Good afternoon. It is my great pleasure to welcome Dr. Robert Brammer back to our campus. Bob currently serves as Vice President for Advanced Technology for Northrop Grumman Information Systems. In his role, he leads the technology strategy and research programs for this $10 billion sector of Northrop Grumman. More specifically, Bob is responsible for the overall strategy, technology strategy and independent research and development programs, technology and research partnerships, technical talent development and intellectual property management in this business unit. During his several decades with Northrop Grumman, Bob has also held several other senior executive positions with the company. Before joining the company, however, he was with NASA and he worked on the Apollo and Skylab missions (we should have had you give a talk on the Apollo and Skylab missions; that's for another day), with a focus on real-time software for tracking, command, telemetry and communications. Bob holds a bachelor's degree in mathematics from the University of Michigan and master's and PhD degrees from the University of Maryland. I guess we can truthfully say all of your degrees are from U of M. So we'll leave it as that. He's a fellow of Woodrow Wilson. He received achievement awards for his work on the Apollo program and for principal investigator research on NASA and NOAA satellite remote sensing programs. He's a fellow of the Society of Photo-Optical Instrumentation Engineers and a fellow of AMS. He's also a senior member of several other professional societies. He has served on numerous government and industry advisory boards including the National Academy of Sciences, Department of Defense and NASA, just to name a few. I've had the pleasure over the last two years to serve with Bob on the External Relations Council for the Internet2 Consortium. Bob was recently named by the Security Magazine as one of the 25 most influential people in the security industry.
Please join me in giving a warm welcome to Bob Brammer.

Well, thank you, Farnam, and thank you all for coming here this afternoon. I have to tell you I was a little nervous last Saturday afternoon as I was watching the football game and thinking about, in 1967, I was a senior on this campus and the football team was not very good and we lost to Indiana. And then in 1987 I came and gave a lecture here on this campus and that following Saturday Michigan lost to Indiana. So here I am thinking, oh my god, I'm going back out to Ann Arbor to give another talk and we're playing Indiana. Well, fortunately the game ended happily, and I'm staying over for the game this Saturday and I hope that one ends happily too. Go Blue. Go Blue, right.

So what I want to talk about today are two subjects, cybersecurity and global climate change. And so we're going to talk about the relations between them. And so what I'd like you to get out of this talk are a few key points here. First, these are nationally and internationally significant issues. And there are a number of similarities and differences. Similarities: they're both priorities for the administration, politically controversial, a lot of significant policy and economic issues associated with them, very poorly understood by the general public, and active research and so forth. So a lot of sort of top-level similarities. There are also a lot of differences. Cyber security incidents can happen at network speeds, very rapid, whereas climate change is for the most part, I think, years, decades and so forth. And cyberspace is entirely a creation of humans whereas the climate is largely a natural environment. And of course some of the climate change is induced by human activity but some of it is not. So there are a number of differences in these issues. Now I think most people would agree that these are important issues but would probably think of them as being very different from one another and not particularly related.
So we're going to talk about some similarities and more to the point how these two issues affect one another. And I think one of the points I would like you to get out of this is that Northrop Grumman being a very large system integration firm, we have to think about system issues and system of system issues and often the fact that things you do in one area can have significant effects on others. And so we are forced to take very broad views of things and think about relationships. And since these are two very important priorities in the research program I'm responsible for, I've developed this view on these two subjects over the past some number of years and that's what I'm going to talk about with you today. So these issues compete with each other in terms of priority and funding. The cyber security systems, they consume energy and that energy in turn has an environmental footprint. So the more you do in security measures, the more you are affecting the climate. Furthermore, things that you could do in an information systems viewpoint, cloud computing, virtualization and so forth, which may be very good in terms of energy efficiency, reduction and so forth, can open significant security holes and in effect make our security problems worse. So this is an example of, you know, you try to fix something over here and you break something over there and so you have to keep these issues in mind. And many of the things that we want to do to either mitigate or adapt to climate change will be threatened by failures of cyber security. And so we'll talk about some specific examples. And so at the end of all of this, I want to save a little time for the so what? You know, you could go through all this and say, well this is very interesting, but what does it mean to me? 
And so I'll talk a little bit about what it means to a large corporation like ours and what I think it means to an educational institution like Michigan in terms of research priorities, educational curriculum and so forth. So with that, I've organized the presentation with brief introductory stuff and then we will talk about three areas, political relations, economic and technical. And then we'll get to some implications and have some time for discussion at the end.

