Viewers this morning. My name is Frank Cilluffo. I direct your center for ... I'm really excited for what will be a rich and long day covering a whole host of issues that our center zeros in on, ranging from counterterrorism to homeland security to cyber to, obviously, the integration between federal, state, and local and, obviously, with the integration between the public and the private sector, as well as some of the international issues. Couldn't think of a better time to host this than, Sunday was the fifth year of our successful raid of Osama bin Laden in Abbottabad in Pakistan, and obviously serves as a good time to sort of take stock in terms of where we are, how the threat has changed and what sorts of capabilities and capacities we need to be able to get ahead of the curve. Our conference is titled Securing Our Future, and it is meant to be a strategic set of issues that looks across our various portfolio issues. Let me ask everyone to please put their phones in quiet mode and, when you do have questions, please identify yourself and allow time for a mic to find you. I am going to very quickly introduce one of our board members, Mike Balboni, who will moderate the first session this morning with the Deputy Secretary of DHS Mayorkas. Mike Balboni is a longtime friend, co-conspirator on a whole host of issues. He serves on our board and, more importantly, has served in numerous roles related to homeland security, including the homeland security adviser to two different governors in the state of New York, a former state senator in New York who really picked up and advanced a lot of the homeland security issues from the state assembly. He also resides from my hometown, Long Island. He represented Long Island. As you can see, I am wearing my Islanders colors today. So go Islanders tonight. But without further ado let me introduce Mike Balboni, who is CEO of Redland Strategies. You see him a lot on our TV screens throughout the country. And Mike, the floor is yours. Thank you.
[ applause ] Good morning, ladies and gentlemen. I don't know if you share my sense of enthusiasm, but it's great when you come from the hinterlands of the state and come to Washington, D.C., and get a chance to interact with the people who are decision makers behind the scenes. You don't normally always get a chance to see them. And that's our opportunity this morning. Alan Mayorkas is a very distinguished individual that you may not really have spent a lot of time focusing on. Yet, in 1998 he was appointed by then President Clinton to be one of the youngest U.S. attorneys out of Central California. Then he went to the private sector and, when he went there, the National Law Journal called him one of 50 most influential attorneys in the nation. And of course, the president, Obama, put him into DHS for Citizenship and Immigration Services, where he oversaw an organization of 18,000 individuals and a 3 billion budget. Then he took the big step. In 2013 President Obama then said you become the deputy secretary for DHS. Now he runs an agency, as we all know, 60 billion, 240,000 employees, and he is the number two for this incredibly vast enterprise that has so many of the issues that relate to so much of our personal lives. So without further ado, Deputy Secretary Mayorkas.
[ applause ] Thank you. Thank you very much. Good morning, everyone. And I very much appreciate the opportunity to share some thoughts with you. I thought this morning I would really focus my comments on cybersecurity in particular, one of our greatest priorities and one of the greatest national security imperatives that we face. One year ago today, as a matter of fact, one year ago, two men wearing body armor, carrying assault rifles, handguns and 1,500 rounds of ammunition stepped out of a vehicle and started shooting at the Curtis Culwell Center in Garland, Texas. They did not achieve their objective.
They were thwarted by valiant and brave law enforcement officers who were ready for the attack. One of those valiant officers was shot in the ankle, was able to recover in a local hospital, but no one died. The Curtis Culwell Center was targeted because they had exhibited a cartoon show with respect to the Prophet Mohammad in protest of the tragic Charlie Hebdo assault that had occurred a month earlier in Paris, France. The attack was essentially thwarted successfully because of the fact, in part, that the intelligence community had shared information with local law enforcement with respect to anticipated attacks on the center, and the prospect of just such an event. And we, in this country, are quite mature and evolved in the sharing of information in the counterterrorism arena. Not only within the intelligence community, the federal intelligence community, but very importantly and critically with our first responders. Through a network of fusion centers and other mechanisms we share information in as real-time as possible with state and local tribal law enforcement so that those individuals are equipped to protect the public whom they serve. That level of evolution and maturity does not yet exist in the realm of cybersecurity. And yet, it is no less a security imperative. In fact, there is something unique about the cybersecurity realm that really underscores how imperative the sharing of information is in this realm. And that is the ease and accessibility of replication of harm and the replication of an attack. When I was a federal prosecutor and handled, at the outset of my career I handled bank robberies. I remember seeing bank robbers who hit one bank and moved on to another. And the ability to execute their particular modus operandi and replicate in one institution the harm that they had sought to inflict in another was actually quite difficult and usually unsuccessful.
Here in the cybersecurity realm, as we all know all too well, it is just a click of a button away. When one hits one institution, whether it be ransomware or whatever harm one seeks to inflict, one can easily hit another institution in a matter of seconds if not simultaneously. That calls for the sharing of information in a way that is rather unprecedented in the law enforcement arena. Very often in an investigation information is not shared because, number one, the investigation may be conducted in the context of a grand jury. But more importantly, the investigation is seeking to identify the perpetrator and achieve accountability. In a cybersecurity realm, the perpetrator may be an ocean away, may be inaccessible to law enforcement, and actually apprehending the perpetrator may not necessarily be as important as ensuring that the victimization is in fact not replicated elsewhere. And so, the paradigm that we are seeking to establish in the cybersecurity realm is a much more open and sharing of information paradigm than otherwise exists in the traditional enforcement and security arenas. What we are seeking to accomplish in the Department of Homeland Security and across the administration is to treat the cyber threat indicator itself, this unique indicator of the perpetrator, to share that, to no longer consider it a commodity for profit but, rather, to share it as a public good. So that, if in fact one institution is harmed, we share the information as to the nature of the vulnerability and, more specifically, the nature of the exploitation, and enable others who may share that vulnerability to patch the vulnerability and protect themselves from suffering the very same harm. Right now we have a number of obstacles in achieving that information-sharing paradigm to which we aspire. It is, I'm not worried about the obstacle of undercutting profit because we know very well that in the cybersecurity realm there are many avenues.
In fact, they're exploding in growth and number, many avenues of making a profit. And the cyber threat indicator, the profit makers do not need to rely upon. But rather, there are different obstacles. Number one, I think there is a general sense of distrust between the technology community and government writ large. There is certainly a residue of distrust in the post-Snowden environment. And that residue, quite frankly, has been built upon or sharpened a bit, quite frankly, in the dialogue around encryption and the sometimes polarizing nature of that debate. And we have to work through our disagreements. We have to work through the distinct policy positions around critical and important issues and find a level of trust that allows us to protect one another and, therefore, collectively to protect the nation as a whole, number one. Number two, there is a skepticism in the private sector as to what is in it for us. We will share information with the government, but what will we receive in return? Will we, in fact, only be the subject of an investigation, whether our cybersecurity protocols within our institution are adequate to protect our customers, our shareholders, our clients, our students, our patients, whatever the nature of the duty is? Will we become the subject of investigation, or otherwise will it just be a one-way stream of sharing of information? And what we are building in the Department of Homeland Security is a mechanism of, frankly, mutual benefit. Our intention in receiving information from the private sector, stripped of personally identifiable information, so that we safeguard an individual or an institution's privacy interests. We are unique in the Department of Homeland Security as having a statutorily created office of privacy and a statutorily created office of civil rights and civil liberties. But we will take that information and we will disseminate it.
