Good afternoon. My name is Jim Lewis. Welcome to CSIS. We're really happy to have this event, and we'd like to thank FireEye for helping to sponsor it. This is the fourth time we've scheduled it; every time we've scheduled it, something has happened. Usually it's been a snowfall, or we had one on February 3rd, Friday the 13th. That didn't work, and today is important because we were doing this, remember, for the executive order on information sharing. These guys have to slow down; I can't keep up with them. So we'll probably talk about some other executive order as well today, but the format is: we will have Michael Daniel from the NSC give some opening remarks and talk about what they're thinking about. We'll then have time for a few, probably two or three max, questions with Michael. We'll then go to a panel, which my cohort in crime, Denise Zheng, will moderate, and then we'll close up with remarks from David Grannis from SSCI on the status of legislation and where we are on the Hill. So it's a pretty full schedule. Thank you very much for coming out. With that, we have bios on the web for people who don't know who Michael Daniel is, but let me turn it over to him. Thank you.

Thanks, Jim. Good afternoon, everyone. It's a pleasure to finally be here, and they decided to finally move it to late enough in the calendar that it's actually a good weather day outside.
Although it is April Fool's Day, so there's something sort of ironic in that. I also do want to recognize CSIS's strong record of leadership in helping us shape and promote really good cybersecurity policy in the United States and in informing the public about cybersecurity and technology issues. So thank you, Jim, for all that you do in that space.

As Jim said, I'm Michael Daniel, and I'm the Special Assistant to the President and Cybersecurity Coordinator at the White House. In my job there I lead the federal government's development of national cybersecurity strategy and policy and oversee the implementation of those policies. In layman's terms, that makes me the chief cat herder for cybersecurity in the federal government.

So today I'm going to talk about a topic that we've spent a lot of time on recently: information sharing, and what the administration is doing in that area. Obviously, information sharing: you get this room full of people, and if there's a hundred people in this room, I could bring up information sharing and we'd easily have a hundred and fifty definitions of what information sharing actually means. But for us, I think that we view information sharing in the cybersecurity space as a very foundational element of our ability to combat the cyber threat.
It is certainly not the end-all and be-all of what we need to do, because actually, just the act of sharing information doesn't in fact make anybody better off unless you do something with the information on the other end: if the government isn't doing something with the information we get from the private sector, or the private sector is not doing something with the information they get from the government. But in order to enable that action, in order to enable intelligent and well-informed action, you need to have that information sharing going on. And so that is why, as a focal point, we have had many different efforts in several areas to promote the greater flow of information: within the government, between the various parts of the federal government; between the federal government and state and local governments; between the federal government and the private sector in both directions, both the federal government pushing more information out and the federal government getting more information back from the private sector; and between the federal government and our international partners, because all of these issues take place not just domestically but in an international context as well.

So certainly the White House has been very active on this issue, even just in the past few months: from hosting the first cybersecurity summit, the Summit on Cybersecurity and Consumer Protection, at Stanford University, through the executive order that the president signed at the summit, the presidential memorandum establishing the Cyber Threat Intelligence Integration Center, or CTIIC, and renewing our push for cybersecurity legislation. So I would say in this space, for us in the White House, the good news has been that the president has been very personally interested in cybersecurity and in these issues, and the really bad news has been that the president has been personally interested in these issues. But either way, it's definitely been a really
cool and interesting time to be working in cyber.

So let me talk a little bit about the information sharing executive order that we issued back in February. This executive order is really designed to encourage and promote the sharing of cybersecurity threat information, both within the private sector and between the private sector and the government. Obviously, this kind of rapid information sharing is essential in several different ways, both, I would say, at a tactical response level and at a more strategic level. At the tactical level, we want to be sharing this information in order for us to be able to respond more effectively to particular incidents and threats. So for a particular intrusion into a given company, we want more information there, and we want to be able to use that information to help us protect and defend other companies and other organizations and, frankly, also the federal government's own assets. But we also want this expanded information sharing at a very strategic level. You will often hear Phyllis Schneck from the Department of Homeland Security talk about her idea for a weather map of sorts, if you will, in cyberspace. We very much want to create that ability for us to have strategic-level awareness of what's happening in cyberspace. What's coming over the horizon? What are the trends?
Where do we see the bad guys moving, and how can we start to anticipate what that might look like? What will be their next move once we take a particular defensive action, so that we can be better positioned to respond? So it's both at that tactical and that strategic level that the executive order is really designed to promote.

That executive order laid out a framework for expanded information sharing to help companies work together and to work with the federal government. EO 13691 in particular encourages the development of Information Sharing and Analysis Organizations, or ISAOs, to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and the government. So those ISAOs are intended to accomplish four things. First, we want them to make it easier for companies to trust each other when sharing information, because the ISAOs will have a defined set of standards for what they're supposed to meet in order to call themselves an ISAO. Companies will have a better ability to trust that, when they're sharing information with those organizations, they know what those organizations will do with their information. Second, ISAOs will enable the sharing of information across sectors and regions, providing a different way to share information than what we have now. Third, they will provide a partnership structure for DHS to connect with the private sector in a way that is scalable. Obviously we want to encourage as much participation as possible, for example, of the private sector in the NCCIC, the National Cybersecurity and Communications Integration Center at DHS, but there is a physical limit to how many different companies you can jam in there, so we have to create a way to do the information sharing that is physically scalable. And fourth, they provide a framework for private sector information sharing that legislation can build on, making key legislative steps like tying
targeted liability to those organizations much more attainable.

So this ISAO structure that we envision is much broader than the existing structure in several key ways. In particular, the typical organizations that we talk about today are the ISACs, the Information Sharing and Analysis Centers. The ISACs don't have a statutory underpinning, whereas ISAOs actually do; they're enumerated in the Homeland Security Act of 2002. And ISACs typically share information within a given sector, such as financial services or energy or health, and this kind of sharing has proven invaluable to cybersecurity. We very much want to encourage that to keep happening, and those organizations that are very, very strong, we want them to keep going. But we want to enable the formation of structures that are different than that, if that's what the private sector needs in order to fulfill its information sharing needs. And so ISACs, in our view, are really a version of ISAOs; they're a kind of ISAO. And in fact, I would actually argue that the ISAO concept will only succeed if we learn all the lessons, some of them quite hard-won, of how we have built the ISACs over the last few years. So ISAOs can take on a whole bunch of different structures, including sharing information across regions, in response to particular threats, or for any number of other communities.

So this executive order is meant to complement the administration's legislative proposals that we sent forward, particularly with targeted liability protection for improving cybersecurity. So really this EO is designed to provide the framework for that trust and enhanced information sharing in the private sector.

We also have rolled out the Cyber Threat Intelligence Integration Center, or CTIIC. In reviewing our cybersecurity capabilities over the last year, the administration really determined that we face some critical gaps internal to the administration, particularly involving the strategic
analysis and integration of intelligence related to cyber threats. And this is going beyond our ability to assess particular incidents and threat indicators. This is about our ability to integrate that information across all of the different information streams that the U.S. government has, to discern the signal from the noise, if you will. How do we know what threats and risks we really ought to care about, particularly at the national level? Where are our adversaries going? How should we position ourselves to counter what they are doing? And how do we make determinations about how to improve the cybersecurity of the nation? So the CTIIC is really designed to help us fill that gap, and the president directed the Director of National Intelligence to form the CTIIC using his authorities under the Intelligence Reform and Terrorism Prevention Act to create intelligence centers. In many ways CTIIC will serve a function similar to what the National Counterterrorism Center does in counterterrorism: providing that all-source analysis of threats and incidents impacting American national interests and closely supporting the operational work of government cyber centers, making sure that they really have the best intelligence available about cyber threats and cyber actors in order for them to carry out their missions. CTIIC is really designed to be an internally facing organization.
It's not designed to interact with the private sector; that's what we have DHS and the FBI and a whole alphabet soup, frankly, of federal agencies to do. So the CTIIC is really designed to do that knitting together on the back end, to make that back-end wiring and machinery work better, so that all of those elements can do their job better and, for those of you in the private sector, make our interaction with you actually better. So if we do it right, the private sector will never see the CTIIC, but you will see the results of their work and what they do in enabling us to do a better job of outreach and coordination.

