Now, I'm not going to let my government colleagues off the hook, because we also used to see a lot of senior government officials on the Government Coordinating Council side of the house engaged frequently in that business. I've seen a diminishment of senior-level engagement over the last decade. We need to fix that problem in two ways. CEOs and COOs need to get supportive of this, and so do senior government officials. We need tough decisions and risk outcomes to be decided, and that's not going to happen at the GS-14, 15 level. It's got to be higher than that. If we're going to solve some of the nation's most critical problems, like aging infrastructure and the impacts of climate change, that's not going to be done at the level we currently are structured to deal with those kinds of things. It's got to be a high-order type thing. I also want to say that at the state, local, and federal level, there is a tremendous difference in terms of private sector engagement in emergency operation centers and information exchange than we had a decade ago. I'm seeing seats in operation centers at the state and local level, and at the federal level, for people from electricity, from water, transportation, privately owned. That's very good. And those that aren't there physically are virtually connected. So they're built in to the incident once it's in motion in many places in the country where we didn't have that previously. But we lack private sector engagement in the risk analysis and planning process in front of any particular incident. We haven't made significant progress to my satisfaction in helping our state, local and regional partners integrate key private sector entities into the fusion center world of intelligence sharing, where that rubber meets the road with critical infrastructure protection.
Until we do that and overcome some of the remaining impediments to having those with a physical presence or virtual connection into the state and local intelligence fusion centers, we're going to have a big gap in terms of information they can provide for the intelligence picture, and those that need to take front-line action based upon what an emerging threat might be are out of the picture until it's too late. I think considerable effort still needs to be made in those areas. Overall, I've become an optimist since I left government. I'm no longer a pessimist. So I think overall, the report card is really strong. But we're at a critical juncture now to take the whole public-private partnership concept to the next level. And in a resource-constrained environment, I'm very afraid of what might happen if we don't continue to focus on this, given the fact that our adversaries are continuing to focus on this in ever more challenging ways. So that's kind of the parting message I leave with you, and I look forward to your questions. Thank you.

Kirsten, did you have a few comments on the way forward?

Sure. So I mentioned some of them, and of course it's always a pleasure to be on panels with Alan and Bob, because generally I can just say what they said and that covers most of what I was going to say. But I do think some of the points that have been stressed, so we continue to see this moving away from contractual relationships. As Bob said, whether it's planning, Alan gave some examples in the archetypes, we also see where the legal construct concerns arise, less in the public-private interface and more in how the private sector is organizing to interface with the public. So, for example, the airports, some of you might know, have some great mechanisms to provide mutual aid to each other. The western airports and the southeast airports both have organized around disaster operations groups, called West DOG and East DOG. The way in which they did that is interesting.
Because the legal questions arise at that entity level, and then it's that entity representing the private sector that interfaces with the public sector during disasters. So it's kind of a one-off legal question. It's not the actual PPP where some of the legal questions or organizational questions are arising, but how the private sector is organizing to do the interface. We've also seen the private sector, for purposes of liability, for purposes of concerns about investors and competitiveness, they have chosen to engage with the public sector in the form of foundations. So UPS is one of the older ones. The UPS Foundation was created in 1951, but its mission is to increase community resilience, and that is done through the foundation, as opposed to UPS at large. And lastly, just to take on something that both Bob and Alan mentioned, with the threat picture the way it is, the hyperconnectivity, the increase, or complexity, of interdependencies and dependencies, and potential for cascading effects, I think what we're seeing are new roles emerging in both the private and public sector which underscore the need for that flexibility, but lead us to unique public-private partnerships. Just a couple examples. I grew up in Florida. One of the things you learn early growing up there, I had to run away from alligators. When a hurricane is coming, it's just as important that your neighbors sandbag as it is that you sandbag. If your neighbor doesn't sandbag, your house will flood. You're only as resilient as your neighbor is. But with new threats, enhanced threats, such as cyber, we see that more and more. One corporate entity is only as safe as every connection point they have to every other entity. So the question: what is that role, who can better determine the interdependencies, the places where the threat indicators can be introduced? Is there a call for a public-private partnership around the emerging threats and roles?
