comparemela.com

They are written for scientists or technologists or experts in whatever the field is, whether it's mechanics or fluid dynamics or biochemistry. And the Patent Office actually encourages you not to put too much background science into your patent, but it's all deemed to be there. So, when a generalist judge gets one of these patent cases, they have to figure out what the patent means in order for them to figure out whether the patent is a valid claim of an invention and whether the defendant's invention infringes the patent. And often, thanks to a ruling the Supreme Court handed down close to 20 years ago called Markman, they have what's called a Markman hearing, which is basically a little mini trial before the court, not a jury, where they decide what the terms in the patent mean. Often you have experts testify. Now, usually in federal court when you have experts come in and testify and the judge decides which expert he believes and which expert he doesn't, that is reviewed very deferentially on appeal. The patent court for many years said it will review everything for itself. It won't extend any deference to the trial courts on interpretation of the patent. Their overarching animating principle is: we are the single patent appeals court. We have to make everything uniform. Our interpretation has to be what controls. We don't want different interpretations in different district courts to decide. The U.S. Supreme Court is the final answer on all of these questions and will have to decide whether it believes the Federal Circuit's justification for reviewing these things for itself or whether we'll see a little more deference to the trial courts in patent cases. And in a whole host of cases involving the software industry or pharmaceutical industry, these could be, these could really change how patent cases are litigated.
Because right now if you lose before the trial court, you know that the Federal Circuit will hear the whole thing over again as if, as if the slate is wiped clean once you go on appeal. If that option is no longer there, it may change how these cases are litigated. And the third case is even more difficult for me to talk about than the case that I'm handling myself because Kannon is litigating it. I'm here to correct you, Willy. I'm confident I won't need to. One thing that is a constant of the Supreme Court's quote unquote business docket is securities litigation. And different areas of the securities laws crop up over time, but last term the Supreme Court heard a significant case in which it promised to think about fundamentally changing its approach to securities class actions and then it didn't. Perhaps the biggest bust of the business docket last year. But securities class actions often are brought under a provision of the securities laws that requires you to not lie to the markets knowingly, but Kannon's case, which is called Omnicare, is under a different securities law, which is about false statements to the markets but usually has no, doesn't take account of your mental state. It's usually just what we call in the law strict liability. If you say something false in the registration statement for your securities, you are liable, period. However, what if it's a statement of opinion? You state in your registration statement for your securities that we believe a certain thing to be true. We believe that our contracts are in accordance with the law. We believe that our accounting is in accordance with generally accepted accounting principles. And the legal question in this case is basically how do you analyze one of those statements of opinion for truth or falsity?
And we, and add to that, as Congress in the mid-90s made it easier for securities cases to be essentially kicked out of court based just on the complaint without the parties exchanging documents and going through the process of discovery, because that is what makes cases extremely expensive to litigate. So Congress made kind of the other type of cases, under the first category of cases I alluded to, easier to kick out on the pleadings, especially if you didn't persuasively come in with an allegation that the defendants had knowingly misled the markets. While there's no mental state requirement in the Section 11 cases. So will businesses be able to point to the fact that the statement in their documents is a statement of opinion and say, well, you haven't alleged that I believe it was false, or will the test instead be something more objective, whether no reasonable person would have believed it was false, you know, or something else more objective that doesn't require you to allege this guy was lying, that Kannon's clients are a bunch of liars. Well, I will waive my defense of my clients' veracity for another day and turn to Laurie since we're short on time. Laurie will talk about the very important question of the circumstances in which destruction of fish may cause you to run afoul of federal law. You really want me to start with fish? Well, you don't have to start with fish. It's a securities case, after all. Well, all right. I will start with fish. The fish case, otherwise known as Yates versus United States. The question the court will consider in this case is whether Mr. Yates, a fisherman, was deprived of fair notice that the destruction of a couple of grouper would fall within a federal statute's prohibition, which makes it a crime for anyone to knowingly alter, destroy, mutilate, conceal, cover up, falsify or make a false entry in any record, document or tangible object, obviously such as a fish, with the intent to impede or obstruct an investigation.
For context, this provision is part of what's known as the, it's commonly referred to as an anti-shredding provision. But in this case, the government was really creative. No offense. Don will have to defend this, or his office. Don's argument will be that it isn't an offense. The government was very creative and fisherman tossed three undersized grouper back into the Gulf of Mexico. You cannot make this stuff up. The court is hearing this case. Yates, the fisherman, says that the term tangible object is ambiguous and undefined in the statute and that unlike nouns accompanying tangible object, it possesses no recordkeeping, documentary or informational content or purpose, so, goes the argument, he had no fair notice that his conduct of throwing back the undersized grouper was prohibited and so that would be a violation of the due process clause to convict him. So, this is actually, it's a criminal case but it's actually a business case, so the U.S. Chamber of Commerce has weighed in in support of Mr. Yates, which is notable. And the Chamber argues that consistent with the text and context and the legislative context of this provision, it should cover only documents and recordkeeping devices rather than sweep in the actual inventory of goods. And the Chamber's brief warns the implications of the government's interpretation would have serious effects on small businesses and other legitimate business conduct such as routine maintenance and disposal of inventory. Should I offer an opportunity for response? It's fair to say the government has come in for a fair amount of hazing in this case and so, Don, and so, yeah. You know, that's one side of the story. Here is the other side of the story. That the fisherman is a commercial fisherman. He was out on the Gulf of Mexico and was visited by a state inspector and the state inspector looked at his load of fish and said, geez, you have a bunch of grouper here that are below the limit that you are allowed to catch.
And so I am going to instruct you to put those undersized grouper aside in this box and tape up the box and when you come back to shore, you have to turn it in and we'll have a proceeding to see whether you're obeying the law or violating the law. And what the commercial fisherman did after the state inspector left was to instruct one of his employees to take that crate of fish and dump it overboard and replace it with fish that were no longer undersized. And the employee did that and then he got back to shore and he ratted out his boss. So the boss was essentially prosecuted for a statute that we think is basically a statute that forbids the destruction of evidence to impede an investigation, which certainly sounds like what that fisherman did. And so anyway, that will be... I am so certain there must be a general obstruction statute. This is not a capital case, Don, correct? Not yet. Moving on from fish. That's the other side of the story. That's a pretty good rebuttal. Moving on to the Facebook case, which is my personal favorite on the criminal docket because everyone and anyone who knows a teenager or other marginally irresponsible semi-adult should tell them to focus on this case and follow it with interest. This is a case that comes out of the Third Circuit. It's an interesting case because it's at the intersection of constitutional and criminal law, like many criminal cases, but this involves the First Amendment. The case involves a federal law that makes it a crime to threaten or injure another person when you communicate that threat through interstate commerce. And the question in essence in this case is whether threatening is in the eye of the beholder or whether the government has to prove that you subjectively intended your speech to be a threat of bodily injury or death to another person. So the facts of this case are pretty interesting. The alleged threats at issue are Facebook posts and the defendant, Anthony Elonis, his life was falling apart.
His wife of seven years left him, taking their two children. He was a frequent poster on Facebook, but after this traumatic event in his life he changed his Facebook persona to a rapper-like pseudonym, from Anthony to tonealonis. His posts frequently took the form of rap lyrics that he had composed and sometimes the language he used was very explicit and violent, not unlike the lyrics of some actual popular rap songs. Apparently, and this is kind of the interesting part to me, he would post disclaimers at the end of his posts explaining that the lyrics were fictitious, for entertainment purposes only, that he viewed his posts as kind of therapeutic and a way to deal with his frustration of his life falling apart. But the most interesting thing is that he explicitly referenced the First Amendment over and over again and at one point even predicted he would be arrested for his Facebook posts and would be laughing all the way to the bank when he won his constitutional claims against the government. You don't see many people advertising that they intend to kind of maybe sort of break the law but they've got their defense already and they're going to tell you what that is. But one of the posts, I just want to read some of this so you get a flavor of this. One of the posts was directed at his ex-wife, I guess many of them were. And just so you know, I will put a little ellipses around the most explicit language so as not to cause problems with C-SPAN. Here is one: I'm Tone, did you know it's illegal for me to say I want to kill my wife? It's illegal. It's indirect criminal contempt. It's one of the only sentences I'm not allowed to say. Now, it's okay for me to say it right then because I was just telling you that it's illegal for me to say, I want to kill my wife. I'm not actually saying it.
