>>LORD: My great pleasure to welcome you here today.
To this discussion of America's cyber security and what steps the United States should,
and perhaps even shouldn't take to protect it.
We're very pleased to be teaming up with Google, and appreciate them hosting us here.
[pause]
We're combining Google's cutting edge expertise in information technology,
with our own pragmatic disciplinary approach to examining the national security threats
that our country is facing today. And also is likely to face in the future.
[pause]
Our two organizations, Google and CNAS, chose to co-host this particular event for two reasons.
First, we think it's very important to understand more fully the scope, severity, and complexity
of cyber threats to U.S. national security. The choices our society must make in order
to confront those threats in a judicious fashion. And the specific steps we must take to build
and implement a national security cyber security strategy.
Information and communications networks, as I think we all know, are essential to U.S.
and global economy, national defense, and indeed our everyday life.
Our government clearly recognizes this fact, and has upgraded cyber security as a National
priority. The White House recently published a cyber
policy review and the Pentagon is establishing a new Cyber Command.
[pause]
And I personally have been struck by, in conversations with our most senior military leaders, how
high they place cyber security on their lists of priority.
Even at a time when serious and in many ways, more familiar threats, like Afghanistan and
Iraq are very much on their radar screen. And second, both Google and CNAS recognize
that any successful effort to understand and cope with this threat, and threats to cyber
security will require the active participation of both the U.S. Government and the private
sector. Each contributing their own distinctive expertise,
and their own distinct resources.
[pause]
And this threat in some ways is like so many other threats our Country will face in the
coming years and decades. We have to recognize that no one actor, not
a super power like the United States, not even Google, can confront the challenge of
cyber security alone. And this is a complex and diffuse and multi-faceted
challenge, and it demands a nuance and multi-faceted response by a network of both American and
global actors, from the private, public and nonprofit sectors.
[pause]
The threats posed by cyber attacks across the spectrum.
They include what a non-expert like me sees as being the most likely threats: small-scale
criminal and intelligence gathering incidents that combine to pose substantial costs on
our society over a period of time. They also include far less likely, but far
more severe threats. Strategic attacks against the US financial
system, air traffic control system,
and electrical grids that would damage the very foundations of our economy.
[pause]
And before I begin though, I'd like to very quickly introduce this extraordinary panel
that's joined us today. Their illustrious backgrounds can be found
in further detail on our website. That's www.CNAS.org. But let me just introduce
them quite briefly. Joining us today is Ellen Doneski, chief of
staff of the U.S. Senate Committee on Commerce, Science, and Transportation.
We have Richard Hale who is chief information assurance executive for the Defense Information
Systems Agency. We have Liesyl Franz, vice president for information
security and global public policy at TechAmerica. She is also secretary of the National Infrastructure
Protection Plans Coordinating Council. Philip Reitinger, director of the National
Cyber Security Center. He's also deputy under secretary of the National Protection and Programs
Directorate at the US Department of Homeland Security.
And Christopher Painter, the director of cyber security at the National Security Council,
and he was also a member of the team that wrote the National 60-day cyberspace review.
And then our co-host and moderator today, Harry Wingo, is policy counsel in Google's
Washington office here and he leads the company's work on smart energy, cyber security, and
a range of other Internet policy issues. And this esteemed panel is going to proceed
with the discussion, but I'd like to raise just a few small questions that I hope they
will begin to address.
[pause]
First, how serious are cyber threats? What sorts of cyber threats does the United States
face right now, today? And what sorts of cyber threats is the United States likely to face
in the future? Second, in a period of highly constrained
resources, how should the U.S. balance the need to prepare for both the most likely and
the most catastrophic threats with other national security needs and other national needs generally?
How should our country balance the need to protect openness, privacy, and economic vitality
on the one hand, and security on the other? Does the United States have a secure and reliable
access to the critical minerals and materials that make up our information networks and
also our hardware? And here I have to give a shout-out to a brand
new CNAS program on national security that's working on these issues.
And how and to what extent should the United States engage with international partners
in protecting cyber security? But especially, how should we be engaging
with partners that don't share our views about censorship, privacy, and oversight?
How should the United States respond to cyber attacks? Whether from individuals, whether
from transnational criminal or terrorist networks or foreign governments?
And for an organization like CNAS, we're very concerned with: At what point should the United
States respond to cyber attacks with force? Under what conditions would the United States
ever use cyber attacks defensively? These are complicated questions.
I have no doubt that our panel will help to address them today, and Harry, I turn the
floor over to you. Thank you very much. (applause)
>>WINGO: Thanks again Kristin. Thank each of you for coming out. For your
time. For your interest. I'm Harry Wingo. I'm a Policy Counsel here
in the DC office for Google. I focus on cyber security issues, energy issues, and a couple
other things. We're so excited to be hosting this distinguished
panel today. This is part of a series we call, "Google
Talks." We have these in our offices around the world and our Google DC talks are something
that we do every now and then to invite the community and also just experts in a particular
area where there are pressing matters, and this is one of the most important things that
we have going on right now, cyber security. So we hold these talks and we're happy to
have each of you here to participate as well. I'll be moderating this session and I'm going
to ask, we're just going to jump right into questions.
I'm also going to have the panelists ask questions of each other as well.
[pause]
So feel free to do that as we go along. There are microphones in the aisles, so our
approach is we're going to actually open it up with questions from the audience and we're
also going to have Google moderator questions that we're going to take at some point and
you can check that out at our moderator page, which is http://EIT.ly/0612dctalk.
With that, we're just going to jump into our questions.
As Kristin mentioned [pause] the 60-day review was finished recently and Melissa Hathaway
did a great job just getting a bunch of stakeholders across the Country involved.
Each of you were involved with that effort, so thank you for your work on that important
effort. And broad input was received from all sectors.
Government, military, business, on the public sector, and I'd like to just really start
off with whoever wants to jump in. What are your impressions about the 60-day
review and particularly what do you think was the most important thing to come out of
that? Or the most important point that was made?
Whoever wants to start?
>>PAINTER: Well, I guess being a part of the 60-day review team, I should start that.
>>WINGO: Chris also, if I could ask that in the first round of questions, maybe, you could
again introduce yourself as Chris Painter, and then after that everyone will know who people
are.
>>PAINTER: I'm Chris Painter; I was part of the 60-day review team.
Before that I was in the Department of Justice and have been involved in, mostly cyber crime
issues since 1991. So I've had a long history, and I think partly
that helped set it up what I'm going to say here, because, one thing I thought was incredibly
significant, and this was, the fact that the President of the United States gave a speech
about cyber security really, really was a significant [pause] ground, just game changing
move. And the fact that he gave that speech, a public
speech, not only signaled to the U.S., but around the world, how important this issue
was. That's really different than any other time
in our history. I'd like to just quote one part of that speech
where he said, "From now on, our digital infrastructure, the networks and computers we depend on every
day, will be treated as they should be, a strategic national asset. Protecting this
infrastructure will be a national security priority. We will ensure these networks are
secure, trustworthy, and resilient. We will deter, prevent, detect, and defend
against attacks and recover quickly from any disruptions and damages."
That is a real incredible statement for a U.S. President to make and I think it really
makes a difference. Not just to the community who's been playing
in this area for many, many years, but to the public and to a lot of our international
partners. So I think that it is a really significant
accomplishment of the 60-day study. You mentioned that there was a lot of outreach
in different communities, and I think that's another significant thing in the study.
There was outreach to all the different private sector communities.
There was outreach to the privacy and civil liberties community which we talked to pretty
robustly during that time. To the public and to almost every other group
you can think of. We had forty meetings in the space of that
60-day period, and got submissions from over a hundred different groups that are published
on the WhiteHouse.gov website. As far as what comes out of the report I'd
be interested in other people's perspectives on that as well, but I think one of the things
that's very important about the report, is that it tees up a short term action plan.
A ten point short term action plan. Which is really not just talking about what the
problem is and what the threats are, but taking it to the next level and actually starting
to influence some solutions. Things that are incredibly important.