We also see some traditionally, inherently governmental functions, perhaps with increased focus on the private sector. One example there is the alert and warning system. FEMA, as you know, has been working for years on the Integrated Public Alert and Warning System. But that started with a recognition that the private sector had the technology and resources that were needed to disseminate the alert and warning messages. So perhaps traditionally, an inherently governmental function is delivered from the private sector in the form of a partnership. And the role of city as I mentioned previously continues to increase. Again, a more traditional, inherently governmental function such as situational awareness during a disaster, we see that situational awareness being put together through information from individual citizens. From Twitter feeds. From social media. It's quite interesting, when you look traditionally and you look today, as Bob gave us a great articulation of where we've been and where we're headed, the role of that individual citizen in providing information and playing a role in community resilience. We also see that through the Rockefeller Foundation.

Thank you very, very much. Alan, we're just about over time, but maybe you could say one or two sentences to bring us to a close.

I'll take the opportunity, as someone who practiced law in the private sector but was never an attorney in government, to issue a charge to all the folks who are attorneys in government in this area. And that is, be proactive in this area, in thinking about public-private partnerships. You've heard a lot of great information from everybody on the panel. But understand that many of your clients may say, I don't think we can do that because the lawyers won't ever let us do it. So, I would say, understand the legal landscape and take advantage of the tools that are being developed by Susan and the group that she is leading.
Think creatively and imaginatively about authorities, barriers, and solutions, and become part of the solution. Be proactive in working with the client to figure out new and different ways of using public-private partnership tools to approach problems.

Thank you very much, everybody. And thank you for being here. We're out of time, but we hope that we can talk to you after we close here and the next session gets started. Thank you very much. [applause]

This part of the American Bar Association looks at security risks for air and rail transportation. It's about an hour and ten minutes.

Thank you, Emily. Thanks, everyone, for being here today. This is the transportation and security screening breakout session. Glad to see we have a sold-out room here for this discussion. My name is Jeff Surl. I'll be the moderator of today's panel.
And just to reiterate by way of brief introduction, I did serve at the Transportation Security Administration for a couple of years and then at the Department of Homeland Security for the secretary. Three years in total with the administration, and I'm thankful not only to have survived the experience, but I'm actually thriving. So I'm excited today to have our panel, five experts in supply chain security and operations. I was looking over the bios last night and noticed that four out of five of them, their last names start with F. I don't know if you noticed that or not. So I was trying to come up with a clever name for our panel, maybe the F-team. But that leaves Larry out. So okay, we can certainly insert an F into your name. But that's not a very complimentary name for this auft ear group. I'll introduce them, and then they'll want to introduce themselves to you in their opening statements. The format today will be a panel discussion. I'll open with a brief statement, setting the stage for the issues we'll be discussing. Then each of the panelists will give a five to seven minute statement themselves. And then I'll aggressively cross-examine each... no, I will delicately toss questions to the panel for about 15 minutes. And I think that based on their depth of knowledge and expertise in these areas, we'll have a vibrant discussion of the issue. And then I'm going to open it up to you all for questions. So I expect some good questions from you. Get ready. As the panel description states, threats to the transportation sector and supply chain continue to require government and private sector efforts to reduce financial risks and logistical vulnerabilities. Cyber warfare presents new difficulties. This panel will review the current legal and public policy issues facing these critical infrastructure sectors, including legislative and regulatory efforts to reduce risks that impact businesses.
For example, over the past year, 18 months, some of you have followed this issue for a number of years before that. But there's been an increased activity on the government side in particular: the president's Executive Order 13636, the NIST framework development and publication and adoption. And several bills in Congress, two of which have passed the House of Representatives, both of which placed DHS in the position of go-between between the private and public sector on cyber threat information sharing. And so the discussion will also address the effectiveness of current transportation and cargo security programs, the status of the public-private cooperation information sharing, and the implementation of the NIST framework, as I mentioned. By way of brief introduction, Fay is the leader of the Boeing commercial cyber 1 team, developing and coordinating a public-private partnership between the aviation industry and the U.S. government in order to establish an aviation information sharing analysis center, ISAC. They still haven't changed that name, have they? Something a little bit more catchy. Where he leads work on cyber security insurance and risk management and support of implementation of the president's executive order. Prior to that, he served on the House Homeland Security Committee. Tom Farmer is assistant vice president for security at the Association of American Railroads. Tom and I had the pleasure of working together at TSA and he still agreed to help me out here today. In his current role, he coordinates the development of railroad industry security policy, among other duties. And at TSA he served as the mass transit lead. And Larry leads and manages projects in the field of telecommunications and security for AECOM. I'm sorry. Global architecture and engineering firm. He will give some insightful remarks on how cyber security affects certain modes of transportation.