And then finally, I know that you will hear from David Grannis about where the Congress is on legislation. What I will say is that, for the administration side, we kicked off 2015 by submitting a new, updated legislative proposal in cybersecurity that included a cybersecurity information sharing bill, a national data breach notification standard, and a bill to enhance law enforcement tools for combating cybercrime. And since that time we've been working very closely with all the relevant committees up on the Hill, on both the House and Senate side. And I will say that we've made tremendous progress in this space, and I'm actually more optimistic at this point than I've been in a while that we can actually get to a piece of cybersecurity legislation that can pass the Senate, pass the House, and that the president will be able to sign. From the administration's point of view, we are looking to ensure that whatever we do in this space actually promotes greater information sharing, that it actually has the result of increasing the amount of information that flows between the private sector and the government; that we don't authorize behavior that actually harms the cyber ecosystem; that it also carefully protects privacy and civil liberties and preserves the long-standing respective roles and missions of civilian and intelligence agencies in this
area; and that it has appropriately targeted liability protections. So we're very encouraged by the work that has happened, particularly what the Senate Intelligence Committee has done and some of the changes they've put into their bill to address some of the administration's concerns. And so while we still have some issues to work through, I think that we're confident that we have a path forward to doing that. On the House side, we've also been very closely engaged with both the House Intelligence Committee and the Homeland Security Committee on their respective bills, and again, we think we have a way to work forward with both of those committees over there. So we're very committed to striking that careful balance between facilitating information sharing and protecting privacy and civil liberties, and we're committed to working with Congress to get there.

So these are just a few of the information sharing initiatives we have going on at the moment. All of these involve difficult and challenging questions, and that balancing act that I mentioned between protecting privacy and civil liberties, ensuring consumer protection, and ensuring the level of information flow that we need to actually provide actionable information that somebody can do something with to better protect their networks. So we're going to continue our push in this area. My office will be very focused on implementing the executive order on information sharing; on standing up the CTIIC and getting that into a functioning organization; on working with the Congress and the committee staff up there to get to acceptable cybersecurity legislation; and on many other projects, in order to both raise the level of cybersecurity across our country, to better disrupt what the bad guys are doing, and to respond to and recover from those incidents when they occur. So there are very few absolutes in cybersecurity, and there's no 100 percent answer in this space, as Jim knows quite well. There's only doing
better. So we will continue to strive to do better, and I think that we're quite well along on that path. So thank you very much for letting me come and speak with you today.

Great. Thank you. It is interesting to have sort of a historical perspective on this. I was saying right before we came in, if you think about where we were seven or eight years ago and where we are now, there's been tremendous progress. Whether it's enough progress is something we can talk about; there's clearly more that needs to be done. But I think I get the first question, then we'll have time for a couple more from the audience. I warned Michael that my question would be: tell us about how you're going to implement the executive order. What are the stages here? What are you going to be doing on it?

Sure. So where we are right now is we are working very carefully with the Department of Homeland Security. In the executive order, they are directed to carry out a process to identify a non-governmental organization, or set of organizations, that will identify the standards and best practices for ISAOs. And so we're in the process of soliciting public comment and understanding and collecting input from the community, the standards community and others, about how to actually go through and make that selection. So that's really where we are at this moment. We hope to finish that up sometime here in the spring and be able to move out over the summer with actually making a selection. Of course, the other part of the EO that is a little difficult to understand, because it's written in EO, is that we also in there fixed a long-standing problem with the industrial security clearance program, to enable us to be better able to grant security clearances to the private sector for sharing of cybersecurity information. I'm always a little bit hesitant to bring that up, because we will never clear our way out of this problem.
And so we tend not to be focused on that quite as much, but it is a component of what we're trying to do.

Thank you. And let me say, too, that there are reserved seats in the front; if you're in the back, they're reserved for you, so feel free to come on up and take advantage of them. Do we have any questions? I'm not going to ask a NISPOM question, and no one is allowed to ask a NISPOM question. But I see we have some questions from the floor. Why don't we do these three and then we'll go across the room. So in the front row first, please. Wait for the microphone.

Thank you for speaking. From China Daily. China's foreign ministry spokeswoman said the day before yesterday that China calls for more international cooperation on cybersecurity issues. So my question is, how do you see this cooperation between China and the U.S.? Thank you.

Sure. I mean, obviously the relationship between China and the United States is one of the most important bilateral relationships that we have in the 21st century, and it is also an enormously complex one that involves both areas of high levels of cooperation and some areas where we have some differences of opinion. And obviously cybersecurity is one of those areas where we've had some differences with the Chinese government over the last few years. My view is that, despite that, this is an area where we have to figure out a way to work better together. We're two of the largest economies in the world; both of us are highly Internet- and cyberspace-dependent, and the Chinese are growing only more so every day as they modernize their country. And I think in the long term it will be in both of our interests to figure out how to combat the cyber threats that we face more effectively.

Great. Thank you.
We had one in the front and then one in the third row.

Hi, Rich Colman. If the ISACs are focused on specific industries, are the ISAOs for other industries not already covered, or for smaller companies, or how do those two relate?

So it would be all of the above. In fact, I would say that, again, in our view ISACs are kind of a flavor of ISAO. They're one manifestation of that kind of organization that we want to see. I think really the thing that we're trying to promote here is flexibility, and to enable the private sector to organize itself along whatever lines it finds most useful for sharing the kinds of information that they need to. So in some instances, we've actually found that there are companies that have told us, you know, we actually need to be members of a couple of different organizations: one in our sector, one in our region, and one sort of for our supply chain. And so we want to enable all of those flavors and those kinds to get more formal recognition.

We had one in the back, and then I've got one over there.

Leandra Bernstein, Sputnik International News. A question about the executive order from this morning targeting cyber criminals with sanctions. Could you just talk a little bit more about that? Are there enough suspects that you can have a designated sanctions list? What countries do you anticipate a lot of these individuals being connected to?

Sure. So this morning the president issued an executive order that will enable us to target malicious cyber activity with economic sanctions.
It's so new it doesn't even have an executive order number on it yet, since the president only signed it at 8:45 this morning. But essentially, what this order does is it enables us to impose economic sanctions on actors (individuals, entities, organizations) that pose a significant threat to the national security, the foreign policy, the economic health, or the financial stability of the United States, and that meet one of four enumerated harms in the executive order: an attack on or disruption of our critical infrastructure or critical infrastructure services; the disruption of computer networks on a wide scale; the theft of trade secrets, personal information, or financial information; or sort of aiding and abetting, the knowing receipt of, or aiding and abetting those stolen goods, or one of the other two activities. So really this is a new authority for us. We don't have a specific set of targets at this time, because we felt it was important to get this authority in place to enable us both to deal with any future incidents that might occur that rise to this level, and also as a piece of deterrence for those that have been thinking that they can hide behind borders where there are weak governments, or weak cyber laws, or governments that aren't willing to cooperate. And so this is really a tool that's designed for us to be able to use in cases where we don't believe our existing tools of diplomacy and law enforcement and others are adequate or appropriate. It's not one that we expect to be using every day, but it is one that we anticipate we will be able to use in a very targeted and judicious manner. The reason it is not tied to any particular country or region or set of actors currently is because we wanted a tool that was flexible enough to apply to wherever those actors are and wherever they may be coming from. It's also designed, because of the receipt and aiding and abetting ideas, to reach not just the
actual hackers on the keyboard, but those that are bankrolling them and those that are supporting them and giving them their strategic direction for what to go do. So we wanted to build a tool that was clearly targeted and would be used judiciously and carefully, but also was broad enough to actually have an impact in the cyber ecosystem. It's really the culmination of several years' worth of work inside the administration to design this tool, and I think it's a very exciting step forward for us in adding to the capabilities that the federal government has to combat the cyber threat that we face.

Let me just do a quick follow-up on that one. There's two bits that leap out from the fact sheet, at least. The first is "malicious cyber action," which some people say was a source of debate within the administration. And the second one is the use of the word "significant," which, to people who are familiar with the federal process, looks like one of those compromise words that you put in front of everything. Can you tell us about malicious cyber action and what the judgment will be on significant?
So I think the essential framing behind this is that we want to be very clear that if you're talking about sanctions, they need to be used in the pursuit of our national-level interest, and used carefully and, as I said, judiciously. So the reason for the word "significant" is that this is not something that's meant to be used to promote the narrow interests of any one particular U.S. company. It has to be something that actually rises to a level of national concern, and that was the use of the term "significant," very deliberately. The term "malicious cyber activity": we wanted to arrive at a term that obviously denoted something bad, hence the use of the term "malicious," but we were also trying to enable us not to get locked into terms like "attack" and other sorts of things that you have a lot of debate about, and to enable a broad enough definition that we could encompass the wide range of theft and intrusions and the kinds of bad behavior that is, unfortunately, endemic in cyberspace.

We have one over here and then one in the back. So can we get this one up front, and then I think that'll be it. Wait for the microphone, please.