We will disseminate it in automated form, in real time, not only across the government but, frankly, throughout the private sector to the information sharing and analysis organizations that the president created in his November 2014 executive order. And the idea is, if that one institution shares with us information that other institutions may not be privy to, we will publish that information in a form that is useful from a cybersecurity perspective and not imposing, unduly imposing, from a privacy perspective throughout the participating private sector entities so that they can understand what the harm suffered was, how it was achieved, and protect themselves from suffering the very same harm. The sharing of information in the counterterrorism space took time. It took time for the government to develop the mechanisms of sharing and to develop the muscle memory, to overcome, to some extent, provincialism that existed, stovepiping, but we are in a place now that is far, far stronger and far, far better than when we, the way we were in 2001. We do not have the luxury of time in the cybersecurity arena to develop institutional mechanisms, to develop a culture of information sharing and to build the muscle memory that we now enjoy in the counterterrorism space. The cybersecurity realm, as we all know, is fast evolving. It is exploding. Dr. Eviatar Matania, the head of Israel's National Cyber Bureau, described cyberspace as the third revolution. There was the agriculture revolution, the industrial revolution, and now there is the cyber revolution. There are more devices connected to the internet than there are people on the planet. And things are moving fast. And we need to move fast as well. Not only as a government. We need to be far, far better in our ability to innovate than we are currently, and we're making strides in that regard. But we have to be better as a community. And by that I mean as a public-private community together, in battling the threat of cybersecurity.
We believe in the Department of Homeland Security that we are uniquely situated to be the point of the spear in building that community, that community of sharing of information and a cohesive response to attacks that can hit one or all of us together. We have been the beneficiary of critical legislation this past year that affords the sharer of information liability protection. We are a civilian agency, civilian department, though we have law enforcement components. We are civilian in nature and, as I alluded to earlier, we have unique protections that afford the interests of the dissemination of information and the privacy in civil rights and civil liberties arena. We are working within the administration to publish critical documents to guide the private sector in the sharing of information. We look forward to rolling those out in the near future. We are enhancing our efforts not just domestically but certainly internationally. Our office of science and technology just entered into an agreement in principle with the government of South Korea. Our office of science and technology has just entered into agreement with the government of Israel to pool funding for research and development in the cybersecurity realm. This is a matter where the community is not only a public-private partnership domestically but a public-to-public and a public-private partnership around the world. I returned recently from Berlin and the United Kingdom, where I participated in the biannual dialogue with our key partners in the national security space. And front and center in those dialogues was the subject of cybersecurity. Of course, encryption arose, but the sharing of information and the development of institutional responses to a harm that we are all exposed to was uppermost in our minds and uppermost in our discussions.
And so I hope that we will be able to work together to build a cybersecurity infrastructure that parallels the success that we enjoy and that we execute in the counterterrorism and broader national security structure, and I appreciate your time and I look forward to fielding your questions in the minutes ahead. Thank you very much.
[ applause ] Permit me, if I may, deputy secretary, to pose two questions. And then open it to the audience for questions themselves. So let me switch to the counterterrorism perspective. So post Paris and Brussels, what has become very evident is that there have been enclaves of isolated communities within those, throughout Europe really, but specifically in Brussels, that have permitted the radicalization on a community basis of some members, certainly the ability to move in and out of these communities themselves. Given the level of rhetoric in this campaign and the concern that we've seen growing throughout Europe, what is it that we can do from the Department of Homeland Security's perspective to counter the narrative of radicalization?
Let me say that I appreciate that's the question. It's a very important priority of ours. The countering violent extremism mission. Last year we were very focused on the foreign fighter phenomenon. The phenomenon of individuals leaving the United States, traveling to conflict zones, Syria most notably, and the concern that they became or already were radicalized with the intent of returning to the United States to do us harm. That, of course, remains a concern of ours, but increasingly we are concerned about the homegrown radicalized violent extremist.
And we had an effort that was under the rubric of countering violent extremism, but we rebranded that effort very importantly and created the Office for Community Partnerships, because ultimately, ultimately the owners of that effort must be the local communities themselves, to be able to identify individuals who are on the path to radicalization and to intervene in that path. We, in the federal government, can facilitate and equip them to address this phenomenon. The director, James Comey, has spoken on a number of occasions publicly about the fact that there are approximately 1,000 individuals under investigation in the United States now. There are individuals in every single state of our union who are under investigation. And they may very well not have travelled to an area of conflict, but instead become radicalized in their own communities. We were given funding by Congress to equip local and state and tribal law enforcement and community organizations, whether they be nonprofit, religious or other types of organizations, to build the lines of communication and to build the apparatus to reach those individuals, their families, their friends, and equip them with the tools to intervene. We are also, of course, involved in transmitting the counternarrative. And the one thing that, or at least one characteristic that really distinguishes ISIL in the radicalizing effort is their very sophisticated use of social media. And we, in turn, are using social media to reach the very same individuals, to ensure that the messages that they need to receive in order to thwart their path to radicalization is in fact communicated. So this is a community-based effort that we in the federal government very much support, facilitate and equip.
I appreciate very much your remarks on the efforts in the department for cybersecurity.
And one of the things that is so daunting to the private sector is this array of stovepipe regulation, for the FCC, HIPAA, all sorts of real hard penalties associated with that. Yet, when you go to the federal government writ large there is no law that tells you how to be cyber secure. It's one of the things that a lot of companies really struggle with. If you could speak to the private sector for a second. What is going to get the cybersecurity moving at the private level? What are the things? Is it a carrot, is it a stick, the sharing of information? What do you think is the right recipe to engage? Because, as you know, the private sector has 80 of the cyber assets. So how do we truly engage in a national dialogue with the private sector to make them more and more cyber secure?
So, there is not a single standard for cybersecurity. In other words, this is the standard of care to which you must adhere, and if you fall below that you may be exposed to liability, and if you satisfy that standard you are safe from liability. And there isn't that standard because of the dynamism of the environment and how quickly that standard, quite frankly, would move. And the opponents articulate that. The standard of care may suit the current environment, but the day after tomorrow it may be obsolete because we have learned so much. What we have done in the federal government is actually developed the NIST framework that resides in the Department of Commerce, which communicates the criteria that a private sector institution should look to in developing its cybersecurity ecosystem. And so if you're a big company, if you're a medium company, if you're a small company, depending on the nature of the jewels that you carry as an institution, you look to the NIST framework to understand the analytic architecture that you should follow in building your cybersecurity.
