the industrial system cert. All of these will come together in the program and dhs works with sectorspecific agencies and federal agencies to identify other offerings and assistance we can provide that will be best suited to capabilities and what they apply. They plan to work with owners and operators to develop sectorspecific cases that build out platforms based on the framework and existing standards. And the department of energy is officering assistance through their c2m2 project. I think that we are looking at the volunteer program as one that needs to grow and reflect in partnership what is needed to implement the framework. What is the way forward . At least speaking for the government side in typical whitehouse fashion our reward for the Job Well Done is going to be more work. Afterall, there is no point where we reach a hundred Percent Security and declare ourselves down. We have to manage the risk and this requires staying engaged a little bit over time. I want to talk about the path forward. I will talk about three things. Specifically what is happening with the regulatory direction in the eo that dealt with the regilators, what the future plans for the framework are and where we are going with incentives. The goal of the administration is encourage harmonization between the regulation and the fra framework. The goal of the administration is not to expand regulation. We want to streamline existing regulation and bring bring that into alignment over time. The president ordered the executive Branch Agencies to review their programs in this area. In may of this year, we will encourage the efforts of focusing on the policies that adopt the framework. Agencies are encouraged to use their process to bring the existing ones into the alignment. We have invited everyone to follow the same process, and some have indicated they are interested in doing so. Well, i have mentioned today, i think the first step is to use it, of course. We need to see it in operation and how it functions in corporate environments and see how it functions in the Government Environment and figure out how we can make it work. That is the first thing before we think about tweaking it. We want to capital on the rollout we had. The engagement in this area and get robust use of the framework going. We have viewed the framework as needing to be a living document. We will integrate the Lessons Learned into the framework. They will hold future workshops to address specific areas identified for further development and alignment. In particular, your feedback on how the framework works in practice is invaluable. They will talk about the transitions ownership to a Nongovernmental Organization of kinds. We have used this framework as something that needs to be owned and operated by industry overtime. Any move to do a transition of the framework is done in the same way and wont happen overnight. But we viewed it would be better if industry could own and continue to drive this. The last area i want to mention is what we are doing with incentive to encourage the use of the framework. We believe developing intent incentives is a key endeavor for us and we plan to keep moving forward. We released a review of potential ones and that is what we have been doing. The relative agencies have described the assistance including cyber insurance, grants, reg lor spring lining. And as they develop, we will have details on how to good engaged in the process. Dhs will use this effort to adopt the policy and we will solicit feedback on the incentives through the volunteer program. I think the government incentives are important to pursue and get right, but it is the market that is going to make the business case. The federal government can try to make the cost lower and the benefits higher, but that is the icing on the cake. If the cake isnt sweet enough, then no amount of icing is going to make the framework really work. That is why we believe we can roll the framework out now and companies can begin to use it, even as we continue to work on the incentives. So i look forward to keeping the momentum going moving forward in this area. I think we have gotten off to a great start. It was an amazing endeavor to watch this framework come together. And to watch it gel out of all of the different versions that i saw as it went along. It was quite amazing. I believe this could be the beginning of a major shift of how the government and industry can talk. We can use this framework to really kick start conversations that need to happen. U. S. Government staff is going to travel around the country to protect the framework and the hope the Telecom Industry can continue the support. Kick the tires, try it out, see where it works, where it doesnt, and let us know about the good and bad. If we can do that, maybe we can lay the foundation for improving our baseline cybersecurity and go after the real bad guy in this area and make the cyber space a lot safer for all of us. Thank you for letting me speak to you this morning. I know you will enjoy the panel. Thank you very much. [ applause ] thank you very much, mr. Daniel for that. I am robert myer and i am involved in cyberSecurity Policy with the Communication Community and other sectors and i think i share membership in the league of cat herders and very proudly do so. I would like to ask the panelist to come up and we will turn it over to the moderator shortly. I think it is fair to see that when the executive order came out and spoke of the deliverry of framework in one here. Year we knew that was aggressive and once the stakeholders were involved with these leaders, it became clear they would achieve their objective and they did it in a way that was remarkable in terms of transparency with stakeholders. Sam samara moore is here and she is partnering the with private sector to address Cyber Security areas for all Critical Infrastructure advisment. She played a key goal in security governance and led to the maturity model. She received a bachelor from Virginia Tech in accounting and information and a masters from george washington. Ari shartz is to the left. He worked previously as a Senior Advisor for the department of commerce and the nationed vid a National Advisor for the task force. He led efforts to promote privacy in the digital age as the Vice President and chief operating officer at the center for technology. Ari won the 2006 and 2010 online trust and alliance award. And in 2007, he was named one of the top5 influential thinkers. He has a bachelor degree in sociology. And we have adam who is the advisor at the National Institute of standards and technology. And he is a member of the Commerce Internet Task force. Adam has led the with colleagues, the newest project, which is the framework we are talking about for the Critical Infrastructure segment. He coordinated initiatives and previously handled cybersecurity and federal information and policy for the senate on Homeland Security and government affairs. In 2008 and 2013 he received a federal award for the contribution to the federal technology community. To adams right i would like to introduce judy. And she is the director of the sta stakeholder division at the department of Homeland Security. Squa there is a statistic that jenny might under that 85 of Critical Infrastructure is owned by the private sector. So those solutions and the things we do to help Companies Need to be something they can support and embrace and use. A natural place to start is looking at the existing policies out there. Having the foundation of what is out there and being clear that the underlying standards are thinks that meet the status. The structure presented there is going beyond the existing practices. So the framework and those underlying standard and the hundreds that exist that nadia can talk about better than i can. But also the overlying structure we developed with the profile and tiers and saying this is something you dont walk away from. It needs to be embraced by the cultural of organizations. So this can allow conversations to occur that could maybe not happen before. That was one of the things we saw throughout the workshop process. We didnt realize how you network unique it was having the conversation and address the challenges and how to work together. We put out a document called the road map that lays things out there. We talk about the processes out there and elevating them and the third