comparemela.com

End. We talk about a meteor hitting the earth. This time there is a top of a meteoric destroying the earth. One of Lincoln's friends is certain it is going to happen. Lincoln chides him about it 12 years later. He tries hard to get this job. He fails. It is a good thing. Not counting he is the Republican Party are moving this. He probably never becomes president. He went back to his hotel room. He cannot move. He thought it was the end of his career. As we all know, history has something better in store. He ends up leaving Washington. He went as though something happen. He arrived in Washington in 1847. Today at 7:00 p.m. Eastern.

C-SPAN is live today at the National Governors Association meeting here in Washington, D.C. A discussion about cyber security. Martin O'Malley will be heading the discussion. We would hear from the person in charge of information security from the web site Zappos and the chief security officer for the state of Michigan. You're watching live coverage here on C-SPAN.

[general conversations, inaudible]

Good afternoon. This meeting is called to order. Thank you for joining us. The books were sent to governors in advance and include the agenda and background information. The proceedings are open to the press and all attendees. If you will all please take a moment to ensure that your cell phones and other electronic devices are silenced. I would like to compliment Governor O'Malley. It is a privilege and an honor to serve with you, sir. Before moving on to state and cyber security, we will begin with an executive briefing on the nationwide safety of a broadband network. Last year Congress passed legislation to reallocate the radio spectrum to public safety and provide 7 billion to fund construction of the first interoperable broadband network for public safety. This is intended to modernize communications by giving first responders reliable access to broadband technologies like video and email.
This also established the First Responder Network Authority to oversee the construction and maintenance of the nationwide network. As they continue to develop and construct a nationwide network, the governors will be required to make the decision of whether to move forward or to opt out and construct their own network that meets the requirements for interoperability. Mr. Ginn has worked here for more than four decades. Beginning in 1960 as an engineer with AT&T. He went on to serve as chairman from 1988 to 1984. He is currently a senior adviser at Greenhill and has served on several boards. He will be providing an overview of the conceptual design. We will also discuss how they intend to engage with states to ensure the nationwide network is a success. He's also joined here today by several other members in our audience. Fire Chief Jeff Johnson. New York City deputy chop spoke to the governors about the importance of this meeting. Mr. Ginn, we are pleased to have you here to discuss plans for the network and how states can work together to ensure the success. But after know.

Thank you. It is a real pleasure to be here. I would like to thank NGA, Heather, and her staff and all of the governors who worked on the passing of this legislation. It actually allocated 7 billion so that we can engineer a nationwide network that is interoperable, secure, reliable, and most of all, local control. If you think conceptually about what we're trying to do here, we are trying to put Wi-Fi across your entire state and then you can plug in the capabilities you want and the degree to which you want them and the amount you want them to run your state. It is important to say this. The first question we typically get is this is going to be a nationwide network and we will lose local control and we will not be able to run our own operations. That is that conceptually what we are talking about here. We are architecting a national network.
That is the only way you can get interoperability not only from police to fire to emergency to medical but across state lines. If you send a crew from my home state of Alabama to Colorado to fight a forest fire, you want the instrument they take with them, the communication systems, to be able to work when they get to the Colorado fire. This takes on a new term here. To do this we are going to need your help and your cooperation. We have a significant outreach program that we're putting in place that asks you to appoint a state coordinator. We are going to come out and make a number of visits to your state. It is very important that we understand the facilities that you have and the requirements that you want so we can take those back and feed them into a national architecture. When you think about it, this is the largest telecommunications project in the history of the United States. It is going to cover every square meter of land in the United States. It is going to be able to penetrate the basement of Manhattan and cover the forest fires in Sierra Nevada. We have an enormous challenge before us here to construct this network. You have to be a part of it. You have to make sure that we understand what your boots are and we can construct the system to meet your needs. I need to say a word about the board. I could say it is a wonderful combination of people from public safety and private equity. On the technical side, you can have confidence in our technical capability. We have people that have built wireless systems all across the United States. They have built systems in Spain, Italy, Japan, Korea, and India. And probably a few that I have forgotten. I want you to have confidence that we have the technical expertise to deliver this system to you. What you need to do for us is make sure we understand your needs. Another point I would like to make is one that may be not so obvious. This system is transformational.
You have been pushing for voice transformations. What we are going to do is put a massive data capability right at the public service working level. What that will do is allow you to develop services that will lower the cost, and answer your customers better. Let me give you a simple example of a situation in California that happened a few months ago. It was a fire chief in a restaurant. A person had a heart attack and died in the same restaurant. Had he known about it he felt he may be could have saved a life. He went back to his CPR class and asked civilian volunteers if they would volunteer to let a dispatcher know of the location so that when another call comes in the dispatcher can look up and call the closest person to the heart attack victim and essentially have a better chance of saving their lives. That is a simple application. My prediction to you is that a decade from now you will have thousands of those applications and that it in your public safety experience. It will transform how you've served your citizens, the cost structure, and the service capability. I encourage all of you to work with us, be our partner, help us define the requirements of this system. We know how to architect it. It will be a good job. Thank you, governor, for this opportunity.

