Control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That is why earlier today I signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards that protect our national security, our jobs and our privacy.

Host: Michael Daniel is the president's cybersecurity coordinator. Mr. Daniel, did the president's executive order of February 12, 2013 he talks about vital infrastructure. How is the White House defining vital?

Guest: Title infrastructure is really defined as that infrastructure that if something really bad happened to it lots of really bad things would happen in the real world. In other words, significant damage to our national security, significant economic disruption and potentially loss of life, and specifically in the cyber context means that infrastructure that something happened in the cyber realm you could have the resulting physical effects in the real world.

Host: So a lot of those infrastructures, though, are in private hands, is that correct?

Guest: The vast majority are in private hands, well in excess of 80.

Host: Will these private companies, banks, etc. have to participate in the cybersecurity enhancement?

Guest: Well, I think for the most part it will be a voluntary and collaborative process with industry for them to participate. If you sort of look through the executive order and follow how the framework is laid out, first you have NIST leading a collaborative process with the National Institute of Standards and Technology leading a collaborative process to develop the framework, and then the Department of Homeland Security will set up a voluntary program to encourage adoption of that framework. At the same time the primary regulators in the federal government will look at their regulations and requirements into system relative to that framework that it has developed.
And if they believe that their regulations and requirements are not sufficient in that area, then they could in theory impose new regulations or executive actions that would require infrastructure to be brought up to that level. But I think for the most part you will find it will be a voluntary process for a company to participate.

Host: There are some deadlines in this executive order, 120 days, 240 days, etc. Will Congress have a role in developing this cybersecurity package?

Guest: For the executive order that by definition it is driven from the executive branch side. From our perspective, the executive order as a down payment on legislation that we ultimately need to get to. So we view the executive order and the tasks and activities going on underneath it as advancing the cause of cybersecurity and advancing some of the issues that were raised in the congressional debates previously, but we still have to have Congress enact legislation in cybersecurity.

Host: Michael Daniel, as the cybersecurity coordinator, what is your role in this?

Guest: I describe my role as being the chief for federal cybersecurity. It's my job to oversee the policy development processes in the White House related to cybersecurity and to work on and ensure that agencies are actually implementing their present policies and directives. There is also a big chunk of my job that is really outreach to the private sector and outreach to industry and academia and think tanks in the state state and there isn't also an aspect of my job is international in talking to my counterparts in other countries from Great Britain to Canada to Germany and other parts of the world as well.

Host: Also joining us here in the Communicators is Gautham Nagesh, who is the editor of CQ Roll Call brief.

Guest: How will the executive order improve cybersecurity and what would the standards do to operationally affect security?
Guest: Would be look at what we are trying to do instead of taking the best practices from the leading companies that really do cybersecurity well, and spreading those out to the companies that don't do it quite as well yet, so really I think what you'll see is the framework development taking a lot of the standards that are out there that are already well-known and putting them together in a coherent framework that the company could adopt. I think what you will see is that this will enable companies to better close known loopholes, have a more rigorous process for ensuring that they know their cybersecurity is actually where they are and what they need to be doing, and they think what you will see is it will help close a lot of the known vulnerabilities and the easy access is that the bad guys have right now.

Guest: Those are standards. Are those similar to the types of security practices that federal agencies have in place right now?

Guest: No, they would be related, and I think if you look to the federal government you would see the same kind of diversity they have in the private sector. Some are much further along than others, so one of the other priorities that I have is to bring the federal government cybersecurity standards raising the bar there as well. You will see a lot of parallels and of course there are differences between private industry has to operate in how the government operates. Exactly how the framework would be applied, it would most assuredly be different, but I think you'll see a lot of parallels there.

Guest: There's a lot of governs how federal agencies should secure their systems. Has that worked, and if so, why, and if not, what are the failings?

