Complicated. Its great to look back today, 15 years ago, the terrorism threat. When i was at the National Terrorism center we looked at how that threat had really changed to much in the last 12, 15 years, where its more diverse, adapted on the terrorism side. Now look at cyber. All those same features characterize cyber threat. You have increasingly sophisticated actors, criminal gangs at the level of what we thought were at the capability of nation states. You have the nature of those attacks changing from destructive to disruptive, destroying hardware. One of the things we think about now, the offense typically has the advantage. The offense wins. Its a little like transform. When i was at the National Terrorism center, didnt taub about its basically impossible to stop every terrorism attack. Risk management, it applies in the terrorism realm. Youre managing realm but same thing in the Cyber Security realm. You can stop every did you see president obama beat his chest and say our Cyber Capabilities beat everybody els by far. Im interested you rank 1 to 10 and United States 10, where would you put the threats after the president s comments. Are you happy the president said that . I think thats right with our capabilities relative to the rest of the world. A number of ways, offensive Cyber Capabilities, defensive Cyber Capabilities. Overall were ahead of the rece of the world. We do have significant adversaries at the nation state level with china, russia, iran, north korea and you can tick off attacks knowingly attributed to those governments or expected to be those governments, that region. Below that level you have to rank pervasive type of kk are basically criminals that to go on target. That attack quite significant really cost a few thousand dollars in terms of malware available on the internet. Thats a couple years ago. Those groups are increasingly sophisticated. Scale of one to ten next biggest threat. I would say if were a ten, seven, eight area. Given that, i dont know if you have thoughts, susan, in this new world of the ability to create consequences with Cyber Capabilities, another government, cyber grid, ukraine we saw it with stuxnet in iran, centrifuges, whoever made that stuxnet virus, i dont know. When youre at that level, what do you think allegations about russia, hacking democracy, do you think u. S. Government could send a signal hacking chinese, a bureau in putins office. Depends on the affect you want to achieve. Were more vulnerable because were more engaged in cyber. That may not be the way to go. China signed an agreement with u. S. They did it because they want to tamp down the amount of communication and democracy happening in china as a result of cyber so this was to their advantage. Right now its not to putins advantage to tamp down things. We can send signals through quiet channels. I want to move back to something susan and they were talking about. Often we want to think about resiliency rather than reliability. You think about the power grid, its operated on the idea if one generating system is down, the system should work. Resiliency is if a number of them are down it should work. Resiliency, if they go down like we had a situation like in ohio a few years ago that started with a tree and snow barrel. What happens, how do you come up . What are the right ways to build cyber for resiliency. Thats something we have not built in 15 years ago but something we really need to have now. Something im sure your agency owe. With all of you, how vulnerable do you think our National Electric infrastructure is . We are doing such a great job. What is your biggest blind spot. Let me say, im serious saying were doing a good job working with Electricity Sector, that is because private sector are partners in the electricity subsector are very forward leaning and very aggressive. Im leaving to head to new mexico for quarterly meeting for 30 or 40 ceos from across Electricity Sector who come together to meet with us on a very regular basis to talk about how we meet together to improve resilience of electric grid. A lot led by them. Its very resilient. What i will say what we are very mindful fuful of, a great deal built in the 70s before we were cyber dependent. Cyber efficiency tacked objecn. When those go down theres physical redundancy you can rely back on. As we upgrade that ends its useful life and upgrade and move to smart grade, et cetera, much more mindful in a way that prrves that resilience. That wont always be an i. T. Solution. Oftentimes that resilience will come from putting in a hand crank, having paper copies, things like that. And one of the things going back to cash. Susan. One of the things they need to think about. Right now they paying time to go after a target, after season y, if you talk about a hybrid attack on a bunch of systems, they dont necessarily have the advantage. They have to get at the power grid and Banking System or whatever else they are going to at the same time. Thats a much harder job to do than when they go after sony or target on their own calendar, their own instant, which makes us somewhat more secure as a result. Lets talk good guys and bad guys for a minute. I remember we did a talk when sony north korea thing unfolding, lisa and fran and fran lambasted sony. Said there are criticisms all around that can be shared. One of the things, sony did nothing they should along the cyber level and really cast a lot of the blame on the private sector side of that equilibrium. Im interested on the good guy side of this, a public that doesnt want to be ripped off or have its email taken or operation system suspended, what is their responsibility to protect themselves from malicious people and governments responsibility to protect iran, china. Seems to me we talk a lot about companies and what they need to do but they cant match a government. Suzanne. I come at this from the notion of comparative advantage. So weve often talked