Those negotiations. Then there was of publicprivate platform that as you mentioned is important to differentiate. And the n i s directive is of legal act to the members states not directly to this stakeholders but the Member States. It is to establish competent authorities with computer teams that would react. And also establishes the Member States which is very important because we need to remember were working with 28 different systems. It also establishes certain obligations with the definition of the market operator with that Commission Proposal comprised of the internet enablers and critical and infrastructure operators. It is not proposing to limit that definition and the number of entities to the critical of the structure. So those will eventually find a way and we pulled 30 incidents. Again the parliament has proposed a number of seabirds to insure the scope of reporting is clear with knoll in securities as to what needs to be reported. With fact developing those standards and over 200 organizations participate so we have participation from the Member States and Research Academia and industry. The platform is working on the first set of guidelines and it is also a good forum for the International Stakeholders to be involved we have representatives from the European Commission the when you do a targeted meeting to talk about that platform approach with dissever Security Framework but those that hosted a workshop for us and i am happy to say their actions lee would be participating saskatoon give a sense but unless it means something the first of all,. But i think as a trading nation the fact that they traced the post a prospect that. And reach doctors to there we are period maybe tests that. But we dont have a regulatory regulatory approach but that just means empathy from the public greater private partnership. Bet is but you could take two dash urines and one said that takes you through the various. 
That i disagree with what it is said from the last panel id do not believe the likelihood the the attack is related to the size of your corporation more likely to the value of their assets and what you offer. Consequently with the game in the big way. With the industrial structure. And how you get affordable security. And spec that phil will since then. We regard that as being a crucial element and we won to increasingly want to see the private sector on that. We have a set tangent background in the u. K. With a competition and lower debt but it is the mechanism for the recovery from an age right to do it all. But with the stage to create the structures that we need need, and can say cascade the information. But not entirely. So i think we go from awareness to a degree of mobilization. But i think were getting there. With this is the important business in a bowler. You can tell a id think says states are to be at 1. 9 dash but now what the scope with the concerns of National Infrastructure with a certain degree of a standard it necessary. But where we are remains thin disagreement which is also an active business decision and particularly in private individuals that have the right to know when the data is being preached but we are not requiring what inhibits the initial recovery. So lee talks about the complexities of the legal regimes and cultures but you have to manage all of this. When you provided vice about smart cybersecurity policies what are the Lessons Learned from these experiences? There are probably 25 or so developing countries that are fairly deep in the process of developing a national strategy. And most of these are dealing with cybercrime. 
Then we have the rest of the world that while most other countries have recognized a need for a strategy and developing a National Approach was they havent really been able to get out of the box to and this includes other groups around the world like the African Union and how they can go about doing this. One thing that we do see increasingly across the industry is that we have a real and growing interest by every country that we have diplomatic relationship with in discussing cybersecurity cooperation and i just came from a dialog and the government just a few minutes before this. It was the latest example this week of every time we have a bilateral discussion with another country, whether scopes in Political Affairs and security, there is a desire to talk about the role of cybersecurity and development. So there is a huge thing out there. One of the things that we have done is to focus on this and training our diplomats to be able to engage on these issues. Particularly with focus on Economic Development aspects of this. And that includes taking the right approach and advocating in terms of cybersecurity, which is going to be a critical step that needs to be taken today to the point where you can really benefit from all the economic benefits from embracing Digital Society and getting serious about this on the internet to help carry out future development. And it helps in a lot of ways with pieces of this and this includes a whole host of issues, information sharing, liability issues, it would be great if it has a much more comprehensive approach, helping countries warn and a smile but what there are certain countries and there are certain things that we would like to look out for the framework and the u. S. Has a unique experience of getting where we got it and its large government structure and dont try to copy is too much, but you can certainly learn from what weve learned. 