Like coming up with an incident response plan. An incident response plan both with government
and industry to actually deal with some of these attacks when they happen or other kinds
of cyber intrusions. Partnering with our international colleagues
to deal with some of the issues, we'll talk more about that.
So there are a lot of key things that came out of that. A public awareness campaign,
education, a lot of foundational elements. It creates a lot of work for the government.
There's a lot of things we have to do. There's a lot of coordination we have to have
in achieving it. That level of coordination and working together,
both within government and that's not always been true, and with the government with the
private sector, which also has not always been true, I think it is a real significant
step.
>>WINGO: Thanks Chris. Anyone else?
>>REITINGER: I'll just sort of emphasize what Chris said at the start. I agree completely
with what he said.
There's a lot of good stuff in the 60-day review, of course.
But, by far the most important part of it was executive attention.
The 60-day review made clear that the status quo is not sufficient.
That we have to treat cyber security as a National and Homeland Security problem, and
that the President was putting his personal focus on this and personal attention on this,
so much so that he gave a speech to the entire Country about cyber security, and that the
White House was going to lead. This was going to be a matter of focus for
him. That is a game changer, and in my experience,
nothing is more important at driving change in an organization or an economy than executive
attention.
>>WINGO: Liesyl please.
>>FRANZ: Liesyl Franz with TechAmerica. I think from industry's perspective there
are a couple of things that I'd just like to add because I do agree with everything
that Chris and Phil have mentioned this morning. With regard to the senior level, at the highest
levels of the Government's attention to this, the coordination and galvanization that that
60-day process engendered. But the other piece of it I think that was
important and in a way unprecedented was that it was a very public process, and a very transparent
process. Which was really for the first time when we're
dealing with cyber security both from a National security and an economic security standpoint.
And I think that's a very important piece. The President emphasized it in his speech,
Melissa and her team [pause] incorporated it into the process the whole time the need
to access the synergies between national security and economic growth and economic security.
So it's, rather than use the word balance economic security and economic growth, we
use the word synergy between the two. I think that really came out in the report
as well. Not only in the written word, but in the apparent
discussions and input that the team got both from the Government and from outside stakeholders.
So I think that's a very important piece to keep in mind.
>>WINGO: Thank you. Ellen.
>>DONESKI: Ellen Doneski with the Senate Commerce Committee.
I think I'd just add that it's important that the President made this speech and has a focus
and appreciation for the magnitude of the problem at the very beginning of his presidency.
That he's dealing with it through a comprehensive review that he's asked others to work with
him both in the private sector, I agree absolutely with Liesyl that Senator Rockefeller thinks
we need to engage the private sector and work in a public-private partnership to a much
greater degree than we ever have in the past. So that we have an opportunity to build on
the work of the report and for the President hopefully to appoint a very senior level advisor,
we would recommend the Senator Rockefeller and Senator Snowe have legislation that would
recommend that it would be a direct report to the president's cyber advisor, that would
manage this issue too, from the White House down through the agencies and coordinate with
the private sector.
>>WINGO: Richard.
>>HALE: DOD has been worrying about the fragility of the information infrastructure for a long
time. We talk to a lot of people about what to do
about that, and I think, maybe the most important observation from all of this conversation
from within this industry is that once the CEO cares about it, it starts to get cleaned
up. So the point that the CEO of the United States
cares about this now is fundamental and really is a game changer.
The other point is that we've had lots of studies about things.
They have tended not to result in specific action plans.
This one is going to. This one's already got specific actions.
We can debate what the details of those are. We need to debate those, but the fact that
we're reducing this to doing something about it, is also fundamental.
So I think actually one of the big challenges now is going to be trying to figure out a
way to measure progress. Are we getting at the root of the problem?
Is this infrastructure getting less fragile? Are we getting better at interacting with
each other to deal with cyber attacks, because it's got to be a very collaborative process?
So measurement, I think, is going to be one of the tricks.
And again in DOD we've been struggling with figuring out how to do this measurement.
Congress has helped us with this by demanding that we do some of this measurement and that's
actually been very useful. So we're starting to make a little progress
there. We have some ideas there, but I think there's
a lot of work to be done. If we're going to throw money at a plan, are
we actually getting a more resilient infrastructure out of it?
Are we getting better incident response, collaborative incident response?
Do we have ways of helping our allies if they're attacked, for instance, cyber attacked?
So measurement is going to be important going forward.
>>WINGO: So thanks, Richard. You're absolutely right about if you can't measure a problem,
you can't manage it. I'd like to ask the panel now, Chris mentioned
next steps and there's an action plan. But as we go forward, I'd like to hear your
opinion on what's next? What are some of the challenges we face?
And how will moving through those next steps be informed by some of the efforts that have
happened in this area in the past? So maybe if we could throw a little history
on this for people. So whoever wants to jump in on that point.
Phil?
>>REITINGER: Chris started the last one, so I'll do this one.
Obviously the action plan for the midterm is [pause] the action plan is identified in
the 60-day review. Lots of different players in the private sector
and the public sector are going to have to participate in that.
I'll tell you what some of my priorities at DHS are.
They flow substantially from the 60-day review. One of them is capabilities building.
There's a lot of things we need to get done. A lot of places where DHS is called upon to
step up its level of capability. So my top priority is continuing to build
capability within the Department of Homeland Security.
Some of that's technology, but a lot of it is people.
We've got some excellent people onboard, but I don't have enough of them yet.
I've got a lot of vacancies. We're doing a lot of hiring.
Please go to USA Jobs. There's a lot of things out there.
If you have cyber security expertise, there are slots available, and we are hiring.
We're bringing on the right leadership team. I can tell you on Monday of this coming week,
the new Assistant Secretary for Cyber Security and Communications, Greg Schaffer is joining
and he was formerly the chief risk management officer for Alltel.
And Bruce McConnell, who, a number of you in the audience have worked with, is going
to come back. He is an alumnus of OMB and he's going to
be my counselor. So we will have assembled the leadership team
along with bringing in all the other people that we want to add to the current crop of
great people like Admiral Mike Brown, that we have onboard already.
The other priorities you'll recognize coming from the 60-day review.
We really need to get the public private partnership right.
We've done, there's been a lot of effort. We need to build on the good things that have
happened in the past. But we need to figure out how to streamline what
we've done and really focus on objectives. One of the problems with information sharing
and collaboration is we all tend to get together and talk about the importance of information
sharing and then go apart and three months later we come back and we have the same meeting.
That's got to stop. We've actually got to build those operational,
collaboration mechanisms that will drive progress, apropos of all of the discussion we have.
The third area is really the incident response and recovery piece.
I think we've recognized for a long time that while we've got incident response and recovery
plans, if things really go ugly, we don't have a clear enough set of roles and responsibilities
and ways of working together in an actionable way so that we're sure that our responses
would be optimal. Got to solve that problem.
A key action item coming out of the 60-day review.
Two other things I think that we need to work on that are, at least referenced in the 60-day
review are sort of building the underlying pieces of how we could have a more secure
infrastructure going forward. I'd suggest that a couple of the things that
I particularly want to focus on are identity management, authentication for people, processes
and devices with privacy built in from the very start.
If we want to create the mechanisms for a secure infrastructure, you've got to have
optional mechanisms that are available for people to identify.
So they can make effective decisions about who they want to talk with.
What software they want to run. What devices they want connected to their
networks. And then the last piece is really metrics.
This goes back to what Richard was saying before.
The internet is highly distributed. Any notion that we're going to solve this
problem top down, I think is fallacious. We need broad distributed action.
And that requires that everybody across the infrastructure be able to make effective judgements.
Authentication will help with that in terms of operational activity,
but we need good metrics so that people can say, what piece of software do I want to run?
What practice do I want to implement? What will work for my organization?
So until we build out that broad base of effective metrics that are tied to actual outcomes,
people will make decisions about security based on religion rather than that.
And we've got to get out of that. We've got to go to a more scientific or database
driven decision making for security.
