public-private innovations and the public and private sector issues in cyber security. I want to also echo Frank and thank our sponsor for this, Northrop Grumman. In addition to his day job at Northrop Grumman, he's on the panel for cyber security. At the end of the 50 minutes there will be time for audience questions. First, immediately to my left, your right, Scott Aaronson, executive director for business continuity. He's been there since 2009, working in a variety of roles before getting his current position. Before that he worked on the Hill for Congressman Lantos and Senator Nelson for a number of years, has a master's here from GW, from the Graduate School of Political Management, and also, we'll be announcing this early next month, will be a member of the Senators board of directors. Next, to his left, Kirsten Todd is the president and managing partner of Liberty Group Ventures and also a resident scholar at the University of Pittsburgh Institute for Cyber Law. She served as executive director for the Commission on Cyber Security, and a number of the recommendations in that report, which was issued late last year, have found their way into the executive order that was issued in May of this year, and we'll be discussing some of those issues in the course of this panel. She has experience before that in the private sector and also up in Congress. And finally, on the far end of the table, Chris Valentino, professor of cyber security prevention. So I want to thank all of our panelists for being here and, you know, we sort of talked in the last panel about some of the cyber threat, cyber defense questions, but this one is more about, if you look at cyber security, a lot of the action on those sorts of issues has been about information sharing, about regulation, and there's been a shift in the last couple of years away from the focus on those two issues. Information sharing is still an issue, but legislation has been passed.
Regulation still exists in a variety of forms, but it's not the all-consuming issue that it was four or five years ago. I think now the public-private sector dialogue is much more about how the public sector and the private sector can work together, not just on sort of sharing information, passing it over a wall and barely interacting with each other, but collaborating, building, sharing information across and working together across the intelligence cycle, working together on things like R&D and workforce development, and basically building the architecture for the incentives to be in place for government to be doing the right things and for the private sector to be doing the right things. To make a few opening thoughts, you know, I guess focus first on the executive order from May. A key provision there was looking at how the U.S. government provides support to critical infrastructure that's at greatest risk, referred to in some cases in the previous executive orders as the section 9 critical infrastructure. What are your thoughts about how the government, or the private sector in general: what types of support are needed, and where do we draw the line about where the government's responsibility and the private sector's responsibility should be?

One of the more important things: I'm privileged to support the investor-owned electric companies here in the United States. But I also serve as a secretary for something called the Electricity Subsector Coordinating Council, or the ESCC, and the ESCC is unique among sector coordinating councils in that it's led by CEOs. I'll quote Tom Fanning, who likes to quote Wayne Gretzky: you want to skate to where the puck's going to be. The CEOs in general, they create accountability, they provide resources, they set priorities, and then, most importantly in the context of Kristen's question, they're a draw to other senior executives, and there are senior executives in other sectors with which we are interdependent.
So the coordination between us and our partners is phenomenal, because we have senior department officials from Homeland Security, the Department of Homeland Security, from the White House getting together when the skies are blue with the leadership of the sector. In the last month, we have been getting together on a fairly regular basis because of storm response, and I can draw this juxtaposition between the cyber security we have been talking about today and what we have been doing with respect to storms. I think there's a focus on left of boom, after the bad thing happens: how are we protecting, defending, really important pursuits to be sure. But you can't negotiate with Mother Nature, and frankly, even with the intelligent adversary, we have to be right 100 percent of the time and they have to be right once. How do we respond, how do we leverage the resources and capabilities of both the industry and the government in response to major natural disasters? And the same would be true in a cyber or physical attack situation. So a lot of what we're doing in terms of this blue-sky planning, I can say in the last five weeks we have built a level of coordination that has been invaluable.