Guest: So I would say that FISMA has worked but it needs to be updated. It was a good piece of legislation for when it was passed and it moves the ball forward for that time period. But now we have a more sophisticated understanding of what you actually need to do in cybersecurity.
For example, I would say one of the things that needs to be updated is a move away from a compliance model where you only periodically go back and check every so many years. That isn't really going to work now in the modern cyberspace age, it moves too fast. To move to a much more continuous diagnostic approach such that you are as getting information about the state of your network and what assets you have hooked up to the network and what are your vulnerabilities? Have you got the latest patching, so you have that information in real time. I would say FISMA's shortcomings are more in that area and they need to be updated and then completely replace.

Guest: One of the main stumbling blocks to legislation on cybersecurity is the industry believes that any regulatory regime may eventually resemble FISMA in that it is more focused on complying than operation of cybersecurity.

Guest: One of the things we have done is we are in the process of developing the executive order and we had extensive outreach with industry and academia. We held dozens of meetings, more than 30 actually, with different trade associations and industry groups and companies, and one of the things we stressed and that is the process we want to set up collaborative and really rests on the practices that they themselves, the leaders in their industries, are already doing. It doesn't really do us any good to put out a compliance model that is that a company can't comply with or doesn't make any sense in their business, because the goal is to improve cybersecurity. Just checking the block doesn't actually do any good, so I would say that the other thing that you can see in the executive order is it's designed to be highly collaborative and bring in industry and have been distribute a one that's defining those standards.

Host: Michael Daniel, in section 4 of the executive order, cybersecurity information sharing, you write, it is policy of the U.S.
Government to increase the volume, timeliness and quality of cyberthreat information shared with U.S. private sector entities. Are U.S. private sector entities required to share more information with the government as well?

Guest: Under the executive order the president can only direct executive branch agencies to take action. So under the executive order the only entities that are directed to increase their sharing are on the federal side. We would like to see companies be able to share more information with the federal government and we are working to encourage them to do so and are working through ways to have that happen. I think that's one of the areas that we think we need legislation and to eventually deal with some of the issues that are in that space, to enable more integration to flow back into the private sector into the government in a way that protects privacy and civil liberties. That's very important to the administration. But we do need to increase that information flow.

Host: Throughout the executive order the word voluntary is used frequently.

Guest: Yes, and when you really look at the issues that we face in cyberspace, if you look at the problems and how the federal government has to deal with them, you see that no one agency of the federal government can deal with it. It has to be a whole of government approach. Similarly we think it's not just the federal government that has to deal with these issues. It's this federal, state and local, and it also involves a private sector and has to be a collaborative approach from all the different parts that are involved working together to tackle the problem. So we are stressing the voluntary part of it because we believe the leaders in the industry that we want to come together, that really have the expertise and the skills that make the difference, want to make

Host: What are some of the concerns you have heard as cybersecurity coordinator from either company such as banks and electric companies, etc.?
Guest: You hear a lot of different concerns. Interestingly enough, you know, one of the concerns we hear, and you see it reflected in volume, quality and time, great, you have shared information about stuff that happened three months ago. But what about now? That is reason why we are trying to increase her time is so we are out ahead of the issues and we are making progress in that state. I think that we are over the last year particularly we have improved our ability to share information and factor with the private sector. Also I hear concerns from different sectors about ensuring that the other sectors that they rely on also were increasing their cybersecurity. If you are a bank you are reliant on power and water and transportation to conduct your business. So what I frequently hear it is that all the companies want to ensure that all of the infrastructure sectors are moving together to increase their cybersecurity because everything is so interdependent.

Host: This is C-SPAN's Communicators program. Michael Daniel, White House security adviser, is our guest and Gautham Nagesh is our guest.

Guest: You mentioned there were barriers to the government sharing information with the private sector. Why is legislation necessary?

Guest: It's not so much the barriers of the government to the private sector side. Those are really more about policy and how we actually implement it, and I think that is one of the things you can see in the executive order. We can ramp that up on the executive branch side and I don't think the barriers are as statutory there as they are policy. In the other direction, I think there are potentially barriers to private companies sharing information with the government based on liability, concerns about the government's ability to protect information once a company gives it to the government.
There are also concerns about company to company sharing and competitiveness issues and whether or not that anti-competitive to share that cyber information. So I think from the administration's order they want to have discussions with Congress on is are there ways to break barriers to information sharing coming back from the government and between companies? We want to be very careful in this space. One of the things I discovered as I worked on these issues is that when you actually begin to get down to what the real statutory barriers are, they are often more limited than appears at first blush, that we want to be very careful that we don't overshoot any sort of legislation that we pursue.

