Enhance cybersecurity and how the commission came about. Rose and a now fill by Mark Wahlberg and we were joined about the conversation about the patriots day film. If every day you turn on the news or open the paper theres another attack somewhere and we wanted to promote the message love will always win and wanted to come together and unite and how my town reacted in the face of terror it made me proud. Rose and conclude with andy cohen. I think its so egotistical to say my life is so interesting but ive now written three books about my life and have gotten over that thing and to give people a window on it but i write with a lot of humor and selfdeprecation. Look, i call the book superficial. Im trying to get ahead of it. Rose Sam Palmisano, tom don ilon and andy cohen. And by bloomberg, a provider of multimedia news and Information Services worldwide. Captioning sponsored by Rose Communications from our studios in new york city, this is charlie rose. Rose cybersecurity has become one of the greatest challenges facing this country. Last february president obama created a commission to address the growing threat. Earlier this month the commission on enhancing National Cybersecurity announced the findings in a comprehensive report calling for urgent action to enhance american Cyber Capabilities and president obama ordered a review of the Russian Election hacking and joining me is former ibm chair Sam Palmisano and National Security advisor tom donilon. Im pleased to have you both here. First briefly and then well turn to contemporary issues and come back to the report per se how this came about. Well, the president looked at what the challenges were and things that had been addressed in the first seven years of his term and determined there were a number of challenges and essentially what this was was a preparation of a transition memo for the next president. Rose jim clapper the director of National Intelligence has in the last presentations to the congression on the major threats to the United States ranked cybersecurity number one. Its not the case the country has treated it as the number one threat. We have far more resources and emphasis in mine share and attention to counterterrorism which is appropriate and Homeland Security than we were in terms of a range of dimensions really underfocussed on the cybersecurity challenge and there were a number of things to do to enhance it and thats how the commission came about. Rose what did do you . I was the private sector counterpart and looked at areas to focus on. Primarily in broad terms the issues around the security of the internet itself Identity Management and other things and the area where its no longer your phone or computer its cameras and sensors and traffic monitors and health devices. All those things now are potentially devices for a hack or some issue could occur. So in addition to that we were asked to look at government itself and the processes and how government responds to cyber versus counterterrorism and look at International Standards and consumer rose you had hearings . We started in new york with Financial Services and did a Tech Community at cal berkeley out on the west coast. We did the consumer in minneapolis and did a couple in washington. We had six. Rose are most people vulnerable . I think most people that are uninformed are vulnerable if youre aware of the technology that you can do things to protect yourself. I think its very important everyone understand that theres no 100 solution in todays environment for a cyber threat so theres great risk. Now, there are great benefits to the technology whether as the economic expansion, commercial terms, enjoyment, personal life issues what you do as an individual but everybody should be sensitive to the fact theres no 100 technical assurance it will not happen either to the company or individual. Rose tom, you dealt with putin and the chinese. You know something about their record with respect to hacking. Talk to me how you see the crisis we now face in terms of the president ordering an investigation into whether the russians hacked and finding out what was done and why and secondly cluck schumer, john mccain calling for a congressional investigation and have you congress saying they want to investigate coming up when they go back in january 3 and the new congress as well. What do you think is going on . Well, first of all the investigation is fully appropriate at this point last spring and summer you had some private sector organizations saying the russian entities, russiandirected entities that had long history of association with the Russian Intelligence Services were responsible for some of the hacking into the Democratic National committee and we had an extraordinary thing happen in october. Jim clapper who represents 17 intelligence agencies in the government announced publicly in fact the Russian Federation directed from the government itself was connect to hack in the election and the Cyber Commander said at the wall street journal ceo country you have a country that had interfered or tried to interfere in the election to get specific effects. The russians of course deny all of this and say we dont engage in cyber attacks. Thats not true. In my own judgment is that this is again, ive not seen the intelligence the subject of the debate but the broad matter theres no doubt i think the russians had been involved in trying to interfere with the elections here and its part of a broader strategic approach by the russians. This is information warfare. Espionage happens and the