I also found out it's incredibly illegal, extremely illegal, to go on Facebook and say something like, the best place to fire a mortar launcher at her house would be from the corn field behind it because of the easy access to the getaway road and you would have a clear line of sight through the sun room. Insanely illegal. It goes on from there. And another one posted right after a visit from an FBI agent to his home, his prediction coming true, he's getting the attention that he was obviously looking for. He composed a little rap about her which in part says the following: little agent lady stood so close, took all the strength I had not to turn the blank ghost. Pull my knife, flick my wrist and slit her throat, leave her bleeding from her jugular in the arms of her partner. So this stuff is pretty explicit and if not for the context, and I'll give you more context. He would, at the end of these posts, they were often based on other rap performances, Eminem songs were a favorite parody of his, comedy sketches that he had seen, and he would post the links to the original work of art at the bottom of his posts, again with these disclaimers saying this is my way of giving myself some therapy. So the basic question before the court is whether the government had to prove that he subjectively intended to threaten or whether it's enough that a reasonable person, and probably everyone in this room and including his wife, perceived it as a threat. He argues subjective intent is required to avoid a conflict with the First Amendment because otherwise speech that really is meant to be expression that's not a true threat would be chilled, and the question before the court is, you know, what does it take to prove a true threat? That one is pretty colorful. Not sure which of those cases is more unusual in terms of its fact pattern. Well, the fact pattern is great.
One of the things that makes it great, the fact pattern great to laypersons and lawyers, it seems to me even under the standard he's advocating he's probably toast. It seems like a bad vehicle because it seems like, from what I have read, that the facts are very government friendly in the sense that the government could prove subjective intent to threaten. Matter of legal standard, he would still lose. It's interesting they chose this one. The court waited so long to jump into the foray of, you know, inappropriate Facebook behavior, you think they could choose a vehicle where the legal standard was clearly going to make a difference. And the last one on the criminal docket that I'll touch on briefly, to me, it has fewer implications for the average person, though maybe not. This case involves two men who were driving down the highway in North Carolina with one brake light that was malfunctioning. And the officer pulled them over and noticed that one of the men was laying down in the backseat with like a blanket over his head and even with the officer standing there asking for license and registration remained laying there in the backseat with the blanket over his head. So, the officer thought this was a little suspicious, asked questions of both of the men and concluded their stories weren't matching up. The guy in the backseat was still laying down answering the officer's questions. He asked for permission to search the vehicle and surprisingly they agreed. The search uncovered 54 grams of cocaine. A grand jury indicted the guy in the backseat for two counts of trafficking cocaine and he moved to suppress on the ground that the stop was not objectively reasonable because, as it turns out, North Carolina law only requires one working brake light. Who knew. Obviously the officer didn't. Well, this is the crux of the problem.
So the officer's position and the state's position is really, who knew, because the code actually had a more general provision, the traffic code, that sort of suggests that all of the rear lamps, so everything that came in the rear of your car that lights up, has to be in proper working order. So there's kind of a conflict between this general provision and a specific provision that makes it pretty clear you only need one working brake light. And the state argues that that ambiguity basically means that this mistake of law was reasonable and so therefore the stop was legitimate and the reasonable suspicion standard satisfied. The other side argues, well, the court has never recognized mistakes of law as justifying, you know, a reasonable suspicion from a violation standpoint. So the court has never said, well, that doesn't violate the Fourth Amendment. What they have said is that if there's a reasonable mistake of law you might not get the evidence suppressed because it goes to whether that remedy is really an equitable one. This case, too, is interesting. Kannon is the Fourth Amendment expert among us, and obviously the SG, but it's interesting to me not so much. If the petitioner prevails here, is it a Pyrrhic victory, because under the circumstances of this case it does seem like there's both good faith and kind of objective reasonableness in this officer's interpretation of the law, so even if they win the question that it's a Fourth Amendment violation, what does it get out of that? I think if there's no issue involving the good faith exception before the court, I have to admit I have not looked at this case, it's not properly teed up. But there is some talk in the opinion that, you know, it was both kind of good faith and also objectively reasonable because there was this objective uncertainty in the law. So I want to ask the question that I suspect is on everyone's minds, why was the guy under the blanket? I don't know.
If he had been under a cell phone that could have been searched. You know, the government may have a view and I confess I have not gotten all the way through the United States' brief or North Carolina's brief. I read the decision below, the petitioner's brief. The good stuff is in the footnotes. That's true. The good stuff in the other case about Eminem, that was all in the footnote. The petitioner's brief doesn't flush out what he was doing back there. I'll have to chase that down. I think we can all agree that would ordinarily qualify as, if not suspicious, certainly curious behavior. Which is why I said the brake light malfunction and the experience of being pulled over and subjected to a stop for maybe something that's not illegal, that that's something everyone can relate to and worry about as a risk, right? But not too many of you are probably lying in the backseat hiding under blankets when the police are trying to ask you questions about something. That's usually a good idea to sit up under those circumstances. That's fair to say. Well, we'll throw the floor open for questions. We were going to talk about cases that were coming down the pike and I will as moderator exercise martial law and give the 60-second summary. All Supreme Court practitioners and journalists in the world at large are waiting to see whether the Supreme Court is going to wade into the area of same sex marriage and has a number of cases coming up, as all of you will be aware, that present the question of whether there's a constitutional right to same sex marriage, and we may know as soon as the end of this month whether the Supreme Court will decide that issue or potentially decide that issue in the coming Supreme Court term.
There are yet more challenges to the Affordable Care Act that are winding their way up to the Supreme Court, though it's uncertain whether any of that court will get up this term, including some cases involving questions concerning the funding of the exchanges on which health insurance is now purchased as a result of the Affordable Care Act and further issues, as Joan mentioned, concerning the applicability of the contraceptive mandate and the interplay between that and claimed religious liberties. There are cases involving race, cases involving affirmative action. The Fisher versus University of Texas case that Laurie worked on when it was last before the Supreme Court seems to be heading back in that direction. Though it's unclear whether that will make it up to the court. Hopefully not, since we won in the Fifth Circuit again. It's still in the Fifth Circuit. But a panel has once again upheld the Texas affirmative action program, so the challengers may take that back up to the Supreme Court. And there are cases involving the availability of so-called disparate impact liability, that is, liability for practices that while they do not possess a discriminatory intent have a disproportionate effect on minority groups. This has been a contentious issue that the Supreme Court has tried to resolve on two occasions but on both of those occasions the cases settled. So, a lot of very interesting issues that are potentially in the pipeline, but just as it's difficult to predict the weather, it's very difficult to predict what cases the Supreme Court might end up hearing, so I think this is just a case of watch this space and perhaps at this time next year you'll hear about decisions in some if not all of those cases. With that, since we have 10 or 15 minutes left, we'll throw the floor open for questions. It will be harder for us to see the folks up in the balcony, you're welcome to ask questions as well.
And I don't believe that we have a microphone, so please just stand up and I'll recognize you and I will repeat the question for the benefit of the audience and those who are watching on television. Yes, sir, in the baseball cap. The question is about gun laws and I assume whether any issues concerning gun laws are likely to end up back at the Supreme Court this term. Any thoughts on that? Well, there are cases kicking around in the courts of appeals, so it's not inconceivable, but I wouldn't say it's a certainty either. There have been a number of issues percolating since the Supreme Court in the late 2000s first recognized the individual right to bear arms. While the courts of appeals have been mixed on how to approach it, they generally have agreed that there's some kind of higher standard for most gun laws and the most onerous restrictions, such as a complete ban on carrying weapons outside the home, get scrutinized very closely, but that the core federal prohibitions, for example carrying a firearm if you're a felon, haven't come under any serious threat. It will be interesting which of those sort of next issues beyond the core question whether there is a Second Amendment right for individuals at all will come up next. Okay. Other questions? Yes, in the back. Are there any privacy cases coming up in the Fourth Amendment standard of reasonable expectation of privacy? Do you see that surviving into the future? Yeah. Maybe that's, that's... reasonable expectations of privacy are the standard, at least for now. Joan, in the wake of the court's decision on cell phone searches this term, there was certainly a lot of speculation about the potential implications for challenges to wiretapping and in other contexts involving the aggregation of data. Do you think that's the next big front of Fourth Amendment litigation? It certainly would be one of them.