Northrop Grumman today, as you see, about 34, 35 billion in sales, 120,000 people, very distributed operation and a lot of capabilities. And as you will see here, I put this list in alphabetical order so that I don't get silly arguments from different parts of the corporation as to whose is more important. But I did highlight these two because that's what I'm going to be talking about this afternoon. We also, in terms of our internal R&D program, it's about 600 million a year in a variety of technologies all the way from very emerging technologies to full scale integration. So the research program at Northrop Grumman is a very critical part of our business strategy and we allocate resources in a number of different ways.

Now in terms of the climate and environment, this is a very important part of our business. Hundreds of millions of dollars a year in revenue in this area, all the way from building environmental satellites and different types of observing systems, both satellite systems and airborne systems. We do a lot with data management and software. In particular, we help NASA build the Earth System Modeling Framework by which oceanographic and atmospheric and land surface models and so forth are all tied together in these global climate models that have been used to make predictions about climate change. We do a lot of work in modeling and simulation of various types of climate, severe storms, atmospheric propagation, cloud databases and so forth.
And we also spend a lot of time thinking about the impact of weather and climate on people and systems and operations. We have a very large public health unit that's about half a billion a year in public health on a global basis for the Centers for Disease Control, and so weather and climate issues, water supply and so forth are very important in that, and spread of disease. So these are our issues that we have to think about. Our shipbuilding unit built the U.S.'s high latitude research vessel that operates in the North Pole in the summer collecting research observations about the Arctic and the ice cap and so forth. So we really think about climate and environment all the way from the observations through a number of critical applications.

Now in the cybersecurity area, I won't drag you through all of this, but our key programs in cybersecurity include, of course, managing our own corporate network, which is a global network itself, a number of programs for federal civil agencies like the Department of Homeland Security, the Treasury Department. We have a responsibility for the security for the Treasury Department's network, the Department of State's network, big chunks of the Homeland Security Network and so forth. These are our people operating systems in their centers, developing technology and so forth. For the Defense Department, we have some very large programs. We're responsible for a lot of the activities at the Army, the Joint Task Force on Global Network Operations and so forth. We do research for DARPA a number of ways and also in the intelligence community a number of classified programs. So our cybersecurity activities are very large and very important and one of the fastest growing parts of our business. We have a number of laboratories across the country, depending on how you count them. This is well over 100 in different areas. We networked them together in a number of ways.
And this is not only internal, but as Farnam says, we've been active in the Internet2 consortium. So we're tied to the external research community through Internet2 and National LambdaRail and Defense Research and Engineering Network and Department of Energy and so forth. So we use those networks to help us talk with the research community at large.

Now, that's a little bit about us. Now, about these two issues, is there anyone here who wants to debate the point about cybersecurity and climate change being issues of global significance? Because if you do, I don't think you belong here. But a couple of quotes from the President. But also an interesting paper published by the Secretary General of the International Telecommunications Union a couple of years ago entitled "Climate Change, Cybersecurity and the Economic Crisis." And this was written at the time in the fall of 2008 when the banking system was collapsing around the world. And yet his view was strategic enough to recognize not only the immediate crisis, but also two issues that are affecting communications, information technology and so forth going forward. So there are a number of people here thinking about these issues and that's the good news. Bad news is not enough, and so there's a lot more work to be done here.