information was acquired and made public for certain purpose. Now, i cant judge the intent with specificity but clearly some intent was intended with respect to the elections and its part of a broader kind of confrontation were having with putins russia. Rose so theres no doubt that clapper is responsible they report to him and he reports to the president , correct . Correct. Rose theres no doubt in their mind there was hacking by the russians. Right. Rose what you have today is difference whether the intent was to help Donald Trumps election. Reports in the press say the fbi has not reached that conclusion but the cia has. I have no way to judge it at this point but the clear point is thats why there needs to be an investigation. Its an extraordinary thing. A foreign power in my judgment a power thats gone hostile to the United States since putin came into office in 2012 has attempted to interfere with the election in the United States. And we should find out exactly what happened, what the intentions were and what the effects were. Rose john bolton, for example, who may be trump appointed, the former u. N. Ambassador saying when the question came up about Hillary Clintons server had been hacked saying we dont know but the russians if they did it are smart enough now to not leave evidence. How are they so sure. Did they leave evidence on one side but not the other side . I dont know the details but i do know this is a process that takes into account all manner of information that have you access to and you put it together in an analytical judgment. Its not inconceivable the director of National Intelligence would say with high confidence the Russian Federation attempted to interfere if they didnt have a good case. Again, this is why the country needs to know the answer to the question. Rose its regardless of the motive the question is important if they can hack into the government. Were not debating the outcome of the election. We had an election and were Going Forward but its important for the country to know what the vulnerabilities were here from a technical perspective and its important from a Strategic Perspective to know whether or not the Russian Federation at puttin puttins direction off the direction of his people were directed. Rose you want to Alert America to the dangers of not being prepared for cybersecurity the question is how do you do that . Theres multiple effects and we need to meet with the president elects team and take him through the recommendation. There are steps in here any administration can do immediately and others will take time but theres things that can be done immediately in terms of establishing an initiative around at the public and private sector on Identity Management to make it harder to attack you and government can be the best practice and the internet of things so if you have a thermostat in your house or fitbit the security is designed and you basically and how to remove the vul neshtnerabilitie people who are sloppy with pass words and then theres the government itself and theres roles for government and ill talk about what they can do with the technology and tom can address the roles of the government and first consolidate the network and much like the militarys already consolidate and make it secure so that its very difficult now to get access into the government system through the network itself. Long term they need to fix their systems but in the short term they can make it harder to get in the systems. Theres recommendation what the News Administration should do. Rose and the conflict between Silicon Valley and the white house back then the Justice Department was to backdoor entry all kinds of things with the security for devices. If you think about it pragmatically and theres issues around Law Enforcement the only way to solve it is if the technical community, a lot of Silicon Valley, and the government come together. The big Research Universities but thats the only way to solve the problem. Rose whys it not been done . Why dont they come together. Because everybody realizes theres a problem with balancing security. The Silicon Valley and the mind set if you go back to tom watson senior who founded ibm they just want to be left alone. Now we have a Technology Version today and social Media Companies their preference is leave us alone. Thats their preference. So when things occur they dont want to be burdened by of the requested from the government that information they may have in their systems so they have a bias to leave me alone. The other bias is theres been situations to defend them for a second whereas the information they shared for whatever sets of reasons is used in a way that hurts their companys brand. We can share the information with the appropriate Government Agency and talk about information sharing but doing it in a way so brands are protect and doesnt impact their customer and revenue bases. The point were making it starts with collaboration, charlie. The key for the incidents when they occur is put the Network Providers as well as the Network Companies to share information in a way to do it in a secure way and a way that protect the companies from litigation, trial lawyers, etcetera and allows the government and appropriate authorities what they need to do their jobs. Rose Large Companies are hit theyll time in terms of people trying to attack them. But theyre better at it. Rose at the defensive measures . Yes. Exactly. Financial services as much focus as they have on them Technology Companies ideally are extremely good but then you put