key piece is how we work with industry to develop situations and innovation. I think we have heard since the framework came out, from a Large Energy Company that said they are using the framework to talk to their board and have that conversation and they were doing that with preliminary and now the final framework. Top banks in the United States are using it. One of the largest it companies in the country is hiring a new chief Information Security officer and they will judge as a baseline how that person does their job pace based on the framework and whether they meet it is move forward based on the tiers in the framework. So that is giving us a sense it is being used and that is a really good sign for what we thought it would accomplish moving forward. Now lets talk about next steps. Obviously this is the beginning of the process and a key item that was announced the other day was the launch of the dhs program. This is probably a question for jenny. Can you talk about the program and how it will benefit companies this program and we are excited about the cq name, especially when you see the title i have for dhs. One, this is the way we are going to cordinate out and outreach. Some of that is going to be done through sectors and we will leverage the specterspecific agencies and the coordinating councils. We will try to get out to the Small Businesses worldwide. And another important part that we dont talk about as much is state and local government. We have an active Outreach Campaign for them. When you think about the Sensitive Data out there through them and the things they do operating Water Systems and such. So they are an important part. The website is a key part. And you can go out to our website and learn about that and the u. S. Website has far more extensive information you can get. This is a place to bring together the resources we have across dhs and federal partners as well. And we want to expand making it that place to go where whether it is access to get someone to come out and do a visit or we have downloadable version where you can do it yourself. Best practices mapped against the five areas of the the framework. Exercise you can go to and stuff like that. There is not a onesize fits all set of tools that will be help is something we have realizing. There are very different needs across the community. The continuum of maturing of organizations. Some people have been planning for this for years and some are just waking up to this. So we are looking at broadening services to recognize the unique needs of the community. We have something up there we are excited about, but there is a lot more to come for stakeholders business. Stay tuned. We recognize we need to get feedback as we are plaini ing planning to grow and improve. We need feedback about what is not working, what your needs are and we are not meeting, and feedback we will get as we work on things like Site Assessment that we can feed back to them. A follow up question on the cyber review resiliance sector you are going. Do you feel like you will have to provide the needs . We have done over 300 of them. Across the country and the critical sectors. There maybe increased demand and we recognize that. We updated this and we have mapped it to the framework and made the tool available to where you can do it yourself or you can have a vendor do it. We are hoping that will help with the scalability aspect. What tools or options does the administration have to do drive adoption of the framework and Program Participation . We have been looking into different tools and resources we have with our existing authorities to be able to do that. You know, one of them has been just awareness of the framework and we continue to build upon the relationships we have formed over the years in particularly those we have had a chance to work closely with during the development of the framework. But also, we are looking into some incentives in different areas that we can work with the resi resisting authorities to promote use of the framework. Some maybe aware of the Homeland Security, commerce and treasury reports released and each one recommended final analysis. We will get an idea how to develop it as the useage increases. Cyber insurance, grants, liability limitations, research and development, technical assistance, stream lining regulations and public recognition. We have been working since the summer of last year within the inner agency to do some of the further analysis and see what is feasible and what is the time frame and the scope we would like to move forward on. And so in the coming months, we intend to issue a road map or a path forward in those particular areas. There are some areas where we are able to tack action in the near time frame. What jenny describes through the voluntary program talks about the programs in place and those that align with the organizations that want to use the framework. We have agencies that have taken leads in areas. So in the area of Cost Recovery, the department of energy has taken the lead in that area and furthering the work with state organization to see how we can pursue Cost Recovery for certain utilities. And dhs a working with us for workshops to promote and develop this. We believe as organizations use the framework more, we will get more insight into what incentive areas make a difference and increase and promote the use of the framework. But we believe marketbased incentives will be the best drivers for use of the fra framework. I think one of the next key steps we think will help is the framework is designed to be cross sector. It looks at practices that can be used across the 16 different sectors that make up Critical Infrastructure. And we realized there would be additional work to think about sectorspecific needs. So the framework was an effort to make it at a high enough level it was extensive so setting the practices under the five high categories of protect, identify, respond and recover. But there are ways a small or medium could use to begin to think about what they are doing to manage the risk. There is more work we can do to think about the sectorspecific needs and bring it down a few levels for those communities. With telecom that will be the work we do with the folks in the ramsey they understand the unique challenges they have in their environment which might be different from the Energy Sector or other sectors out. That is part of the work we can do now the framework is final. We did that asking the sectors to come in. As well as working with the services that provide the infrastructure we are discu discussing. And i am make another point. One of the points we have heard throughout the workshops and Development Process, and we heard in the ceo panel last wednesday during the rollout event, was the inner dependency we have in sectors and across sect sectors and how it can be used to assess risk within the supply chain. We believe as that occurs that can help to encourage, support, and use the framework overtime. That is something we heard both through the working Group Meetings and the Framework Development sessions can you elaborate on the roadmap you are expecting . Is it going to be ideas or an action plan with a timeline in terms of actually moving forward with implementation of the incentives . Sure. You will see a list of the path forward for multiple areas. Some have been identified with a highlevel timeframe and some might be 35 years. For example, as we look at grants, to influence and impact the grants process, it takes time to build guidance and work that into the process. So the specific plans and path forward for the areas will be shared along with how to get engaged. There maybe request to receive additional targeted feedback on particular areas. And will there be any legislative recommendations as part of this effort . So, again, we are looking to see how the framework is used to target specific ask and request in the legislative space. We want to have a better idea, particularly now that the framework is out, how to best leverage ledgislation to encourage the use of the framework. The incentive piece is obviously important. Folks said without adequate incentives it will be hard to drive adoption and one person said if you dont have the right incentives all of this is a waste of time. I think that is somewhat overstated. For example, the davis thing rolled out and we have Large Companies