Raleigh Flynn, sing a consulting and Georgetown University. Could you comment a little bit more on CTIIC? How exactly are you going to be staffing it? Will you be pulling from other government agencies, hiring contractors? I know with the stand-up of the NCTC that was an issue. Also, how big is CTIIC envisioned to become?

Sure. So CTIIC is deliberately designed to be a streamlined and small organization. It will primarily be staffed by detailees and assignees from other federal entities, although it may well have some permanent staff of its own to ensure some continuity. I am sure that it will also be augmented to a certain degree with contractors to support the workforce. Our target number is around 50 people for this organization.
So not an overly... Well, if you're from the National Security Council staff, that sounds like a very large organization; if you're from a line agency, that's not a very large organization. So ultimately, not a very large entity to do this, because the goal is to leverage the existing capabilities, the very, very robust capabilities that we've built at the agencies, but to knit them together more effectively. So really it's that integration and support function that CTIIC is designed to do. I suspect that we're driving towards having CTIIC start producing products over the next few months, but I'm sure that it's one where we will try some things out, and we'll discover that some things work really, really well, and we'll decide on some others, "wow, that sounded really good on paper and doesn't work so well in practice," and we'll make adjustments.

Michael Eisenberg, speaking in my capacity as a member of the ABA Information Security Committee leadership. Harking back to the remarks at the very end of your statement about selection and engagement with organizations: going back to the start of PCIS, health care, for example, was a challenge because of the diversity. Has there been discussion, or are there views, about the way to deal with critical sectors that are diverse? And I'm thinking in particular about the law and the legal profession, which, like health care, is not a monolith and presents a challenge in terms of engagement about security practices.

Sure. I mean, I think that one of the lessons that I've been learning over my time in this job is that, in fact, the really, really big companies in all the sectors tend to look more alike than they are different across the sectors, and that the really small entities look very different and are actually more similar to each other across the sectors than, sort of, you know, being the same across those sectors. And the really large companies tend to have the
ability to invest fairly significant sums of money in, you know, a cyber intelligence unit and that sort of thing. So one of the questions that we've been wrestling with is how do we promote policies to enable the small and medium-sized enterprises in those various sectors to more effectively consume information that may be pushed out to the information sharing and analysis organizations, and how do you actually create this virtuous market for the larger firms to provide those services in that sector? Looking at and working with those sectors, trying to develop very deep partnerships with them, to say: what kinds of information are most useful to you? What do you actually need from the federal government? Where's the federal government's value-add in this space? So that we actually are, in fact, raising the level of cybersecurity, not just in little pockets but sort of across the board.

Final question, and I'll do it. You've actually put out a lot of stuff; it is hard to keep up. What's next, to the extent you can say? What is it? You have two years left, more or less, in the administration. What do you want to do? Where do you want to be? Where do you hope these EOs will end up?

So, easy question. Yeah, so I think that we're going to continue to focus on, I think, really three very core areas for us. So: how do we raise the level of cybersecurity for the United States, both in the short term and in the long term? And I put in the long-term category one of my favorite passions, which is killing off the password, killing it dead as a security measure. How do we disrupt and counter what the adversaries are doing in this space? Jim, one of the conversations you and I have had frequently is sort of the emergence of cyber as a tool of statecraft. That is something that we are going to have to adapt ourselves to in this space.
And then finally, how do we build the federal government's capability to manage and respond to and recover from cyber incidents effectively? No matter how good we get at doing our defenses, no matter how good we get at countering and disrupting what the bad guys do, sometimes they're going to be successful. So how do we actually respond to those events in a very effective way? So we're going to keep pushing on policies. We're going to keep focused on implementing the policies that we've pushed out. We're going to keep focused on working with Congress to get to cyber legislation. And we're going to keep looking at policies in those areas that I laid out, so that we can really make some progress against this and leave the country materially better off.

Good agenda, pretty ambitious, but I like it. Let's join me in thanking Michael for his presence. Thank you very much. Now what I'd like to do is ask Denise Zheng, my compatriot here at CSIS, to come up and introduce the panel; if the panel members could come up as well. We'll now go to the second part of the

Hello, I'm Denise Zheng, deputy director and senior fellow here at the Strategic Technologies Program at CSIS. Next is a discussion about an effort that's being piloted in the electric utility sector called the Cybersecurity Risk Information Sharing Program, also known as CRISP. At a very high level, CRISP is a voluntary information sharing program that facilitates the exchange of cyber information between electric utilities and the Department of Energy. It involves specialized sensors installed on the networks of participating entities that collect and transmit information in real time, and it enables the government to share sensitive cyber threat indicators and intelligence back. In many ways, this is a new and novel, innovative approach to sharing cybersecurity information within a select community with significant interdependencies that also faces advanced cyber threats.
So our panel is going to discuss this program, including its benefits, its challenges, and whether it could serve as a model for information sharing programs in other sectors. And with that, I would like to introduce our panelists. Michael Smith, to my right, is the senior cyber policy advisor to the Assistant Secretary, Office of Electricity Delivery and Energy Reliability, Department of Energy. Tim Roxey is the chief security officer and senior director for the Electricity Sector Information Sharing and Analysis Center at the North American Electric Reliability Corporation. Scott Aaronson is senior director for national security policy at the Edison Electric Institute. Greg Nojeim is senior counsel and director for Freedom, Security and Technology at the Center for Democracy and Technology, CDT. And Shane McGee is the chief privacy officer at FireEye. And so at this point I would like to invite our panelists to each give brief remarks, approximately 10 minutes, and then we'll do Q&A. Thanks.

