
To train government and private sector cybersecurity experts at control technologies at Idaho National Lab and help them to develop an understanding of what they can do to minimize and mitigate vulnerabilities. So we all know that cybersecurity is going to remain a challenge as far out into the future as we can see. Secretary Moniz and I have made this a high priority. Indeed, we're going to put over 100 million this year and next year towards cybersecurity of the nation's electric grid. In closing, I want to speak directly to the students here today. Can you raise your hands? I understand there are a lot of you. When the President of the United States and many cabinet members and CEOs of important companies come to your campus, we hope we're going to inspire you to pursue careers that give you a chance to find a way to do public service. That can take many forms, and you will blaze your own trails. Indeed, my 17-year-old son Richard will join you here on campus as a member of the class of 2019 this fall. [ cheers and applause ] It's my hope that he will take up this call to action alongside you because we need your minds, your talent, your innovation and your energy. The problems we're discussing today are some of the toughest that we face as a nation, and that makes them the most worth working on. So I encourage all of you to use the privilege of being at this extraordinary university to find ways that you can play a part in inventing solutions that will help us keep our great country strong and safe. Thank you. [ applause ]
Thank you, Liz. That was great. I didn't even know her son was coming here next fall. That's terrific. In the few minutes we have remaining, I wanted to ask one or two questions. Mark, let me put the first one to you. You're our cybersecurity expert in the private sector as part of your firm, which is a rapidly growing firm in this area.
The companies represented up here, Kaiser Permanente, Pacific Gas & Electric, American Express, are probably pretty sophisticated themselves, large public companies in terms of cybersecurity. What is your assessment of how smaller companies, smaller firms are doing in cybersecurity these days?
I think it's a challenge for everybody no matter how big you are. It's a challenge that you may need more resources, but it's the same threats that are hitting large companies and small companies. Bigger companies, like Tony for example, has definitely designated critical infrastructure by your organization, but if you go ask a CEO or an owner of a small company, they definitely consider themselves critical. So they're just as worried and concerned about this, and rightfully so, because they are the subject of attacks. When a small company believes they're not under attack just because they're not a large company, that's a mistake in assumption, and they need to protect themselves in the process, and it's becoming evident. This is where something like information sharing is very, very powerful for smaller companies because they'll never be able to bring to bear the resources that some of the larger companies can. We all work together, large companies, small companies, public, private. A lot of information we're talking about, that benefit will get to the small companies, which employ more people across the United States than the big companies do, so it's important for all.
Thank you very much. In the 32, 31, 30 seconds we have left, let me take the moderator's prerogative to close it out. I want to comment on something my fraternity brother said. We talked about constancy of values.
Let me say to the audience, particularly the students here, we in Homeland Security recognize and believe, and this is certainly true of myself, that homeland security, whether it's border security, cybersecurity, counterterrorism, means striking a balance between basic physical security and the things we cherish as Americans. Our values, our values in terms of freedom to associate, privacy, civil liberties. We cherish diversity in this country. We cherish our heritage, and so part of homeland security is preserving the things that really make this country strong and great. I'd like to tell public audiences we can build higher walls, we can interrogate more people, we can screen more people, we can erect more cybersecurity, but we should not do so at the cost of who we are as a nation. Thank you very much for listening, and thank you, panelists, for the terrific discussion. [ applause ]
Ladies and gentlemen, please welcome the panel on improving cybersecurity practices.
Well, thank you for having us here today. First of all, I am thrilled to be back on campus. I'm a graduate of the law school and the business school, so this weather is not a surprise to me nor a shock. And it's lots of fun to be back home. And my other comment about the previous panel is I really had no idea that Secretary Johnson was such a comedian. And I'm looking forward to asking his fraternity brother a lot about his room when they were in the fraternity. Secretaries go back and forth with one another. But, anyway, we are thrilled to be here today to talk about cybersecurity and how it affects the private sector. A year ago and a day, our administration released something that's been referred to earlier today called the NIST Cybersecurity Framework. NIST is the National Institute of Standard Technology, which is part of the Department of Commerce.
