Illegally. Cybersecurity is obvious. And protecting the infrastructure from cyber and terrorist attacks. And the fourth priority was I want to do everything I can to make sure Secretary Jeh Johnson, who is an honorable man, I want to make sure he succeeds in the mission of keeping the country safe. Let's go to cybersecurity. We have had a number of hearings on this. I ask witnesses what are the top priorities and things we have to get done. The top priority is to facilitate the sharing of information. And I am talking about threat signatures, vulnerabilities. We are not talking about the metadata. It is just impossible for businesses to have to really try to comply with a multitude of different jurisdictional requirements for data breaches. It is crucial we set a federal standard. Those are the top two priorities. Those should be pretty simple to accomplish, but it has not been simple because you have legitimate interests. People concerned about American privacy. The issue I have been trying to make: if you, as an American or a privacy advocacy group, if you are concerned about American privacy being lost, you ought to be concerned about doing everything we can to prevent cyber attacks. The greatest threat to privacy are these attacks where literally private information of millions of people are being lost with every one of these attacks. We just read about Apple Pay has been attacking a certain way. Fraudulent activity as a result of the previous attacks. That represents a significant threat. From my standpoint, our first committee hearing, because it was a top priority, we have the representatives from Microsoft and American Express. It's a very thoughtful hearing. The witnesses were talking among themselves. We were not that far apart. We can actually do this. Not only does Congress think this is an important priority, President Obama recognized it as well.
All these high-profile attacks certainly is creating the awareness in public and hopefully the political will for Congress in this administration to work together to find common ground. We have a bill moving through the Intelligence Committee. The senators have come to an agreement. It will be marked up next week. That is a good starting. We have Senator Tom Carper, who introduced his legislative proposal. A little more modest than the intel bill. I don't know how this is all going to work out. But one role that certainly the Homeland Security Committee can play in this is we can hold hearings and continue to hold hearings. If there is a component of any bill that might eventually work its way to the floor, we can hold hearings. And I will tell you one thing I want to make sure of, and that is whatever liability protection it provides actually works. I am not interested in an information-sharing-in-name-only bill. We have an interesting letter from 29 chief counsels of major corporations pointing out how important it is to get this across the goal line. I will be going back to the chief counsels and soliciting input from others. And my question is, based on what is reported from the city and liability protection we are evaluated and whatever gets to the floor and gets voted on, I want to ask the chief counsels of major corporations and smaller companies: is the liability protection being provided in this bill, does this liability protection allow you, as the counsel for the company you serve, is that going to allow you to give the advice to your chief executive in the case of data breach to actually share the information? Any answer other than yes really renders that bill completely useless. So again, there will be differences of opinion. It may not be universal, but we need a strong show of support in terms of whatever liability we offer in a piece of legislation; it has to work. With that, I think I laid the predicate and groundwork.
Happy to answer any specific questions you might have. Sir?
I am Larry Clinton with the Internet Security Alliance. Thank you for being here. And I want to say I think I agree with absolutely everything you said. One of the activities we have undertaken is we did a handbook for corporate boards of directors on cybersecurity, and we specifically tackled the issues you mentioned, which is strength of corporate boards being that they have to be secure but they have to be productive, innovative, they need to grow, etc. And the problem is that the economics of cybersecurity are not well understood. We believe that means using voice over and the protocol is cost effective along international supply chains and mobile devices and bringing your device to work. One of the things I heard you say was you were going to take a step back and look at the bigger issues that were supposed to like information sharing, is there any prospect the committee may hold a hearing specifically looking at the economics of cybersecurity in the broad sense that I just described and we are interested in?
Possibly. I want to talk about regulatory reform in terms of the economic impact. There is estimates of 100 billion annual. Keith Alexander said this was the greatest transfer of wealth in history. People have a sense this is a costly problem. It is true from being a CEO. You want to invest capital in new products. And I think for far too long CEOs ignored it. That is the IT department. I don't understand it. But make sure we are safe with firewalls and security passes and hire security firms and let's keep ourselves safe. I think a pretty good comment by the FBI director saying there is two types of large companies. Those who know they have been hacked by the Chinese and those that just don't know it. That is a paraphrase.