So now let's talk about politics for a minute. And here I want to talk about something that happened about a year ago this time. Pat Gallagher was up for confirmation as director of NIST, the National Institute for Standards and Technology. And he was appearing before the Senate Committee on Commerce, Science and Transportation. That's the committee that has oversight over the NIST budget. And Senator Rockefeller from West Virginia is the chair of that committee. And reading the transcript of that hearing is very interesting because normally NIST is a pretty low profile government agency.
It makes standards in a number of areas and this is not considered particularly controversial or politically hot subject. However, NIST is very active in both cybersecurity and climate change. And what Senator Rockefeller was telling him is that we recognize those are both your priorities, but we got to do something first about cybersecurity. And so you see this cybersecurity issue is constantly imminent. Your other big subject is climate change, but to be frank about it, in the short term climate change is much less of a threat than cybersecurity. Cybersecurity is potentially next week, tomorrow, a year from now. Climate change is not. So he's saying we'll get to it when we get to it. However, Senator Rockefeller is a very smart guy. Over the long term, if we don't do some climate change fixing, then the rest of this won't matter. So he's telling you we recognize these issues, but this is one example of these two issues competing for attention, funding, priority on Capitol Hill and in the administration.

The second issue that had some political consequence was something that's called Climategate. And some of you may have heard this, but last year somebody, and it's still not known who, hacked into the email system at one of the UK universities and exfiltrated a large volume of email traffic between climate scientists. And so there was a lot of argument about the interpretation of some of these messages, some allegation over whether some of the climate data was being falsified in order to push political agendas and so forth. This has since been reviewed by a number of committees. In fact, a report was released on this just last week, which said that a lot of this was taken out of context and yes, there were some things said in email messages that probably shouldn't have been said, but there's no indication of manipulation of the data or any sort of material impact on the integrity of the scientific process. And here's the political implication from this.
A group at Yale University released a report in July where they analyzed the public opinions and found significant declines in the perceptions of the public at large. And in particular, the results demonstrate that this Climategate incident had a significant effect on the public interest in this issue. Well, of course, that in turn has a big impact on what attention the Congress will give to an issue like this, and in fact the climate change legislation has stalled completely. And the administration has decided in the press of other things not to push it. So despite the fact that this was a high priority when the new administration came in at the beginning of the year, things can change rather quickly in terms of political aspects. So this was a case in which the lack of cybersecurity had some significant political damage for our attempts at addressing climate change.

Now I want to talk about the economy for a minute. The energy area, which of course is very tightly coupled to the climate change activities, is a definite priority for the administration. And so if you look at the stimulus funding that was made available, you can see some very large volumes of data were provided for modernization of facilities, billions of dollars for federal buildings and so forth, and some of this actually affects one of the contracts that we got, which I'll talk about a little later, and a number of other areas. So there was some serious money put up for clean energy industry. The president made this announcement at a small company in Colorado that builds these solar arrays. And so even though the climate change stuff has sort of cooled off, so to speak, the interest in energy conservation and so forth is still getting a lot of attention. But it is an economic issue. So now, if we look at nuclear power, I'm going to give you a very short history of nuclear power in the U.S.
The 1950s, Our Friend the Atom, you know, I had this book when I was a kid, and I read it, and the tagline was, you know, nuclear reactors, and there was some hope even of controlled fusion reactors in those years, and electricity would be available and it would be too cheap to bother to meter it. It would, in a sense, be free. Well, it didn't quite turn out that way. 1979, Three Mile Island. The U.S. hasn't built a nuclear reactor in decades, but now, President's State of the Union, all about creating jobs. We need more of these clean energy jobs. We need more production, more efficiency, more incentives, and that means building a new generation of safe, clean nuclear power plants in this country. The Nuclear Regulatory Commission has now 17 active applications for building new nuclear generating systems. And of course, it will take decades to get these done, built, operating, and so forth. And that, by the way, won't fix our climate problem, but it will certainly, if those facilities are actually built, then that would have a significant impact. Today, the United States has about 100 nuclear facilities generation, but they're all old, and the nuclear industry has survived basically in this country by maintaining the existing facilities and not by building new ones. But there is the hope that, on their part, new facilities can be built. Of course, somehow, it's clean, safe. You know, we still got the problem of where do you get the nuclear fuel and how do you dispose of the nuclear waste, which, by the way, is also an environmental issue. But anyway, that is the political dialogue now.

