vimarsana.com

Over a period of time or over a broad range of companies, and perhaps maybe it's only successful once. Nobody wants to be patient zero, but we can reduce the outcome of that. It dramatically increases the cost for a successful attack and it limits the number of actors who can do that, and a lot of good things will occur from that. So sharing is absolutely critical and we're seeing more and more of it. There are a lot of acronyms flying around, but I think it's the nature of getting public sharing. Ctic is a perfect example of that, having public-to-public sharing, and then you have ntic. The public-to-private sharing is extremely helpful. And at the private level, there is lots of private-to-private sharing going on. The FS-ISAC has been incredibly successful for some time. One of the things I'm very happy about is the security industry coming together to do something like that. About six months ago, ourselves, Symantec announced something called the Threat Alliance, which is security competitors coming together to form a security ISAC. Your ISACs have a lot of vertical information that is very helpful. This is a horizontal viewpoint to share among competitors so all our customers can have that. Four new members joined this morning, so we're very happy about that. We invite every security company to become a part of this for the good of all the customers, and we think these are steps forward. Of course, getting all that information shared as fast as possible, public to public, public to private, private to private, is a good outcome. To do that, it has to be done in a responsible manner. That's a lot of the discussion here. It would be about how we would do that without having companies face baseless liability litigation, but at the same time you can't minimize the sharing perspective. They're usually boiled down to security versus privacy. Those are not mutually exclusive concepts.
There will be differences of opinion on that, but we're not going to get over those unless we sit down and talk about them, which is the point of some of these summit sessions the administration is leading. I think that's a fantastic thing for all of us, and I appreciate the leadership on this and the chance to be here today.

[applause]

Good morning, and it's an honor to be here and it's an honor to have you with us here this morning, Mr. Secretary. I want to welcome you again to sunny California, where we enjoy the sun. We do need some rain, but don't worry, we still drink water around here. It's a privilege to be here at Stanford. I didn't quite make it here when I wanted to come, but my wife did, so I feel like I'm a part of Stanford. It's a great school. On a more serious note, this is clearly a major issue for all of us and all of us in the country. And, in fact, in the world. Within Kaiser Permanente, we are a unique organization in the health care industry because I have, in essence, two business models inside of my organization. I have a health plan in which we provide insurance and coverage to almost 10 million Americans, and then I'm a comprehensive delivery system in which I provide care to those 10-plus million Americans plus the communities in which we exist. The flow of information on both those continuums now in the 21st century sits on the backbone of technology. As a result of that, we have pretty much been able to provide real-time information to our physicians, to our caregivers, to our members when they need it and what form they need it for the type of health decisions that needs to be made between the patient and the physician of the care team.
The single biggest concern that our members have about the beauty of the technology and the ability to move information freely is the security of that information and the confidentiality of that information, because the research has shown that the patient information is a much more sensitive issue for the average person than, in fact, even the financial information. And that, too, is devastating. We spend a tremendous amount of time inside of our organization doing everything possible to keep the bad people out, and God forbid, if any of them get in, how to quickly know they're in there. Which is a two-prong approach that I oversee for the company. I chair the Governors Committee for the organization. I spend at least two times a month in committee meetings with my top team. I report to the board about the work that we're doing inside the organization. I'm spending millions and millions of dollars trying to figure out and make sure we have everything available to secure this precious information on behalf of the American people. And I share that information with any and everyone that I can in the industry to share lessons learned. So there is an infrastructure inside of my organization in which we're trying to every day, every night grapple with this issue. Inside of our industry, we're coming together in different forms in which we're openly sharing what we're doing to try to secure the information across all of our organizations in the enterprise. So I view this next extension in question, which is the public-private relationship, as a natural. And the natural for me is we all have a common interest, and the common interest, it doesn't matter what businesses we run or are in, we want to secure the information for the good of the people who are putting their trust in our respective organizations, and to make sure that we maintain that trust at all times. So the interest is high from my perspective to be involved and engaged.
And the opportunities are high because the collective intelligence that we can bring to the table that benefits everyone, I would argue, is of common interest to each of us. And then finally I would say that there are two incredible opportunities that I think we can have with a public-private relationship. The first one we've all talked about, which is the ability to share the information of what we know. To demonstrate to you how sensitized I am about the issue I described for you in the beginning, I have to be absolutely clear that I state I am not talking about sharing the actual content that I'm here to protect. It is sharing what I am learning about people who are trying to get to that content that I'm trying to keep out. It's important for me to say that because that's a sensitivity that I hear every single day: are you sharing my information with the wrong people? But I think together with a public-private relationship we can, in fact, create a forum in which we can continue to share with each other what we're learning and how we're addressing it. I think the second area that Ken touched on earlier with his great example about the cell phone and text messaging. In the health care industry, well-intentioned regulations were written for a certain period of time in which it is now irrelevant in the day in which we live. We need to have a form in which we have a collective conversation about constructive change that will, in fact, advance our effort but yet assure, in this case, the American people, that their best interest is being protected. I think that's the second area where the public-private partnership could be tremendously helpful. Thank you very much.

