Illegally. Cybersecurity is obvious. And protecting the infrastructure from cyber and terrorist attacks. And the fourth priority was I want to do everything I can to make sure Secretary Jeh Johnson, who is an honorable man, I want to make sure he succeeds in the mission of keeping the country safe. Let's go to cybersecurity. We have had a number of hearings on this. I ask witnesses what are the top priorities and things we have to get done. The top priority is to facilitate the sharing of information. And I am talking about threat signatures, vulnerabilities. We are not talking about the metadata. It is just impossible for businesses to have to really try to comply with a multitude of different jurisdictional requirements for data breaches. It is crucial we set a federal standard. Those are the top two priorities. Those should be pretty simple to accomplish but it has not been simple because you have legitimate interests. People concerned about American privacy. The issue I have been trying to make is if you as an American or a privacy advocacy group are concerned about American privacy being lost, you ought to be concerned about doing everything we can to prevent cyber attacks. The greatest threat to privacy is these attacks where literally the private information of millions of people is being lost with every one of these attacks. We just read about Apple Pay having been attacked a certain way. Fraudulent activity as a result of the previous attacks. That represents a significant threat. From my standpoint, at our first committee hearing, because it was a top priority, we had the representatives from Microsoft and American Express. It was a very thoughtful hearing. The witnesses were talking among themselves. We were not that far apart. We can actually do this. Not only does Congress think this is an important priority, President Obama recognized it as well.
All these high-profile attacks certainly are creating the awareness in the public and hopefully the political will for Congress and this administration to work together to find common ground. We have a bill moving through the Intelligence Committee. The senators have come to an agreement. It will be marked up next week. That is a good start. We have Senator Tom Carper, who introduced his legislative proposal. A little more modest than the intel bill. I don't know how this is all going to work out. But one role that certainly the Homeland Security Committee can play in this is we can hold hearings and continue to hold hearings. If there is a component of any bill that might eventually work its way to the floor, we can hold hearings. And I will tell you one thing I want to make sure of, and that is whatever liability protection it provides actually works. I am not interested in an information sharing in name only bill. We have an interesting letter from 29 chief counsels of major corporations pointing out how important it is to get this across the goal line. I will be going back to the chief counsels and soliciting input from others. And my question is based on what is reported from the city and the liability protection we have evaluated, and whatever gets to the floor and gets voted on, I want to ask the chief counsels of major corporations and smaller companies: is the liability protection being provided in this bill, does this liability protection allow you as the counsel for the company you serve, is that going to allow you to give the advice to your chief executive in the case of a data breach to actually share the information? Any answer other than yes really renders that bill completely useless. So again there will be differences of opinion. It may not be universal but we need a strong show of support in terms of whatever liability protection we offer in a piece of legislation; it has to work. With that I think I laid the predicate and groundwork.
Happy to answer any specific questions you might have. Sir?

I am Larry Clinton with the Internet Security Alliance. Thank you for being here. And I want to say I think I agree with absolutely everything you said. One of the activities we have undertaken is we did a handbook for corporate boards of directors on cybersecurity and we specifically tackled the issues you mentioned, which is the strength of corporate boards being that they have to be secure but they have to be productive, innovative, they need to grow, etc. And the problem is that the economics of cybersecurity are not well understood. We believe that means using voice over and the protocol is cost effective along international supply chains and mobile devices and bringing your device to work. One of the things I heard you say was you were going to take a step back and look at the bigger issues that we are supposed to, like information sharing. Is there any prospect the committee may hold a hearing specifically looking at the economics of cybersecurity in the broad sense that I just described and we are interested in?

Possibly. I want to talk about regulatory reform in terms of the economic impact. There are estimates of 100 billion annually. Keith Alexander said this was the greatest transfer of wealth in history. People have a sense this is a costly problem. It is true from being a CEO. You want to invest capital in new products. And I think for far too long CEOs ignored it. That is the IT department. I don't understand it. But make sure we are safe with firewalls and security passes and hire security firms and let's keep ourselves safe. I think a pretty good comment by the FBI director saying there are two types of large companies: those who know they have been hacked by the Chinese and those that just don't know it. That is a paraphrase.
Because of the high-profile nature and the loss of literally tens of millions of pieces of personal information of tens of millions of Americans, I think people in the board rooms and CEOs are starting to realize this is really a problem. From my standpoint there are private sector solutions for this. Coming from the manufacturing background, we have sprinklers in our plant. It was good business because I don't want to see it burn down, but the heads are closer together than what I would have designed because the insurance company sent in an inspection team that said they are ten feet apart and they need to be eight feet apart, and if you don't turn them into that, your premium goes up. So there is a private sector model that will work. And let me speak about what President Obama said. This is another model it sounds like the administration is working toward and I am glad to hear it. When President Obama announced his information sharing bill I got a call from Secretary Jeh Johnson telling me about it with a heads up, and I asked him how strong is the liability protection and he said it doesn't get better than this. It was unqualified as long as you qualified for it. How do you qualify? You have to be certified to have best practices. Who is going to certify it? If the government is going to do it I have a real concern about it. But there is a private sector model out there. You have the insurance model. The discipline of high premiums. You have an ISO model. ISO certified for my plant, meaning you have to go through the best practices along a host of different criteria and you go through surveillance and every six months they are being improved. So it sounds like the administration will have a third party model and if you qualify you get the protection. It is a thorny issue and not easy. But having government facilitate information sharing rather than dictating it is going to be a far better model.
You can see how impossible it is for the federal government to set the regulations on this. When we had a hearing a couple of Congresses ago trying to do cybersecurity, I asked the representative from Homeland Security, which is the repository of the information sharing, how long it would take to write the regulations, and the answer was seven years, and I think the internet is going to be different in seven years. There is no way it can be fast moving and forward thinking enough to write the regulations. The only way to stay ahead of the attackers is doing it in the private sector, and we have to be reinventing our security measures on a continuous basis and that gives us the best chance. Anybody else?