However, if you look at what DOE, Department of Energy, is pushing, is the smart grid concept, or the integration of advanced information technology into the power grid. And why are they doing that? Well, reliability, efficiency, and so forth. And this is wording from one of their documents: contribute to the climate change strategic goal of reducing carbon emissions.
So let's make the power grid more efficient. The current power grid is very inefficient. The electric power generated by the power grid in the United States is only about 1% of the energy that goes into it. So the efficiency of it is pretty bad. And so if we can make it more efficient, that would obviously help. However, NERC, the North American Electric Reliability Council, this is the consortium that provides oversight for the reliability of the power grid in the United States, just completed in July an assessment of these smart grid concepts. And you notice: reliability impacts of climate change initiatives. And so they're saying, well, let's be careful here. And one of the things they're most concerned about is the cyber and physical security aspects of the power grid. And so let's not take a situation that obviously needs fixing but do something to make it worse.

And then this happened. These reports came out in the past couple of weeks. A worm called Stuxnet has received a lot of publicity. And those of you in the security business will know something about this. But this was a worm very specifically targeted to a class of industrial control systems developed by the Siemens Corporation, which are used in a lot of industrial areas, but notably in the control of nuclear facilities. And in particular, the nuclear site in Iran was believed to be one of the targets there. And so this is an article from the New York Times published a couple of weeks ago. This global alarm over the deadly computer worm has come many months after the program was suspected of entering the control system from the nuclear power plant, perhaps on a USB memory stick. You know, little thing like that could cause a lot of damage.
And this is a very sophisticated worm that can reprogram the control of parts of the nuclear facility and in effect damage some of the centrifuges made by Siemens and make them fail in a way that would be undetectable and seriously damage the control of the power plant. So something like this could, you know, a few of these incidents could slow down a number of these plants or applications and so forth because of concern over control of these. You know, in effect another Three Mile Island or Chernobyl and so forth. So the economic impact from these cybersecurity problems can be significant and this would be a considerable risk going forward if we don't come up with the right ways of securing these systems. So this is a wide open research area. A lot of work being done in this area by us and by others. But we have a long way to go in terms of addressing this on the scale that really matters.

And then another approach to addressing energy emissions, controlling the process and so forth, is referred to as cap and trade. And really what this means is that energy caps or emissions caps for a given operation would be imposed and then if a company wanted to exceed that limit, they would have to buy credits from somebody else who may have some of this and not using up all of their quotas so they'd be in a position to sell something. And Europe has set up an emissions trading market to implement some of this and the hope would be that this sort of market trading would help provide economic incentives for people to address the emissions and reduce the impact on the climate as a result. However, these are quotes from an article in The New York Times in August. The integrity of these processes is really questionable. And in fact there are a number of controversies now and some allegations about faking the credits and stealing certificates and just, I mean, think Enron. I mean, this is the sort of lack of integrity in the energy trading business that led to some significant damage.
We have similar problems in the European exchange. And so what you see here is: controversy over offsetting is the latest blow to emissions trading, which has been racked by a spate of problems in Europe including cyber attacks, tax fraud and recycling of credits. So if we can't get the kind of cybersecurity solid infrastructure for trading markets, this concept is going to go nowhere in the United States. There are enough ways to criticize it, but without the right kind of security to maintain the integrity of the process this has no chance of getting enacted in this country.