Do you have any questions on FirstNet? This was a big win for this organization. Democratic and Republican governors came together with our organizations, law enforcement, and first responders to make sure this was reserved for first responders so we could finally build out an this.

Thank you for this and for the panel you have convened. As I understand, at 7 billion, has that been appropriated or are we using a different spectrum to borrow money to get the 7 billion? Does it cover the cost? Can you give us the time frames? It would be a key component to have a sitting governor on the committee.
I would do the first part. In response to the funding, the legislation that reallocated this, it did so. It is not a new revenue. It is going to be auctions conducted by the Federal Communications Commission. The proceeds will be provided as having been dedicated specifically to fund the nationwide network. There may be additional funds. 7 billion is currently earmarked. They also directed Treasury to loan us 2 billion to get the project started until the auctions came to take place.

Are we selling part of that D block? But what are we taking from this?

It is a totally different section. It is other spectrums that will be auctioned for commercial purposes. In terms of representation, although it is not a bad idea, I appreciate the outreach you're asking for. I think that is your request of us today. How do we stay involved in terms of governors? The board appointments are made by the Department of Commerce. The next time there will be a couple of openings, they are one, two, or three years. This is something that is dependent upon the department of congress. We do not have a current or former governor on that. What we have done is to advocate with the board. They have been happy to work with us. We are on the executive committee for the public safety advisory committee. NGA holds one of the vice chair seats.

Just to follow up, it would be great to have a governor on the board. In terms of timing, what is happening in the next year? Is it a three-year plan? Give me a sense of where this is going, at the timing of the state to present grant requests. Is it half now or half later?

The grants are handled by NTIA. You will be getting funds to organize within your state to communicate. This has been an interesting experience. I am a commercial guy. I am not accustomed to working in the government world. It is an interesting experience. We started out with a board of directors that no employees. And no strategic plan and no management systems, and nothing.
We have been in existence for four or five months now. We're beginning to put those structures in place. We are coming on very nicely. We have the technical expertise to get this done. The other thing I want to mention is conceptually we are a company with a board of directors owned by the government with some independence to build the system. I think that is important. I think you are right. The board of directors are in a position to greatly influence this. We are developing requirements. We have basically architected the system. We know what it will look like and now we need to build in the pieces. We should be able to do that within the first year.

Thank you. Thank you for that. I think there is a lot to this. I think Heather will have to see how we can be actively involved. The expense looks extraordinary to me, especially in Wyoming, which is one of the most rural states in terms of our population and land mass. When we talked about opt in or opt out, when Gov. O'Malley worked on the D block issue, and the concept is very important. The details will be important.

Our objective is to cover you do not hear me say our objective is to cover every square plans. It is 65 or 70.

If you can do that in Wyoming, you're making tracks that have not been made before.

It is going to be a challenge. We may do that by satellite.

Thank you. Any more questions?

Will the state and local authorities have control over this in their state?

That is part of the criteria.

As those this is another part, it because of broadband services will be less than the current ones?

There is no reason why they should not be. The couple of reasons why you probably pay 5x. We will have failed if we do not build this cheaper than you can build it.

As we are building this out, there will still be the expenses that state and local governments have to come with the dollars in order to build up their own. I hope there's some accommodation.
If we are going to control this within the local and state, I hope you'll give us the capacity to give us priority to give us the preempt and allow us to raise 7 at local level so we can invest. Could individual states do that better in negotiation with AT&T or Sprint or Verizon? Could we cut a better deal nationwide? You want to put the savings back into this structure. Which then goes back to the fact we should have a governor on the panel.

Ricoaetna she said Puerto was included. On behalf of my colleagues, territories are included. Thank you.