I caught a presentation that Larry had given regarding airports and cyber security, which I found fascinating because I don't think there's much out there. I think you come up at the top of the Google list. So I'm looking forward to your comments. And then Andrew Farly is the cofounder of CT Strategies, which provides strategic advice to clients seeking current, innovative insight into border management and supply chain challenges in the U.S. and around the world. He's a former Customs and Border Protection official. Certainly physical security and resiliency play a significant role in protecting transportation in the supply chain sector, as well as the critical infrastructure as a whole. Over the course of several years, and I spoke to the moderator of this panel, for he moderated the panel for the last several years, I mentioned to him cyber security. He said we've been migrating from the physical to the virtual and talking more about cyber security. And I thought that, you know, particularly looking at the chronology of events after 9/11, we certainly focused on physical, relooking and reevaluating security for critical infrastructure. And over that course of time, I think there's been tremendous strides made, not only on securing the critical infrastructure, but on resilience, public-private partnerships, but one of the things that I thought was missing, or at least hadn't been fully baked, was the cyber security. And now that we're so interdependent on networks and communicating and operating systems using open networks, as well as closed networks, I thought that there were certain vulnerabilities that even me as a novice were thinking about. So I thought that today's panel, we could focus a little bit more on the cyber side of things. Certainly don't want to leave out new developments or news regarding the physical side of the equation. But I do want to focus on the cyber side. That seems to be a theme for this conference overall.
So I look forward to hearing the panelists' comments. Why don't we get it started with you, Larry, is that okay?

Thank you. Good late, early morning, everyone. Thank you to Jeff and to the institute for the opportunity to come and speak before you today. Once again, I'm Larry Javi. I work for a company called AECOM. I like to think of us as the biggest company you've never heard of. We're architects, engineers, construction managers and operations and maintenance personnel. On the operations and maintenance side, we operate and maintain a couple of large buildings, large facilities for the government and for private industry. On the construction management side, you may have seen us or a subsidiary company on the Pentagon renovation, wedge one. We were the construction managers on that and also on the World Trade Center reconstruction. But my group is part of the design and engineering portion of AECOM. And we focus mainly on roadway, bridges, tunnels, mass transit, sea ports and airports. We also have, we also work in the energy sector, as well as transportation. The public sector, and we do a lot of critical infrastructure protection, in terms of water systems. And arenas like that. My group specifically, I work in the technology area. I provide all the technologies that go into these facilities. The telecom systems, the audiovisual systems, radio systems, as well as the security systems that go in there. And I provide some of the cyber security aspects of these systems. So control systems, like the security systems or the building management systems, so you know, you walk over in the back of the room and somebody hits a button on the wall and the lights go to a certain brightness and all, that's a building management control system, also the ones that control the HVAC in the building, or perhaps ones that maybe if you're an industrial facility, the valves that control the flow of chemicals through the pipes, in a refinery, for example. Those are control systems.
In the transportation arena, positive train control and signaling. Also, to some respect, we're dealing with things like variable message signs that you see on the side of the road. The intelligent transportation systems that are out there. I know I've got a commute on the way home here that I'm going to pass through a lane that switches direction. In the morning, it's heading into D.C. In the evening, it's headed out of D.C. I've always wondered if somebody got a hold of the controller and flipped the signals, somebody who wasn't driving that road every day could go the wrong way and cause some trouble. And if something like that were to happen at the same time we coordinated that with some bad weather, we could be in for a whole mess of trouble there. But what I find interesting about these operational technologies, I want to spend a minute talking about the difference between operational technologies and informational technologies. We have laptops and cell phones. This is the kind of stuff that we've all known has been around since the 40s and the 50s. And from a cyber security standpoint, we've been doing a lot of work in that arena, for information technologies. So the PCs you have at your desk and the servers in your employer's server room, the cloud, if you will, the internet. A lot of time has been spent securing that infrastructure. How good it's going is another story. But there's been a lot of effort in that respect. Operational technologies are more of those control systems or systems that manipulate physical things. Okay? As I mentioned, the lanes of traffic that go back and forth. The industrial controls out in refineries and chemical plants, train control systems, as I mentioned. What's unique and different about these systems, first off, they control physical things.