We knew then when we released the framework, as we know now, that cybersecurity represents a challenge not just for critical infrastructure, which is how the framework was originally created, but also for economic security, and as we've heard, for our national security. We recognized then, as we still do today, that the most effective way to combat the growing threats on our cybersecurity space is through a strong partnership between industry and government and the civil society. And that's who we have here today. I represent the government, some of our panelists are from industry and some from civil society. So with the recent high-profile attacks that we've had from Sony and Anthem, it's clear that cyber risks continue to grow and that we as a nation need to do more to strengthen our cybersecurity. That's why Congress must pass information sharing and data breach legislation and update our criminal code without delay. That's why the Department of Commerce is working with other federal agencies and with our educational institutions on something called the National Initiative for Cybersecurity Education, which is aimed at filling the 210,000 open cybersecurity jobs in the United States today. That's why President Obama made cybersecurity a priority in the State of the Union address last month, and that's why our administration has convened this summit. So our panel today is focused on the perspectives of leading American businesses and their ideas on helping firms to align their policies, their technologies and their day-to-day operations to better protect themselves and their customers from cyber threats. All of this room, all of this is about the urgency of the problem that we know exists today, yet a recent PricewaterhouseCoopers survey found that only about 35% of CEOs are extremely concerned about cybersecurity threats. I have to confess, I'm amazed it's not 100%.
But our NIST Cybersecurity Framework creates a common language to discuss cyber threats and a way to measure success for senior executives and their IT professionals. The goal of the framework is to help companies, organizations, institutions protect their IT from security threats, ensure their confidentiality, safeguard their privacy and civil liberties, and capitalize the cybersecurity marketplace in the process. At its core, the framework serves as a bridge between business leaders and information security professionals within their own organizations. It is through the framework that we designed, you know, with critical infrastructure in mind. Any business, though, can use this framework to help manage your cybersecurity risks, and many are already doing so, and we're going to hear from our panelists about that. I'm someone who spent 27 years in the private sector, so that I know, as all of you in this room know, that good risk management is essential for a successful business. And that's why companies from a variety of sectors are using the framework to help manage their cybersecurity risks, including Procter & Gamble, Walgreens, QVC, Kaiser Permanente, all of them are here with us today, and it's also why major auditing firms like Deloitte and PricewaterhouseCoopers are using our services today. The fact is it's in our society, our businesses and our daily lives. As we know, there are 3 billion households worldwide and somewhere between 7.5 and 10 billion items, from toasters to thermostats to phones, all online. And the preliminary implications of the cybersecurity threat given those facts are vast. So our discussion today is going to explore how business leaders and their boards are moving cybersecurity concerns to the forefront. This is an opportunity to learn how this critical issue is part of corporate planning, part of corporate communications, part of corporate governance, part of corporate operations.
So I am really thrilled today to be joined by a number of business leaders. Brian Moynihan, who is the CEO of Bank of America. Ajay Banga, who is the CEO of Mastercard, Peter Hancock, who is the CEO of AIG, Renee James, who is the president of Intel. Leo Connor, who is the leader of technology. So let's jump into this. My first question, Renee, is for you. What is your vision for how technology can create a more secure environment and protect data?
Thank you. We have been working on improving the baseline of security and computing for about the last decade. Billions of dollars of investment. So our vision is really we'd like to get, just get a baseline of security for everybody, and to that end we've made significant investments in the security industry, but more importantly, are moving forward with initiatives like giving away free mobile security, putting in multifactor authentication into all new computers, things that we really think will help consumers if it's just there and it's available for them instead of forcing them to have to go out and make decisions about what security, what they should put in, what are these crazy things. Just make it easier for them and just raise the baseline so we can get everyone. One of the statistics that was most concerning to me, even just two years ago, more than half of the computers in the world that go out go out with the security turned off, basic firewall, basic virus scanning, so those are the kinds of things we've taken a lot of steps in our technology and in the industry, as part of the security industry, as part of the computing industry, to move that forward, to get a baseline.