Going through the process of developing this in Civil Society which is really just the foundation of what has to be done in government isnt able to go through that on cybersecurity and other policies. That is good. We would like to talk a little bit about the government to government conversation and also developing policies with documents like the framework. So as we think about moving forward and the next that, what are the right things and where should these conversations take place between government to government. And what are those forms were its really robust industry conversation that should be taking place. We have talked about a little bit of international standards. You guys think about the right ways to continue the dialogue and where should we be looking . To answer your question like that is offered wherein not to start. So that includes not starting there. Dont start with the itu. And that we have a lot of strength and we have an impressive legacy of things that you have around the world and i dont think that that Technology Issues in particular are part of that. I think its pretty far out there where we would be able to contribute from a policy and technical perspective because it is largely part of this. And i think that would be duplicating a nonincludes addressing that issue. And so that is what is safe about this. And i guess it depends on one aspect of this we are talking about. If you talking about product assurance, you know, there are some including this criteria were that issue is addressed as well. And if you talk about the Risk Management and the framework and what it does, it depends upon how will this will affect the framework over time and if that continues to sort of be nurtured or whether it takes a life of its own. Do you have any question on that . I was going to kick it back to angela. 
Certainly, the thought that i would say the framework is inherently even though it was developed as a result of an executive order from the government of the United States, sort of coordinated by this, it is inherent to the International Effort and the substance of the framework is international. So finding the house and the framework that enables it to continue to be that in the substance in its use and it continues to be international and also essential. I cant think of better concluding thoughts than that. Thank you to the participants today and thank you again to the chamber. I think i only missed one of their awareness events and i think you so much. Thank you to the panelists. We appreciate your time. [applause] what we are going to do a 15 minute break. And i would suggest that you just put your things on your chairs so that people can come in and serve the meal and then you can go nextdoor for a little bit and we will rejoin for our keynote speaker Admiral Mike Rogers. [inaudible conversations] more from the cybersecurity summit hosted by the chamber of commerce in a moment. Coming up, mike rogers talks about information sharing and then the governments efforts on combating cyberthreat. We have Dianne Feinstein discussing the ongoing efforts in congress to draft and pass cybersecurity bill. Cyberexperts focus between private Sector Industries thanks to cybersecurity threat. 
Back to the chamber of commerce cybersecurity summit where mark gordon and Admiral Mike Rogers speak about information sharing. This is an hour. Thank you very much. I want to struck by thanking you, the chamber, your proactive leadership is second to none and i think youre doing a Great Service for the Global Community with what you are doing. But i would like to do is provide a private sector view on the importance of information sharing and the obstacles that we face and a call to action for introducing adam rogers. Let me start with something that everyone here can understand, the range of what we can experience is really unprecedented and getting worse by the day, the volume and sophistication of this is only showing signs of acceleration and every published success since we encouraged new entrants and bolder moves. Social activists, and a range of objectives from disruption and intellectual property theft, Financial Crime and destructive intent. Cybercriminal activities in particular have exploded. And while they impact individuals and companies collectively, they represent a potential threat to the country if they continue to build the way that they are building and if they become more frustrated. Imagine the top 10 retailers attacked at the same moment, and the impact on the economy and especially if the capabilities today that are pointed towards financial criminal activity start to turn towards destructive attempt and its a sobering concern for. 
Each of us in the private sector have a range of controls and capabilities in terms of cyberprotection and i estimate we will probably spend more than 2 billion in the u. S. Across the Financial Sector in cyberdefenses from protecting the perimeter to data loss and we will continue to invest in our capabilities. But i would like to use this analogy when i think about information sharing. Of course we ask about when we are under attack and at the same time it is incredibly valuable to know when someone else is under attack or when the adversaries are so hard. And in my view the single best control than any company can have is transparency about what is happening around us and that includes highest value control is information sharing. And it has the best return on investment than any of us can make in the system of cyberprotection. One companys detected moment can become an entire sector defense work cross sector defense and further no one entity can stand alone, not Law Enforcement or the intelligence community, each of us brings a different insight and i really believe that the ability to protect individuals, we have to work together, privacy advocates, Law Enforcement, intelligence, Homeland Security, working together to protect our customers address, Critical Infrastructure in the country, and further while i do believe that information sharing is in the best interest for each of us in our businesses, i also believe that we have a more moral obligation to try to share and unfortunately some companies to look at it that way. But effectively sharing cyberinformation actually is not easy at all and there is a fair amount of information they get shared but it is slow and relationship trustbased and there are a range of obstacles. The first one is for the private sector, that we are simply in many cases unable to share cyberinformation due to legal liabilities. As we have shared in good faith and by acting to cause some harm. And that includes not acting on that. 
