Stronger relationships with the private sector. This is about 55 minutes. Thank you very much, Joe, thank you for once again taking the laboring oar and putting together this very thank you to all of you, who are here today, who have taken the time to be here, but who also, I know, on a daily basis care about and in many cases work to achieve our shared objective of ensuring safe, secure, resilient communities where our this is like a class reunion. And in many ways it is, a lot of former DHS folks here, a lot of current DHS folks here, but also a lot of you in private practice and in academia and elsewhere, all of whom contribute to the solving, addressing, understanding the challenges that we face. So thank you, all of you, for what you do. I bring greetings from Secretary Jeh Johnson, Secretary of Homeland Security, who would love to have been here today. Like me, he is a recovering attorney. And we are very, both of us, well aware and deeply appreciate the importance of the rule of law and the role of lawyers as a vital part of our team as we go forward to accomplish this mission on behalf of the American people. I am aided, as I said, by my very able county schedule, I believe you're hearing from later in the program. So we're really quite fortunate in our legal counsel at the department. I want to talk about three key elements of how we accomplish and view our mission at the Department of Homeland Security, but particularly with regard to the National Programs Directorate, for which I have the honor of being the undersecretary. Joe described a bit about what we do, which is good because the name tells you very little about what we do. But our overarch critical infrastructure. And we do that in the context of an all-hazards approach. So we look at the threats, the vulnerabilities, the consequences and mitigation across both physical, human and cyber. And that gives us a tremendous strength.
We are working very hard, each and every day, to make sure that we are not stovepiping our approach to that mission of the security and resilience of critical infrastructure. That folks who are our cyber ninjas, who are really smart on the cyber front, and the folks who have gotten really good over the years of and the folks who are looking at human security from a biometrics perspective, for example, are all talking together, in looking at these things and understanding their own interdependencies, and that's critically important. We're able to achieve that and get better and better at that each day because we have very talented people at the Department of Homeland Security, and I'll talk a little bit about that. I'm going to talk a bit about the role of technology, and that's a particularly important and a challenge for on the legal front, so for those of you in this room, I think you'll some of the challenges that I want to talk about there will resonate with you, and I'm finally one of the most important aspects of what we do, which is the public-private partnerships. A lot of people roll their eyes, and have refused to even mention the phrase anymore, but in fact, I'm here to tell you, it is a reality that we benefit from each and every day at NPPD and the Department of Homeland Security. I'm going to start with my favorite part of this is the we have always had the benefit of being led by people with extraordinary talent. I continue to be amazed at the people that we attract. The people in this room who were there at the creation of the department and folks who have helped shepherd it along the way, who have made this an exciting place for people to come to work. We are very fortunate to be led by Secretary Jeh Johnson, who in addition to being a lawyer, most recently came to us after having been general counsel at the Department of Defense.
So he brings not only the experience he had in private practice representing businesses, private sector entities of all sizes, which is again a critical part of what we do, but he also comes and has brought to the department that post-Goldwater-Nichols sense, the importance of the sense of unity of effort. So those of you at the DoD know this, about four years after the Department of Defense was created, the department passed Goldwater-Nichols legislation to bring greater unity of purpose to the Department of Defense. I remind them that it took about 40 years for the Department of Defense to get where they needed to get, to begin to get where they needed to get on unity of effort. We don't have 40 years to get this right at the Department of Homeland Security. But it does help you to keep in mind how young we are, as a department. But Secretary Johnson has come with a sense of urgency, to bring the lessons learned from the Department of Defense with regard to bringing that unity of effort across those elements of DHS, a very important part of what he's doing. And it is perfectly consistent with what I have been doing, trying to do at NPPD since I came in October of 2011. To bring that unity of effort that I talked about earlier, across NPPD, to make sure we are fully leveraging, understanding, data, knowledge, across those es of NPPD and that we are helping to leverage that all across the department. We're also very component head, so he was the head of has moved up to be the deputy, and I have to tell you that it really is wonderful to have someone in that position who has led one of the components of the department, and understands that relationship and how important that is between Department of Homeland Security headquarters and its operational components, and really appreciates the kinds of things that need to be pulled up and really centralized and managed from headquarters and those things that really need to be distributed out to the components.
