George Washington University Cybersecurity Policy, CSPAN, October 17, 2017, 5:27pm-6:18pm EDT
cybersecurity industry leaders recently got together to talk about public/private partnerships, critical infrastructure resilience, and the trump administration's cybersecurity executive order, which aims to strengthen federal government networks and critical infrastructure. this is about 50 minutes. >> thanks, everybody, for being here today. my name is christian beckner. i'm the deputy director here, here to give frank a bit of a breather during this morning's conference. we have a great panel before us
on tactical public/private innovation collaboration, a number of the public and private sector issues on cybersecurity. want to also echo frank and thank our sponsors for this event, northrop grumman, and marcus edwards, who has been our sort of partner in getting this organized for the past few months. in addition to his day job, he's also a doctor of engineering student here at george washington university. i don't know how he finds time to do both of those things, but thanks, marcus, for all of your work on today's conference. i'll briefly introduce the panel that we have before us, and then we'll go right into a discussion with some time at the end of the 50 minutes for audience questions. first, immediately to my left, your right, scott aaronson,
executive director for security and business continuity at the edison electric institute. he's been there since 2009, working in a variety of roles before getting his current position. before that, worked on the hill for congressman lantos, senator nelson for a number of years, and has a masters here from gw from the graduate school of political management. and also, as will be announced early this month, will be a member of the senator's board of directors. finally, to his left, kiersten todt is the president and managing partner of liberty group ventures and also a resident scholar at the university of pittsburgh institute for cyber law. she served last year as the executive director for the commission on the national cybersecurity team led by tom and sam, and a number of recommendations in that report, which was issued late last year,
have found their way into the executive order that was issued in may of this year, and we'll be discussing some of those issues in the course of this panel. she's experienced before that in the private sector and also up in congress. and finally, on the far end of the table, chris valentino, director of joint cyberspace program. worked at northrop grumman for a long time in a variety of roles, and for many of their cybersecurity activities. so want to thank all of our panelists for being here, and you know, we sort of talked in the last panel about some of the cyber threats, cyber defense questions, but this panel is much more about the fact that if you look at cybersecurity, it's a shared endeavor between the public sector and private sector. a lot of oxygen on those issues in the past decade has been about information sharing, about regulation. i think there's been a shift in the last couple years away from the focus on those two issues.
information sharing still an issue, but legislation has been passed. regulation still exists in a variety of forms, but it's not the all consuming issue it was. i think now the public/private sector dialogue is much more about how can the public sector and private sector work together, not just on sort of sharing information, passing it over a wall and barely interacting with each other, but collaborating, building, sharing information, working across the intelligence cycle. working together on things like r&d and workforce development and building the architecture for the incentives to be in place for government to be funding the right things, for the private sector to be doing the right things. so i guess turning first in general to the panel to make a few opening thoughts. you know, i guess focus first on the executive order from may.
a key provision there was looking at how the u.s. government provides support to critical infrastructure that's at greatest risk, referred to in some cases in the previous executive orders as the section nine critical infrastructure. what's your sort of baseline assessment about how well the federal government, dhs and other agencies are providing support to this most critical infrastructure or the private sector in general against cyber threats? what additional types of support are needed? and where do we draw the line at what's the government's responsibility and where the private sector's responsibility should be? and if you want to take a first crack at that, scott? >> sure. thank you, christian. and yeah, good open ended question. i'll start with the last thing you said first, which is where does the private sector's responsibility end and the government's begin. it's not some bright line. i think it's a really jagged line, and one of the more important things we can do is not just assume that the other half of the equation has it.