So if they go awry or someone were able to control them and set them up in a way that could be detrimental or harmful to personnel, to physical assets, to the environment, these are the things we want to pay attention to, and unfortunately there's very little going on in the realm of cyber security in these physical, logical systems. With respect to what's going on in IT, we've been doing this for decades. On the OT side, not so much. The operational technology systems, they were one-off devices. They were in areas nobody saw. They were specialized. They were often physical relays and things that had to physically move in order to make these controls happen. They were almost never networked together with any other systems. And it was a very, very small group of people who really understood them, knew how to program them, or design them. And that was the case really up until just a few years ago. Most recently, I got a bill from my electric company that told me to go to the website, and they showed me day by day how much electricity I was using in my home. That's because, and I can get on, excuse me, I can get online and I can look at all kinds of different statistics on my energy usage in my home. And that's because the meter on the outside of my house is in some way, shape, or form connected up to a web server somewhere that I can then access. So if I can access that web server, and that web server can access in some way that meter on the outside of my house, so I'm wondering, is it possible for someone now to go turn off the power to my house? Now imagine that, times 100,000 homes or businesses. So we have that as one difference between the operational technology side and the information technology side. What's also interesting about the operational technology side is that these systems were built, many of them, 30, 40 years ago. And they were designed and engineered to operate 24/7 for decades. Okay?
One thing you might notice on your PC at the office, every Tuesday, well, once a month on Tuesday, your computer reboots itself in the middle of the night. This is Microsoft sending down a patch to your computer to fill any holes that they've discovered over the last month. Sometimes it's more often. Sometimes it's twice a month. And your internal IT department may do it once a day or even more often. And that's because we can turn off your computers for a few minutes and it's really not a big deal. But I really can't turn off one of these positive train control systems. Or a refinery's plumbing. I can't turn that off. It may take a day or more than a day to restart that equipment. So the opportunity to patch known vulnerabilities in these operational technology systems is very limited. And so that causes us to have to do a bunch of other mitigations to get around that problem. And that's where some of the work I do comes in. [inaudible] where this comes in. Back in 2003, you might have heard CSX had an issue, one or more of their systems was infected with a virus. I believe it was the Sobig virus. And in cleaning that up, as a matter of prudence, they shut down or took offline some of their operational systems just to make sure there was no impact to them. And indeed that caused, you know, some ability for them to halt traffic around and even spilled over onto Amtrak schedules. More recently in 2008, in Poland in the city of Lodz, a young fella, 14 years old, sat and watched the light rail train system that went through the city. He figured out, I'm not quite sure how, but he figured out that the trains used infrared signals, what you have on your remote control TV at home. That's what they use. The trains would send a signal on the grounds to move them from one track to another.
He figured this out, went and bought some remote controls, had them record the signal and was able to play it back to the switches, and he was actually able to control the switches throughout his town. One thing led to another, and he did manage to derail four cars and cause about a dozen injuries one day. They found him, and I'm hoping they have since changed to something other than infrared. We all know about the Metro train collision that occurred here a couple years back. That was caused by a faulty piece of operational technology equipment. That's not really a cyber security event per se. But had WMATA had a cyber security program, specifically focused on their operational technologies, they might have tested the equipment more often and realized this was a piece of equipment that had actually been failed for quite some time. So while these operational technology systems, they originally grew up as standalone, kind of obscure systems, what's happening now is that they are indeed getting connected to the internet in one way, shape, or another. And they are communicating between them, originally with some custom protocols that really were very obscure. But now we're starting to use more common protocols, internet protocol, IP, you've probably heard of that before. And that is part and parcel to the issue. Not only now do we have systems that are connected to the internet and using commonly available protocols to do it, but our adversaries have learned about this, they know about this, and they're taking much more interest in it. Now, about once a year, Verizon comes along and does a big meta study. This last year, they looked at about 63,000 security incidents across the country, across many industries. The good news from that is that the transportation industry had a very, very small amount of reported incidents. Not to say there weren't more. But of this large sample, there are only 24 incidents reported in the transportation industry.
