
Reaction from Capitol Hill. Joining us first is Representative Mac Thornberry, a Republican of Texas, member of the Intelligence Committee and, in the last Congress, task force chair on cybersecurity for the Speaker. Mr. Thornberry, when you look at the president's executive order, what's your initial reaction?
Guest: That it's okay. There are some things that clearly need to be done with an executive order, but some things can only be done with legislation. So part of my reaction is I wish the president had put as much effort into getting some legislation passed and then come out with the executive order rather than the other way around, because I guess one of my fears is it's going to take, it could potentially take some momentum out of the effort to get legislation passed.
Host: Now, how similar is the president's executive order to the task force recommendations that you made last Congress?
Guest: Some things in the executive order are exactly as we recommended that the administration do. For example, the federal government being more careful about the computers it buys and having higher standards in its, with its purchasing power is a good and helpful step. We talked about having voluntary standards for private industry so that they could know what they needed to do, they could tell how close they were to reaching certain goals, and I think that's the direction that the executive order wants to go. What we don't know yet is the standards that NIST will come up with, and there's still some anxiety about the administration trying to do too much about direct regulation rather than voluntary incentives that get market forces working to improve our cybersecurity.
Host: What about in the definition of critical infrastructure? Is there agreement there?
Guest: Well, I think it's kind of one of those things most of us know what some critical infrastructure is; electricity grid, etc.
Exactly how the administration chooses to define specific industries and then what comes with that, I think we don't know yet from the executive order. You know, the executive order sets up a process that is just beginning and will take several years to complete. So that's why on its face there's a lot that I think a lot of us think is going in the right direction, but the way it's implemented is going to tell us a lot about whether it's effective or not.
Host: Well, Representative Thornberry, we want to play a little of Michael Daniel, the White House cybersecurity coordinator, from last week talking about the executive order and federal regulations. Here is Mr. Daniel.
Guest: If they believe that their regulations or requirements are not sufficient in that area, then they will, they could, in theory, impose new regulations or executive actions that would require infrastructure to be brought up to that level. But I think for the most part you're going to find that it will be a voluntary process for companies to participate.
Host: Representative Thornberry?
Guest: Yeah. Well, I think what he was referring to is that existing regulators of industries can put new requirements to improve cybersecurity in the industries that it already regulates. And that general approach is exactly what we recommended in our task force report. In other words, you don't need another regulator to come in and regulate the cybersecurity part of the electricity industry. They have existing regulators, and you need to work through them to improve cybersecurity. And I think that is preferable. But I also believe we can't, we've got to be careful about too much emphasis on direct regulation. Remember, these are threats that come at us at the speed of light, and the threats change just about as fast. So the idea that too rigid a government regulation can solve this is misguided and wrong. What you need are the voluntary incentives for industries to keep up with it on their own.
There's no way that a government regulatory process will ever be able to do that.
Host: What about when it comes to liability issues?
Guest: Yeah. The key concern for liability is if an industry has threat information it would like to share some of that information with the government, there's a fear that they could be sued by shareholders or customers for sharing information with the government. So this is one of the areas that legislation is required. Now, you still have to have privacy protections, you don't want to give away people's personal identifiable information. But there has to be a way for information sharing, the government sharing with private industry and private industry sharing back with the government. That's the only way that our country can be more secure. But there's going to have to be some changes and protections in the law in order to facilitate that sort of exchange.
Host: Are there limitations on information sharing between companies?
Guest: Sure, absolutely. There are now antitrust laws which limit some of that, liability laws limit some of that. Some of the regulations from the regulators some of that. And, again, this is always balancing act, so you don't want companies in the same industry to share so much information that you get into serious antitrust issues. But on the other hand, we don't want to just let, you know, the theoretical be the enemy of the good. So, for example, there's been a lot in the news lately about attacks coming against major U.S. financial institutions. They need to be able to share that information about those attacks so they can better protect themselves. And so making sure that there's not legal liability or other legal concerns, facilitating that exchange is part of where we need to go, I think.
Host: Mac Thornberry, when it comes to cybersecurity, how do you see the role of the federal government in protecting private institutions such as banks, etc.
Guest: Well, I think that's an evolving question. On the Armed Services Committee, I had a hearing two years ago, and I asked this basic question. If a bunch of bombers were coming to bomb refineries, we know what we would expect the federal government to do to protect those refineries from being destroyed. If it's a bunch of packets coming through the internet against the same refineries, we don't know what to expect. So I think the role of the federal government of defending the country in cyberspace especially against these sophisticated state or state-level actors is, is evolving where I do think the government has to be actively involved in defending us. And in a secondary role is the federal government facilitating the kinds of protection and defensive measures that we can take for ourselves and that companies can take for themselves. So I think those are the two roles; protecting against the sophisticated actors and encouraging a higher state of cybersecurity and preparedness for everybody else.