Brian French. Thank you for being here. I am not making comments as a fellow snow belt resident on the response to a few inches of snow. They just don't have the equipment. Or the will. I do want to make a comment regarding liability protection and your listening sessions. I think one thing you hear from the general counsel, and this is my experience working as a member of the utility organizations: the liability protection when it comes to information sharing, what is offered is good, but what is missing and concerning for a number of companies is there is no liability protection for companies based on what actions they may or may not take on the information they have received. That is troubling when you consider the Federal Trade Commission is suing a hotel chain and one of the claims for having inadequate security policies is they failed to act upon information that had been shared with them. So it isn't just the fact you may get signatures, but it has been the process by which companies can take in that information and make a decision as to whether it is really relevant, and that is pointed out in your hearing earlier: that not all information shared is good information, so companies should have discretion as to whether they need to act on it or not.
You are hitting thorny issues. This is where I go back to that perspective. I believe companies want to protect their cyber aspects and their customers' information. Recognizing this is a very rapidly moving issue here, and what is best practice today is not best practice tomorrow. So from my standpoint I think if you have to certify, and I understand that too. You do need to do your due diligence and show good faith, and I think if you show you are engaged in the process through an insurance model and passing the surveillance audits at some level of percentage. I cannot give you all of the things but I can think of a commonplace model that is sufficient enough, but you have to be always updating the standards and being involved in the best practices standard as opposed to being held accountable at a certain point in time. We were three months away from the audit and new information was coming in. Cut us a little slack. I am willing to cut industry slack because I believe you realize it is bad business not to do this. That is going to be an argument and a thorny issue but that is the type of process I will certainly want to try to insist on. Because otherwise they will not share information, and what have we gained? If we don't give liability protection and set the process so the chief counsel gives us advice, what do we gain? That is a powerful argument to hopefully find common ground to produce a bill that is not just information sharing only. We have a question from online. I am concerned we have no solution for a viable cyber warning and solution. Current systems recover them after they attacked. More than 80 of the attacks after they happened. You want the information shared in real time and that is what the department of security is trying to set up with the NCCIC. I am starting to understand these acronyms.
That is really what, again, I think is a very good faith effort to understand there is sensitivity if we have intelligence agencies gather and be the repository of that. It isn't perfect or easy but that is the attempt. Getting the threat signatures and vulnerabilities shared at computer speed and having a system set up so it is spread out to information technology professionals throughout the nation. There is a really strong network of IT professionals that we can very rapidly send out the information to. We will not be able to prevent every attack, but a lot of them if we can share threat signatures at real-time speed. One of the interesting outcomes of the hearing is how long hackers are in the system before you figure it out. It is months where the hackers are in there maneuvering around to find the backdoor and get the personal information finally. It takes that long. So once you understand this is how they did it and you can share that, sharing that information can prevent a lot of harm even in non-real time because you might have weeks or months to protect yourself, because it takes a while once they are in to do the damage. Your counterpart on the House side, Mr. McCaul, is working on a bill and his approach is mirroring the administration in terms of centering the liability protection around DHS. The Senate Intelligence folks took a broader view of the types of sharing and avenues that should be protected. What are your thoughts on that? I am sympathetic to both. Where we have strong relationships between industries and regulators and they are sharing a lot of information, why do away with that? At the same time I understand the concerns of sharing information with, you know, let's say the NSA or intel community or Department of Defense. I understand that sensitivity and they would rather it be a civilian agency. Maybe you can have a hybrid form. It is computers. You can ping it from here and ping it to there.
I don't know what the final solution is going to be. But I am sympathetic with both positions. What I view my role as is let's see how the intelligence bill winds its way. It will be marked up in committee. Let's see the reaction as more people evaluate it. The comments. I have the ability to hold open hearings on these issues. If at some point in time we have bills combined with what the House is doing and the Senate intel is doing, I am happy to play that role. The more components we can pass the better. Sharing threat signatures is one thing and preventing attacks is another, but we have to solve the crime. We need a capability of going after the criminals and hackers and shutting them down and bringing them to justice, and that requires personal information and the attacker identity information. So again, let me leave you with this note again. Just to emphasize my point. If you are concerned about losing your personal privacy you should support a bill that prevents this and allows the government to solve the crime.

I would like to ask the next guests to come up. So in the interest of brevity I am not spending a lot of time on the bios. They are in great detail in what you were provided here. I am here with US Telecom. We have an exciting panel today beginning with remarks from ari e makes, who is the White House director of cybersecurity and, I think many of you know, has been involved in setting national policy in cybersecurity and most recently on information sharing. With that we have the assistant vice president for global policy for AT&T, who is very active in a whole series of national and international issues of cybersecurity. And the current partner at Akin Gump, and many of you know in a former life he was the bureau chief for the Federal Communications Commission Public Safety and Homeland Security Bureau. And finally, last, I will introduce the moderator, who is the editor of a very important publication in Washington, Inside Cybersecurity. Thank you, Robert.
It is a pleasure to be here. I have a suggestion to make. A year ago I walked on ice and my kids' school was canceled, and if you could think about April next year. Just a suggestion. Thank you. We have a hurricane that is later in the year. But point taken. I want to start briefly by talking a little bit about the Obama administration's work in this area. A lot of this goes straight to the top. President Obama upon taking office said cyber threats were one of the most serious economic security challenges we face and made confronting them a priority of the legislation. He renewed that pledge with each action taken, moving this issue forward in public consciousness, in particular at Stanford University last month, where the president confirmed his commitment again. Let me recount things that have happened along the way so people understand where we are and where we ended up. Four years ago the administration promoted legislation in this area. Covered areas included standards for critical infrastructure, reforming government agency security standards, new hiring authorities for Homeland Security, information sharing and liability protection for information sharing, and national data breach notification standards. Two years ago it became clear Congress would not be acting in these areas as quickly as anyone would want. They passed two of the provisions last year and then we were pleased to have them move forward. But two years ago it was clear that information sharing and moving forward on standards for critical infrastructure were not moving as fast as anyone would like, and the president signed an executive order to promote cybersecurity standards for critical infrastructure. There were two pieces. One was to share information from the federal government to businesses and the other was the private sector framework development. The Cybersecurity Framework has been the key to the success of this effort. And the work of groups like US
Telecom and its members and other associations and companies and other stakeholders led to the framework becoming a truly successful document in terms of creating a voluntary framework that could be used by boards and executives to make decisions on cybersecurity. I think at the cybersecurity summit we heard about the success of that effort and how it is starting to change the consciousness of U.S. industry and of organizations around the world. The best analogy I heard was it being said the Cybersecurity Framework is the Rosetta Stone for cybersecurity. That is what it was intended to do. Mirroring the other sets of standards that have been done and making it so we can read them across the sectors, have coverage, and are moving forward in different areas. That is what we wanted and that is where we ended up. It is due to groups like US Telecom, so I thank you. We are having real progress in understanding where we need to get to and the growth that needs to happen. Another space the administration spent a lot of time and effort on is incident response. We heard the government needs to participate better and give the tools for industry to be able to respond to threats. We have continued to work with many sectors in this space. The financial sector worked to respond to threats and we continue to move them forward. One other area that was just announced last month is the Cyber Threat Intelligence Integration Center. A lot of discussions are going on relating to information sharing. I think for the government it relates to information sharing. You can think about how it relates to industry response. There is not a public face between industry and the Cyber Threat Intelligence Integration Center. It will be more of the way government is going to pull its information and pull the intelligence together that exists out there.
This new center is not gathering new intelligence; it is pulling the intelligence together and taking the analysis out there and integrating it so it can get out to stakeholders. The industry interface remains the same, whether it is working with DHS, Secret Service, Treasury Department, FBI when there is an incident, or other sector-specific agencies that will continue to be the face for the incidents. In terms of integration we will have a place where that can happen more quickly than it has and does today. Next, on information sharing. Efforts in this space. We have been promoting the idea of moving forward legislation in this space. But while that is happening we continue to make efforts to get more information sharing from the government to the private sector. The executive order two years ago did this. Among private sector entities and from the private sector to the government. We continue to work in those areas and are trying to move those efforts more quickly than in the past. For example, beyond the executive order: after the executive order from two years ago was signed, we changed the default for sharing to say we want the default to be to share unclassified information and make more information available and declassify more information and make sure it is shared with the private sector and move in that direction. I think in my discussions we have seen a marked difference in the type of information and the amount of information they are getting from the government. In terms of private-to-private sharing we are seeing efforts. On antitrust, the largest barrier for companies sharing, the Department of Justice and the Federal Trade Commission put out guidance saying if you are sharing cybersecurity threat information there should be no real barrier from antitrust concerns. We have seen or heard of sectors now being able to share among each other in ways they could not in the past because that concern has been taken off the table.
Number two. We have seen from the Department of Justice they published guidance on sharing information in the aggregate and making sure that does not run into barriers from the Electronic Communications Privacy Act. We think that has been helpful for companies to understand what information they can share clearly today and where there are issues. Also at the cybersecurity summit we had the release of a new executive order, the signing of a new executive order from the president focused on information sharing and analysis organizations. We used the term taken from the Homeland Security Act directly. We used that term because it is the broadest set of organizations out there. There have been folks focused on information sharing and analysis centers, and we still support that, and information sharing and analysis centers fall under information sharing and analysis organizations by definition, but the centers happen to be sector-based. We are talking about sharing across sectors as well. Regional sharing, threat-based sharing, and other ways of coming up with new ways of sharing information, not just tied directly to a sector. The sector work that has been going on for the past decade has been instrumental in demonstrating how information can be shared and for building up to standards and best practices in the space. It is that kind of work we think needs to be put into a real standard, private-sector-led agreed standards body, which is why we promoted the idea of DHS setting up and granting new funds to a private sector body to stand up in this space, and we think it will help to drive efforts in this way. The way the executive order does it is market driven. We think that will be enough. We have seen enough new information sharing organizations that want to start up but have trouble with the resources and understanding of what they need to do to stand it up. We think this will be the best way, from a market-driven standpoint.
We have said in our legislative approach if we can get organizations to self-assert they are following this, we think that will help to move this area forward. We are not talking about certification. We are just saying organizations would self-assert they follow these practices, and we think that is enough to drive the marketplace today considering there is a demand for more sharing and new bodies to form. It is this type of information sharing legislation we would like to see move forward. We think it is essential; all of the efforts we have done to date we feel we are continuing to do. There are barriers that exist where we need legislation today. We think we can have targeted liability protections that make it clear how companies can and should share information in a way that protects security and privacy through civilian channels, which allow us to do government oversight of our own work. We think it is possible to get through the balance and we should do it in that way. And we have had good response from the private sector and stakeholders in moving this idea forward. We are open to having further discussions and look forward to that, and hopefully we can have some of that today on this panel. [applause]