Lonely are all connected, we will get through these nuances. Anything else? Thank you very much. Thank you for your comment. We should consider sending out another letter. This will be an issue in terms of maximizing the value of this and whether it becomes something that is intercepted by the governments, whether we actually have it so we can achieve interoperability among our first responders.

The next topic which is going to be the balance of this meeting. We're also joined from the governor of Arizona and we thank her for her work on these issues. We have a number of distinguished presenters here who will be talking to us about the cyber security imperative that we face as a nation and as a state. Last month Janet Napolitano warned that a cyber 9/11 could happen at any moment with the potential to cripple our nation's technical bridge. There have been attacks on cyber networks that have increased in frequency, that have increased in their sophistication and have the potential to inflict more serious damage on our serious infrastructure such as our water treatment facilities and so on. Attacks have emerged as one of the nation's greatest threats. It requires all levels of government to work together. All of our state governments are the trustees of sensitive personal information. We control services for citizens, supporting emergency response, supporting private sector partners.
All of these things require a new level of vigilance in this era where people can potentially enter our networks, steal secrets, and also leave back doors and other avenues that we may not have even anticipated in the future. In addition to, I also want to make this other announcement. There is no one-size-fits-all solution. We recently announced the creation of the Resource Center for State Cyber Security. We want to thank our corporate sponsors, IBM, Hewlett-Packard, Symantec. Working with public safety entities in the private sector, it is the hope that this resource center will help examine the roles states can and should be playing to ensure the security of state-based networks as well as keep critical infrastructure that impacts the operations of our states and their economies. It is our hope they will identify best practices. We all like to be the best at doing something second. If someone has figured out how that is like accomplishing the research and development for those of us in state government. We have one other announcement. Tomorrow all governors are invited to a top-secret briefing from 4:00 to 5:00 p.m. It will build on a session today and will provide governors information on the current cyber threat environment and how this threat may affect our states. I want to encourage all governors to participate. It happens between our last meeting and when we are supposed to be at the formal dinner at the White House. I can assure you that anybody who comes in a tuxedo we will keep James Bond jokes to a minimum when you show up. We have a number of experts. I would like to ask Governor Sandoval for any opening remarks he may have on cyber security.

I appreciate the opportunity to give these remarks. Cyber security is attack on the table on a daily basis. It is one of the most pressing issues we face.
In addition to storing data, we rely on these to conduct activities including critical homeland defense in response operations. Improperly coordinated attack can destroy a multiple state agencies are multilevel some of government, preventing this from reaching our citizens. This past October the National Association of the chief information officer sellers bridge officers released a report that the majority of states are not adequately prepared or equipped to combat and respond to sophisticated cyber attacks. According to the report, while states have made progress, shortages of qualified personnel and resources have left states unable to address the growing number or against nature of the attacks they face. Without proper resources in place, states have had difficulty putting procedures in place to effectively respond to a potential breach in their networks. In addition to compromising personal information, mitigating these breaches could further strain on state budgets. Our success in defending our nation against the threat is dependent on our ability to develop a common sense approach to cyber security. We must work together across all levels of government as well as with the private sector to identify best practices and eliminate our vulnerabilities. Just as important, we need to begin preparing now to quickly and effectively respond to it and recover from a weak chip a breach to our daily lives. I look forward to hearing from our panel on how we can better respond to and recover from a cyber incident. It is my hope that our discussion will provide governors with the information they need to engage with our congressional leaders as they continue to develop cyber security legislation. I welcome our speakers and look forward to hearing from me.

We are pleased to have with us our first two speakers. The first is Richard Clarke.
He previously served in the last three presidential administrations as a senior White House adviser including special advisor to the president for cyber security and national coordinator for security and counterterrorism. He also worked for several years in the U.S. Department of State for political military affairs. We also have with us Dan Lohrmann, chief security officer for the state of Michigan. I do believe he is a native of Maryland. He began his career as a computer systems analyst with the National Security Agency and served in a variety of positions in the public and private sector for over 25 years. He served as chief information officer at in 1997 for the Michigan Department of Management and Budget. In October 2011 he was appointed the first security officer by Gov. Rick Snyder. Thank you both. Let's begin with Richard.