I will say this, and this is my personal opinion as a participant in this arena but also very much a student in this arena. When I was a prosecutor, federal prosecutor, the standard of care was quite evident. And we did not pursue accountability as a means of defining the standard of care. Because in the criminal arena that would be terribly unjust. I will say, in this space I do see federal lawsuits against companies for deficient cybersecurity, and I'm not sure that all of those lawsuits are just, given the fact that we have a lack of clarity of what is really due care, standard of care. There are cases where the deficiencies are readily apparent. They are patent and, quite frankly, the protocols are irresponsible. But if one doesn't have that, frankly, level of a lack of care, it starts, to me, to get very difficult to hold companies responsible. And I worry about the use of a stick to build a cybersecurity ecosystem rather than a means of communication and the provision of tools to develop it.
Thank you very much. We'll open it to the audience for questions. If you want to ask a question, please raise your hand and we'll get you a microphone. Down here in front, please. Please identify yourself, if you would.
Hi. Hi. Rick Weber at Inside Cybersecurity. Deputy secretary, you mentioned critical documents that you are working on within the administration, in the near future you'll be publishing them. Are they on sharing within the government or the private sector, and how will they relate to liability relief under the cybersecurity law?
So with respect to the question of liability, we already in the Department of Homeland Security published a number of documents, and we, of course, I think, owe to the public additional education materials.
I think that the documents that we are working on, and not to get too far out in front of the administration, and I probably already have achieved that, but I think it really speaks to how we are organized within the government and how we will use our resources in the best service of the public interest. We have heard from the private sector, who are we supposed to call if in fact we suffer a cyber event? We, of course, want to provide clarity in response to that question, and in an ever-increasing arena of change, we also have to be well organized and well coordinated within the federal government and within its institutions and our respective roles and responsibilities. And it is on that latter point, I think, that we are focused.
Up front.
Allen Day, retired CIA. Was there anything in the 215 data that, had it been pursued, could have been used to head off the San Bernardino attacks?
So that's a question that pertains to an ongoing investigation and an ongoing prosecution, so I will refrain from answering that question. And as a former CIA official, you should well understand my response.
Next. In the middle here.
Rich Cooper, Catalyst Partners and a senior fellow with the GW center. Have you been having conversations, you talked about engaging with the private sector. Have you been talking with insurance companies as to lessons learned, insights that they have? Insurance companies seem to be a great arbiter of changing behaviors in lots of ways. Curious what insights and dialogue you've had.
So that's a great question and a great point. The allocation of risk is a phenomenal driver of behavior. We do dialogue considerably with the insurance industry. Most importantly, to impart information so that we share what we know with industry so that they are equipped to understand, really, the dynamics that we face, not in terms of schooling, how they choose to allocate risks and build their models.
But I do think that the insurance industry will be one of the key drivers of cybersecurity standards.
In the back. She's coming.
Kim Quarrels. Further to the point on insurance. There are insurance products available, to your point, undersecretary, of educating the private sector to coordinate with the insurance industry, there are products where notification becomes an element of what they are required to do. And if that sharing does occur, the notification process becomes part of the incident process and the incident response.
Yes. And that's why I do think the, the maturation of the insurance industry in the cybersecurity realm will help drive behavior, and I think it will help define the standards of care that are somewhat elusive now and seem to be developing through the crucible of the courtroom rather than the policymaking rooms.
Yes. Down here in front.
I'm from New Jersey, so I can really speak out loud. I won't. Cindy Faith, Deloitte. Undersecretary, I'm interested in your vision with regard to the information sharing, automated information sharing program from DHS, which is sort of a machine-to-machine level of IOCs, and sort of how you see small and medium-sized businesses being able to benefit from that given the fact that there's a level of infrastructure and maturity needed to ingest this at the machine speed.
So great question. So just for everyone's awareness, we committed to developing an automated information-sharing structure where we can receive the cyber threat indicators in a particular format, a STIX and TAXII format, in automated form. And in near real time, essentially strip it of the personally identifiable information that of course carries with it very important privacy interests that are not germane or material to the cybersecurity goal, and then to disseminate information in automated form throughout the private sector, something to which I alluded in my opening remarks.
We have, in fact, built on schedule the first level of that automated information-sharing protocol. We have 24 companies already participating in it, and one of the questions is, as I understand your question, how do we build it so that we achieve accessibility for all, not just the big institutions that can afford the investment. And that is something that we are building towards and don't have just yet. And it's, it's very new. And so we are working on it as a top priority. And this is one of the areas in which we need to innovate. Quite frankly. We are hoping, as a government, to move from a Flintstonian model of development to a Jetsonian model of development. And for all of you who don't know, that is a literary reference. I'll give you a perfect example. The notion of embarking upon a ten-year contract for the development of a product which, by the time we roll it out, is obsolete, has to really disappear, and we are now increasingly using the agile method of development, the waterfall development, the waterfall method of development, where we move in six-month or even shorter sprints and produce product in that way. We've brought in, and this is really the president's leadership, digital services, people from companies like Deloitte, other very cutting-edge companies, to really bring the most cutting-edge development models and thinking to the way we not only acquire but execute on contracts. So building the automated information-sharing framework for the otherwise disenfranchised is something that we are very focused on.
Up front.
John Gardeniere, GW alumnus and former naval intelligence officer. Following up on your last answer, sir, I wonder to what extent you could address the topic of red teaming, and particularly outside the intelligence community of the government. To what extent can you use the dedicated hacker community or fraternity in some ways to help you understand and counter vulnerabilities?
Let me share with you an experience that I had that brought your question into my life. I was, into my life as a deputy secretary. I was speaking at DEF CON last year, which is a conference of hackers in Las Vegas, Nevada. And there are about 20,000 attendees in the conference, and I spoke to a group of maybe about 700 or so, and I was, actually the focus of my remarks was on the issue of distrust and how to bridge the divide. And I was not permitted to bring my personal or work phones into the hotel, whether on or off, for fear that they would be hacked. And I actually mentioned that at the outset of my remarks and told the group of people that I had brought a phone with me and that if anyone made it ring during my remarks I would pay them 1,000. This was at the outset of my remarks, and all of a sudden everyone is opening their backpacks and their briefcases and they're pulling out equipment and working on things. It was rather stunning. They learned a few minutes later that I had brought with me a Motorola flip phone from the '70s, so I was, I was secure in my inability to afford paying anyone 1,000. But I said, you know what we need to do? In the course of my remarks, I said, you know what we need to do? We need to actually bring some of you into the government, not just from a red-teaming perspective, which frankly we do already. We do, and the Department of Defense does as well. And Secretary Carter spoke of that publicly. But also so that they understand, they understand what we do, how we do it, and why we do it. You know, it's very easy to, to distrust from afar, but if you are sitting next to somebody and you actually observe them and the intentions of their efforts and the policies behind their efforts and, in my humble opinion, the nobility of their efforts in government service, that's the best way to eliminate the distrust. And so we red team in the Department of Homeland Security.