Hello. I'm the CRISP program manager, and I've been so since August 2012. The program was kind of floundering at that point, and we had to come up with a way to get it restarted. I think everybody saw the potential benefit, and so it took a lot of hard work over a couple of years to get it up and running again. So various legal, policy, and financial barriers exist to sharing cybersecurity threat information: security clearances, need to know, fear of regulatory non-compliance fines, shareholder expectations, civil liberties and privacy. At the same time, a growing number of companies are collecting, analyzing, and selling extremely valuable, actionable, unclassified cyber threat information, in many cases with attribution. The government cannot and should not compete with these companies. So given this situation, how does the government make the case
That critical infrastructure owners and operators should share more information What can we offer that these best in class companies can't? Classified government information. So that's kind of the the heart of what we're trying to do with this collaboration So the chris program is a as you've heard described a public-private partnership And I think you all have a handout that at a high level Describes the basic infrastructure and data flow process of How we started I would correct one thing you said called it a pilot still I officially changed the p and chris to program About a year and a half ago when the electric sector decided to Partner with us and take it and run with it. So It's no longer a pilot although we are To fulfill our role is kind of the Improving the program looking for ways to improve it We are conducting a series of operational pilots to test out technologies And we'll talk a little bit about more of that later So The purpose of chris is to collaborate with our sector partners and to facilitate The timely bi-directional sharing of information as close to machine speed as we can that's our goal And develop situation awareness tools that can Help improve our situation awareness and our sector partners So DOE performs and funds the classified analysis And we conduct these operational pilots as I mentioned while the electricity sub-sector Funds basically everything else themselves And that was always the vision of the the pilot was that if this was beneficial to industry and they Decided to move forward with it That eventually it would transition to that type of arrangement. 
So it's worked out fantastic and NERC The courage it took in the department to Decide to move forward with this is It's pretty groundbreaking partnership The vast majority of actionable cyber threat information as I mentioned is unclassified and it's in the possession of the private sector While the government has classified government information and in all threat intelligence information Um It doesn't get that real-time information from the critical infrastructure owners and operators So what we try and do is To make that value and this make the partnership Work is we call it an enrichment process We take the information that they voluntarily decide to share with us and The department analyzes it Using classified information to see if there are Gaps trends the picture they have of a broader understanding of what's hitting all sectors in the u.s And how we can declassify that as quickly as possible and push it back out to the partners Hopefully at machine speed, but until then at least as fast as we can So by focusing on that last mile of actionable actionable threat information Crisp is not attempting to compete with managed cybersecurity service industry Or duplicate the energy sector expertise that resides in each of the crisp companies And that they're information sharing an analysis center We can't duplicate the expertise in those companies Or the understanding of the sector that the es isack has or that those companies have So The original pilot started with technology Developed at pacific northwest national lab And that's what the nirk and the es isack are are using as they go forward So that allows us to step take a step back and start experimenting Checking other technologies that are out there to see how we can help improve every process every aspect of crisp speed it up Make it as is more useful and Tailored to what the sector needs is possible Now while some energy companies have very robust cyber programs michael mentioned the Vast scale of 
sophistication that's out there We have the same thing in the energy sector So Not every company has those capabilities of some of the large ones So but almost every company in the sector whether electric or oil and gas Has some type of network monitoring capability so Our eventual long-term goal is to allow companies to come into chris with whatever technology they have in place If they have some type of network capturing information that they want to share with us Whatever fashion we hope to bring them in so that we can protect the companies that are connected to the larger Sophisticated companies in some way, but do not have their resources The full and successful implementation of crisp crisp is an ongoing enduring program will require both industry and government To address and mitigate all of the sense of sensitive legal and policy concerns that we've been addressing for the last two years It's it's not a one and done Issue we have to continuously look at ways to minimize the data that they're sharing autonomically remove PII or private information and focus it as fast as possible on True cybersecurity information. 
So that's that's kind of what we're we're searching for and The transition from our small pilot to nirc and their companies coming in Was a perfect example of how bringing their lawyers and their expertise to the table to work through these issues strengthened every protection and and issue that we dealt with and the beginning of the program To protect privacy and civil liberties Better than in thought of things that we did not think of at the pilot phase And that's that's what exactly what should have happened and those protections are are very well thought out and spent a lot of time on negotiating those So I guess the key takeaways I would say is that the current crisp privacy and civil liberty Liberty protections are robust and reflect hours of coordination among the interagency and with our private sector partners But we need to keep working harder to make sure that we can even improve that DOE is committed to this partnership and will continue to investigate ways to enhance Chris information sharing and reduce cost as much as we can for the private sector Thank you Thank you and tim roxy So I am tim roxy. I am the chief security officer for nirc And i'm the senior director of the esi sec. So nirc is a private sector entity. We're not for profit We have roughly 1800 to 2000 registered entities which are in compliance with the nirc cip standards And we also have many others within the electric sector who are not members of of nirc itself But our members of the esi sec. We are north america wide To include uh, oh conus Areas as well and we integrate with the other friendly five eyes and other isacs around the club So it's a big dang deal for us to be involved with the chris program We are seriously a public private partnership We are embedded with various public community agencies such as dhs and doe among others And also very tight relationships with a variety of private sector companies to include other sectors as well We we hold daily Inner isac calls. 
So we coordinate on a daily basis the tempo of tactical information sharing between all critical infrastructure um I kind of want to say that chris is designed to to address or partially address one of the more difficult challenges in cyber security that you hear Discussed in a variety of different ways Sometimes you hear a statement that says it's almost two years or it's 208 days or it's pick some time frame It doesn't matter before you're actually aware of a compromise From the time you trace it back and realize that you were compromised So the way a friend of mine paul stockton would frame this it's left and right of boom Our lives are are a series of events left and right of boom left of boom. You're on vacation. You're fishing You come out to the parking lot your tires flat. You didn't prepare for it. Now you got to deal with it So crisp now is designed to be that detection function right in the middle. It amplifies it enriches Through classified networks and it also enriches through a lot of open source intelligence information The information that a particular single entity may be seeing When you take that single entity information and pass that detail of whatever they're seeing back into the company It helps the company improve their training their ability to respond and to mitigate these issues However, as we know Typically one company is not the only one suffering a particular piece of pain It's shared across many many companies So what the isack does the value add here is that we will actually take that information back Strip attribution and parse the information into a protected portal Encrypted in some cases so that the vast majority of the other companies in the electricity sector can participate in And fixing that the details are Pretty pretty intense the information sharing device basically captures packets Uses four different types of technologies to evaluate that each of these technologies has a data protection privacy Descriptor with it that 
says even though this technology can take this kind of data The collection that we need is only going to take these few pieces All the rest is going to be dropped at collection. So it does not even go into the national labs We scrub it as hard as we can before we even pass it up there the initial An analysis of this is actually performed by a series of very sophisticated algorithms And then the basis of those algorithms when they when they start to generate the report function It goes to a system of a network of human analysts who tear down through the information And put context open source sometimes sometimes classified context to it All with the intent of creating a package of information to go back to the entity Who had the isd system that gave you the data to start with But also to horizontally integrate that information across all the other classified and unclassified networks we have and then to share it across the sector So the esisack again would be the the functional vehicle through which all the electricity sector would be sharing this information And we are targeting to try and move to taxi and sticks framework for anybody who's familiar with those And that would be a machine-to-machine Framework and we also use from doe the cyber federated model which doe uses which is also a machine-to-machine heavily encrypted Always so the the information is always in motion heavily encrypted And that's where we are the The actual document which is shared amongst all the entities is about 60 70 pages long that describes in Exquisite detail every field that the technology can capture And the requirements for privacy concerns associated with every field and which fields are needed and which fields are not They're simply not collected Thank you Thanks, tim Scott Thanks, tenice and thank you to csis for holding this today and thanks to my colleagues who are up here I think we're going in exactly the right order so Mike and doe And the government helped to develop this 
technology NERC and tim and the electric sector information sharing analysis center are helping to Manage it and my members the electric utilities around the nation and the and canada as well are Benefiting from it. So what I want to do is sort of explain how we got to where we are and then what the industry's Perspective is and sort of why we have bought into this the way that we have. I think it's an instructive Viewpoint for other sectors who are looking to as michael daniel put earlier Really deal with the most foundational thing that we can do As a nation dealing with cyber events and that is to improve the sharing of information So in addition to my day job as a member of eeis government relations department I am actually 95 of the time the secretary of electricity sub-secret coordinating council I'll give a little background on what the ecc is and what it does and how it relates specifically To the crisp program and where we are today Without too much history lesson nyak the national infrastructure advisory council Has put out a bunch of reports over the years about how can We improve our security posture to protect that critical infrastructure that primarily is owned and operated by the private sector But which has a critical component to the life health and safety of americans traditionally a really government focused perspective But obviously we we the critical infrastructure owners and operators have a little something to say about it and do with it so In 2011 nyak wrote a report about electric and nuclear sector resilience. 
They said There ought to be a senior executive dialogue between CEOs and senior administration officials We said yes, there should be that and wrote a letter to the president That first letter was ignored We wrote a second in may of 2012 and that one was responded to the intervening event was fukushima And the administration saw that the japanese government was effectively setting policy in the middle of a crisis I am very fond of quoting my engineers. That is suboptimal So We got commitment to work together and we are now working together at a very high level on a very regular basis at a very fast pace Uh, the ecc is comprised of 30 ceo's and trade association heads Representing the entire electric utility industry if you think of the electric grid It is one big machine with thousands of owners users and operators We have to work and play nicely together. We have to keep this this this big machine operational So The ceo's who have a lot of value to this, you know people joke the ceo's don't do work No, they don't but they set policy they set strategy. They provide resources They are themselves a draw that brings other folks to the table that help us to do more better faster In this particular case that was bringing senior administration officials to the table When the folks in the corner office both industry and government care about something you can do things quickly And the deployment of crisp is an example of that and i'll go into a little bit more detail The ceo's about two years ago now With the with the administration said we're going to focus on four things. Here's what we're going to work on Information sharing making sure the right people are getting the right information at the right time Tools and technology the government has some cool toys. We want those on our system Improving incident response to michael's point and others. You can't protect everything from everything What do you do when something goes wrong and then cross-sector coordination? 
No one component has A monopoly on good information and frankly if you think about the electric utility system Everybody likes to focus on us as the most critical of the critical everybody relies on us If we don't have water we can't generate steam or cool our system if we don't have telecom We can't operate if we don't have transportation or pipelines We can't move our fuel so on and so forth the interdependencies across the sectors are profound And so we are focusing on that as well If you think about crisp and the and the description that you've heard from tim and mike It effectively addresses in one component or another all four of those missions tools and tech Well, it's a tool and a technology developed by the government managed by nerk and deployed by the industry Information sharing it does information sharing and it does it at a machine to machine or will be Hopefully in the future doing it a machine to machine level at the very least it's getting toward machine to machine Incident response gives us a sense of when we're going to be to use tim's language right of boom And cross sector it is a platform if you look at some of the other sectors who have done some interesting things in this space They are developing you know think financial services and the sultra edge project We can benefit from that they might be able to benefit from crisp How are we and tim is at the center of this sharing information across the isaac's through the n kick bilaterally among the interdependent sectors Again crisp is a facilitator of that So that's how we got CEOs and senior administration officials to say about a year ago now Deploy it not a not a pilot anymore. 