>>WINGO: Thank you.
>>PAINTER: And I would endorse everything Phil said and just add a couple of things.
I think one of our industry colleagues put the sort of value proposition from these public
private partnerships the best when they said, "We should be focusing not on process, but
on outcomes." What are the things that we're really going
to get out of this? What does the government want from these partnerships?
What does the industry want, and how do we share the kind of information that would make
it valuable to each of us so we have something, we have skin in the game when we come to this.
And we can actually do things, like build an incident response plan.
You can't build an incident response plan just with the government without the private
sector. You can't get the kind of situational awareness
of what's going on in the world, without engaging the private sector in a meaningful way and
without organizing the government. So structurally we're trying to organize the
government by having this position in the White House and tying all of these government
agencies together. But we also need the private sector for that.
So I think that's an important part. That's linked, information sharing incident
response and private sector partnerships to me are all sort of linked together.
The other thing I think that's emphasized in the report is the idea of having a public
education campaign which involves both raising the awareness of people about security,
and the workforce development. The bench isn't really very deep in this area.
It's not very deep on the federal space. It's not very deep in the private sector space.
Public attitudes have changed, but they really need to change more.
When I first started doing these things back years ago, people looked at computer hackers
who were taking people's identities and stealing their money as sort of novelties, they didn't
care that much about it. Now I think with a lot of identity theft and
other things, people are realizing that's important.
I think more needs to be done so people think of security as part of the technological development
that they're seeing makes their days and lives more useful every day.
When they are using these devices, they also think about the security aspects.
Workforce development. Making sure we have trained people who understand
the security element, not just the innovation element, but the security.
They go hand in hand in glove. You can't really have good innovation if you
don't have a good security base because you don't want the thing to collapse later on.
You want them built together. You need to build that.
I think we outlined the reports in ways to go about that, but there's a lot of work that
needs to be done with DHS and other agencies to do it.
Another thing that I think is very important is this international partnership, and really
working, not just with our close allies, but with countries around the world to come up
with issues like how do you deal with norms in cyber space?
What are acceptable behaviors? Some of the legal aspects in cyber crime and
other areas. We have been doing this for a number of years.
Phil and I both, and I've been doing it most recently; both chaired something called the
G-8 High Tech Crime Subgroup. We were working on these issues and there
has been real value in that international collaboration, but it must be stronger.
And I noticed we have some of our international colleagues in the audience today.
One from Australia, for instance, that we've been dealing with.
So we need to really, I've said that there's something like fifteen or twenty different
international forums that deal with cyber issues.
It is to some extent, the flavor of the day. Everyone looks at this and they want to do
something about it. Well we've got to rationalize that.
We've got to work together to get the most bang for the buck out of those forums and
really advance things that are going to make the internet safer.
There's more I can say, but I'll stop there. One other thing.
As Phil mentioned, we also have to, as we're dealing with innovation and new technologies
and smart grid and all of these other things that are coming online, we need to bake security
in from the beginning. We need to think about those aspects.
It's a lot cheaper and more effective to do it at the outset than trying to do it overlay
down the line. Again, it helps that innovation.
It is the highway that lets the cars run.
>>WINGO: Thanks Chris. Liesyl
>>FRANZ: Well, I'm not sure I can follow that with too much detail, but what I'd like to
do is at least highlight three things that I think can be done and at least begun in
the near term that build upon a lot of the work that has been done to date.
The first thing we're looking at an action plan and the strategy set forth in the review.
I think, number one; we can look at how to improve the security of the federal government.
We've had a Federal Information Security Management Act and implementation of that since 2002,
but it really needs some updating. Updating to be more timely and relevant, but,
also, be more effective and actually make progress in securing the agencies.
So I think there is a vehicle right now to update FISMA in Senator Carper's Information
and Communications Enhancement Act, and I think that is one thing we can look at really
quickly and make some progress right away. Secondly, I want to build upon the [pause]
I think any strategy development that comes out of the review should include an international
strategy, to Chris' point. Again, there has been some good work done
on building partnerships, both in the cyber crime, but also in the cyber crime prevention
as well as in operation and collaboration mechanisms.
But the problem is that they can only go so far without additional leadership and enablement.
We've reached out. We've talked to our international counterparts,
our companies, our multinational companies so they have implications of the borderless
nature of cyber space every day. So we need to find ways to enable us to talk
to our international partners and actually sit down and collaborate with them.
I think there are some ways that can remove barriers to doing that.
And the last, I'll just highlight the public-private partnership with one specific thing that we
have looked for from the industry side for quite some time is building upon the strategic
dialogue that we've had and building an operational component.
We don't need to bring government and industry together just when something happens that
we have to say, oh, my God, we need to do something now.
We need to build in an ongoing, sustained collocation and collaboration between industry
and government on this issue. Neither can do it alone and we can't do it
in the midst of a crisis. We have to do it on an ongoing basis and we
need to build the mechanism to do that.
>>WINGO: Thank you. Ellen, do you have any thoughts on next steps and moving forward?
>>DONESKI: Well, I think that a lot of what folks have talked about, Senator Rockefeller
and Senator Snowe's piece of legislation that tries to pick up on different pieces of what
you've talked about that tries to build in a place a cyber dashboard where there can
be information sharing between the private sector and the federal government about the
presence of threats and in advance of having attacks on private industry.
But I know that there's a lot of skepticism about how that might work when Senator Rockefeller
wrote the bill he was hoping that he would get engagement from the folks in the private
sector to help us outline how we can actually make it work in the real world.
So, I'm excited to have the opportunity to ask people to send us their comments and views
as we try to refine that legislation before we try to mark it up in the commerce committee.
>>WINGO: Thank you. Richard, I want to ask next steps history, something I actually asked
about. If you have any thoughts on that and also, what do you think about some of the
most important things that the military could be doing as far as its role in moving forward.
>>HALE: Okay. So let me just talk about my thoughts as a Department of Defense person.
So we have three fundamental cyber goals in the Department of Defense,
and they don't sound like cyber goals as much, but we need, so DOD has to work when nothing
else will sometimes and so we've got to have dependable mission execution in the face of
hostile cyber warfare. Or cyber warfare by a capable adversary.
And the capable adversary is the important point.
So it isn't just that we're worried about cyber crime, although we worry about that,
but DOD has to work in the face of this threat. Now, a lot of other things have to work in
the face of this threat too, but I'll be parochial just for a minute.
So, back to the sharing with international partners in industry,
this business of defining what a mission is quickly spills outside of the Department of
Defense. Many of our missions are interagency and the
rest of the federal government. Essentially every mission is also a coalition
mission with lots of other partners, either close allies or people we aren't used
to doing business with, the Chinese for instance in piracy or earthquake relief for instance.
So we have-
>>WINGO: And Richard, by piracy you mean on the high seas.
>>HALE: I'm sorry. On the high seas off of Somalia.
Not cyber piracy or stealing Microsoft code and selling it again.
But the other piece of it is that at least the communication infrastructure the department
depends on is 80 percent commercial and so that mission dependability is clearly a joint
government industry problem. We can't do this without close interaction
with industry. So dependable mission execution is job one.
Job two is safe sharing, so DOD has had lots of security roles over the years so history,
we made a decision in the '70s called "system high," so it was a computer science decision,
but it has shaped everything the federal government has done ever since.
And that is, we'll have separate top secret network,
separate secret network and a separate classified network.
Once an atom of information gets into one of those networks, it's trapped there.
So if it's an unclassified piece of information, but somehow it ends up in the secret network,
it's considered secret in this trap. So this is really an inhibited information
sharing. So the theory was if the security guys were
the ones that cooked up this scheme to make information sharing hard, it had to be the
security guy's problem to fix that. So safe sharing is problem two that we have
in the cyber business. And then problem three is that sort of traditional
security problem. We still want to keep the secret some of the
time and that's also a very coalition oriented thing.
We may want to keep a secret within a particular set of countries.