so i'm privileged to support the investor owned electric companies here in the united states. but i also serve as a secretary for something known as the electricity subsector coordinating council or the escc. the escc is unique in sector coordinating councils in that it is led by ceos. so we have 30 ceos from all segments of the industry, across all of north america, that get together three times a year under blue skies to do strategic planning. looking just over the horizon, and i'll quote our co-chair, who likes to quote wayne gretzky. we want to skate to where the puck will be. it's about looking just over the horizon. something ceos do particularly well. this in general, they create accountability. they provide resources. they set priorities, and most importantly, in the context of christian's question, they're a draw to other senior executives. that is other senior executives
in other sectors with which we are interdependent and with our government partners. it's phenomenal. and part of the reason why it's phenomenal is because we have senior government officials from the department of energy, the department of homeland security and the white house, getting together on a regular basis when the skies are blue with leadership of the electric sector. the last month, we have been getting together on a fairly regular basis because of storm response. and so i think, i can draw the position between cybersecurity, the topic of today, and what we have been doing with respect to storms. i think there is this focus on left of boom, before the bad thing happened. how are we preparing, protecting, defending? all really important pursuits, to be sure, but you can't negotiate with mother nature, and frankly, even with an
intelligent adversary, if we have to be right 100% of the time and they have to be right once, if we're not focusing on consequence management, how do we respond, how do we recover, how do we get this critical infrastructure operational again, we're missing an incredibly important part of the equation. i can say for the last five weeks and one day, who's counting, we have been working really closely at all levels of government to leverage the resources and capabilities of both the industry and the government in response to major natural disasters. and the same would be true in a cyber or physical attack situation. so a lot of what we're doing with this blue sky planning is to prepare for when these bad days happen. i can say from the last five days of experience, the foundation we have built of government/industry coordination at a senior level that sets those priorities, that creates that accountability, that
provides those resources and brings us together has been invaluable. >> thank you, scott. kiersten, did you want to add anything to that? >> always. thank you very much. and thanks very much for the opportunity to be here and for this conversation. so you asked a lot of great questions, and there are a lot of different ways to look at it. i'll take two pieces to this because you talk about critical infrastructure. one of the key issues that the commission looked at was how do we define critical infrastructure? and the challenge that we have now in an interdependent world, and particularly in the internet of things, is how we all rely on each other. so when we define critical infrastructure as it's been defined over the years, it very much has the boundaries around it. scott knows this better than most given the industry he's in. we talked a lot about how technology and innovation can start to blur those lines, and some of you have heard the analogy i used from one of the commissioners who talked about a goal of uber timing the traffic lights in san francisco because they can saturate the roads, but
the last thing he wants to be classified is as critical infrastructure. and facebook as a communications redundancy, the last thing they want to be defined as is critical infrastructure. so we have to evolve the framework of how we're thinking about what is critical to our society and there is honestly no better current event to demonstrate that than the equifax breach. rest assured, equifax was not identified as critical infrastructure, but if you're one of the 143 million whose files were hacked, you're thinking it's critical because it's critical to you. we have to think much more thoughtfully about this definition. i struggle a little bit and i know dhs came out this week to say, hey, we're going to look at how we define section nine. that's a very important step because section nine and what it means has to evolve with the time and the threat. the times that we're in right now and the corresponding threats. and it's interesting because i have -- i agree with everything that scott said about how we look at it. and i think given the industry
that scott's in, and particularly with the unfortunate exercise of what they're going through right now, what i would argue writ large in response and recovery is that the challenge we have had with government and industry tends not to be in response. government does incident response really well. we heard from aaron hughes about ppd-41, and that's great. we tend to react when it comes to cybersecurity very effectively or in other places. the other example we use a lot in this is looking at obamacare. we spent a lot of time putting that together and then it failed, and then in 60 days, we got up and running a fantastic system, regardless of where you stand on the issues, as far as technology and where it goes. so our ability to respond is actually very effective. when we look at cybersecurity, though, the challenge we have is what we're doing beforehand. and if we -- you talk about information sharing, and we joked around on the commission that we never use the term information sharing because it's really lost its meaning. we heard on the previous panel
