, in themy question energy sector, we dont differentiate between physical threats and Cyber Threats. We drill with the assumption that they will probably do both at the same time if it is a sophisticated attack. To be frank, the militarys response in its own protection seems to be focused on isolation as a tactic for dealing with the idea of the grid going down. I wonder if you could talk to that a little bit. As tempting as isolation is as a strategy for response, it also potentially makes security a lot more difficult if you have individual grids all over the place. If you could talk about isolation versus integration. Isolation works at a tactical level for immediate shortterm periods. It is not a comprehensive, sustainable strategy. It is this idea of, i will just shut the network down. It is not that it is a bad thing at the tactical level. If you are looking at a base, an installation as opposed to an entire grid or sector. In the long run, i think the right answer for us is going to be, again, rather than isolation, how do east to how do we do something in a more integrated way . Isolation is difficult as a strategy, particularly if you have high Power Requirements. We have huge Power Requirements so this is something that i pay a lot of attention to. Power is a big concern for us because we are a Huge Consumer of electrical power. I agree with your fundamental premise. The challenge becomes, how can we have a conversation about the right Response Strategy here . Are we really comfortable with this idea of isolation . As a broader strategy, i dont think that is the best response. Thank you. About i have heard some members ask, and likewise with the response in the question about tabletop exercises, say a business is sharing information, using a framework told or a Risk Management tool and they are dealing with an adversary that outstrips their abilities to keep pace. We know that there are partnerships with dhs and other agencies. When would the nsa step in . What is the policy there . Argue that theld most likely scenario is probably u. S. Cyber command. One of our three missions is when directed by the president or secretary to provide capability to the critical u. S. Infrastructure. , our missiono that will be to attempt to interdict the activity before it gets to that u. S. Company. That is our primary strategy. That is what dod brings to this. , ifbset of our strategy is we should fail in that regard, we have also developed defensive response capabilities that we ,an deploy to partner with dhs the fbi and the private sector. It goes to toms question. How do you mediate and mitigate . If you fail, how do you remediate . That is really the u. S. Cyber command side. Is what the president requests the secretary of defense to do. There is a policy debate, a legal debate. It is why in my an initial comments i talked about this as a National Security issue. Viewed as a National Security issue, the capabilities of dod and their application are in keeping with our broad policy and legal structure as a nation. If we view this as a private sector issue, then traditionally, do you really want dod involving themselves in this . Is why i think looking at this from a National Security perspective is important. There will be a discussion about the refocus on critical sectors. Is it any private entity . We have defined approximately 16 segments as being Critical Infrastructure whose loss would have significant National Security impact. What we are developing at u. S. Cyber command is to be prepared to apply capability in those 16 segments after erected by the president or secretary. Thank you. , according toober the department of Homeland Security you may know the chamber has embarked on a outreach campaign. Over the last few months, they have been going around the country. As you can imagine, very different audiences. A lot of us in washington are wellversed in the cyber framework. In phoenix or chicago, some of them hadnt heard of it. We are spreading the word on that. The question is, that is great, that is a campaign. What else do we need to do . You look at the als ice bucket challenge and how quickly that went viral. Jumpstarte do to people paying attention to Cyber Security . Issues, what is the Tipping Point . What does it take when it gets so bad that we finally say, ok, enough . We have to get the legislation, put those partnerships in place. The status quo is not working for us. For whatever reason, it doesnt appear that we have reached that point across society. In no small part, because many of our citizens, it hasnt reached a true pain threshold. So someone steals your account information, steals your credit card data, charges on that card. Right now, if you report this to your bank, we are not paying a price. The corporate sector is assuming liability. They are covering it. The point i think about is, once this becomes something that impacts a broad swath of our citizens in a real manner that impacts their daily life and ability to do what they want when they want, then watch for a whole shift in the way we are talking about this. My frustration is, it shouldnt take a disaster to tell us that you can see this coming. Knows that this is a significant National Security issue that is not going away. It will likely only get worse. We can either deal with this now in a collaborative, professional hit ae can wait until we across the forehead. I dont like to get hit. I find that to be a painful experience. I would much rather we have a dialogue and from the dialogue to the concrete sets of how to make this real and how we can work between the private sector, government, and a broad swath of government one of the comments