We may want to keep a secret very tightly just within a little piece of the Department
of Defense. So coming up with structures that allow this,
again this ad hoc coalition formation and sharing while keeping a secret is another
problem. So, again, the historical technology problem
has been the system hide decision. Just one other historical note
[pause]
I think it's also clear based on events in Estonia and Georgia that cyber warfare is
going to be a piece of the next big fight. So DOD has to take this seriously and it's
great the president's taking it seriously and the secretary of defense is taking it
seriously so we have a chance. So that is different than it has been.
We have a chance to tackle this.
>>WINGO: Thank you, Phil.
>>REITINGER: Could I take your invitation at the start to sort of have the panelists
take over the panel because I'd like to--
>>WINGO: Absolutely.
>>REITINGER: I want to kick off and make sure we don't drop a point that Chris raised
and that is sort of the human element, the education, the workforce, because these are
all tied together. And we're, in full disclosure, we were having
a conversation about this in the green room.
>>PAINTER: Blue room.
>>REITINGER: Blue room. Right.
>>PAINTER: It was multicolored. (Laughter.)
>>REITINGER: It was a lot of primary colors around this place.
But it seems to me that this is not just a security issue, but also a competitiveness
issue. We're not producing in this country enough
of the security talent, development talent that we need in order to both ensure the economic
viability of our key private sector players and their security and the security of our
country. So I think we've got to revamp how we do this.
Starting very early on, catching people when they are five or six-years-old and getting
them excited about the possibilities of going into this space.
Doing coding, doing other sorts of things. Much like, years ago you'd have kids out there
with their moms or dads working at the engine of a car.
It's the same sort of thing. You've got to get people excited, move them
up through and make sure that when they go into more development that there's security
education early on when they're in college that if they're taught
how to do development or taught IT, they get the security fundamentals as a part of that,
as Chris was saying.
[pause]
And then once they graduate and go into the workforce, that we have mechanisms that give
them career paths so they can have a full career.
They're not stuck as, oh, you're the security guy.
You're a GS-12. For those of you in the federal government,
you know what that means. There's an unlimited ends.
You can go up through the SES; you can go through the political ranks as a security
professional. I think back, back when Chris and I were both
line prosecutors, in the mid '90s, We had this problem where you'd see investigative
agents in particular, who would develop considerable expertise in
doing cyber crime investigations. And then they'd be rotated out.
They'd be doing some sort of paper fraud, or something else.
And some of them said, enough of this. I'm going to the private sector where my skills
are in demand. That's changed substantially throughout the
federal government. We've got to go farther.
We've got to make sure that we develop that career path and then provide the workforce
training as people go forward. I'm sure lots of other people have thoughts
about that.
>>PAINTER: And I think it's a career path especially it's something that's really important.
One of the agencies that Phil mentioned, the FBI recently, cyber is one of their top priorities.
And it used to be very much as Phil said, you'd go and do a little cyber, you'd go and
do something else, you do something else again. You can't really understand this field unless
you stay in it and you play in it and the developments are too fast to go away.
And that's not just true in the law enforcement field.
It's true in the network security field. It's true in the policy field.
It's true across the board. They have developed a career path within the
FBI for this where someone comes in; they stay with it their whole career.
They get more and more training, more advanced training.
That's happening in the network security field in government.
It's happening in other places but we really need to accelerate that.
And I think Phil's right. We need to make this cool for kids so they
actually think it's something they want to do.
>>DONESKI: I would just say that on this point, I think there are a lot of aspects of cyber
security where there'll be controversy in Congress I think on workforce development
and training. It's something that there can be congressional
encouragement of through scholarships and training programs,
and that it's also easily something that we can work with the private sector that's already
got its own training. Google has its own training as well as others
in the field. So that's a place where we could come together,
put more resources so that we're prepared for the future and it wouldn't run into any
of the controversies that some of the other big pieces
of this policy might.
>>WINGO: And Ellen, you're right. Google does have training on this, in fact,
for our engineers we continue education but we bake cyber security into everything that
we do. And as Phil mentioned, we were having this
conversation in the waiting room before, and I found it fascinating the idea of actually
getting kids involved. We teach Spanish, French, languages to kids.
Well, why not consider code as another language that kids could start very early
to learn how to do and then you just bake cyber security and awareness on top of it.
So anyone else have comments on the pipeline? I guess we would call this a pipeline issue.
How do we get the cyber security professionals of tomorrow ready today?
>>HALE: So I have one comment. There are some work examples I think that
are models that we can follow. The National Security Agency has their centers
of excellence program where they've gotten a lot of universities to put together a curriculum
on cyber security and teach it. The other thing we have is the National Science
Foundation and the NSA scholarship programs that are graduating first rate kids, who owe
the government a little bit of time, but what we found is that they tend to stay in
the government when we can give them good work.
So they're transforming this bottom up. That's an incredibly successful program.
It's probably the best money we've spent so far in cyber security.
So I think we need to do more of that. But the other piece is I do think we need
some curriculum review. This technology is really fragile.
I tried to make this point in the green room too.
Everybody who writes software has to think about security.
You can't be just security people who think about security.
So this business of baking in security really has to start with the people who are doing
the design of things and the coding of things. So every single computer programming class
has to consider security as part of the computer programming class.
It isn't an algorithm class and then a computer security class.
So my analogy is it's like doing civil engineering without worrying about gravity.
Everything in civil engineering is figuring out how do you make buildings stand up and
bridges stand up, and things like that. So, human behaviors are gravity in computer
programming. We've got to consider it in everything we
do. So that's a thing that I think the government
might help influence. Partly, by the way, we fund R&D.
Partly, by the way, we reward colleges and universities with R&D.
You know, we might put some strings on it around curriculum development or curriculum
change.
>>WINGO: Liesyl.
>>FRANZ: Again, I'm not going to disagree at all with
anything that folks have said. The only thing that I'd like to add is that
as we look at ways to develop our cyber security professional base over the long term, and
this is a truly strategic effort, right, is to think of it also in a multidisciplinary
way. Absolutely yes.
You have to build up the very technical expertise of those that are going to be discreetly working
on building software projects or systems engineering or architecture,
but keep in mind that all of us in this room now use computers and other devices so back
to what Chris said earlier about the human element
or Phil, both of you probably said it about the human element.
Let's not just look at it as a technical. Not just a technical training but also multidisciplinary
effort to build practices and norms and awareness and the kinds of things that we as individuals
need to do at a very young age as well. Also, I would say that not everyone that's
working on cyber security today has an engineering degree.
So I would like us to think of it in as flexible terms as possible,
not only for the types of people that might be touching cyber security in their company,
or in their government organization.
[pause]
But, those can contribute to a multidisciplinary and ever evolving technological environment.
So let's try to keep some flexibility into it for that evolution as well.
>>WINGO: Thank you. I'd like to get your take on how would that work in practice, for example.
>>FRANZ: Maybe I'll take that as the private sector industry representative here today.
First, I think I touched upon what collaboration might look like in an incident and the key
part of that is it's not just during an incident. It's in the collaboration, cooperation, collocation,
co-analysis. A true partnership from day one, really,
so that when something happens, there is an organic way to response, not a forced way.
You're not just reacting. You've developed a proactive approach to addressing
a problem by working together over the long haul.
With regard to a disconnect kind of proposal as suggested in the Rockefeller-Snowe bill,
I would say that we really need to have a strong dialogue about that kind of thing because,
first of all, it's not something you can just do.
I think in today's technological environment, you can't just disconnect somebody without
either unintended consequences for the services that that network provided,
or the fact that there are kinds of redundant networks and ways that people continue to
do business so even though you might have disconnected one thing,
you've not disconnected another. So you really have to sit down and have a
dialogue about what actually would happen if you did that.
And I would say that perhaps there might be alternative measures to protection and emergency
efforts that might be needed.
>>WINGO: Ellen, I'm absolutely going to give you a chance on this since it's the Rockefeller
bill, Senator Rockefeller's bill. But actually I wanted to get the perspective
from the DOD on this as well as Phil, maybe both of you on this issue of incident
response but also cordoning off private sector infrastructure from other systems and how
does that all play out.