And I think that a lot of people who have concerns about privacy in the digital age were very heartened by the cell phone rulings because of the awareness the court showed about how much we all expose ourselves now in the digital age through something as small as our smart phone but also all the communications that emanate through our homes that could be collected by government and others and are now out there. So, I think that is the next front and I do think that this cell phone ruling at least showed a real sensitivity to digital privacy for individuals. There's a case from the 70s that said that information that you, for example, share with your banker, you don't have a reasonable expectation of privacy. That's been a basis for a lot of the government's arguments about things that you might, for example, store in the cloud. Digital data you might store in the cloud. At least one justice has indicated a willingness to reconsider whether that's, that should still be the law in the current digital age. In the cell phone case I think they explicitly reserved questions about technologies like the cloud, right? Yes. We might see another iteration of this sometime soon. Yes. I'm really concerned about the accumulative records that are being held for kids who turn pieces of food into a gun and all of a sudden they have it in their record that follows them throughout their school life. That's insane. Those should be teachable moments. And not bringing the police in or kids sitting in the principal's office. Because those are feelings that are in that child's life. I'm eager to have teachable moments where kids learn, first of all, up here is not complete. Okay? They're still growing in their brain. And it's as if they already finished their brain development at 7 years old. It's insane. Yeah.
I'm going to try to transform that into a question involving the Supreme Court's docket because I'm kind of hard pressed to think of a current case that might bear on that, but maybe this is a general question for the entire panel about the Fourth Amendment and the current court's view of the government and law enforcement generally and whether any of you think that that view may be changing somewhat. You know, I'll put it this way, when the Chief Justice was nominated to Justice O'Connor's seat, he hadn't written many opinions. One he wrote was the opinion upholding an arrest for a child eating a french fry on a Metro platform. It was thought at the time, boy, this is a real law and order type. This is another William Rehnquist. Over the last nine years we have not seen in his jurisprudence kind of uniform sympathy for law enforcement by any stretch. And in the, even in this sort of kids-are-different area. But I think there will probably be more zero-tolerance-type cases coming to the court in the future but they may actually be under Title VI, rather than under the Fourth Amendment, whether school boards have to have a zero tolerance policy to qualify for federal funding. I wonder if the Chief being relatively young and father of relatively young school age children influences some of his thinking in that area. Yeah. There have been cases involving the restriction of speech in the school context. Right. Which the court has really ducked. Yeah. With the exception of the Bong Hits 4 Jesus case, which was a number of years ago. I heart breasts. It's another word. C-SPAN thanks you again. They can take us off the seven-second delay now. Other questions, yes, sir, in the front and then we'll go to the back. What, if anything, will the change in makeup of the D.C. Circuit court mean for what types of cases the Supreme Court will pick up? So the question is what makeup the D.C. Circuit might have on the Supreme Court's docket. That's a big one.
I'm looking at this general, since most of those cases do tend to... Well, what a difference it has made, because we just saw most recently last week the D.C. Circuit announced that it was going to rehear the, another generation of the Obama health care law case rather than have it go right up to the Supreme Court. It's made a big difference that President Obama has gotten four appointees on. During his first term, he got none on because of the stalling in the Senate and all sorts of polarization that we're all aware of here in Washington, but he now has four new judges on that court and it's making a difference in these rehearings and it will make a difference down the road. In fact, I wonder if you think of what you had last year in the Noel Canning case, certainly decided by two Republican appointees. It doesn't always break that way, but I would think that maybe there aren't going to be as many appeals coming up, although that circuit, no matter what it does, I think it's the most exciting circuit that we have out there. There has been a shift, though, in the number or frequency with which you're seeing separate opinions, dissenting opinions. I can't remember the last time, other than in very recent history, before the last couple of years, when the D.C. Circuit went en banc. Didn't happen the year I was there, the year before that. It's so rare. We'll have in December the health care case will be heard in the D.C. Circuit. Watch for that one, too. It will be a real shame if the legacy of this case is the perception that the president's appointees, to include some of the finest lawyers that practice in Washington and who really are a credit to the bench, if they wind up being tarred as some kind of political hack because of this first case that draws their attention. And I think that Senator Reid, in particular, has done a real disservice to the country and to the bench by acting as though the outcome of this case is foreordained because of their confirmation.
That's one of the things that is really upsetting about the current political environment. We could probably have a whole panel on those cases alone, but I promised that we would get to the last question, which was in the back. Yes, sir. Will the panel comment on what you see in the coming term about reproductive rights, and particularly I'm wondering about whether this concept of personhood, particularly the anti-abortion groups are trying to push, whether you see that there's any traction in the Supreme Court with respect to it. So the question was about reproductive rights and, as I mentioned earlier, abortion has not featured all that prominently with the Roberts court. Do we think that is likely to change any time soon? Nice easy question. I think they're going to stay away from that issue as long as they possibly can. Yeah. I think our last direct abortion was the 2007 case. Abortion does tend to infuse some of these questions, for example, on the contraceptive mandate and on the abortion protest buffer zone we had from Massachusetts, but I think this would be in your category, Kannon, of cases they're not eager to take, for sure. At least on the core right, like on the Roe v. Wade right. Well, we'll let that be the last word. So please join me in thanking our panel. [ applause ]

Next, recently, cyber security, focusing on new technology, the government and budgets. This is a little less than an hour and a half. I want to thank our guests for coming in this morning. This is one of the best lineups we've had since I joined five years ago. Thank you so much.
Thank you all for coming in this morning. I want to move briefly through the introductions so we can let each of them speak and then have time at the end for questions and answers. So, the topic we're addressing here is that you have ever-increasing challenges securing government networks. One side is agencies have to prepare for the unpreparable, and that's these ever-evolving threats that are hitting the internet, smart phones, refrigerators, cars, anything connected to networks. And then on the other side, you have ever-shrinking IT budgets. Agencies are getting creative in finding new ways to make sure their computer systems are as secure as possible in a cost-effective manner. Let me introduce each of your guests. From industry, we have Adam Firestone, who is with a new division Kaspersky Labs. He's been in the industry for years supporting various government agencies and is a former U.S. Army officer. And then we have Roberta, who goes by Bobbie. And she is the DHS Deputy Assistant Secretary for Cybersecurity Strategy. And what that means is she works to minimize network disruptions in the government, the private sector, so that government, the economy and society can keep on going. And that also means she focuses and spends a lot of time on securing the dot-gov domain. Then we have Barry West, a long-term public servant. He is now the chief information officer. And part of that job involves securing some very sensitive business information about pension benefits in the private sector. He's also worked at DHS and he served as a CIO at the Commerce Department and at various other agencies. I should also mention that Bobbie used to work at DISA, which is the IT wing of the Defense Department. So with that, I'll let each of you go into your roles more in depth and talk about the role you play in forward-looking cyber initiatives to tie this back to our topic today as well. Would you like to go first? Sure.
So there's a longtime belief in Labs in general, and with me personally, that there really is a binary definition of the world. There are people who want to create a safe, stable, secure cyber environment that fosters wealth generation, that fosters stability and education, and there are people who want to break that down. And that's a comfortable place to be for me personally. Because I get to be a good guy. And that's kind of nice, right? But the way we do that and the way we look at the world is: what is the state of technology today and why are we here? And when we look at that, we see a lot of net 95 artifacts, the internet as it was designed, the internet as it came to be when we first all started using browsers in the World Wide Web, and that's an internet that was designed for ease of use and ability to get on rapidly and exploit it rapidly to do good things. Unfortunately that design paradigm also lends itself to inherent insecurities. And so the question we ask when we look at what can we do to go forward is what can we secure? And how can we do this in a reliable, affordable... You can't rebuild the whole thing. I guess you could, but then that would take many, many, many years. We would all have great, great, great-grandchildren and nobody could afford it. How do we do this without boiling the ocean? We begin to look at specific spaces at the front end of security. So much of what we've done in the past and we continue to do is responsive security: what has happened, what is happening, how do we respond to that. But where we start to look now and what's very important for our focus and, again, for me personally as a systems engineer, is how do I build it right the first time? How do I look at where the holes are, the white space, if you will, and start to put solutions in place that respond to those challenges? And I think that as we move forward the big technological imperative will be: let's look at where we've gone wrong.