implementing that one. And another one in the supply chain, which has a domino affect of making sure there is implementation. We are hearing from companies that are committing to do that with their entire supply chain and requiring anyone they make contact with has to use the framework in their Risk Management process and demonstrate how they are doing that. I do think we are moving in the right direction already with limited incentive. More will help. But i think this idea of companies not going to use it we are seeing this is already not true. So you dont think a lack of incentives would weaken the program . If we dont have it you are saying . I think increased incentives will help. That is why we are spending time on it and it is in the executive order. Because of the great work we had from the industry and creating the framework is building it in the beginning stages of use, it is proving not to be as essential as people have said so. He heard from the ceo of lockede, pepco and at t were using the framework and they said incentives were not an important to get them to use the frame framework. The companies publically committi committi committing to use the framework and we will learn more as we move forward and we can figure out where to try get those that are not at the front end of this and move that forward. That is where the incentives kick in. We have a group that is making up the Critical Mass and getting it moving and we will see who are the laggers after that. And maybe we can get things aimed specifically at them. I wanted to ask about the anxiety about the role that regulatory agencies might be playing in this. I want to give you an opportunity to elaborate the role envisioned them and what type of action might we expect them to take and what timeline are they looking at. I will respond to that. For the regulatory agencies, the executive order did have some directives to the executive branch regulators. We had reports submitted on the 12th rated to just that. The agencies have reviewed their existing regulation and over the next few months in may they will submit their actions to address cyber risks as appropriate within their sector. In particularly, they are reviewing along with the framework, and alignment with the framework, and they are encouraged to leverage identified risks that the sector feels need to be addressed. There are some in the incentive areas of streamline regulations and we want to work with existing regulators to harmonize over time. We recognize you cannot flip a switch but we would like to harmonize with them. We have heard from organizations that work with multiple sectors and this would be a value to them. But to underscore what Michael Daniel said we are not looking for new regulations. We are promoting the voluntary use of the program. We worked with the regulatory groups throughout the entire process. We did that because they are a key part of this eco system. We also asked the companies that were working with us what were those regulatory issues that they considered when managed cybersecurity risks so that when we built the framework it would be great for managing risk but impossible to implement. The regulators are not a onesize fits all environment. Regulators will look different at this based on how they consider security risk. They understand the framework and the key part of the next steps is to think about how they viewed the framework and how they look at the Security Capabilities in the framework. It is more about how are you meeting the goal instead of what are you doing. That will be the work that we look at next. And we will bring them into the conversation more as we think about that. One of the challenges before the administration is how you will measure the effectiveness of this because it is voluntary. Have you put thought into that . Yes, we have thought about that. We are doing had cyber reviews and we get an idea of what is going on and what is the posture within the organization. We can see how many people are downloading and using the tools and using the websites. We have sector associations that give us information about the adoption within the organization. They are sectors that all of the members agree to abide by. And obviously working with the proi provider community. A number of industries are rolling out services and tools and hopefully they can give us an idea how much of those things are being used. We have the paperwork reduction act that makes it difficult to survey even if people chose to respond. We will leverage all of the partnerships to get an idea of how broadly that implementitation. We welcome suggestion because metrics are tough. Jenny said it just right. We have been talk about this for quite some time. We started to identify indicators of success and jenny addressed many of the ones we have come up. But when you look at how the framework and the many ways it can be use. We are shooting for management of cyber risk. We want to strengthen how we are m managing the cyber threats. Some organizations might use the framework and have robust Cyber Protection but they are using this to aid in communication with Business Partners and boards. How do you capture and measure that . Some will use it to communicate cyber requirement and expectations with their supply chain. So were looking at different indicators of success. The feedback from the community is part of it clearly. The ability, i talked about, of scre streamlining and harmonizing over time. If we start to see sectorspecific guidance aligning. Are we aligning federal programs to support the function outlined in the framework. We have identified indicators but we will look for feedback and we are seeking to hear that as we work through there program. Okay. Well i am going to turn to the audience and see if there is anyone in the audience a question. If you can identify yourself before asking the question, we would appreciate it. Anybody . I do have a couple online questions. If no one else is ready to jump in i will read those for you. The first question is will following the framework be mandatory for Government Contractors . So we have the report that was done jointly by gsh, General ServicesAdministration Department of defense, on government procurement. Dot. What they can put in to help. Can you talk a little bit im sorry, can you talk a little bit about what the government is doing to encourage information sharing in the absence of legislation . Certainly. So in particular within the executive order section for, an attempt on a permission sharing. Bynum within the executive order you stated the policy to really improve our were sharing information in the private sector and to do it in a more timely manner in the way it is relevant for the needs of the recipient of that information. And so within the federal government we have been working diligently to improve some of our internal processes and how we do that. For example, developing some instruction subset we can share more timely and relevant classified information but also recognizing that while it helps to share more information at an unclassified level there is still the need to share some classified information. And so we have worked on improving our prices eased to our great clearances to Critical Infrastructure. Actually the next really hit on ginnys area, so do you want to speak to that . Sure. Thank you. Yes. We have made some great progress is the implementation of the executive order and information sharing. Enhanced Cyber Security program. What that is is really where government shares classified indicators with icy t provider so that they can use that information to protect their customers networks. So the program is built upon what was started with what was referred to, the executive order with a lavish program. It was transferred to be made available through those icy t provider stall 16 Critical Infrastructure sectors. So we have been working since that time. The program is available to all 16 Critical Infrastructure sectors. There are all sorts of policies and procedures in activities that need to take place to make that happen. We have increased the frequency of the in formation, the indicator sharon with the providers. Were getting more government permission. We have a long list of providers to my initial providers. We have well over a Dozen Companies from other sectors im sorry, from other components of the eyes ct