There are red teams outside the Department of Homeland Security, specifically in the cyber space. I think bringing in that community actually has other collateral benefits to which I refer.
Down front, please.
We red team internally as well, by the way.
Deputy secretary, Fred Rosa with Johns Hopkins University and also senior fellow here at the GW center. Would you take a moment to comment on your sense for the maturity of the department's risk assessment process, particularly with respect to, obviously there is a wide, scary dynamic threat spectrum much different than we have had in the past, and there is a day-to-day necessity to make decisions about establishing programs, allocating resources and so on, and they need to be risk driven. Would you offer your perspective on that, please?
So that's a very, very good question. I would say, I would answer it in this way, in all candor. I think that we are more mature in our ability to assess risk with scientific rigor in some areas more than in others. And let me, let me give, as an example, the, let me harken back to the question that you posed with respect to extremism. The radicalizing of individuals in the United States. In my visit in the U.K., they have a very sophisticated architecture of intervention and developing and disseminating the counternarrative. And it is empirically based. They have analyzed the risk, and the underpinnings of their efforts are scientifically based. I think that our development of that scientific foundation is not quite as mature, and we are working on it. Frankly, our office of science and technology has funded incredibly important research projects, but we need to do a better job of integrating those research projects into our operational workings. And so I would say it depends in what area of our vast mission one is speaking of. We're better in some areas than others.
We're very, we're very mature in the border security arena, something that we have been very dedicated, quite dedicated to and, frankly, countering violent extremism is a relatively, relatively new phenomenon as compared to, for example, a border security.
So with that I believe we have concluded this part of the session. Deputy secretary, thank you very much for your remarks.
Thank you. Thank you all very much. Continue with the mission. Thank you.
[ applause ] [ room noise ]
Well, thank you. And now we're going to move into our panel on public-private sector coordination on cybersecurity. We've got an amazing group here representing a whole host of different actors that have to be part of the solution set. I will just literally give titles and let, and if they want to expand during the Q&A in terms of their backgrounds, that would be great, but I want to maximize time. Starting all the way to my right. I'm rarely on the far left, but starting all the way to my right is Eric Goldstein, who's a senior adviser at the cyber division at the Department of Homeland Security. Next to him is an old friend of mine, General Reynold Hoover, a major general in the National Guard, and is also very active in our active defense project that we're doing here at the center. Kiersten Todt, who is leading the president's commission as the staff director for cybersecurity. So thought it would be really insightful to get a sense of where the commission plans to go. Scott Aaronson, who is at EEI and has done a ton of work on public-private partnership and grid security and cybersecurity, and I think the sector as a whole has really raised its game in terms of cybersecurity. Given the recent cyberattacks in the Ukraine, think there could be some very valuable lessons in terms of the implications here in the United States. Last and certainly not least is Scott Kaine, at Delta Risk. He is a newly appointed CEO there, so congratulations on that. And thank you for helping sponsor our event.
Sure.
What I thought I would do is jump right into questions. We want to save time for the audience to engage in a Q&A as well. Kiersten, I thought we'd start with you. Since the president recently concluded there was a need for a commission to examine cybersecurity issues, obviously the scale and scope is quite broad, but what are the priorities that you guys are looking at? What is it you hope to accomplish, and what is it you hope to accomplish in a relatively short order of time? Right. So I think that the short order of time, as I have said, works to our benefit. I've said it's the marathon within the sprint, the sprint within the marathon. Either way it's fast and requires a lot of effort, but the end result is a report that's going to be delivered to the president on December 1st, and the key here, as the president outlined and as the commission has repeated, is this is not intended to be a culminating document of President Obama's administration. Quite the opposite. It's intended to be a document that looks forward and that hopefully the new administration that comes in can use as a transition document on cyber. And the general strategy approach to this commission is looking at the digital economy and it's looking at the role of the government as well as the private sector in the digital economy. How these two elements and entities work together and what they can each do in order to look at creating a secure digital economy three, five, ten years down the road. And our, sort of the way that I would define specifically what we are looking to do is to set forth in December a series of short-term practical recommendations, ones that, as soon as that report is done, can actually be used and implemented immediately for ways that can help and secure what we're trying to do as well as long-term ambitious recommendations, so that we're ensuring that innovation is a part of this.
When we look at those and look at the different themes, that they're both possible, and how we do that is measured by taking best practices, lessons learned that are out there. What we're working with right now is looking at what are the models for how we're going to draft the recommendations. It's a combination of what's already out there, best practices, lessons learned. It also could provide an opportunity for things that are working but don't have a lot of visibility and to raise the platform and the visibility of them on a national level. And then not most importantly but I think very, very importantly is the innovation, being able to pull in innovation around this country on these initiatives and efforts in a way that, again, puts forth a digital economy that we're looking at three, five, ten years down the road. Thank you, Kiersten. Eric, why don't we go to you in terms of trying to get a sense of where we are, what's working, what's not. Can you shed some light on where the NCCIC fits into some of the public-private partnership initiatives and then we'll turn to General Hoover and then we'll hear from the private sector. Absolutely. I should begin by noting that cybersecurity in the U.S. government is, of course, a team sport. So we have law enforcement agencies that of course have to identify, attribute, interdict our adversaries, we have the military defending D.O.D. networks and combatting our adversaries in cyber space. My agency, DHS, our role is to protect. Our role is to actively protect federal civilian agencies and help the private sector and help state and local, tribal and territorial governments better protect themselves. With that, we're pushing forward very urgently on a few lines of effort, the first of which is Congress was kind enough to pass the Cybersecurity Act, as this audience assuredly knows, last December. As part of that act our National Cybersecurity and Communications Integration Center, or the NCCIC, was established as the U.S.
government's information sharing hub to exchange cybersecurity threat information between government and the private sector. This past March our secretary certified that our capability to share information in real time between government and the private sector is operational. What we need to do now is build the base of companies and agencies participating in this activity. The act of last December really removed a lot of the disincentives that were stymieing sharing between government and the private sector, for example, the possibility of civil liability, FOIA exceptions, et cetera. So we now feel that the disincentives have been wiped away by this new act. We at the NCCIC now need to figure out what are the positive incentives. How do we in the government show added value from cybersecurity information sharing such that companies will see benefits to their security and to their bottom line to participate. I would also note, building off the point on the president's cybersecurity commission, we see ourselves as having a significant role in promulgating best practices across the nation and figuring out how should companies best evaluate their relative cybersecurity posture and measuring progress thereto. And of course our foundational document for that is the N.I.S.T. Cybersecurity Framework. We need to figure out how companies use the Cybersecurity Framework to measure reductions, to show measurable reductions in the cybersecurity risk. We're focusing in the private sector for increasing our capacity in these two key areas. How do we demonstrate to the private sector the value of automated cybersecurity threat information sharing and how do we actually promulgate and measure the effectiveness of best practices being adopted across the private sector and in particular across the nation's critical infrastructure. General Hoover, when you think of the National Guard, they embody the citizen soldier.