Hello, everybody. I want to thank US Telecom for holding this event and the whole series throughout the framework. I think it has been valuable to the dialogue and public discourse on cybersecurity. So thanks, and I hope we have more, and hopefully one in May. That would be great. Chris and David, can you speak a little bit to the state of information sharing that is going on right now and how the executive order is likely to affect the current environment? Chris, you want to start off with that?

Within the communications sector we have an organization called the Comm-ISAC that meets regularly to discuss, and the companies themselves meet to talk about the various issues. There is information sharing going on today but there could be more.
And I think the legislation provides a key aspect of what could be done in the future. In terms of how the executive order does it, it remains to be seen. It is interesting and we will see what happens over the next several months. My understanding is they will be grandfathered in or used as the standards to develop the new ones. If the existing ones provide leadership and provide examples of things they do and they can apply that, I think that will be effective. I think we are optimistic at this point and will see what happens.

David? I think the communications sector companies have something to gain from this process because, while they can control through contract some of the supply chain issues, if they are successful they may want vendors who would not qualify and participate in this to ensure they are getting the best information as well to defend against cyber threats. I think one of the questions, in addition to the very important question of liability protection, is going to be whether the information sharing that is proposed in Congress and that the president incorporated into his executive order meets the president's test. The president noted that the private sector needs to defend itself. Government can't do that. But he said there needs to be a partnership because government often gets good and important information that the private sector doesn't have that would be important to defense. And so I think one of the questions that will determine the success of the sharing arrangements is whether business feels like it is not only providing information but getting good information back that makes it have greater success in defending against cyber threats. There has been some view that that is a challenge and sometimes that kind of information hasn't been received. And I think the process with the NCCIC that was outlined is going to try to improve on that and deliver on the president's recognition of what is necessary.
How quickly do you think the private sector will see a tangible difference in the quality of the information it is getting from the government side?

From the government's side I think over the last two years we have heard that companies are already seeing a difference in the amount of information. In terms of the quality, it depends on how fast we can get the Cyber Threat Intelligence Integration Center up and running and seeing that analysis. And I think making sure we can prioritize and keep that information unclassified will help with that. It depends on how fast we can get it set up. Our goal is very quickly. I think, as with anything having to do with organizing the intelligence community, there are always a lot of questions about how it will work, and we are working with Congress on the details to make sure there is a strong understanding of that. But I think people will see over the next few months that body get stood up and people get there working, and they will start to see the quality of information improve as well as the amount of information. Sure. Chris?

I want to add the points David and Ari are making are critical. The mutual exchange of information processing is valuable. This is sharing with government and sharing within the private sector. I think there is the potential for there to be a lot of information shared if the ISAO takes off; you can see the information being dumped on folks, so making sense of it is critical. Mutual exchange and making the intelligence available for companies will provide value. This is the importance of the move to automated information sharing. Because so much of the information sharing today relies on folks to take action. Everyone wants to join an information sharing organization to get the information, but they are not thrilled about putting it in there.
If we automate it you will know what you are sharing, because a certain set of fields gets shared based on the incident and that is shared automatically; you will see more information and there will be more certainty to it. And in some ways the move for ISAOs and having the policy overlay as we build the technical standards that go underneath it will help people feel more comfortable moving to the process.

In the administration's legislative proposal you structured the liability protection around the act of sharing with either the NCCIC at the Department of Homeland Security or with the new ISAOs. Why is it limited to interactions with those two entities?

ISAO is a very broad term. We are not talking about individual companies or a small number of companies, but that is not true the way it is set up; the term means anyone that is sharing with one or more individuals. We want to make sure there is rigor to who it is if you are getting the liability protection. In this case you are raising your hand and falling under the liability protection. In our draft you are raising your hand saying we are following the best practices, but there is some basic commitment to doing something in order to get the liability protections. The reason we want it coming through the civilian portal is because we need some kind of oversight. If we are overriding all of the privacy laws that exist in government today in order to make sure that information is being shared in a way that then can follow some set of guidance that is going to come in the future from the Attorney General and Secretary of Homeland Security, the way to do it is to make sure it flows. And then, as David said, it can flow out to other parts of the government, right? But the key point there is we have the oversight, right? That on top of it makes sure when it comes in it is actually cyber threat information and that privacy rules have been put in place and confidentiality rules are in place.
And to get that oversight you cannot have the public oversight you need if that is happening in the intelligence community. How do the intelligence folks feel about that? Would you like to expand who you can share with and know you get liability protection?

I would say that is probably true. We appreciate the administration putting a proposal on the table, and we have been trying to get legislation passed for several years, so the administration putting a proposal out there is helpful and something we can work on going forward. But we think the concept of tying this back to the framework is limiting. The approach I would prefer is something like what Senator Feinstein is working on and the approaches being taken in the House. But this is going to play out over the next several months and we look forward to working with both sides. We think information sharing should be balanced appropriately with privacy. I don't think we are that far apart on the issues. I think we can work together and hopefully come to a reasonable conclusion.

We are open to ideas and feel we need to follow the basic framework: it needs to come through a civilian place to make sure we have the oversight, privacy is being protected as it happens, and liability protections are targeted to sharing. If we could stay in that framework there are lots of ways that information can be shared; as long as we hit those key holes the administration is going to be supportive of the legislation.

