Good afternoon, ladies and gentlemen, and welcome to the Center for Strategic and International Studies. My name is Andrew Schwartz. I'm Senior Vice President for External Relations here, and get to stand in for John Hamre today who is traveling. Just a couple of housekeeping announcements. First of all, we have to do this. This is sort of our Smokey the Bear thing. If there is an emergency, we have blue jackets outside that will direct you the way out. We don't expect there to be any emergency, but we just have to say that, so it will be very easy to spot where to go if there is. Second, I want to say, at the end of the program today, please stay in your seats until the Secretary can leave, but then, and this is a little bit unusual, please leave as soon as you can, because we happen to have another Secretary visiting here today. It's the Secretary General of the Communist Party of Vietnam who's following, and so thus we have a pretty high-security event here, a couple high-security events in a row, and we do a lot of events at CSIS, as you know, but this is a bit of a juggling act today. With that, it is my pleasure to welcome my colleague, the very distinguished and honorable Sean O'Keefe. Sean is, of course, former Secretary of the Navy, former Director of NASA, and being a Tulane graduate, I feel compelled to say, former Chancellor of LSU, and he's actually wearing LSU colors today, so go Tigers. Sean's also here at CSIS as a Senior Advisor and with the Maxwell School. Some of my favorite people are in the front row here, General Scowcroft, Judge Webster and Mr. Hand. So good to see you all. Thank you for being here. And with that, I'd like to introduce the Honorable Sean O'Keefe.
Thank you, Andrew. I appreciate the opportunity to be here to moderate this particular session on such an important occasion.
And while some of that may be in reference to this morning's event, which you'll hear a lot more about here from the Secretary in a minute, I think the other thing we need to reflect on a bit is we've just emerged from yet another uneventful national holiday this past weekend with absolutely no incident whatsoever. And yet the reason for that isn't accidental. It's a consequence of the diligence of extraordinary people, thousands of them on our behalf, who dedicate themselves to assuring that freedom to do the kinds of things we did this past weekend celebrating the birth of this nation, and also to recognize the extraordinary opportunities that we have because of what they do. And they get virtually no recognition for those non-events. The gentleman who represents all of them here is a distinguished public servant who has spent a considerable period of his professional life in public service. Having started and certainly is being involved as a professional attorney, he has risen through a number of different positions as the General Counsel of the Air Force, as the Assistant U.S. Attorney of the Southern District of New York, as the General Counsel of the Defense Department prior to becoming the Secretary of Homeland Security. And he is the fourth to occupy that particular capacity. In each of these roles, he has distinguished himself as an exemplary public servant who has focused on the challenges of the kinds of jobs and issues that ultimately have been brought to a head in this capacity, protecting all of us as the Secretary of the Department of Homeland Security. The Honorable Jeh Johnson.
Thank you very much, Sean. Can everybody hear me? Yes. Okay. Thank you very much. It's great to be back here at CSIS. Thank you for allowing me to speak here today. I want to open my remarks by talking about today's events. The topic of this speech is cybersecurity related to cybersecurity.
It appears that today we had system malfunctions at United, at the New York Stock Exchange, and the Wall Street Journal. I have spoken to the CEO of United, Jeff Smisek, myself. It appears from what we know at this stage that the malfunctions at United and the Stock Exchange were not the result of any nefarious actor. We know less about the Wall Street Journal at this point, except that their system is back up again as is the United Airlines system. Cybersecurity is a top priority for me, for the President and for this administration. It is my personal mission, before I leave office, to significantly enhance the Department of Homeland Security's role in the cybersecurity of our nation. Today I provide a status report on our efforts in cybersecurity for the federal civilian .gov world in particular. I also take this opportunity to emphasize the importance of passing new cybersecurity legislation and soon in this Congress. I applaud the Congress for their bipartisan efforts so far. I will begin this speech like I end most of them. I tell audiences that Homeland Security is a balance, a balance between basic physical security and the freedoms we expect as Americans. As I have said many times, I can build you a perfectly safe city, but it will look like a prison. We can build more walls, install more invasive screening, interrogate more people, and make everyone suspicious of each other, but not at the cost of who we are as a nation of people who cherish privacy, value the freedom to travel and associate, and celebrate our diversity. The same is true for cybersecurity. Cybersecurity involves striking a balance. I can build you a perfectly safe email system, but your contact will be limited to about 10 people, and you will be disconnected entirely from the internet and the outside world. This too would be like a prison. The reality is we live in an interconnected, networked world.