We can all look back to major crises and recognize that the role that the Guard plays in mitigating the consequences of these sorts of attacks. Where do you see the National Guard fitting into our overall cybersecurity equation? And what more can or should companies and state and local authorities know about the Guard's role here? Sure. So I think there is a couple of things. First, the days of putting a lot of money into cyber to build a wall are over. We all have to kind of get our arms around the, you mean we can't firewall our way out of this one? No. The firewalls are a thing of the past because, you know, a company, a private sector, or the federal government, will spend millions and billions of dollars on building the wall, and it only takes one person on our side of the wall to do something really stupid to take down your system. So I think, as we think about cyber and what cyber means from whatever perspective you're looking at it, it really needs to be a whole of government initiative, and it needs to be a public-private partnership, and we need to think about active defense, and we need to think about risk management in the cyber arena. We think that the Guard is uniquely, in a unique position to support that effort through our citizen soldiers out there, and as part of that, as part of that we have, we're fielding cyber protection teams in all the FEMA regions, in each of the ten FEMA regions, both on the army and air side. We should have those teams in place by fy 15. Or 19. These units are in state active-duty status, so they're under the control of the governors in all 54, in the states and the District of Columbia and territories they will be available. They're there to augment the D.O.D. commission and the army cyber command. More importantly, they are a unique asset. As we think about what's the future for cyber and how do we do that in partnership, I think the Guard has a unique opportunity to bring to the table.
I want to pick up on a couple of those points in a bit. Scott, how many companies went into business thinking they had to defend themselves against foreign intelligence services, nation-state threats? How do we translate the nouns into the verbs? What is it E.E.I. and the companies you represent doing to try to make this real? And do we need to, is it about consequence, is it about perpetrator, actor? What are your thoughts? There are a bunch of things that General Hoover said that I want to pick up on. You heard the phrase or the word partnership over and over. That's exactly the way that we're looking at this. We as the electric sector, to your point, Frank, we can't do this alone. We don't have intelligence gathering capabilities for the most part. We don't have law enforcement. We don't have a national security mandate. But we are a target. So what we look at in terms of partnership, there's a north-south partnership. Government and industry working together. I am privileged to serve not just at EEI but I also serve as the secretary for our coordinating council which just yesterday brought 30-plus CEOs together with senior government officials. We do that meeting three times a year not to pat each other on the back and say doing a great job but to actually do things that are advancing the cause of security. Looking at deploying tools and technology that the government has. The way I put it colloquially, the government has some pretty cool toys, we want those on our systems. Improving the sharing of information. Making sure the right people are getting the right information at the right time. I talked about north-south, government and industry. East-west is incredibly important across the sectors also. We, the electric sector, because everything runs on us, are often looked at as the most critical of the critical. We don't have water, can't generate steam to cool our systems. Don't have telecommunications, we can't operate. Transportation or pipelines, can't move our fuel.
There are many ways to attack the electric grid short of attacking the electric grid. So tools and technology, information sharing, partnerships, response and recovery. So much we get, like you said, General Hoover, we can't firewall our way out of this. You build a higher wall, they're going to build a higher ladder. What you want to do is make the adversary build the ladder but we understand security is not just protect, detect, defend. It's also respond and recover. And what can we be doing today to make sure that bad day, because it's coming, does not become a catastrophic one? How do we manage the risk? How do we put the risk in a box? How do we ensure we have a short outage as opposed to something more catastrophic? Scott, I don't want to, before the, I don't want to belabor this point. But if everything is critical, if we have 16 designated critical infrastructures, does that mean nothing's critical? Or how do we actually get to the point where we rack and stack, prioritize? I mean, obviously the energy and electric, I mean, it is the most critical because without the lights we wouldn't be able to be here today. So how do we start thinking about that? I think people are. There genuinely are different terms of art. There's lifeline sectors. There's strategically valuable, strategic infrastructure sectors. The National Infrastructure Advisory Council knocked it down to five. Electricity, not energy broadly. Electricity. Transportation, water, finance, communications. And I think there's a lot of wisdom in that recommendation. I will say the three sectors, there is not a knock on the others, but that have probably become the most mature because they have been the subject of attacks for so long, are going to be electric, finance and communications. And I can say, just because of counterparts that I have in each of those sectors, those partnerships are developing at a really rapid rate, to the benefit of the security of each of the sectors.
So looking at interdependency as well. Sure. Between our various infrastructures. Scott, looking at it from a private sector perspective, by very definition you've got to be able to provide holistic responses. Where do you see things playing out today, and where do you see your greatest focus being in terms of making sure you are meeting your clients' needs? From a personal perspective I have been fortunate to be in the private and public sector side. What I would say is the real issue is in the midmarket. In other words, the midsize companies on down need help. They don't have the resources. They don't have the assets. My company is privileged to work for the Department of Homeland Security to monitor via an RVA program and do vulnerability scanning of critical assets but for mid to small size companies that are important. Utility companies, small banks, county governments and so on. And so what we typically find is that my guys within four hours, they're in the door and owning the keys to the kingdom. So you hear this soft underbelly concept, but it's the truth. Which is, if you were to take a look at where the most risk is that exists out there, the big companies have the assets, they have the resources, they have the funding, and by and large, from what I have seen, I know eight of the top ten banks work effectively with the government, with the intel sector, with the Department of Defense, with DHS. There is always that issue with classified information, wanting to be brought over to the private sector and there are the issues with scrubbing and so on, but the real issue, from what I see as relates to public-private is that the public sector is trying to keep up with monitoring the security and risk associated with the mid-tier companies out there and they can't keep up.