about roles or responsibilities and kind of were going to dictate that in a command and control way that comes out of the military context, which is not appropriate here. We do need to come to the table and understand what each of us in the private sector and all levels of government bring to the table in terms of comparative advantage. So we have a comparative advantage with regard to deterring state action. We succeeded in doing that on the agreement we reached with china on economic espionage and companies have the comparative advantage with respect to the immediate protection of their systems and networks. We have to Work Together on response and were now developing with the private sector additional play books and an ex response we have to understand, again, what resources each of us brings to the table and how were going to work. Im with suzanne in terms of relative advantage. The challenge is, to your point, steve, we put a lot of burden on the private sector in a way going back to the analogy to terrorism, we would not say the same thing about responsibility to protect themselves against terrorist attack. If you think about terrorist attack, physical attack against a facility or company, its pretty clear what the u. S. Governments role is. Its better organized than it was 15 years ago. Were getting there with cyber to understand what is the responsibility of private sentor, whats the responsibility of the u. S. Government when you have a nation state undertaking attack against u. S. Company on u. S. Soil. Going back to before, its very difficult for companies to be able to defend themselves against the level of cyber attack we face from sophisticated actors like north korea. Im going to go to the audience, whatever youre going to say, youre thinking about cryptography, what were beginning to see on the bad guy side of the equation is going dark, the inability theres now a reaction out in the druglord world, and isis world, nefarious networks going off the grid. Let me ill take that, let me just add a little bit, my colleagues have known for years anything we dont want on the front page of New York Times or Washington Post we dont put in email. Sony executives didnt seem to know that. Sony films had been leaked to places not like youtube anymore that doesnt show those things but before being shown in movie theaters for a long time. So i completely agreed with matt and suzanne that a company cant withstand a nation state attack. Maybe a Large Company in the Defense Industrial base. Youre saying we should live with a little bit of fear about what we do. Theres certain precautions that arent there. The fbi has been talking about going dark for the last 20 years. How have thingd changed in the last 15 . In 2001 we had what happened. We had change in export controls that allowed companies to put in strong cryptography for export, made it easier for skrong cryptography domestically. Here is where i lambast computer companies. They didnt do that until post this is not completely true, google beginning change with cryptography but post snowden era. If you look to the extent weve gone if you look at the session, communicating electronically, we all carry smart phones, computers in our pockets. 80 communication of smart phones. Also blackberry has gone out of business essentially. Blackberry had a secure communication system, smart phones have not. What we had to the extent the government was playing two sides. You could use cryptography but the fbi kept saying they are going dark. What ive seen quite clearly is that the nsa and defense side of the government has said cryptography, obiquitous cryptography i wish we had an hour or two. Im with her on the value, its a real problem in the terrorism front. There are misunderstandingses occurring between isis fighters that are encrypted and we cant see. Thats a real serious problem. Youre telling us we really, really,ually cant see. That is a real problem. I have some thoughts but lets let me open up the floor for questions and comments real quickly. In the back im being directed. My apologies well do our business. Im with tpc global. I have a question more along the quult r cultural societal aspects of this conversation. What is it going to take as far as an attack to get more political pressure on lawmakers, the government to start taking actions that are more preventive for cyber attacks. For instance, if an armored van went up to the office of Personnel Management and drove away with a bunch of records or the same thing happened at dnc i feel like there would be a lot more pressure. Got it. Whats it going to take . Concept too abstract to grasp. Were short on time. Appreciate the question. About 30 seconds. Here is the thing. When you buy a computer and leave it there and dont onanything with it, its no good a few years later. Its no good cass its easy to hack and so on, so forth. One of the things lawmakers have not understood in order to provide proper security we have to fund maintenance. Maintenance is just as important, more important than initial funding. Thats a serious thing. The other thing is we havent gotten responsible about Holding Companies responsible. When theres a data breach and i got two years worth of Credit Report for free thats not enough. To be fair to his question, what can you do to bring pressure. One of the obvious questions is at what point does this ethereal cyber stuff that seals so distant become kinetic, where you see thing happen in the tangible world. Thats what youre happening. Do you need that to happen, a disaster to happen, thats physical and things can be seen and felt as opposed to theorizing the fact. Last two days before christmas last year, there was a cyber attack on the electric grid that brought down power for quarter million people. This is not academic, not ethereal, not ukraine but it did happen. Weve made great progress getting this into the board rooms, across the country. Congress