>>HALE: So I'm an old guy in DOD now so I have some ancient history stuff that I think
actually might be helpful as we think through some of this.
So when AT&T broke up, DOD said, hey, our com infrastructure is no longer owned by one
company. The country actually said it's a national
security priority to be able to work with industry if there's some problem,
and we've got to be able to work across the whole industry that handles telecommunication.
So there was an outfit that was formed after the Bay of Pigs, actually was a sort of a
telecom emergency thing, the National Communication System which is
now a part of DHS, but after the AT&T breakup, there is this
National Coordinating Center, I think, was called, and it was actually manned by people
from all of the telephone companies and by DOD people and by intelligence people.
So we actually had a full up operational entity and it still exists.
I think the priority has gone down a little because cyber has overwhelmed this a bit,
but we had a model where we could operate very quickly in an emergency and we used it.
So 9/11 it was used heavily, for instance, to try to figure out how to restore,
the president's priority was safety, you know, rescue people and then get the stock market
running again. You know, the NCC was the entity that helped
coordinate those priorities and coordinate the actions by industry and government so
we're all working together towards those goals. So something like that I think might be important.
Another sharing thing that started is
[pause]
DOD started worrying about its technology secrets leaking out of its industry partner's
networks. So big defense contractors pulled all the
technology data for the department. They were getting cyber attacked as well.
Data was being infiltrated from their networks. So the department started another thing that
I think might be a bit of a model called the Defense Industrial-Based Cyber security Effort,
and we started to wrestle with these thorny problems of how do you have a really tight
sharing relationship with somebody that you also want to compete for business from you.
So this is one of the problems that government has.
So how do you work that, and how does industry respond to that?
We want them to share incident information. They don't want it to be used against them
in the next competition for a fighter plane for instance.
So we have a really robust pilot project right now with about thirty companies where we've
worked through the legal arrangements and we're proposing some federal acquisition regulation
changes to enable the sharing. But the thing that the industry folks came
back with and said, fine. We'll tell you incident date but you've got
to give us something. What are you going to do to help?
So we have always shared best practices through NST or through some DOD entities or through
NSA. But we started sharing threat data,
classified threat data in some cases, and this is a big breakthrough.
We haven't done this in the past and I think we need to grow this model and the government
needs to have, this is a conversation we need to have internal
to the government: how classified does some of this threat data need to be and how widely
can we share it? So can we share it with the banking sector?
They need to understand some of this stuff that's something's coming at them; we want
them to be robust too. So we started this with this defense industrial
base. It's actually been under the critical infrastructure
protection laws. So you know, we think as it may be a model
that can be grown out and inherited by DHS to have this broader conversation.
So I think I only answered the first part of your question but I've gone for a long
time.
>>WINGO: We'll let Phil answer the second part. This is the issue of having a
>>REITINGER: Actually, I want to start where sort of Liesyl left off.
I mean, the first point is there can't just be partnership around incident response.
It does have to be partnership more generally because it's got to be built into the DNA
of all of the different players because when something bad happens; the last thing that
somebody in the private sector is going to do is reach for the three hundred page government
binder on the shelf behind them. That's just not how they work.
They're going to start doing what they do on a normal basis, but scaling in their best
way to meet the emergency. So we've got to build those organic ways of
working together. As Richard said, we don't start from scratch.
There are a lot of models out there; the national coordinating center model which goes back
to the early '80s as he pointed out is a very good one.
And in fact, that particular model of what amounts to a joint operation center between
government and industry is behind a lot of the proposals that you see coming out of bodies
like the NSTAC that some of you in the audience were deeply involved in developing, two in
the front row. So those ideas don't go away.
There's the DIB ___?? model too. We've got to figure out the way that we refine
those and help them to meet what is a broad cross-sectoral issue.
And I'll say, there at least, we can spend the rest of the panel literally talking about
public-private partnership and information sharing.
I'll call out sort of three things that I think are absolutely essential.
The first is trust. You've got to have trust.
With trust almost everything else will work and without trust nothing will work.
So you've got to build that. You've got to start with personal trust and you've got to
move towards organizational trust, where in that, there's a return on investment
for everybody involved so they continue to play in that partnership.
And as Richard said, that involves on government making sure we share the information that
we can share, not overly classifying information.
Or, if necessary, providing the right security clearances to people in industry so that they
can see it, and making sure that we give them information
that's actionable, not, here's some highly classified information.
By the way, you can't do anything with it. So that's not particularly helpful for people
in industry, except to generally inform what they're going to do in response to the threat.
The second thing is agility. You know, we built a lot of mechanisms to
work together, the information sharing and analysis centers,
the sector coordinating councils, the various advisory committees and the bodies
that goes along with them, the national coordinating center.
All of these things and more are designed to work together.
We need to work through them where they're working,
but we also need to have ability either through them or otherwise to bring together the right
people in a very agile way, because you can get unique problems,
you can see a vulnerability coming up that affected three companies and they're from
multiple sectors. And you need to bring together the right people
to solve the problem very, very rapidly. The last thing is clear roles and responsibilities
in sort of a lightweight process for how we're going to work together.
That goes back to point out, nobody is pulling out that three hundred page binder off.
We need to tie down, as part of the incident response plan that should come out of the
60-day review who does what, what are the roles of everyone, how do they
implement that in their existing business processes,
whether those are government business processes or industry business processes,
so that we can all work together without trying to build the plane as we're flying it while
bad things are happening.
>>WINGO: Thank you. Ellen.
>>DONESKI: That's actually a perfect place for me to jump in because I think that the
provision in the legislation, the Cyber security Act of 2009 that Senator
Rockefeller and Senator Snowe introduced in an effort to get exactly this kind of dialogue
going. We didn't envision it as any kind of on/off
switch. Probably the terminology in the draft is imperfect
and we need to change it because we only are speaking to lines of authority.
So that we know what happens in the event of a cyber attack.
So that people aren't guessing. So we don't have the kind of situation and
confusion that we had with Katrina or 9/11 where there's confusion between the national
decision makers and the local and state authorities. It's really about trying to make sure that
organically there's enough understanding of who does what.
And I think we were trying to state the obvious that in an extreme cyber emergency or attack,
that the president ultimately has constitutional authority to protect the country.
It really wasn't meant to go beyond that and this kind of discussion is something that
we've been having in conference rooms since we introduced the bill and is very helpful
in this interim process, that is legislation so that by the time we
get to actually moving the legislation I'm hoping that it will be more warmly received.
>>WINGO: Chris, if you
>>PAINTER: I think a core part of the report too was exactly that,
defining what the lanes of the road are and how these agencies on the government side
work together and how they work for the private sector.
We've known this has been a problem for some time,
but we haven't had a robust incident response plan.
That, of course, is only one part of the public-private partnership.
The way I thought it out, and I really echo most of the sentiments Phil's and others'
that have been mentioned here, but partnership for what purpose?
People throw around the term public-private partnership all the time without any real
content behind it. So what's the purpose of the partnership?
Is it incident response? What relationships do you need to develop?
What do you need from industry as government? What can government give to industry to make
that value proposition important? Getting people to report to you incidents,
that's always been a big problem. It's been a big problem for as long as I think
any of us have been in this area. But one of the reasons for that is the people
who were asking to report don't really see what benefit they get out of it,
so making that value proposition clear. Which I think is a government and industry
problem. We need to do our part too.
I don't think, to echo Phil's point, I don't think government necessarily is going to pick
up a big cyber incident and get the three hundred page thing off the shelf either.
We need to have defined lanes in the road organic processes so we can come together
and really respond. That's one of the things we're working on.
>>HALE: Can I ask Phil a question?
>>WINGO: Absolutely. Please, Richard.
>>HALE: So DOD, what we do is we plan. We are a planning outfit.
We plan everything. We work out relationships and in spite of
all that planning, what we discover is there's no substitute for practicing your plan.
All those details that you didn't think of appear in that practice.