Let's look at what allows data to be useful to people who would steal it. Let's address those problems up front and then we'll start challenging ourselves with the whiz-bang technologies. We have a lot of basic stuff we can do right now to secure the net. Do you want to go next? Good morning and thank you very much for giving me the opportunity to come and talk to you today. I think this is the second one in this series that I've been invited to. I must not have screwed it up too badly the first time. I've been with the Department of Homeland Security for more than four years now. I came after, I think it was 18, maybe 19 years in the Defense Department, where I had a variety of roles in the Defense Department, to include being the CIO of an IT organization, an organization that builds and deploys IT, and focused on this cybersecurity landscape for a much longer time than I'm actually willing to admit. And one of the things that is true, and certainly true in what we do at the Department of Homeland Security, is recognizing that cybersecurity is really an unbounded problem. And that unboundedness identifies, gives us the place for innovations. Traditionally innovations have been thought of as technical, what technology could be best put in place, and I'm really proud of many of the ones that we have at DHS, including things like the structure threat indicator exchange, and mechanisms to automatically share threat indicators in a way that put in the hands of people who can do something with it the things they need, and get the people out of the problem as much as possible so we can keep up with those kinds of speeds. I'm really proud of so many of those things. But there are innovations in other areas as well that we've really been pushing. There are innovations in how we procure and how we deploy capabilities. We talk about the cost crunches that CIOs are in, and certainly it's true of CIOs in the private sector, it's absolutely true in CIOs in the public sector.
You think about the reality that sequestration caused departments to face and the realities that I know I face and can only imagine you face every day of being support to a responsibility where all the resources are trying to go towards the responsibility and being asked to transform an organization with not a whole lot. And so that's caused us to think about how to be most useful and most helpful to departments and agencies in the federal government. And if we think of programs, a first-time-ever procurement method for deployment of capabilities to CIOs that can be best used by the CIO, right? It's not the department enforcing a particular process or structure, it's a collaboration between departments and agencies in a really useful way that will provide innovation in business processes inside the department, is great opportunities in that way that alleviate some of the burdens and helps them focus. So there's innovations in those kinds of things that we recognize. There are innovations in business models that are important and that are really facing us. And one of the really most important areas where innovations are happening and need to be happening even more is in workforce. Right? It is that sort of unbounded area where in the Defense Department we always said the enemy gets a vote. You can't forget that the enemy gets a vote, so that's changing. The threat environment is changing. The infrastructure is changing. The demands of our users are changing. The reality of customers, demands of our customers are changing. And we're facing a dramatic shortfall in professionals who understand this. So we have to have innovations in how we identify, develop and bring into this workforce for us as a nation as well. So really another place where interesting innovations are happening. One of the reasons why the Department of Homeland Security is such an exciting place to be is because we are in the midst of all of that at the same time. Thank you. Barry?
Good morning. Thanks for giving me the opportunity to be here this morning. I came back in government about a year and a half ago after a 25-year career in the federal government and the military, went off to the private sector and came back, and people asked me, what's the biggest thing you noticed that's different? Obviously I think it's around security. It's the threat level that's dramatically increased, along with the active participation of the CIO in being involved and engaged in their organization's cyber threat. I think before it was real easy for the CIO or the IT director to give the organization the reins to go do what they needed to get done, but today the CIO has to be deeply engaged with the CISO, with the partnership, to really make change around security. Some of the things that have been mentioned here already, it's really a balance between the innovation piece, how are you bringing new tools and practices and processes around security yet keeping the day-to-day going? And addressing the needs around security continues to be a big effort. Budget needs, you know, I'm fighting those weekly, where the questions are, well, what's more important right now, security or buying other tools around some of the other areas that you manage in the CIO shop? So what's more important to you right now? It's really finding that true balance of what works. The other thing is getting... a lot of it is not so much the technology but the processes and the people, and getting them really educated and learning to think about security from the beginning. And that has really been a challenge over the years in getting your business units to really embrace security and not just look at it as something that the CIO is going to handle and it's their job. So, the CIO really needs to be a good marketing person to really work closely with the business units to show them and educate them around the benefits of embracing security early on. Thank you.
I should mention that Mike Walker, program manager at the Defense Advanced Research Projects Agency, was going to be here. He had a last-minute conflict. He was going to talk about robots doing cybersecurity. If you want to learn more about that, Google DARPA Cyber Grand Challenge and you can find out more information. First question here: how do you combine existing legacy systems, processes, techniques with new tools and procedures so that you're not throwing away investments? And this goes for existing contracts, like Bobby was talking about, you're changing procurement processes, and also your existing workforces, how do you train them to meet the new demands of the cyber world? You want to go first? Sure. Thank you. So we have the finest acquisitions force in the world. And I believe that 100%. That's not sarcasm, that's not a joke. The acquisitions capability in the United States government is breathtaking. This is the community that invented systems engineering, no, standard 498 later became an IEEE standard. And when it comes to buying stuff and complex stuff, aircraft, tanks, ships, they do extraordinarily well. Software and cyber unfortunately are an area where taking someone out of the user community and having them help run or identify the requirements is where the model fails. So how do we do that? In my past life, what I found is very interesting. I was working on a weapons system. And the weapons system had legacy components and had new components. And what it also had were developer teams, industry developer teams that worked with the program office to deliver this capability to the government. And those developer teams, more so than the government, put the brakes on new technologies. Now, why did they do this? They did this because it was new, it was risky, it was "oh my gosh, I don't know how to do that," and it was wrong. So there's two sets of obligations that we need to look at in terms of innovation. It's less technology.
The standards for things, for example, access control, which was mentioned at the Aspen Security Forum by senior NSA officials as a way of mitigating and moving forward from the damage caused by the events of last year, has been around, that standard, since 2004. There have been more than adequate commercial tools available for integration that support such access control mechanisms since 2005, 2006. It's not a matter of cutting-edge, bleeding-edge, untested technology. It's more a matter of changing the acquisitions landscape. We need to do this in two ways. One, we must support our acquisitions professionals with talented and knowledgeable people, and whether that means we create a new structure for having cyber-aware or technically aware folks do tours with those people, or whether that means we create a separate career path within the government or military to account for that. That falls into the weeds. That's implementation. The second part is, I'm coming from industry. My last 20 years, 20-plus years, I'm feeling old. My last 20 years have been in industry and we need to step up to the plate. We need to say it's not enough just to know the domain. We really need to put our best foot forward, and that means that everybody who walks in has to be the triad. And the triad is domain, technical, process. You need to understand what you're working in, you need to understand and be conversant. I'm not looking for experts, right? If I look for experts I would have five people in D.C. who can handle all three of these. You need to be conversant and you need to be understanding the process, and there are many, you need to understand the process by which that technology is applied to the domain. If we can do that, we can start to remedy the acquisitions hole that we fill. And that acquisitions hole is represented today by the fact that our security is done at the tail end.
If you look at your engineering teams, you'll have people who think about security and say they think about security, but more often than not we push that to the information assurance folks, again, at the tail end of the acquisition, at the last five minutes before it goes live, instead of requiring that security to be built in by our developers, by our systems engineers, and to have that security demanded by our program managers. So the first thing, Adam's opinion, this and $2.50 gets you on the Metro. Not right now. Is it more than that now? Oh, wow. Is that... I work in Virginia. But Adam's opinion is that we really need to start addressing the needs of our acquisition community because there's a gulf right now. As a technical guy, as an industry guy, I can sit out here and tell you everything that's broken. If you want to buy me a beer afterward, I'll be happy to do that. But that's the wrong answer. The right answer is to say we understand what's needed and we understand where the gaps are, let's start closing the gaps with policy and norms, because the technology is there and it will follow. When I was the CIO of DISA we had a saying, and that was: legacy meant it worked. Right? I will argue a little bit with the premise of the question, and that is that it's an either-or, right? We're in the environment we're in, you always have things that have been there, things that are there and things that have to come in. And so, it's about... for us it's certainly about creating the space to have the evolution that needs to happen. And whether that means longstanding commitment on the part of the government to nonproprietary, standards-based solutions, there's a reason for those, it's in large part because it creates that space for sustainment of things that exist and have to exist and the movement forward into new capabilities. But it also enables us to get to the... as Adam rightly points out, to get closer and closer to the front end of the problem.
