Host: And beginning with his State of the Union address earlier this month, President Obama began laying a framework for enhanced cybersecurity protections. Here's the president from earlier this month.

We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That's why earlier today I signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs and our privacy.

Host: And Michael Daniel is the president's cybersecurity coordinator. Mr. Daniel, in the president's executive order of February 12, 2013, he talks about vital infrastructure. How is the White House defining vital?

Well, vital infrastructure's really defined as that infrastructure that if something really bad happened to it, lots of really bad things would happen in the real world.
In other words, significant damage to our national security, significant economic disruption, potentially loss of life. And specifically in the cyber context, it means that that infrastructure that if something happened to it in the cyber realm, you could have the resulting physical effects in the real realm.

Host: So a lot of those infrastructures, though, are in private hands, is that correct?

Guest: The vast majority of them are in private hands, well in excess of 80%.

Host: Will these private companies, banks, etc., have to participate in the cybersecurity enhancement?

Guest: Well, I think that for the most part it will be a voluntary and collaborative process with industry for them to participate. Um, if you sort of look through the executive order and follow how the framework is laid out, first, you have NIST leading a collaborative process with industry to develop the framework. And then the Department of Homeland Security will set up a voluntary program to encourage adoption of that framework. At the same time, the primary regulators in the federal government will look at their regulations and requirements and assess them relative to that framework that NIST has developed. And if they believe that their regulations or requirements are not, are not sufficient in that area, then they will, they could, in theory, impose new regulations or executive actions that would require infrastructure to be brought up to that level. I finish but I think you will find it's going to be a voluntary process for companies to participate.

Host: There are some deadlines in this executive order, 120 days, 240 days, etc. Will Congress have a role in developing this cybersecurity package?

Guest: Well, for the executive order, that's something that sort of by definition is driven from the executive branch side. I think from our perspective the executive order is really just a down payment on legislation that we ultimately need to get to.
So, well, we view the executive order and the tasks and activities that are going to be going on underneath it as advancing the cause of cybersecurity and advancing some of the issues that were raised in some of the congressional debates previously, but we still actually need Congress to act and enact legislation in cybersecurity.

Host: Michael Daniel, as the White House cybersecurity coordinator, what is your role in this?

Guest: I often actually describe my role as being the chief cat herder for federal cybersecurity. It's really my job to oversee the policy development process within the White House and related to cybersecurity and to work on ensuring that agencies are actually implementing the president's policies and directives in this space. There's also a big chunk of my job that is really outreach to the private sector and outreach to industry and academia and think tanks in this space. And there's also an aspect of my job that is international in talking to my counterparts in other countries, you know, from Great Britain to Canada to Germany and other parts of the world as well.

Host: Also joining us here on The Communicators is Gautham Nagesh, who is the editor of CQ Roll Call's Technology Executive Briefing.

Thank you. Michael, can you tell us, please, how would the cybersecurity executive order improve cybersecurity for the businesses that take part? What would these standards do to operationally improve security?

Guest: Sure. So if you look at what we're really trying to do, it's really taking the best practices that are already at stand from the leading companies that really do cybersecurity well and spreading those out to the companies that don't do it quite as well yet. So really I think that what you'll see as this framework develops is it's really about taking the standards and practices that are already well known and putting them together in a coherent framework that a company could adopt.
I think what you'll see is this will enable companies to better close known loopholes, have a more rigorous process for ensuring that they know that their cybersecurity is actually where they are and what they need to be doing, and I think what you'll see is it'll help close a lot of the known vulnerabilities and the easy accesses that the bad guys have right now.

Host: Now, those sorts of standards, are those similar to the types of security practices that federal agencies have in place right now?