We focus more on the private-to-private side. When you talk private to government, the issue is should it go through civilian agencies or intelligence agencies, and our view in the past has been the legislation that was coming from the Senate, the previous version since the 2014 version, would have had it run through DHS. We were generally okay with that model as long as it didn't disrupt existing relationships.
As long as it would have allowed for the preexisting relationships to continue, we would have been okay with that approach last year, and we supported that. This year's bill is a little different but heading down the same path, I think. When it comes to private-to-private, we think forcing everybody to be the same might be limiting. If they are grandfathered in, maybe it will be a nonissue, but we will see how it plays out over the rest of the year. I would just add that one thing we also have to be mindful of in setting the criteria to get liability protection is the differences between big businesses on one hand and small and medium-size businesses on the other. To the extent we want this to be real-time, we have to take account of what their capabilities are in terms of managing information and stripping out information that may raise privacy issues, and we need to make sure that we require privacy to be a principal consideration and protected. But we have to make sure a reach from trying to share in a timely fashion, depending on what the information is, doesn't result in capital punishment. There are three distinct legislative initiatives there that all have privacy at their heart as policies. Can you say how these fit together? Does this all add up to a uniform approach to the issue? We are actually talking about a few different types of privacy there. On this information sharing proposal we are talking about, we have a definition of cyber threat information sharing. That definition is a limited set of information tied to certain kinds of cyber threats and has limited uses inside the government. But when you share that information you have this broad ability to share that information notwithstanding any other provision of law, overriding a panoply of existing sections that are already in place and replacing it with guidance outlined in the legislation but really still to be written in the future.
We are talking about, kind of, and most of that is for government agencies and how they will use that information. We are giving companies the ability to share that information into the government or among themselves, with a set of new privacy protections that we hope will be strong. Creating the information sharing organization standards and sharing with the government will happen through the guidance from the Attorney General and the Secretary of Homeland Security. You have this kind of new regime that will come into place for that type of information. Now, that type of information is excluded from that consumer advocacy bill of rights, because that already has a regime through this other proposal we have, and the hope is you have cyber threat information sharing in place with this kind of definition and an exclusion. Now, the bill of rights is focused on the privacy issues that we see with new types of online and electronic commerce issues that come up where information is shared, because in the United States we have an industry-based privacy regime. You don't have the basic safety net in place to protect information across different kinds of efforts and industries. The idea is that those would still be in place, and this builds the safety net for areas that do not have privacy protections today. This would be exempted. Then there is the privacy engineering effort, focused on the fact that a lot of government agencies and other stakeholders have seen that when new products are being built, privacy has come in afterwards. There has been a question of how we go about thinking about this, looking at the risks involved and looking at the benefits that could come from decisions earlier in the process. NIST is working on a completely voluntary effort that could be used to make these decisions, help government agencies make these decisions, and companies might learn from that as well.
It is looking at these efforts in a way that relates to building new technologies and how to go about doing that. Thank you. Before we move on, I want to make one other comment. A lot of people talk about information sharing being the thing we're trying to achieve, but it has become a term that encompasses a lot of different issues. I don't want to lose sight of why we support information sharing legislation. Today, when we try to stop the cyber threat, it involves getting lawyers heavily involved in determining what we can do. A big aspect of the information sharing bill that is not talked about as much is the actual authorization component, specifically authorization for companies to do things like monitor networks or take actions to stop attacks. In the last panel Brian asked the question about liability protections. Those are critical aspects, because to us what that would do is provide a clear legal framework, a more clear legal framework, under which we can apply and act on cyber security. A lot of the reason why we have been supportive of this type of legislation is that it clears up that legal overhang and would allow us to act more dependently and streamline processes around security, in addition to the information sharing component. We appreciate all proposals and are willing to talk to all parties on the issues. We could improve the authorizations piece. Without that, just having information sharing by itself will not move the needle on security, in my opinion. I would just add, in addition to having been bureau chief for Public Safety and Homeland Security, I am a former assistant deputy general. It is clear that it makes a difference in terms of lowering costs and improving performance. It is important sharing of past loss information and the like, and that will be true, I think, in connection with cyber security. I think it holds the potential to raise the cost of conducting successful breaches for the bad guys and lower the cost of defense.
On the privacy point of view, I think the senator was absolutely correct when he says that we all need to care about both of these issues. With the threat and the breaches that we have seen, improved cyber security, improved data protection, means enhanced privacy as well, done correctly. Great. Let's talk about regulators here. [laughter] Sure. The FCC charged a new working group about one year ago with coming up with a new paradigm around cyber security, and I know you and David have been closely involved in this. The final draft report has been completed. Tell us, what is a new paradigm around cyber security? What is the goal and what has been accomplished? What is the state of play within the FCC's working group? Let me set the stage for that, if you will. I am not on the working group, and the report has not been publicly released. It will be on March 18. We set this up when I was chief, about two years ago, and it was very much coordinated with industry. What we recognized was the cyber security framework would be issued by NIST in February of 2014, and then working group four, which was going to flesh it out and give it meaning specifically for the telecom industry, was going to become active and spend the next year trying to develop a report, issue information that would make it applicable and usable in positive ways by the communications sector, and I think that is what we are looking to. They have had more than 100 people involved in a very intensive effort. I think we will see a report that moves the needle and helps establish the telecom industry as one of the leaders in making use of the NIST framework and trying to make it usable. I have not read it, so I cannot comment on the outcome. I think it has been a very positive process. I can give a few highlights as to how the working group has done over the last year. The chair of the working group, I chaired the wireline group. We have five subgroups, one for each of the segments.
Wireline, wireless, cable, satellite, broadcast. Five segments and five feeder groups, a metrics and measurement group. We had ten different groups that were working on it. Over 100 members have been working on it for the last year. The report that will be issued in March is about 300 pages and goes through in a lot of detail. I don't want to go into a lot of detail because it has not been officially released, but we tried to prioritize and reform the framework for communications critical infrastructure. We secure critical infrastructure; if you look at the communications networks and you understand that it is an interdependency for things like financial services and electricity and water, how do we secure that and make sure that that infrastructure is secure? That was a big part of it, and that was the big focus of the working group. And I think that's an example of how our sector partnered with the commission and others, whether it's going to be a solid situation going forward. We have a question from our online audience. Will they make information sharing possible, too? First of all, I think that we haven't seen, I haven't seen net neutrality, or I think it isn't out yet. And so, you know, I think that I would want to refrain for now. One of the things, while we are refraining from giving a judgment on that, one of the things that is in play everywhere from the federal courts, where the Linden case was argued, is the Federal Trade Commission's jurisdiction to enforce privacy and data breach standards under Section 5 of the Federal Trade Commission Act, which has been the subject of some uncertainty and some attacks, to the FCC, where in October they did the first major data breach case, and also the legislation that has been proposed. I think in some cases it delegates to the Federal Trade Commission much more clearly, and I think some of this legislation under this enforcement.
So what we are seeing is a lot of uncertainty with the standards, who is enforcing them, and how they apply. I think that we need to take a look at what comes out of the FCC and the net neutrality before we draw any conclusions about it. And I am pretty sure that the FCC is going to want to make sure that information sharing is not inhibited. I think that the kind of information we are talking about sharing is, you know, not at the core of what they are necessarily trying to protect against, and I think I will leave it there. Do we have any other questions? Okay, we have a second question here. We have had a really good relationship with this sector in particular. They have been very supportive of the cyber security framework. Our plan is to work closely with them moving forward in terms of response, in trying to make sure that they are getting the information that they need to be able to respond quickly, and the information that we have from the government and among themselves, to get this information in terms of the response more quickly. Obviously there are a lot of different things. And I think that the easy thing is to say that you're working with energy. But if you can work sector by sector, it makes sense to us to move through those. So we are looking forward to doing that. In terms of how they also have existing information sharing today, this effort has been growing and is becoming more effective; the oil and natural gas sector has been more effective, and we hope that we can make that move more quickly as we move this process forward. That's great. I really want to thank the panel. That is terrific, and I thank you all for your contributions. [applause] We will ask our next group of panelists to come up. [inaudible] Very good. That was an excellent panel, and I think you have heard them talk about the seminal nature of the framework, and I think that we are very fortunate on the panel today to have Adam Sedgwick. He is one of the architects of Rosetta Stone.
And that is quite an accomplishment. As many of you know, he's president of the Internet Security Alliance and someone that has been an outstanding advocate of the framework for quite some time. He has a lot of experience in the cybersecurity policy arena; we are happy to have him join us. He is the security and preparedness manager for the American Water Works Association, one of the critical infrastructure sectors, thinking about it as it relates to his sector. We are happy to have Jesse Ward with us, who is the policy analysis manager with a broadband association; he also helps to address small and medium businesses. With that I would like to introduce David, who is with us. I'm ahead of myself, introducing Adam, who will speak. Thank you. I will go through these remarks pretty quickly so we can have that discussion. Thank you again to U.S. Telecom for having me. These events are very helpful for us in terms of hearing what the industry is thinking, and also the telecom sector as well, and we have a number of different sectors in the audience as well. So, thinking about this event and the title of it, which is gaining traction or falling behind, I actually wanted to go back and look at some of the things that we were saying. We could go back many years, but I chose to go back two years ago, when we were kicking this off under the cyber security framework. And I found that there was testimony that we gave, that my boss gave, on what we intended to do. That testimony was almost exactly three years ago, on March 7, 2013. So I decided to give that a quick look to try to understand the market and the expectations that we had set out. It was helpful to look at this and think about some of the language that we were using and how the approach had been developed, and if we were moving the mark in terms of what the expectations were on this executive order. One of the things that we had, and this was a heading, was called why this approach.
Because at the time we had to do a lot of work to convince people that this was an approach that would have an impact. Under that heading: this multistakeholder approach leverages the strengths of the public and private sectors and helps to develop solutions in which both sides will be invested. It does not dictate solutions to industry but facilitates the industry coming together to offer and develop solutions that the private sector is embracing. Two years later, I think that we are seeing a lot of evidence of how industry and government can come together to help develop those solutions, not only through the process of developing the framework, where we had engagement from industry, but through groups like this, which I can tell you is the communications and security council working group on cybersecurity and best management practices. And that coming in, we think it will really help provide guidance to the telecom sector, to really think about meaningful implementation guidance for a sector that is not only critical but broad and diverse. We were really pleased that we could participate. Our chief cybersecurity advisor was there throughout the process; we were really happy to contribute our thoughts about how the industry could develop these products. So in addition to work like this for that sector, we have seen other sectors come together, and certainly we have seen the electric sector and the financial sector provide guidance. We have also seen a lot of other examples that go back to what the gentleman was talking about, with industry coming together to offer and develop solutions. So we have seen things like technology companies coming together to talk about products and services that could be aligned with the framework; we have seen the community thinking about the framework as an auditable standard that they can provide to their constituency.
They have begun to offer policies promoting it among policyholders, and we have seen states leveraging the framework, including in many cases as the foundation for the state emergency management agency, and this helps to capture and share that. A lot of this was discussed last month at the forum that the President had at Stanford, where our panel of CEOs was. So in terms of what that means for us and how we can help in our work for the ongoing year, I hope that we can get this back on the panel. We are going to continue our efforts to raise awareness on this, including working with other organizations and associations like U.S. Telecom and others today. A lot of that awareness will not only be focused nationally but also on the international audience. One of the top priorities is to develop and share information that can advance use of the framework, such as illustrations of how organizations of different capabilities are using and employing this framework, and the ability for organizations to look over each other's shoulders and to understand this. And then also putting it up for comment on how this is aligned, including making sure that we can integrate risk management with the broader way in which these organizations think about it. That's something that our stakeholders said was important; it would be a lot more to deal with. And that includes, as you think about what the framework effort was about for critical infrastructure, developing a structure so it could be used more widely.