What I found interesting and different than all of the other industries reporting is that the highest percentage of incidents in the transportation industry were of the cyber espionage type. And with a small sample like that, it's hard to make an extrapolation, but it gets you to raise your eyebrow: why potentially could our state adversaries be interested in our transportation systems? So that's something we need to look at. And the other thing that, you know, in other systems, as well, are also getting connected. Airport badging systems, for example. You see the pilots and the folks who work there, they have their badges, and there's been a lot of regulation involved around badging people at airports and ports. And so that regulation has caused us to sort of make these badging systems super badging systems. We've had to separate them out and make them standalone systems. In doing so, we've had to connect them to the internet to allow people to register and to do NCIC checks. So it's becoming a more interconnected world in the arena of operational technologies. And the problem that we're seeing is that there just isn't a whole lot of attention being put on it by the operators. We know that in the energy sector, they're probably the most advanced, they have the most regulation and rules about how and what you have to do to protect, from a cyber security standpoint, the energy systems here in the U.S. But as you go down towards transportation and water, those are much less developed. So that's the area that we're trying to focus on now, trying to help these transportation industries get more up to speed. So I think that's it for me. I want to thank you all again, I want to thank the institute for this opportunity. I'll turn it back over to Jeff.

Thank you, Larry. Fascinating. Tom Farmer.

Thank you, Jeff, very much. Thanks to all of you for taking time to join us for this forum. Our organization represents the major freight rails that operate in the United States.
BNSF, Kansas City Southern, CSX, Norfolk Southern, Union Pacific, and Canadian rails, Amtrak, Alaska Railroad, hundreds of short line carriers and a growing number of commuter railroads. And as a real credit to this industry, in the immediate aftermath of 9/11, the industry came together, brought in subject matter expertise in the areas of intelligence, counterterrorism, and focused on developing an integrated security plan that would be applied across the board and adapted by each participating railroad within the context of its unique operations. That plan took effect in early 2002. And literally there was still fire burning at the Pentagon when this group convened a focused effort. Looked across the board to assess risks. Broke it up into five teams: hazardous materials transport; life cycle of a train, where potential vulnerabilities are; communications and cyber technology; and critical infrastructure, assets throughout the network. What that produced by early 2002 was a security plan with four alert levels that called for increasing security measures in those areas as threat levels escalated. So before you had a fully functioning Transportation Security Administration, before you had a Department of Homeland Security, before you had that color-coded system that was initially used to evaluate the threat level in various sectors of the economy, they developed a plan along those lines. It's in effect today. It's updated based on lessons learned, and there's a continuous improvement effort dedicated to ensuring we're maintaining the right capabilities and processes and effective coordination in government to make sure that plan remains viable. There's a lot that can be talked about in that plan. The commodity we focus on at our association as we help manage the overall security program is information. And so at the Association of American Railroads, we operate with what's called the Railway Alert Network.
That's a means by which we provide intelligence, security information, across the industry, to ensure we're informing awareness of potential security concerns. That includes good communication with government, driven by priorities we've agreed with, to make sure we're putting forward the right type of information and maintaining the level of preparedness that we need to, based on evolving threats. Now, I think that many problems in life can be better understood by analogies to baseball. So if you'll indulge me a couple moments, I'm going to do that here. One of the most iconic moments in the game, October of 1951, the culminating event in the National League. Bobby Thomson hits a three-run homer in the bottom of the ninth inning, propelling them to the win and the pennant against the Dodgers. The Dodgers had a lead in August of 13 1/2 games. Giants were perceived as dead and buried. People said, the Giants, are they still in the league? They were. They won 38 of the final 45 games and finished the season in a tie. It all came down to the finale in New York at the Polo Grounds. Many things happened at the Polo Grounds. That was the home field of the New York Giants. Tight game. 1-1, seventh inning. Don Newcombe leans over and says, I'm spent. I got nothing left. And Jackie Robinson said, you go back out there and pitch until your arms fall off. That brought two more innings. Dodgers take the lead and Newcombe gives up a single, single. Now it's second and third, score is 4-2, and the manager knows that his pitcher is spent. He goes out to get him. He makes a decision on who to bring in the game. Brings in Ralph Branca. He throws one pitch for a second. Second pitch hit into left field for a three-run homer that prompts the Giants announcer to exclaim, the Giants win the pennant. The focus is on that moment. That's the moment that is etched in the history of the game.