And as interesting as I watch that, because it is the same sort of lessons that I take back to NPPD, as I look at the relationship for what I am, at NPPD, which is headquarters and our subcomponents, and have the same kinds of discussions about what needs to be centralized and what needs to be distributed to create a really effective, agile, dynamic and effective organization. So that is happening, so we are seeing changes at the departmental level, in an effort, as I say, creating that unity of effort to enhance effectiveness and efficiency. The challenge that we are facing on a daily basis is to make sure that we're in sync with each other. But it is in large part thanks to the great leadership that we have at the department. And within NPPD, so we were incredibly excited to recruit our cyber deputy secretary. Quite a while ago now, she can no longer play the "I'm new here" card. So for those of you who don't know Phyllis, she comes to us from the private sector, she was the chief technology officer at McAfee. Someone who comes with the understanding already of the importance of policy because she was chairman of the board at InfraGard, which was a private sector outreach group that was really managed by the FBI. And also with that terrific forensic analysis effort up in Pennsylvania, outside of Carnegie Mellon, the center for republican sick and Technology Si analysis as it's called. She's outstanding and she also helped us to recruit for our assistant secretary for cybersecurity Education Officer u eat one that brings great technical but again, an understanding of the interagency because he, prior to joining us, was at the White House, working with Michael Daniel at the National Security Council. And he has come in and provided some really outstanding leadership along with his deputies Greg and Bobby. We have got just an outstanding team in place in the leadership of CS&C. And they continue to attract the best and the brightest.
We have turnover, which is to be expected when you're recruiting really top talent, particularly in the cyber sector. It's not surprising that the competition would be able to lure them away at some point. It's always a loss, and we're always sad to see them go. We just lost a couple of our key leaders, but we know that we have top talent lined up and ready to come in and join the fight. That is really a wonderful feeling, to know that we will continue to be able to recruit the best and the brightest to join us in this really important mission. We have great leadership across NPPD. And I just want to quickly highlight Eric Patterson, who's a retired Air Force general, who leads our Federal Protective Service, and they are increasingly, those are the folks that watch federal facilities all across the country. They are in charge of security at over 9,000 facilities across the country, and they do work very similar to what our protective security advisors and our office of protection are doing for the private sector. They assess security at federal facilities, they provide recommendations for reconciliation. But then they also manage the guard force, the private security officers that stand guard at those buildings, day in and day out. And the lessons we can learn, the insights we can get from that day-to-day interaction to see how these mitigation measures actually play out when they're implemented, is something we're working to bring back, in our private sector, to help enhance the work that we do at the private sector. So our cyber folks have responsibility for the .gov. FPS is the sector-specific agency for federal facilities. So again, one of the things we're doing is saying, this is a really powerful combination, we have federal assets, systems and networks, physical and virtual, that we have responsibility for protecting, and we are increasingly looking at that in a holistic way.
How do we leverage those insights on a daily basis, not just to ensure the continuity, protecting the people who work and visit those federal facilities each and every day, but to be able to bring that knowledge in, whether it's from what we're seeing in our .gov tools and programs or what we're seeing in the physical realm, together to provide those insights to our .com stakeholders. That gives you an insight into what we are, when I talk about unity of effort at NPPD, that's what we're talking about, how do we bring all of these things together to help all of our stakeholders, by leveraging more fully the kinds of things we are doing, and Eric Patterson is doing a great job leading the Federal Protective Service. We have got great leaders at our office of bioidentity management. They are taking a leadership role across the department's how can we utilize biometrics. And our newest entity, which is the Office of Cyber and Infrastructure Analysis, which is a real institutionalization of that looking across cyber and physical. And that group is doing great work, bringing together our cyber ninjas, particularly those who have unequaled expertise in understanding industrial control systems, together with the physical people who can say the "so what" of cyber. So our industrial control system folks can say, here's all of the ways that somebody could hack into, you know, SCADA systems and industrial control systems, and the processes that are controlled by those systems. And then the physical, the folks who understand how to model and simulate and understand those interdependencies, can say here are the consequences from that. And that is a critical part of prioritization, right? All of us understand that we have limited resources, limited time, and we have got to make decisions about how we prioritize the allocation of resources. Whether it's a Superstorm Sandy, a cyber attack or a physical sabotage.