the difference between partnership and collaboration. in the commission, we talked a lot about collaboration. one of the commissioners was adamant it's about industry and government coming together before the event happens to work together to develop the relationships that scott cites very effectively, and because of those relationships, you're then able to respond very effectively. but in a cybersecurity situation and how we're looking at government/industry, we haven't taken the time to develop those relationships, to take a page out of the pentagon playbook and talk about deliberate planning, training exercises, and by doing that, and there's a recommendation in the commission report that talks about engaging senior leaders of industry and government, you look at and hold each other to a high standard, and in conversations i have had with several leaders of industry since equifax, part of that value is saying, hey, are you doing the basic cyber risk management actions? are you patching? are you doing these things that everybody knows you should be doing? if you're a part of this group, and i think the groups that scott is a part of are really
role models in this situation. you're actually holding each other to a higher standard to prevent some of the very basic gaps and arguably gross negligence we're seeing right now in the industry. so we have to redefine how we're looking at critical infrastructure. and from a cybersecurity side, we really need to look at what happens before the event so when the events do happen, we have all of those relationships in place. >> thanks, kiersten. i'll turn to you in a second, but i want to ask one quick thought to kiersten. the whole concept of critical infrastructure as we use it within the federal system goes back to physical attacks against infrastructure, back in some of the work done in the 1990s. are we really -- should we really be thinking about this, as we're thinking about cyber or cyber enabled threats? you mentioned equifax. the attacks on the election systems are also an example of this. is critical infrastructure still the framework that is suited to the times, or do we need to basically be starting over and be rethinking the way we
classify and look at different types of infrastructure that's at risk to digital enabled threats? >> i have a policy perspective on this. i would love to hear scott's view on this. i do believe so, to your point, the definitions are based on physical attacks. they are not based on what the threats are today. so how do we reframe how we're defining it? it's not to say that we don't need support and extra support around those functions that are critical to operations, but the challenge is that you have critical functions that are dependent on noncritical functions. that's because of the cyber infrastructure we have created. so how do we look at those definitions to honor that? i'll make the quick point that at the beginning of the collaboration deliberations, we said we have to look at standards for things that are life affecting. driverless cars, pacemakers, then last fall, it's like, of course, this is about the weakest link. if you can access your critical infrastructure through a baby monitor because they're hooked up to the computers, then what are we doing to actually look at that? and that gets into the cascading
discussion around incentives and security. and scott. >> jumping in to react. i do want to react just a little bit. i think much like i couldn't agree more that information sharing has lost all meaning, to me, it's information flow, and we can talk about that in a second. but with respect to the question about critical infrastructure, i do think on some level we're over defining what is critical. i like to juxtapose i.t. versus o.t. look, none of the companies that eei represents wants to lose the personally identifiable information or credit card information of their customers, but that's not critical to national security. attacks on electricity infrastructure, attacks on communications infrastructure, that really is a national and economic security threat. and so i think if we're talking about critical infrastructure, we really have to think about it in terms of operational technology and the impact that can have on the life, health, and safety of americans in their
daily lives. >> chris, turning to you. northrop grumman, in addition to supporting the government, is an owner/operator of critical infrastructure. if you want to jump in and react to any of this or make a few opening comments of your own? >> relative to the eo and what it tries to establish, there are three key points. first and foremost, leveraging in this framework is a consistent set of standards. and even just an approach to doing the basic kind of blocking and tackling from a protection standpoint and then shifting from a risk management aspect to what kiersten said about the weakest link. with our industrial base, the weakest link becomes the supplier base, which hasn't been held to the same set of requirements and standards that the rest of the industry has, whether it be their size, their focus, or whatever you might say. so being able to transform that core supplier base to the same
set of standards, and that will then enable the ability to share information in a more effective way. we don't even have the tools and technology to accept the information you want to share to create some type of proactive defense or response. you don't even have a starting point. so that's kind of job one, just to establish the core framework and go from there. >> any of you want to react to that? >> so scott, as you mentioned, you know, the response in texas, florida, and now puerto rico, you know, and the impact on the electric sector, one of the provisions of the cybersecurity order requires the department of energy and dhs to assess response capabilities due to the disruption of electricity. do you have any sort of insight into where things stand with that review from the industry perspective as it pertains to