community that have expressed an interest in the provider that has signed memorandums of agreement with us we also have, i should say our partners, our eyes ct Community Partners now have customers outside of the Defense Industrial base sector. So it is a program that we look to continue to grow and expand. We think it is an opportunity for market innovation of how can the icy d. Community use this classified information recognizing the importance of keeping its secured to protect their Critical Infrastructure customers the reason were going to continue to work both with the providers and the customers to try to expand that program and make it as valuable as possible. Two other important areas that i will mention briefly, the clearance grabbing to give you a tangible realworld example of how that has been put into place. We have a private sector claridge program for a long time, but it has taken a long time to get to the process. Our partners in the office of ever structure protection that run that program came up with a streamlined process where they recognize that if you are a person in an industry and theres a briefing you need to attend we really needed to have an expedited track to get you to the front of the line so that you can participate in that briefing. As an example, a couple of weeks ago we had a request from the real sector saying these are very specific things, we would like to receive government briefings of a classified level. Heres a list of cio is from the rails that we would like to attend. Some folks said clarence is, some did not command would also like to have our canadian Rail Partners a chance. Those folks at canadian parent says. All were able to do was to get people expedited through the process. Some of those folks actually got there clearances to participate in the meeting within a couple of weeks. Ban i know. I see jaws dropping. Within a couple of weeks or it will to get the canadian folks clearances past. There were able to receive a briefing on the list of intelligence requirements that they had better include briefings, d. H. Yes, office of intelligence and analysis also fbi. Also the National Security agency provided briefings. So it was a great example of bringing those capabilities for permission sharing together. One last thing i will mention, Cyber Security information sharing and collaboration poor grammar we share the sensitive but unclassified indicators with partners from across all 16 Critical Infrastructure sectors of the continued growth buried at think we have 70 organizations, both individual and Information Sharing Analysis Centers from across all the sectors that are participating in now where we share aberration out. Machine readable, they share permission back with us that then goes up through the group. We also use that to do poorly analyst collaboration exchanges, classified and unclassified. So lots of progress. Do you believe that there were necessary . Charlie mitchell, inside Server Security. I will defer to my colleague. The answer is yes. We think that the legislation is necessary. We have seen an increase in information sharing and totally in some sectors, but some sectors there is still hesitancy, and we are trying to up map why that is the reader still supportive of legislation in general. We had a their package that went to the hell in may 2011, the administration. And we have been continuing to work with the industry and congress try and figure around where the problem is holding up legislation. Really the key issue that is outstanding and seven security legislation. There are a number of others. Any other questions . Executive and independent agencies have submitted executive order section 10a reports. Well, these reports enjoy the same level of openness and transparency that every other aspect of the executive order and from work process have enjoyed. Further reports that were submitted this week in response to the directive in section 10a, those reports are used for internal deliberative purposes only and our plan is not to make those reports public. As agencies move forward and their actions, we are in the process of coordinating. We just received a ten a report trouble we are using those for the liberal purposes. [inaudible question] those are the agencies reporting for work . The agencies that have submitted other reports to the white house. Any other questions . A question on the regulatory agencies, the executive order encourages but does not require independent agencies to also look at this. Can you elaborate on where that is . At think Michael Daniel mentioned that there are some independent agencies that are interested. So, we have colewort, reaching out and engaging. Adam mentions some of the independent regulatory agencies have been involved and of Drama Development process. And so independent regulatory agencies are invited to engage. We have heard some interest along those lines. If we cannot direct but we are in discussions with them, and they are looking into how the framework, you know, could be leveraged within the area of responsibility. Let me just underline that again. Independent regulators to have participated in our process. We have panels with independent regulatory agencies do a particular relevance for this community with the fcc. In a different way and have different tories buried at think its also a mistake not to leave out the other parts. If you look get the international, what other countries might do. So i think. Effectively managing cyber risk. The Broader Community including those pieces of it. You may have touched on this. In terms of the actions that are called for in the executive order for the regulatory agencies to take, will it be expected to include rulemaking and if so what is the timeline and agencies are working with for that . So, the Cyber Security regulations determine the rulemaking is required or necessary to harmonize and align with the framework that will be done. Any particular time when we expect . So the agencies are all very different. The process these may be different. Again, with the framework is being issued the agencies are beginning the process again, voluntary use of the framework. Whoever, if that is determined that it is necessary it will go to the process. Generally that involves engaging with the Industry Partners in this process. So i cannot really provide a specific timeframe. I think its important to say that we dont expect and the white house has said we dont want to regulations. This was said earlier as well. If you do see Something Like that it would be streamlining, especially across Different Industries that might fall across different regulatory boundaries, making sure that they align and youre not havent different regulatory authorities. The will be the only place you see Something Like that. We have to do time for any other questions from the audience one or two more. In terms of what the transition from the draft to the final framework is, a year whether there were any significant differences. One issue that came up from a lot of industry commentaries was the concern about the privacy language. And so if you could just address that and how that was addressed and any other major changes. Sure. I will start. The privacy experts can correct me if im wrong. The file, again, as we talked about throughout, this was an open process and we receive comments multiple times. In october we presented something called the preliminary framework which was not even the first draft. We put out a draft in the summer. Our first full draft in the summer which was the basis for our fourth workshop in dallas. But the freemarket we got just over 200 submissions. And by our count that was just under 25 separate comments. The changes that we made our throughout the document. There are a lot of people were saying things like it would be helpful if he had an executive summary that made these highlevel points. Every executive order that is to be. It is not onesizefitsall. Within the framework, the context of profiles. Within an organization. Better mappings, the standards that we mentioned. One of the key differences, the privacy section, and what happened with that section is initially we had a separate section that was meant to encompass privacy and Civil Liberties. And we did that for two reasons. Not only as you heard from michael is it a key part of the executive order, but it was something of the