Cybersecurity must also be a balance between the basic security of online information and the ability to communicate with and benefit from the networked world. In the meantime, the reach of the internet is growing at an exponential rate. Today, there are more connected devices than human beings on the planet. In just five years, the number of devices connected to the internet is estimated to exceed 50 billion. At the same time, cyber threats are increasing in their frequency, scale, sophistication, and severity. The ranges of cyber threat actors, methods of attack, and targeted victims are also expanding. This affects everyone, both in government and in the private sector across the country and across the globe. Not a week goes by without a news report of another organization being hacked. These threats come from a range of actors, including nation states with highly sophisticated capabilities, profit-motivated criminals, and ideologically motivated hackers or extremists. In the case of the breach of the Office of Personnel Management, a large amount of highly personal and sensitive information was taken by a very sophisticated actor. We have determined that Federal personnel records were, in fact, taken by this actor. DHS, the FBI, and the NSA have also determined that OPM's system containing information related to background investigations was compromised. As required by law, OPM provided notice to approximately 4.2 million people who were impacted by the data breach involving employee personnel records. OPM is still working with an interagency team to address the total number of people affected by the breach involving security clearance background investigation information. The OPM breach also remains the subject of an ongoing investigation. We have strong evidence about the identity of the actors behind the breach. As the DNI said last week, there is a leading suspect, quote-unquote, but we are not prepared to publicly identify those actors at this time. 
To be frank, our Federal cybersecurity is not where it needs to be. But we have taken and are taking accelerated and aggressive action to get there. In response to the OPM breach, on June 12, the White House announced the establishment of a cybersecurity sprint team comprised of OMB, the NSC, DHS, and DOD personnel to conduct a 30-day review of the Federal Government's cybersecurity policies, procedures, and practices. On a reprioritized basis, we are deploying teams to assess the highest value systems across the Federal civilian government and hunt for and remove adversaries identified in the system. This response to the OPM breach is part of a much broader Federal cybersecurity effort that has been underway for some time. There is a great deal that has been done and is being done now to secure our networks. We do, in fact, block a large number of intrusions and exfiltrations, including those by State actors. But we can and must do more. And as I have said before, Congress can help. By law, each head of a Federal Department or agency is primarily responsible for his or her agency's own cybersecurity. The Department of Homeland Security has overall responsibility for protecting Federal civilian systems from cyber threats, helping agencies better defend themselves, and providing response teams to assist agencies during significant incidents. National security systems, such as those used by the military and the intelligence community, are secured by the Department of Defense and the DNI. There is no one silver bullet for cybersecurity. The key is to install multiple layers of protection to best secure our networks. The Department of Homeland Security's National Cybersecurity and Communications Integration Center, or NCCIC, as we call it, is the U.S. government's 24-7 hub for cybersecurity information sharing, incident response, and coordination. 13 U.S.
departments and agencies and 16 private sector entities have regular, dedicated liaisons at the NCCIC, while over 100 private sector entities collaborate and share information with the NCCIC on a routine basis. Given the central importance of the NCCIC to the DHS mission, I have elevated it within our structure so that its leaders have a reporting relationship directly to me. The NCCIC shares information on cyber threats and incidents, and provides on-site assistance to victims of cyber attacks. In this fiscal year alone, the NCCIC has shared over 6,000 bulletins, alerts, and warnings, and responded on-site to 32 incidents, over double the number of on-site responses for the entire prior year. The NCCIC is also the place where we manage the Einstein system. Einstein is the first basic layer of protection we provide at the network perimeter of each Federal Civilian Department and agency. Einstein consists of three programs. Einstein 1 and 2 sit at the perimeter of the agency's networks. Einstein 1 observes and records basic information about all activity entering and exiting an agency network. It is like a recording camera sitting on the perimeter fence that can be reviewed to determine when or if a certain individual enters or exits the compound. Einstein 2 detects known prohibited adversaries that have entered or exited the fence and alerts us to them. Einstein 1 and 2 detect and identify malicious activity. The NCCIC shares that information with all departments and agencies then. This affords those departments and agencies the opportunity to take appropriate actions to protect themselves. By the end of 2005, Einstein 1 and 2 were deployed to protect only three Federal agencies. Today, both protect all Federal civilian traffic routed through a secure gateway to the Internet. Then there is Einstein 3 Accelerated, also known as E3A. E3A resides with the Internet service providers serving the Federal Government.
E3A has the capacity to both identify and block known malicious traffic. Like the system that protects the Department of Defense, one key value of E3A is that it is an intrusion detection and prevention system that uses classified information to protect unclassified information. E3A was first deployed in 2013. By December 2014, E3A protected 237,414 Federal personnel. Today, E3A protects over 931,000 Federal personnel, or approximately 45 percent of the Federal civilian government. I have directed that DHS make E3A fully available to all Federal departments and agencies and have challenged us to make aspects of E3A available to all Federal civilian departments and agencies by the end of 2015. E3A has demonstrated its value. Since its introduction, E3A has blocked over 550,000 requests to access potentially malicious websites. These attempts are often associated with adversaries who are already on Federal networks attempting to communicate with their home base and steal data from agency networks. Importantly, Einstein 3A is also a platform for future technologies and capabilities to do more. This includes technology that will automatically identify suspicious Internet traffic for further inspection, even if we did not already know about the particular cybersecurity threat. As an additional line of defense, the Department of Homeland Security helps Federal agencies identify and fix problems in near real time using continuous diagnostics and mitigation programs, or CDM, as we call it. Once fully deployed, CDM will monitor agency networks internally for vulnerabilities that could be exploited by bad actors that have breached the perimeter. CDM will allow agencies to identify, prioritize, and fix the most significant problems first. It will also provide DHS with situational awareness about government-wide risk for the broader cybersecurity mission. CDM is divided into three phases. 