Kirsten, did you want to add anything to that? Always. Thank you very much, and thanks very much for the opportunity to be here and for this conversation. So you asked a lot of great questions, and there are a lot of different ways to address them. One of the things the commission looked at was how we define critical infrastructure, and the problem we have now, in a particularly interdependent world, is how we all rely on each other. We have talked a lot about how technology and innovation can start to blur those lines, and some of you have heard the analogy I heard from one of the commissioners, who said the goal of Uber is to be able to saturate the streets in San Diego.
The last thing he wants is to be classified as critical infrastructure, and Facebook, the last thing they want is to be defined as critical infrastructure. So part of the framework is how we're defining it, and there is no better current event to demonstrate that than the Equifax breach. If you're one of the 143 million people whose files are part of Equifax, you're thinking it's critical, because it's the critical information that's important to you. In answering that question, we really have to be thinking much more about this definition. I struggle a little bit, and I know DHS came out to look at how we're defining section 9, because section 9 evolves as time evolves, and the corresponding threats. I agree with everything that Scott said about how we look at it, and I think given the industry that Scott's in, and particularly with the unfortunate exercise of what they're going through right now. What I would argue is that the challenge we have had with government and industry tends not to be in response; government does incident response really well. We heard from Aaron Hughes about PPD-41. We react to cyber security incidents very effectively. The other example that we use a lot is looking at Obamacare: we spent a lot of time putting that together, and then it failed, and then 60 days later we had a fantastic system, regardless of where you stand on the issues, as far as technology and where it goes. So our ability to respond is actually very effective. But when you look at cyber security, the challenge you have is what is going on beforehand. We never use the term information sharing, because it's really lost its meaning, and we heard on the previous panel the difference between partnership and collaboration. We talked a lot about collaboration; it's about industry and government coming together before the event happens, to work together to develop the relationships that Scott cites very effectively.
But in a cyber security environment, we haven't taken the time to develop those relationships, to take a page out of the Pentagon playbook to talk about training and engaging senior leaders of industry and government. You look at and you hold others to a high standard. Part of that value is saying, hey, are you doing the basic cyber risk management actions? Are you patching? Are you doing these things that everybody knows you should be doing, if you're part of this group? And I think the groups that Scott's a part of are really role models in this situation. So we have to redefine how we're looking at critical infrastructure, and from a cyber security side, we really need to be looking at what happens before the events, so when the events do happen, we have all of those relationships in place.

I just want to ask one quick follow-up to Kirsten. So the whole concept of critical infrastructure, as we use it within the federal system, goes back to physical attacks against infrastructure back in the 1990s. Should we really be thinking, as we're thinking about cyber or cyber-enabled threats, you mentioned Equifax, the impact on the election systems is also a part of this: do we need to basically be starting over and rethinking the way we classify and look at different types of infrastructure that's susceptible to digital threats?

I do believe so. To your point, the definitions are based on physical attacks. They are not based on what the threats are today. So how do we reframe how we're defining it? It's not to say that we don't need support, and extra support, around those functions that are critical to operations. But you have critical functions that are dependent on noncritical functions. So how do we look at those definitions to honor that? I'll just make a quick point that at the beginning of the commission deliberations, we talked a lot about interdependency.
Like this is about the weakest link: if you can access your critical infrastructure through a baby monitor, because they're all hooked up through the computers, what are we doing to actually look at that? And that gets into the conversation we're all having.

I do want to react a little bit. I couldn't agree more that information sharing has lost all meaning, but with respect to critical infrastructure, I think in some cases we're over-designing what's critical. I like to juxtapose the terms IT versus OT. IT matters, but that is not critical to national security. Attacks on electricity infrastructure, attacks on communications infrastructure, that really is a national and economic security threat. And I think, if we're talking about critical infrastructure, we really have to think about it in terms of operational technology, to think about the impact that can have on the life, health and safety of Americans in their daily lives.

In addition to supporting the federal government on this mission, your company is an owner and operator of critical infrastructure. If you just want to jump in and react to any of this, or just jump in and make a few comments of your own.

