 So, ladies and gentlemen, this brings us to the last session of the day. And I think this is a pretty appropriate conclusion given the conversation we've had. As you'll have heard me and others mentioned several times, a few weeks ago we hosted Michael Daniel and his White House or the White House cybersecurity team to roll out what's being called the Cybersecurity National Action Plan. And as everyone here will know, a centerpiece of that action plan was in executive order launching a bipartisan commission on enhancing national cybersecurity. It's subsequently been announced that Tom Donilon and Sam Parmosano are going to lead that work. And what we would have loved to have had them here today, they are beginning to ramp up. But we certainly have the next best thing. The guys who are actually putting together the commission who can give us a sense of how that work is going to go forward. On my immediate left I have Cleat Johnson. Cleat's the Senior Advisor for Cybersecurity and Technology at the Department of Commerce. So working with Bruce Andrews, who you heard earlier. Previously Cleat was the Federal Communications Commission's first Chief Counsel for Cybersecurity. And prior to that he was up on the hill as a staff member of the Senate Intelligence Committee. Next to him Kevin Stein is the Chief of the Applied Cybersecurity Division at the National Institute of Standards and Information Technology Laboratory. He leads NIST, Collaboration with Industry, Academia and Government. And amongst his many other achievements in recent years was the guy that led the team that took forward the so-called NIST framework. So Cleat, just to get us all situated, for the benefit of those people who didn't hear Michael Daniels speak, can you just recap on the rationale for creating a commission, particularly at this stage in the administration? Absolutely. And thanks to New America for having us here. We appreciate it. And I think the value of this commission is to take stock of where we are in the government and the private sector after seven years of really intense policy making and partnership building in the Obama administration, building on previous efforts in the Bush administration with the Cybersecurity National Comprehensive National Cybersecurity Initiative, CNCI. And here we are in the last year of this administration. And the value of this commission is to take stock of where we are now that a number of foundational statutes have been passed, executive orders issued, partnerships developed. We need to take stock of where we are and then look ahead. And the specific goal of this commission is for the next administration, the next Congress, the citizens and companies that will still be facing cyber threats in 2017. The idea is to hand over right at the transition of the administration and the new Congress a set of concrete deliverable, actionable recommendations that business leaders, government leaders, policy makers can implement. In some cases it may be improving, course-correcting things that have been developed over the past, let's say the decade that Kevin has been at NIST at the seven years that we've all been working on cyber policy in the Obama administration. And, but specifically short-term action items and long-term, ambitious long-term leaps forward that have a horizon of two, five, ten years. It's this moment of transition that we want to have concrete actionable recommendations that importantly have consensus from a diverse group of stakeholders. And that's the value of a bipartisan commission like this, a third of which will have been recommended by bipartisan leaders from the Hill. So we think there will be some buy-in and consensus behind the actionable recommendations. So this is very explicitly an independent review. But you are effectively the administration's point person for engaging with it. What are the writing instructions you have been given in terms of how the administration intends to engage and sort of assist the commission as it gets going? Well, let me just be a good staffer, first of all, and note that it's the Secretary of Commerce who's named in the executive order. I'm honored and pleased to serve her along with my teammates throughout the Commerce Department. But I'll tell you what her direction has been. And I think before that, I'll just not to be too presumptuous, but I think one of the reasons that the President chose the Department of Commerce and specifically NIST, also named in the executive order, are two things, one a process issue and other substantive. On the process side, NIST has proven through the development of the cybersecurity framework that it not only knows how to do this, but has delivered a successful public-private collaborative effort that has the buy-in of the private sector, that has consensus behind it, that has the trust of the people and companies outside the Beltway that are going to be implementing this. As a matter, NIST is really good at doing just this, being an honest broker and a convener and staffing an effort like this. On a substantive basis, and this is something that I'll channel Secretary Pritzker, who is before she became the Commerce Secretary for the Department that is the voice of American business in our government, she was in many different iterations a business executive. She sees these issues from the perspective of a business executive, a CEO, a board member. You heard Bruce earlier talk about seeing this challenge as a whole of society business government collaboration. I think that Secretary Pritzker would say that the companies, their boards, their CEOs, their IT