This discussion is two and a half hours. Good morning, i am the president and ceo of the United States telecom association. I want to thank you for attending the conversation this morning. We have been watching the screen somewhat uncertain if we were going to be here this morning. I am grateful it worked out so we can talk about the Cybersecurity Framework the whitehouse announced this week. We believe it is going to help the industry achieve grating levels of security around Critical Infrastructure. It allows companies of all sizes to adopt policies based on their specific threats by creating a common language or protocol, it will help communicate about shared responsibilities with vendors, suppliers, customers and partners. Our industry takes these responsibilities very seriously. It is my honor to introduce Michael Daniel. A cybersecurity correspondent na and he leads the development of Cybersecurity Strategy and policy. Prior to that, he served with the office of management and budget for 17 years. From 20012012, he shaped intelligence budgets and resolved major policy issues of the chief of the National Security division. Since 2007, mr. Daniel has been involved in federal cybersecurity activities including the Cybersecurity Initiative and Funding Options and the review of federal cybersecurity spending. Please join me in welcoming Michael Daniel who is going to talk about the evolution of the framework and the next steps of Going Forward to improve Critical Infrastructure security. Mr. Daniel . [ applause ] thank you. It is a pleasure to be here at the ustelecom event. I am Michael Daniel and i am serving asspecial assistance to the president and cybersecurity at the whitehouse. But i am just a chief cat herder in the federal government. You have folks following me here like adam and jenny and i see angela and chris and nadia who will all speak more confidant than me on this issue. I am like the warmup band that warms up the crowd so the real stars have an easier time. First off, thank you for all of your work and support on the framework. We appreciate the time and effort you have put into helping produce this. I think it is a product we can all be proud of. A little bit of how we got here. If you can rewind back to the summer of 2012, it was was obvious the legislation we were working on with congress wasnt going to make it out of the senate. We knew we had to shift to alternative paths. We began looking inside the administration for options and over the latter part of 2012 we crafted this executive order. It was the result of a lot of effort from a lot of people who are now in different positions doing differentthi things but contributed to the framework. In february 12th, 2013, the state of the union day, 13626 was signed and that executive order has a lot packed into it for what is a short document especially in washington terms. But it told federal agencies to do three things it said go out and increase information sharing with private sector and push more cybersecurity to the private sector. And create framework and Standards Companies can use to improve the Cyber Security. And protect privacy and Civil Liberties while you are doing that. And it built a lot of things into the process. But i want to focus on what happened with the creation of the best practices. The National Institute and standard of technology is leading the way but doing a role in playing a convening role in the development of an Industry Framework and owned primarily by the private sector. They took the task seriously and poured energy into the effort. I would say it put a real ateam of people on the project. It ran an amazing process if you think about it for crafting such a complex document in just a year. I should say after the executive order came out, a flood of comments came into my office about the yearlong deadline the executive order set were developing the framework. And they were divided about 50 50. Half of the comments said there is no way you can develop that in a year. And the other half said are you lazy . You can do that in two weeks. So i figured we must have hit it right. Adam and the team proved that was correct. It was an amazing effort to pull all of that off in a year. We collected comments from an array of participants and held five workshops. I saw the agenda and heard the stories and i know it wasnt trivial so hats off to those who went to the workshops. 4,000 comments from 300 different organizations is what we ended up with. But you can see how the framework evolved and grew in response to the input. This is really your framework. It represents the best consensus we have among government and academia and others on how to do Cyber Security. And i think that is because the other groups really stepped up. The framework reference will be recognizing standards and practi practices to help organizations understand, communicate and organize their cybersecurity risks. It offers guidance for how organizations can address these issues as an effort to secure themselves. The framework core, profile and te tiers. The framework core is what every agencies carries out. We will use that on the federal side as well. The profile helps them line activities to business requirements. It also helps companies chart the path from where they are to to they want to be. And the ty tiers can help them understand their approach to other companies and standards across the industry. And they can make a better informed judgment about where they want to invest. It is aimed at reducing and managing cyber risks. As we move into using the framework, that process, what is