cyber risks? and how do we think about these cyber risks to the electric grid from a hazard standpoint as they relate to manmade or rather sort of other deliberate attacks against the cyber barrier? >> so maybe this is blasphemous, especially as we're talking about cybersecurity, but i'm kind of threat agnostic. i don't really care why our systems have an outage, whether it's a cyberattack, a physical attack, or a storm. act of war or act of god, at the end of the day, our responsibility is to get power back up and running. potentially even without cyber means. we have all of this digital infrastructure that allows us to be more efficient, to be able to better track customer usage, for customers to do more interesting things to control their own usage themselves. all great, but you know what? we operated the grid for the better part of the 20th century without that. and so as we look at the executive order, at its specific
focus on the energy grid and energy infrastructure in general, we have been falling back on this wonderful partnership that we enjoy with our sector specific agency, the department of energy. and you know, one of the things that they have at their disposal came from the end of 2015. the fast act gave a grid emergency authority to the secretary of energy, to declare a grid security emergency and have extraordinary capabilities to compel actions to get back up with or without a digital overlay. one of the things that we did, you know, the question, again, going back to sort of the value of ceo leadership, the question came up, are we able to operate the grid today without digital infrastructure? and the answer was, sort of. and that was not a good answer for ceos. so they said, that's not a good answer. we're going to go back to the drawing board.
we have embarked on an initiative, it goes by a couple of names. both of them are fun. one is supplemental operating strategies or sos, and the other is the macgyver project. how can we hold the grid together with bubble gum and duct tape to operate, maybe not in an efficient way, maybe in a degraded state, but so we can continue to provide the product that is important to the life, health, and safety of americans. and we got some very smart engineers together who are working very hard and have actually developed some ideas so that we are not figuring this out in the midst of the incident but so that we have some ideas of what we would do in this contingency. it is some contingency planning. we have explained that to the department of energy. that is going to be part of the fast act authority that the secretary of energy can use, and the idea would be not to figure these things out in the midst of an incident but to have a menu of options that the secretary of energy can pull from that are
already tested from an engineering standpoint, that already can be handled, and that way when this extraordinary authority is leveraged for the first time, the solutions are not being tested for the first time. and i think that goes to one of the points that kiersten was making about looking left of boom while we are also preparing to be responsive, which is something i agree we have a century's worth of experience of and do particularly well. >> kiersten, one of the key issues articulated in the cyber commission report last year was the issue of incentives, trying to get the incentive structure right to enable public/private sector cooperation. when we have sort of thought about incentives over the past few years, for the most part, we have been thinking about punishing when something goes wrong, and then we have seen that in cases with target and most recently with equifax. but is there -- are there different ways to think about
incentives. not necessarily just the punitive after the incident, but how do you build incentives from the beginning to ensure the right type of cyber behavior, basically create a microeconomics of good cyber behavior within a company and in collaboration with the government? >> you started to answer actually the approach that i was taking, because i do think when we look at incentives, we have typically looked at it in a framework that hasn't been effective. we do look to congress. we look to government. we look to penalize. i was asked a question earlier this week of, you know, if we just keep on dragging the companies up to the hill and talk about what happened and what went wrong, that's clearly not doing anything. and we also talk about tax incentives or business breaks, but this is not actually getting at the business case or the business model for cyber risk management. we have to be engaging the key stakeholders and doing so in an effective way that makes good business the right answer. i was talking to a ceo of a utility company who was looking at education and awareness because we talk about cultural
change and what's the incentive for the business case. he said he runs every three months a module for every employee to take them phishing. if they fail, they lose system access for a certain period of time. we had this conversation about risk management because the argument there is, as a ceo, if he loses an employee, let's just say for a week, they lose system access for a week, he can manage that. he has a resilient infrastructure to catch that, no different than someone going on vacation. but as an employee, if you lose your salary for a week, that's a much harder hit to manage. so that type of incentive structure where people have the consequences, and we talked about putting it into performance reviews, but that is the cultural. the other issue is where are the boards of directors on these issues? where are the shareholders, shareholder activism? one of the key lessons that got muffled a little bit from the target case was that the institutional shareholder services got around and said these members of the board should be fired because they let