The third piece has always been the next step. When we released the framework, we talked about the roadmap and priority projects, ranging from risk management to authentication and privacy standards; those are all things that we continue to work on and share information about, with the hope that in the future, as this continues through these experiences and projects, we can have a richer conversation about the priorities moving forward, to be able to react to the priorities of the people that manage the cybersecurity risks. In all of these efforts there will be a priority for us to conduct this in the open and collaborative manner in which the framework was developed. But again, going to the title of the event, are we gaining traction or are we falling behind? There's a lot of work to do, and how do we know this? Based on the advice we have gotten from the private sector on how to make this effective, our immediate focus has been to continue to raise awareness, and not only this and reducing risks, but that gets at the first step; getting to effectiveness, and we know about the path and how to get to effectiveness, because it's much like the efforts that we have seen to improve quality. Concern about cybersecurity and risks needs to be integrated into each organization. There is no single definitive universal endpoint for improving quality or cybersecurity. We are recommending that organizations do a serious evaluation of their current cybersecurity practices and develop plans to improve their capabilities, ideally through the use of the framework or some other tool. That process will take a lot of time, because the framework is voluntary. We monitor these surveys to understand the effectiveness, through the workshops that we tend to have with meetings like this, and all that information makes us think about how to help the stakeholders to improve future versions of the framework. And looking forward to this discussion, I thank Robert and U.S. Telecom again.
[applause] I'm cybersecurity with Politico, and I am your moderator. We have a great panel; we have all agreed in advance that we will be direct and to the point. So let's get to the first question, to talk about the cyber security framework's scope. We have two utilities on the panel, so perhaps both of you could address: do you envision this as something that is applied just to your core infrastructure? How do you define that? What about the enterprise IT systems that you also control? Applicability beyond just critical infrastructure, and particularly critical infrastructure as it's defined in the executive order, which is a pretty narrow definition. So what we actually tried to do in this working group is really thread the needle. As Robert mentioned, I co-led with Susan Joseph from CableLabs the small and medium-sized business group within that working group, and, again, we were just looking at small and medium business issues. And what we saw is that although many SMBs, small and mid-sized businesses, may not fall under that strict definition of critical infrastructure that the EO supplies, that doesn't mean that they can't adhere to the same spirit of this assignment. They could keep the scope the same but really just scale it appropriately for their operations. So what we were looking at is having each small or mid-sized business really define for themselves what's core or critical infrastructure. So, for instance, for NTCA's membership, when you're talking about small and rural telecommunications companies, it might be that one of those telecom companies defines their switch as core infrastructure, because without that there wouldn't be communications taking place within that local area. So, again, I think that there is applicability beyond just how the EO defines the framework. I would also say in the working group what we looked at, you referred to the [inaudible], yeah, I'm sorry, is that the framework also has applicability at the enterprise level.
So that's good corporate citizenship, that's good business practice, and, of course, every company wants to be more secure, right? As much as they could look at that, the working group seemed to go out of its way to actually not discuss enterprise IT systems, out of a fear that that might, as I understand it, give the FCC some additional leeway to regulate what it doesn't regulate? From our perspective on the SMB group, if you're a company with ten employees, you've got extremely limited resources, right? You've got one, perhaps, technical officer who's the CTO, he's the chief security officer, he looks at new business opportunities, and if he's got limited resources, where should he prioritize that? And what we said is that he should look at core and critical infrastructure first. But all of the associations, the network operators on there, agreed that this is a good business practice. So if they can, yes, it should be applied at the enterprise level as much as they can. Kevin? Yeah. So if I could add to that, we have actually kind of embarked on this process a little bit before the executive order came out and had been anticipating the need for a sector, based on some work we had done collaboratively with the Department of Homeland Security years ago. We run the gamut from some very small rural communities to Washington, D.C. and New York City. So we had to be cognizant of the scalability. And part of that effort, you know, there's been a lot of activity, and I think folks can get their hands around some of the enterprise business systems that are operational and the types of things that are done there, and there's been less talk in the past on process control systems or industrial control systems, which is where some of these standards that are embodied in this framework are kind of focused.
So, not perhaps unlike what [inaudible] did, we developed a process to make the framework more transactional for our members, understanding that a lot of them don't have CIOs, right? And so putting it into terminology and how they apply the technology in a prioritized manner given limited resources: where should they focus their time and efforts? So we've created a prioritization tool to help them work through implementation, application of the principles in the framework, to try to change that behavior and institutionalize it, as I think we've heard from some of the other speakers today. So I think the answer is yes. Yes. [laughter] So that ideally plays over into the enterprise system as well. So, Adam, are we going to be changing the name of the cyber security framework for critical infrastructure anytime soon, now that we've established it's not just for critical infrastructure? Well, so I think you posed your question in terms of how do companies evaluate critical infrastructure within their entities, and then can the framework be used more broadly. And that was one of the discussions that we had, actually, in the development of the framework. I think, as Jesse was saying, different entities view it very differently. Some entities will treat how they deliver critical services and they'll manage that separately; others take an enterprise-wide view and are leveraging the framework in that way. You could set up a series of profiles within your organization, but we are seeing people that are using it, large to small organizations, at least based on the feedback we're receiving, they're getting more utility from the broader application, where you can kind of look across your entire enterprise. And that is the sort of thing that the auditing and insurance community also likes to see. They like an approach that shows that you're managing all of your risks for all of your networks.
In terms of other organizations using the framework even though it was developed for critical infrastructure, I mean, that's something we talk about. If you look back to our very first RFI, we talked about using, we used the term generally, organizations. One of the reasons we did that was we had an expectation that critical infrastructure also evolves as organizations and businesses change and they get different services and they move up and down in the marketplace. So we always wanted, and as we come from the Department of Commerce, we thought about doing this in a way that could be broadly used, and, of course, we're excited that it is being used by organizations that may not traditionally be considered critical infrastructure. Let's get some other folks involved. So, Larry, you've talked a lot about the need for the federal government to follow through on a portion of the executive order about developing cost-effective measures. One thing that NIST officials say a lot, and private sector executives as well, is that the framework is infinitely flexible because every company is a special snowflake and, therefore, what constitutes cost-effectiveness necessarily must vary from company to company; therefore there can be no federal government cost-effectiveness standard or guide or what have you. Well, I think [laughter] the reality is that if we're going to have a voluntary system in a capitalistic economy, it is going to have to be cost-effective. There is no other way to deal with this. And this is what every single study that has looked at cybersecurity tends to find: CSIS, PricewaterhouseCoopers, CIO magazine, the list goes on and on and on. Companies make decisions based on cost-effectiveness.
And the one modification I might make, building off one of Adam's comments, where we need to integrate the framework into how you view risk, that's true, but really we have to hew, I think, closer to what Senator Johnson said at the very beginning. We need to integrate the NIST framework and other security steps into profitability. Into growth. Into innovation. These are all one and the same things. Now, as to whether or not we can offer any guidance on this, this is what we do with everything we do in the private sector now. Companies look at environmental regulation or activity, or disability regulation or activity, and they make a cost-effectiveness calculation. Now, my guess is we could come up with some fairly useful guidance because, frankly, electric utilities don't look very much like IT companies. Defense companies don't look very much like some other manufacturing companies, etc. I think we could do some useful studies, and we have proposed this be done in a collaborative fashion, integrating the sector-specific agencies with the sector coordinating councils to jointly come up with a mechanism so that they can together determine what would be the most cost-effective way to implement the framework within their particular sectors. And by the way, we at ISA have gone further and found that various sizes of companies, even within the category of small businesses, find different things to be cost-effective. So we have looked at companies with one security person, such as Jesse was pointing out, and we have found there are certain things that can be done in that small a company that are not necessarily the same thing as if you have ten security people.
So the reality is that if we are going to get truly broad-based, voluntary adoption of the NIST framework, we are going to have to address this at the economic level and integrate this into the overall mission of our economy, which is growth, innovation, security, profitability, all tied together. So guidance by industry sector and guidance by industry size. Well, those are two of the most obvious, in my opinion, ways that we could subdivide these sorts of things. I'm sure there are lots of others, but I'd be happy to start with those. So individual companies aren't as special as they like to think. Well, we are all individually special, [laughter] but every single one of us probably does well if we exercise, watch our diet, a variety of things that are health-effective for us, cost-effective for us. We're probably all pretty good, notwithstanding our individuality, if we study and do our homework as students, etc., etc. I think there are certain best practices that can be applied across the grain, and I think that's probably true with regard to the NIST framework. Brian? First, I would like to note that I'm morally opposed to exercising, dieting and [laughter] studying and typing my homework. [inaudible] Yes, I know. Live long to 42. You know, it's very interesting, building on Larry's comments and building on Senator Johnson's comments, you know, the framework can be extremely flexible. I do think it is an excellent representation of how companies can begin to start to think about cybersecurity. I think the number of people dedicated to cybersecurity internally is a bit misleading, or focusing on that in terms of how useful the framework would be. If you have 1, 10, 500 or 1,000, 10,000, etc., you still are all being breached at any given moment, right? So it's not necessarily about preventing the event; it's about recovering and managing that risk as much as anything.
When it comes to cybersecurity and the utility of the framework, I think, in my opinion, looking at the framework and looking at it for critical infrastructure, etc., I don't think that the framework came as a big surprise or as something truly innovative for the larger utilities or the larger companies, etc. And that's not in any way, shape or form to denigrate the great work that NIST has done and what Adam has done. I think they've done a fine job. I think it's very helpful for the smaller and medium-sized businesses that really just sort of have no clue where to start when it comes to cybersecurity. You usually get the answer, well, should we unplug from the internet? What firewalls should we buy? Etc., etc. And so, you know, I like to look at the framework from that perspective. The other thing that I think is very important to note too, and I've seen Adam make comments on this before as well, a lot of times when people talk about the framework, they talk about, well, we've adopted the framework, we have fully integrated it into our systems, and then we will see comments in the media, from lawyers mostly, who say if you don't adhere to the framework you've violated a de facto standard of care and that's the benchmark for determining liability when it comes to cyber risks. And I just don't think that's the case. I don't think that the framework represents a standard of care. Are those lawyers charlatans? I would call them shills. And I'm not above shilling. I'm more than happy to shill to get work, but it's not necessarily that they're charlatans or what have you; I think it's a fundamental misunderstanding about what the framework's intended purpose is, which is sort of to understand your risks and maybe how to generally organize yourself, but it's all in the implementation at the end of the day, you know? It's like a golf swing.
I can watch a video of, well, the old Tiger Woods as many times as I want and try to mimic it, but I'm never going to pound it 340 yards down the middle of the fairway. And I guarantee you that's never happened in my life. Usually takes me three shots to get 340 yards down the fairway. So when we're looking at the utility of the framework and we're talking about expanding its use beyond critical infrastructure to enterprise, etc., I think we have to understand that it's one piece of the puzzle. Just like information sharing is one piece of the puzzle. It's, you know, we're talking about threat signatures or indicators of compromise, etc.; that's all well and good, but it's not going to provide you with complete cybersecurity just because you're getting threat information. There's a lot of good information, there's a lot of bad information, and there's a lot of useless information. And so it's all about how you actually execute at the end of the day. And while the framework will be helpful in some context, it really comes down to how does that company implement? And that's where the rubber meets the road.