Does that mean, then, that as I'm buying a new piece of equipment that I'm going to be able to have my security, just know it's there, or does it mean we have a long way to go still with the technology being ubiquitous and protective environment for our information?
I would say I would give us a half in Intel speak, which is to say in the next generation we're lucky to have a lot of collaboration from the software industry, from companies like Apple, like Microsoft, others that are actually putting in security that's, you know, you can opt out, of course, but it's there. Like us putting in mechanisms in hardware so it's a lot harder to break, makes the transaction safer. I'm sure the gentleman on the panel will talk about some of that as well. But we still have a long way to go. It's not complete. It's measurably better in this next generation. I think the telecommunications companies are doing a great thing in pushing security onto the devices because mobile devices have been a big target zone. But to say that we were there would be, you know, a mistake at this point. I think we have a lot of work to do. And I do think that, you know, the conversation on information sharing, the conversation on the public-private partnership is a big piece of moving that forward.
So Ajay, let me ask you a question. There are numerous high-profile and damaging cybersecurity incidents in 2014 affecting a broad range of industries and companies. How have your customers' expectations about cybersecurity evolved, and how are you promoting what you're doing?
So a lot of customers are people like the bank, so Brian is a customer. Brian the individual also carries a Mastercard around. There is the consumer customer, there is the bank customer, there is the merchant, there are telecom companies in all parts of the spectrum. The fact is whether you pay with cash for stuff or you're paying with a card or foreign or biometric print, you want safety and security in the transaction forum. You don't want to make sure something coming at you would steal stuff that is yours. We want to interact in the last three years, which is completely different from the past.
Technology is changing the way people do business and shop and buy and the way things are done and everything else. Along with all those changes, the thieves are changing too. They're figuring it out, how to break into these security. The first one is stop trying to make me remember things to prove I am who I am. Because [ applause ] too many things to remember, and by the way, these darn passwords because of security change are on a different day of the week. If you're working in a company and you've got nine passwords to change on nine different days and you can't use the same password nine times, which basically means you write it down on a sticky and stick it on the computer, which is the worst form of computer. The password is gone. It's gone. What they really want is to identify in other ways is going that direction. The ones look at the heartbeat of you, which identify wearing a bracelet, and you tap the computer and you're fully live and connected, or you open your car with it and it starts and sets your map to your office, and on the way to Dunkin' Donuts to buy coffee and pay with your Mastercard automatically, that's where it's going. That takes away the pain of remembering the password to converting to who you are. I think that will be where this will end up finally. There are challenges of privacy, there are challenges of a lot of information about you which you may not want, and those are real topics to be discussed, which we began talking outside with our presenter, but the fact is that's the first one. The second one is you can use data and analytics in a clever way and a smart way to create a safety net. It's one of the things they're launching to be able to protect wrong transactions that come through by them being fraud because of what they are. If you have enough data and enough analytics, you can do a lot with that. That's the second thing going on.
The third part is something we launched with a credit union to a number of employees in the Silicon Valley firms where you'll be able to use a combination of voice biometrics and scans to get telecommunication remotely. If you do those three things together, going beyond digital payments, which has already been announced. This is the next stage of stuff going on.
Is there really data that is not something that can be discovered?
So the measure of the data we get is I don't use your name when I get your card. I get a card number, a dollar value, the transaction and a merchant call. I don't know it's you. But could I, through collaborating with Brian or someone else, find a way to try to get back to you? Probably. But you chose to have a relationship with Bank of America and you took the card. You didn't choose to have a relationship with me. Brian chose to use a Mastercard. My perspective is play the role with the consumer the consumer chose to have with you. If you chose to have a relationship with the bank or the merchant, you deserve to know it's secure. I don't deserve to know that he does. I'm very clever with where my role is and where his role is, and together we can make a lot of stuff happen, and the merchant community.