Liability from a risk perspective completely stands in the way of Material Information sharing. Theyre just too many and frankly its a bit chaotic and tartly incomplete. And this includes Fusion Centers and company to company, treasury, Homeland Security, all of those occur in some moment or another, they are well appreciated from the private sector but sometimes they are conflicting and other times very inconsistent and almost no information sharing happens real time. And the third obstacle that i would date from the private sector perspective is the government over classifies and will be shared at the secret level is very rarely actionable. And not enough have clearances above this or more of this tends to reside. Bennett yesterday wouldve seen a new watering hole attack that has been out there and we get what is called an indicator of compromise and last night we had an open store context about the new reported and what comes with the open source as factional Intelligence Briefings that. Things we can do something about them thats not relative to what we hear from the government sector. So i will close with a different call to action on the private sector and to support the legislation that is out there and it is the highest roi opportunity in cyberdefense. And one is that there should be Liability Protection for acting and not acting and i think that that that is important to two sides of the coin and the second thing is that i would raise the very clearly information can and will be anonymized and theres no reason not to anonymize it. And also for the private sector if youre not in one of these, and i think that you all know what those are, you should join one. And if youre not coming you should be very act. Theres a very uneven level of contribution across this in terms of information sharing and we need your insights and we contribute actively and i would call upon you to do the same. 
For the public sector, call to action from my perspective is passing the information sharing legislation in all though we need a Better Process to get private sector quinces either to make shared intelligence more actionable and more poorly what we really need is a systematize construct for how information is shared. And coordinated across Homeland Security and intelligence agencies and the private sector. And if in april of this year, i assume the poised post of commander in chief of Central Security service. You have this in your package but to summarize prior to this current post as the cybercommand as the fleet. Since becoming a flag officer in 2007, he has also served for the chiefs of staff and command with over 30 years of service and has extensive experience in intelligence gathering and Information Warfare and i actually met him in 2012 very briefly at a Cybersecurity Conference and west point and the theme of the conference was actually public and private collaboration and the role of each sector in defense of the nation. And my impression of this was formed as we actually sat right next to each other for the morning of that event and i would try to convey this sense that i took away from that short moment and i would tell you that not having have a lot of private sector experience, shes very inquisitive and asked a lot of questions and was a very active listener. He seemed to have an appetite to learn about challenges faced in the private sector and to contemplate the opportunities for collaboration. Also conveying purpose and eight home sense of command. And i think that its committed to public and private partnerships and partnering with the private sector and so pleased that me introduce you to mike rogers. [applause] how is everyone doing today . I apologize, im going to speak while youre eating, but please keep eating. 
We have about 50 minutes or so and what i will do is give you a few thoughts from my purse active and im interested in the exchange of all of you. Im curious to the perspective that you bring to this issue. So why is apple why is he tag to the chamber of commerce and the private sector about the idea of cybersecurity . As you have heard from mark, one of my takeaways in the 10 years that i have been here within the department as that cyber, it is the ultimate team sport. For going to make this work its about creating an integrated team and a set of partnership that would make this a reality. Theres no Single Technology that will enable us to guarantee security of the system. Theres no one single group or entity that has all the answers nor is there one single group capable of executing the solutions that we need to do. And it takes all of us working together. So let me thank the chamber very much and more importantly that over time you have been a part in helping to facilitate. Because this is all about trying to talk to each other. Thank you very much for your kind words so as a Senior Business leader i would like to thank you for your openness to consider partnership for your sense that cybersecurity is of direct impact and concerned to the leadership of corporation and i will play that i can always run it. Whether it is a private company that im talking to, i can tell with organizations have readership and those that do not. And so when you dont have leadership, you are fighting with one hand tied behind your back. It is leaders its up to us to try to drive the change that i think that we need. And traditionally in our nation we have tended to view the private sector in one arena and the government in another and National Security is something that is apart from that in some ways. My argument is that cyberblurs the line between those viewpoints. 