Because of the high-profile nature and the loss of literally tens of millions of personal information and tens of millions of Americans, I think people in the boardrooms and CEOs are starting to realize this is really a problem. From my standpoint there are private sector solutions for this. Coming from the manufacturing background, we have sprinklers in our plant. It was good business because I don't want to see it burn down, but the heads are closer together than what I would have designed because the insurance company sent in an inspection team that said they are ten feet apart and they need to be eight feet apart and if you don't turn them into the that your premium goes up. So there is a private sector model that will work. And let me speak about what President Obama said. This is another model it sounds like the administration is working toward and I am glad to hear it. When President Obama announced his information sharing bill I got a call from Secretary Jeh Johnson telling me about it with a heads up, and I asked him how strong is liability protection and he said it doesn't get better than this. It was unqualified as long as you qualified for it. How do you qualify? You have to be certified to have best practices. Who is going to certify it? If the government is going to do it I have a real concern about it. But there is a private sector model out there. You have the insurance model. The discipline of high premiums. You have an ISO model. ISO certified for my plan, meaning you have to go through the best practices along a host of different criteria and you go through surveillance and every six months they are being improved. So it sounds like the administration will have a third party model and if you qualify you get the protection. It is a thorny issue and not easy. But having governments facilitate information sharing rather than dictating it is going to be a far better model.
You can see how impossible it is for the federal government to set the regulations on this. When we had a hearing, a couple Congresses ago, trying to do cybersecurity, I asked the representative from Homeland Security, who is the repository of the information sharing, how long it would take to write the regulations and the answer was seven years, and I think the internet is going to be different in seven years. There is no way it can be fast moving, forward thinking enough to write the regulations. The only way to stay ahead of the attackers is doing it in the private sector, and we have to be reinventing our security measures on a continuous basis and that gives us the best chance. Anybody else?
Brian French. Thank you for being here. I am not make comments as a fellow snow belt resident in the response to a few inches of snow. They just don't have the equipment. Or the will. I do want to make a comment regarding liability protection and your listening sessions. I think one thing you hear from the general counsel, and this is my experience working as a member of the utility organizations. The liability protection when it comes to information sharing, what is offered is good, but what is missing and concerning for a number of companies is there is no liability protection for companies based on what actions they may or may not take on the information they have received. That is troubling when you consider the Federal Trade Commission is suing a hotel chain and one of the claims is for having inadequate security policies is they failed to act upon information that had been shared with them. So it isn't just the fact you may get signatures, but it has been the process by which companies can take in that information and make a decision as to whether it is really relevant, and that is pointed out in your hearing earlier that not all information shared is good information, so companies should have discretion as to whether they need to act on it or not.
You are hitting thorny issues. This is where I go back to that perspective. I believe companies want to protect their cyber aspects and their customers' information. Recognizing this is a very rapidly moving issue here and what is best practice today is not best practices tomorrow. So from my standpoint I think if you have a certify, and I understand that too. You do need to do your due diligence and show good faith, and I think if you show you are engaged in the process through an insurance model and passing the surveillance audits at some level of percentage. I cannot give you all of the things but I can think of a commonplace model that is sufficient enough, but you have to be always updating the standards and being involved in the best practices standard as opposed to being held accountable at a certain amount of time. We were three months away from the audit and new information coming in. Cut us a little slack. I am willing to cut industry slack because I believe you realize it is bad business not to do this. That is going to be an argument and a thorny issue but that is the type of process I will certainly want to try to insist on. Because otherwise they will not share information and what have we gained? If we don't give liability protection and set the process so the chief counsel gives us advice, what do we gain? That is a powerful argument to hopefully find common ground to produce a bill that is not just information sharing only.
We have a question from online. I am concerned we have no solution for a viable cyber warning and solution. Current systems recover them after they attacked. More than 80 of the attacks after they happened.