So, Brian, the multistakeholder process was used to protect the NIST framework, and I think it's been a big success, but I don't think we have multistakeholder engagement going on. I'm concerned that policy debates that affect the digital economy, including cybersecurity, too often occur in silos. What do you think is the role of the public-private partnership, and how do you break down these silos, and who should lead?
I think NIST had a framework, and I think if you look across the industry, in our company, you see people who are looking at it and studying it, people are adopting it. We're in a phase where we think it's good enough and it gives you a common dialogue. Initiatives like that are important and collaboratively important.
The thing I agree with you is we make distinctions about large and small, we make distinctions about a critical infrastructure or not, we make distinctions about all that. The answer is everybody is in a tent because they all have access. The university has tremendous computing power that can be used to attack other people, so they have to be in a tent. As does Mastercard, as does Bank of America. I think the issue of getting everybody in and the information sharing I think they talked about on a prior panel is very important, and we have to figure out the liability structure, and that's to do still as to how you have the liability. That will take a lot of change. Think about it. If everybody is in the tent, it's a comprehensive view, and then you protect the people who share, the people who use the information to use it the right way. You actually can then get that collaboration that will help do it. Then you get to the individual consumer behavior, and that's the type of thing Ajay talked about, the data and communication and things like that. But I think we're still a long way away from the collaboration we need from the parties. We were better a year ago, better three years ago, better five years ago, but it's getting pushed around the room and it has to be collaborative.
Where should the collaboration occur?
I think it should occur with the government because at the end of the day, a terrific amount of the information is going to be coming through that information cycle, and it's got to occur in things like the financial institutions that Ken talked about earlier, that we share information, so there could be a private sharing among that, but there is an amount that has to go on outside. Also an ability to warn us what's coming and an ability for us to find out what is at us has been used before and can be defused faster. Things like that that are very touchy I think are very critical.
The government spent the money and they have the authorities of powers and capabilities and they see it across everyone. So I think you have to have the government, although we can do tremendous work as we do in the financial institutions sharing information, but I agree there is still a small amount of stuff that goes into that sharing than the amount of stuff that comes at you.
The President, as you know, put out proposed legislation on a cybersecurity legislation that addresses the issue of not just notification about data breaches but, more importantly, offering up liability protection for corporations that share with the government. And that's one of the debates that we've had, is to make sure that there is enough protection so there is meaningful sharing so that we can really collaborate between government and the private sector to address bad actors and bad actions without violating people's privacy. But instead trying to get at the threats. And that's the tricky thing. And it ultimately will take legislation in order to create the kind of protections.
The example is if someone comes into a bank and tries to rob it, we don't ask a lot of questions about why they're there and everything else, we stop the robbery. To get into issues in cyberspace, we start to get into that that we have to think through. It's difficult, but if they're bad actors, they're bad actors. We don't have to sit there and figure out why.
So Peter, what's the role of insurance in the whole issue of cybersecurity?
Well, I think it's evolving. This is an industry that's been around for a long time, and some things just don't change. I was visiting a business in Italy not long ago and I was doing insurance and I saw an industry of policy. We geeks will do all sorts of things for amusement. Here was a policy dated 1670 for marine cargo. What was that insurance policy's purpose? It was to reduce the fear of some merchant exporting to another country. And that has not changed.
So when I look at the potential of the use of data to innovate has, it's as profound as international trade was back then. And the role of insurance is to mitigate fear, to empower the economy. And to quote FDR, what do we have to fear but fear itself? Insurance can, at a margin, mitigate that fear. And today we insure about 20,000 businesses and about 20 million individuals against cyberbreach and identity theft. We've been doing it for about a dozen years. It's still a tiny, tiny business. But through the early learnings from the breaches, the claims, I think that there is a feedback loop of innovation where the insurance industry working together with government can help the adoption of standards, including the NIST, to better security data. But the concept of insurance as a risk transfer is certainly one part of the role. It's the advisory part, the feedback loop, where we choose to insure only people who put in robust controls, only people who have the right corporate culture to put an end-to-end view of where the weakest link in the chain might be in terms of securing their customers' data.