stakeholders asked for. If you go back to the questions we asked when this started in february of 2013, people identified privacy and civil liberty. Specifically for this effort the privacy to the privacy and civil liberty considerations when youre building strong Cyber Security programs. So the feedback that we got for the preliminary remark and leading up to that we had, you know, really good panel at our last workshop with my colleague, with Michelle Richards from the aclu, which appears in. It was about this topic. Will we ended up doing for the final version, i think stakeholders when youre growing a Cyber Security program and the rest of it could be out there to privacy and Civil Liberties when those programs are being run. As we go in the section. That is all still there in the document, but his but in the context. Theres a section. The Server Security program, the really important link some those things. You cant really have. So the other thing that we have done and we did this throughout, another big change with the document, we separated out, its always about areas for us to improve, work with the stakeholders to improve and not for the Critical Infrastructure committee to improve. That was sort of the start of things that we realize that we would need to do more work to develop the best practices, to develop the standards. So that section became separate and we put it out there as a road map that we released on wednesday along with the framework that lays out some of the things that michael talked about. So if you look at that road map, with the needs are there. They got back together and asked how we make progress, there will help organizations. Take a back a little bit further. Just when the executive order first came out one of the things that we really pushed was to say were going to need a lot of involvement on privacy and that privacy is extremely important in this process. Were working on a methodology. This is something that has not been done before and we need help from the stakeholders to do that. We did receive some stakeholder initiatives with some stickle their involvement in that process. And i think that that was ending up reflective of the original appendix b that was in the draft and a preliminary version that came out and i think will work that was done there is really interesting. Almost more in an academic sense that is put forward. Really it was a good mapping of the technical standard approaches, internationally that have been done a private space. What we heard back from the stakeholders when that came out i think we got a lot more involvement of privacy when that came out. What was and what was picked up on, the key points to five and this was touched on a little bit , number one, that the approach had to be much more tied to Cyber Security, clearly tied the Server Security and that that was not the case. It was more generally about Data Protection and other related issues to that the could be used in a Server Security context in other contexts as well. And number two, that these international, there were not widely used by industry at that time, which is part of the issue about the areas for improvement. How do we get these International Standards that are being used more widely. So because of that this section was changed to be much more functionally oriented. I think we did hear from a lot of different groups that we still needed to give the basic principles. Tried to keep those in as well and move this into the how you use this document section so that the whole rest that it was tied clearly and directly to how you use a framework to clearly tighter Cyber Security. The issues. It is a much more focused methodology now for privacy and Civil Liberties than it was before, and we have heard very good things from industry that they do plan to use it. I think that we have heard some criticism from privacy groups, as lee around the fact that it is voluntary, which as we have been hearing is an issue for the entire framework. How you get people to use the framework. We are hearing that people are planning on using the privacy section. And that is something that has to be monitored as we monitor use of the entire frame work. And some of the privacy groups have said that it planned to do that. The plan to see how companies will use the privacy section. Think there will be useful feedback for us. I think will end there. Please join me with thinking this panel. Very helpful in answering a lot of questions. Thank you. [applause] [inaudible conversations] okay. Thank you very much for our government partners participating. Now like to ask the industry participants to, to their panel. I will make the introductions. So we have a very distinguished group of Industry Leaders here. These are the folks who have put in a lot of the effort over the last year to see the framework come to fruition. We are hoping to hear some very interesting perspectives in terms of what their views are on the framework and especially issues and opportunities and challenges Going Forward. Hubbell keep these brief, more detailed. Biographical information is available in the program. To my immediate right is bartow. Ninety is the utilitys telecommunications council. I hope to have that correct. Senior Cyber Security strategist comanche is impossible for helping you booktv member utilities address Cyber Security challenges from policies and standards to practical implementation. To her right i have we have Christopher Blair and chris is the assistant Vice President of Global Public policy at at t services worry is responsible for developing and coordinating the companys Public Policy positions on issues impacting emerging services and technologies with of focus on Cyber Security. And to chris is right we have doug johnson. Dougie is the american bankers associations Vice President and Senior Advisor of Risk Management policy where he is involved in a variety of Public Policy and compliance issues. Currently leads the associations enterprise risk physical and Cyber SecurityBusiness Continuity and resiliency policy and deterrence efforts. Angela mackay. Angela is the director of Cyber Security policy and strategy at microsoft for she is responsible for addressing complex global challenges related to Critical Infrastructure protection and Information Assurance across a wide range of topics including strategic and operational Risk Management information sharing, incident response, Emergency Communications and Software Security and integrity. And to her immediate right we have Catherine Carmelo who is the director of National Security for century link. Catherine is also the current chair of the Communications Sector coordinating council which represents five segments, wireless, wireline, broadcasting, cable, satellite. The former media pasture the sharing Analysis Center were a lot of the operational edge activities for Communications Corporation nations in this government taking place. With that would like to introduce Charlie Mitchell who many of you read about on a daily basis. Charlie is the Senior Editor at insight Server Security, an exclusive Service Report has ever Security Policy from inside washington publishers and addition to cyber policy charlie has extensive experience covering congress, energy, and the environment, health care, other policy areas and previously served as editor in chief of rollcall newspaper and is managing editor of the National Journals congress daily. All right. Thank you. I just would like to start off and thank u. S. Telecom and the folks who put in so much work putting together this event. I believe that Cyber Security is really the policy issue for how the government and industry will interact in the 21st century. And the people that we have had on these two panels are the ones who are going to make that work. Some not to put any pressure on anybody here, but it is a huge challenge. And this is a terrific panel of people who are just right at the heart of what is going on in this area. Let me start out and ask a really basic question. Is this framework a useful tool that companies will embrace . Will it improve the nation Cyber Security . Thank you. I believe it is a useful tool. It is useful because for the first time in history Cyber Security is communicated in plain english and not in that technobabble the Cyber Security practitioners communicate and. So by saying these things that some of us