Host: I want to play a little bit more of Michael Daniel from last week talking about the private sector.
Guest: One of the questions that I think we're currently wrestling with is exactly what is the government's role in providing cybersecurity to the private sector. At what point does the government intervene? Under what conditions? I think all of those are still questions that, um, while they are much more well developed in the physical realm, we're still trying to figure out what those rules of the road are in cyberspace.
Host: So how will those rules of the road be developed, Mr. Thornberry?
Guest: Well, the only way they can be developed is in consultation with Congress. There is a good deal of thinking and effort going into this area. The administration has been talking with us. We also have to talk about what is the military role versus what is the civilian role, the Department of Homeland Security, etc., and there's a lot of complex issues to work our way through.
I guess my point is no administration can sort this through on their own. They have to work with both parties in Congress, and it's going to take a lot more consultation, working through in order to really get us closer to where we need to be. At the same time, we can't afford to study this to death because the threats are coming at us every single day. And it is a serious economic security and national security issue for the country.
Host: What kind of conversations have you had with the White House and Mr. Daniel, the cybersecurity coordinator?
Guest: I have not met with him. I have met with some of the national security staff on what their thinking is especially for the role of the military. And I have regular conversations with Cyber Command and others in the military and intelligence communities about their role. But, again, it's not just a military issue. Homeland Security's involved. So you get several agencies, you get a number of industries, lots of interaction. And, again, then the threats come at us at the speed of light. And that's part of what makes cyber so challenging, is it crosses so many barriers and happens so quickly, it's not the sort of thing that our government and our systems are set up to deal with.
Host: The cybersecurity order emphasizes the Department of Homeland Security. Are you in agreement with the emphasis on DHS?
Guest: I think DHS has a very important role, absolutely. And defining that role, what that role is and especially how Department of Homeland Security relates to other regulators, as we were just discussing, is a key part of this discussion. We cannot let, in my opinion, the Department of Homeland Security become a second or even third regulator on a lot of these industries. It'll bog everything down so much that we will never be able to get where we need to go.
Host: Mac Thornberry, what about the report that came out about China attacking the U.S. and U.S. industries?
Guest: Well, it was very disturbing, because it gave a great deal of specificity to a number of, to a large-scale effort by China to steal information from U.S. companies. And I think you've seen people in the administration and in Congress talking about this going on for some time. The Mandiant report, I think, gave more specificity to it, named names, and so that made it, I think, more noteworthy. But it is a snapshot of what is happening now. I guess the point I'd want to emphasize is it's getting worse, it's not getting better. So as disturbing as that snapshot is, it is, this threat to our country, to our national security, to our economic security, stealing jobs away from us, that threat is only going to grow in sophistication and probably in overall quantity in the future.
Host: Well, some of the pushback that we've seen in the press regarding private entities and cybersecurity legislation or regulation is some of the private entities already have higher standards than the government, and then there's the reporting standard and whether or not they meet the threshold.
Guest: Yeah. There's no doubt that some private industries have much better cybersecurity than others. I think most people would say who are knowledgeable in this area that there is no industry that cannot be penetrated by sophisticated, state-level actors. So it seems to me only by having a true voluntary partnership between private industry and especially the private industry involved in critical infrastructure with the government can we really protect the nation and our jobs and our security in the way that we need to. If everybody's not working together and working together voluntarily, we're just not going to get the job done.
Host: As a subcommittee chair on intelligence and member of the Armed Services Committee, at what level does cyber threat become cyber warfare?
Guest: I think people are grappling with terminology, and I don't know that there's an agreement on that.
Certainly it is possible that through cyber you could have physical consequences. You could destroy a building, you could destroy infrastructure, you could affect the safety and even take lives through, just through the internet. And so clearly when you've got physical consequences or when you destroy data, for example, reach through the internet, destroy data in another computer, that has physical consequences. I think most people would say that's a form of cyber warfare in some situations depending on who it is, could be cyber terrorism. But a lot of this terminology is still in flux, and there's not agreement on it.
Host: And finally, Representative Thornberry, we began this conversation, but mentioned legislation. Do you foresee legislation in the 113th Congress, and if so, what's the process?
Guest: Yeah. I think so. In the House we passed four bills last year dealing with cybersecurity and had hopes that the Senate would be able to pass them or its own version. Unfortunately, the Senate was not able to. I think we're going to go back in the House, we're going to take another look at the four bills we passed last year. There probably may be some other legislation even that we can pass. And I hope that we can take cybersecurity in bite-sized chunks so we don't have to solve all the problems in a single 2,000-page bill. We can take narrower slices of the problem. I think that's more politically feasible, but also it probably means that we're going to do a better job in writing the legislation when we don't try to do everything at once. So I hope that's the approach we take. We've got to act. We can't just continue to do nothing because, as I said, the threat is growing, and it endangers us.