departments, but you'll never let the CEOs and boards off the hook. They are the front lines of our country's defense on this issue in a way that truly no other national security threat in our past has been similar to that. She sees this as a business-led, business government collaborative effort that is inherently market-oriented because it has to work for the market, it has to work for consumers and the businesses that are directly exposed to these cyber threats throughout the world. On a substantive basis, and Bruce laid out the elements that she sees as important in this business government collaboration, first having a common language thanks to Kevin and the team at NIST for facilitating the development of that common language of risk management, second having technical solutions that can be disseminated quickly and efficiently to all who need them in government and elsewhere, and third, and this is something that she hits in particular because, again, as a business leader who is not a technical computer scientist, she knows that business leaders and boards in order to manage this risk need to have, hopefully, eventually quantifiable metrics by which they can manage this risk so that they know that a dollar of cybersecurity investment equals a dollar or more of actual cybersecurity. That goes for the government and the private sector. We need to know what we're spending and why and the measurable effect it has. Those are the elements that she has continued to reiterate through the beginning of this process, and I expect she'll continue to have interest in those issues. But bottom line, business government collaboration is what we think is the guiding principle of this effort. Thank you. Kevin, you're at the front line of operationalizing this. You've sort of been here before within this framework, but this has other aspects to it, which I think make it particularly challenging, but also particularly interesting. First question, just in terms of the work plan, how do you see this, the work of the commission going forward? It's quite a sporty timeline to get a report out by December. How are you going to achieve that? So I think when we look at the executive order and the charge that's in front of us, we really kind of look at it in two large buckets, if you will. One broadly improves cybersecurity throughout the public and the private sectors. Again, a very collaborative approach to address that. Then the second would be really to position us as a society to securely take advantage of advances in technology and management practices in IT service delivery so that we can adopt those both in the private sector and in all levels of government as well, not just federal but state and local and others. That's a pretty tall order. I think as Clete mentioned as well as Deputy Secretary Andrews, the ultimate objective here is to produce actionable recommendations that both business and government can act on, and that's certainly not enough. I think that becomes the end of the beginning, if you will, where then the hard work becomes taking those actionable recommendations, both short-term actionable recommendations as well as long-term, the word Clete uses the right one, I think, long-term more ambitious recommendations, really pushing the envelope in terms of the technology and the use of technology in a secure manner across the digital economy and within the government as well. There's certainly a lot that we learn from the process to develop the cybersecurity framework, and a lot of those same tools are at our disposal this time as well. When you think about this, just from a little history perspective, we've been at the cybersecurity business, if you will, for probably close to four decades, and I think one of the constants throughout our time in this space has been that notion of collaboration, open and transparent engagement with industry, with other government agencies, and then also our partners around the world. So today we have two commissioners, and while we're waiting for the full slate of commissioners to be selected and announced, we're getting our own team in order internally. The commission's going to operate as a federal advisory committee, so there's certain actions that have to happen to get that structure in place, and those things are working through the way through the process right now. We envision, certainly as the slate of commissioners is in place, really going into much greater detail with them on the work plan. Ultimately, this has to be a work plan that will, which they can support and something that we'll be able to charge forward together. So certainly over the next several weeks to month or so, I think there'll be more details that we can share in specificity. What, you spoke about stakeholder engagement, I mean, based on your experience so far, what does that going to look like? Who are you going to be engaging, and how? So that's a good question. So I think when you think about, I mean, the who, when you think about the diversity of the cybersecurity landscape, it impacts everybody, regardless of whether you're in or out of the critical infrastructure, whether you're in government or in industry or academia or whatever the case may be. So there's certainly a need to reach out kind of early and often to a very diverse set of stakeholders. But what we have here, and we had it with the framework development as well, is really a great opportunity to create kind of greater synergy between and a stronger relationship between the government and the private sector. Ultimately, as these recommendations are established with input