I'm going to use a really personal example which will make me feel old. When I took my very first programming class, all my teacher wanted... I was in high school. All they wanted was for me to print hello world on the screen. That's all he wanted. That's like everybody's first program, right, print hello world. There's no such thing as boundary checking of my variables, we didn't talk about what a race condition was, no concept. It was print hello world. That was a long time ago. My middle daughter took her first programming class in high school, her first program was to print hello world. There was no conversation of boundary checking of her variables, no topic of conversation of race conditions. A couple of decades had happened between those two periods of time. We're smarter now. Right? We have to understand what creates the environment. And find the simple things, because there are a lot of simple things, that could be put in earlier and earlier. Mind you, when she took her first programming class at Virginia Tech, it wasn't to print hello world, it was to make a maze, but they had a conversation about boundary and race conditions and these kinds of things that create spaces for malicious activity to occur. And so progress is happening and it's happening slow. It's a place where progress could happen much quicker. And the kinds of innovations that need to occur need to occur in all of, sort of, all of these places. And so, one of the most significant challenges we see with critical infrastructure owners and operators who want to focus on cybersecurity, with government departments and agencies who are really trying to do the right things and put in place the kinds of layered defenses that are necessary and design activities that are necessary, is that sort of hump they have to get over, that initial investment they have to get over to focus on that.
And that's really where we've got to find ways to get that bar as low as possible so that that initial investment is not so insurmountable that they don't take that step. And so, you think about one of the principles we use in designing the programs that we have to support departments and agencies and support owners and operators is to sort of identify that particular problem and articulate that in a way that can be useful. I would say without losing sight of the legacy systems, because as Bobby mentioned, they're going to be out there unless you have a clean slate and you're at DHS and just starting S&T or NPPD or something like that. Yeah. You want to focus on the new tools and processes. You want to really get clearly articulated requirements. You want to look at the interfaces into the legacy systems from the new tools and processes, and I think you also want to look at agile. I know more and more organizations are having success with agile iterative processes and building the security around agile, and it's proving successful. So I think those are some of the things you also want to do. You also want to leverage existing technology. Lot of good shared services that are out there now in the government, the managed services in the cloud, you definitely want to try to leverage those as you bring in new technologies in your organizations. I think that's really interesting because one of the opportunities that all of that creates is an opportunity to rearchitect the business process and the technology at the same time, which increases security, right? The cloud movement, which is a really powerful movement, is a moment where it's not just a technology movement and you can really rethink where your data is, what it's doing, and if you do this sort of holistically, these drivers can really do more than just... Absolutely. ...one-step improvement. Right. I'm really glad you mentioned agile. So agile is not just a project management technique for software development.
Can you talk a little more about what agile is? Sure. So agile came about, gosh, it must be ten or 11 years ago, when a bunch of developers got together and said, you know, the way we do software is wrong. And hold that thought because I want to go back to that in a second. The way we do software is wrong. We assume today that we're God. So everybody in the room, let's try to test you. Okay? Everybody in the room who knows exactly what's going to happen with every project they have three years from now, raise your hand. You are amazing. How do you know what's going to go on three years from now? [ inaudible response ] Okay. You would be the first person I've met who has ever known that in advance. That's pretty impressive. So the reality is that you don't. What these guys and gals who got together said is, we don't. What we do know is generally what we want to achieve, and we do know we have an idea of some of the stuff, most of the stuff we've got to do in order to do that. Let's make a list of everything. We also know that people don't work well for long periods of time under pressure. So I guess you can get those five developers to work 90 hours, 100 hours, 150 hours for a week, two weeks, three weeks, but by week three they're crashing and their productivity tanks. So they sat down and they said, how can we come up with a technique where we understand what happens, we can prioritize what we need to get done first. We can identify in easy terms what these things we need to get done are in terms of functionality and then we can get them done. If I have this much, I will allocate this much to this two-week period and this section to this two-week period and work my way down. And as things change, I will have a managed process to work things back into that list, called a product backlog, of things I need to do. And in this way, I can have a continual and governed workflow that allows things to get done rapidly, iteratively, and that's how I'm going to do it.
And I, having done agile, having introduced agile to three different programs and watched the difference in productivity, not just in software development but in engineering, in project management, and a bunch of other nontechnical disciplines, it really works. Let me talk for a second about agile and how we would implement agile in the delivery of our systems, our technology. Let me start with the premise that software is broken. Software is delivered broken. How do I know that software is delivered broken? Because every couple of weeks or every week or so when I take down my computer, it doesn't shut down. It tells me I need to wait. It's doing stuff. What stuff is it doing? It's downloading updates. What are those updates for? Those updates are to fix the problems that it shouldn't have been delivered in the first place with. Think about this in perspective of your car. If I sold you a car and said, yeah, the steering wheel only goes 260 degrees, you would think I was crazy. But don't worry, because in two weeks I'll send you a new steering wheel, it will snap right on. But that's literally what we do in the software world. We make the users today the beta tester. So the question is how do we turn around and push that problem into an agile model where we push the problems up front, back on to the developer. And that's actually a technical tool. That's a technical question. We can, and the tools exist today, apply agile techniques, not only to the actual software development but to the methodology of the program management for software development. We can adopt things like continuous integration, continuous test, continuous monitoring as we develop, and think about what this means. There you are, you're a developer. You're pushing the new code in. And that code is tested before it hits the trunk.
And we don't only test it like we do for the most part today, functional tests, we look at the other four areas, four years, we look at performance, scalability, interoperability. You don't get credit for it and it never goes out to the ultimate end user. It's a question more of... less about what software am I delivering than the mechanism by which we deliver software. It's about changing the thought process in terms of program management for software delivery and project development for software delivery. So agile in terms should be... Adam's opinion, whatever, $4, hit me on the Metro, Adam's and $4 gets you on the Metro right now, is that we need to think with agility in terms of how we think, but we need to implement agile both in terms of our program management and the technical methodology by which we develop our systems. I'm going to pass it on. Well, the next question, building off of what each of you have hinted at, is if you train the workforce, retrain the students how to think about security from the get-go, if you build the software in a more flexible manner, then you might not have to pay as much to fix problems down the road. So can you talk about how innovations in technology, training, contracting, deployment can actually bring down the costs of cybersecurity? One thing I've noticed is the cost and... because, you know, we have matured, some of the costs really haven't come down that much because the threat continues to increase. And what I'm finding is that it's really about the labor costs that you have to put around security. In my organization, we're spending a tremendous amount of time and effort around the security controls, the NIST controls that are out there, and so they kind of overshadow the cost of the actual tools themselves. I think the CDM program as it matures will help quite a bit with the cost of the tools, but that's not really matured yet. But I think it will over the next 24 months.
I think you'll see a lot of price advantages off of that program. But, again, I think until a lot of... for example, the new Rev 4 came out for 853, that is going to require a lot of... That's like the cybersecurity bible for the federal government, for federal IT systems? Yes. Go ahead. While you may see some of the decrease in the tools themselves, I'm still seeing a lot of labor costs that go around supporting those controls. One of the things that we see is it's a bit like your cell phone bill, right? It's been $40 from the beginning a month, but you're getting more for your $40 now than you were at the beginning. And that's a bit of what we're seeing in sort of the technology landscape here, is that whereas maybe the license costs... for CDM is a great example. The license costs are a volume activity. You're really getting more than just a particular technology, a single technology for the dollar, and that's really important because, as we've been talking about, it has to be a layered, multifaceted situation. And so there isn't a single... the silver bullet doesn't exist here. There is not a single tool you can buy, a single person you can hire, a single process that needs to be put in place, it's a multifaceted situation, so the cost is one figure, value is another, and we really try very hard to look at both of them as we're going forward because you have to have that trade. I think I would add on to that and say that the third thing besides cost and value is maintainability of your systems. So, I'm going to date myself again and say that I was really... I was a journeyman systems engineer when service-oriented architecture became very popular. And the principle behind SOA is really not all that different from web-oriented projects or whatever they're calling it today, and the idea is that I develop and deploy my systems as collections of reusable... think Legos. I can pull out the red brick with six, length of six connection points, and replace it with a blue brick and there's no problem.
My Lego construction doesn't care. They only care about what the interfaces look like. In terms of reliability and maintainability, one of the big cost drivers right now for our legacy systems is the fact that they are these tightly coupled, interconnected systems, that means if I fix something here, I break something there. And the cost of maintaining that goes up exponentially, to the point where the cost of maintenance is equivalent to or... this is the old stuff, right? The cost of maintenance is equivalent to or exceeds the cost of new capability acquisition. I'll date myself again. So when I transitioned from M60A3 tanks in the Army, you're smiling so you just know. One of the problems that was cured by the M1 and was demanded by the Army when they acquired it was the ability to pull pieces of that ability off and replace it one for one with a new part. That simplified and shortened and made significantly less expensive the maintenance cycle. You didn't have to pull it all off. You could pull a pack on that vehicle in under 90 minutes, complete power pack, pull out and replace. Software systems are evolving to that point. Among the things, and you pointed it out earlier, among the things that happened in the government is the more ready adoption of open standards. To that extent, open source technologies which use those standards, which lowers acquisition costs and lowers maintenance costs, which in turn makes your long-term investment in the system significantly less expensive. Why does that matter? Because the dollars I save today doesn't mean I don't spend those dollars. It means I can turn those dollars around and apply them to the hard problems, to include the evolving threat nature that Barry pointed out. Anything else you want to add on that topic? Okay. Let's turn to a technology now. You have the likes of antivirus company Symantec, the maker of Norton antivirus, saying that antivirus is dead. What does that mean to us?