So part of what you're doing is if I'm running a business, you're helping me do a better job at my own cybersecurity, so then you feel that your risk of loss on your policy is less because I'm a more sophisticated actor?
Absolutely. There are many, many consultants and advisers who are much more technically able than we are on this topic. The difference is we have skin in the game. If you get it wrong, we have to pay. So the nature of our advice is very much in a practical way, what statistically tends to be the result? And as Ajay said, it's often a yellow sticky note with a damn password. It's not that complicated where the vulnerabilities are. Getting these simple things right significantly reduces the frequency and severity of loss events, and that's where I think we can really help spread the word and be a catalyst for a more secure data environment.
Is it your perception that as the fear level continues to grow, we've seen what happened at Anthem and other major corporations. Is it the fact we have insurance that people aren't that worried about it, or do you really feel that there is a new level of fear that needs to be addressed?
I think that the insurance is still woefully underutilized. I don't think people are becoming complacent because they've got insurance, I think they're complacent because they're not aware. And a lot of people are reassured by their technical advisers, oh, it's absolutely watertight. But that's maybe watertight in one silo, but it may not be the technology, it's human error that's the problem. So having enterprise risk management that expand silos is the critical ingredient to being secure.
So if you're running Bank of America, you're running Mastercard or you're running Intel, you have large organizations that manage this. If you're running a medium-sized business and I come to you of insurance, what kind of guidance will I get on how I do this when I don't have the large resources to grow with the challenge?
To be honest, for these large companies, our ability to provide sufficient capacity for them is really limited, so it really is the smaller median companies that we can help most. So we have a lot of online training and we have tools which we deliver with our technology partners to provide information sharing on threats. So it's really making it affordable for smaller companies who have rich data sets. It's very critical to their future, but they don't have the resources to fund all of the security apparatus that a larger firm might have.
I think the NIST framework actually opened that, because by creating different levels of companies based on the low level of sophistication, you create a benchmark process that makes it possible for companies smaller than medium to try to live up to the benchmark, makes them impossible to rewrite because of the benchmark.
I think that's a critical part of what the framework does.
I want to get back to the framework in a minute. There is a perceived tension between privacy and cybersecurity. I mean, do you think this is the case, and how are you dealing with this?
Well, I do think it's the case that a lot of people think that is a tension. I wouldn't agree there actually is. In my time in the private sector, we saw privacy and security two sides of the same coin. You can't have good privacy without a good security system. You can't have good protection of your data without knowing data is secure. You can't have good cybersecurity if your employees aren't well trained, if you don't have the right practices and principles. We built a great team here that know how to merge those two mindsets and two corporate values. At Amazon we call data an issue of customer trust and customer respect. It's about respect for the individual. It's their data, it's their dignity at stake. And this kind of always on, always connected world, we are all sharing data. I'm sharing data right now. I'm proud I'm going to get all my Fitbit numbers in today, so somewhere in the cloud the computers are watching what I'm doing. I'm incredibly proud of the great work the technology sector has done on these issues. But we have to know as customers, as citizens, as individuals that our data is going to be protected, it's going to be kept secure, it's going to be treated with the respect when we do business with these communities, and it's not going to end up in the hands of the federal government for no purpose at all, for a kind of reckless and wanton collection of data. Although we respect the fact that there are national security issues and real threats to this country. The whole collection of data in the hands of the federal government is not the solution. I work at this great organization, the Center for Democracy and Technology, and we believe there are solutions.
There are ways around encryptions, there are ways to deidentify and really protect the data and still achieve the ultimate needs and ends we have to get to for cybersecurity in law enforcement.