Something on the scale that we at the Homeland Security department are worry to keep generators going, and it is the folks at NPPD that says, there's a communications hub that people aren't paying attention to, that if it's running out of fuel in our generator, international communications up and down the eastern seaboard will be avblged, we got to get fuel or generator help to that facility. That's the kind of dynamic prioritization that our folks in OCIA, the Office of Cyber and Infrastructure Analysis, do. So the growing expertise at NPPD is actually increasingly being recognized by outside observers. For example, I mentioned Phyllis Schneck, and Bob Stanley, they were recently recognized as two of the top 50 IT professionals in government. Our colleagues have won major awards from organizations like the and the Information Systems security education. Phyllis, I think, has been particularly pleased to gain an expeer in the private sector. She had said time and time again that she had never worked with smarter people than she has here. We recently got the most recent kudos from our stakeholders out there, from a company that we had sent one of our CERT teams out there to assess, who wrote back and said that he had never worked with a more professional and talented team. For those of you again who. My second point that I want to talk about is technology and how that impacts our mission. As we have talked about, we are increasingly at risk, our nation's critical infrastructure. And the technology, as technology advances, it challenges and opportunities for the folks who look at vulnerabilities, who look at threat vectors and who look at consequences of litigation, but it's also a challenge for the lawyers, and Dan and I have frequent conversations about how this presents increasingly challenges for us. Because our adversaries are not slowing down in their evolution of technology and techniques, and we have to be equally agile.
In the cyber context, when people ask me to summarize the nature of the threat, I typically draw a matrix, right, so on this edge of the graph is destructive intentional and on this angle is capacity. Those who have the greatest destructive intent at the moment have the least capability. I always point out that this top those who have less capacity today are constantly gaining capacity. And this bottom point depends on what's happening in the world and at any point could flip up. So that's the threat picture, it's very dynamic, and we're aware that it's very dynamic and we never get too complacent, and a lot of that is because of technology. Just as our adversaries are taking advantage of the advance in technology, the department too is looking at and making great strides in terms of the kinds of technology that our department's Science and Technology Directorate has some very innovative programs under way, both in the cyber context and also in the physical context. So those of you who are familiar with the Metcalf electricity substation out in California understand the importance of transformers and that they are a long pole in the tent. Our Science and Technology Directorate has for some time now been working with their private sector colleagues to develop transformers that can be as I said, that's a significant vulnerability and a long pole in the tent. Our colleagues at ICE, who are also involved in our cyber activities and do terrific work on forensics, to uncover and prosecute criminal activity online, are constantly innovating and using technology to get faster and better at the ways in which they are able to do that forensic activity.