Am I not going to have scans running in the back of my computer slowing down my system? And what is its technological replacement? So, I was looking at the guy from Kaspersky because that's where the company made its bones. So there was a time when a perimetric concept of security was adequate. It is not anymore. Security in the cyber world, as the world becomes more connected, and if you look at middleware companies today, middleware companies drive the whole internet, okay, they drive your systems integration, they drive everything, but if you look at their business message, their business message is connected business. And what that means is that this is an integral part as a whole, and it means I have to worry about this and worry about the servers that support it and stuff in the cloud, and also got to worry about the iPad, the iPhone, the Android, everything. So I still have to protect this with some form of endpoint security. That doesn't go away. But endpoint on its own is no longer the answer. So if we're looking only at the perimeter, I have to tell you the perimeter is burning and it ain't going to hold. However, if we look at the perimeter and the interior at the same time and apply the necessary security parameter, we solve the majority of our problems. I will tell you two very quick stories. When I say we solve the majority of our problems, you can't solve everything, but you can make it so that you can accomplish your mission. When we used to design battleships in this country, by the post-dreadnought era starting about 1914 or so, we designed our battleships with a premise called all or nothing. And that meant that we put armor around those... a lot of armor, a lot of armor around those parts of the ship that were absolutely necessary for it to continue operations.
And the parts that were not super necessary or could be done without until a ship could be repaired, we left those relatively unarmored, and we need to make those tradeoffs in the way we design things now. Today just saying we have endpoint is like saying we have armor everywhere, and it's a fantasy. Endpoint plus enterprise is security. Now, the last... sorry. The second story, and then I'll turn it over to my fellow panelists, that I want to leave you with is this. I grew up in Brooklyn, New York. I grew up in Brooklyn. And I grew up around the corner from this guy named Anthony. I'm going to talk to you like I was talking in Brooklyn a few years ago. Anthony, he wins the lottery. What does a guy named Anthony do when he wins the lottery in Brooklyn, do you know? He buys something. What does he buy? What kind of car? He buys a Ferrari and he tells the world that this Ferrari is safe in his garage because he's rebuilt the entire garage. He has put the best garage door and the most secure, and has chains to tie the car in every night, and tells the world about this, and he says... he sits on his stoop and that's just the way it goes. Five weeks later he comes down in the morning to unchain his car, car is gone. Not only is the car gone, but the chains are neatly coiled around the steel eyebolts he put into the poured concrete. The door hasn't been forced. There's no scratches on the locks. The car just vanished into thin air. So Anthony goes into mourning. For about three months. One day he comes downstairs, and sort of gotten past that stage of grief when you've come to accept it, and the car is there. There's only one thing that's different. On the windshield is a note. And the note says, if we want it, we'll take it. You can't defend against everything. What you can do, through a combination of endpoint, enterprise and understanding what your own vulnerabilities are, I guess that's knowledge, is you can understand and defend against the 95% case.
That 5% case, you can work toward it, you can make it much more difficult and hope they go on to the next guy who is an easier target. So remember, you never achieve perfection, and because you can never achieve perfection, don't let the best be the enemy of the good. Remember what you can achieve, and security is all about that. It's all about assessing your risk, saying how can I mitigate this risk most effectively. I'm never going to get to zero, how can I continue my mission within that security paradigm. So one of the really important functions we have in DHS is to help people understand their vulnerabilities, understand the threats and understand the consequences in that situation. And I'm intrigued by Symantec's statements or others out there, because in each of those areas what we're dealing with is an environment of scope, scale and speed that is sort of atypical of other threat environments. And so, I agree with Adam that there's a breadth of things that have to occur, right? There's a breadth of activities that have to occur. Whether it be something that you put around the most important of your data inside your environment or something more broad. You have to understand what's going on inside your environment. You have to have a sense of what your users might be doing, how all of that comes together. And we're in this evolution time in the technology landscape as well, right? It's happening in cybersecurity, it's happening in other places, too, right? We're applying business intelligence to all of the data that we have and gaining insight out of it. And then applying that insight back into the problem, collecting more information about it, it's sort of this cycle.
So we're applying that in cybersecurity as well and we're really, when you think about your comment about CDM, the Einstein program, the other program activities, the threat indicators that we share is influxing as much information and providing capabilities to provide insight for CIOs, whether they be government CIOs or commercial entity CIOs. And so I expect as a citizen that the U.S. economy will grow. One of the ways I expect the U.S. economy to grow is I expect industry to innovate. And so that innovation will then be something we take advantage of in government and other entities take advantage of. And so I'm really excited about the prospect of companies like Symantec and others pushing the envelope and looking at what's necessary in this environment and involving and innovating there, recognizing that the problems we're facing are ones of scope, scale and speed, which will require a combination of legacy or current technology and future capabilities. We're getting more than one, I think the current statistics, we're getting more than one virus per second that are hitting our networks on a daily basis, which is really mind boggling when you think about it. So while the virus signatures are important, they're not the end all. And there's a lot more that goes into it when you take a holistic approach around security that today you need to take into account. So I think that's where the statement was made. It's not the end all around the antivirus. Okay. And when you're talking about the viruses hitting your systems, you're also talking about new viruses that these systems don't understand, so you have to have the other controls in place that you were talking about. Correct.
I think that's that comment about what's happening in the environment, how much of it is something we've seen before and know and how much of it is something that we as a community need to learn from and share more broadly, just reinforces the need to collaborate between government and industry, between industry and industry, between governments in order to reduce the unknown as quickly as possible. And to bring forward that knowledge and insight and put it in the hands of others. So, I think that's really one of the places where innovation has occurred and where innovation can occur as well as how do we create that collaborative opportunity for all of us to move forward. We think about our ops floor, the NCCIC in the National Security Communications Center, which is a place where industry, government, law enforcement, intelligence all come together and look at things in a common place, common vernacular, which is really a useful thing when we're talking about the need to respond and protect activities. And information sharing, not only will I second that, I want to take that further because information sharing fostered by the government and with the assistance of the government is good, right? That's great. I'm glad it happens and it's important. But the lifeblood of the American economy is small and medium-sized businesses and enterprises. And we do not yet do an adequate job of sharing information among ourselves. So, if you think about 18 critical infrastructure sectors, 16. What we see now is an attack against sector A or sector 1, and in sector 1, call it retail, everyone talks. Okay, great. We know uptown, vertical, everyone talks in retail. But then they don't talk to transportation. And they don't talk to health care. And they don't talk to the other 15 sectors.
And so we find ourselves, we can watch this and have a roll of these attacks just go across the national infrastructure sectors because the sectors have not yet learned to adequately discuss this across themselves. And anything we can do to foster that, to foster that crosstalk, to make that security knowledge permeate those barriers would add tremendously to our ability to respond. Does that have anything to do with the suspected Chinese hackers going into energy systems and now all of a sudden we see whatever 4.2 million health records accessed by suspected Chinese hackers using some of the same techniques? You know, if you learn to wear your seat belt, if you learn to take this corner at 35 miles an hour instead of 30 miles an hour you're going to wipe out. And you tell your neighbor and your neighbor doesn't wipe out, that's what we're talking about. We're talking about nuts and bolts sort of information at the operator group working level. So one of the things that we are acutely focused on in our NCCIC and through a range of p with a number of points of coordination across sectors is vital. It is exclusively taking the single indicator and providing it. There translation. The best analogy I use, if you are going to break into a law firm, you wear a suit and tie, if you are going to break into a power plant, you wear a special suit and hard hat. It is important to bring them together in a way that folks who are experts in the sectors with those technologies can help with that translation point. But it is one of those things we are acutely focused on where we can get the information turned around that get us to us from one sector or another or create the avenues so we don't have to be in the middle of it. And collaboration in a way that people are collaborating and establishing trust between organizations and between organizations and their government. So that we don't have to be in the middle of the conversation.