And so the program that we have is we work on behalf of DHS and we're not able to go after the list and energy companies that need our help to scan because we have to wait for some DHS supervision to support us to go out in the field. So what I've always thought was if you look at the overall risk, where the public sector I think can assist the private sector is in the mid tier, and instead of just assuming that one individual from the government can supervise, let's say, contractors in the private sector to take care of their own, there needs to be some type of deputization, meaning there's not enough folks to do the job of keeping watch over those companies. If it's a National Guard leveraging the assets in the field, that would do a great service to this country in that if you take a look at what you are going to attack it doesn't take much to figure out, and the easier ones plugged into the big ones and like before you know it we have a much bigger problem. Incident after incident after incident highlighting. I would say finance and banking. Those are the folks that control a lot of monies. And not everybody bank there is but the community banks that own a lot of assets, the brokerage houses that manage billions of dollars on a daily basis have basically no infrastructure in place or no support to do anything, so while they worry about the audits they're not adequately protected and that's where the program that DHS has today is helpful and I'll tell you there's a lot more folks that need help. It's just a resource issue with getting the cavalry out there to support it.
From a public-private perspective the big teams, DOD, intel and DHS at a high level and the high level financial sector and the energy sector, they do as good of a job as you would expect in terms of information sharing. If someone has a problem there doesn't seem to be an issue with picking up the phone and calling their counterpart on the other side, and for the mid market forget it, there's a very vulnerable exposure in this country and whether it's DHS, whether it's the National Guard, I believe there needs to be a stepped up effort to support them and they're begging for it. I might note even the most critical of our sector, SWIFT allegedly had its credentials compromised through a central bank in Bangladesh so it's getting down to the supply chain, third party vendors with Target and many others. SWIFT is as secure as they come. I've been in this industry for many years. It's a hard target to get and they got it. So at the end of the day the mantra is if they want you they'll get you. That's what happened there and at the end of the day it wasn't a technology issue. It was someone making a phone call that didn't get received and went ahead without approval to cause the whole mess. I think Scott raises an interesting point. Looking at cyber security and initiatives we often think large companies. We often think where the resources are, but any successful effort, if you look at the NIST framework and what our intent is with the commission, is to look at the small and the medium and the large businesses because when you talk about supply chain and just in general where critical infrastructure resides, it doesn't always reside at the largest level and if you're a small company at the middle of the country you're critical and arguably more critical than a lot of the big companies at that point.
Which is a reason why the National Guard is this tremendous resource with the citizen soldier, to look at how it bridges the day job with the government and we have this access point here around education, awareness and knowledge that we could be utilizing a lot more effectively when we're talking about where our cyber efforts are going to be in the public and the private sector. Go ahead. I was just going to add the other thing is not only private sector but the public sector, we see a bit the small agencies and departments that need help as well so whether it's determined today in terms of certifying the private sector can support. The managed security service model is very common in the private sector. What it comes down to is instead of me hiring a staff I'll outsource my security. Five years ago it was bad to do and nowadays much more receptive to doing it and I think there's a flip side to it so while there might be mid sized companies in the private sector at the minimum do an assessment to tell them where their problems are. In the public sector I encountered a need for the smaller agencies and departments within the government to consider looking at the private sector to help manage their security. You have to have certifying process and body to ensure that whoever this security service provider is can ensure that they meet the standards necessary for the government but it's something that the feds ought to consider in that the big folk versus what they need. The smaller folks are trying to do what they can and the private sector might be helpful in that regard as well. I'm not sure even the big folks have exactly what they need. I was trying to be nice but I take all of your points and I think there's another level that we're just missing and it goes back to my opening comment about what is cyber?
And cyber is whatever you see it as from the, when you think about the elephant, everybody has a different view of what the elephant is to describe it, and there's another segment out there and maybe many of you in the audience are just like me who lost your data through OPM breach, so cyber to the individual at home on their computer working on their bank information got hacked or their private emails got hacked, I mean, it's an issue for them as well and that's why when we think about this cyber defense or active cyber defense it has to be a partnership and it has to be a whole of government approach and it has to involve the private sector because we're all in this together and we're all facing the same things, and that's again, you take it back to the Guard, we have airmen and we have soldiers who in their day jobs do cyber for a living. And then when they go for their weekends they put a uniform on and we think they're uniquely qualified to partner many that state status to support the governors and support DOD and army cyber and air cyber in the mission, but it is a huge whole of government. Public, private partnership but down to the individuals sitting at their computer at home with online banking or using a smart appliance that all of a sudden starts talking to you and walk into their house. I think you raise a very important point here and I want to touch a little bit on the threat. Not all intentions are the same and not all capabilities are the same. It doesn't come in a one size fits all. It comes in various sizes, shapes and forms. In terms of understanding threat actors, how would this group prioritize and rack and stack where we ought to be thinking about from a capability standpoint and then also from a likelihood standpoint, and a little bit on the TTPs or tactics, techniques and procedures, and we seem to be chasing somewhere and DDoS.
Issues seem to come into flavor and out of flavor but if we were to actually start looking at the threat actors and some of the TTPs they're engaged in, how would we rack and stack that? The point of view of DHS, one really interesting characteristic of most of the major security breaches from OPM on down is they actually exploited known vulnerabilities and very common TTPs in order to breach the organization and trade or degrade data. Even ransomware, it's infecting the host computers is through the same vectors that we have been seeing malware deploy for years. It's taking an agnostic approach because what we have seen is even our most sophisticated adversaries are still breaking in using the most simple and common issues. They're exploiting users who click on spearphishing emails and they're exploiting unauthorized privileges for privileged users, so at DHS what we're trying to evangelize is that organizations deal with the basic blocking of security that's going to invest in more complicated attacks and if we can devote our cyber security human capital to combatting those sophisticated attacks and just deal with the rest by doing basic cyber security hygiene that will put us in a much better place. I want to pull on that because I think you're spot on. At the end of the day in most cases you don't have the attribution or smoking keyboard that we're all looking for. So you don't know who is behind that, whether you're dealing with the nation state or criminal or disgruntled employee or someone with an ax to grind. But if we can get to the point where we can devote limited resources that the government has to the high end threat spectrum, everything else below that domain in the private sector. We can calibrate that. Do you see that happening any time soon? Certainly the direction that we're trying to go in and we're really going in that direction in two ways.
We will continue focusing on the critical infrastructure that can lead to physical manifestations or significant degradation of national security or national economy and we're trying to segregate the systems that could lead to the effects, but of course as Scott noted the inherent interconnection and dependencies within sectors make that very challenging so we now need to go really to the sub asset and sub Southern Land level and actually understand what are the vulnerabilities internal to a critical infrastructure that could lead to these effects. Within government we're taking a new approach to how we prioritize our cyber security interventions. In the past we have taken an agency approach. We are now transitioning to a new approach and we're really focusing on the highest value data sets, systems, assets, and if degraded, the OPM databases is one example that if degraded would lead to especially severe consequences. The cyber security capacity of DHS or any given organization is finite. So we have to focus on the most significant consequences first and in so doing we would have the likelihood of the most significant or catastrophic events from happening. Scott, this gets to as many conversations as we have had in the past in terms of impact and let's do this also as an opportunity to enlighten some folks on some of the lessons learned in the Ukraine? I mean no state actor worth their salt are going to send the muddy footprints back to the Kremlin. It's rare that you get them sitting on the same stage effectively finishing each other's sentences. These are the kind of issues you need to be more provocative. So General Hoover talked about this, what does it look like? Well, sure I care about business side of tax and my companies do not like the reputational risk or what happens to their customers if credit card data or personal data is breached. We fight to prevent that from happening like every other business in the United States is doing.