It's a project We want it We want the isaac to be at the center of this and we need these tools and technologies to help improve our capabilities and improve our situational awareness people often say that Relationships are complicated legal ones more so And when you think about the entities that are A part of this now legal relationship contractual relationship The department of energy and the government more broadly nerc and the isaac Dozens and growing numbers of utilities who are deploying If you think about and greg is going to get to this I assume the privacy implications of all of this We spent the first part of last spring Just figuring out what we had to do The CEOs then led by tom fanning the CEO of southern company Threatened to lock us in a room until we got it figured out That kick in the pants is what we needed and we were able to actually Get everybody to the table weekly calls working through every element of this legal relationship that was going to allow us to Deploy this technology with the isaac at the center of it with a classified component of it And a government project that Developed project into the hands of the private sector so that they could use it in a way that honored the privacy concerns That were not insignificant And the privacy of the companies and the and their And their employees Things again that were not insignificant We created a memorandum of understanding and what we effectively have now is a boilerplate that every company that Wants to deploy crisp is able to sign on to Create a scope of work unique to their company and deploy in what has become about a six to eight week process So if you think about where we were with a five Excuse me a five company pilot a few a few years ago And to where we're going where we're hoping to have tens dozens if not more Companies in the future we had to make it as simple as possible, but not simpler Um That's where we are legally today and that is how we deploy this technology Tim 
throughout the number 1900 there are 1900 Utilities who make up the bulk electric system. They are called registered entities. That's the term of art We will never get 1900 companies. That's okay What we want to do is get a good cross section regionally by The type of company I represent investor owns. There's cooperatively on there's municipally on there's canadian How can we get this Into the hands of a good cross section of people and then once we've done that how can tim shop Use the information That is gleaned from the dozens of companies that deploy and socialize it and put it into the hands of all owners User and operators some who choose not to participate some who simply can't afford to participate That is the model that we have created for the electric utility system And one that we think works well for us clearly other sectors will have other approaches But again, these were the pitfalls and sort of issues that we had to cope with in order to make for a more streamlined and effective deployment what we think is a very valuable tool to Excuse me improve the situational awareness of cyber threats for the electric utility grid. So with that I'll look forward to your questions. Thank you Thanks Scott now we'll turn to greg Hi, i'm greg nojain with the center for democracy and technology cdt. My organization is a nonprofit organization We're based in washington. 
We have an office in san francisco And we have folks in brussels in london and we like to say that we're dedicated to keeping the internet open innovative and free My organization has been pretty deeply involved in the debates around cyber security information sharing legislation Because of the privacy implications that we see In the proposals that have come I have to confess I don't know as much about the chris program as the other panelists who have gone before me And I would submit that that's not a good thing Not good for me And perhaps not good for the idea that the program might be translatable into other sectors One of the things that I think a lot of the privacy community What have concerns about is the extent to which The program and programs like it are transparent so that people actually know What are the privacy protections that have been built in? And are they effective and exactly what information is being shared? How is the pii being stripped out? These are all things that are being discussed actively now in washington There's a lot of folks who are very sensitive to that information And I would just submit that More transparency about that would be a good thing For um for this whole program one thing that um I like is the idea of finding approaches to solve And deal with the issues that come up when the government gets involved with the cyber security information sharing activities In the legislative context those have mostly well they have Often centered around When personally that personally identifiable information is shared as part of the cyber threat information shared So that people can help protect each other from cyber threats Um, it will necessarily include some pii Uh personally identifiable information and it will sometimes include personally identifiable information that isn't necessary to share How is that going to be dealt with? And what steps are taken to minimize the sharing of that information? 
Those are the concerns that really I think are coming up a lot in the in the debate around the legislation And um, it's good to hear that um panelists are concerned about that When that information goes to a governmental entity Additional concerns come up. How will that entity use it? Is the entity? In the intelligence area where um, let's just say Some agencies have been rather promiscuous in their gathering of information including information about persons in the united states Will it be turned to non-cyber security? purposes such as criminal prosecutions now, I don't know what the rules are for the chris program, but I would suggest that Rules that prohibit non-cyber use Of the information being shared would be a good thing It's also it's also not entirely clear to me What data is going back to FERC Back to the department of energy And what data does not go what data is scrubbed out and does not go and I think some additional clarification would be Useful in that regard We're also we've also been asked to think about whether the model that's been discussed and described Could be applied outside of the energy sector Um, I I think it might be appropriate For some other sectors, but I don't know if it will be appropriate to what I would call The public-facing sectors the sectors that are going to deal with a lot of um personal communications consumer communications as opposed to um, what might um be shared within the energy sector I'll stop there and hope to continue learning more Good afternoon. Um, I'm Shane McGee. I'm chief privacy officer for fire. I And that's just in the last year prior to that. I was general counsel for a local security company here called mandiant Uh, I am as a chief privacy officer I think I'm in a unique position on this panel because I'm both from a company and executive in a company that sells Information sharing services and products including those that may be involved with this program at some point But being the cpo. 
I'm also a privacy advocate, which means I'm an advocate for our customers And protecting in charge of protecting their information the confidentiality of their information So I I try to to balance the the two extremes in this discussion And I think probably the best thing I could do here is to go through and explain Why I think uh that this program the chris program is Probably one of the better if not the best framework that I've seen in terms of balancing both the privacy and the security issues on information sharing So let me just go through some of the points that that I have and including some you saw me tapping while the others were talking So I think anything that reduces direct Collection by the government of information is hopefully going to and greg I look forward to getting some of these details too In the q&a. So I'll try to keep my comment short so we can get to those questions But I think that any program that limits direct Government access to the raw data is the only type of program that's going to really pass muster from a public standpoint and those with privacy advocates the arguments that I've heard On including those on the hill this morning in a meeting about another information security or information sharing bill is the the privacy advocates are Disturbed mostly by the government have using this as a backdoor to collect more raw data about its citizens So I think that the the ability to send this to keep this in a private public partnership But in a privately owned framework is incredibly important and is unique to this chris program The There has to be in the process At least one probably more Times when we're going to be able to scrub personal information from This data stream and that was something that mike and others focused on and that's a I think another great point about this program What we can't do though is What a number of the privacy advocates have come out and suggested which is to Have kind of a strict liability in terms of 
any company that's providing information Even if some incidental personal information gets by if you have any type of liability associated with That then there's not going to be enough participants in a voluntary program like this So there has to be some sort of Compromise there and to think the bill that we were talking about this morning talked about reasonable efforts to remove personal information And I think that's that has to be standard going forward both for this and for others Now greg you said transparency I couldn't I couldn't agree more we have to absolutely include privacy groups From the bottom up in the planning and implementation of this program of The legislation that's being written elsewhere It the my experiences at at fire. I have been Largely trying to convince A large customer base that they have more to gain from having us On their network with pretty extraordinary access to their network Then they do by Not having a company that's looking out for their security. There's always that balance There's that natural tension between privacy and security you have to give up a little privacy to get the security that we need these days So I think that's an example there where you you have to make that argument and you have to include the privacy advocates and Convince them of that and the only way you can do that is to involve them from the very beginning What you can't do when you're talking about personal information Is to Broaden that definition to include data that we really do need when we talk about information cherry I'm talking about ip addresses mac addresses things like that Whereas if we applied for example the european unions definition of personal information Then we would be restricting ourselves from exchanging absolutely vital data data that we really can't effectively Create a program like this without trading And then we also have to do I think this goes back kind of to the question about government collection When the government is 
involved in receiving any of the raw data, there are legal regimes in place that require Big scary banner ads. Would that be the technical term mic big scary banner ads? Yeah, we need to have I think by and by making this a privately owned privately run program You can get away from some of the bureaucracy Around information collection and sharing and I think that's also a good thing And finally again, I think probably the best point here is that privacy is advanced and promoted by programs like this At mandiant now by fire at fire. I we see time and time again Serial compromises over and over again by the same groups using the same tools tactics and procedures They compromise one company to use the same malware and techniques for the next company and then the next Whereas if those companies down the line not a but bcd and e Had been a part of a robust information sharing program They would have received information About that particular compromise early on and it would have prevented a number of additional compromises Thank you. So before we take questions from the audience, I wanted to just pose a couple questions to the panel Um So we've heard that one of the major impediments to improved cyber security information sharing is The potential for the information shared to be used for regulatory purposes in this case. It's kind of unique, right? So nerk is the industry regulator. Well the industry self regulator. I guess you could call it but You have utilities sharing directly To their regulator So my question is, you know, has this posed any unique challenges? I think somebody had mentioned that there are currently five Companies who are signed up for the program. Has this created any challenges in terms of getting folks to sign up? How have you addressed these challenges? Um, how have you guys overcome that? So the NERC is indeed a regulator. It gets its authority from FERC, which you mentioned. 
He's doe by the way Um, I just want to make that clear It gets its authorities under section 215 of the federal power act if you look at section 215 of the federal power act It said go find an euro and give that euro the ability to create standards and do compliance management and enforcement Well, if you go back to 1990 a At the beginning of I'll get the number wrong ppd something or other 63. I think it was That came out of the executive branch Right and when you come out of the executive branch, you don't have the same legislative authorities that you have out of the legislative branch to impugn sanctions and penalties, etc The regulatory function. However, you do get the information sharing function. So when you follow The hspd7 PPD whatever it is and I'm sure you folks can track this much better than me But out of the executive branch you get into hspd7 you get into the nip you get into the public private partnership framework And you start the conversation around I sacks and to michael's point earlier We are actually an isao as well, right because information sharing analysis organization So when you come into that framework, then you do not have the regulatory component So the es isack does not have the regulatory component However, it receives section 215 funding for the boots on the ground and the equipment of our fingertips In order to clarify this the board of trustees has written two different policy statements that isolate The es isack from all compliance management and enforcement information Which means I don't do names at all I do security. I do not do names. I won't tell you how many are in the program I won't tell you who they are I won't tell you the kind of data that we're collecting and analyzing or who i'm sharing it with Because I don't want even the implication That my team or myself is talking to compliance management and enforcement even in circuit to shrouds So with several sets of board of trustees and they're my boss's boss, right? 
So that's the people at the top. They have Discussed this openly in the public amongst all the utility Asset owner operators. They've discussed it in front of FERC all the way across the line There is now a barrier between the section 215 funded regulatory aspect and the executive orders and hspd7 public Private partnership coming out of the executive branch that creates the isao and isax. So this this is a non statutory Mandated function out of the executive branch ergo. I am not part of the regulator now That took a little bit of education took a little conversation around the industry But I think we are pretty much down that path People tend to trust us quite a bit with sensitive information So I'll echo something tim said Yes, denise there was a problem and we had to educate a bit Um There Is concerned with sharing information that could be held in use against you in regulatory proceeding The fun metaphor that I like to use is you wouldn't go to marriage counseling with your attorney So you want to be in a place where you can share information freely and openly for the benefit of all And we needed to prove to people that in fact The isaac which is a unit of nerk But is its own separate entity was not in fact breaching that trust and Tim and his team have done a lot of work to Socialize that message and to do the things the basic belts and suspenders that need to be done To isolate the information that they are collecting And to isolate themselves from the broader compliance and enforcement functions that nerk Also does That is ongoing and in fact the escc Is undergoing a review of the isaac And one of the things that is being looked at is how can we even do a better job of ensuring That trust because the second that that trust trust is breached This program goes away because every company that is a part of it will say I can't trust it the things that I am sharing are now going to be held in use against me I'm done and then this crumbles under its own weight and 
that's terrible. And Tim and his team understand the existential threat and are doing everything that they can and should be doing to ensure that that never happens.