That's the moment that if you ever see a program talking about key events in baseball, that's always in the top few. That's the consequence. When you're considering things from a security perspective, the consequence matters. But far more important is setting yourself up to deal with that and trying to prevent that consequence, is how it happened. So let's take a look at what he should have known when he disregarded that decision. Bobby Thomson was the best hitter in the game when the Giants came from so far behind. His average was 110 points higher than it had been in the season up to that point. He was the reason the Giants were in the playoff. On deck, they had a base open. It was second and third. On deck was Willie Mays. Hall of Famer. But Willie Mays in 1951 was a rookie. In that same stretch, his average plummeted. 40 points lower in his production. Runs batted in was way down. Ralph Branca had been a sterling pitcher when the Giants had the lead. But lost 7 of 10 decisions when the Giants made their run. Giving up more than two runs per game. Most telling of all, of the dozens of pitchers that Bobby Thomson had faced during the season when he stepped up to the plate, he had 29 home runs. Six of them against one man, Ralph Branca. Out of the dozens of pitchers he faced, more than 20 of the runs came against one guy. Shirley Povich, who is memorialized at Nationals Park, his headline item the next day in writing for the Washington Post, the art of fiction is dead. The theory being that what happened is so inconceivable as to have been fiction. But I submit to you what he should have known, he made the wrong decision. That was a foreseeable consequence of ignoring the intelligence he had available. What does that have to do with what we do here? Physical and cyber security, very often we focus on the consequence.
Sometimes focusing on the consequence, you can lose sight of the fact of the means you have at your disposal to narrow the chance the consequences will come about. It's important to step back and say, what do we have at our disposal? How can we take what we have already and put it to better effect to ensure we're informing preparedness at the right levels. A very important aspect of that is intelligence and security information. The plans I talked about, they do depend upon an awareness that situations are developing, that necessitate elevating threat levels. We have a very good partnership in physical and cyber security through the Transportation Security Administration that has really changed the dynamic. So we in the industry proposed to TSA a set of priorities for intelligence, both in physical and cyber security. We focused on, don't spend so much time telling us what happened. Focus on how it happened. So what it is, in the course of the London bombings in July of 2005, it's important to know what happened that day. From a security perspective, what was going on in the months leading up to that event? Were there opportunities for security to make a difference? TSA focused the shift, and allows us to walk through the preparation time and see opportunities to make a difference. They've allowed us to take that information and bring it further to other constituencies where many of those indicators that precede terrorist attacks are more likely to be observed. The likelihood that a train crew member is going to see a terrorist in the act of committing an act or some reconnaissance is very small. It's more likely a local police officer working a community will get a report, a complaint, or happen to see something. And we want that see something to trigger a reaction. So as an example, in the months leading up to the London bombings in July 2005, there were a whole series of indicators of concerns in Leeds, about 200 miles away.
Where the bombers had holed up. They were in an apartment. Undertaking their preparations for the London bombing. We take that analysis, delineate those indicators, to inform training of our employees and share them with local police, so that as they go about their jobs, if they get a complaint there's an odd smell coming out of this apartment that was not there until these people moved in, or as happened in Leeds, of all the plant beds outside the windows, only these two are dead. And it's odder still they put up this opaque coating. And they used to dress as Muslims, but then changed into Western outfits. Now any one of those things may not be sufficient to trigger concerns, but maybe trigger a question taking a look. Similarly on the cyber side, it's important to know when you suffer an attack that disables 30,000 computers, what happened that made that event possible? Similarly, we've gotten them to shift their focus to that sort of analysis. Help us understand the tactics used to make that happen, the protective measures that were lacking, the vulnerabilities that had not been addressed, so we can take that information, look within our own networks and ensure we are narrowing the possibility, whether it's attempt to get into operational systems, which are secured in our industry, or in business systems, for espionage, that we're narrowing the opportunity because we're using information in a far more effective way. Doing great work in this space and putting out indicators to the private sector of terrorist tactics, of cyber tactics. Putting out information based upon the assistance they extend to private sector entities that have suffered intrusions. We've asked them to take a next step with that information and look at that body of work, hundreds of thousands of indicators, and draw from that the sort of information that can very well inform risk management decisions in our industry, in the transportation sector.