But is there a limit to what the individual wants by using the data versus the privacy they want of feeling, hey, my device is not giving away my, not giving away my whereabouts or my, invading my personal space?
Well, I hear that dichotomy a lot. Obviously consumer control, individual control, and the control that good companies are already building into their devices, exists and we want customers to take advantage of them. The argument that, well, just because I put all my data on Facebook doesn't mean I want any privacy, that's not a legitimate argument. I should have the right to engage in a fully engaged digital self, digital world, without feeling like I should be spied on by my government.
It's not just the government. You're vulnerable also to folks that are trying to breach all of these folks' businesses to get at information. The other issue is really one about, as I am as a user, customer and product, and how do you reconcile the fact that my data becomes a product that you're selling, but I'm also a customer. I'm not sure I, and I know that when you push agree on the button, you've agreed to all of these things. But is that, you know, we don't have an opt-out system. Should we have an opt-out system?
I think it's more than, the discussion is so much bigger than opt in and opt out. The state of stewardship that I think really good companies like the ones here today are engaging in, thinking about the respectful use of information, the legitimate use of information, to serve their customers' needs, to create new products. This is part of the ongoing dialogue. I really want to encourage, we're thinking about this issue and people around the world are thinking this is no longer property rights, my data is something I can barter and sell and trade.
Although the companies have legitimate interest in them and we want to engage in this fully digital world. But we're thinking about this in terms of the digital self. This is part of me. Latin Americans have the concept of habeas data, my data, myself. I think this is the way we need to start thinking about data transactions in the digital world. This is about my individual space in the online world. I choose to be there. I choose to communicate. I choose to transact. But at the end of the day, this is my personal data. Some of the most intimate data flowing through the systems of these great companies now, and it should be protected.
So I want to return to the issue of the framework and ask you, maybe starting with Brian, about do you use the NIST framework, and how do you use it, and is it helpful to your company?
As I said earlier, my observations are colleagues and institutions are people at different levels, some sort of figuring out, and we're sort of in the implementation on a framework which helps us think through some of the management practices, going to the commentary that Ajay had earlier. I think people use it because people are looking for, especially boards of directors are looking for frameworks of how to deal with companies. And interestingly enough, last week, the board giving my review, and it's not that we're not good at cybersecurity. That's the process where they can remain engaged without getting into the details about what's going on, and frameworks using this as a series of principles and how you think about things are things that you can then use to say, okay, if you do this you ought to be covering enough, but let the professionals really do the work. You know, on a day-to-day, hand-to-hand combat stuff. My observations, people are adopting it, people are using it. And people continue to look for ways to say, am I doing this well enough that Peter's company will insure me?
That I can protect myself and I've done the industry standard in some court of law or some proceeding or regulatory proceeding. That benchmark you get when you get the common frameworks is good.
Peter, do you have a thought on this?
Well, we've helped contribute to the developing of the NAIC, and so we certainly believe that in the effectiveness of the ideas there. They're a great foundation, a necessary but not sufficient condition. I think that an important element that we have implemented for ourselves is the appointment of a chief technology risk officer reporting to the enterprise chief risk officer as opposed to being part of a technology organization. Because I do think that sitting within technology, you can't help being co-opted by your own procedures. So this provides some objectivity that looks across the organization at the weakest link in the chain. And we also incorporate the NIST framework in the underwriting questions that we pose to our potential insured. So we hope through that that's going to really create some standardization, some benchmarking, as Ajay said.
Ajay and Peter, do you think we need framework 2.0?
Absolutely, and three, and four and five. It's going to have to be iterative. Evolving all the time. You have a risk road map and you have created what I would call a storm for everyone who talks the same language. Where a little while ago in cybersecurity we were not all talking similar language. It's a really good first step, but if we sit on this right now, the other guys are moving way too fast. The guys you're trying to protect from are moving every day. Every minute. Right now there are people trying to hack into our companies. Right now. And one of those idiots might succeed. That's the fearful part. And what you have to be careful of is that you are being able to stay agile enough to protect yourself, and not think that there's one framework to solve every piece.