Secret Service is closing complex international investigations and they are crippling international crime networks and again becoming increasingly innovative, not only in the ways in which they do prosecution, but also maybe really working hard and rolling up their sleeves in the way they can carry out a successful prosecution while sharing information with us to share to our private sector and government stakeholders as quickly as possible. And that is a real challenge and something that has bedeviled in the past. We have terrific stuff going on in our cyber ops center, the National Communications and Cyber Community integration center, the NCCIC. It's our 24/7 ops center, it has sitting on the floor of that ops center not only our colleagues across DHS, but also our colleagues across the interagency, including law enforcement and the intelligence community, and programs most significantly our colleagues from the private sector, who come together and with increasingly sophisticated tech until and tools are able to provide us with situational awareness in the event of incidents, but also understanding how to detect and stop and block those technologies. Who are developing the tools and technology, we have the spopt for. Gov. There we have employed our intrusion prevention technology, but also continuous diagnostics, which is going to revolutionize and assess the health of our government networks. Right now under the Federal Information Security Management Act, this produces every three years a big, fat binder that's a compliance checklist. What CDM will do, and within a matter of hours, scan your network, assess your network, being government networks, assess the health of those networks, and tell you where you've got problems and help you prioritize what you've got to assess first. In that you have got to have real-time sense of the health of your network, it is really remarkable.
And an example again of the ways in which the department is taking advantage of technology to try to stay ahead of the game here. The NCCIC is again an illustration I'll talk about in a minute in terms of public-private partnership. Since 2009, they have responded to nearly half a million incident reports, and they have put out over 26,000 actionable alerts, and I will tell you, these actually, they are making a difference. We just got word from a private sector company that they had gotten an alert from our NCCIC, some of the information from that alert came from the Secret Service, we put that information out through our NCCIC and this private sector company got an alert about a possible malware and they said to their tech folks, we have got to figure out if we have got this, and they looked and indeed they did, and they were able to take mitigation measures. That is exactly what we are about. We are all about getting that information out, making sure it is actionable, and trying to prevent, mitigate the consequences of cyber and physical intrusions. Cyber is impacting the law as I spoke about earlier. As you can imagine, we are Dan and his team are dealing with a number of cutting-edge issues in the law, but a number of them have to do with technology. And the reason you all understand this is that there is really a disconnect, still, between the incredibly rapid pace of technological change and the intentionally deliberate speed with which the law changes. All right? The law is intended to be thoughtful, careful buildup over time, whether you're talking about the development of law through the judicial process, which can take a long time, or the development of law through the Congress, which can sometimes take forever and which often runs the risk of being outdated as soon as it's enacted.
So this is a huge challenge, it is one with which we wrestle, and what you wind up doing is that you're going to laws for legal guidance that were written that lie behind those legislative enactments. You're familiar with the number of questions with which this takes place. Speed is one of the issues, quantity is one of the issues that we are increasingly confronting and that you're seeing increasingly play out in lower court cases. Are we in a place where a difference in quantity becomes a difference in kind? The amount of information that technology allows us not only to gather, but to understand and make sense of, so it's both the sensing and the sense-making part of technology, that has presented some interesting new issues for our courts and our lawyers as they look at those issues. The balance of the bucket in which these international or foreign and domestic. Between nation state actors and non-state actors, between criminal actors and nation state actors. And these lines that have served us pretty well in the past to try to understand who has the authority and how that authority is going to be implemented and how just exactly how the Fourth Amendment applies, et cetera, those things are being challenged, as we know. And that debate and those questions are being asked and we, you know, we're looking at, do we need new kinds of buckets, how do we make sure that our legal framework is keeping up with the real the changes in the world. And one of the ones we deal with on a daily basis, and that is roles, particularly the role of the government and the role of the private sector. Those of you who, like me, came up in the traditional national security world, you will remember that we basically, if we interacted with the private sector, it was generally in one of two contexts. They were either a contractor providing you a specific good or service pursuant to a particular good or contract.
So this notion that the Department of Homeland Security was in part stood up to implement, and treating and recognizing the private sector as a full partner in achieving that security and resilience that is our fundamental mission, that is a new concept. Again, despite the fact that we have been talking public-private partnership it seems like forever now, it's actually a new way of thinking for traditional national security folks. And I have watched as negotiation have sort of begun to get their head around it. But it is something that we, again, work on day in and day out, at the Department of Homeland Security, and that we go to the traditional national security table, you know, having to constantly remind our colleagues that the private sector actually is part of the security solution. So, for example, we have a private sector clearance program, where we can clear folks on the private sector, not pursuant to a contractual relationship, but pursuant to this partnership, and so we can bring in critical infrastructure owners and operators, with top secret clearances, show them all the intelligence that we have, and say, here's what we think we see in this intelligence, here's what we think this is saying, what do you see? What are we missing? And most importantly, help us to craft the unclassified alert that we can put out through our appropriate channels to all of our critical infrastructure owners and operators across the country, so they can take action. Tell us what in this classified information you would really need to know as the chief security officer of a piece of critical infrastructure, or as the chief information security officer.