So I think this discussion actually leads to some of the points that Greg and Shane made about privacy and transparency. And it sounds like, Tim, you had mentioned you're not disclosing who's participating or even what type of information has been shared at a detailed level. So how do we get the transparency we need to assure people that their privacy is being protected while addressing these other concerns?

Actually, the person who could probably do the better job with that would be either Scott or Mike, but in my world, as we were going through recruiting the initial group of entities, the privacy offices of each of these entities were part of this conversation; the general counsels of each of these entities were part of that conversation. I don't know if you've ever tried to write a contract with 25, 35, 45 general counsels all talking about nuances associated with these various places, but it was an exceptionally difficult challenge. So I think that would be something that Scott would probably take on, future tense, in order to figure out the appropriate level of transparency around the privacy concerns on the technology. Because once we capture the data, it still has significant scrutiny and involvement associated with making sure that nothing gets into that data stream. So the technology can be configured in a particular way based on the privacy concerns within the data sharing agreements, but additional transparency would have to come from outside of my organization, because I'm internal to the organization.

So before we even started working with NERC and the ES-ISAC and the industry guys to migrate to where we are now, I worked with our privacy officer at the Department of Energy, Jerry Hanley. He's the lead across the department.
He oversees all of our intelligence activities for the intelligence organization, in addition to every other project. So I've worked with him for the last two years and have gone through three privacy impact assessments. I had to redo them each time we changed the configuration of the program. So for the original pilot I had to do a PIA, and we developed and signed it; and then when we brought in and partnered with NERC and the ES-ISAC we had to do another one; and then when we had our first operational pilot with Norse and FireEye we had to do another, separate one, because that was again a different process, a different flow. So we had to do an updated PIA for each of those. But so we've worked very closely with our privacy office through the whole process.

I'll be real brief. I think Tim hit it on the head: future tense. We are all getting comfortable, on the industry side, with this framework, the information itself. In working with the attorneys I learned another little phrase: general counsel's offices are the business prevention department. Apologies to the attorneys in the room, but there were obvious concerns for the companies themselves and their liabilities and exposure. There was concern about their employees, and the folks who would have to affirmatively say that they understood that the network they were operating on was being monitored. The banner language was one of the hardest problems to solve during this whole negotiation. And so, to Tim's point, I would simply say I think we recognize the benefit of transparency in this space, but would need to feel really comfortable about what it was we were being transparent with. And it's something I would have to go to the owners and operators and users and make sure they were comfortable with what we were ultimately disclosing.

So in terms of what ought to be disclosed, I don't think that the public needs to know the name of every participant in the program.
I don't think the public needs to see classified threat indicators. What I think people need to know is the class of entities that are involved, what the relative role of the government is to the other entities that are involved, and information about the information being shared that is detailed enough so that technical people can look at it and say, this is what needs to be shared and this might not need to be shared. And again, these things, they're reasonable. It's not that privacy should be an impediment to a program that works. It's that a program that works can work together with the privacy concerns resolved.

And a couple things to what Shane said earlier. When it comes to removing PII, in the legislative debates right now I think virtually all the privacy groups accept the notion that reasonable efforts are good enough, and that there's a duty to look for it; that's part of being reasonable. But a reasonable effort that is unsuccessful is good enough, because you can't guarantee an outcome. At least we would say that you can't guarantee an outcome in this space, and the privacy groups that are actively engaged all recognize that PII that includes IP addresses, for example, is going to be necessary to be shared in order to describe a threat. And we get that, and we wouldn't have a leg to stand on to say no, you can't share that which is necessary to describe a threat. So I think that the debate has kind of gotten beyond those things and moved on to some other things. Example: do you have to look for the irrelevant PII in order to scrub it out, or can you just say, well, we didn't know, we took a look, we weren't sure, so we passed it on? That's really where we are at this point. Yeah.
Yeah, and I do appreciate that a lot of the groups do have that opinion, and I think that's a very reasonable and strong opinion. There are still some holdouts in terms of the breadth of the PII. I also want to say that again education here is absolutely key, and when I've had these debates previously, I've actually sat down and I've pulled out a stack of indicators of compromise and I've put them on a table. I said, these are chosen at random; find me a piece of personal information. It's not there. I mean, nobody has any interest in collecting it in the first place. It's not relevant to this type of intelligence. I think that the more we include people in that process and have the privacy advocates actually on hand to see that, the arguments are going to fall away very quickly and this will be accelerated.

So I think we have time for a couple of questions from the audience. Up here in the front. Just wait for the microphone.

Hi there, James Grithaus from Industry Canada. How does CRISP currently deal with international partners, and what are the future implications for international partners?

We've had several calls and conference calls with Canadian entities in the North American power grid, and we all hold it as a goal to bring a partner in if we can. It obviously raises some difficult things with the classified enrichment piece: how would that happen with a Canadian entity? But we've had numerous, at least three or four, conference calls with the right Canadian government and private sector representatives, and they're thinking about it and looking at it, and we will continue to pursue it. If it means that the Canadian intelligence community would have to serve that function, so be it, and we could partner with them directly rather than us doing the enrichment for Canadian entities.

Let me say real quickly.
I'm excited about CRISP not just so that CRISP could be expanded, but as a proof of concept. I think this structure, this framework, has a whole lot of promise to it, and I think if it works in this context, we can start up in other places, not necessarily an extension of this program but other programs that are modeled on it.

I think we had a question here.

And if I could just respond: the Canadians are already participating because they're members of the ES-ISAC. They actually see the reporting that we generate, in the sanitized way, in the portal. It's just not identified in the portal as coming from CRISP; it's just things that we post.

Hello, I'm Megan from Obsidian Analysis, and kind of going on that proof of concept: while the utility sector has had a lot of struggles in sorting this out, has their recent success proven to be a motivator for other sectors that are much more behind, such as the oil and gas sector, as they're kind of interlinked? And secondly, in addition to being a motivation just for their own security,
are there any other motivators out there, say insurance companies, showing their due diligence to insurance companies?