That's the overall issue, is that with just a number of agencies and internal parties, external parties, this thing's moving very quickly. And so where on the real cyber threat attack transactional fraud, information stuff like that, is sharing information has to move at a pace, and the dialogue has to move it is a bit different than you can think harder about the use of information as a company having date stay and we're stewards of data and we take it very seriously. That's something we can think about awhile and make sure we kind of get it right. The reality is with the amount of hacks go on intrusions and phishing we've got to be able to move fast. No framework can keep up with that. But the concept of forcing and sharing of dialogue will. I have been are begun to talk about there is in the way that likens it to the development of the road infrastructure in the country. It is a public collaboration. We built roads this one, interstate, that one the parkway, that one you can't go through. Here's how you turn, there's where you don't go. That's where the speed limit is. Here's where you get the license. And there's law enforcement. Our new digital super highway is going to need some rules of the road, with no pun intended, and the rules of the road are going to evolve as the quality of the cars and the trucks and the methods of moving keep improving. And private sector should feel free to innovate as much as it wants on designing the cooler car and a cooler truck and a car that listens to Peter's voice and starts playing, you know, the music that he likes. That's fine. But it's got to have four wheels and move with a certain set of safety rules, driven by a driver with a license. And preferably not 51 different rules for 51 different states but a federal license would have been great. Now do you think about it. Right? This is all history. We have chance to do this the right way. If you learn from all that we did in the physical infrastructure, and that's my only point.
To do that then NIST 1.0 is the beginning of NIST 2.0 and 3.0 and right. It should be evolving. Many others. I think it's an interesting analogy on this pace of version release in other areas in driving regulations, and building regulations. Both of which we watch closely. And in Superstorm Sandy, we had to pay over 2 billion of claims to businesses and infrastructure that got damaged. And there had been a flood in the same area 40 years ago, and the building code changed about 2007, about 22 years after the first flood, and to move mechanicals from the basement above the flood line, and underwriting guidelines can change much more rapidly than the regulations can. So we can perform an interesting bridging role between version releases. To feed back the learning and the constant litany of daily claims. We have claims every day that teach us something. Well, in fairness, we're not government is not getting that kind of daily feedback loop. But we can get the feedback loop from you and then revise the frameworks. Exactly. Knowing that the adoption right now we're focused very much on adoption because as soon as we can have, using as you said the Rosetta Stone the same language where it becomes ubiquitous then you begin to say what are the rules and regulations that ought to exist there. How do you judge whether the return on investment of your cyber investments? Is this an unlimited pool of money that needs to be thrown at this problem? How do you know you're doing the right amount? I don't think any of us is doing enough. The guys at the other end are doing much more than all of us do. If you're a bad actor at the other end is the mafia group versus a young kid versus the state government. None of us can spend enough money individually. That's why this public-private partnership is so important.
The federal government and resources that are used in many different aspects that we could benefit from and we could benefit from innovation of what the federal government could do. I don't think any of us spend enough. So there's no way to say I'm actually spending enough. I don't sell digits, I sell a global network that people use because they rely on security and safety. How much money is enough to protect that? I don't know. As I mentioned people ask this question, there's 230,000 people in our company and I can any day know exactly where every one of them is and how much they cost and everything else. The one thing I never ask is the group that protects us, what they're going to spend because at the end of the day they have to spend what is done because the rest of the company doesn't operate if you have a problem. So is it a lot of money? Is there a return on it? Yeah, we're open today and we're operating and we protecting our customers' data. We're protecting the financial services system. We're protecting trust in the public and the financial services system. 23 we lose the confidence in the mobile phone we don't have people to actually process the transactions that go through that device today. We have to go back and hire 50,000 people probably to do it. So how much do you spend for that? It's really not something that you can sit there and say, okay, if I spend a dollar, get 1.50 in return. You say I spend it because it's the whole infrastructure. Renee, I have a question for you, changing the subject a little bit. The Intel commercials about scientists and about technicians are just some of my favorite, and we, the skilled workforce is a priority of the Department of Commerce. What do we need to do? How do we train people to fill the open cybersecurity jobs? What are the good ideas? How can you help us inspire people to be interested in this area? Thank you, Madam Secretary, for the easy question.