And that gives us ammunition, then, to go back to either the intelligence community or the law enforcement community saying this piece of this is what they need to be able to take the action that we look to them to take, as our partners, in addressing the security challenge. That's a really powerful combination and just one example of the way in which that plays out. Which leads smoothly into that next topic, which is that public-private partnership, because we really do recognize that we are not going to achieve the security and resilience of critical infrastructure. We are going to do everything that we can to assist the owners and operators of that infrastructure, whether they're federal facilities or private sector or public sector utility owners and operators, to make wiser risk management decisions. So traditionally, that meant that the government would, you know, would provide the threat information. All right? And we still do provide significant threat information, as I just described. But increasingly, particularly in the cyber context, the private sector is developing threat information and in some cases, better and more threat information than the government. At least certainly with respect to what's coming at the private sector. So we are in a situation where, again, we're having to think about this in a very nontraditional way. Not just threat information. That task is made easier for me at the department because we have a statutory privacy Security Officer and I have an NPPD, my own Privacy Security counsel, and she has a team, Emily Andrew and her team, they are a full part of our team, they are with us at the development of programs, we don't go to them afterwards, "we have built this program, now tell us how to make it consistent with our privacy," they are right there from the get-go to bake it in from the beginning.
Not only do we have some legal obligations to make sure that we are complying with privacy laws, but our privacy counsel helps us to focus our efforts, and again in a time of scarce resources, we want to make sure that we're focusing on the things that really matter. So they are helping us accomplish our mission of strengthening our security in critical infrastructure. That close relationship and doing this right is essential to that trusted relationship that we have with the private sector. That is, again, that is our reason for being, we are only here to assist our stakeholders in that security and resilience of critical infrastructure mission. And we can only do that if we have the trust of the critical structure owners and operators of American people. So we are extremely grateful to have this team helping us with the privacy and civil rights, civil liberty issues from the get-go and all the way through. The importance of our private sector partnership is reflected in the National Infrastructure Protection Plan for 2013, and I see a number of people in this room, and so you know what a huge undertaking and what a huge challenge it is, always, to develop this document. We have tremendous collaboration and input from the private sector. Folks who worked incredibly hard and for whom this was not really their day job. I do have other things to do, but who rolled up their sleeves across our critical infrastructure sectors and helped to make sure that we got this right. So subtitle of that National Infrastructure to strengthen the security of critical infrastructure. And it reflects the lessons we have learned and continue to learn day in and day out as we strengthen those relationships and that interaction. So, I'm going to wrap it up. You know, the bottom line of my message is, we're from the government and we're here to help. And that's a pretty guaranteed laugh line. But it really is true.
And I think increasingly, our stakeholders are coming to see that we really mean it and that in fact we have a lot that we bring to the table to help in what is increasingly seen as a shared mission, to preserve the functionality of those services, and goods, that underlie our way of life. Thans when we talk about critical infrastructure, that's really what we're talking about, we're talking about all those things that go into our day to day, that we depend upon to sustain and enrich our ways of life. That's critical infrastructure. This is that broad. And traditionally, 85%, we say 85% of it is owned by the private sector. One of these days we'll figure out whether that's true. But it's somewhere around that number, in any event. The vast majority is owned by the private sector. So that relationship is very important. We have things we bring to the table. So as lawyers out there, those of you in this room who work with clients in the critical infrastructure owner-operator arena, lawyers are always very cautious and I think appropriately so, that's what we get paid the big bucks for. But I want you to know that we do come when we come and knock on the door and offer to do a vulnerability assessment. When we respond to a call that says we think we have seen an intrusion or breach, those of us who are coming from NPPD, we're coming for no other reason than to help you. We don't have a law enforcement mission. Our colleagues in the Secret Service go after organized crime and financial crimes. But in NPPD we don't have a law enforcement mission and we don't have an intelligence collection mission, our mission is just about helping strengthen the security resilience of critical infrastructure. So I would encourage you to encourage your clients to feel comfortable in reaching out.