i made is, right now we are asking the private sector to withstand the efforts of nationstates against them. That is asking a lot of the private sector. I think you have seen this reflected in what we are trying to do as a government. This is about partnerships. We have to be able to provide government capability and capacity to support the private sector. We need the private sector to provide capacity and capability to make this work. It is not either or. For those that argue it is a , i thinkector function the reality is it is between viewpoints. We have to work this collaboratively. There is no single technology, no Single Source of intelligence or insight that will clearly tell us exactly what we are seeing. It takes partnership to make this work. You have information i need and i have information that could be of value to you. You have not just one of the toughest jobs, you have two of the toughest jobs. Cyber commander at head of the nsa. What do you think your biggest challenge is . Where do you go from here with the Cyber Command . How can the chamber be helpful to you . My biggest challenge is creating a culture and building the framework for the future. On friday, United StatesCyber Command celebrates its fourth anniversary. We are four years old as an organization. In the scheme of things, for years is not a long time. There are organizations that have a much longer history than we do. My challenge is, create that workforce, build the operational concepts and command and control as to how to deploy it, and exercise it with our partners inside and outside the department, as to how to make this work. What you need from us, what we need from you, how to share it, what format. Isnt, i givethis you everything we have. I dont want that from you and i dont think you want that from us. We can bury each other with data. Putting on my intel hat, data is interesting but what i care about is insight and knowledge. I use data as a tool to get there. A is not the and all endall. We have a question here. Wait for the mic to get to you please. The Industry Leaders association. I will stand, sorry. I cant see because of the light. My question is, you talked about the importance of cyber information sharing. We are going to hear later about sharing legislation. One of the big criticisms by some is that these bills allow you to get the information and they would like that how do you get around that . Lets have a very clear definition of what you are providing us. I dont want privacy information. It creates challenges for me. It slows me down. For this mission set, not a good thing for us. Is ai like to have discussion about, what is the information we want to share with each other . What is the value that information generates . Trustdea that you cant fill in the blank, that is a recipe for disaster for us. Among the things we need to address is, the controls and the oversight mechanisms. What is the role of Civil Liberties and privacy . What is the role of inspector generals . Aboute lots of mechanisms oversight and control of information. We need to make that a part of this. Im not interested in anybody writing a blank check for u. S. Cyber command or the nsa. I bet the fbi and dhs would tell you the same thing. Remember, dhs is the leader here. They are theargon, supportive commander and we are supporting them. We work through the department of Homeland Security. We partner with others in the federal government in addition to dhs. Energy, wery, partner with others. U. S. Cyber command, we are not the leader. The National Security agency, we are not the leader. We partner with others. We have time for one last question. Can you wait for the mic to get to you . Politico pro Cyber Security. There have been reports about employees of the nsa working there have been some reports recently about employees of the nsa working parttime in the private sector, former employees going on to the private sector. How is that affecting morale within the nsa . Is there concern about that relationship with the private sector . First, we have a formal set of processes that must be applied when individuals do something in addition to their nsa duties. We review that and when circumstances change, we will say, that is not acceptable anymore. The circumstances have changed. The relationship is different. We do that on a recurring basis. For some, it is as simple as someone with a language background saying, i want to use my language on a contracting basis to increase my skills. Sometimes we will say yes. Sometimes we wont. In terms of the flow of partnerships and information back and fourth, i have been very public about saying for the nsa, i would like us to create a model where members of our workforce dont spend 30 or 35 years working directly for us. It is amazing, the employees that i will talk to. When i say, how long have you been with nsa, 35 years, 38 years. I just said goodbye to an employee after 50 years. Technology,ate of we have got to create a world where people from nsa can leave us for a while and go work in the private sector. I would also like a world where the private sector can spend a little time with us. One of the challenges that we are dealing with, and you have seen this play out, we have talked past each other a lot. We dont understand each other. The nsa culture and experience isnt optimized to understand concerns from our i. T. And corporate partners. Likewise, many of the individuals we work with in the corporate world dont have an understanding of us. I think we should change that. I think it will produce Better Outcomes for both of us. Thank you very much. Thank you for your time. Thank you for all that you do. The