Thank you. Thank you for the opportunity. A lot of press has been devoted to this issue of cyber security including the president saying foreign entities had hacked their way into our power grid controls and that they were stealing our industrial secrets. The National Intelligence Estimate which you hear about tomorrow has concluded. We can say this in an open meeting that there is a pandemic of foreign espionage going after our companies, research institutions, throughout the country. Part of the problem with cyber security is it is three different issues. People tended to lump it all together. When you lump it together you cannot solve it. I suggest you start by disaggregating it and realizing it is three different things you are dealing with. One is cyber crime. It is the same as any other type of crime. People steal money by hacking into systems and writing themselves checks. The second phenomenon is espionage. This is not James Bond. It is someone in China hacking their way into a company and stealing any information that company has that is of a value or into a research lab. This is a pandemic. It is a quiet pandemic.
Billions of dollars, 300 billion, it would cost the United States in lost research and development. That means lost jobs. You cannot be an American company and compete against a Chinese company if all the money you pay for research and development they get for nothing. They get all of it for nothing. Whether it is taxpayer money or stockholder money that pays for it, they wait until it is done and they steal it and use it to compete against us. The third issue is cyber war. It does not happen that much. It has been demonstrated that it could happen. Instead of blowing something up with a bomb or missile, you blow it up with a cyber command. It is not science fiction. It has been demonstrated. The United States did it to Iran, blowing up 800 nuclear centrifuges with a cyber command instead of dropping a bomb overhead. We also demonstrated you can do it to electrical generators. You can do it to pipelines. You can do it to trains. You can do it from the safety of your little office in Shanghai or Tehran. Worse than that is that this knowledge is now filtering down below the state actor level to the non-state actor level. We saw 30,000 computers in the Saudi case, 30,000 computers completely wiped clean, all that data gone, not recoverable, in one very quick attack. Three different issues, crime, espionage, war. What is the role of the state? There are five roles the state and hartley has that apply here. One, you are a corporation. You read people's checks. You'll credit card numbers. Just like any corporation, you have to secure that data. Secondly, you are a regulator at the state level. You can regulate the power grid and trains. You can cause them to have higher levels of cyber security than they have now. You are an emergency responder. The gloomy to know what you would do if the emergency was not a hurricane or tornado or something he recognized. What if it was a cyber attack?
Would you know what to do? Have you exercised a cyber attack as you probably exercise a snowstorm? You are a law enforcement organization. At the state level it can help companies that have been hacked that sometimes not all the attention they need from the federal level. You are an educational organization. You run universities and colleges. The big gap is in trained personnel. We created something called Scholarship for Service. If you pledge to work for the government, we will pay for your education. I have a longer list of things you can understand. I have this all on the web site. You need to begin with a strategy. Figure out what you think you mean to do and what you think the role of government should be. Where do you want to go on this issue? Do a gap analysis of what is the difference between where philosophically the state ought to be and where it is now. Do a path of getting from where you think you ought to be in a state strategy from where you are now. A few states have started that. The sharing of best practices is a great idea. Do not rush out and start programs. Begin with a strategy that represents your philosophy about what you think the state ought to do against these three distinct problems, cyber crime, espionage, and cyber war. Thank you.

Thank you. Thank you for the invitation. It is an honor to be invited to speak on this important topic. Let me begin by emphasizing the state of Michigan government faces a barrage of unauthorized attempts to access our systems. We removed over 31,000 pieces of malware from incoming emails. We see it daily in Michigan as every other state in the nation. What can be done? What are we doing now in Michigan? It offers seven actions the governors should take. They go right in line with what Mr. Clarke was just mentioning. Governors must make cyber security a top priority. Gov.
Snyder led the charge by establishing accountability, authority, and visibility of governance. Michigan is centralized by IT. We have now merged into one cohesive program. The chief security officer provides risk management and security associated with assets, property systems, and networks. It also leads the development and the implementation of security strategies from all Michigan technology resources and infrastructure. Each state needs a plan for cyber security. Following this framework, and guidance to be provided, each state must implement a level of defense. Gov. Snyder brought together this across the nation. This lays out a comprehensive strategy and safeguards are in data. Our plan can be seen at michigan.gov. Provide next-generation awareness. In every state employees are our weakest link against cyber attacks. These are the number one cause of breaches. In the past, this quickly became outdated and was a failure. We now covered the training. We call it 2.0. Brief interactive lessons are developed. Feedback has been overwhelmingly positive. Even sharing the information on family members at home. A stafford is sensible training. In 2012, we launched the Michigan Cyber Range. It provides a secure environment for cyber response and the latest in a technical response for the public and private sector. Attacks can come from anywhere and anytime. We can ensure confidentiality ends this. Michigan is in the process of security operations centers and never speak. We are working to develop a report using new metrics. What if there is a major cyber incident in your state? Are you prepared? What if there is a breach? Build a cyber response plan. State governments become very good at responding to natural disasters. The same level of discipline must be applied to cyber incidents. We are developing a cyber plan to map out a clear strategy. States should align these with presidential order. Cyber destruction plants might be disruptive.
All states should be testing the plan to ensure resilience. Michigan is benefited by participating in all global exercises as well as 2012 which focus on its cyber response. We are testing the cyber protocols. Perhaps most importantly we must establish this. This cannot be done on an island or it will fail. We must work together to share information and coordinate a response. Michigan has strong partnerships with the National Response come at the U.S. Department of Homeland Security, at the FBI. The multi-state analysis center. Michigan State Police. This must be a key for each state moving forward. Cyberspace has revolutionized the government. They are doing this for good and evil at the same time. Each state must further protect their investments. I look forward to answering your questions.