How they can collaborate with each other in a way they are more comfortable doing and so that we can then get that threat information, the very easily to identify technical information that can be a value and create that, distribute that in an automated way and both consume and produce and provide in an automated way. We're really excited with some of the work, the financial sector, and taking our work taxing even further, and the bulletins we released out of the NCCIC are distributed within an automated fashion and are anxious to take that to the next level as well. Working with other sectors and other organizations. I think we are also seeing more of a shift from just the protection to the detection and the response. Especially here over the last two years. Also, I think more of a security in-depth approach and also using more behavior analysis and looking back and seeing, what are the bad guys doing. What are their patterns of behavior and really using that more as we've learned security more into our enterprise. Okay. Last question from me, and then we'll let you guys ask the questions. So the four of us are sitting here three to five years from now. What new types of technologies and processes will we be talking about? And will the costs have gone up or will we have the more, you know, bang for your buck with the Verizon price plan that you were talking about? What changes are we going to see in the landscape, what ideally would you like to see? Wow. I'd like my car to fly. Oh, you want me to talk about this. There are two that come to mind. And we're working on it now. I would like to see it realized. An understanding of what normal is. A normal meaning, what is a baseline for my network. What is a baseline for this application. What is a baseline for this user. And if we can understand that in a reliable way that minimizes false positives and false information, once we know what normal is, we can measure current activity against that normal.
On a regular and recurrent basis. And so if we're doing that, we know that when 32 gigabytes of information suddenly starts flowing out to a user who downloads who megabytes within any given timeframe that there is something wrong. We know that when given processes start doing things they shouldn't be doing, or we understand what shouldn't be doing is. So understanding normal on a regular basis across the board. For enterprise. For individuals. Is something I'd like to see really fully realized in three to five years. The other one that I think is interesting, is we need to look at the way we grant access to our resources. And data and data loss prevention are a big difference these days, especially insider threat and malicious penetration from the outside. How do we ensure that everyone has the information they need and, you know, you can think of any number of domestic and international incidents that arose from organizations having information but not being able to effectively share it. At the same time, we protect it against inadvertent spillage, and at the same time, attacked. I would like to see our data structures and resource access control structures being built in such a way that we really do control access to that data in such a way that everyone has access to what they need, at least the parts they are authorized, at any given time. Today we do a lot of all or nothing access. And data storage to account for multiple levels of security and both of those things are tremendously expensive. I mean, the numbers for having multiple redundant networks based on just classifications range from 4 billion to 14 billion annually. We can address that significantly, not entirely, there are policy and legislative issues that are difficult to surmount. But we can address the significant amount of it through technology. And that's a security issue along with everything else.
So if I could dream a little, what I'd like to not be talking about in five years is phishing and spear phishing and botnets. We have been talking about these for a long time. I remember the first email I got from the Nigerian prince. We all got it, right? But if I had the opportunity to sort of create that call, it would be nice to be talking about something else. Not because we are tired of talking about this and we can't seem to get past it, but because we've actually figured out how to have it not be as significant a problem for our infrastructure as it currently is. If I had to forecast as far as the first part of your question around cost, I think the individual cost of products will probably go down. But the overall cost of security in general will continue to increase, especially around the labor costs, the support security and the various tools that need to be needed to support it. I think you will see a great growth around mobility in the next one to five years. Also, around cloud, big data and big encryption, and our data will increase and also as mobility and cloud increases our bandwidth will need to increase. So we need to make sure we're protecting our networks even more in the years to come. Okay. Thank you. Thank you. I want to let, well, I think we have, back there, if you have a question for any of our panelists, raise your hand and they will come and get you. I was going to use my man voice, but I'll go with the microphone. So how do you foster information without reliance on private sector to support for DHS? And Adam, how do you, first decide, foster innovation without sharing the proprietary secrets, that we give you a competitive edge over other government solutions or antivirus companies that support government? So, that's an interesting question. Theres be a easy answer, right? Private companies have always been in the business of fostering innovation without the assistance of other companies or the government.
If I can interpret your question a little bit, how do I make my innovation available to the government so that they can use it. Again, companies have been doing that for a very long time. The nature of your contract, you can provide a product and have a license agreement like everyone else does. Or if you develop your capability at the behest of the government pursuant of a contract, the government owns that just like they would own anything else. I think that the more interesting part of that is how do we apply that innovation. That's a question back to partnership. Really. It's an issue of how do you bring what you can do to the table. And make that available. And that's an information sharing. We have this capability. Does that work four? And in general, I think that it gets harder and harder, especially when you work in a public-private partnership capacity, to adjust true proprietary capability. Microsoft handed over Microsoft 7, and maybe 8, too. But for 7, to say, here's what we have, and that's a trust issue. So working with the government, the private sector will continue to do what it does. I was at Black Hat two weeks ago and I met up with a bunch of guys that came up with the next generation, or what they thought was the next generation, encryption solution. It starts where the es leaves off. And they are giving away a BMW to anyone who can crack their encryption. But the point is, what we want to do is work with the government. We want to give them the solution and work with them to secure what needs to be secured. And we understand that we have to share a significant amount of our technology to do that.
But we're okay with that because the government understands that the flip side of sharing that technology is a trust issue of deserving the proprietary nature of that technology. Making sure they aren't damaged in working with the government and make sure the government gets the best value and that industry is fairly compensated. By the way, my comment about the best acquisitions in the world. Anyone who has had their eyes bleed reading the fonts, raise your hand. At one point or another all of us have. The reason they are there, and they are effective pieces of legislation, is to allow that part to take our place. They may be painful to sort of get through your head. But we have a really strong basis in the United States for fostering that sort of partnership. So I'm going to say thank you first. Because rarely do I hear people use the word innovation in the government. The prevailing ethos is we're not innovative. It's wrong. We are innovative. And you have to be when you look at the pressures that were understand. In this situation. Thank you for acknowledging. I appreciate it. As does all of the folks who work with me as well. One of the most important things that enables us to be innovative is a willingness to collaborate. I find, and it may be true for others, but I find that best solutions come when you bring together diverse perspective. And then you find the thing that you didn't realize existed in that space. Until we try very hard to create the opportunity for those with conversations about when you look at the operating model we use both from a partnership perspective, the National Protection Plan, which talks about how we establish a 20 partnership that can help handle the threat we're facing in the 21st century. It is about recognizing that we don't all have exactly the same value transition but we all have to be in the room together. And we can bring all of our different perspectives together and drive to a different place.
I think about the operating model our NCCIC uses. I think about the operating model we use with state and local governments in helping them handle inoperable communication issues. It is really about that, creating that collaboration space. Bringing the engineers together. Bringing the policy people together. Bringing the business focus together. And helping work through all of that. I want to thank you all for sharing your perspective. You're validating my existence at the Food and Drug Administration. Hi, my name is Nick Thaker. I'm a policy adviser for the Center of Radiological Health. The thing that keeps me up at night, other than my kids, is medical device cybersecurity, and cybersecurity of the public health sector assets. We're in the process right now at the FDA of setting up a collaboration of which all of you have mentioned in your session discussions. About medical device cybersecurity. And I'm sure you're familiar with it in that and we've been approached about this. What I want to do is put a shameless plug in for this opportunity for all of you to participate in a public style forum. It will come out through the Federal Register and that's about all I can say right now until this comes out. But the question for all of you is with regard to fostering innovation, what are some of the ways that you can perhaps allow a regulator, such as myself, to foster that innovation? What are some tidbits that you could perhaps offer me? I'm in a unique position in that the companies I regulate are even more wary of sharing their technology. Because not only are they worried about my inadvertent sharing it with their competitors, they worry that if they were to share something about a vulnerability to me, I might turn around and say, this is ground for regulatory action. Clarity. Right? That's where it has to start, in what is the outcomes you're trying to achieve and clarity in the conversation.