So I'll talk to both of those just a little bit. I always hesitate to say that any of the sectors are behind. I sort of go that all the sectors are different and have different needs and different goals. That said, I think the right word is proof of concept, and there are other sectors who, again, I sort of bristle at this notion, but who are ahead, who are doing some unique and interesting things themselves that we are also learning from. So a big component of what the ESCC is doing is looking at this in terms of cross-sector and interdependencies. As effectively the common interdependency for so many other sectors, we are foisted into the middle of it, and to the extent that other sectors can benefit from our experiences, we think that's a good thing and we are socializing what we have done. And in a lot of cases, not to name names, other sectors are looking at what we've done with intrigue.

The second question was, is that a judge leader? Insurers and all of that. Yeah, yes. Not specifically as it relates to CRISP, but as these different projects that are really linking government and industry get more publicity and help, in some cases, to provide more information and underwriting tools to the insurance community, to the credit markets, to other places, we are seeing an interest in them learning from, again, these experiences and the information that's flowing and the security posture. I also think, and this just comes from recent experience in talking to some of the credit rating agencies, there is this increasing recognition that you cannot protect everything from everything. So one of the benchmarks for how mature you are is how capable you are of degrading gracefully and responding quickly.
And again, CRISP is one of the things we can point to that facilitates that.

I think we have time for one more question, over there.

Hi, Randy Sabett from Cooley. This has to do with the discussion of trust that was going on, and for those of us who have been in this area of standing up these communities of interest for many years, trust is the biggest issue, and it's difficult to force trust. And in fact with a lot of groups, they're only successful because of pre-existing trust relationships that might be in place. That's true of the FS-ISAC to some extent. So the question here would be how much pre-existing trust existed amongst the CRISP members, and is that something that you see, the lack of that trust, as a potential barrier for other participants? Thank you.

Thanks. No, trust is always a barrier, and actually this gives me a good place to talk about something I neglected to in my original comments, and that's that this is not the only answer. There are communities of interest that are forming around a lot of different tools. I have companies who are part of various virtual operation centers, where they're working together, and it's based on this trust model. And so my point here is we don't want to say that CRISP is the only answer for information sharing across the electric utility sector. It is one tool in the toolbox, and its particular benefit is that it socializes the information to the non-users as well through the ISAC. We're particularly proud of that. So that's one part of it. Second is, as trust relates to CRISP, I'll just say this: as we negotiated the original contracts with a core group of companies, trust was developed. What we are doing is taking that core group of companies and using them effectively as proselytizers to help others in the industry understand: nothing to fear here.
The ISAC is not a regulator. Here is our success, here is how we view the benefits, and help to onboard these new companies. And then hopefully what we get is this critical mass, and as you get dozens, then maybe you get tens of dozens, because everybody else recognizes that, well, okay, there's nothing to fear there; the leading edge of folks that have gone forward haven't gotten killed, so we can follow now. And the other part of it that we haven't talked about a whole lot is the more companies we have, it socializes the cost and actually reduces the cost for some of the smaller companies who might not be able to afford it otherwise, and that also helps to deploy in an even broader community.

Well, I wanted to take this time to just thank our panelists. This has been a really great discussion. It's really great to see a lot of experimentation happening in the cybersecurity information sharing space. We've seen a lot of sectors try different things, and at CSIS we actually had a project looking at this across sectors, and what we found was that sectors that share common goals, trust, similar types of threats, and that, like Greg said, are not consumer facing in some ways or user facing, that deal with a lot of personal communication, tend to have an easier time sharing than others. Anyway, I think there's a lot of lessons learned from all of these different programs, and I really want to thank our panelists for sharing their experiences today. Thank you.

People from government, and a big question we heard over and over again was, when is Congress actually going to get something done? So let me give you the good news up front. I'm talking about the process. On March 12th the Senate Intelligence Committee reported out a bill on a 14 to 1 vote on cybersecurity information sharing. That's kind of remarkable. It's hard to get 14 to 1 votes to say today is Wednesday in the U.S.
Senate these days, so we took that as a very positive accomplishment. Two weeks later the House Intelligence Committee and the House Homeland Security Committee both put out bills that are very similar to ours, and plan to merge the two in some way that makes sense under House procedure. We are talking about probably the last week in April or thereabouts being the week where this all actually happens, when the Senate and the House take up legislation with the goal of merging bills together and getting something to the President's desk by around Memorial Day. There's still a lot of work that needs to happen. We still have, as Michael said up front, a lot of discussion that needs to go on with the executive branch. As Greg said, there's a lot of interest in continuing to hear out changes that can be made to legislation to make sure that it's got as much support as possible.

Let me talk a little bit about the substance of the legislation, and let me start by saying that I was very encouraged by a lot of what I heard in this panel, because a lot of what is going on in the CRISP program is the kind of thing that we are trying to incentivize in federal legislation. One point to note up front: the legislation that we have drafted really needs to apply across the board. It's voluntary, but we want to make sure that it applies as well to the energy sector and the financial sector, who are both fairly well advanced, but also to a mom and pop shop that happens to have been the victim of a cyber attack and wants to share some information, or to learn from what others have had to share themselves. So while we could legislate, and I'm sure they don't want to because they already have a program that's working, we have tried to take a pretty broad stroke. The legislation that the Senate Intelligence Committee reported out fundamentally does three things. It authorizes, number one, the sharing of information, and that information is limited
to cyber threat information and to defensive measures that companies can take, (a) among companies within the private sector with no government involvement, or (b) from the private sector to the federal government. And there's a whole big chunk of the bill that deals with saying exactly how that can happen. Secondly, the bill authorizes companies to implement defensive measures on their systems. And third, it authorizes, notwithstanding other laws, companies to monitor their own systems for cybersecurity purposes. Those latter two things that our legislation and the House legislation do are absent from the White House proposal, so I expect that as we go forward there's going to be a bit of discussion there. Our view is we need to remove as many impediments, real or perceived, as possible in order to improve cybersecurity in the private sector, and therefore with the federal government as well. So we really have approached this in the spirit of removing barriers, and those barriers take the form of legal barriers: there are laws on the books today that prevent the sharing of some information or monitoring of some type for cybersecurity. Barriers in the form of regulation: the previous panel talked quite a bit about the concerns about sharing with a regulator, and our bill basically outlaws the regulatory use of information shared for this purpose, with a narrow exception. And then removing cultural and technological barriers as well. All of this under, again, the premise that the government can't do this, can't protect cybersecurity, and therefore needs to do a lot more to empower the private sector and also to encourage and incentivize sharing. A lot of that obviously is done through liability protection. Let me talk about that for a moment.
This is the third bill that has gone through or been produced by the Senate Intelligence Committee; there has been a lot of legislation in other committees as well. The first real approach culminated in 2012. There was a comprehensive bill in the Senate that was led by Senators Lieberman and Collins, and we had written an information sharing piece of that. That bill got to the Senate floor, and after a few days of debate it failed to get cloture, because we had one Republican vote to move the bill forward, and the bill died, essentially because it lacked private sector support, a lot of that because of what was seen as weak liability protections. In the next Congress, the past two years, the Senate Intelligence Committee put out a bill that addressed that problem and had quite strong private sector support. It didn't even make it to the Senate because it lacked support from the privacy side. So this is our third bill, and I think we've hopefully finally learned the lesson, encouraged by a 14 to 1 vote, that you need to work with the private sector, you need to work with privacy groups, you need to work with the other parts of government, and if no one's getting everything they want but everyone can live with it, then hopefully we've basically struck the right balance.

So there's a lot that's going to need to be done. To a certain extent, this is the easy part, and it's taken us four or five years. But putting in a system that's going to allow for the kind of sharing that we want, and that is either modeled on or building heavily from CRISP, is going to take a lot of work.
First, there's the technical part. As our bill is structured, we are envisioning and encouraging real-time sharing of the type that does not quite exist today, and where it almost exists it is very narrowly implemented, which will require building the pipes and drafting the coding so that data, whether structured or not, coming into the government from any number of places to any number of places can get where it needs to go broadly among federal agencies in real time. Moreover, the way we see it, once that information gets to the government, whether the final destination is the NCCIC at the Department of Homeland Security or the Department of Energy or, yes, the FBI or NSA or any number of appropriate federal agencies that in our mind actually need to have information because they have a role to play in cybersecurity, those places have to have the wherewithal to be able to ingest, analyze and act on that information, also in real time, or at least at machine speed. Because God knows, if we've got bureaucrats or even well-intentioned analysts on the government side who have to act on and interpret everything that's going on, we are going to be continuing to play defense rather than actually being in the position of preventing or at least mitigating some of the attacks we're seeing.