So, Phil, what do you think about how we ought to work out,
we have some legislation that defines some lanes, but how should we really work that
out in practice?
>>REITINGER: Sure, Richard. I agree with you completely.
One of the reasons DOD exercises and practices so much is because the idea is that one is
not in war normally. So you want to train and practice to what
you're going to do. In some way, cyber security is a little different
because one is always in that environment. We are, every one of us, all of us, are always
under attack. So we are in a slightly different place and
events happen all the time. For example, telecom companies, they get cable
cuts all the time because of a (VACO) that just dropped somewhere.
So what they need to do and what we all need to do is to be able to scale rapidly to address
situations that can be much more severe than what we do on a day to day basis,
and in cases where it's really an uptick, maybe that's a difference of kind and
not like. So we actually do need to,
even if we didn't want to, we do need to exercise to plan for that.
We've done a series of exercises over time, cyber storm one and cyber storm two and cyber
storm three is in planning, plus there is a whole series of exercises
in both government or government and industry to make sure we're getting ready for future
events. We need to do a couple of things.
One, we need to first off continue to do those things,
make sure they're not too burdensome so they keep people away from doing their day to day
job, but make sure we do them and do them to the
right way and get the private sector, where appropriate, involved from the very
start so we are in fact training to the goal and bringing in all the people in who need
to play. Second, we need to make sure that there's
a cadence around those exercises so we are using them in concert with our policy development,
and testing the things that we actually want to use.
So as we go forward on exercises, we want to make sure those align with the incident
planning and response processes that we're developing,
and that we've got an interim cycle, much as DOD has always done, so exercises inform
plans, we exercise plans and we actually loop through around,
and included in there is sort of future planning. What do we think we're going to need, what
capabilities will we need in three years and five years?
Design the plans to address those, the capabilities to address them, exercise and loop around
for a cycle of a virtual cycle effectively.
>>WINGO: At this point, I'm just going to ask one more question but I'd like members
in the audience, if you'd like to start lining up at the microphones,
we're going to take questions and also from Google moderator after I ask this one last
question. A great point was made, I think Chris and
someone else mentioned, what's the flow back to the private sector?
In other words, sometimes, there's a question, we give up information.
If you're a business and you say, what's in it for us, how do we share, and so it's great
to hear that the folks are really thinking about how do we provide that value,
how do we send information back and figure out a framework that we can work together
to make sure that that's working. My last question for the panel before we take
questions from the audience and Google moderator is what do you think in a concrete sense we
can do to really get the word out and involve citizens just
in the sense that there is, of course, a criminal element to cyber security and the problem
as well as small businesses, the impact, you buy an expensive computer.
Maybe you have several, if you're a small business person, and they're fried.
You can't use them and then just, this is, people are becoming more aware but what's
the role for this really public facing, consumer side of this effort?
>>PAINTER: I think one of the chapters, a full chapter of the report was based on both
the education, but also the public outreach and a real public outreach campaign that is
supposed to educate the public about how important this issue is.
And one of the things I've seen is that you know, a while ago at least,
we had to change the culture. A lot of people, kids growing up think that
being a hacker might be cool, attacking things might be cool, there's not
really anything wrong with that. It's different from someone breaking into
your garage next door because it's in cyber space and they look at that differently.
I think that's changing. We need to accelerate that change.
With small businesses and other businesses, in terms of reporting the intrusion, not just
the law enforcement but to the network security experts,
I think as they see these really impact their bottom line, that's something that becomes
important and they understand that by contributing that information,
they may not be the only victim. There's a whole lot of other victims and you
can only get a sense of the problem and do something about it if they come forward.
What we have to do is convince them of the capability we bring to them.
That we can actually do something for them. And I think there is, not just in the law
enforcement side, but the network security side and the policy side.
And especially dealing with things that maybe they can't do like deal with our international
partners since these always have an international dimension.
>>WINGO: All right. We're kind of running out of time so unless there's, Phil.
>>REITINGER: Briefly, this is something that's sort of a hump problem, right,
because what we've got now is a collection of people who did not grow up with IT sort
of embedded in the infrastructure and everything they do.
Now people grow up and by the time they actually take their drivers test,
they've been around cars and seen people driving forever.
They've taken driver's ed in high school probably. So there's an entire, the entire community
informs them, educates them about driving from when they're very young.
We'll get there eventually if we do this right. But we've got to get over that hump.
We've got to get to that point. And that's where the recommendations in the
60-day review are so important. This is not a blank slate.
People have been doing great work, like the National Cyber Security Alliance in this space
for a long time, but we do need to step this up to another
level. We, if in fact, as I believe, this is a national
and homeland security problem, then we have to treat it that way.
And we've got to make sure that we devote the resources and the effort to really educating
the public down through kids, through individuals, through small businesses,
and through corporations as to what the threat really is and what they need to do to protect
themselves. So this is, it's not a mystery what we need
to do. We just need to execute.
>>WINGO: Thanks, Phil.
>>PAINTER: And that ties back to the president's statement. This is a national priority.
>>WINGO: Right. Now we can take questions from the audience and our Google moderator.
If you could please just introduce yourself and then ask your question briefly.
>>Q: I'm Michael Nelson of Georgetown University. I think this has been a very useful panel
and very encouraging. You've laid out the right issues.
There's a lot of agreement on this panel about what needs to be done.
But I've been a little frustrated that we haven't spent enough time looking at how to
make the infrastructure itself more secure, and particularly I wanted to pick up on Phil's
point that we need to have, at its foundation, an infrastructure that has good authentication
built into it with privacy protection built into that authentication mechanism.
When Phil and I and others were working on cyber policy fifteen years ago in the Clinton
White House, we all knew that we had to have better authentication.
And fifteen years later, we have more problems with online identity theft.
We have more problems with phishing. We still haven't solved that problem.
There have been dozens of private-public partnerships. To highlight some of the specifics in this
area, I'd like each of the panelists, or whoever wants to take it,
to tell me why you think we haven't made progress on this fundamental issue in fifteen years,
and what we need to do going forward, industry, government, Congress.
>>WINGO: Richard, do you want to
>>HALE: So what I'd say is, being old again I got to watch all these technologies develop.
All of these technologies were developed with the notion that everybody was benign and they
were all developed with the notion of anonymity. So the network is completely anonymous.
There is essentially nothing built into the technology infrastructure that makes it less
so. So in the department, we have a goal, underlying
some of these higher level goals I mentioned, of driving anonymity completely out of our
internal networks and with as many mission partners as we can.
So we're struggling with the privacy problems. We've decided things like social security
numbers can't be part of that. We've also decided that technologies can involve
long, lifetime secrets. And again a social security number somehow
turned into a long, lifetime secret. When I was a kid, we printed them on our checks.
They weren't secret, right? The Privacy Act made them secret.
So we've pushed aggressively in technologies that don't require us to reveal authenticator,
yet allow us to authenticate. So we have a big public infrastructure on
the unclassified networks and we're rolling it out.
And we have a big one on one of the classified networks and we're rolling it out on the secret
network this year. I think those kinds of technologies have to
become much more ubiquitous, right? We've got to drive out the anonymity.
The other thing we struggle with, and back to the "it's not just a technology problem"
point, is as you drive anonymity out, you still need to figure out how to establish
enough cues so that people trust others that they've just discovered.
So now, I know its Richard Hale, so what? Do I want to do business with him?
Do I want to interact with him? So the other structures that need to come
around, learning other things about Richard Hale, in a dependable way, and this is the
trick, right. It can't be easy to mess with that information
either, so you can make a business decision around Richard Hale.
So what I'd say is I think there are technology pieces, parts to start to solve this problem.
Again, we've worried a lot about privacy as part of doing this.
I don't think we've solved all the privacy problems,
but some of this business of not revealing certain information in order to authenticate
is part of it. But I think the pieces are there.
We just haven't had the economic reason to do it, except in places like DOD.
>>PAINTER: And I'd take off that statement. I think one of the reasons you haven't seen
it is the business case has been made to the industry or to the public in terms of as it
is today. Now, people are losing their identity and
they see the identity thefts and these data breaches.