Host: Representative Mac Thornberry, Republican of Texas, thank you for being on The Communicators.
Guest: You're welcome.
Host: Senator Jay Rockefeller joins us to talk about cybersecurity. Thank you for giving us your time.
Guest: Thank you, Pedro.
Host: The president now has an executive order out on cybersecurity. What did you make of what he put out?
Guest: It was good, and, you know, he did it out of frustration that the Congress wasn't doing anything. And he put that out, and it was, it was very, very good. But what he can't do is provide kind of a legal framework for all that you have to do in cybersecurity. There's a lot of congressional action that has to take place. And we actually passed a bill in the Commerce Committee unanimously that was a full cybersecurity bill which is still the basis of everything that we're doing and was the basis of his executive order. But the president can only do so much. The legislature has to come through, and we didn't. We got dragged down many Chamber of Commerce politics and politics, and it was sad. This year we've got a new crowd, new enthusiasm, less partisanship to begin with, and I'm hopeful.
Host: What is going to help you satisfy that hope into something that passes in the Senate? You had this effort, Senator McCain and others turned it back. What's different this time around as far as your procedure and what you want to get from it?
Guest: Politically, I think the Chamber of Commerce will, may be less involved. They were almost wholly responsible for the fact we couldn't get anything going. They were very, very negative. And it was very much against the national interest, but they didn't seem to care. This time I think their power is diluted somewhat, and secondly, look, it's been around for a long time, cybersecurity. And we finished talking about it, we finished kind of wondering what's going to happen because things are happening every single day that are destroying our intellectual property, which are taking away from our future, and people are very casual about it. Newspapers are casual about it, everybody's casual about it. But we're not, and we can't afford to be, so we've got to come through in the Congress.
Host: So when things like minimum security standards that are voluntary in nature that come up from the industry at least some saying concerned about those voluntary measures becoming mandatory, how do you satisfy those concerns?
Guest: You never satisfy concerns before something has happened. People always assume the worst depending on where their point of view is. But there have to be, there has to be standards. In other words, you can't just say just go do what you want. I've met with businessmen who I know very well and who I like very much and whose companies I know very well, and I've known them for a long time. And I ask them about cybersecurity, and their sort of certitude of their position of safety of doing the right things is not credible. I can tell it by body language, I can tell it by the way they talk, and I can tell it by their lack of sort of, apparent lack of interest. And when that affects a CEO, you know that you've got a problem with, in this case, a huge company.
Host: Was the Republican side concerned, more concerned about the fact of these becoming regulatory standards?
Guest: Yeah. Everybody wants to look at the worst-case scenario.
Host: Uh-huh.
Guest: And the worst-case scenario has nothing to do with the Republicans or Democrats. The worst-case scenario is that the Chinese and others simply bankrupt this country's financial services or shut down our air traffic control, unleash dams that are computer run, affect our water system, affect our electric grid. That is what people should be scared of. Everything else is secondary to that. So because of the danger of that, the fact it's the number one national security threat and has been for the last three years as defined by all the intelligent military people, we have to have standards. There have to be standards.
And that's why the National Institute of Science and Technology known as NIST, they are very good at getting together with the private sector and bringing their public sector entrepreneurial perspective. I mean, they're loaded with Nobel laureates. They're a really smart agency which is not a regulatory agency. It's just, it helps. It's an enabler of legislation. And so they, they've got to get involved in this. We've got to have standards.
Host: So, and the other aspect
Guest: We have to have standards that stop people from being able to hack us. In other words, they've got to be not just standards, they've got to be sufficient standards. Otherwise there's no point in going through it at all.
Host: Well, to that effect companies, industry saying, look, part of this is you want us to share information particularly about cyber threats. How do you set up a standard where companies will share and not be afraid or at least concerned about the information they're sharing and putting out there?
Guest: It's in their own self-interest, and the more we get into this, the more they'll understand that. We've been through the same thing in the world of intelligence. We actually had to pass a bill right after 9/11 allowing the FBI and the CIA to talk to each other. I mean, it's embarrassing, but it's true. It's the first bill we passed after 9/11. And still people are loath to leave their jurisdictions and their properties.
Host: So from the legislative aspect, what assurances do you provide?
Guest: We can't provide assurances. What we have to strive for is a level and standard of excellence and worry less about who feels like they're being stepped on and do what's right.
Host: Our previous guest, Mac Thornberry, said on the House side they passed four or five pieces of legislation on cybersecurity. Talk a little bit about what the House is proposing on this. How does it match up with efforts on the Senate side?
Guest: It doesn't match.