What I'm focusing on both on the Sector Coordinating Council and with my day job on behalf of the industry is looking at the operational technology side. So the elephant to me looks like those things that are cyber incidents that have physical implications. And one of the conclusions we came to, although I am glad that cyber has gotten everybody's attention, the security of critical infrastructure is important and can be done from a keyboard across an ocean, really what we are looking at is you're never going to have a cyberattack that doesn't have a physical implication and you'll never have a physical attack that doesn't have a cyber implication so I look at it a lot more holistically and in this 24 or 72 hours following an incident you may just not know. So so much of what we have to do is understand the implication, power is out. Response. How do we respond to that? Now to bring it into what happened in Ukraine, people wanted to make the Ukraine incident. This is an eye opening experience for the North American utility industry. It was not an eye opening experience. We knew this is the kind of incident that could happen and had been preparing for many years. Now that's not to say that we're not going to take this incident and learn really good lessons from it but it was not some moment where oh I didn't know that could happen. We absolutely did and we have been preparing accordingly. The biggest thing is Ukraine had some benefits but also drawbacks. A much different grid than here in the United States. We do have mandatory and enforcement standards so to the point that Eric was making the nuisance attacks are the kinds of things that the electric grid in the United States and North America is particularly good at. What they had in Ukraine is the ability to operate manually on some level almost blind to the security risk we were creating. Now it is good that we have automation and gives us better situational awareness but also increases the attack surface.
Are there things that we can be doing today to go back to my original point? Are there things we can be doing to be able to operate manually. To go to a degraded state to keep the power running and understanding it's going to be in a less efficient way. Those are the big decisions that we're taking as a sector and partnership to begin to do planning for those in a longer term on the grid. And this is an experience coming out of Ukraine. We have a culture and you have seen it all over the country. And can we learn some lessons and the culture in the cyber space and in fact we are building out a cyber mutual resistance regime has a sector and we can't do it alone and goes to the staffing issues and there's going to be a National Guard component to it. There's a law enforcement component to it and bringing the whole of the community together for response to cyber incident is a great lesson. The physical cyber convergence and growing exponentially we and baking security into the design of architecture becomes that much more important. Secure coding and the like and I might note that one of the greatest deterrents, and I have been an outspoken critic that we haven't articulated a strategy and I think that we in essence blamed the victim. We blame entities rather than put pain and cost on the perpetrator but that's a longer conversation, but maybe one of the best deterrents is to bounce back quickly. And emphasis in planning. If the adversary realizes that the impact is not going to be as catastrophic as they want it to be they'll go somewhere else. You wanted to pull on that earlier. I want to say something.
I think that this idea of education and awareness, we have, I think it still exists, which is a false notion that the right technology is going to prevent something and we're not looking at it as effectively as a pyramid and on the base of the pyramid is people given policies that educate them on what to do and the technology is brought in to assist the policies and the people and at the core it's the people, and if you look at what happened to Google, we were talking to somebody and related to the commission and the reason why Facebook says they didn't get breached is because they pulled all of the operation systems out of the wall when they found out what the vulnerability was. How many of those exist in major organizations today. I can tell you that there's still a lot for the public and private sector that still carry that operating system that's known to have that vulnerability and in different ways as we look at these things. It is an opportunity for the government to play a model in both the public and private sector. What Tony Scott has proposed with his modernization fund and this approach theoretically makes a lot of sense which is take the functions that are shared across all the agencies that are not agency specific. HR, payroll, email provision. And create a shared platform. That is resilient and what you're trying to do is you're not going to be able to prevent everything and this idea that they're more sophisticated, if you create an infrastructure that prevents what should be prevented, blocks the low hanging fruit. There's very basic things we can do but understanding that you're not going to get ahead of every attack, it's how do we create that infrastructure that is strong to manage what happens and get our systems up and running as quickly as possible and that is an approach at the public and private sector.
And to the point that she made earlier is there is a simple vulnerability that we had that we are not doing enough to address and I know that one of the elements that we're looking at in innovation that's happening in the government as well as the private sector is how do you ensure that it is a lot easier to do the right thing? It's very difficult to do the wrong thing and if you do do the wrong thing it's contained and it doesn't spread to a system in a way that takes it down for a long period of time. So we have to be looking at all of these elements. The people, the policies and then the technologies in how they're integrating together. A good segue. I think Kiersten hit it spot on. It's a three legged, technology, policy, people, work force and you mentioned this earlier and the need to empower the work force. How do we translate into a strength. What should we be thinking about because at the end of the day the talent doesn't grow on trees. There's general cyber security awareness capabilities that can be brought to bear. There's two tiers. There's people with resources and people that don't have the resources so you'll tackle both a little bit differently. With the people, process, technology support. For the big folks, you know, to try to take a stance here, I'm not a big fan of the let's throw our hands up in the air. I'm a coach in girls soccer. I don't sit there and plan, well, when the other team scores let's figure out how we're going to come back. That's a necessary part of the game. There's a preventive element. Young kids soccer. 57. We're playing the football roles while they're playing soccer games. So I guess my point is that for larger enterprises the way we tackle it typically from client side is be preventive. It's not a bad word. It doesn't mean you have to plug up every gap but there's a couple of things. Don't be the slowest person that the bear is chasing.
Just do enough to just get beyond that so I don't want to be the last person but I want to make sure that I'm not the last person. Okay, got it, but the bigger piece is that on the preventive side you had talked about the threat actors. At the end of the day it's not that difficult to see what's going on. As a previous life I worked as the president of a threat intel company. It doesn't have to be monitoring the dark web. There's social circles where you can take a look at threat actors and they have their patterns of attack. Such and such companies start showing up in bad places and blogs and so on and some of the message boards and so on and now I know. Such and such companies or this industry is about to be attacked. Well, instead of waiting until they hit let's take a look at how they typically attack folks and make sure that the companies in that particular industry or the fed groups in that particular industry are prepared, right? So hey, we know John and the bad guys typically operate this way and your name showed up and within the next three weeks you'll be on the target list so get ready. That's not a very difficult concept. On the people side what we typically do on the large enterprises is our exercises, so using the soccer analogy, you don't show up at game time and figure out what to do, so most of the folks when you run them through scenarios, the boards, the ops folks and I.T. folks and development folks that do the code, you bring them together and run them through scenarios that are relevant to the threats in their particular industry and most don't do well so what ends up happen as good you find the gaps and you fix it so that's the way that you get prepared is that if you're talking about people they'll do what they have to do but if you practice you'll do a lot better at game time so we usually advocate that. It's just let the experts do it. Do the things you need to do. Do the hygiene piece but consider having someone else come in as the pro.