Guest: So they would be related, and I think you would, I think if you actually looked at the federal government, you'd see the same kind of diversity that you see in the private sector. Some agencies are much further along than others. So one of the other priorities I have is sort of bringing the federal government cybersecurity standards, raising the bar there as well. So I think you'll see a lot of parallels. Of course, since there are differences between how private industry has to operate and how the government operates, exactly how the framework would be applied will probably, well, almost assuredly be different. But I think you'll see a lot of parallels there.

Now, there is a law that governs how federal agencies should secure their systems, FISMA. How has that worked, and if so, why? If not, what are the failings?

Guest: So I would say that FISMA has worked, but it needs to be updated. It was a good piece of legislation for when it was passed, and it moved the ball forward for that time period. But now we have a more sophisticated understanding of what you actually need to do in cybersecurity. So, for example, I would say one of the things that needs to be updated is a move away from a compliance model where you only periodically go back and check every so many years. Um, that's not going to really work now in the modern cyberspace age, right? Things move too fast.
So we want to move to much more of a continuous diagnostics approach such that you are always getting information about the state of your network and where, what assets do you have that are hooked up to the network, and what are your vulnerabilities? Have you done the latest patching? So that you have that information in real time. I would tell you that FISMA's shortcomings are more in that area, that it needs to be updated than sort of completely replaced.

Now, one of the main stumbling blocks, as you are aware, to legislation on cybersecurity is the industry believes that any regulatory regime may eventually resemble FISMA and that it is more focused on complying than operationally improving security. How would you mollify those concerns?

Guest: Well, I think that one of the things that we've done is we were in the process of developing the executive order, we had extensive outreach with industry and academia, really held dozens of meetings, more than 30, actually, with different trade associations and industry groups and companies. And one of the things that we stressed in that is the process that we want to set up is one that is very collaborative and really rests on the practices that they themselves, the leaders in their industries, are already doing. It doesn't really do us any good to put out a compliance model that is not, that companies can't comply with or that doesn't make any sense in their business environment, because the goal is to actually improve cybersecurity. Sort of just checking the box doesn't actually do any good. So I would say that the other thing that you can see in the executive order is that it's designed to be highly collaborative and really bring in industry and have industry be the one that is defining those standards.

Host: Michael Daniel, in section four of the executive order, cybersecurity information sharing, you write it is the policy of the U.S.
Government to increase the volume, timeliness and quality of cyber threat information shared with U.S. private sector entities. Are U.S. private sector entities required to share more information with the government as well?

Guest: Well, under the executive order the president can only direct executive branch agencies to take actions. So under the executive order, only entities that are directed to increase sharing are on the federal side. We would like to see companies be able to share more information with the federal government, and we are working to encourage them to do so and are working through ways to have that happen. I think that's one of the areas that we think we need legislation in to eventually deal with some of the issues or that are in that space to enable more information to flow back from the private sector into the government in a way that protects privacy and civil liberties. That's very important to the administration. But we do need to increase that information flow.

Host: Throughout this executive order the word "voluntary" is used frequently.

Guest: Yes. And I think the point behind that is when you really look at the issues that we face in cyberspace, if you look at the problems and how the federal government has to deal with them, you see that no one agency within the federal government can deal with it. It has to be a whole-of-government approach. Similarly, we think that it's not just the federal government that has to deal with this issue, it's federal, state and local governments all deal with this issue. And it also involves the private sector. And really this has to be a collaborative approach from all the different parties that are involved working together to tackle the problem. So we're stressing the voluntary part of it because we really believe that it's the leaders in the industry that we want to come together, um, that really have the expertise and the skills to make the difference that we want to make.
Host: What are some of the concerns that you have heard as cybersecurity coordinator from private companies such as banks, electric companies, etc.?