So I guess this brings up a question about how do you measure that. Or are we measuring it? There's been a lot of talk about measurement. There's been a lot of talk that because the framework is individually implemented, a universal set of measurements isn't possible or could measure the wrong thing. But we've heard that sectors have commonalities. Business horizontals, like size, have commonalities. There is common ground for some kind of measurement, isn't there? You, Adam?

Okay. Well, I'm going to take this opportunity, you said to keep this brief, our responses brief. And I will do a little bit of shilling myself. One of the things that we recently put up was a frequently asked question, a very lengthy one. Other questions from future forums you can use from here saves me from doing my homework. Exactly. So let me just read the response we put here.
Framework effectiveness depends on each organization's goal and approach in its use. Is the organization seeking an overall assessment of cybersecurity-related risks, process and policies? Is it seeking better management of cybersecurity with its suppliers or greater accomplishments in its assurances to customers? Accordingly, the framework leaves specific measurement to the user's discretion. Individual entities may develop quantitative metrics for use within that organization or its business partners, but there's no specific model recommended for measuring effectiveness of use. So that's where we are, that's what we've heard from our stakeholders, and that's our overall thought on that issue. It's something we can certainly study and discuss and work with our partners to think about what these common measurements and metrics are, and I think that is something we're very interested in seeing as people use the framework, have other risk management tools than the steps they put in place to help evaluate and measure how they're doing the right things.