I think it brings it more at home to them. I think the other issue is how do you build
in the privacy and civil liberties into this debate?
And I think it's very important. I think that there are some purposes where
you need anonymity, and some where you need more authentication.
In fact, if you have good authentication, you really do this right, you're enhancing
privacy. You're protecting people's data and you're
making the pie larger, rather than doing a zero sum game.
And I think that's important too. One of the things that I think really was
unprecedented about our report and the structure going forward is the civil liberties and privacy
person is going to be a part of the NSC directorate that's dealing with this,
with all these issues. And so we're really going to have that kind
of dialogue to make sure we balance the equation correctly.
But I think there's a lot in this area that can be done that would really help get a lot
of the noise out of the system and make us more effective.
>>REITINGER: So, since it's my point, I'll say something, specifically on why I think
the problem is. The problem is policy.
It's not the technology. Technology's been there since 1995 or well
before. First off, I would disagree perhaps slightly
with Richard that I don't think the point is driving the anonymity out of the system.
The point is making strong authentication available for places where it's appropriate.
That may be on a DOD network everywhere. But on the internet it's certainly not.
And we have to recognize vis-à-vis Chris' points that anonymity is not only highly socially
valuable, but constitutionally protected for a lot of
the stuff that happens on the internet. So we have to keep that very much in mind,
but at the same time, making it easier to have strong authentication.
Why we haven't made progress is, I think, it's not a public good problem.
It's a bit of a collective action problem. Too many pieces need to move together at the
same time for this to have happened organically. Maybe some industry, or some entity in an
industry, wants to use strong authentication, but because there's not a broadly available
way to do that, they've kind of got to roll their own.
And it's not worth their economic dime to do that.
And governments never really provided the ways to optionally authenticate online if
you want to do it. And so there's just, the people that could
act, don't really have the incentives to act. What, where we've got to get is we've got
to get to the point where, if you don't want to use things like a user name and password,
a set of shared secrets, they may be shared, but they're not really secrets, you don't
have to use that. You can use some sort of credential that provides
you much more authentication or much greater degree in security.
If I want to see my thrift savings plan, or my IRS information or something, then I've
got a strong means of authentication, so I can have the security to do that.
I can optionally do that. And so I think how we get there is find those
places where we can catalyze action by government or industry and spiral outward from it.
>>WINGO: Liesyl?
>>FRANZ: I think we addressed the first part, which was how do we get more use of technologies
that are available already. I think if truly there is a place where the
market hasn't met a need, then perhaps we can look at a way for another
public-private partnership to bring resources of government and the resources of the private
sector and whomever else needs to be involved together for a specific project that might
address more fundamental things where there isn't a current technology or it isn't a current
system to adjust your infrastructure point, Mike.
>>WINGO: Thank you for your question. Over here.
>>Q: My name is Steven Gramson (sp) with
Terrorism Research Center. This may be a question for Richard.
We've received some reports recently through cyber security experts testifying on the Hill
that China has developed its own secure operating system and it's been developed in the past
six years. And they just started deploying it in 2007.
Is this something that the DOD is doing? The reason I ask is it seems like we're kind
of on the reactive instead of the proactive here.
The DOD has spent over $100 million apparently in the last six months on cleaning up cyber
security issues and what not. Do you think going forward we can continue
to partnership with some of these private entities where their focus may be more on
business developing and really not security in some of their products?
Should we be developing our own security software like the Chinese have done?
>>HALE: Oh, man, this is another old guy question. So back in the system high era, the DOD did
make the decision that current models for operating systems,
in particular, were not sufficient for this problem of both handling multiple classifications
in a single machine, but also just for general resistance to cyber
attack. So we wrote a guide book on how to write an
operating system that was more resistant and then handled the labels and access control
based on the labels. And we had a public-private partnership thing
going on. We had a really, really great one.
We had every operating system vendor in the world essentially, except for Microsoft, build
one of these operating systems, and then we massively non-adopted them.
So now we've burned industry. People looked at that and said, "I'm not spending
money on that again. You guys promised that if we made these, you
would make a market for them." So I think there are a couple of lessons there.
One is, yes, the government does have to be more active in demanding an infrastructure
that's more robust. The government is going to have to pay for
it. Now, so if we can use our collective buying
power, the government is still a big information technology customer.
We can actually help nudge the market at least. We can't completely shape it anymore.
So I think we have to be much more serious about using our buying power to harden up
some of the commercial things. And yes, there are places we're going to have
to build our own special purpose technology. We still do it with cryptography, there are
going to be some other infrastructure pieces the government's going to have to build itself.
>>WINGO: Okay, next question. We have fifteen more minutes, so what I'm
going to do is try and move through as many questions as we can.
I'll probably take two more, and then go to a moderator question for the panelists.
I may actually cut off after one or two, but if we have extra time,
please keep in mind the questions you want to revisit. Sir?
>>Q: Brian Rowe with Public Knowledge. When I hear the rhetoric of "we're under attack
at all times" and security, along with my geek background, it's very difficult
for me not to associate those things with warrantless wiretaps and telecom immunity,
or mandating that printers print out information in the pages that give up individual's information
about who printed that information. So what is going to be done, not just lip
service to privacy, but to ensure that these programs are open and transparent?
So that we the citizens can decide whether we want to give up those rights in the name
of this war that's being put forward.
>>REITINGER: I'll just start by saying I don't think you should be asked to give up rights.
I think we ought to find ways to move forward. I don't want to sound just like lip service,
but I really mean this. We need to find ways to move forward and protect
security and privacy at the same time. There will be places where there'll be push
points, but I think in a lot of areas we can do that.
We obviously need transparency to the greatest extent possible so that we can provide oversight
from the public about what we're doing. The last thing I'd say is that, as Chris pointed
out in response to the question earlier, the 60-day review specifically said on the
team, on the cyber security team, in the White House there's going to be a privacy and civil
liberties person present. And so we've got to institutionalize the perspectives
that we need in order to protect privacy. I think you would find that during the course
of the 60-day review, that the outreach that was done broadly by the team that did it,
under Ms. Hathaway's leadership, was extremely broad and included the privacy community.
And I think that was a very light on fact for a lot of people in the community.
>>PAINTER: And that's absolutely right. We've met with many of the civil liberties
and privacy experts several times. And they were delighted by it.
They said that's something they really didn't have that experience with before.
So it's really more than lip service. This president has made transparency a bedrock
principle of his presidency and something that we take very seriously.
We want to make sure that when we're looking at all of these issues, we're building that
in.
>>WINGO: Brian, thanks for your question. Here?
>>Q: Hi, my name is Ian Crone. I'm representing the Center for Advanced Defense
Studies. I'm curious in a situation in which we have
civilian, military, and private networks all running on shared operating systems, and not
just our own networks, but also those of our potential adversaries.
How do you build that relationship and that balance between a potential offensive capabilities
with the military in developing and researching offensive applications?
We have this new cyber command. How do you balance that against the need for
defense? If we discover vulnerability on one side of
the public-private divide, especially on the military side, how will that information be
shared? Should it be shared?
So do you patch vulnerability or do you keep it secret to exploit?
>>HALE: Is that one for me? Yes, thanks. (Laughter.)
So I think it's a great question. Right now we tend to share the vulnerability
information we find. So I can't talk about some of how these processes
work because they aren't public processes. But there is a vigorous debate process inside
the, actually inside the whole federal government, it's not just the Department of Defense, about
how this should work. And, in general, the way it works is we choose
to share the vulnerability information and fix whatever the vulnerability was,
or at least encourage fixing the vulnerability. We do have a very active program to do that.
And we've also tried to catalog these things and share them as widely as we can.
There's something called the National Vulnerability Database that is run out of the National Institute
of Standards and Technology, where a lot of this vulnerability sharing
is done.
>>WINGO: Liesyl?