The first phase, which is being deployed now, checks to ensure that all computers and software on agency networks are secure. The second phase will monitor users of agencies' networks and ensure that they do not engage in unauthorized activity. The third phase will assess activity happening inside agencies' networks to identify anomalies and alert security personnel. To date, we have made the first phase of CDM available to eight agencies, covering over 50 percent of the Federal civilian government. I have directed and we expect that DHS make the first phase of CDM tools available to 97 percent of the Federal civilian government by the end of this fiscal year. I am also requesting authorization from Congress to provide additional funding to speed up CDM phase two. As our detection methods continue to improve, more events will come to light. In fact, OPM was able to detect the recent breach as a direct result of implementing new tools and best practices recommended by DHS. As we are able to see and block more events, we will thereby identify more malicious activity and frustrate an adversary's attempts to access sensitive information and systems. The NCCIC also provides on-site assistance to Federal agencies, as well as to private companies operating critical infrastructure. We in effect make house calls. When an incident like an OPM breach occurs, the NCCIC helps the victim organization find the adversary, drive them out, and restore service. The NCCIC also coordinates responses to significant incidents when other government agencies give them the information they need to respond effectively and to ensure unity of effort. By the authority given to me by Congress in the Federal Information Security Modernization Act of 2014, I can now, as Secretary of Homeland Security, issue binding operational directives to Federal departments and agencies. A binding operational directive is a direction to agencies to mitigate a risk to their information system.
I issued the first binding operational directive on May 21 of this year. This directive required agencies to promptly fix critical vulnerabilities identified by our NCCIC on their networks. We know we must drive change from the top. Thus, working with OMB, we notified departments and agency heads so that they are aware of the status of their own agency's efforts to comply with my directive. Office and agencies responded quickly and have already reduced critical vulnerabilities covered by the binding operational directive by more than 60 percent. Next, information sharing is also fundamental to achieving our mission in order to sufficiently address the rapidly evolving threats to our cyber systems. We must be able to share cyber information as quickly and in as close to real time as possible. To accelerate the speed and expand the breadth of our information sharing, we are taking three actions. First, we are supporting the development of information sharing and analysis organizations as called for in the President's Executive Order 13691, which he signed on February 13 of this year. Next month, we will, as directed by the President, select the organization that will develop best practices for these ISAOs. By supporting the development of ISAOs, we want to help companies, regardless of size, location, or sector, share information with their peers and with the Department of Homeland Security. Second, I have directed an aggressive schedule for deployment of next-generation information sharing techniques by the NCCIC. DHS itself now has a system to automate our sharing of cyber threat indicators, and we are working to extend this capability across the Federal Government and to the private sector so that we can send and receive this information in near real time. One agency is already receiving cyber threat information via this automated system over a month ahead of our original schedule.
We expect that multiple agencies and private sector partners will begin sharing and receiving information through this automated system by October of this year. Third, we are working closely with other agencies of our Government to stand up the Cyber Threat Intelligence Integration Center, or CTIIC. This new center will help us better understand the various threats and provide more actionable and timely intelligence to the NCCIC to share with our private sector partners. Finally, there is more Congress can do. Congress has a role in cybersecurity to ensure that we have adequate resources and budget and the legal authorities necessary to pursue our mission. Last year, in addition to passing the Federal Information Security Modernization Act, Congress gave us additional authorities to hire cyber talent and codified the role of the NCCIC as the Federal Interface with the private sector for cybersecurity. But there is more Congress can do, as I said. The recent breaches in cybersecurity demonstrate the urgency of acting now, and we appreciate the good bipartisan work on cybersecurity legislation now underway in Congress. We believe there should be three basic things in any cyber legislation. First, Congress should expressly authorize the Einstein program. This would eliminate any remaining legal obstacles to its deployment across the Federal Government. The House has passed H.R. 1731, which accomplishes this by ensuring agencies understand they are legally permitted to disclose network traffic to DHS for narrowly tailored purposes. Second, we must incentivize the private sector to share cyber threat indicators with the Federal Government through the NCCIC in a manner that provides protection from civil and criminal liability for private entities that share threat indicators with us and protects privacy. Third, we need a national data breach reporting system in lieu of the existing patchwork of state laws on the subject and enhanced criminal penalties for cyber crime.