Can we break for questions that are a good?

It is a pleasure to make this from a Nevada company that I get to interview. I am glad we have the chief information security of Zappos.com. To his role, he served as chief officer for a leading contract organization where he implemented the security strategy to protect and secure confidential data. Prior, he worked at Equifax where he was instrumental in building the engineering operations and compliance teams. He helped build one of the largest and most important data loss solutions as well as the highly regarded programs. Welcome.

Thank you. Session four heading up this committee. Welcome. I am honored to be here to speak about something I am passionate about. It is nice to hear that a lot of these are similar. We asked to come in here and talk to you about what we do after. We were told that previous comments is spent time on threats. From this conference and happy to do that for you. I'm going to give you a framework for some good questions from those who are responsible for security within your organizations. I want to get a little bit of a framework.
There have been a lot of breaches the last couple of months that are out there. I will spare repeating the names. More importantly we know there are more that do not know they're being attacked today. They have not decided to publicize for whatever reason. I want to focus on a few common things you hear. I have gone through all of the press releases. I want to use it as a frame of what I'm going to talk about. You will hear a statement similar to this. We were victims of a sophisticated attack. We are aware of the attack and are launching a full security practices to make sure we can prevent this in the future. Take a moment to think about those things. I'm going to tell you some facts about the breaches. We can take these lessons and start asking additional questions. Assertions are always been nice. Data tells us that most breaches are the result of unsophisticated attacks. 96% were not highly difficult according to the 2012 data reports. 97% of the breaches were avoidable through a simple or immediate controls. There were no vulnerabilities that people did not catch or provide controls for. It is important as you think about what you are doing. As I discuss it here, it will be about action. Knowing this, one of the key things you should do after a breach, it is not rocket science. It is not a secret. It is almost common sense. It is harder than it seems. What you need to do is follow your response plan and take actions you have already deemed necessary to learn from it. It is that simple. If you do not have them, that is a different story. This is no time to think about what needs to happen. You have to react and think about what needs to be taken care of. Time is precious. You have to understand and contain those particular events. It is not a matter of if but when. When are you going to be attacked? It could be today and you would not even know it. You need to prepare for that.
Companies and organizations seem to have so much time after an event to spend looking at the security programs. Why are they doing it before something happens? The two most important things to focus on during an incident from my experience are communications and execution. You have to keep people informed. You have to enable your teams to go execute what they are supposed to do in order to contain the breach that you had. In order to do that, it makes sense to focus on a few key things. These are questions you should be asking about a data breach or incident that gave confidence in your security program. Here are some key questions. Do you know your environment? Ask how many incidents have been reported this month. Either you do not have the technology to detect the attacks or the people that you have do not know what an attack looks like. Just read the newspapers. All the evidence is there. You are being targeted. Define the roles. Who's in charge of security? Do they know this? Is it really just your CSO or DBA? Or even the data owners out there. It is very dangerous when everybody thinks someone else is responsible. Do you have the right people? We have heard this echoed. People are the greatest asset that we are lacking here. You're not going to do anything without the right talent within your organization. You can have all the greatest technology and processes but if you do not have people who know what to do in the event of incidents, and how often do you test your security measures? Answer is, we really haven't. I'm not talking about desktop exercises. I'm talking about getting something unannounced and going and seeing what you can take from a third party, because you want to see how your team is reacting. You want to understand, are things working, so you can make adjustments before they are too late. And what do you have that others want?
Without understanding that, how do you know what to look for? Only you can answer that question, what is the data you have. Whether it is a straight strategy plans, do you know where it is, do you know who has access to it? You will be surprised of who has access to your data. You have to be able to detect suspicious activity. 94% of companies are told by others they have a breach. They could not even detect it themselves. Someone else let them know about that. Detection is not enough. It is about prevention. The average time a hacker is involved is 416 days before they are detected. Really? You have to ask yourself, how effective are your programs? Don't be fooled by false security. Sometimes I encounter things that people are talking about. We talk about security risk management. I want to make one point on that. Just because you know about a risk and you have accepted it does not mean it goes away. As a security person, I keep it simple. I'm not going to come to you with something complicated. I will say to you, this is the issue. If we do not do anything, the risk will stay the same. Who would sign off on that? It is still there for someone to take advantage of to do harm to you and your organization. The audience here is really important. How do we share data? We heard from the panelists about sharing data. How do we do more than just share data, operate together more effectively? We are duplicating so many things. We are taking resources from each other. How do we work together to manage that better? It is a challenge for other people to go out there and try to figure out, what about shared resources? What is so private about the actual networks that you cannot find trusted partners to share those resources? We do have a shortage in trained resources. That is an area I want to challenge you into. We have great schools and universities. We need to get people excited about security.