this happen. and they put accountability to individuals, and while those directors didn't actually get fired, the idea that individuals were accountable from a structure within the business was the first time we started to see that. so i think to answer your question about the incentives, it's got to be the business case, and the stakeholders have to be making the business case so that good business is really the only option, and if you fail to do good business, you're being held accountable not by congress, not by government, but by those that are actually going to affect your bottom line. >> thanks. chris? northrop grumman invests significant amounts of money in r&d related to cybersecurity, and parts of the federal government invest in cybersecurity on the defense side, civilian side, and i guess a key question is how do, you know, from a taxpayer and citizen standpoint, how do we ensure that the federal funds are being spent in
a way and how does the private sector work together with the federal government to sort of ensure that you're not just all chasing the same thing from an r&d perspective, but you're working to solve problems that are, you know, some of the harder long-term problems we're facing from an r&d perspective? >> that's a very good question. first, doing any type of research in a vacuum or absence of customer need or customer quorum leads you to do things that are interesting but not actually solve a problem. our approach is to work closely with our customers and understand their needs and exchange information, exchange research agendas and portfolios to make sure, "a," we're not duplicating good work going on but we're contributing to that work. there's really three key areas that we see, the most important things that need to get done. one is resilience. you know, the concept of the threat doesn't go away. right? it's not going to change. and if you continue to try to build a new hammer for a nail,
you'll do that and continuously iterate to a point you won't have anything. so resilience is really important, and from a cyber perspective to be able to fight through and recover rapidly, at some ready state. doesn't mean you don't have to go back and fix it later, but at least it continues to operate. the areas of machine learning and artificial intelligence, those are the key foundational core building blocks that both industry and government have to work on together. that's what's going to enable you to be able to do things like information sharing and do something useful with it. it doesn't help the information sharer if you have millions of notes, in the case of the federal government, where you can't do anything with it because your workforce can't keep up with the information that's coming in and to apply some type of responsive activity. and finally, you know, all of this is for naught if you can't do it at scale. so the cost of being able to operate at scale, as congressman hurd had mentioned.
the scale in which you have to operate on is not one that any industry or any enterprise would ever see. so being able to fly these technology capabilities at scale, and you have to be able to do all that in a unified fashion. >> you mentioned workforce issues. when we think about the public sector and private sector on workforce issues, it's usually about the private sector taking away the public sector's star performers right when they're at the point in their career in federal agencies when they're having a significant positive impact on work, and congressman hurd earlier talked about finding ways to sort of, you know, not only bring on new talent but sort of revolve people through the back and forth between the private sector and the public sector. you know, on these broader workforce challenges, what are the -- and anyone feel free to jump in on this. what are the key sort of needs and requirements that we see?
how is technology changing that in terms of some of the things you talked about with ai and machine learning? and for students who are here or who may be watching, what sorts of areas within cybersecurity should they be focusing on? >> it's a good question. i'll take it first. first i'll say we don't perceive it as a competition between industry and government. it's not a race for who gets the best first. it's really the ecosystem required to create enough talent to enter the system to help work together and solve problems. so we've been focused on that for many years now through middle school and high school and through the collegiate activities. i'll call attention to two programs we have, one at university of maryland, which is the advanced cybersecurity experience for students, and the second program, which is the scholars program at umbc. first and foremost is the value of a solid
engineering education is at the heart of all those programs. i mean, at some point this will become somewhat of a solved problem. so "a," the talent in the workforce now has to have something to do in 20 or 30 years. but "b," being able to think and being able to lead at the most foundational core is a huge gap. right? you often want people who are very smart. you want a very good thing. but they're not able to lead teams to solve problems. so that would be one area. and the technology area we talked about, certainly cognition, artificial intelligence, machine learning technologies are important on the scientific end, but from a practitioner standpoint, it's just as important to have both students and people reentering the workforce or retooling their skills to be able to have technical skill sets, like people in incident response for government and commercial industries. >> thanks. we'll open up to audience q&a in a minute. but do you want to react first?