Let's just go down the line.

So I just want to jump in really quickly to agree, again, as I usually do, with my close friend Adam on issues like this. And I think that that's exactly right. Not only can these things be measured following the outline that Adam just laid out, they will be measured. Every single corporate, we do a lot of work with the National Association of Corporate Directors focused on the framework; we endorsed that in the publication we did for them. Every single one of these corporate boards comes to these decisions, and they want to operate based on metrics. Now, can an individual company come up with their own goals and determine their measurement for achieving those goals? Of course.
That's what every single company does with virtually every single business decision they make: where should we open a new store, what new products should we launch, should we use an international supply chain or a domestic one? All these things are looked at carefully, measured, and measured both in terms of their effectiveness and their cost. And unless we integrate both of these, as I'm telling you the companies will, then we're going to miss the boat. What I'm saying, however, is that we could do a substantial solid, we can do a real favor for our private sector companies, and in particular our smaller companies, if we gave them some metrics, some samples that they could work from. If we could say, you know, we did a study of small water systems as opposed to large water systems, and we found out that this set of best practices was most cost effective and this one is not, people will then look at that. Now they know where they can go to implement the framework for their own particular use in a way that is most likely going to benefit them. And by the way, they will then study it on their own to see whether or not that was true in their particular case, and they will make adjustments moving forward. That's how we integrate the flexibility of the framework, which is one of its major pluses, with the inherent obligations of these businesses, which are legally charged with maximizing shareholder value. We have dual stresses here. We have security and we have profitability. We must integrate them. And as I mentioned in my question to Senator Johnson, that's really difficult in the digital age because lots of the things that we do to drive innovation and productivity actually undermine security. So we're going to have to look at these pretty carefully, study them and come up with ways to move forward. Yeah.
So again, kind of playing off the points that Adam made and other speakers have made on the individual nature and the flexibility, I think that's the beauty of the framework and the opportunity it provides entities, water utilities, electric companies, telecom, to apply the practices that are applicable to the operating environment. And in the studies that we have done with our members in looking at their operating systems and architecture, there's a significant amount of variability in the types of things that I do. And so the controls that are applicable to this particular utility, maybe only half of them are applicable to the other because of the way they operate. And there's no way, so the aggregation of that data outside of an individual use becomes kind of, it's kind of apples and oranges. It's a fruit medley, right? There's no way to come up with a measurement to see how midwestern water utilities, so here's the question. The question back, right, is what are we trying to measure? Are we trying to measure that I tie my shoes and put my shirt on left-handed or right-handed first? Is that what is important, or is what is important that the entities are taking the appropriate risk management activities through application of the principles in the risk management framework that are laid out in the guidance that we've designed to help utilities apply the NIST framework? And so, you know, there's different measures of activity, whether it's process-related; I think that's good at the individual entity. That's how they can do their internal benchmarking. But at an aggregate level we're really just trying to see a change in how it's integrated into the business practices, and that's through some form of adoption, or to use that term loosely, of the framework. So that's how we have approached it in our sector.

I'd agree with what Kevin said. I mean, you're looking at an aggregate level: have companies utilized the framework? Is it improving their security posture?
Is it succeeding in better securing critical infrastructure, their core networks? Making sure the network is still available. When you look at it at a, in terms of the framework at a subcategory control level, it doesn't, you know, what one company does compared to another might be very different. For instance, if you're a small rural telco and you're serving defense contractors, the security that you might need for your network is going to be very different from a small rural telco in Middle America who has different customers, different anchor institutions, different needs. So I also think we're having a discussion about metrics, but the framework in D.C. circles, we've been talking about the framework for two years. It's something we're very familiar with, the language, but when you talk about the framework, this is still a real nascent concept to those outside the Beltway. For instance, I spoke about this just a few weeks ago and I used the term NIST, and I had to define NIST for the audience. So I think it's really early to be having the conversation about measuring. What we really need to be focusing on is awareness and education. Because, again, from my perspective, our members are 900 rural telcos from across the U.S. They've been doing security for many, many years, and all of them want to be more secure, right? They want to protect their core network. They want to protect their customers' data and personal information. It's a question of assisting them with doing that more effectively and efficiently.

So when you're talking about metrics with respect to the framework, I think, ultimately, it comes down to a critical point, which is that the framework is about risk management, not risk elimination. Every company has a corporate risk manager. They don't have a corporate risk eliminator. Why don't you have one? Because you can't eliminate risk.
And so then when you start applying the framework at the individual corporate level, you have to utilize it in sort of a couple buckets of threats. You need to define the threats and the type of malware and attacks, etc., that you can suffer: those that you can protect against, those you might be able to protect against, and those that you cannot protect against. And that last bucket is nation-state attacks, for instance. Nobody in this room, not even the federal government, can withstand a concerted nation-state attack. And so when you're looking at metrics from a framework context, it's more about incident response. When you're in that fuzzy middle area where it may be a nation-state, where it may be organized crime, it's kind of a mix between incident response and defenses. And then there are the threats you should be able to protect against, malware, etc. But ultimately, again, it's how the individual company is looking at the risk and how are they utilizing the framework to appropriately protect themselves, whether to stop it at the perimeter or to try and minimize the loss that's associated with a cyber attack.