the banks up there with them. Theyre very very good. Our vulnerability is the Midsized Company and they need to create a standard for cybersecurity and adopt the same standards the large guys use. Its very uneven in the United States and we try to identify the coming trends. Sam referencing the internet of things and the physical world and cyber world have converged. And we are trying to get security at the front end in these devices and simple things for consumers which is to tell consumers in fact here are standards and this device has met standards through an abling an fda sort of thing. When we were growing up if you had an appliance with an ul signal on it an independent organization you had confidence it was a safe device. We dont have that in the soft world or internet of things world and try to anticipate trends. You ask why it hasnt been done the incentive of the company is to get its product to market as quickly as possible. So what we are trying to do is put together structure and incentives and when the internet first came on it wasnt about security so were trying to get big trends right from the start. There was a big focus on energy and a star for devices think of it as a cyber star. Well have a cyber star so you as a consumer or Software Consumer will have a star you know it competes at some level of a standard of security and that would help educate the People Associated with that. The incentives are interesting. We debated this at length on the commission because we thought there should be marketdriven approaches rather than regulated because stuff moves too fast and what is the balance of the right level of incentives. We all agree including the private sector and the folks representing the government all agree we need to design it from security day one. Thats the most important thing. Educate the user and design it day one. Dont have it be an after thought as to products to be cleaned up later by the i. T. I did an interview and he said to me at the time what is in fact nsa doing and things about what were being accessible in phone calls and all that stuff he said to me at the time theres so many stuff about individuals out there and so many people have access to it its remarkable what you can find out. This is why we say you were aaware of aware of that you would take precautions like you do with your credit card. Of course you protect your credit cards. It should be the same thing. You can say well its hard to use. Its not. You swipe it and you click it with the chip. It can be simplified but the consumer we have a whole section of Consumer Awareness to educate the consumer to address these kinds of vulnerabilities. Number of things we talked about is trying to make the devices so that it is easier for the consumers to act in an appropriate secure way. Were trying to do deeper work to make devices easier to work and more natural for the security to use in a secure way. Rose do we have significant collaboration with the Tech Community . Yes, sure we do. I guess there were incidents along the way but at the end of the day i believe theres a good working relationship between the Tech Community and the government and in my old world you take dod or homeland or National Security theres been an excellent relationship and continues to be. Theres more to be done. One thing we called for is deeper and faster sharing and provide more incentive for companies concerned about certain vulnerabilities to give them more incentive to share with the government and some of the things now is the password. Our evidence shows if you look at the last six year most the major breaches were related to a flaw in identity. So there are offerings out there that can protect you. Authentication and we called for a process to get to that. Rose people saying do it now. Thats right. We call to develop the best authentication technologies you can and start with the government. The government has mass consumer citizens facing portal irs, health care, v. A. , we should set an example saying if you deal with those portals, those interfaces you need stronger authentication. We should make every federal contracted employee using it start moving that through. Its is an incredibly solution and if youre not doing it your making yourself vulnerable. Rose so when you travel to moscow or beijing do you use your cell phone or computer . No. They would give me a new one when i return. Clearly they were replaced. I also knew i was trained never leave the computer in your room someone can take your hard files. I lived in asia almost 35 years ago. I was trained back then not to do these things. Some of us were trained decades ago not to do these things. Rose when you were ceo of ibm theyd wipe your computer and phone and whatever else. And have a new software load, system cleaned up and secure. What they would do is and you can do it here but when you click on your phone theyd put software on your phone to monitor whats going on and once you come back to the United States and youre behind your fire wall theyre in the system at that point. Thats how they used to do it. Rose isnt that what happened at sony . Exactly but its much more sophisticated today. What tom referred to is much more sophisticated. Its hard to find out who it was for some of the incidents because theyll hijack somebodys server or i think they hijacked a server in japan or something and though it probably came from north korea but they hack a server and come in that way so if you track the server trends or the trails its hard to find exactly origination of it. Theyve