In the meantime, as I've described above here, we are moving forward. As we improve our defenses, cyber adversaries will continue to improve their own efforts to break through them. This problem is not unique to the government. It is shared across the global cybersecurity community. Our adversaries are constantly evolving, and so must our tools to combat them. We cannot detect and stop every single intrusion. That is not news. So often, the most sophisticated actors penetrate the gate because they know they can count on a single user letting his guard down to an act of spear phishing. But my message today is we have increased and will continue to increase the instances in which attempted intrusions are either stopped at the gate or rooted out from inside the system before they cause damage. We are taking action. We are aggressively strengthening our defenses. We are accelerating the deployment of the tools we have and working to bring new ones online. Thank you very much.
Thank you, sir. I appreciate that. That was the most... Thank you, Mr. Secretary. Thank you, Mr. Secretary. I appreciate the opportunity to... Secretary of the Navy is a lot cooler job. Yeah, but you've got the Coast Guard. I mean, shoot, that's... I didn't have aircraft carriers. That's one of the tops of my book. There's no doubt about it, the Coast Guard. And yeah, I owe them a great deal. Sean, can I take a liberty and just acknowledge Admiral Scowcroft and Judge Webster? I was at the FBI yesterday. I saw your portrait, Judge, and your conference room. So good to see you. Thank you for being here. Outstanding. It's a great pleasure to see you. Absolutely. Thank you all for being here.
It was a really extraordinary commentary, Mr. Secretary, that you offered on a variety of different elements of the cyber challenge. How would you characterize the nature of U.S. vulnerability right now to cyber?
Well, part of it is what I said at the end.
What amazes me when I look into a lot of intrusions, including some really big ones, by multiple different types of actors, it very often starts with the most basic act of spear phishing, where somebody is allowed in the gate, penetrates a network simply because an employee clicked on something he or she shouldn't have. And the most sophisticated actors count on penetrating a system in that way, which means that a lot of our cyber security efforts have to be rooted simply in education of whatever workforce we have. Second, there are some really sophisticated actors out there with varying different motives. I think we all know them. And we have right now underway what I consider a very aggressive effort to raise the number of instances in which we are successful in blocking the efforts to infiltrate the system. As I said in my remarks, we are not where we need to be. And I've made a personal mission of getting us to raise that bar and get us to a better place.
Part of the commentary you offered, too, though, I think in terms of trying to mitigate against this, is to act as the primary federal department agency for the purpose of broader coordination of information. The Einstein system is a terrific example. That's a, again, great coverage here in the course of the OPM incidents of how so many of your team have testified to how that works and how effective it is. And it's been a very, very broad press coverage there that I think has educated the public more broadly to understand what the scope of that system is and how useful it can become.
But beyond the point of just simply coordinating this important information that then highlights vulnerabilities to each federal agency, when you look at the full scope of all of the federal interests that have ascribed a role in the cyber security challenge, ranging from the intelligence community and the defense department, of course, but also through the Treasury Department, through the FBI, a wide range of different agencies that all have a stake on its. How do you coordinate that wide-ranging set of efforts beyond the information sharing?
Well, that's on us to do. That's on DHS to do. And you're correct that there are a number of federal departments and agencies with a cyber security role. Each agency and department has its own cyber security responsibility with respect to its own system. But there are a lot of federal agencies and departments that have the broader cyber security mission. And it's on us in government, most prominently, the intelligence community, DHS and the FBI and DOD, to coordinate our efforts to effectively partner. And DHS is the civilian interface for cyber security. FBI has the law enforcement investigative mission. The intelligence community has their mission, obviously. But the way we see it and the way we're setting this up, DHS and the NCCIC, in particular, is the primary portal for the civilian private sector and for the federal civilian .gov world. And it's on us, and I've encouraged our people to do this, to effectively work with and partner the other agencies who have a role in this process and coordinate the efforts. The NCCIC is essentially a multi-agency entity. And as I mentioned in my prepared remarks, one of the things that we're doing with considerable urgency is getting to near real-time information sharing. So when something comes in the door, we can do the proper vetting for privacy and so forth and get it out in automated fashion to the players that need to have any information.
And your final comment, too, on the role of Congress in this, I assume, is in part to highlight the fact that we're consistently looking for authorities for the Department of Homeland Security to be able to direct those priorities, be directed to the appropriate challenges. Is that a fair assumption as well?
Yes. We got some cyber security legislation at the end of last year, which was good. But there's a lot more we can do. I am encouraged that there's a lot of bipartisan support. The House bill I mentioned in my remarks passed by a wide bipartisan margin of, I think, 350 votes in the House for a difficult subject. And so I'm encouraged by that. And there's a lot of activity right now in Congress. I'm hoping that we get cyber legislation. And it really is to codify our legal authorities and to encourage information sharing by the private sector. And a very significant component of that, which the President supports, is limiting potential criminal and civil liability for those who share cyber threat indicators with us. And so that was a big threshold across. And we support it. We think it's good. From my corporate lawyer days, I know how boards of directors think. And so limiting liability for sharing cyber threat indicators is meant to be a strong encouragement and inducement to help us in the cyber security mission for the country.