Guest: Well, you hear a lot of different concerns. Interestingly enough, I think, you know, one of the concerns that we hear and you see it reflected in why we set volume, quality and timeliness, okay? Great, you've shared information with us about stuff that happened three months ago. Yeah, but what about now? So that's one reason why we're trying to increase our timeliness so that we're out ahead of the issues. And we're making progress in that space. I think that we're, over the last year in particular we've really improved our ability to share information faster with the private sector. Um, I also hear concerns from different sectors about ensuring that the other sectors that they rely on also are increasing their cybersecurity. You know, if you're, if you're a bank, you're reliant on power and water and transportation to conduct your business. So what I frequently hear is that all the companies want to make sure that all of the critical infrastructure sectors are moving together to increase their cybersecurity because everything is so interdependent.

Host: This is C-SPAN's Communicators program. Michael Daniel, the White House cybersecurity adviser, is our guest. Gautham Nagesh is our guest reporter.

Why is legislation necessary? What are those legal obstacles or otherwise?

Guest: Well, it's not so much the barriers on the government to private sector side. There, those are really about policy and how we actually implement it, and I think that's one thing that you can see in the executive order is we can ramp that up on the executive branch side, um, and I don't think the barriers are as much statutory there as they are policy.
In the other direction, um, I think there are potentially barriers to private companies sharing information with the government based on liability, concerns about the government's ability to actually protect information once a company gives it to the government. I think there are also concerns about company-to-company sharing and competitiveness issues and whether or not that's sort of anticompetitive to share that kind of cyber information. So I think from the administration's perspective one of the places we want to have discussions with Congress on is are there ways to remove some of the statutory barriers to information sharing coming back into the government and between companies. I think we want to be very careful in this space. One of the things I've discovered as I've worked on some of these issues is that when you actually really begin to get down to what the real statutory barriers are, they're often more limited than what sort of appears at first blush. And so we want to be very careful that we don't sort of overshoot any sort of legislation that we pursue.

Well, you bring that up because the cybersecurity order and also the new administration strategy for combating trade secrets both increase information sharing by companies between each other, presumably also with the government. What, if anything, has changed as a result of the executive order that would allow companies to come to the government?

Guest: I think what it really does is it directs agencies to really put in place the foundations to ensure that we can, for example, deal with information when it comes into the government to protect privacy and civil liberties. So, for example, one of the key pieces of the executive order is to really bake in the fair information practice principles into everything that we're doing in cybersecurity.
Um, I think that will give, you know, the privacy community on the outside much greater levels of assurance that the government can protect and properly handle information related to cybersecurity when it comes in. So I think that should help encourage people, companies, for example, to have some confidence that we can handle the information on the federal side. Um, I think that really this is going to be a continuing conversation between the administration and Congress to work out how to lay the legal foundations and framework to make that happen more efficiently and effectively. It does happen now, it's just that, um, you've, you've often got to negotiate a lot of those agreements company by company, sector by sector, and it's a very time-consuming and laborious process that doesn't scale up to the level we need.

Host: Michael Daniel, what kind of concerns are you hearing from members of Congress about this executive order?

Guest: Actually, I would say in general the reaction has been very positive, and I think most of the members, certainly on the Democratic side and even on the Republican side, I think we've seen a very great willingness to talk and openness to discuss how to actually move forward with this and to help ensure that implementation occurs as effectively as possible.

Host: Section 7c, the Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality and to protect individual privacy and civil liberties. How do you envision protecting businesses' privacy, individuals' civil liberties?

Guest: I think a lot of that has to do with, um, when you look at the way that information needs to be shared. It's really about making sure that only the appropriate and necessary pieces of information get shared when you move information around within the federal government.
And so we establish the rules and the clear criterion for when specific pieces of information will be shared and under what conditions. Um, and I think that, for example, what that means is that in many cases for a lot of parts of the government you don't need specific names or attributions to specific individuals. You just need the broad outlines of the incident that has occurred. So that, and in those conditions, only that information would get shared. In other cases, you know, law enforcement, to respond to things, they need that information, but they need, but they have a longstanding, longstanding practices and procedures to protect that kind of information once it's part of an investigation. So I think really this is about, um, sort of instantiating a lot of the procedures or that are already largely present in the government, but making sure they're