You want the information shared in real time and that is what the department of security is trying to set up with the NCCIC. I am starting to understand these acronyms.
That is really what, again, I think it is a very good faith effort to understand there is sensitivity if we have intelligence agencies gather and be repository of that. It isn't perfect or easy but that is the attempt. Getting the threat signatures and vulnerabilities shared at computer speed and have a system set up for there is spread out to information technology professionals throughout the nation. There is a real strong network of IT professionals that we can very rapidly send out the information. We will not be able to prevent any attack but a lot of them if we can share threat signatures in real-time speed. One of the interesting outcomes of the hearing is how long hackers are in the system before you figure it out. It is months where the hackers are in there maneuvering around to find the backdoor and get the personal information finally. It takes that long. So once you understand this is how they did it and you can share that, and sharing that information can prevent a lot of harm even in nonreal time computers because you might have weeks or months to protect yourself because it takes a while once they are in to do the damage.
Your counterpart on the House side, Mr. McCaul, is working on a bill and his approach is mirroring the administration in terms of centering the liability protection around DHS. The Senate Intelligence folks took a broader view of the types of sharing and avenues that should be protected. What are your thoughts on that?
I am sympathetic for both. Where we have strong relationships between industries and regulators and they are sharing a lot of information, why do away with that? At the same time I understand the concerns of sharing information with, you know, let's say the NSA or intel community or Department of Defense. I understand that sensitivity and they would rather it be a civilian agency. Maybe you can have a hybrid form. It is computers. You can ping it from here and ping it to there.
I don't know what the final solution is going to be. But I am sympathetic with both positions. What I view my role as is let's see how the intelligence bill winds its way. It will be marked up in committee. Let's see the reaction as more people evaluate it. The comments. I have the ability to hold open hearing on these issues. If in some point and time we have bills combined with what the House is doing and the Senate intel is doing. I am happy to play that role. The more components we can pass the better. Sharing threat signatures is one thing and preventing attacks is another, but we have to solve the crime. We need a capability of going after the criminals and hackers and shutting them down and bringing them to justice, and that requires personal information and threaded the attacker identity information. So again, let me leave you with this note again. Just to emphasize my point. If you are concerned about losing your personal privacy you should support a bill that prevents this is allows the government to solve the crime.
I would like to ask the next guest to come up. So in the interest of brevity I am not spending a lot of time on the bios. They are in great detail you provided here. I am here with U.S. Telecom. We have an exciting panel today beginning with remarks ari e makes who is the White House director of cybersecurity and I think many of you know has been involved in setting national policy in cybersecurity and most recently on information sharing. With that we have the assistant vice president for global policy for AT&T who is very active in a whole series of national and international issues of cybersecurity. And the current partner at Akin Gump, and many of you know in a former life he was the bureau chief for the federal communication Public Safety and Homeland Security Bureau. And finally last I will introduce the moderator who is the editor of a very important publication in Washington, Inside Cybersecurity.
Thank you, Robert.
It is a pleasure to be here. I have a suggestion to make. A year ago I walked on ice and my kids' school was canceled and the if you could think about April next year. Just a suggestion.
Thank you. We have a hurricane that is later in the year. But point taken.
I want to start briefly by talking a little bit about the administration, the Obama administration's work in this area. A lot of this goes straight to the top. President Obama upon taking office said cyber threats were one of the most serious economic security challenges we face and made confronting them a priority of the legislation. He renewed that pledge with each action taken moving this issue forward in a public consciousness in particularly at Stanford University month where the president confirmed his commitment again. Let me recount things that have happened along the way so people understand where we are and where we ended up. Four years ago the administration promoted legislation in this area. Covered areas including standards for critical infrastructure, reforming government agency security standards, now hiring authorities for Homeland Security, information sharing and liability protection for information sharing and data breach, national data breach notification standards. Two years ago it became clear Congress would not be acting in these areas as quickly as anyone would want. They passed two of the provisions last year and then we were pleased to have them move forward. But two years ago it was c