Before I open up the door for other comments and questions, I want to just follow up on that last comment you made. Because you're far more aware of this than probably anybody. Industries, companies in various markets, in widely diverse markets, have been progressively making elective choices of their own to erect their own defensive cyber security systems. And they should.
Before they go down the path to expend the enormous amounts that it takes to do that, because often it's varied and it's uniquely positioned and so forth, what would be your best advice to any CEO, any board of directors prior to making those investments on how they ought to think about going about structuring their own defensive response?
Well, I'll start with an observation. One observation is that in the private sector, there are companies and sectors that are very sophisticated when it comes to cyber security. And then there are others in the food chain that are not and need a lot of help and a lot of learning. And there are ways for some of the more sophisticated players to encourage the less sophisticated to do that. My advice would be invest in the latest and best technology. There are lots of cyber security firms out there that are in a position to advise. There's some good ones. But also the key to cyber security, even if you have the best technology in place, is information sharing. And that's where DHS can come in. That's where ISAOs, which are part of the private sector, can come in and play a role. Information sharing is key even among the most sophisticated actors. You can't act in a vacuum. You don't want to be out there all alone. And effectively partnering within the federal government and with the federal government. And those are the three tenets as I see them.
Excellent. Thank you. Please, let me open it up.
One other thing I'd like to add, Sean. He gets to call. Sorry. You touched on this in the beginning of your remarks about July 4. Very often in public reports, we see a lot of concern expressed about specific events. Emanating from statements made by us in government. But very often we don't finish reading the entire paragraph or the entire sentence. And so I gave a statement the week before July 4. And it was consistent with many statements I have made, which is that the public needs to continue to be vigilant around holidays, public events.
But we encourage people to continue to go to public events, celebrate the country, and not be afraid. We're a free society. We, as I said, cherish the freedom to associate, the freedom to travel. And we should continue to do that. The Homeland Security threat is definitely there. But I don't want to see people run and hide. And I don't want to see people stay in bed all day. I think we need to and should continue about our daily lives, participate, support large public events. One of my best lines is that terrorism cannot prevail if people refuse to be terrorized. And I've seen just in my time in office, 18 months, when an attack occurs, Americans, whether it's Oklahoma City or Boston or the United States military or any place else, come back even stronger. And I think that's part of who we are as Americans. We need to continue to do that.
So thank you for what you do. That's very helpful. Turn me over to questions. Yes, ma'am. Yes, the two.
Thanks for your speech and discussion. Jennifer Chen, reporter with Shenzhen Media Group, China. I just want to, in a recently concluded S&ED, U.S. and China agreed to further explore initiatives to carry out good communications and coordination on cyber security issues. So what are the initiatives from U.S. perspectives? And are there any concrete ideas for next round cooperation between the two countries? And what are your expectations on the cyber security issue discussions when President Xi Jinping's visit, September visit? Thank you so much.
Well, I went to Beijing myself in April. That was a number of Chinese government officials. And I have encouraged us to find common ground where we can in terms of information sharing. And in my time in office, we have done that to a limited extent. But it is also a work in progress. I think that we have differing views on a lot of fundamental issues and a lot of fundamental understandings about the nature of cyber security. So it continues to be a work in progress.
But I think that a dialogue can be good and is good.
Yes, sir.
The Acquisition Advisory Council, I have to agree with all your statements, especially the one about the urgency for bringing in these latest technologies, especially in the networks that are much more secure than the antiquated systems. My colleagues at the ITAC have discerned that the impediment to that is the acquisition process, which caused FITARA to be signed, the Federal IT Acquisition Reform Act. Can you talk to us about DHS's efforts to speed the need and removing barriers to this?
The answer is yes, we are doing that. As part of our Unity of Effort initiative on my watch, which I announced and created last spring, we are reforming our acquisition process. And we have an initiative to do that, to remove a lot of the barriers. Part of the initiative we have taken in acquisition is actually consult the private sector. In my professional life, I actually have lived most of that professional life in the private sector as a service provider, meaning a lawyer. And so we have an acquisition reform initiative underway right now. It was recently formed. We have a terrific new Undersecretary for Management, Russ Deyo, confirmed by the Senate by a vote of 95 to 2, who is my former client. He used to be the Executive Vice President for Administration at Johnson & Johnson. And in many ways, J&J resembles DHS. It's a large, decentralized conglomerate of healthcare companies. And Russ was the VP for Administration and oversaw a lot of their aspects of their business. And so he's with us now. He's come out of retirement to take on this job, and acquisition reform is part of his mission.
Yes, please. Yes, sir.
Thank you. Dana Goward with the RNT Foundation. A number of senior DHS officials have identified the susceptibility of the GPS signal to jamming and spoofing as a cyber problem and have called it a single point of failure for critical infrastructure.
Could you tell us about DHS's efforts to limit that vulnerability?