know and simple words the rest of the public and understand, and provides a useful translation mechanism, provides vocabulary in the toolbox that people can congregate around and work with in implementing good Cyber Security practices throughout the Critical Infrastructure. Yeah. As we heard from some of the government speakers this morning, in terms of weather will be embraced, we have seen a lot of Companies Step up and basically talk about how they are generally applauding the use of the framework which includes at t. They spoke wednesday. I think there is general support for the framework. I think as to whether or not that continues, the key is really will the framework be used as intended. Anon regulatory Risk Management tool. If it continues down that path there will see a fairly widespread use the mocks the private sector. As for whether not the framework is actually going to improve Cyber Security, its a harder question the answer. Clearly the framework is intended to raise the bar for Server Security and make it more difficult for attackers which is something that it could potentially help with, especially for the businesses. The reasonable expectation for Server Security being an ongoing issue. It will not go many times and. I would like to echo what nadia was saying because i think one thing that i have seen about the common language, a lot of times when i have a board of directors at a ba, the conversation, before they start with me they say and was pleased. And i think having some common language is a really important thing at this juncture. Its incumbent upon us to really take the advantage of that and develop a mechanism to really talk about cyber and a way that is understandable to that group of individuals that make these key decisions. The standpoint of governance or the expenditure of resources. That is important. Im sure we will talk about the supply chain and other things as well as we go forward, but one of the things that i have seen in conversations, particularly with andrew, when we have to travel and we have met with them by bankers are said this is a process which we actually already utilize within our financials titians. The words may be a little bit different. The charges may be described a little bit differently, but its a process which i think a lot of our institutions are going through. I think one thing that can be really helpful is to take that one step further and talk to our supply chain partners about that and get them in some places a place to start because a lot of times is difficult for companies from the Cyber Security standpoint to know have a structure this within the organization let alone talk about it. So thats my key observation. Bridging through those points out what kind affects security. We will be useful, yes. Fundamentally allstar with the point that it is flexible Risk Management guidance. While the differences between la the stand yesterday as a lot of the firm worked hard about the outcomes by doing that because the flexibility to involve and innovates security practices to me. It does not get stuck in the how. They tend to be focused on the how. This really does bridge the technical communities that have been dealing with the standards with the Business Community that wants to know if im secure enough, are we detecting incidents. It provides a translation function between as to. Will it be embraced . Think it will be. As we have heard about, there is Critical Infrastructure organizations across all 16 sectors. The critical s infrastructure and what theyre doing. Think that this is an opportunity that will be embraced to say, hey, what is the right thing to do here. Does that mean that we dont need incentives . No. Does that mean that incentives are required to advance progress, no. I do think that this will raise the bar of security across the critical eye for structure committee. I dont think that it will end up necessarily fully addressing the full range of National Security risk facing our critical of the structure and thats a conversation that we will need to keep evolving on. It will raise the bar on the important progress toward the highlevel security necessary for critical of a structure. I can certainly speak from a century lange perspective on this one particular question. And when an attack on to will it improve the nations Cyber Security, i think that this entire process is already been him as a successful there read it has done it in the common vernacular being talked about. Let me drive down. Is now we got there. The weathers bad. Tornadoes, floods to whatever. We essentially a very accustomed to customers going, i have done my Risk Management. I need to have circuits that i no will keep coming up. A Service Level agreement, redundancy and diversity. Up until about two, three years ago that i have very many customers coming to me and saying, you know weve been stressing a cyber rest and we are wondering what we do out you cant tell you that that is kept. That has stepped. And the fact that we now have some form of common tax. There already. Did you could help us out in the deep tech d3 . That is huge. That is huge. So, yes, i mean, it is new. We are trying to raise the bar, particularly for some of the companies that have not had the opportunity to really think about things from risk assessments are orientation, but speaking as someone who likes to think of themselves as a company that is fairly sophisticated and can provide support for many of these elements, yes, this is already a huge success. It is now becoming part of the vernacular, and customers are asking us, what can we do to mitigate. What start at this end. Just a followup on that, does the structure of the framework and the language in the framework speak to all of the audiences that it needs to . We talked a little bit here about supply chain. Does it talk to the executives at the corporate level that you deal with and does it speak to audience is going down within the company and within a big Company Supply chain . I know at this sector level we worked extensively to review the language. Lets face it. Here in washington. We tend to speak more executive policy language. We got it. It took some time. But more importantly, at least at this sector, we spent a significant amount of time talking to their risk managers in the companys. To you read it, do you get it . Deal understand it . You happy with it . To your implemented . Most importantly, you have to drive it down to the very operational level. Once again, we were fortunate because we have such broad representation and frankly people were very generous with their time to have practitioners, people who would actually have to put in the aclu, put in the filter, whatever it was. Dealers speak a little bit more operational. That question to my cspan2 of the reasons were so successful, yes, we could meet those sort of band width of all three of them. They both came away now theres still more work to do. Another suddenly at the sector level we will be working with all the various trade associations to be able to for their flesh out the framework in such a way so that is at least in our work more Communications Sector specific. Of work initiatives within the sector, some with the ages, some not, essentially industry theyre very much focused. If you are doing this, that sort of falls into that. So there is a quick short and so that no matter what the level you are at, whether theyre putting in the filter, putting in the protocol, creating the plans, looking at it from more policy and strategic in board level, i can understand how i could read and interpret this from the Communications Sector perspective. So so far so good. I know that vhs struck about the fact is you have to do education average and feedback. Think of a course of this coming year the feedback will be too vague, communicated, and used to invoke the process. Right. Angela, you have customers to microsoft as customers at every possible stage of maturity in terms of their Cyber Security posture. To you do you think that this provides that, in taxonomy, that common language that you can use in talking to these customers . Im glad you asked that question because it builds on catherines point. As part of the firmer Development Process we engaged in side of the company across the different types of audiences that exists inside the company, everybody from the person who is doing coding