Without these components, you would not know who to communicate with and you would not know how to assess the impact of the event. Spend your time now and validate the information you receive from your teams. It seems odd that we have plenty of time and resources to fix issues once a breach happens. Why don't we have that same opportunity before so we can prepare for it? Hope those questions give you a good framework. I look forward to the conversation we will have. Thank you, all. I'm sure the members will have some questions. Let me ask Richard Clarke, in your handout, which was excellent, this has been passed around to everyone, the 12 steps. Number three, you say, receive regular security briefings from cyber security including state employees and contractors responsible for protecting information assets. Regular briefings from the Department of Homeland Security. So much of our ability to set priorities and get people focused on the things we can and must do, and the follow-up, depends on our ability to ask the right questions. What are the things that you would advise those of us that serve as governors to ask for as a template in these briefings so they are not a show and tell, there is an actionable 1, 2, 3? Flowing from that strategy is a plan. With metrics and milestones. There are 12 things or 20 things you want to get accomplished. You know when you want to have them accomplished by. You could get briefed every quarter for half an hour or so on how that progress is being made. There are all sorts of things you can decide are your priorities in this issue area. Education, law enforcement. New ideas, new programs. And then you get briefed every quarter from an advisory board, maybe a government advisory board and an outside government advisory board. Sometimes your employees are not as willing to be frank with you as some of those on the outside. Get briefed on progress on implementing the plan.
What has happened lately, what have the attacks been like lately? If they tell you we have got it under control, fire them. Good point. Questions? Thank you. I came into a situation in my state in which the capacity for even our departments or divisions within departments were utterly incapable of talking to one another. Pardon my 20th-century approach. I actually believe in talking. This had enormous consequences for a system on a fiscal basis. Enormous consequences for our system. We found five files, six files, all separate, all siloed from one another, incapable of cross-referencing. I wanted to change that. We found that we stopped counting after 736 different systems. 736 different methods, techniques, infrastructure. I found three people I cannot fire, because they are the only people who know where to go on eBay to get the parts for the computers they were using, which contained all of the information in certain areas. [laughter] I found somebody who had been using the computer for 36 years and was very smug about it. Not everyone is in as bad a situation. We had no chief information officer. We got a chief information officer to try to put all this together. I give you that preamble because I am thinking to myself that everything I thought I was planning, they come to naught. [laughter] You talk about centralizing. Wouldn't that make me more vulnerable than less vulnerable? If there are 600 different ways of doing things, maybe people will leave us alone. Maybe we ought to do signals or something with Morse code. Is there a danger in getting too sophisticated? My goal is to yank us into the 21st century. But am I setting myself up then for a failure, vis-à-vis cybersecurity? I can start. I think if you bring together your resources the chief information said, let me explain what is happening. We published the hotel peru and. Where are we being attacked? Why are we being attacked?
You have a reduced number of pipes so you can watch those pipes. The Department of Homeland Security has a similar process that is happening in the federal government. There is a large number of tools. The question is, are you going to have 20, 30, 50, 800, whatever number of security groups not communicating with each other? As you heard from David and others and also Richard Clarke, there is a shortage of qualified staff. Bringing them together, I think we have shown in Michigan, not to say we have had no problems, I believe you can be more effective. It has been shown by and large in industry and other states as well to be more efficient, better use of taxpayer dollars and overall better security program. Maybe it's my lack of sophistication in this. By centralizing everything, I thought I was making everything more efficient. But am I making it easier for people to get into our systems, or not? As Dan said, you're making it potentially easier but also potentially easier for you to defend it. You have limited resources, limited trained people. Rather than having 12 state departments or agencies or however many you have all try to do this, you know they cannot all do it, have one organization at the state level that is the chief information security officer for the state. Have one operations center for this kind of thing. And maybe have one cloud operation. You can actually make things more secure in the cloud if you do it right. That is counterintuitive to some of us, the cloud. It is an extension of this observation. Rather than trying to secure a bunch of different physical locations, you put it in the cloud and the cloud can exist in multiple locations if you do it properly. You do not put everything in one data center in one place. You have two data centers in two different states. Everyone who is involved in security is looking at that one target. It is easier to try to defend than try to defend hundreds.