The information is protected under the protected critical infrastructure regime and we have never had an unauthorized disclosure of information that was protected under that regime, that was set up when the department was I have been working with the American Bar Association to try to see if we can't get a more clear statement about the responsibility of lawyers that are doing due diligence in mergers and acquisitions to include cyber security in the risks they are assessing and analyzing. Acquired companies and later find out after they have connected all their networks and systems that that company they acquired did not have good cyber hygiene and was riddled with problems that have now infected the entire network. Lawyers need to help with that. Auditors need to help with that. Venture capitalists, saying if you're invested in a company, you're investing in large part in that intellectual property, and if you haven't done your due diligence you are throwing your money down a rat hole, because that intellectual property is going out the back door. Attorneys in this room and your colleagues work with these folks on a daily basis, I need your help in spreading the word. The more secure any of us become, the more secure the rest of us are. This is a working collaboration and only by working together will we meet this challenge. But I am confident that those of you in this room understand that, that's why you're here today, that's why you're going to be here for the next couple of days, and I thank you for the work that you're doing and for all of your help as we tackle this significant changes. Thank you very much. So I talked longer than I meant to, for which I apologize. But I am happy to take a few questions.
I see David Wolf in the back of the room, which reminds me, you should never sort of thank people or recognize people in your organization, that I certainly meant to call out among the talented people that we have in NPPD, our assistant secretary for the Office of Infrastructure Protection, and has really been with NPPD since its inception, if not the day of, or shortly photograph brings tremendous expertise to that role and energy and passion. And David Wolf, who works with her as the head of the Infrastructure Security and Compliance Division, which is the office that manages CFATS. And David and Kaitlin have done an outstanding job of turning around what was a very troubled program that was that had a very difficult time getting off the ground. And I'm here to tell you that within the last two years, they have with their team gone from having approved zero, no site security plans for highest risk chemical facilities across the country to having just signed the 1,000th approval, so they have gone from zero approvals to 1,000 approvals within the space of two years and they are on a great trend line to get through what became a pretty significant backlog of plans to be approved to raise the security for the country with regard to his highest risk chemical facilities. They are making a difference every single day. Questions? Yes. We have a microphone up here, please come up to the microphone if you have a question. I'm not shy, let me ask a question if I could. Suzanne, I know you can't look into a crystal ball right now and think about, it's been more than 10 years since the department was created, if you could project ahead what you might be seeing in this sector in the next ten years. I think you have touched on that already in your remarks.
I'm going to ask a multipart question, this is always the thing you get sometimes with questions like this, but I'm thinking about the international piece, the second piece, the international. When I worked for Tom Ridge, one of the comments he made to me as he was going out the door, he wished he had spent more time on the international piece. So much of this is domestic, but if you could touch on the projection ahead and the international piece. That's great, Joe. I'll start with the international piece and I appreciate you bringing it up because it's a critical part of what we do, and our folks are very much counterparts across the globe. We have a particularly rich relationship, of course, with our what we in the intelligence community refer to as the Five Eyes, manifests itself in the critical five, the Ottawa five and any number of forum in which these folks come together. But also dealing with the EU on these issues and folks, as they say, around the world, on both the general critical infrastructure protection across all hazards, in the counterterrorism context and of course in the cyber context. And in the cyber context, in particular, we have very strong