That's the technical side, which is probably easier than the policy side. And so all of the legislation that's been drafted on Capitol Hill over the past five years has required the promulgation of some set of policies, procedures and privacy protections that govern the receipt, the dissemination, the use and the retention of the cyber threat information that is going to be coming in, in potentially very large amounts. So our approach, which is similar to what the House has done, is to establish some of those in legislation and defer a lot of that to the executive branch. We have a 180 day requirement for the Attorney General to put in place procedures. Everyone in the
room knows that the executive branch can't do much in 180 days, let alone set policies of this complexity. But some of the things that are going to need to be worked through: how do you make sure that privacy interests are not sacrificed when companies are sharing the information, especially given that the very companies that we are hoping will participate are the same companies that hold vast amounts of third party data? How do you balance the benefits from having the cyber related information shared broadly across the government, including with various three letter acronym agencies, because they have roles to play, while also addressing the concerns that the FBI, for example, is going to go use this information to prosecute, or the NSA is going to use it to collect domestic intelligence, which they can't? How do you preserve existing, working, trusted relationships like CRISP, like the many ISACs that are out there, while trying to create a new portal that goes through the Department of Homeland Security, on the basis that centralizing and streamlining information sharing is going to ultimately lead to the benefit of all, but understanding that every different information sharing relationship is driven by the particulars of the company and the agency involved? You'll be pleased to know that we do have a narrow exception in our bill that regulated entities can share with their regulators outside of DHS and still get the same kind of liability protection that otherwise would require going through DHS. How should the government simultaneously protect companies for the voluntary sharing of information that we are trying to incentivize, without providing protections that would actually prevent prosecution or other review of potentially very nefarious or problematic sharing, when up front it's going to be very difficult to identify what's going on?
So like I said, some of those are dealt with directly in our bill; a number of them we punt, because that's how we get legislation done, and I'm happy to go through any of those in Q&A. I will say that the bill places a premium on flexibility. All the sharing in the bill is voluntary, and really the only rules are: one, when sharing, companies are limited to sharing cyber threat indicators and defensive information. We are not interested in PII. We are not interested in them sharing speculation or contextual information in this mode. There are great ways to do that, but that's not what we're talking about here. Secondly, that when companies are sharing information, they do take the kind of steps that were discussed earlier to strip out PII that's known to be included, and/or to implement practices that are going to have an automated review for that kind of information. So restricting fields, whatever it is. We don't want to define what it is, because the problem with all of this is, if we try to legislate too specifically, we will be outdated in years if not months. So we're trying to put in place parameters that are going to work.

Let me say one last thing before closing. We do recognize that, just like with the Department of Energy in the CRISP model,
there is a greatly increased role that the government needs to play here, and it should not be information from the private sector to the government or private sector to private sector. The government has a lot of information at its disposal, on both cyber threat indicators that have not been shared and also useful information about what foreign cyber actors are doing, that is useful for companies. And so the first thing that our bill does, after giving itself a short title and defining some terms, is to push the executive branch into sharing more information out, whether that's unclassified information, declassified information, or classified information that needs to be shared consistent with the appropriate protections. With that, let me stop. I am happy to take some questions, both here and afterwards as desired.

We've got one in the back there.

Thank you. Tal Kopan from Politico Pro Cybersecurity. I'm curious: what are the odds of the various committees in the House and Senate actually pre-conferencing a bill together before anything hits the floor, versus trying to conference something after?

Right, so there will not be any sort of official pre-conferencing, and to explain: the goal is not going to be to sort of wire this such that the House and Senate go into the process with the goal of producing the same thing so we can skip the step before sending it on to the President's desk. The legislation on both sides is quite similar; the differences are not structural. They have to do more with exactly how you require or permit or shape different things. So I expect, and I know for the Senate, I believe for the House, there will be a fairly open amendment process. So once you get there, any kind of agreement you've got will go out the window anyway, because the Senate will work its will. I think what is most likely to happen is both chambers will pass a bill.
There will be discussions to see whether or not it'll be possible to come to an agreement, and then send it back and forth, outside of formal conference. But the goal here is to get the best product at a reasonable speed. So, like I said, the goal of Memorial Day may be optimistic. The President has not yet said that he would sign this legislation if it reaches him, which we certainly are hoping for. So, with everything else, flexibility.

Maybe I'll cheat and ask a question that you can dodge if you want, but there's some other bills that are coming up in the next couple months, at least for people to think about or talk about. One is FISA, of course. One is the sections of the PATRIOT Act, like 215, that are involved perhaps in surveillance activities. Do these particular debates have any overlap with what you're trying to do in information sharing? Will they complicate passage? What do you think about the relationship?

They certainly won't complicate passage at all. No, no chance whatsoever. No, that's blatantly...

It's a relief.

So we view these as very different things. From the Intelligence Committee perspective, we view FISA as a lawful means for the government to gain access to information that it is basically affirmatively seeking for foreign intelligence purposes. Cybersecurity we see as information that the government ought to be pushing out, and that companies may voluntarily share with no compulsion whatsoever. I mean, we have an entire section of our bill that says everything the government is not allowed to do in order to keep this from looking like it is anything other than voluntary: conditioning of contracts, regulation, limiting law enforcement, etc., etc. All that said, the intelligence committees in both houses are taking lead roles in drafting both pieces of legislation, and so that will raise eyebrows. And the three provisions that expire from the Foreign Intelligence Surveillance Act expire on June 1st.
So the timeline is similar. We intend and hope to keep these separate. There are people who would like to say that the cybersecurity information sharing legislation in both chambers is a surveillance act. I think we've got very good reasons for arguing back that it is not. The Foreign Intelligence Surveillance Act is a surveillance act, and I think that we will be able to make the case to members of the Senate, who will undoubtedly be concerned about this being a backdoor and this being an attack on net neutrality and lots of other boogeymen you can throw out there, that what we are doing is in fact limited and should not be confused with that brush.

Michael Eisenberg here, in my ABA capacity. Just wondering if, in the course of the development of the legislation, any assessment was done or any experience developed about the private sector provisions in Section 214 of the Homeland Security Act that provide for protection of information going from industry to government. Was that looked at, and what was the reason for re-enacting that approach for the protection of information?

This may not be a perfect answer to your question, and if it's not, let me know. So what we're trying to do here is increase the flow, and clearly, by the nature of the problem, over the past 12 years since the Homeland Security Act was passed, there is a problem.
And there needs to be the creation of additional incentives or protections to increase the flow of information. We do mandate that companies take appropriate steps to safeguard the information that is shared with them or that they are sharing, as you would expect. That has not been a significant point of debate, because everyone recognizes that that needs to happen, and companies agree that part of their business right now is the protection of information, whether they generated it or are involved in the sharing of it. We have not... So the 2012 bill that I spoke about earlier had a lot more mandatory aspects to it, to include protection of information: development, not only development but implementation, of standards for protection. That didn't get there. So the thought has been to disaggregate some of the legislative approaches and the goals that we might all share, data breach being another one that is not in this legislation, and try to tackle these more as bite-sized chunks rather than handling them all in a part.

Okay. Greg, Denise, Mark, I'm going to call on people. Any of you guys have questions? No? Well, we've... oh, we have one. I'm sorry, one last question. This will be it. I couldn't resist before you say goodbye.

Hey, Jason Miller, Federal News Radio. My question deals with the fact that the administration, who has been frustrated, to say the least, over the lack of movement on Capitol Hill over a bill, they continue to executive order what they can. And how does that impact and effect change in what you guys are doing with your bills? All the information sharing executive orders, now the one today, does that change how you guys work?

Well, first of all, I resist commenting on the other side of Pennsylvania Avenue. By and large, the executive orders that the administration has put in place are important and necessary but not sufficient,
insofar as information sharing, as well as the range of other things they've done by executive order, to include the sanctions piece introduced today. We would like to have had legislation in years past. We would like the executive branch to more strongly support the tenets of the bill that we are working on right now, but there's a limit to what, especially in information sharing, the President can do by executive order. He cannot provide liability protection and he cannot waive the applicability of other statutes. So while the information sharing executive order is good as far as it goes, we have been engaged in a number of conversations with all parts of the executive branch, including some who are surreptitiously represented here today, in order to try to get final passage of something that moves the ball even further.

Well, if any of the surreptitious members want to stand up, please. No? Thank you for a very frank discussion of legislation. Please join me in thanking David.

Okay, well, a great event. Thank you very much for attending. Have a good afternoon.