I would highly recommend entities that don't have the capability to spend a whole lot of time. That's a pretty tough neighborhood. You have to have some real capabilities to be able to engage in that and I think that you're spot on. You make the big mistakes in the practice field and not main street USA and game day and I think you're starting to see a pretty big trend to even the financial services sector where you have small and medium sized banks looking to their providers to provide security and the cloud for example. I think you're going to see a big trend in that direction where they don't have it to throw at this problem. They'll tell you where they're going. They're looking to leverage the cloud more and more. Because it's easier, faster, better, stronger, then the threat comes with how do I keep tabs on the folks that I'm having my kids live with. So what is happening is this is becoming enormous. Keeping tabs on the big companies providing these services. You're not going to get the big companies to allow you to start rummaging through and making sure that the security protocols are in place but there's ways that the mid sized companies can use certain not that expensive technologies to work with their partners to keep tabs. It's a big thrust in the commercial world without question. Awesome. I want to make sure that we have a little bit of time for audience Q and A. So we have about 7 to 10 minutes. When you raise your hand identify yourself and wait for a mike. So Andy over here. You mentioned the active defense word. I'm wondering if you could describe for us your sort of vision of active defense and get other panel comments about where that is headed. So back in the early 80s who thought back then that we would be watching TV on our cell phones? Who thought back in the early 80s that you wanted to watch TV on your cell phone? But today everybody is doing it, right?
The speed of technology is changing so fast and outpacing the victims to cyberattacks and I know that you'll find this hard to believe but the government moves rather slow to all of our policies and processes and the things we're trying to do can't keep up with that and that's where the active defense comes in and that's where you need a layered approach to cyber defense. It has to be risk management based so you have to accept some risk because as I said at the outset you can't build the firewall anymore because it takes just one person on your side of the wall to do something really stupid and it will take down your system and if you're in the private sector you can't afford that. So we have to all be in this together so when I think of active defense I think of the risk management combined with a layered approach and the notion of the public-private partnership and we partner and there's a pathway forward to us that we can be collectively together. You're not suggesting to people to turn off their firewalls. You're just suggesting that the perimeter of defense is insufficient. That's correct. Please don't turn off your firewall but at the end of the day it is insufficient and I don't know what is inside and outside of the network anymore so it's all blurring and traditional ways of thinking of just building higher walls ain't going to cut it and the question is there's a lot of policy space between hack back and walls and that's the emphasis of the study we have ongoing as well so one more question. Please identify yourself. Quick questions. I'm a student at the University of Pittsburgh. I have a question for Eric on the left. The previous speaker was also from the DHS and he was talking about how important it is to share information with the private sector and the public sector. But you hear about these vulnerabilities like Target got hacked by I think it was their point-of-sale technology and there's a bunch of old vulnerabilities on Windows XP.
How do you know when enough is enough? Are you afraid of sharing too much information and creating more vectors of attack? If I could build on what impediments there are legally if any. Absolutely. This comes down to the sophistication and capacity of the recipients. Building on the point that Scott made, for a large enterprise, a major corporation, a large federal agency, our current approach is that we should share as much as possible as fast as possible. Because they should have the sophistication and automated tools to be able to use that shared information to better their own security. I would differentiate and our current focus right now in the automation space is on sharing threat indicators as quickly as possible. We believe they should be a commodity. Their indicators should be published and shared across the enterprise in real time. Our goal would be when an adversary uses a single TTP, a single spearphishing email, the first organization that detects that in their firewall, they capture that and put that in a shareable format and we share it with the world and the adversary can only use that a single time and it's blocked everywhere else. I like the idea. We are nothing if not optimistic. But it's only the case that some organizations will have a hard time differentiating the signal from the noise or they will need additional help to figure out what is most important? What indicators do they use first? We're building into our system the capacity to put in reputation or confidence scoring that will actually tell the recipient when they receive a cyber threat indicator how important is this? Is it something we have seen used elsewhere with significant consequences? And that will help organizations that don't want to just take the pipeline of indicators from DHS and use it all to differentiate based upon our confidence that is actually significant and the importance thereof.
Looking at some of the initiatives which a number of companies is initiating, it's a grey marketplace and it allows for the white hat hackers and grey hat hackers to be able to share information of zero day exploits and unknown exploits before they occur. The government can help drive that marketplace with the private sector or no. You can offer in essence it would be providing incentives or no disincentives. So certainly the DoD already launched their Hack the Pentagon effort where they're paying for hackers to hack public-facing DoD websites. There is a model here. The traditional model is other agencies coordinate with white hat researchers to provide vulnerabilities and we work with the developers to bring that vulnerability to resolution. Obviously there's a significant market now for this service and if the government wants to receive these vulnerabilities along with the vendors and developers there is a model where the government sets up the framework where this is easier, simpler and lower risk and there's a model as shown by DoD where the government is a participant in a financial market for vulnerabilities particularly on government owned and operated networks and software which is when we'll see it first. Time for one last quick question and quick answers. Mark Peters. I had a question for you. The National Guard has appearance, many years of experience with response and disasters for example. You're gaining experience in assisting with response. Have you given any thought into how you might have to think or act differently in either preparation or response when you have both involved simultaneously? That's a great question.
Part of our capability whether it's supporting a domestic response or cyber event is the value we bring is we're right there and we're able to set conditions for the governor in advance of other federal services or other capabilities that FEMA might bring to the table so I think that our response as we think about a cyber response is really to set conditions for other responders then to come in but it is a great area of exploration in terms of how we continue to support it. I'll second that. I think we just met 20 minutes ago but I think that's the wave of the future and I speak from our company, we have about 45 employees all in the National Guard or the Air Force and all of them are cyber folks and they're distributed all over the country so the limitation is because of certain physical locations. National Guard is everywhere and they're private soldiers so the way our team plays out is they work with us during the course of the week. On the weekend they're cyber warriors so they're totally prepared to support the mission out in the field all over the place. You have a bank and you have a National Guard representation with folks working day jobs in the private sector that are fully capable of supporting that mission. And the National Guard seems to be the right organization. And coupled with the talent pool they already have. A lot of these folks are already in the cyber security in the private sector doing their day job. The weekend job becomes having more fun helping someone else out. Thank you, Scott. On that note please join me in thanking our panel. This could have gone on so much