acted in an impossible fashion to north dakota five or six Cyber Security legislation including very importantly automated information sharing, Liability Protection for companies that sign up for machine, readable machine to machine near realtime shark of cyber indicators. That required congress to down around tricky and they enacted it. We do have the attack, do have attention and congress is taking some action on this. Theres a lot more to be done. Last word. Ill go back to terror analogy and bring it back to the anniversary of 9 11. There are all the tools of national we can bring to bear. Cyber responses are one way to respond. Theres a whole realm of other ways from diplomatic to intelligence to Law Enforcement to prosecution. Theres a range of tools we can bring to bear when we attribute an attack. I do think as much as cyber legislation, information sharing was great start, it is just the beginning i think to your point. I wish we had a couple more hours. This is fascinating. I want to ask you where you guys dream about these disaster scenarios. Were going to end there. I want to thank you poly tech institute. Matt, iron, i do like the name. Young lady, next time up here, you get the first question. Please welcome former senator Joe Lieberman now Senior Adviser to counterextremism project and mike rogers, host of something to think about. Here to lead the conversation, please welcome back mary louise kelly. Hello, again, everybody. Senator, congressman, welcome. I have to say ive been really looking forward to this session because you two are both out of politics, which means you can tell you what you actually think. Did that ever stop us before. You were just telling me that the last time you all were up on stage you got into a fistfight. We can only hope for a repeat. We were joking. More of a spat. Senator lieberman, lets start with you. You may not recall this but you and i both had occasion to meet in 2004. I showed up at your office on capitol hill, Pretty Spring day. I showed up because i was working on a story about ttick . Anybody remember . Blank faces. Terrorist integration. It was predecessor to nctc. Up and running a year. A guy named john brennan was running it. Whatever happened to him. So long ago you war democrat back then. Wow. You told me on that pretty april day that you feared ttic and other reforms were, im quoting you, potentially calamitous. Your concern as i reported on npr the next morning, you feared we were creating these huge beaurocracy that would work at crosspurposes and still not really talk to each other. So my question to you is have we created all these huge beaurocracies that work at crosspurposes and still dont really talk to each other. I actually remember that conversation. I believe had to continue will probably be reflected on all panels, nothing is perfect but we made great progress in that remember. Ill use the word disaster, we experienced the National Disaster 9 11, 15 years ago. One thing it did is to wake us up notwithstanding the truck bombing at the World Trade Center in 93, bombings at the embassies, uss cole, et cetera, that we were in a new kind of war. That was the first thing. Second, we did act. Incidentally we acted on a very bipartisan, nonpartisan basis, created department of Homeland Security. The whole purpose was to bring people together. Incidentally, the big battles in that legislative experience were motte between republicans and democrats, they were between people close basically arguing for a given agency that didnt want to be blended under the department or in the intelligence reform that followed 9 11, the 9 11 commission. So you think weve made great progress . What would you point to . Together the department of Homeland Security creation and reform of Intelligence System in response to the 9 11 commission constitute the biggest changes in our National Security apparatus sin the late 40s, which was the beginning of the cold war. So we were beginning a new era of conflict. I just say every day at the ntct, director of national intelligence, department of Homeland Security, various agencies of the federal government are sharing information, working together. These are big beaurocracies and a lot of people involved. Is it occasionally inefficient or top heavy . They are recognizing the embassy and talking a lot more than they did before. I guess the bottom line i would say, believe this for my own review but also 9 11 commission, if the reforms that exist today existed on 9 11, the 9 11 attack could not have been successfully launched against our country. Congressman, ill let you jump in here. What have we gotten right since 9 11 . We are better integrated. It was really a Leadership Event as much as organizational event. I think organizational events were important because it started driving innovation in a way we couldnt do when they were separate. Do i think theres lots of room for reform yet . I do. One of the things we got right, we started dispatching nsa analysts down range. Heifer really did that before. So the nsa is a big signals collection intelligence agency. It was separate freddie combat environment in a way that probably wasnt helpful prior to 9 11. Troops and combat in iraq, afghanistan, other places in the world. They started to do this. This wasnt done integration, legislation effort, they had a chance to do this, dispatched analysts down range. Sounds like a small thing. Get them out of ft. Meade. Get them out of ft. Meade, put them in afghanistan, putting them in other countries around the world. Putting them in countries like iraq in ways they arent done before. So had all the Intelligence Services sitting in the same room looking at the same problem set. All of them could pick up a phone to the mother ship, how do we get the right resources, answer, apply the resources we have to solving particular intelligence problem. We saw huge benefits almost immediately. Weve seen