Im viewing it as we face as a nation and i view them as a National Security issue for us and how are we going to address the challenge that is not going to go away. If we think that this is a shortterm phenomenon of short duration or a relatively minor impact over time, i would argue that you have mixed emotions. I would see this extending for significant time and it will have greater and greater impact on us in the corporate sector everyday there are groups and individuals in nationstates and you might ask yourself, what is an admiral during talking to us . A come wearing two different hats, both related and both applicable to this idea of cybersecurity and the first we have three missions. One of which is applicable, the first is defending network, and the second is to generate the cyberforces and the cyberteam of the department is going to use to execute it over time and the third one that really brings me here today as if directed by the president or the secretary, the u. S. Cybercommand is passed with providing protection and support to attacks against critical u. S. Infrastructure. So it will have to be ready if i can order and if theres one thing that you learn in the military, you do not wait until the day of the crisis to suddenly say to yourself i guess you better do some training with each other. And i guess that we better understand what our partners need and what they dont need and what is effective for them and what is not that the. So we are in the midst of working collaboratively in the department of Homeland Security with ourselves and other elements of the government in the sector and in the process of partnering and how we will work the details of how he will exercise and train with each other so that when we are in the middle of that crisis we can really make this work in a timely way. And the second half that i wear is a National Security Agency Getting a lot of attention has to the missions and we have talked with one of those. 
In the cyberarena we use the foreign intelligence capability to attempt to understand what the nationstates and individuals are doing in the cyberarena against the United States and the other initiatives that they also have your is Information Assurance and the nsa is tasked with other Information Assurance missions not only defending the department of defense as well as helping to develop the standards we do with the federal government and increasing increasingly we find ourselves called upon by the dhs to provide capabilities from our cyberexpertise to support the private sector. That is going to increase. You can pick up a newspaper and you can get on your favorite website and you can log on this including what you think is the best sort. And this is not a shortterm phenomenon. And i think that the role that they are playing this role but helps the private sector deal with a legitimate concern. And i think that that is critical and i think that many of you in the private sector director of the fbi in a private life he has the largest Brokerage Firm and i will often ask him when you were a lawyer who working with the board, what was your recommendation . What kind of advice were you given, and he doesnt hide the fact that i would always tell him to be very mindful about the liability that you have to be very careful and if youre not careful potentially we are going to be setting ourselves up for major financial liability. And potentially impact the market share business and we have to help ease the legitimate concerns and a least lease rest them. Because in the end what we have to get through this realtime Automated Machine to machine interface. And we need to clearly define and advance just what information are going to share. And quite frankly it creates problems for us. And anytime they start doing what privacy information we have specific ideas and tight controls. 
So my input is that we do not want privacy that will slow us down, thats absolutely not what the focus of cybersecurity is. What we need to share with each other is i need to be able to provide from the government standpoint what i ought to be able to provide as actionable information that you can use the gives you insight as to what is the mal ware youre going to see and how it will come at you, what are the indicators that you have been looking for in advance that would suggest to you that activity of concern is coming who is coming after you. What i need from all of you is that im not in your system and what you wanted to be. Many donors and what have you done with your System Configuration that works and what does not work. What did you anticipate them what to do not anticipate and collectively between us we need to shared across the entire sector and as you heard mark say, which i agree with, the insides of one can translate to many. That is a great value and we need to come up with a system that enables us to do this in a realtime way. And the only way to do that in my mind with was the legislation that we will be talking about and sitting down and walk into what elements of information youre comfortable sharing and what do you feel you need from us as the government and likewise that like to have the same conversation as you and heres the information and the elements it would help us and heres what we are comfortable with. Rather than im going to classify this in a level that really makes it interesting. Thats not going to help anybody. So we will be working our way through that process and the key to it is going to be dialogue. The sector construct developed over time is very powerful. If you are not engaged in the construct in whatever area of business you are in, i refer to you to consider doing that. It helps us from a governmental standpoint within a particular sector that we can deal at. 
We have tried at times to simultaneously work across the sectors and i will tell you that has proven to be complicated and what is applicable in one area is quite frankly a different sector and its interesting but it doesnt apply to me or im not particularly interested in that and thats not really how we are constructing. The sector piece has been powerful and i think one of the things we need to do is we have to simplify that. So as a part of that we are telling the peers at the senior level that we have created a stroke of structure that its incredibly cumbersome and difficult to understand. But for honest with ourselves. But its not because people are working hard and its not because theyre not motivated do the right thing but because we have tended to do this incrementally over time. And i think we need do it is a fundamental look as to how do we structure the government side in a comprehensive way that makes it easier for you and at the same time it makes it easier for us. Many times i now this information is based upon personal relationships and personal knowledge and limited awareness and i dont know what else is out there. And we have to try simplify that. And so that is one of the areas that we will be working on and what that what i would really like to do is take any questions to try to make some broader point and im much more interested on what is on your mind. Lets have a moderated discussion, we have selected questions earlier. We collected some from the audience and we will go to the audience as well so get your questions ready and we have a microphone will come to you and if you can come to yourself before you ask your question, that would be great. And one of the things we will talk about is how we talk to those bad actors were committing crimes and some of them are really becoming more vocal about the need to actively defend themselves against cyberattacks in the absence of state support. Is this something that they should talk about enact. 