and particular feature up to the senior level Decision Makers are talking about resources security. So that was the interim conversation. Does this meet all the Different Levels. To your followup question, the same conversation with the bunch of extra customers. And that is to what catherine was saying earlier. We have people who are coming to us and saying, what is this from work. Can you help us figure out what we need to do with this . And so i think it has it does start to head the language that matters to different communities they are still going to need to have some work done on that zero of the volunteer program because it is of 45 or so page document. It does have language that speaks to everyone. As al qaeda says rolls out as voluntary program they will have to think even more about customizing and specifying various messages for the audiences. But overall i think it is driving a conversation inside of organizations and between i tea companies, communications companies, and our customers about how to drive this culture of Risk Management. And in that context it is a wind. Doug, does it give Senior Executives the type of the affirmation that they need in no way that they can use it to make investment decisions. Has to do with the fact that over time we saw on migration and the language. We saw cleaning above definitions. So we do have some ability to use that. I will go back to our conversation. For their boards and in part of that mission, one question i get a lot of everything was okay. And that does not that should not be the end of the conversation. The question being asked, because if you went back to that question was not even necessarily being asked sufficiently with in the Senior Management suites of the organizations. And so when you get to the point where, when like so before you have those eyeballs, what did those eyeballs gravitate to . And might gravitate toward regulation, but regulation frankly a lot of cases can be quite technical. Some overlying document that a manager can look at the really did to the right questions this is in going to the conversation. I think this is going to be continuing to morph best time goes on i think the hsn the National Security staff, as they migrate more away from this than toward a more collaborative, increasingly collaborative environment based, we have already done. So i think we have a good basis to start. And does it speak to an audience at a very sophisticated companies such as yours as well as again at a very varied audience is a you had three of very large supply chain. I think that it does. I think that this will be the best effort. Rabin trying to bridge the gap between technical standards and Cyber Security. Realistically is still up 30 to 40 page plus document. An usher russia executive global document but it has a lot of good information. I think there will still be challenges in breaking it down in simple terms. It is the best effort i have seen yet it will be useful. We have a pretty robust Cyber Program in place today. We will certainly be using it to see how it complements our existing program. I think that from an executive perspective in gives you an idea of where you stand a different practices and if you have a more desirable level, where a mine now, where do you want to be in the future. And your of the huge ec is very varied. Lots of different types of companies and utilities within there. Is this something that youre going to be able to use to communicate and talk to route all these Different Levels . Absolutely. If one looks at the collection of utilities a responded with various comments at the various stages of the framework ecs Huge Companies in anything in between. So utilities definitely take an effort of interest and enforcement and as a tool that will be useful for them in things that might and might not have been able to be in the past wednesday, the rollout, using the framework to speak. This is certainly a useful thing that they can use. I would also like to know that the is not sever security people by and large but technology practitioners and utilities who dont use ever security day in and day out which is the key audience of the framework that we have not fully ts doubt. Again the compendium, the folks who buy, employment, and maintain technology who dont overtime that need to use this tool, these tools in the toolbox to communicate across the organization with their Cyber Security colleagues, with their eye teeth colleagues, with all over the place. I think it does speak at that level. Why dont we continue and take on a question that the last panel addressed about the metrics for success here. How do you determine if this framework is successful . I guess the program is all. I think the framework is already been successful. To talk about this, it has been all over the news. My friends have nothing to do, thats a good thing. It is positive. All kinds of opinions. In the utility sector i think success will be issued when we know in a certain weight they have implemented some sort of security practice. It really doesnt matter because the firm market compasses. So when we see that there is some sort of an adoption of some sort of Cyber Security practice, i think that is success. And in particular in the Energy Sector were lucky. They have a great role in putting it together and bring in up to the world. So we can actually tell that things are happening. Great. There will probably never be a victory parade in a Server Security space, but how do we determine that we i guess how do we determine that we are on a successful path in using the framework . I kind of want to piggyback. But there has definitely, been through the Server Security discussions here for years in washington, we were talking a couple of years ago about elevating Server Security. The framework and some of the discussions lawyers they accomplish that. Their conversations going on and companies and higher levels than we ever had before, companies from Senior Executives. It is a confluence of issues and was slated conversation, the framework, the press reports said,. I think certainly Server Security has been elevated to a higher level than the past and as an offshoot of that companies are looking at their cyber practices. They should make us more secure than we were a. As far as the framework itself goes, the easiest way to measure success, the reason i say that is because the framework is inherently voluntary. You are presuming that there is some value and companies are looking at it, the business value, the use of the firm mark it rita making a decision to use the voluntary framework in the businesses. I think it is widely used session in the companies are presuming that there is some value and provide some security perspective. That should mean that the bar is being raised to some degree of security. That is so i would look at how successful its been right now. To you think that we and the government will have the ability to measure whether it is being widely used . That remains to be seen. There at some sort at the end of the day. The see them moving away in terms of the adoption. But i think that one of the things that we learn from the from the environment, helpful in this environment. A quantitative measures, of a qualitative measures would be there. I think frankly overtime. That is how well can we measure what we stopped as opposed to what actually has gone into our systems. I think on the front side we do that very well. In Financial Services there is no way for us really to justify the management our expenses and fraud mitigation unless we can measure what we mitigate. We prevent it from occurring in the fraud environment. And so we have done a pretty good job of defining what they should look like, how you measure that he really had done that essentially says 1997. Increasingly we are in measuring that an electronic environment. By way of example, if we continue chanel was about to say that we have many will adduces 1997 for fraud and the cyber incident verses brief space i think we have done well. In 1997 we stopped within the environment and lost a dollar. In the last year for every dollar fraud now we lost we actually get 10 from going out the door. So those of a kind of quantitative measurements that think we should be able to develop over time to measure a level of success and individual institutions as well as the industrys overall. That might be a