>>FRANZ: I think an important aspect of that is the ongoing dialogue that I mentioned between
the various parties on an ongoing basis, not just when something happens.
And there's also the notion of responsible disclosure that has been worked on over time
between government and industry about how to disclose something,
at least publicly that at the right time, when it allows people to take action to defend
themselves, but also doesn't subject the environment to being exploited and without some protections
being put in place. So I think there's a lot of dialogue required
and a mechanism for that on a consistent basis. There's going to be times where there's tension
between a disclosure or not. And that just needs to be worked out as quickly
as possible. There have been instances where the traditional
ways of disclosing have been overruled by the dialogue that took place.
>>WINGO: Thanks. So I'm going to go to Google moderator now.
Actually I might combine the first two questions. How will the lack of international law by
treaty or precedent on cyber warfare affect U.S. development of cyber defense capabilities?
And then also, has the Defense Department outlined a moral framework for offensive cyber
warfare? Could concepts like preemptive war and mutually
assured destruction apply to cyber space? Anyone want to jump in on that one?
Richard, we could let you also off the hook. So why don't we hear from someone else that
got, unless you want to jump in?
>>HALE: We're lawless. I'm not a lawyer. So I say one of the lawyers should (laughter)
>>FRANZ: I'm not a lawyer either, but I would just say that I don't think we need to wait
for a treaty which might not be optimal anyway to start,
to work on defensive protective measures.
>>PAINTER: Right and I would say that one of the things we talk about in the report
we need to do is to work with the international partners to try to define what some of the
norms are in cyber space. But one of the things I think that's also
clear, when we look at all these events that have happened,
is there is a fundamental thing we need to do, no matter what the attack factor is.
And we have threats from criminals, from nation states.
There's a whole range of threat actors out there.
We still need to do certain core things. One of those things is to harden the targets,
make sure we have the defensive measures in place,
and make sure we have the incident response plan in place.
Make sure we have the partnerships in place, both internationally and in the private sector.
Those are all core no matter what because attribution is still a big issue in this area.
We don't always know who's doing what to us and we need to get better at doing that too.
>>WINGO: Just real quick, Richard. I want to mention one thing.
We talked in the waiting room, a bunch of us, about maybe a loose analogy,
which is not the same case, but for piracy on the high seas.
It's also an international problem that's age old.
Just in the spring, the Maersk Alabama, 350 miles off the Somali Coast was attacked by
pirates. Richard and I were both in, have Navy connections.
I used to be a frogman. So that was ended with the application
of force by Navy SEALs, but the development of international norms,
cooperation, and also the private sector. I was just watching a documentary on what
happened and the procedures that these vessels have.
They share amongst themselves best practices. I think one of the first things they did was
call some antipiracy center in the UK, when they were being attacked.
So on this question I thought it was interesting. You've talked about history quite a bit during
this, so Richard, what are your thoughts on this question?
>>HALE: Well, at least for now, we've been trying to cook up as many ad hoc relationships
as we can. Some of them are very enduring relationships
with our closest partners. Those relationships have been in place since
before World War II, for instance, and we've used those relationships to expand
sharing around cyber stuff and around incident response.
We've succeeded in some of the cyber emergencies in putting together ad-hoc coalitions and
that's partly what DOD does for a living is put ad-hoc coalitions together and figure
out how to get something done around some of the cyber emergencies in other parts of
the world. So, I do think we need a better; there aren't
social norms here yet. I do think we need better notions of what
those are, where the boundaries are, and again, maybe
this is back to the roles and responsibilities conversation.
We need to figure some of those out with our partners, so it's not all ad-hoc.
>>REITINGER: One quick point. This is another area where we need to go sort
of farther, stronger, faster. As the 60-day report makes clear, this is
inherently an international problem. We have to solve it internationally.
This is something no one government can solve. Let's not, while acknowledging that we've
got a lot farther to go, let's not pretend that nothing has happened.
Both Chris and I have served time chairing the G-8 Subgroup on High-Tech Crime and many,
many years ago, in internet time, probably a century ago, the Council of Europe
developed a Cybercrime Convention, which was the first sort of major international instrument
and is a very effective way for law enforcement around the world to work together on a very
rapid scale to solve crime. Now, that needs to be adopted much more broadly
internationally. One of the things the Senate did a few years
ago was to ratify that convention. That was a very good thing.
We need to find ways to build on those successes, but successes they have been.
>>Q: And it seems like there needs to be some kind of incentive to prevent that from happening
because it's a systemic flaw in the software design process.
Do any of you have any insight into how you might approach that?
>>PAINTER: I think incentives are one thing we're obviously looking at.
I also think the market is changing to some extent too.
If software is more secure, it might demand a little bit of a premium because people don't
want their information taken and they start relying on this information every day.
So I think it's a combination of incentives and also the market actually valuing this
more. I think on the government level, it's actually
having the security people in the same room as the innovation people when we consider
these issues. So they're not two separate camps, but they're
integrated, and they're exchanging information at the outset.
>>DONESKI: But the government could help drive the innovation in the private sector if it
offered substantial incentives. And I think that's something that the folks
in the Congress really are very interested in doing, and I think that it's something
that might be, take the form of a tax incentive.
We're looking at all those options.
>>REITINGER: If you want to bring the market to bear, you've got to have the ability for
people in the market to make effective decisions. So you've got to let them make decisions based
on data. And if you can do that, then you're going
to bring a lot of additional incentives to bear too.
>>WINGO: We can take one more question. A quick thought
>>HALE: Let me finish that thought. The government still has a lot of buying power
and if we band together, we can actually make a market for some of
this stuff.
>>WINGO: Thank you, one last question.
>>Q: Thank you. Shannon Kellogg with EMC Corporation. One quick point and then a question on the
international front. The quick point is I agree with you on the
authentication identity management issues and I think Mike's question was an important
one. One thing I would throw out there on that
front though is that there is a lot of focus on what's happening in government.
There are sectors like the financial industry that actually have, for a number of reasons,
some of it because of threat, financial loss, some of it because of market conditions,
and then also even the government push, if you will, have actually gone out and adopted
based on risk of those transactions a broad set of authentication methods.
So I'd encourage you to look at what the financial industry is doing on that front.
But the question is, I agree with what you've been talking about in terms of the importance
of international coordination. But going back to Phil's point about competitiveness,
and Ellen, perhaps this is something that you might want to start off because I think
it ties into the legislation that Senator Rockefeller has introduced, and that is what
about the international implications for what we do here at home, okay?
And so there are different legislative approaches that are out there.
There are different procurement requirements and strategies that are out there.
There are a number of things that we're looking at doing in the context of the cyber review
that could have an impact on how we're perceived internationally and could give some governments
who are already starting to go in a direction and putting additional requirements on big
companies and other multinational actors who are important to the American economy that
are putting these requirements potentially on us that would restrict our ability to compete
abroad. And so I'm just wondering, as you think about
this challenge internationally, are you also looking at how policies at home can impact
our competitiveness on the global front?
>>Q: I agree with that point, but one implication is that there are governments abroad who are
also looking at what we're doing to give them an excuse to actually go down a path that
would be very harmful to us.
>>PAINTER: Well, and that's what it's going to get to.
It's a flipside too. It's what we do here, but what is happening
on the international community that affects businesses in the United States.
And we need to; part of our international engagement strategy is to bring industry along.
Phil's absolutely right. We've made huge strides in some areas like
the Council of Europe, which is still, that treaty is still a cornerstone
of our foreign policy, getting other countries to adopt that.
We've built a lot of networks on some levels, but bringing industry into a lot of these
discussions we're having with other governments to make sure that we have all this multiplicity
of forums dealing with these issues. We're actually making use of them in a way
that helps all of us together achieve the competitiveness you're talking about.
>>WINGO: Thank you. So Google takes cyber security seriously.
We look forward to working with others in industry, members of the public, but definitely
with the government as well. And we're attacked every day.
It's a serious issue. I'd like to thank each of you for your participation.
This is a great panel. And to everyone in the audience, thanks for
your time and your interest. (Applause.)