it going to do for companies . It is a baseline for Risk Management. It says here is a baseline that all companies can rely on and they can point to and their cheap Information Security officers point do. It has the advantage of doing that. It will offer a good way for communication with the csweet. I find on the federal side, the ability of the the seniors and people in Senior Management to understand and deal with cybersecurity has increased in my time in this position. But searching for those ways, still, to have the conversations in a language everybody can understand. I think the framework will do a good job of assisting with that. It will enable, i think, better communication with boards of directors of the company. It will enable them to have conversations wabout why you ar managing the way you are. I think this applies to sophisticated companies ahead already in this subject. It can help them as an external mark, a benchmark or something to measure themselves against. If you are ahead, it will provide a foundation and benchmark which you can measure. And they will be able to use it with suppliers and other companies they work with as a way of communicating what Cyber Security requirements are and what they would like to see other companies have in term of cybersecurity. And this is a gigantic Business Opportunity for some. They can provide services and others to the small and Medium Enterprises. It provides a lot of opportunities whether it is small and Medium Enterprises all the way up to those very far ahead. So, in addition to establishing and directing this to actually develop the Cyber Security framework which all of the panels will talk about. The eo director them to establish a program to serve as a coordination point for cybersecurity resources and increase the resilliance by promoting the framework. Dhs created that Critical Infrastructure cyber community. The ccubed volunitary program. We are the government so we can reuse those acronyms anyway. You can say we have a resurgance together and coordinating those crosssector issues to maximize the security resillaniance. It isnt done and we acknowledge that. It needs to be built with industry paritoticipation and involvement. Dhs is supporting cyber reviews so they can provide resources to help organizations assess their Information Technology resilient status. They can be done through facilitation with dhs or on their own. Dhs has conducted over 330 of these at the request of entities nationwide. We are bringing this together with the volunitary program so it is clear the resources are there. They will offer a range of things like threat and v vulnerability. And the industrial system cert. All of these will come together in the program and dhs works with sectorspecific agencies and federal agencies to identify other offerings and assistance we can provide that will be best suited to capabilities and what they apply. They plan to work with owners and operators to develop sectorspecific cases that build out platforms based on the framework and existing standards. And the department of energy is officering assistance through their c2m2 project. I think that we are looking at the volunteer program as one that needs to grow and reflect in partnership what is needed to implement the framework. What is the way forward . At least speaking for the government side in typical whitehouse fashion our reward for the Job Well Done is going to be more work. Afterall, there is no point where we reach a hundred Percent Security and declare ourselves down. We have to manage the risk and this requires staying engaged a little bit over time. I want to talk about the path forward. I will talk about three things. Specifically what is happening with the regulatory direction in the eo that dealt with the regilators, what the future plans for the framework are and where we are going with incentives. The goal of the administration is encourage harmonization between the regulation and the fra framework. The goal of the administration is not to expand regulation. We want to streamline existing regulation and bring bring that into alignment over time. The president ordered the executive Branch Agencies to review their programs in this area. In may of this year, we will encourage the efforts of focusing on the policies that adopt the framework. Agencies are encouraged to use their process to bring the existing ones into the alignment. We have invited everyone to follow the same process, and some have indicated they are interested in doing so. Well, i have mentioned today, i think the first step is to use it, of course. We need to see it in operation and how it functions in corporate environments and see how it functions in the Government Environment and figure out how we can make it work. That is the first thing before we think about tweaking it. We want to capital on the rollout we had. The engagement in this area and get robust use of the framework going. We have viewed the framework as needing to be a living document. We will integrate the Lessons Learned into the framework. They will hold future workshops to address specific areas identified for further development and alignment. In particular, your feedback on how the framework works in practice is invaluable. They will talk about the transitions ownership to a Nongovernmental Organization of kinds. We have used this framework as something that needs to be owned and operated by industry overtime. Any move to do a transition of the framework is done in the same way and wont happen overnight. But we viewed it would be better if industry could own and continue