There are kind of three key points. First and foremost, leveraging this framework as a consistent set of standards, and shifting toward a risk management aspect. To build on what Kirsten said about the weakest link: in our country, the supplier base varies, whether it be in size, focus, or whatever you might say. So being able to transform that core supplier base to the same set of standards will then enable the ability to share information in a more effective way, because if we don't even have the tools, the technology and the capabilities to accept it, you don't even have a starting point. So that's kind of job one: just establish the core framework and then go from there. Either of you want to react to that?
So, you know, Scott, as you mentioned, the response in Texas, Florida and now Puerto Rico, and the impact on the private sector. DHS is assessing incident response capabilities due to the loss of electricity. Do you have any insight as to where that stands as it pertains to infrastructure and cyber risks? How do we think of these cyber risks on an electric grid, as they relate to man-made or other distributed attacks against the grid?

So maybe this is blasphemous, but I'm kind of threat-agnostic. I don't really care why our systems have an outage, whether it's a cyber attack, a physical attack, a storm, or an act of God; our responsibility at the end is to get the electricity back up and running. Particularly with cyber means, we have all this infrastructure to allow us to be more efficient, to be able to track customer usage, all great, but we operated the grid for the better part of the 20th century without that. And so as we look at the executive order, and its specific focus on the energy grid and energy infrastructure in general, we have been falling back on this wonderful partnership that we enjoy with our sector-specific agency, the Department of Energy. And, you know, one of the things that they have at their disposal came from the end of 2015: the FAST Act gave a grid emergency authority to the Secretary of Energy to declare a grid security emergency and then have some extraordinary capabilities to compel action to get operations back up, with or without digital overlay. One of the things that we did, you know, the question again, going back to sort of the value of CEO leadership, the question came up: are we able to operate the grid today without digital infrastructure? And the answer was "sort of." And that was not a good answer for CEOs, and they said that's not a good answer, we're going to go back to the drawing board, and we have embarked on an initiative. It goes by a couple of great names; one is supplemental operating strategies, or S.O.S.,
or the MacGyver strategies. And we got some very smart engineers together who are working very hard and have actually developed some ideas, so that we are not figuring this out in the midst of the incident, but have some ideas of what we would do in this contingency planning. We have explained that to the Department of Energy; that is going to be part of the FAST Act authority that the Secretary of Energy can use, but the idea would be not to figure out these things in the midst of an incident, but to have a menu of options that the Secretary of Energy could pull from that have already been tested from an engineering standpoint, so that when this extraordinary authority is leveraged for the first time, the solutions are not being tested for the first time. That goes to one of the points Kirsten was making, which is to look left of boom while we are also preparing to be responsive, which is something I agree with, and something we have a century's worth of experience with and do particularly well.

Kirsten, one of the key issues articulated in the cyber commission report last year was the incentive, trying to get the incentive structure right to enable public-private cooperation. And when we have thought about incentives for the past few years, it has been punishing the target when something goes wrong. But are there different ways to think about incentives, not necessarily the punitive after-the-fact things, but how do you begin to ensure the right type of cyber security, basically create a macroeconomics of cyber behavior?

You started to answer with the approach that I was taking, because I do think when we look at incentives, we look at it in a framework that hasn't been effective. We look to Congress, we look to government to penalize. I was asked earlier this week: if we just keep dragging the companies up the Hill and talk about what happened and what went wrong, that's clearly not doing anything. And we talk about tax incentives and business breaks.
But this is not actually getting at the business case or the business model for cyber risk management. We have to be engaging the key stakeholders and doing so in an effective way that makes good business the right answer. I was talking to a CEO of a utility company who was looking at education and awareness, and we talk about cultural change. And he said he runs, every three months, a module for every employee to take on phishing. Let's say they lose access for a week. But as an employee, if you lose your salary for a week, that's a much harder hit to manage. And so that type of incentive structure, where people have the consequences, and we have talked about putting it into performance reviews, that's the cultural piece. And the other issue is, where are the boards of directors on these issues, where are the shareholders, where's shareholder activism? One of the key aspects that got muffled a little bit was when a shareholder institute came around and said these members of the board should be fired because they let this happen, and they put accountability on those individuals. While those directors didn't actually get fired, but the idea that the