That's a good question. I'm not an expert on that particular topic. I do know that we spend a lot of time, we have an Assistant Secretary for Critical Infrastructure, Caitlin Durkovich, and we spend a lot of time interfacing with critical infrastructure, those businesses we consider critical infrastructure, on single points of failure and the like. So we are in a collaborative discussion and exercise with critical infrastructure on these types of vulnerabilities. Yes, sir, way in the back.

Yes, Mr. Secretary, Mike Posner with Senator Mark Warner's office. As you mentioned, DHS has the responsibility for protecting the .gov, especially now it's prevalent in light of the OPM breach. But what would you say in terms of the authorities that you have? Now, I know that you got some last year, but in terms of the department's ability to implement countermeasures, issued directives to agencies who may not be up to the minimum standard in terms of cybersecurity, could you use more?

Yes. Legally, each agency and department head has the responsibility for their own system, legally, and I stress that to my colleagues. We have the responsibility for the overall protection of the federal civilian .gov world at sort of the baseline. And as I see it and as we see it, where we need help in protecting federal cybersecurity is legal, making express our legal authority to receive information from other departments and governments. Occasionally, we encounter an agency lawyer, and I used to be one, that says, well, I'm not sure I can share that with you. That's sensitive. And we encounter that a fair amount and it gets in the way. And so we want the express legal authority to make it plain that when we utilize things like Einstein 3A, those other agencies are authorized to share information with us to give us access to our network.
As I mentioned in my prepared remark, I issued what's called a binding operational directive in May pursuant to some authorities we got late last year, which was quite helpful because that's basically a direction to another agency. Here's your vulnerability. You must tell me how you're cleaning up your act within a certain number of days. And that plus educating people at the top of the agencies, I think was pretty effective. This was a good exercise. I'm going to do a lot more of these because we saw that agencies were able to clean up something like 60% of the vulnerabilities we identified in a very short period of time. That's fantastic. You may not think like folks over here. Yes, sir. Way on the far end. Yes, sir. Yep.