to drive this. The last area i want to mention is what we are doing with incentive to encourage the use of the framework. We believe developing intent incentives is a key endeavor for us and we plan to keep moving forward. We released a review of potential ones and that is what we have been doing. The relative agencies have described the assistance including cyber insurance, grants, reg lor spring lining. And as they develop, we will have details on how to good engaged in the process. Dhs will use this effort to adopt the policy and we will solicit feedback on the incentives through the volunteer program. I think the government incentives are important to pursue and get right, but it is the market that is going to make the business case. The federal government can try to make the cost lower and the benefits higher, but that is the icing on the cake. If the cake isnt sweet enough, then no amount of icing is going to make the framework really work. That is why we believe we can roll the framework out now and companies can begin to use it, even as we continue to work on the incentives. So i look forward to keeping the momentum going moving forward in this area. I think we have gotten off to a great start. It was an amazing endeavor to watch this framework come together. And to watch it gel out of all of the different versions that i saw as it went along. It was quite amazing. I believe this could be the beginning of a major shift of how the government and industry can talk. We can use this framework to really kick start conversations that need to happen. U. S. Government staff is going to travel around the country to protect the framework and the hope the Telecom Industry can continue the support. Kick the tires, try it out, see where it works, where it doesnt, and let us know about the good and bad. If we can do that, maybe we can lay the foundation for improving our baseline cybersecurity and go after the real bad guy in this area and make the cyber space a lot safer for all of us. Thank you for letting me speak to you this morning. I know you will enjoy the panel. Thank you very much. [ applause ] thank you very much, mr. Daniel for that. I am robert myer and i am involved in cyberSecurity Policy with the Communication Community and other sectors and i think i share membership in the league of cat herders and very proudly do so. I would like to ask the panelist to come up and we will turn it over to the moderator shortly. I think it is fair to see that when the executive order came out and spoke of the deliverry of framework in one here. Year we knew that was aggressive and once the stakeholders were involved with these leaders, it became clear they would achieve their objective and they did it in a way that was remarkable in terms of transparency with stakeholders. Sam samara moore is here and she is partnering the with private sector to address Cyber Security areas for all Critical Infrastructure advisment. She played a key goal in security governance and led to the maturity model. She received a bachelor from Virginia Tech in accounting and information and a masters from george washington. Ari shartz is to the left. He worked previously as a Senior Advisor for the department of commerce and the nationed vid a National Advisor for the task force. He led efforts to promote privacy in the digital age as the Vice President and chief operating officer at the center for technology. Ari won the 2006 and 2010 online trust and alliance award. And in 2007, he was named one of the top5 influential thinkers. He has a bachelor degree in sociology. And we have adam who is the advisor at the National Institute of standards and technology. And he is a member of the Commerce Internet Task force. Adam has led the with colleagues, the newest project, which is the framework we are talking about for the Critical Infrastructure segment. He coordinated initiatives and previously handled cybersecurity and federal information and policy for the senate on Homeland Security and government affairs. In 2008 and 2013 he received a federal award for the contribution to the federal technology community. To adams right i would like to introduce judy. And she is the director of the sta stakeholder division at the department of Homeland Security. Squa there is a statistic that jenny might under that 85 of Critical Infrastructure is owned by the private sector. So those solutions and the things we do to help Companies Need to be something they can support and embrace and use. A natural place to start is looking at the existing policies out there. Having the foundation of what is out there and being clear that the underlying standards are thinks that meet the status. The structure presented there is going beyond the existing practices. So the framework and those underlying standard and the hundreds that exist that nadia can talk about better than i can. But also the overlying structure we developed with the profile and tiers and saying this is something you dont walk away from. It needs to be embraced by the cultural of organizations. So this can allow conversations to occur that could maybe not happen before. That was one of the things we saw throughout the workshop process. We didnt realize how you network unique it was having the conversation and address the challenges and how to work together. We put out a document called the road map that lays things out there. We talk about the processes out there and elevating them and the third key piece is how we work with industry to develop situations and innovation. I think we have heard since the framework came out, from a Large Ener