from the broad set of stakeholders in and out of government and industry. Those that input, those experiences that feedback, and this is spelled out in the executive order as well. Those are going to inform the commission and the recommendations that come out as a result. Our approach has always been to engage early and often the full gamut of stakeholders. Really encouraging folks to contribute and be a part of the process. We want them to be heard. We want to take that input much like we did with the cybersecurity framework process and have that inform the commission as they make their, kind of deliberate, make their recommendations to the president. What we found with the framework effort is that as valuable, that stakeholder engagement is extremely valuable. It takes a lot of effort to do that on both sides. But it certainly leads to greater reception and certainly in the case of the framework and we think it will here as well. Greater reception of the end result and really support of the end product to the point where those recommendations that come out of the commission become things that the community as a whole can embrace and act on accordingly. And again, as I mentioned, we have a lot of different tools at our disposal. I mean the executive order specifies a few that the commission could take advantage of in terms of public meetings, in terms of original research or commissioning other studies and things like that to help inform them as they chart through this process. Which leads to the question, what does success look like? I guess at some levels that sort of will prove of the pudding will be in the eating, but as you start this process, you've begun conversation with the chair, the vice chair. What do you think you will be happy with come December when it comes to sort of producing the final report? So on December 1st, our very initial success measure will be we will have a set of recommendations to provide actionable recommendations to the president from the commission. Well, that seems like a fairly easy success measure. It's certainly not enough. For this effort to be successful, we have to have the immediate support and adoption or action around these recommendations by leaders both in government as well as in industry and that's where a lot of that stakeholder engagement throughout the process as we've seen in other engagements will pay off as folks are participating in the process, contribute to inform the commission as they develop their recommendations. There's a greater sense of ownership and action that comes from that. We'd like to see kind of creation of constituencies around different recommendations, whether that be new bodies or new coalitions forming around a particular recommendation or two that makes sense to them and seeing some immediate leadership in those areas or existing bodies, existing organizations, multi-stakeholder organizations, for example, that can take some of these recommendations and fold them into their current work processes to help them mature in that way as well. I'd like to see, you know, greater advances in kind of the collaborative approach to addressing cybersecurity across all of society. We'd like to see kind of that culture of cybersecurity kind of be ingrained in, you know, not only the hearts and the minds but the actions of not just government agencies and companies in the private sector and academic institutions, but really individuals, the consumers in the world as well all across the digital economy. Now, to say the last one, and this is certainly something that we saw as an output, kind of an added benefit of the framework process, was really that, you know, the recommendations and the process to develop these recommendations really being a positive influence on kind of that cyber dialogue across the country, not just within an organization from kind of the C suite and the board of directors to the bits and bytes folks and also with their partners and suppliers, but within sectors, across sectors and really reaching, you know, tremendously far across, you know, all sectors and segments in the digital economy. So two last questions from me, which linked to the two themes of our conference. The first question is around diversity and inclusion in the workforce. Two sub-questions. Firstly, when as you're putting together the commission, what level of confidence can we have that sort of diversity will be an opportunity taken there? And secondly, in terms of sort of workforce issues more generally, is this something that is going to be included in the work of the commission? I'll take the first and then turn it over to Kevin for the second. I think to go just to the text of the executive order, substantive diversity is built into the executive order about the qualities that the president will be looking for in naming commissioners. So I fully expect, as Kevin said, only the chair and vice chair have been named at this point. There were before I recommended by the hill and the six more by the president. I think we can expect those to be in place and announced when within weeks, not certainly not months. And we fully expected that in every way, the full slate of commissioners will represent a broad and varied diversity of expertise of perspectives of what this challenge looks like in America. And I think this is speaking as a citizen who voted for this president. I think he values above all else not having echo chambers where there's group think in one direction. He wants to have a diversity of perspectives. I think we can expect that will be the case for the commission as for the workforce