u. S. Chamber of commerce looks forward to working with you and your team. We hope you will come back. I thank you for taking time from very busy personal and professional lives to be part of a dialogue it wont be just today, next week, next month being part of a dialogue about what we ought to do to address a foundational challenge for us as a nation and for our friends and partners all over the world. Cyber does not recognize geographic boundaries. The idea that we are going to deal with this in america, i dont think that is a winning strategy. We can learn great insight internally, but also from our partners overseas as well. It all starts with our willingness to have a dialogue with each other and a willingness to be open. Of,starting from a position you are in the private sector, you are all about money, i dont know that i can trust you. Or the private sector saying, you work for the government, i dont know that we can trust you. That is not going to get us where we need to be as a nation. That is not going to provide the protection that our society, the private sector, government, us as private individuals, that is not going to generate the outcomes we need. This will take all of us. It starts with an open relationship and a willingness to be transparent with each other. I thank you very much. Have a great day. [applause] thank you for your warm introduction and for inviting me to your annual Cyber Security summit. We benefit greatly from your leadership, especially in promoting the chamber of commerces role in National Security. In establishing an annual gathering focused on Cyber Security challenges, the chamber of commerce demonstrates commitment to keeping our nascent secure and lowering barriers for businesses to compete fairly in our global economy. The fact that this is your third annual summit is a testament to the growing magnitude of these threats and your commitment to making Cyber Security central to your business plans. This is an important issue. One that i know the chamber has emphasized as part of its national Cyber Security awareness campaign. In the campaign roundtable events, the chamber has stressed the importance of cyber Risk Management and reporting Cyber Incidents to Law Enforcement. I couldnt agree with these recommendations more. Todays of event, it is our opportunity to discuss how to best protect ourselves and our nation. Cyber security threats affect us all. They affect our privacy, our safety, and our economic vitality. They present collective risks and disrupting them is our collective responsibility. The attackers we face range in sophistication. When it comes to nation states and terrorists, it is not fair to let the private sector face these threats alone. The government ought to help. We need to do more. At the National Security division, we focus on tackling Cyber Threats to National Security. In other words, those posed by terrorists and nationstates. Later,talk a little bit, about how we have restructured our divisions to focus on bringing all tools to bear against these threats. Likewise, Chamber Members have an Important Role to play. You are living through these consequences with alarming frequency. Of fortune 500 companies have been hacked. Price water cooper house released a report finding that the number of detected Cyber Attacks in 2014 increased 48 over 2013. As fbi director james komi has noted, there are two types of companies in america, those who have been hacked and those who dont know they have been hacked. We are on notice. I would venture to say that everyone in this room has in their professional or private life been affected by a Cyber Security breach. At best, a minor inconvenience, a reissued credit card. At worst, devastation to your companys reputation, loss of Companies Trust and injury to your bottom line. Steps, itking proper is a question of when, not if, a major breach will occur. With that, we will come to questions about whether you did enough to protect your company, your customers and your information. Ahead to theght of day when you will have to face your customers, your employees, your board and your shareholders . When you have to notify them that someone has infiltrated your company and stolen your most valuable information . If that day was today, could you tell them that you have done everything in your power to protect your companys future . How do you warn them of the risks . Would you be able to say that you have minimized the damage . Do you have a plan . It is a pretty daunting scenario. It is knows a prize that surveys of general councils around the country identified Cyber Security as the number one issue on their mind today. Surveys also show that over one order of fortune 500 companies a quarter of fortune 500 companies dont have a response to cyber intrusions. This is Risky Business and we know that we will never achieve impenetrable defenses. But you can take steps to mitigate the risk, protect yourselves and your companies, and the Cyber Security of the United States. We have identified four essential components of cyber Risk Management. First, equip and educate yourself. Make sure you have a comprehensive and comprehensible cyber Incident Response plan and review it. I have spoken with many ceos and general councils who say they have not reviewed or cannot decipher their companys plan. We must do better. Uite risk cs management decisions and you cant manage Corporate Risk if you dont understand it. Make sure your plan addresses who, what and when. Who is involved and who needs to be notified in the event of a major breach . What will be exposed . When will you notify clients, Law Enforcement and the public . Second, know that your business