So let's move on now to the technical issues. Major focus on data centers. In 2007 the Environmental Protection Agency was required by the Congress to produce a report on the impact of data centers on energy emissions and the use of electric power. I mean, people have been observing a rather rapid growth in the use of electricity for powering data centers. And in fact some of this data motivated a proposal coming out of here for energy efficient electronics, and some of the data about the growth of electrical consumption and so forth was actually used as a part of that proposal. This was a 2007 report and it observed that data centers use about 50 times the energy per square foot as normal office space, and what was really getting people concerned was data center power consumption was on a path to double every five years. So even though you might say, well, it's only one and a half percent of the electricity in the US, that's actually a fairly significant number, and if that doubles every five years, if we don't do something, over a decade or two this is going to be a very significant issue. And for an IT manager, you know, what a lot of the guys have found is that, you know, the fraction of their expenses which used to be dominated by the computing and communication is now being dominated by the energy requirements.
You know, one of the guys told me, says, I spend about half the energy budget powering these systems, which heat this place up, and the other half on air conditioning cooling it down. I mean, this is a terribly inefficient process. Well, so a lot of attention was put into it, but here we are in 2010. This is a report a few months ago from the Gartner Group, and data center power, cooling and space is still a problem. Frankly, we haven't made a lot of progress with it despite a lot of talk about it, and the biggest issues faced by data center managers were power, cooling and space problems. And so what are people trying to do about it? Well, virtualizing servers, consolidating data centers. I mean, these are sort of natural things to try to do. Well, these are causing problems. Information system architecture changes: anytime you make a significant change like that you better think about the security implications of what you're doing. Here's an article that I think articulated some of the issues fairly well. It came out of one of the security publications last month and it quotes another Gartner study that says that 60% of virtualized servers deployed in the next year, year and a half will be less secure than the physical servers they replace. Well, this is not progress. I mean, they may consume less energy, they may take up less space, but if you do this at the expense of creating security holes in your network I would argue that you need a better approach.
Virtualization, of course, is a big chunk of the cloud computing, and there are a number of companies offering cloud computing services and a number of guys like us saying, hold on, you know, there are a lot of security issues associated with cloud computing, and that's true whether it's public clouds or private clouds. And so an industry consortium called the Cloud Security Alliance has been formed to try to come up with some standards and processes and so forth to address these security issues, and we are a member of this alliance along with a number of other companies. And we are trying to grapple with these issues because, you know, if you could solve some of these problems, some of the cloud concepts are good: you know, buy the information technology infrastructure, you know, on a usage basis as opposed to everybody building their own data center. Analogies have been made to the electric power industry, where in the 1900s or the 1800s a lot of companies started building their own generators and eventually utilities formed and made electricity a service. Now, I would argue that that's a poor analogy because, you know, electricity is basically a one-way thing from the utility to us. I'm not storing my sensitive private information in an electric generator, so I don't think the analogy works for me. But the fact is that, you know, a more efficient way of managing IT infrastructure would be a good thing for a lot of reasons. But, you know, one of the things I thought was interesting out of this article was that just consolidating federal data centers has been tried before. And in the mid 90s the Clinton administration tried this for cost reduction, and at that time the feds had about 200 data centers, and they said, well, that's too many, we don't need 200, we got to reduce the number. Today there are about 1100. So this was not a wildly successful initiative, and so they're trying it again. But again, if we do this in the sense of increasing security vulnerabilities and so forth, then we haven't
done it right. So the objective of addressing the cloud architectures and reducing the energy consumption, reducing the impact on the climate and so forth is certainly a very good objective, but you can't do it at the expense of decreasing the security.

Now, at the micro level there have been some research concepts to change computer architectures to improve security, and one of these is called dynamic information flow tracking. And there are a couple of papers here, including one by Srinivas Devadas, who's at MIT in their department of computer science. And, you know, I don't really have time to get into all the details. Basically what this says is: put some extra bits on the word length and use those bits to track the information as it flows, and then you can detect what information is being used in some unsafe ways. And we did some initial testing of this on some Itanium chips because they had a way of using some extra bits on their speculative execution. But extra bits for security purposes consume energy, and so you want to be sure that if you're going to, you know, lengthen the word or increase the word length and increase the processing, that implies some additional overhead that will consume energy and that will add to the problem that we're trying to fix. So what we've been trying to do is trade-offs there. If I change the architecture of the chips, and by the way this would be a long-term thing because Intel and IBM and others have not done anything about this yet, this is purely a research concept, but if we had a success in terms of some of the research, then we would probably make an arrangement with those companies to produce chips that would have such an architecture. Over time maybe that would do us some good. So the architectural changes even at the micro level raised some of the same kinds of trade-off issues.

Now, on a macro level, we just won a large contract to build the system at the new headquarters building for the Department of Homeland Security, and this is in downtown
Washington at the location of the former St. Elizabeth's Hospital. St. Elizabeth's was a mental hospital, and that came up a few times in the course of writing the proposal, but, you know, setting that aside, our contract calls for us to build the IT infrastructure and secure the operations, the access control and provide a number of services. But DHS and the administration have placed a huge emphasis in this area, the smart building and green management systems. They want to minimize the use of energy in this building; at the same time they want a highly secure facility. So we will be doing the sort of trade-offs that I've been talking about between energy efficiency and increased security on a very large scale for DHS as we work the architecture and eventually the operations of this new headquarters campus. So this has the opportunity of being an absolutely state-of-the-art, leading-edge program balancing high security requirements with high environmental impact requirements, and learning how to do that on this kind of scale is a very important objective.