I find that trust is eroded when people don't have sort of a common understanding of what roles and responsibilities each of those partners play. And so when someone switches from one role to another, that just undermines it. So it is one of the places that I think we have to start. I would add, so I spoke on another panel in Las Vegas and they were talking about the cybersecurity framework. What is the cybersecurity, the framework that came out recently that says here's the way to start, if you want to look at security and how to mitigate your risk and manage your cyber risk. And everyone is talking, how do we get people to adopt it. How do we get the industry to adopt it. I'm not really a big fan of regulatory push. On a variety of levels. But my point that I made at that, was that as a former trial attorney, I watched an organization, I did product liability, I watched organizations make the choice to say, I can fix my production line. That will cost me 5 million. Every year. Or I can assume I'm going to pay 750,000 a year in lawsuits. And I'm going to pay the 750,000 a year in lawsuits. So without proper incentivization, you don't get industry to play the way you want it to play because it is a dollars and cents game. And the incentivization doesn't have to be a stick, it can be a carrot. I would say that one of the first things I would look at if I were in your shoes, or how can I encourage this information sharing and make it a positive experience for them and one, foster the trust. Make them aware that no bad thing will happen to their intellectual property, but also make them aware that if you come in under this, no bad thing will happen to you, a safe harbors concept. I know that on the legislative level, safe harbors in general has been something bandied about for the last couple of years. It hasn't gotten places for many reasons.
But I would say, if you have the freedom of action within your sphere, to create a safe harbor capability, I think you will be pleasantly surprised by the degree of participation you would get from industry. If I could just sort of do a little plug for the Cybersecurity Framework, more than a year ago the president signed an executive order on cybersecurity for critical infrastructure. I think that's one of the things we've been talking about over the course of the last year. And in that, asked to convene a series of collaboration between industry, government and others, with the output of which designed to be a framework. What does it mean for there to be cyber secure effectively. Really powerful set of discussions, if you want to all of, and I think you got a T-shirt, but Cybersecurity Framework is published earlier or late last year. And did a handful of really meaningful things. If you haven't read it, here is the executive summary. First thing it says is cybersecurity is an important risk and must be managed in your enterprise risk management activity. So it moved cybersecurity from being an I.T. server room problem in a company to being a board room problem. Big steps there. It said, you must understand, as you do this, here is a way you might think about how to incorporate their risk into your model. And there is a list of a way to think about cybersecurity from identify and protect, protect and respond, and here are standards and activities that really detail all things cyber secure. Including [ inaudible ] so that's the framework. And what we've been doing, what we've been doing in the Department of Homeland Security is working with owners and operators, working with departments and agencies to help them go through this journey of understanding and adopting the framework. We strongly believe that working with these owners and operators that folks will find a way and we have illuminated a part of the confusion that might have existed.
It is a very voluntary interaction. We've been very, very confused with the kind of results we've had, ranging from companies who are very secure who can find themselves in the framework who have been doing this all along, to those who aren't really sure where to start. With a focus, an important focus on small business. And one of the small and medium businesses who are in many instances critical infrastructure, how do they find themselves in this framework. And move to themselves on their cybersecurity journey to managing risk that level. And not putting it in the concept of risk conversation, really helps with trust building. It helps with roles and responsibilities. It helps put more clarity about the decisions. Because it really enables cybersecurity to be a dinner conversation. Getting the CIO information they need, giving department and agency leadership the information they need. Information anizations are, our fourth speaker who was supposed to be here, probably would have had good feedback as well. There is also private sector companies that focus in those areas where you do have that test bed and environment where you can feel comfortable in try doing I think what you're trying to sell. Good morning. I'm Jean with IBM. I wanted to thank you all very much for your insight this morning. You talked about the growth and mobility in the next three to five years. And with the implementation of the DHS Car Wash, final mobile applications and DoD having their own certification process. How do you see greater collaboration and adoption and sharing evolving in the future? In that area of certifying mobile applications. Wow, I hadn't thought about that very much. So give me a minute. So the point you're making is that we have to be more collaboration and cross-organizational understanding, an engagement. So that there is opportunity and a viability path for mobile apps to come forward. And we have to do that. One.
Things that we also have to do is understand that the landscape and the federal landscape in particular is not the same from one department or organization to another. And so we have to find a path that enables us to manage both. One of the more successful, I think, is the accreditation path and that's a viable model for that kind of thinking and I think I would encourage that as a method. When I looked up what we've done over the years, we've today build enough momentum between different departments and agencies in order to get to that point. And it feels like we are on the crux of that right now. With the certification work that we can do something of that sort. You're talking about FedRAMP for uninitiated, for clouds in cybersecurity certification. Risk when you outsource your data to Amazon, for example. They are talking about this same sort of model. Instead of having each department do its own certification, we included it in a joint model that enables all of the models because they are very unique department requirements into the situation and find common ground. Thanks. I think adding on to that, there is a technical area as well. I alluded to it earlier. The mobile app tends to be, let me rephrase. Right now the same as for your big apps. Your big development project. So I spend four years developing the best software known to mankind. And it requires, you know, a cluster of high-end blade servers to run. The process that I use to certify that today is the same as the process that I use to certify mobile apps written in a week and a half. That's much smaller. That make this thing hum. The volume of mobile apps is significantly greater. One of the technical things I look at is how to push the accreditation back on the developer and it becomes almost a question of again methodology.
A combination of agile and test-driven development so when you finish developing your app, it is certified by virtue of the environment in which you've developed it being certified. Doing that and in innovation in terms of both the development side and how do I accredit things for use within the particular environment, and at the same time, how do I provide a hardware software methodology or mechanism, do you think, to do that, becomes very interested. And I would encourage industry in general to look at innovative ways to solve that problem. Create a development environment that can be certified and by virtue of that environment certify the things coming out of it. I think we have time for one more question. Hi. A few of you have mentioned how important small and medium-sized businesses are in this effort and there's been traditionally a bit of an attitude of, when it comes to cybersecurity, if I outrun someone else and someone else is an easier target that I'm off the hook, so we have seen how interconnected everyone is. Everyone's favorite story. How bad guys got to a target, through a vendor. How you bring up the little guys may not have resources, access to information sharing. How do you bring them up to a level so that everyone is safer? We, I'm going to get my time here. But about three and a half months ago, maybe four months ago, we issued an RFI to collect information and sort of a mechanism for us to structure collection of information about the challenges small and medium businesses have, and hear from them specifically. So we're not inferring what their challenges might be. And to talk about what that kind of solution might exist in order to enable them to be successful. Because it was important for us to sort of have an open and direct dialogue in that space. We got a lot of feedback. Both from small and medium businesses and from I.T. industry partners who are focused on them as a particular customer and constituency.
It was a really interesting dialogue. I think the first time in meaningful way both parties in the room together talk about what the realities are. And the process of gleaning through the information back from that. But one of the, I think, one of the most important insights to me was that they have some of the exact same needs as well as some I had not appreciated. If there is not as much, I thought they would be more aware of what some of the cybersecurity threats are. It feels like we talk about Target a lot. Or there was not as much of a broad awareness as we expect and to really focus on trying to help engage and outreach in a language that's accessible to them as one of the easy first steps. And then certainly, continuing to encourage the provision of solutions and capabilities that are accessible to them as well. I think the good news is the small mediums are much more agile and can do things quickly and can change their policies and procedures much more quickly but also leverage larger company, protege programs and access one of the larger requirements, around security would be my suggestion. So from the industry perspective, specifically the security industry perspective, let me say first, in my organization we focus primary, again, government contractor constellation structure. But the greater organization as a whole, and especially the U.S.-based lab organization, is very supportive of education, adoption, integration of the framework for small and medium-sized businesses. And is uniquely positioned due to its significant footprint in the small and medium-sized business community to promote education about the framework. And in fact, that's one of the company's goals and mission. So from a perspective of security, it only helps everyone. I mean, whether it's because that's your business or you have a government yall view on it. So we push that. I don't want to say push that. But we make our partners aware of that in every chance we get. Okay.
And with that, I want to thank Barry, Bobby, Adam, all of you for coming. I think they might be sticking around for a little bit if you want to come up. But you are all free to enjoy the rest of this August. Thank you very much. [ applause ] With live coverage of the U.S. House on C-SPAN and the Senate on C-SPAN 2, here on C-SPAN 3, we complement that coverage by showing you the most relevant congressional hearings and public affairs events. On the weekends, we have television telling stories. Including the Civil War's 150th anniversary. Visiting battlefields and key events. Artifacts, touring museums, to discover what artifacts reveal about America's past. Best known American history writers. The presidency. Looking at our nation's commanders in chief. Lectures in history. Tough college professors delving into America's past. And our series, Real America. Featuring our educational films from the 1930s to the 70s. C-SPAN 3, watch us on HD, like us on Facebook, and follow us on Twitter. Now, Education Secretary Arne Duncan discusses the Common Core