Guest: You bring that up because the cybersecurity executive order and the administration encourage increased information sharing by companies between each other, presumably also in the government. What if anything has changed as a result of the executive order that would allow companies to come together?

Guest: I think what it really does is it directs agencies to put in place the foundation to ensure that we can, for example, deal with information when it comes into the government to protect privacy and civil liberties, so for example one of the key pieces of the executive order information practice principles into everything we are doing and cybersecurity. I think that will give the private community and the outside much greater levels of assurance that the government can protect and properly handle information whether it be cybersecurity when it comes in. So I think that should help encourage people or companies, for example, to have confidence we can handle the information on the federal side. I think that really this is going to be continuing conversation between the administration and Congress to work out how to lay the legal framework to make that happen more efficiently and effectively.
If that happened now, it's just that you have to negotiate a lot of the agreements company by company, sector by sector, at a time consuming and laborious process that really doesn't scale to the level that we need.

Host: Michael finn you what kinds of concerns are you hearing from members of Congress about this executive order?

Guest: Acts that would save the reaction has been very positive, and I think most of the members, certainly on the Democratic side and even on the Republican side, I think we have seen a very great willingness to talk and open it up to discuss how to actually move forward with this and to help ensure implementation occurs as effectively as possible.

Host: Section 7c, the Cybersecurity Framework shall include methodologies to identify and mitigate impact of the Cybersecurity Framework and associated information security measures or controls on business, confidentiality and to protect individual privacy and civil liberties. How do you envision protecting businesses' privacy, individual civil liberty?

Guest: A lot of that has to do with when you look at the way that information needs to be shared, it's about making sure that only the appropriate and necessary pieces of information gets shared when you move information around within the federal government, so we establish the rules and the clear criteria for when specific pieces of information will be shared and under what conditions. And I think that, for example, what that means is in many cases for a lot of parts of the government you don't need specific names or attributions to specific individuals. You just need the broad outlines of the incidents that have occurred. So in those conditions only that information would be shared. In other cases law enforcement to respond they need that information, but they have a longstanding practice and procedure to protect that kind of information once it's part of an investigation.
So I think really this is about sort of substantiating a lot of procedures that are already present in the government of making sure they are robust and actually function efficiently.

Host: Michael Daniel, as you well know, a lot of news stories in the last couple of days in Washington and around the country about China, and the headlines are often, China has attacked. A big cover story in Bloomberg as well. Is this policy directed toward China?

Guest: No, it's not directed at any one specific country. It's really directed at the broad range of threats that we face in cyberspace that stem from any number of, frankly, domestic and overseas actors. So it's really not targeting any one individual country.

Host: When we see the headlines saying China attacks, what does that mean? Who is behind that?

Guest: Well, it's hard for me to speculate on what might be behind some of that. I think it's undoubtedly true that we have seen actors that are based in China carry out activities. But we have seen that in multiple countries around the world, and the attribution problem continues to be difficult in cyberspace. So I think from the administration's side, we try not to focus as much on those sorts of headlines. We really focus on improving our cybersecurity defenses across the board so we can't afford whatever actors are behind the intrusions and try to reduce it as much as possible.

Host: Gautham Nagesh, do you think the security company which generated many of the headlines, and they have traced it to a building in Shanghai that they believe is controlled by the liberation army. What point do the attacks appeared to be rise to the military threat, particularly if they target critical infrastructure or defense contractor?

Guest: That is actually very good question and one we are continuing to sort through and try to source of a lively debate both with the government and the industry in the private sector.
If you has to take a step back, one of the questions that I think we are currently wrestling with is exactly what is the government's role in providing cybersecurity to the private sector? At what point does the government intervene? Under what conditions? I think all of those are questions that, while they are much more known in the physical realm, we are still trying to figure out what those rules of the road are in cyberspace.

Guest: When does the government intervene