[applause]

Dr. Sherwood Randall.

Good morning. And thank you, Jeh, for your leadership on these critical issues. Jeh and I met the day after the election in 2008 when we joined the Obama transition team in Washington.
And, indeed, I came to that team from Stanford, where I spent 12 wonderful years based at the Center for International Security and Cooperation. And I'm thrilled to be back on the farm today with all of you.

[applause]

So many friends in the audience. I'm just delighted to be here. What has kept me away from this magnificent place that I love so much has been the opportunity to work on some of our most difficult national security challenges, including modernizing and securing our electric sector, which powers our nation. As you know, innovation that was born here in Silicon Valley has enabled our grid to do more today than ever before through interconnected information technologies and industrial control systems. And while this has empowered us to do so much, this convergence of wireless communications and digital controls also creates huge new vulnerabilities. So I want to highlight two aspects of this of the electric grid in which vulnerabilities are introduced by this interconnectivity. One is our industrial control systems, and the other is in supply chain vulnerabilities. Industrial control systems, including what we call supervisory control and data acquisition systems, or SCADA systems, are the backbone of the energy sector. These systems allow users to monitor, gather and process data in real time as well as send commands that power the grid. We can send commands, for example, that will open and close fuel pumps or water pumps in remote locations using these systems. But obviously, this offers opportunities for our adversaries who would want to do us harm. Second, the supply chain of the electric grid is vulnerable. Electric companies don't make the parts and software that support what they do for us. Their suppliers are diverse and much of what they procure is off the shelf. So, for example, a company could be taking great care to enhance its cyber defenses but fail to fully audit the potential vulnerabilities of new software.
In fact, the amount of time and money they would have to put into doing that would be impractical. So supply chain and integrity management has to be part of our cybersecurity protection. As leaders in government, we don't have the opportunity just to admire a problem, we actually have to figure out what to do about it. So one of the reasons President Obama called this meeting today at Stanford is to talk with you all about what we want to do to identify practical solutions. The partnership that is highlighted at this summit between the federal government and the private sector is at the core of what we must do in government working with industry. And with brilliant people at universities like this across the energy industry to address cyber vulnerabilities. President Obama pointed out in his 2013 policy directive on critical infrastructure and security resilience that energy and communication systems enable all other infrastructures to function. So if we don't protect the energy sector, we're putting every other sector of the economy in peril. At the Department of Energy, we're the day-to-day coordinator with industry on matters of security resilience, incident response and planning. In government speak, we're called the sector-specific agency for the energy sector. And that brings me to the core of this discussion, which is the public-private partnerships and information sharing mechanisms that are indispensable to meet this challenge. Getting started as deputy secretary just a few months ago, I've made this one of my highest priorities, and indeed, I chair our department cybersecurity council. The fact is the energy infrastructure is largely not government owned. About 90% of it is privately owned. And so that means we have to work with owners and operators to rapidly elevate and sustain their cybersecurity capabilities as well as ours. Tony Earley mentioned one of the most progressive partnerships we have is our Energy Sector Coordinating Council.
CEOs in the esc meet several times a year, and already I've met with them twice in my months on the job. Our efforts are information sharing measures and assessment tools, as Tony noted. And I've also emphasized that it's critical we coordinate with other sectors. Tony mentioned this as well with the oil and gas sector, with the transportation sector, with the communication sector. One of the big challenges here is speed given the dynamic breadth that we face. And the EO the president has issued today reflects this. We have to have a government process that does not take too much time to share information about threats. We can't wait for regulations to deal with these new cyber attacks. We would be perpetually lagging behind the threat if that's how we deal with it. And so our solution is to work to provide tools and information to companies in real time so they can be aware of the risks that you noted government may know first. Although honestly you may see the information first on your systems and need to report it to us so that we can make others aware of what's happening. As soon as it's identified. In addition, our Department of Energy has a number of extraordinary national labs. One of them is here at Stanford, the Stanford Linear Accelerator. We do cutting-edge research on cyber and physical challenges to our critical infrastructure at a number of those labs. Over the last several years, 80% of the world's control system vendors have been tested through government-funded assessments at our Idaho National Lab, for example. This testing is followed by design reviews and mitigation discussions with the vendor. Indeed, at Idaho, which I visited last week, a 900-square-mile grid-scale test range exists which enables us to do real-world testing of the interdependencies of modern grid technologies and the evolving threat we face to critical infrastructure. We also conduct

© 2024 Vimarsana