issue. I think on the commission itself, though, I think the diversity of thought and perspective is going to be key when you think about the scope of the cybersecurity challenge and the technology issues, the people and the process issues, having a diversity of experiences to be able to inform the activities of the commission and really providing input into the recommendations that come out and then the action on those recommendations will be tremendously valuable. In terms of the workforce, that's something that is near and dear to our heart at NIST. We actually lead the program office for the National Initiative for Cybersecurity Education and one of the tenants of that initiative, the acronym is NICE, if you didn't know that, is really to focus on addressing that cybersecurity workforce pipeline need of the future and to be able to do that, we have to encourage a much more diverse workforce to be able to fill that pipeline need, not just in terms of minority populations and underrepresented populations, but others that come from different life experiences, whether it be veterans or others kind of returning, maybe folks doing kind of career shifts, if you will, career changes, mid-career or late career, as well as looking at different strategies and tools or capabilities to get younger folks excited about cybersecurity as a profession and get them into the workforce with valuable skills earlier in the process, whether it's not just requiring a two or a four year degree, but maybe certifications coming out of high school or shortly thereafter. So there's a lot of different strategies to not only address that pipeline need, but also do that in a way that's taking advantage of the demographic diversity, but also the diversity of experiences and thoughts as well. Final question from me and I'll open it up briefly to the floor. Our other theme today is securing the future cyberspace. So as Tom Fanning, one of our speakers said earlier, skating to where the puck is going to be. As he put together this commission, how do you future-proof it? How do you ensure that this really is going to be, in fact, as the executive order says, looking out over the next 10 years and giving us some activities, ideas, recommendations that take us to where the puck is going to be? So I think in some ways, the value of reaching out to organizations and industry is going to be, what is your technology roadmap look like? What are the things that you're planning for over the next 2, 3, 5, 10 years and beyond? They're thinking about that now, really soliciting input from them to say, okay, what are the technology trends you're seeing? Where are you putting your engineering resources? Where are you putting your money, basically, in terms of where that is going? Understanding those trends, understanding and then trying to unpack those trends in terms of what are the policies, the practices that we need to be putting the pieces in place today so that when those trends go from future trends to current activities and actions, that we have a lot of the pieces in place to be able to support those in the most secure and usable way across the board. Cool, I'm just going to take one or two quick questions if anyone has anything to ask. Gentleman Center, sorry, Dave. Hi, Dave, prayer from Politico. So how much money do you want to bet that the next administration just ignores this? Clay, I think actually that gets to what is success here, and I'll channel something that Bruce Andrews and Kevin and I were discussing on his way out and our way in. Think about the 9-11 commission, which unfortunately happened after a great catastrophe. But the way they set up the 9-11 commission was with deliverables that were actionable and could be and help people accountable, government leaders, congressional leaders, the intelligence community throughout the government. And there's some value to Kevin's point about what success looks like. If there are actionable recommendations that have the buy-in of a broad diversity of business and security leaders and through this year-long process at the point of transition is kind of handed over to the next Congress, to the next administration, and importantly to the business leaders and market leaders in early 2017. The success may come in the form of, are you doing these good ideas? Are you implementing these short-term recommendations? And are you aiming at these long-term leaps? And if not, why not? And I think that's what we're aiming at in terms of building, not just buy-in, but as Kevin said, advocacy through this process of developing these consensus, broadly supported actionable recommendations. So I'm not going to make any bets about what the world looks like in January, but I think that our goal will be to hand over actionable, achievable recommendations that have not just buy-in and support, but advocacy. So it will create a sense of accountability among business leaders, you know, political leaders and policymakers. That feels like a perfect note to end on. And, you know, Washington can be a very cynical town, and, you know, there are, as many people in this room know, a long history of cybersecurity commissions, some of which haven't been listened to, perhaps avidly as they have done. But just to say, you know, citizens accompanied the announcement of the NIST framework, which I think has subsequently been shown to be a great success, at least in terms of the process that got us to where we are now. So, you know, we at New America look forward to supporting the commission anywhere we are. And good luck over the next 10 months. Thank you very much. Okay.