I was going to tell you how we implemented the framework and I was so excited. Well, you can tell us that, too. Exactly, then I'll have background and stats and half of them are going to be women. So, before I go into that [ applause ] before I go into that, I want to we have to remember we have students here. Exactly. I want to inspire them. We have jobs for you. Please stay in the computer science department. Like the gentleman on the stage is talking, both we're all intellectual property companies in the end, and so we have all collaborated on the framework and Ajay talked about this a lot. One of the things that I think uniquely we're all in different phases of using the framework and the common language is super important. We published a white paper because we're actually through the other end of an implementation of it which I think can be a blueprint for others so I wanted to put that out there so other people knew that we, this week, published you know what actually we did with our seven-month journey, and how it worked, and the framework. And the other thing we've done that I'm very proud of the team for doing is we wrote in to our supplier agreement on a going-forward basis and we have a supplier network as you can imagine, 7,000 suppliers around the globe that we want them to consider the framework and all of the extensive intel that's the first step on the journey of needing to implement the framework. Separately we'll probably work with our insurers. On the topic which is a very, very serious topic if you look forward for how people use technology and information certainly with analytics and new business opportunities, we need to continue on our journey on STEM education and increasing the capabilities in math and science. You know you hear everybody say it. We all say it. We're not making enough progress. So, we are doing our part. I know Bank of America is doing their part. Mastercard, AIG, we're all doing our part.
But as a collective we do need to have even more dialogue and probably more partnership with the government on this. This is a serious issue. And it will become a competitive issue for us. Is this about deciding that I want to be in computer science in fifth grade or fourth grade? Or is this something I can recover from if I'm 16 or 18 or 20? I think there's varying opinions on that and I welcome the other panelists' point of view. But what our you know, what the data has suggested is that if you don't have the right math and science education from K through 12 and especially through, you know, high school and in the early you know, if you don't go to college, if you don't have that basic math and science foundation, it's hard to recover from. You don't have to be a computer scientist, but the basic analytical skill, you're going to need. And so we spent a lot of our Intel Teach which has been a 25-year foundational effort and Intel on teaching in the classroom as part of our community effort. We send our own engineers out to teach K through 12 and to really teach teachers how to be better math and science teachers, and also teach classes as part of their community service. And I think we're just we just have to continue to extend and extend and really get focused. We also know that math diversity is one of the big initiatives for me, but we know that young girls drop out in middle school for math and science. That's the other big focus area for us. You know, half of the workforce, we need to keep them interested in math and science. Let them know that they're cool jobs. They're not boring jobs. You know. That kind of thing. One of the things I've often thought about, and this is a question for all of you, is how do we make it real at a young age for how cool these jobs are? What can you do? And that do I have to be, you know, the A-plus math student throughout high school you know and have taken college math at 16 in order to be eligible?
I mean, I think there's too much ambiguity about what does it take to be eligible. And I also think there's not enough of a collaborative process or I mean we go and we lecture to women and young girls. But the question is can they really feel that this is a fun thing as a group as seventh or eighth grader that I want to be a participant in? And how do we make more of that happen so that it's not I'm the outlier in my group doing this? And I'm more the norm. I'm living the dream as a mother of a middle school girl and a junior high school girl and an elementary school girl. And you're right, there's all this data around K through 12 education. I was also a teacher before I went to law school. But there's also the societal kind of attitudes around what's cool and getting your kids into coding camps and coding class and my friend Cameron who runs code.org trying to get coding