We have a Legal Framework. We have seen five individuals from the nationstate indicted, we have the Legal Framework for how we as a nation address criminal activity areas and i often get asked this question about cybermercenaries. Should we go out in higher individuals to conduct what they call offensive operations to try to stop in the use of tools and nation states and individuals from conduct in attacks against us. And again, that is one thing that is a broader policy issue and we work our way through it. And i would say be very careful about going down that road. The potentially opens you up for a range of complications and if you think you have legal liability concerns sharing in part i can only tell you about the legal implications of this. And so in general i would just urge you to be very careful about going down that road. How do we do attributions with that . That is where partnership becomes very powerful. Because that information sharing between us, based upon our confidence and knowledge about, what are the options available to us in the information sharing and increased knowledge gives us a greater range of options to consider. Another question is talking about definition and we have the different definitions. And does that constitute the use of force in cyberspace and will that be the same for activities in cyberspace and other nations as well . Okay, we have a Legal Definition under the law of this Armed Conflict and thats what is a military act, if you will. We are working our way through a broader policy debate about the extension of those rules to the cyberarena area and we have definitions for what is a defensive responsive action and we have definitions for all of that. And this is a society that we are trying to come to reps with. Please you all of this directed against corporate networks, governmental networks, private individuals. What is the right response and the broader issue is what is the right response to this. 
And what i hope we can conclude is a set of rules where we have a much better deterrence. And if you are a group or an individual, must come to the conclusion that this is incredibly low risk and theres little price to pay for the actions that they are taking. And i believe that most look at but it could be pretty aggressive and that is not in our best interest in the longterm nation to have that and we need to try to change that over time. Folks, if you have a question, raise your hand and we will bring a microphone to you. We have one right over here. Please bring him a microphone. Okay, one of the things that we were talking about this morning was it was mcafee that conducted a survey around the globe and they asked americans who do you fear most and the americans said the chinese and asked everyone around the globe and everyone said americans. Im just wondering what your thoughts were on that. What we have articulated as a nation is like every nation in the world and we used a broad range of tools to better understand the world around us and the Biggest Issue that we have raised and that includes the power of the nationstate to use it as a tool to gain insight into foreign private competition to share with the private sector to gain a competitive advantage because we do not do that in the United States. Many other nations in the world do. Some publicly knowledge it and some do not. We have been eerie vocal but their chinese counterparts that this is a concern to us and its a behavior that is incompatible with the relationship that we want. As we continue to work from a policy perspective and received the legal action we have taken and my only argument would be i certainly understand it and i would only tell you that we are subject to more oversight and rightfully so because it is the way that we are structured. We have more oversight congressionally and legally than most of my counterparts around the world and thats not a complaint. 
It has served as a nation incredibly well. And as a nation we want to be comfortable. Thank you. Im a former Navy Lieutenant and its great to see you. I knew that you are a good man. In the sector i think that we do have a very good ceo led effort going on with the department of energy and Homeland Security and we are focusing on tools and technologies and i think that we have a lot of good information sharing going on until i believe in the latter one, since you are from the military and i think the one thing that we dont do all that while baby in the private sector is the actual exercising of plans. Im wondering if you could give your thoughts about how we might be able to do that morning. And obviously with the participation of our sister agency, its very important as a part of the equation. Im going to do that in two parts. One of the things out here in the power sector and i was just down in san antonio talking about this last week, as a matter of fact. One of the challenges that i think in the power segment what i often hear from Corporate Leaders the need to understand the constraints that we work under and we are a regulated industry to generate income to make some of the changes that we feel that we need to do we have to go to a regulatory body and make an argument. Few of our citizens are interested in increased power rate as a vehicle to address cybersecurity and our regulatory bodies sure this. So my thanks to the power sector within those constraints trying to push this as hard as we can. And i have some real concerns. And i think one of the things that i have said within the department of defense and those that i deal with, is that we have to move from a focus were almost all of the resources the focus from someone penetrating networks to an acknowledgment that there is a likelihood that despite our best efforts we are going to fail and remediation and mitigation starts to become