Being one of the older people in the room and having used that system, I would say if you still have that working, keep it. Nobody knows how to attack it. [laughter] That is what I got told. They came in and said, we have three in full girl three e employees. When I came into office two years ago, I started trying to prepare my budget and I found out all of our state agencies, we had 76 different computer software programs. I was trying to match apples and oranges and figure out what the agencies need. We brought them all together, started combining the information like Governor Abercrombie has been talking about. We have a saying in Oklahoma that we are running our technology on an eight-track technology in an iPod world. We were running off old technology when we needed to come up together. We have a backup separate system to i. If I ask, how do I make sure it is secure, you mentioned something about resource kits that you did in Michigan. What are you referring to? Sure. You can go online and see those. The efforts in Michigan have not just been about state employees. It is also looking at the schools, looking at universities, looking at how we can work across public and private entities and coordinating. Clearly the private sector has their own independent authority. Whether it is the family, the home, the school, small business, what are checklists they can use, or helpful tools they can use, and actions they can take to protect their individual entity, school, business, whatever. When we brought all those services together and had our chief information officer in charge of all these different agencies and branches and their I.T. functions, we were able to save 86 million in I.T. costs in the state of Oklahoma. What do you believe is the most significant cybersecurity threat facing the states?
I think I would distinguish between the most significant threat and the most likely. The most significant threat would be an attack by either a state government like China or Iran, or a nonstate actor, like Hezbollah, that took down the power grid. Or cause pipelines to blow up or cause trains to derail. The emergency response that you do for those kinds of things is similar to hurricanes. There are some distinct differences. I think knowing what you would do and exercising it is very important. Knowing what authorities you have in those situations, and knowing who the right people are, and who to call them and what they will do. That is the most significant threat. The most likely threat is happening every day, and that is people are hacking into your networks and writing themselves checks and stealing you blind, and you don't know it. Would you care to comment on that question, gentlemen? I would agree, and to the folks out there, think about your infrastructure. You are always going to see a computer terminal somewhere. Everything that is out there is susceptible to attacks. The only way you're not going to be successful is having it disconnected. Even that is not 100 percent. Attacks come through other means, unfortunately. It is anything that can stop all your critical operations. It would be highly detrimental to any government out there. I like the way Richard framed it, they are taking whatever you have that is valuable. It is happening right now. Whether it is enough information to do identity theft, whether it is enough information to understand how you award bids and then manipulate that system, anything out there that is critical and secret to yourself. If it is connecting and you are not protecting it, you don't even know how someone would use that information against you. It is happening right now. At the same time that all of us are trying to do more of our services online, and facilitate consumer transactions online.
As the head of a state network, who are the people you in the federal government to help you with the exercises? Are there resources we can call on as governors to help us do a better job of protecting our networks and information? Absolutely. We work with the Department of Homeland Security very closely. We also work with the multistate ISAC. This is daily, we are talking to them, ongoing operations. Describe for us what the ISACs are. In the case of state governments, there is a multistate ISAC that works with the 50 state governments. There are sector-specific plans for each individual. For the water sector, for transportation, you can go to DHS board, the national infrastructure plan, and that lays out the sector-specific plans for each individual critical infrastructure sector. We work with the FBI, criminal justice organizations, Department of Justice as well. Has anyone offered a regimen of training exercises and drills that are useful and valuable, or is that something we are still working to create? I know after the attacks of 9/11 there were a lot of people rolling out drills and exercises. Some of them were so expensive, none of us running cities could afford to do them without a huge amount of federal help. When we were one of the lucky winners that would be supported, we came late and said, that was a lot of time. I'm not sure how much more we learn from that than from a tabletop. I would think in this sphere that there should be a way to do this in both a cost-effective way and also in a way where you truly do learn something without it costing you a small fortune as a state. I agree. The Cyber Storm exercises did exactly that, across state lines. They also work with other countries, allies around the world. In addition, I know the National Exercise 2012, they are out there. There are exercises.