One quick thing I wanted to add, too, is actually to an article you wrote, David, about a month or so ago, that we're dancing around a little bit here, talking about some of the responsibilities of software developers as well. You wrote an article about Google potentially releasing zero days after a certain time frame, that they have come to discover. That's an important point as well. As much as the companies can do to protect themselves, whether it's through perimeter defenses or incident response, there's lots of moving parts here. And part of the problem that we have to confront is that a lot of times companies are receiving software, utilizing software that has unlimited vulnerabilities, and they're not going to be able to discover them all on their own.
So this is a shared burden throughout the entire supply chain, and you have to look at that holistic picture if we're actually going to get closer to truly managing this risk.

Audience questions. I just want to [inaudible] Chris. Yeah.

Actually more of a comment than a question, but I wanted to feed off the comments about the metrics that were going on, and I think Jesse made a very good point that the focus ought to be on education and awareness, especially outside the Beltway; totally agree with that. On the metrics piece, one thing that frustrates me about the conversation is people focus on how do you measure the status of using the framework. The real question is what is the outcome the framework is driving, because really, metrics should be focused on outcomes, not activities. Nobody says, were you in business this year? Yeah, we all were, but that's not really an outcome. Companies are using it is almost irrelevant. Are they using it as an effective tool to drive an outcome? That's why we focus so heavily on things like integrity and how quickly can we recover from attacks, because to Brian's point about, you know, response activities, those are actionable outcomes as opposed to just activity.

We have a question from the online audience here and I'll read it out. Probably this is directed to you, Adam, but anyone can jump in. Considering the vast amount of devastating breaches that have occurred and are known through the media, and also taking into consideration the breaches that are not publicized, how confident are you that awareness and use of the Cybersecurity Framework within the public and private sector will help reduce the number of incidents in the future?

Well, so on the awareness front, I would agree with our colleagues that that still continues to be a priority and making sure, to Jesse's point, that we communicate to people what we're working on here, why it matters to them, how it's voluntary, how everyone can use it.
In terms of the other part of the question, in terms of minimizing incidents, one of the things we talk about quite a bit is, you know, there are those unknown unknowns that companies aren't going to be able to prepare for. So the reason why we talk about risk management and we talk about resiliency a lot is, in some ways, we're trying to have folks understand that you can't prevent every incident from occurring. And a lot of that we're focusing on the framework. The reason why we have those five functions and we talk so much about respond and recover is we think from the security community there is a wide understanding that you can't prevent incidents. But that understanding hasn't always made its way to corporate leaders and to policymakers. So having the response, the processes in place to respond and recover from an incident, we also see are critically important. And then I think to the point of the question, I think we have to remember, if you go back to Ari's presentation earlier in the day, this is one element of many that are going on that industry is undertaking, that the federal government, that the state government, international governments are undertaking to help manage this problem, and we think together, we hope that, obviously, it will have the approach of making things better out there.

David, if I could just build on Adam's comments, and I agree with him, and particularly the last one about how many things we are dealing with here, and, you know, in thinking about the title of the event as to whether we're gaining traction or losing ground, I think we are both gaining traction, and we are losing ground. The problem is so complicated and the bad guys have all the advantages. Attacks are cheap, easy, profitable; defense is hard; after the fact there is virtually no law enforcement. And Jesse's comment about having to go out into the community outside the Beltway and do more awareness and education, that's so true. I mean, this past week Mr.
Clapper said that cybersecurity is a bigger threat to our nation than international terrorism. And I think that that's probably true. But the spending by our government, which by the way does get it and is expert, is about ten times more on terrorism than cybersecurity. All the efforts that Adam and other people and those of us in the room are making in this space are not nearly enough. We need much more efforts, we need much more funding, we need much more investment, we need much more thinking about this; otherwise we're going to continue to fall behind.

[inaudible] Sir, last question. Real quick.

David Lee from [inaudible] Corporation. Small company here in Virginia. A couple comments. I mostly disagree with the panel on metrics. Chris, I agree with you, it's measuring outcomes. With the framework being a Rosetta Stone, it is the ideal framework for measuring progress and outcomes among different organizations, even though they do it differently. And if you want to know how, there is one measurement that everyone ought to be measuring, which is how do they respond, how fast do they respond, and do they respond to those priority indicators of security breach. [inaudible] Because if they don't, hold on, if they can detect them. Well, most breaches there are indicators of compromise. Almost every. Target had two times they could have prevented it. So there are indicators. We miss 'em. And it goes back to what Mr. Finch said, process control management; the Cybersecurity Framework is great. You want to talk about, I hate to do this, but for time, if you have a question, okay. Thank you very much. Come talk to me about how to measure it. Thanks. [laughter]

Could I just, I'll just respond to the comment, because I think there's one thing, one point that I would make is, if you think about a lot of our efforts, it is about reducing complexity.
But the goal of getting these things out there is not to add more guidance, to add more paper for people to go through, but to help make these conversations a little easier because we all understand where we're coming from. That is the role of standards. That's why we think a lot of these efforts are really important. That's one of the things that we think will be really helpful in the long run, even in terms of reducing costs; when these products and services and standards guides are coming in there, we think we can have a much richer conversation.

Please join me. [applause] All right, folks, I'm going to say thank you all for attending in person. I want to also acknowledge all the folks who attended via live stream. I want to thank all the panelists who were involved today. I thought it was a very excellent and informative set of panels and discussions. And I want to also announce that we will have a, you heard a lot today about the work of CSRIC Working Group Four. On March 19th, U.S. Telecom will have another National Policy Cyber Forum to talk about that event, so look for that on our web site, and we'll be pushing that information out as well. Thank you and have a great day. [applause] [inaudible conversations]

The Ferguson Police Department, in conjunction with the municipality, saw traffic stops, arrests, tickets, as a revenue generator as opposed to serving the community. And that it systematically was biased against African-Americans in that city, who were stopped, harassed, abused, called names, fined; it was structured so they would be caught up to pay more fines they could not afford to pay, or that made it difficult, which would raise the additional money they had to pay. And it was an abusive situation.
So the conclusion the Justice Department arrives at, the steps that are now to be taken, is the Justice Department has admitted evidence to the city of Ferguson; they have to decide, do they dispute the findings of the Justice Department? And my comment on that would be, what is striking about the report is it was just using emails from the officials themselves. It wasn't like they were just making it up. But now they make the decision: will they enter into some sort of agreement with the Justice Department, which says clearly broken and racially biased system, or if they don't, the Justice Department has the capacity to sue the city for the rights of Ferguson's. Tomorrow the president will be at a commemorative ceremony recognizing the Bloody Sunday voting rights march from Alabama.

You would see what they saw as a kid: that Washington was a large man, very robust, and Madison is a skinny little guy. But his ability to form partnerships with the ability of the era. But it alludes to his gift of country with his talents and what he was able to do to create the first self-sustaining constitutional republic.

A familiar face, senior White House correspondent, also the author of several books, including Celebrity in Chief. Here is the cover of the book. You write, American presidents only after the advent of the mass media that increased the power and reach of the presidency under FDR, but then the U.S. became a true superstar. Where did you get that idea? I have written seven books, and FDR, I think, is the first modern president. Not only did he gain power as president in a modern sense, but he understood the importance of the mass media; at the time radio and newspapers were the dominant media, but typically with the power of radio. Sanders said they could enter their homes as they wanted to be