>> a couple things. i do think, and we talked about this in the commission, the development of technology around ai and machine learning, it does not go with cyber workforce. and that we talk about the definition of cyber workforce. even in the last six to eight months you start to see everybody is part of the cybersecurity workforce. and those boundaries don't really exist. you can't go without an ipad pulled out, or a street vendor now uses technology across the board. sorry about that. and so it becomes very important to look at both of those issues. i think the second is that we have a bit of a false understanding right now of what cybersecurity means from the workforce. it's not just technology. it's about policy. it's about bringing in. it is bringing in other disciplines. it is probably one of the most vibrant interdisciplinary majors that exists right now because there is knowledge across the board that needs to exist. your question about students who
are thinking about this, you don't have to be a mathematician to be an engineer. and if we don't start balancing out those with aptitudes, we're going to be in a great deficit. and the other third piece to this, we develop the workforce now, but developing it organically through the elementary education programs, and we aren't doing a great job on that as a nation. we need to be doing much better at the elementary levels. you know, we're giving out ipads and getting funding for chromebooks, but we're not teaching students what that actually means. so understanding the cybersecurity capabilities and what that is becomes very important, the way that kids can then grow up around these issues. and then fourth, and talking about your issue with government and industry, i appreciate what chris said, but from the private sector side, i think what government will say is, well, you can say that because you can lure in with benefits, with salaries, with location, with, you know, there are a couple of
consulting firms that have universities and nice locations where they send their employees for a weekend. those of us who have all worked in government know the government is not those. you're looking for the greater good, which could be a hard sell when you're trying to get somebody out of college. but what we're starting to see from the private sector are exchange programs and understanding that, hey, your government service is actually really valuable to me. there were a few commissioners who were running very large multinational companies who said, you know, i actually would love to take somebody who's got that experience, bring them into my organization for 6, 12, 24 months and then bring them back into government. i think that's also general human behavior. we do better when we take what we learn and put it in different environments. so one of the companies is actually putting together an exchange program that will do that and also offer loan forgiveness. but i think that interchange between government and industry can be a very effective way to build a workforce and, to chris' point, not make it competitive but make it more collaborative. >> thanks.
>> the only thing i'm going to add, i think they gave great answers so i'll leave well enough alone and simply say i agree with all of that. the idea of an ecosystem, interchange, sharing of resources between government and industry. the broader theme of what we're talking about with critical infrastructure, if this is a shared responsibility, we have to find creative ways to make us more, all of us more secure and a plug for the electricity sector, one of the things we do. the work we do is very -- you're seeing it with storm response right now. these are military operations for lack of a better way to put it. and we have a program for those folks coming out of the military getting them into jobs in electric companies. it's been incredibly valuable because the requirements are so similar. the rigor, the commitment to public service, and that's true for a line worker who is out there working in the field but also as we look at some of the
cyber and physical security needs we have for the sector. >> thanks. we can take a few minutes of questions from the audience. please identify yourself and please wait for a microphone. we'll start here and then go over here. >> jim mccartney. you talked -- you were talking about the incentives and how do we create the right incentives. having worked on a couple of the things with the government, i would say the government is really bad at trying to project or foresee what good incentives look like in the private sector. oftentimes the more they do it, the worse it gets in terms of prohibiting. i would say that the government may be better suited to create the environment in which things like you talked about can exist. but i guess my question comes down to if those are not systemic, how do we create a place where, yes, there's some negative consequences, but how
do we then turn that around to make them positive results for companies for new event innovation to come in and undercut a lot of what the current activity is to come up with new ideas and transformative ideas to eliminate those problems? >> i think it does go to what happens before. and it's about creating those cultures of security and creating the business case for doing so. and as long as we just focus on the consequences and the punishment to your point, we're always going to kind of be reverse engineering. and really understanding what the assets are, what the risk is for companies and what's important. i want to pull on something that scott said because i think it was a great point about the o.t. and the i.t. and this idea of what we're securing for national security purposes. i think the challenge right now is in an era of cybersecurity of information, of infrastructure
where everything is about data, understanding who's critical and what your business responsibilities are beyond the bottom line is something the government needs to step in on. while it's not always national security, that's how we get breached and create vulnerabilities and create exposure. and so i think that we again have to focus on, you know, scott was talking about this left of boom, this pre-event for businesses and all of this so when we get to this place, the consequence management and the punishment is actually aligned with the actions that have been taken ahead of time. as long as we just focus on the backside, we're never going to create that culture of security for businesses and industry. they won't take the responsibilities themselves. >> the front here. >> hey. rick weber. this is for scott. so your comments about what the sector coordinating council is doing under the executive order seem to be emphasizing recovery. so can you talk a little bit about what you guys are working on in terms of prevention? i mean, the executive order is about a cyber attack.