I would agree with you that states should really take advantage of those opportunities to test their systems. Richard? You can also apply for FEMA grants. While there is still FEMA money left [laughter] you might want to think about applying for that. It is expensive to do the big field exercises, but it costs almost nothing to do a tabletop exercise. While they are not as valuable, they can be very valuable for you in learning who does what and what capabilities. What about our National Guard? That would be a great reservoir of expertise. Have you found that is helpful in Michigan? Absolutely. We work very closely with our Michigan National Guard, working tabletop events with them, scenarios. Would you say that most all of our National Guards have some cyber capacity? It varies around the country, but I certainly believe that is being built up and I think it is the way of the future. It is an opportunity for all of the states to look at beefing up their capability in that area. That would be a way to institutionalize it. With the National Guard, it is always there for you to call upon. Governor Sandoval? Thank you. The question was asked, what is the most likely vulnerability. Don't share it on television. [laughter] I do all the time. When you ask what is the most likely vulnerability, it is almost like, where do I begin? All of your databases can be breached. Anything in your databases, any information. Social Security numbers, credit card numbers, any records that you have. The ability to hack in and write checks, make yourself an account payable and get paid, the FBI has discovered a number of cases like that where small corporations have discovered they were writing checks to people who were actually in the Ukraine. The check does not go immediately to the Ukraine. It goes to a local bank account and then hops several times. The most likely is cyber crime, identity theft, and monetary theft. That is happening all the time.
The president said in the State of the Union address something we have known for a while that has been secret, that foreign entities are now in the control grids, have hacked their way in, water systems and other critical utilities. You have the power to regulate at the state level. Sometimes better than the federal government does when it comes to utilities. You could establish cyber regulations for electric power, for example, that would make an even playing field for all of the companies so there would not be a case of one company having to spend more money to achieve security. Everybody would have to do it within your state. I think if you have the power and the federal government doesn't to regulate your utilities, you ought to do it. Employees clicking on links. Phishing attempts, spear phishing, an email that looks so friendly from a bank or a government focus, and they click on that and then it creates identity theft, people send in their credentials. That is going on in every one of our states right now. Which then dials up the importance of the training. There has been a shift over the last 10 years and most of the attacks are now coming through individuals in these phishing incidents, rather than the old method, which was to have it directly at the mainframe. You have to think of it in terms of whatever vulnerability is easiest. That happens to be people. Where are you getting security awareness training? Where are you learning about these types of things? If you study attacks, because of the way technology is, they are mass using systems. They are getting independent people's systems contaminated. We have to do something about educating folks on security so they do not participate in that. Well it is not difficult, it is getting harder at the corporate level. We are getting better.
Just as we insist people show up for work, we need to start insisting that people get this training on a regular basis. Anybody that uses a computer in our state government. We require police officers periodically have to make sure they qualify at the range. What is it, 86 percent of them are now coming at individuals who click on these innocuous emails. That is where 86 percent of the attacks are coming through. I would think that all of us need to adopt policies that insist that our employees get the training regularly so they do not do that. There is technology that will train them for that. We had training in the past. Quite frankly, Michigan failed earlier miserably in this area because our employees thought it was a waste of time. Gentlemen, thank you. I want to add one thing. There is a dirty little secret about security, and it is the nonsexy part. The reason that there are vulnerabilities is because people are not doing their jobs. If the vulnerabilities are there and we know about it, why aren't they getting fixed? It is not hard. It is time-consuming. It takes effort. It goes back to execution. You have got to be doing things. Are you talking about individual users? Systems that they take advantage of. If you're a system administrator, there are patches. We need to wrap up. It occurred to me, virtually everything you have been saying to this point was somebody outside coming in. One of the things I discovered very recently, I'm sorry to say, is people who are already inside, state employees. You mentioned vulnerabilities of privacy and Social Security. People looking people up. Let's see Richard Clarke's tax returns or something like that. Let's find out how he's really doing. We are going to get him. [laughter]