helluva way to think about it. Interesting. When i think about success, success sounds like a very finite place. Electoral all arrive at success. We have to manage expectations, what we would think about success looking like. And the way i think about the success, the framework and a volunteer program is if we can move forward with a phased approach, the phase that we are in right now is we have just released a document todays ago. There arent a lot of additional incentives out to bring people along who of not necessarily been doing things already. What we have in this space is the opportunity to touch people to drive that cultural change that i think this remark really does want to affect. As we move further down we can then think about as we said earlier, the target audiences, are we reaching the right people , one of those common challenges and the Critical Infrastructure space has been really defining what is critical as we move past the average and awareness phase i of the things i would encourage us to think about is whether right target audiences. What were your challenges . And so those were at least two initial phases. I believe as the incentives get billed out and we start to get feedback and on how this is being used we will have more information to feed what does metric should be. Will we dont want to be sitting around counting incidence. Were still going to have major data breaches. And so in addition to measuring success we also have to the continue having the average. This excess counted particular numbers might not be. The framework. What companies can apply. Just an evolving conversation. I think that we will find it to have been a success. The Communications Sector the physical events. Have the same number of customers also have some factor in there. I think it will be a success if the culture as successfully permeated that there is no such thing as being at home without anti virus and some sort of protection under on computer. And i think that makes it a huge success. Then you kind of got a safety net. And then allows us to really put resources and time and effort in pinpointing on what that critical point is, that most critical 20, where we apply the resources of the we are automated, repeatable, adaptive, all that. So much about this remark in my mind. And i think in the sectors mind was about raising the bar. And if we raise the bar and it manifests, cyber fl ways and everyone has the stuff on their home computer, thats huge. Thats huge. That allows us then to redirect resources for some of the harder things. Right. Well, lets plow right into incentives, which angela raised. What do you think of the most important incentives that the government can provide here and how does this fit into the process . The government needs to provide incentives to use the framework. That has to be the cheapest thing on earth. Really. Okay. Forty pages. And they think really we struggled so hard to make sure that it was readable. And for any company that does not read it, okay. Im good. Preserving their business, the brand, the customers confidence , no matter what company iran. That is highly costeffective. I think that is an incentive. It was made simple. That is the mainstream. There are going to need to be some incentives, particularly in the Communications Sector where we have been more sophisticated. There probably things that we, as a collective sector, could do that are more what is the word they use, repeatable and adaptive to better protect not only our networks but our customers use of our networks. And that is in the legislation. We will have to see if that helps. That will be an incentive. It gets kind of building, and catherines point which is different incentives going to matter to different people. And so the things that may matter to my organization are going to be different than those that iran not be his constituency. For example, i would say that microsoft security and privacy guidance is already consistent or security and privacy Risk Management is already consistent with the Guidance System of the framework. We had Market Drivers and incentives for years going back to the ugly days that you guys might remember in the early 2000s, the bugs that have the first name. So were already doing this. That said, there are going to be incentives that matter to other people here, and nothing that is really important. Again, focusing on the target audience, where im trying to affect change in the incentives that are going to matter to them. Two things that i will say for those organizations who are doing a lot already are going to be the procurement preferences, particularly really driving supply chain effect that we have all talked about which is if you have organizations or contrasting with the federal government, requiring them to use the framework and then pushing now through the supply chain, i think that will have a significant effect on the marketbased incentive to drive improvement. On the other one and i will raise, and this is definitely from a Global Company pointed you, one of the incentives that we really think is important is working toward harmonization of these types of approaches to cyber Risk Management on a global basis. So as we have conversations, both industry and government with their partners in the European Union are working on the network in Information Security directive also thinking about the right things to do to improve Cyber Security, working toward harmonization is another significant incentive on the demand side. I had one of the last one in which is the supplyside incentives. Michael brought this up when he kicked off on the discussion. There are a lot of organizations, particularly in the small and midsize businesses were going to look at this and say this might be something that i do. How do it . I dont have the people. I dont have the capabilities. Maloof concerned about resources, and that challenge is going to come back again to those of us to provide services it may be able to offer Cloud Based Services to help fulfill the functionality that exists across different parts of the framework. And so you have to think about a from both sides. Those things that may either request or in some people to do action and those of the things theyre going to say, hey, what would i want to offer customer bases to help them in this . Doug, what do you think . We have relied from everybody on this first panel. I think that is really going to be the primary driver said. I will give you a couple of examples. On the insurance side we have already seen insurance carriers going to larger institutions and as the specific question, what are you doing about implementing the seven security framework. Essentially those conversations are already happening within some of our larger financial restitutions. Notwithstanding insurance there were looking at it in large part anyway, but the Insurance Industry looking at how this all fits together and that they might be able to factor the utilization framework into the pricing and a long term, not today, not tomorrow, but the long term. That is really starting to happen as well. I think another thing in the insurance from is the fidelity association, the folks that essentially right the policies that come to us and said, well, we are about to write or rewrite our computer foreign policy. Essentially how we factor in the mist framework in a particular process as well. So i think there is good thinking already by business in terms of how this might end up working the way forward. And i take the points that were brought by the government panel. Those are the kind of things that need to happen. Because if it is not marketdriven it is not going to succeed. Were not going to have an opportunity. Now i will deal with the one that is really dicey one. The two pieces of Liability Protection that had been talked about as part of this discussion ive had quite a few of these discussions with greg johnson, particularly when he was with Senate Intelligence supporting senator rockefeller over there. I know how much she loves the safety act. And can be market driven. That is where government is going to have to play a thoughtful role in terms of trying to figure out brin since what existing programs in dhs might have relevance to give Liability Protections to the extent that events occur and what kind of clarity can be given by government and specifically what identical