>> sure. i don't want to make it seem like we're not looking left of boom. we absolutely are focusing on preparation and detection and defense. so a couple of sort of themes, i guess, of the escc's areas of focus, first is tools and technology. you know, the government has some interesting toys and we want to use those for our systems. so there have been some great examples of national lab developments. one is known as the cyber risk information sharing program or crisp that was in the lab, quote unquote, commercialized and now deployed in the electricity sector covering about 75% of the customer meters in the united states. it's a great success story of the government innovation used in the private sector and next, i'll continue on that theme of information sharing and i hate the phrase too. it's information flow. making sure the right people are getting the right information at the right time.
and what we mean by that is, you know, a ceo, for example, needs a certain class of information so when their chief security officer runs down the hall and says, we have a problem, the ceo doesn't say, who the heck are you, get out of my office. but is aware of the threats that are out there and can make informed investment decisions in order to protect their infrastructure but can also make informed decisions to thwart or respond to cyber incidents. cross sector coordination. everybody likes to look at the electricity sector as the most critical. we don't have water, we can't generate steam or cool our systems. we don't have telecommunications, we can't operate. we don't have transportation or pipelines, we can't move our fuel. we don't have financial services, no access to capital markets, we can't trade our products. there are a lot of ways to impact the electricity sector short of attacking a control system for the electricity sector and that goes to a point kiersten was just making about it's hard to have a line between
o.t. and i.t. because an i.t. breach can have o.t. consequences. and i think that's something we need to better understand about our attack surface and our network topographies and exposures both within our companies, broader sectors, and the broader ecosystem of all critical infrastructure sectors. i think that sort of highlights that we're not just looking at what do we do when the bad day happens, but how can we limit the impact of a bad day by solid preparation on the front end. >> thanks. any other questions? marcus over here? >> thank you. the question is towards kiersten. i liked your concept around business models and having a strong business case for cybersecurity. you made a comment about having
a business case for cyber risk management. i want to see what you envision that being. what are the one or two or three things you would, you know, sell to say this is the business case for cyber risk management? and i was open to the panel as well. >> is this part of your doctorate? part of your thesis? it's a great question. so it's a great question. one of the most straightforward ways to answer that is to actually start looking at small and medium sized businesses. if you're going to understand where is the low hanging fruit. what are the things that every company needs to be doing. if we felt that our industry and that our business government -- business infrastructure was really sophisticated and mature, then i think we could break that out. but because what we're seeing is that there's not a lot of disparity between the capabilities when it comes to cyber risk management of the big companies and small companies. how we look at small and medium
size business. we talk about cultural change. you've got to have investment in cybersecurity from the top down and the bottom up. it has to be a cultural move. you look at what your team is and how you structure it. if you only have four people but definitely have an hr person, hr is your first interface with people that are coming into your organization and that's the first opportunity to create that cultural shift and so understanding that cybersecurity awareness and education is part of positions and how you're evaluated. the third is looking at basic actions. so it's software. it's access management. it's identity authentication and management. i think whether or not equifax truly calls into question proofing and authentication now will be interesting because it's something we clearly have been struggling with. but it's phishing. i mean, the argument around the fact that, you know, phishing breaches most companies and if we adjusted the awareness around that, we would preserve or at least create a more resilient infrastructure is absolutely out there. and so we don't have to be very