Now, I'd be remiss if I didn't say something in Michigan about the automobile industry. And so certainly this industry has a huge impact on environmental impact. Transportation industry is responsible for burning most of the petroleum in the world, and the road transportation is the biggest part of that. There are now about 600 million cars around the world, and so the energy efficiency of those cars is a big deal. Modern automobiles are very computer intensive. Most of the new ones have maybe a hundred computers, some of them even more than that, and there are some internal networks or buses that have been designed, and a lot of the objectives are to improve the efficiency of these automobiles, reduce the cost, improve the maintenance, increase the gas mileage and so forth, all of those very good objectives. However, they were all designed with no attention whatsoever to cyber security issues. And so now a group at University of Washington and
University of California at San Diego has established their center for automotive embedded security and published an interesting paper a few months ago called the "Experimental Security Analysis of a Modern Automobile." And they didn't, you know, they did their testing on a couple of cars. They declined to say which cars they used because they said, we could have done this on any car, so we didn't want to pick on anybody. But here are a couple of quotes from that paper: it is possible to bypass rudimentary network security protections within the car. And they did that, and they have demonstrated the ability to take over the car. They can control the brake system, they can disable the brakes on the individual wheels, they can stop the engine or control the accelerator, and the driver would have no way of controlling this at all. Moreover, they got in to some of these cars through systems like the OnStar, so they could communicate, not only hitting one car but communicate the virus malware to others. And so if you had an implant, say at a maintenance facility, the diagnostics port in the car is just a USB port that's totally unprotected, or if you get it in through some wireless system on a large scale, and if you imagine the right kind of sophistication in the malware, sort of like a Stuxnet for cars, you know, three o'clock Thursday afternoon every car in the United States goes nuts. Well, this would be a terrorist incident on a massive scale, and, I mean, God forbid something like that should ever happen, but we are continuing to build systems on a large scale that do not reflect any attention whatsoever to security issues. And a lot of this is being done because we're trying very hard for energy efficiency, cost reduction and so forth. Well, again, I would argue we have to think about the whole problem here, and these connections keep coming up over and over again.