It doesn't match with efforts on the Senate side, because they only really do one thing, and that is information sharing which is really important. The public sector and the private sector to disclose to each other or industries to disclose to each other that they have been hacked into. Look, at one point I got so frustrated about this that I called up Mary Schapiro at the Security and Exchange Commission, and I had no right to do it except that I did it. And I said just put on your web site, require on your web site that anytime a company is hacked into that they simply have to report that they've been hacked into. And that's of interest to stockholders. It's like mine safety. People have to know that you're running a safe mine. People have to know that you're running a cyber secure operation. That affects the bottom line whether they invest or not. And that's had an effect, I think, on the whole situation.
Host: So as far as the information sharing side, you said one thing, what's missing then on the House side?
Guest: What's missing is all the rest. That is the standards
Host: Standards and following them.
Guest: Standards and training. We really have a complete lack of adequate numbers of people in math and science in general, but particularly in the area of cybersecurity. We just don't have a whole lot of people who really know what they're doing on this. I don't mean to denigrate anything.
Host: Uh-huh.
Guest: But we have that lack. It's just part of the American education problem. And one of our witnesses at our hearing today said that we should start in kindergarten, in elementary school teaching people about cybersecurity so some will get into cybersecurity and be able to set those standards and do it without being defensive about it, but doing the common purpose of protecting America. The silly thing is that everybody benefits by doing this cooperatively, and everybody loses if we end up fighting and not doing it.
Host: You mentioned cooperative.
What about the international community, especially now that we have stories about the Chinese over the last couple weeks. How do you get them involved in this, and what role do they play, if any?
Guest: They play a huge role in it, and probably a major role in it, but they're not alone. On the other hand, there are people from within the United States, within Russia, within Estonia, all kinds of places. Anybody who can work a computer can find a way to hack.
Host: How do we make the case to them?
Guest: It's a hard case to make. What you have to do is to have standards that protect you from those attempts, because the attempts will never cease. Even people just for their amusement will do it. They'll never cease. So you have to have standards, walls that are secure enough to keep your intellectual property safe.
Host: Have you had a chance to talk with Senator McCain about where you are with cybersecurity and his interest in working alongside you on this issue?
Guest: I've been in many, many meetings with him, and, you know, he gets, he gets, he was overwhelmed as, unfortunately, everybody seemed to be by the Chamber of Commerce's absolute resistance to doing anything at all. And if you were a Republican, it was really hard because the Chamber of Commerce said we're going to score this vote. If you vote for this, you know, we're going to come after you. And hopefully, that'll disappear. I think McCain, you know, it'd be natural for him to be interested in having the U.S. government cyber secure and having private industry cyber secure. This is no good side to being unprepared.
Host: So as far as your game plan going forward in this, in this session do you see a bill coming out?
Guest: I think there's a possibility of that. And maybe we'll just do part of it. Maybe we'll do people training, maybe we'll do information sharing. But I would much rather go on all of it.
Because if we segment ourselves into little compartments, then you lose the momentum for the big picture which is setting standards.
Host: So you'd rather see a whole approach than a piecemeal approach.
Guest: Absolutely always. And it's not, it's terribly complicated, but there are not that many pieces to the problem. But each piece is hard to solve. But the standards of security in the government level, public sector level and in the private sector level are absolutely critical.
Host: Have you heard the argument that now that we have an executive order, why don't we leave it there and not legislatively?
Guest: It's nonsense. It leaves out all the standards, it leaves out all the training of people, it leaves out making Americans aware that this is a terrible problem that we're facing and trying to get people onboard. What he did was really good, but it was wholly insufficient. And he knows that. He was trying to get us going.
Host: And so the one thing you would have seen, at least the version you would have liked to have seen would have included what?
Guest: What our bill had, basically, and that is standards. National Institute of Science and Technology getting together which is not a regulatory agency, getting together with the private sector and the public sector and with Homeland Security to a certain extent and discussing this is what we think we should be doing for our sectors, you know, energy sector or water sector or transportation sector or aviation sector. This is what we think we ought to be doing. This should be enough. Or that's a good start, but it didn't quite enough. I mean, there will be a lot of debate and cerebral conflict, and there should be.
Host: And we'll continue on conversation as the month goes along. Senator Jay Rockefeller from West Virginia, the chairman of the Commerce, Science and Transportation Committee, thanks for being on The Communicators.
Guest: Thank you, Pedro.
C-SPAN, created by America's cable companies in 1979, brought to you as a public service by your television provider. Coming up next, a panel on protecting consumers from debt relief and collection scams. And then we'll be live at the transportation policy conference on issues including funding and passenger rail safety. And later the U.S. Senate returns 2 p.m. Eastern for general speeches followed later with debate and possible votes on two judicial nominations. Live gavel-to-gavel coverage here on C-SPAN2. And now, a panel explores debt relief and collection scams and what consumers can do to protect