evolved in how we're looking at this. this doesn't have to be senior executive language for fortune 500 because what we're seeing is that these large companies are failing to do the basics. so the program i would pitch would be a very basic one to start with. and if they're like, i'm doing all those things, then it's a high class problem and you then go to what comes next. but the fact that after a patching issue happens and then you see equifax which says us-cert called them up and said do you know about this patch. they said yeah, yeah, yeah, it's not an issue. in this day and age for a company of any size to not be doing that particularly a company of what you're talking about is inexcusable. so we've still got to start with the basics. we need to be developing a basic program that these companies need to be saying, yep, i'm doing these things. now i'll move on. i will say what's important is i'm not offering a compliance checklist. it's important it's a risk management approach. so it's really evaluating what's important to you as a company,
how you're looking at your assets and how to secure them. then making those decisions appropriately. >> i think there's another question here in the front. then we'll go back there. >> rebecca kaufla. we have spoken quite a bit about securing data and infrastructure and industries and those are all tangible targets and our approach is effective and has been effective with respect to some cyber threat actors that target those things. what approach would you recommend for such cyber threat actions as russia, for example, that is perhaps a more sophisticated cyber threat according to multiple intelligence officials. russia has a unique cyber doctrine that prioritizes
psychological aspect as well as technical. and they target things along with tangible things, things like the human mind and our decision making process. whether that's the human mind of the u.s. voter or the policy makers. what approach do we use to secure those things in your view, thank you. >> big one. anyone want to take that? >> i'll start. i guess the best way to talk about it is in terms of threat actors and capabilities. and i'm reminded of what john brennan, the former cia director says those who want to attack us in a particular way can't and those who can don't want to. and that was true when he said it. it may be a little less true today. regardless, i think we have to look at apt, advanced persistent threat in a thoughtful way. one of the most thoughtful ways
from an electric sector specifically is to understand is that with apt, if the adversary has to be right once, they can in fact be right and that goes to the value of preparedness and the ability to operate in a degraded state. the understanding of what the motivations of a threat actor might be and how they would comport themselves in a threat. somehow, we've gotten through this entire discussion without mentioning ukraine, so i will start it now and to say that particular incident, incidents, end of 2015 and end of 2016, are particularly useful lessons for the sector that i helped to represent because it is an indication of what an attack likely would look like on electric infrastructure and that gives us an opportunity to prepare ourselves. the thought exercise, what would we do here in the united states if a ukraine style attack
impacted our systems and i can tell you that has been a primary focus of the sector coordinating council for quite a while. >> i think we have time for one more quick question back there. >> ian from new america cyber security initiative. when we think of public and private, we default to thinking the public side of that being the federal government. but clearly, states and cities have an increasingly important role in this. my question is, what should we be expecting from states and cities in their role as either owners, regulators in terms of education policies and the federal government or private sector be doing to help enable that policy formulation? >> in our efforts, we've done
both in education and academic programs along with economic development from a small enterprise business, the partnership with state and local government is one without which it wouldn't be successful because the underpinnings of the infrastructure required to have things like the technology incubator that's created and sponsored by a professional organization. that's in concert with the state and building the eco-system and environment for which people can be successful certainly comes down to the state and local level versus federal, not to say federal isn't important but down to economic development, the jobs, state government helps drive that. >> thanks. and we're out of our allotted time, so please join me in
thanking the panel for comments and for joining us today. [ applause ] we'll take another short break now. we'll reconvene, start the next section promptly at 11:45. please try to be back in your seats by 11:40 to make sure we start the next keynote session on time. thank you.