So in conclusion, what does this mean to industry? Well, to us, we have to look at everything we do through a cyber security lens. We build some
very large information systems for critical national applications, so we crawl all over these things to make sure, as best we can, we've addressed the security issues. Not that we're making any claims to have solved all the problems; we can't do that, neither can anybody else, but we sure think about it and do the best we can with it. And this, by the way, there are a lot of legacy systems that are out in the field, and these were put out there years before these threats were recognized, and yet they still have these vulnerabilities. And whether these are defense systems or civil systems and so forth, there are a lot of very vulnerable systems out there. So we have to do that, and we have to do that in a way that recognizes critical lack of trained people in this area. There's a very good report issued in July by the Center for Strategic and International Studies about the workforce issues associated with cyber security and the fact that we don't have enough trained people, and we are not, you know, in our current course and speed, we are not going to produce them for a while either. So we have increased our own internal training programs for establishing relationships with various educational institutions and security certification companies and so forth. This is a big deal issue for us, and I would argue that it ought to be a big deal issue for a lot of other people.
And what about academia? Well, I would say that both energy efficiency, with the climate implications, and cyber security should be taught at some level to all of the students. Not that everybody needs to be an expert in this stuff, but there needs to be a broad awareness so that we don't have this sort of political uncertainty and lack of understanding of the public at large on these issues that we have today. And then I would say that every student in science and engineering needs to have a very good understanding of the cyber security and energy efficiency issues. We can't continue to design systems like cars with no security
defenses at all, and that's just one example: power grid, anything else. So this ought to be part of the educational curriculum at all of our universities, and it's by no means any longer just a computer science issue. It's gone way beyond that. And so when you're talking about power systems or automobiles or transportation and so forth, everything, we're in this rush to computerize everything, and for many good reasons in terms of cost savings, energy efficiency, functionality and so forth, but we can't do this without the right attention to the security implications of this. And there is a critical shortage of qualified graduates, and so we're looking for them, and so are a lot of other companies, but we need to be sure that we're producing the graduates in a way that they are educated to step into responsible positions in companies like ours. So I think this is the, what does this mean to academia, I think we need to think very hard about the curriculum in various ways and to recognize some of the changes that have to occur in order to address some of these challenges that we have in the 21st century. And I think with that I will stop and throw the floor open to any questions you want to raise.
Bob, I'll start while, yeah, let him warm up a little bit. I was wondering what fraction of U.S.'s current energy needs are met by nuclear energy, and what do you think that level should be?
I think today it's about 20%. 20%, yeah. The nukes, they operate continuously, and they're usually at the bottom of the stack for the power companies, but it's not anywhere near what coal is, which is probably closer to half. Then you have natural gas and some other sources. But whether nuclear power becomes a larger fraction than the current level or not, I think, is a very questionable issue right now. I mean, there's certainly more interest in it; we see that reflected in the applications to the Nuclear Regulatory Commission. But whether those will be approved, whether there'll be enough concerns over the security issues and
so forth, whether those can be addressed in ways that satisfy people, I don't know. I think that's an open issue.
But you mentioned that a number of essentially security issues that you mentioned are all related to SCADA systems, having infrastructure controls. Do you see a much more willingness on administration's part to fund essentially academic research for those types of security, as opposed to internet security and cyber attacks?
Yeah, most of the cyber security stuff right now is going toward computer networks, but I would argue in five years that this could flip entirely, that there may be more attention, there should be more attention, to the infrastructure networks. And I think right now most of the government agencies are trying to figure out what to do with this. I mean, I see a little interest at DOE in this, I see some interest at low levels in other agencies, but it's not much right now. And, you know, I've talked to some senior research managers and some of the government agencies, they say, well, this really isn't my problem. But most of the critical infrastructure in the United States is not government owned, it's owned by private industry, and they had to go fix themselves. So we don't have a national consensus on what to do with this problem yet. Very serious.
It's certainly something that is very much on the line.
Yeah, they, this is a newfound religion, and the NERC tried to address this shortly after 9/11 with some new security requirements, but it's been pretty slow to roll out across the industry on any scale. Those protocols for the SCADA systems are pretty much wide open, free text, they're not encrypted, and a lot of these sensors are set up to allow maintenance. I mean, when the electric power industry says security, they have traditionally meant what we would consider, what I would consider, reliability. They want to keep that power available; that's the priority. And so things like, you know, weather incidents and so on, they're used to dealing with those issues and
they handled them by and large pretty well, but every once in a while we see a massive blackout like we had in August of 2003 in the Northeast, which are really needs to be modernized in this country. And you're right, over the past couple of years there's been a lot more attention paid in these utilities to these issues, but getting that rolled out and implemented on a wide scale in the country is still a challenge.
Go ahead, Igor.
It seems very difficult to quantify security in a particular system, especially we're trying to formulate the minimum required levels. I wonder if there's some sort of organizational infrastructure that would allow them to do it.
Well, you're right, there's no natural units, unit of security that we can use. You know, what's a yard of security? We don't have a metric for it, and that's been part of the problem. Security is how you value it, you know, how you would trade off an investment in security as opposed to something else. There are a number of attempts now at security economics, and there is an annual conference now, the Workshop on the Economics of Information Security, that is starting to produce some results. This is still a problem, and attaching the right level of risk to certain types of vulnerabilities is a challenge. So still a research area, a number of people working on it, and so over time it will improve. But at the moment the economics would suggest that you somehow try to figure out what your biggest risks are and deal with those first. And you can't deal with everything all at once; you don't have the budget and the staff to do it. So you have to tackle the biggest problems and do the best you can with it. But yeah, it's very ad hoc and not quantifiable at all right now.
Any other questions? Well, Bob, it's rare for us to see a presentation that covers both technical and policy issues. Let me thank you again for visiting with us today. Join me in thanking Bob. And he's going to be around for the next half an hour, so you're welcome
especially our graduate students who want to chat with them, come forward and meet Bob.