What drove the difference in the way that the government has responded to the two incidents and how do you think about how response can serve as a deterrent to future attacks?

Good question. And I think the only thing I could say is that there are many different factors that go into whether you are at a point at which you can and should identify the actors who you think hacked you. And so as I said in my statement, the DNI said we have a leading suspect, but we're simply not prepared at this point to identify who that is. The Sony situation was a different type of situation. So there are a lot of different factors that go into the calculations. And it was in many other respects a different type of episode of a different character and different nature. Yes, sir.

My name is Martin Apple from the Council of Scientific Society Presidents. Can you clarify in your mind or in verbal form what constitutes the difference between somebody invading from outside the country, dropping something that damages us very significantly, and we consider this an act of war versus somebody coming the same way doing more damage, but it's in the cyber realm and us not being able to define what it is. Either for a long time, define the actors, know what to do about it.
Are we going to leave this gray area undone or are we going to actually start formulating something concrete around it?

From my DOD lawyer days, my view is that when you're talking about overseas acts, when you're talking about acts that involve state actors, it is less significant whether or not we characterize something as a quote unquote act of war, more significant that the response be proportionate, not necessarily of the same kind, but proportionate. That is a basic law of war tenet. And so I don't know that we necessarily need to put the label act of war on something in order to respond proportionally to it, but I do believe that appropriate responses are important.

I'm Mitzi Werth. I'm with the Naval Postgraduate School and I had the privilege of working with Art Cebrowski when he created the whole IT thing at DOD. I have two questions. One is, what's your relationship to Cyber Command at DOD at NSA? And more importantly, does your acquisition reform affect all of government or just you? Because by God in the Defense Department, we were buying computers, we were buying aircraft carriers.

Our acquisition reform, my acquisition reform is for DHS.

So you haven't done it for all of government?

No, I'm just DHS.

No, no, no. I get that, but I guess.

I'm not all of government.

The whole question of all of government is so much a part of the IT.

Absolutely. We can and we have, when it comes to cybersecurity, at DHS recommend various cybersecurity tools for other agencies as part of our mission. And I think we, in fact, sometimes even buy them for them. But that's in the realm of cybersecurity. If you're asking about DOD acquisition, don't get me started. But that's a different story.

But think about the size and the time and for people to understand what the costs are going to be as things get better and you have to keep repeating it. And you want everybody to be doing that, not just you.
Well, there are smart ways to do acquisition in my view, not beyond our reach. And I'm a big believer in not necessarily going with the biggest, most expensive tool. Sometimes the actor who's a little smaller, leaner, a little hungrier, could do the better job for you. I know that as a service provider. And we, you know, my department is only 12 years old. And in many respects, and I've said this publicly, in many respects, we are far too stovepiped the way the Department of Defense used to be. And then they had Goldwater-Nichols in 1986, almost 40 years after their creation. I'm trying to get DHS to a place where we, in a more collaborative, joint fashion function in terms of our acquisition decisions, our budget decisions, in a more centralized way earlier in the cycle, earlier in the process, now in our 13th year, and not wait 40 years. And so that's what our Unity of Effort Initiative is all about. Final question. Yes ma'am, right here.

My name is Anne X-Line-Star, and I have, I'm formerly with the Office of Inspector General for USAID and the Special Inspector General for Afghanistan Reconstruction. So I have experienced both the .mil and the .gov systems. However, I may be descending from the sublime to the ridiculous with my question. You had mentioned private sector partners and gateways, and how people tried to intrude upon various gateways. And I'm wondering if DHS has communication with eBay, because it appears that eBay has numerous, numerous, numerous attempts at spear phishing, and I myself was a victim of that a couple of days ago. Thank you.

Well, if we, if we are not, then we probably should be. So that's my answer to your question.

Okay. Mr. Secretary, on behalf of CSIS and all of us here assembled, thank you very, very much for being with us.