We've asked, from that body of work, what are the tactics you most often see? What are the vulnerabilities most often exploited? What are the protective measures found lacking? And a real purpose of the executive order that the president's issued is not to solve cyber security. It's an insolvable problem. But you really want to begin to narrow the risk profile. And so where the window may have been open this wide, some of the efforts talked about through that order are aimed to narrow that, perhaps chase away some of the actors because the task is not as easy as it was before. And to make the actors who were good before, get even better. One of the sad realities, the means of intrusion is often simple. It's sending a phishing email asking you to click on a link. It's sending a file attached to an email that you click on and introduces a virus into your computer. Often these emails have indicators, that if you spent 15 seconds, you'd see there's something odd about this. I've never gotten an email saying read this article. This email address is different. We have committees that convene once and twice a month and predate 9/11 in its operations and activities to coordinate industry cyber security. One of the emphasis we place on that, DHS has that good program, we had to pause. Pause and look at an email. If there's something odd about it, from a source you're not familiar with, take a look. You can scan it and get a pretty good idea whether it's the type of communication you're used to receiving or whether there's a basis for concern. There's a lot to be covered. I wanted to bring to your attention the efforts of our attention in partnership with government to address these types of concerns. I can say with pride, particularly in the transportation sector, there's been a real effort between TSA and the various representatives of the transportation modes to put a public-private partnership, a term often used very expansively, to put that in practical action.
In some of the areas, they are areas when first proposed was, we just can't get there. And we've gotten there, result of a good partnership. Happy to take questions on that as we proceed. But I'll turn it over to the next speaker. Thank you.
Thanks, Tom, fascinating. Last night on the drive home from the baseball game, my wife asked me what a walk-off run was. And so I fumbled through the explanation. We're not big baseball fans, but have become recently with the Nationals leading their division. So part of your story scares me, because we certainly want the Nationals to win, but boy is she going to be impressed with my knowledge of baseball history when I get home tonight. Next speaker, Andrew.
Thanks, Jeff. Good morning to all and thanks, Tom, as a lifelong Dodger fan and family whose love of the team dates back to Brooklyn. Always nice to have the salt in that wound. So we'll get started. It's a pleasure to be here. When Jeff asked me to participate, there are a number of ways to go with the discussion. My background, my quick background, not that I love talking about myself, but it's particularly relevant to this discussion, I'm about a year out of Customs and Border Protection. I did a number of different stints within the organization, but key to this effort is, I was the director of targeting programs at the National Targeting Center for passenger and cargo programs. And you know, there's a real push in Customs to start moving even more to advanced data and using private industry data to help make better risk decisions, from the border management perspective. Companies have been doing it forever. Customs oftentimes gets late to the game when they have these different efforts, but the plea I'd like to make to everybody in this room, particularly in your profession, is to be really creative. These ideas, when it comes to the government use and the security use of data, these ideas are moving very quickly.
And they're certainly moving faster than the NPRM process, you know, the number of times I was in my office at the targeting center, being told that we had to wait for a rulemaking to get the data that we were looking for that would stop the next attack, or that would better facilitate cargo through the border, I would hear that daily, I would hear that weekly. And it was frustrating. Because, you know, for me, I'm an attorney on my resume, but not real like you guys, I had to believe that as industry evolves and reinvents itself, there had to be a way for the federal government to keep up and to really adapt their processes, their data collection and their efforts that moved, if not at the speed of business, maybe one generation behind, instead of several. And oftentimes the greatest catalyst for change in the security environment, I'd like to say it's creative thinking, but a lot of times it's a threat. I'll talk about examples. The threat piece, the example I can give you, you all probably remember in 2010, in October, where there were explosives found in the printer cartridges over in the UK, in Dubai. The response to that was a great example of what I'm talking about now and should serve as the model for programs to come. It was what had come to become the advanced air cargo screening. And what happened was in the immediate aftermath, I mean the absolute immediate aftermath of that threat, Customs and Border Protection, TSA, DHS, and the express consignment operators all got together and said, the regulations right now for advanced information, coming into Customs and Border Protection and to TSA for international shipments, come way too late and there's not enough. What do you have available? What can you have right now? What can you provide voluntarily that will help make better risk determinations and help to move the action that can be taken in the supply chain further out, you know, before an event becomes, you know, a catastrophe or a tragic event