 Good morning and welcome to CSIS. Thanks very much for coming out, and I hope you all had a good three-day weekend. We're very fortunate today to have Congressman Mac Thornberry, who led the House cybersecurity effort that has just recently put out its report. I was telling the congressman before we came in that the betting was against him when he started this, and we're all, I think, really impressed with what he and his fellow members had been able to do. Congressman Thornberry, at least from the CSIS perspective, is one of the true experts on the Hill when it comes to national security with his assignments to both armed services and intelligence committee, and he's perfectly placed in some ways to think about cybersecurity. So the report will hopefully lead to some good legislation. I'm sure the congressman will tell us about that. We're grateful for all your efforts over the years on national security. You've been one of the real leaders, and we're grateful that you came today to speak. Thank you. Well, I do appreciate the opportunity and the invitation to be here that Jim extended, partly because I believe CSIS is tremendously respected across the political spectrum, and so that enables CSIS to continue to play a key role in actually getting things done. But in addition to that, in this area in particular of cybersecurity, a lot of what we did in the task force drew on work that Jim and colleagues have done here at CSIS over some years, going back at least to the 2008 report that CSIS did, and then followed up by one earlier this year, a lot, you will find a lot of similarities. And so one could even say, we copied the chance to be here. I'm not gonna spend a lot of time talking about the problem or the urgency of dealing with the problem because I suspect everybody here is well aware of that. I will just say that the number one issue in the country, certainly on Capitol Hill, is jobs. And cybersecurity is directly related to jobs because every day that somebody reaches in to some business's computer and sucks out intellectual property, they are sucking out jobs from the US economy. And that is happening with businesses large and small and of all variations. So what we're talking about today is related to the number one issue facing the country, but of course it's broader than that because as you know, not only are people reaching into steal information, it is possible to reach in and destroy information. And if we follow the Stuxnet reporting, it is possible to reach in and manipulate data in a way that has physical consequences in the real world which is disturbing for a lot of people when you think about the ramifications of that. So the way I summarize it is Speaker Boehner had had enough intelligence and administrations, both the previous one and this one have done some things, but it has been very difficult for Congress to act. Partly because it's a complex issue, partly because it has so many cross jurisdictional aspects to it both in the legislative and executive branches of government. So what we've had largely in recent years has been gridlock when it comes to Congress taking action to be taken. So Speaker Boehner's decision was to create a task force and he picked the nine committees of the House that had the most jurisdiction and it could have been more because it doesn't take too much of a stretch to add in some that were not chosen, but he chose the nine committees with the primary jurisdiction and asked each of those chairman to pick a representative to be on the task force. And in addition, he chose three at-large members who were also members of the most relevant committees. And so the task force consisted of 12 of us who were put together by the Speaker and the majority leader. And our charge was to try to develop a framework from which the committees could write specific legislation. And I would say that probably the hardest part was how detailed to get because you couldn't be so vague as to not really say anything, but we didn't have the resources or the charge or the inclination to write detailed legislation. As a matter of fact, we say in the report that the committees of jurisdiction are in the best place to write the details of the regulation and to get those details right, which is particularly important in this case. So our charge was not to write the bills, it also was not to be so general as to not say anything, but it was to kind of find that sweet spot in between that would provide recommendations that helped provide a framework from which the committees of jurisdiction could do their work. And the decision was made to make it a majority only. There was some concern about that at the beginning, but the speaker's view was we needed to get our own act together, the majority party in the house, understanding that when the legislation is written, it will be done by the committees with full participation of all members. And certainly cybersecurity is not one of those issues that has been partisan in the past and there's no reason for it to be in the future. But the idea was we needed to kind of develop this framework to see how the pieces fit together ourselves and then allow the committees to go forth in that, under that framework. So that was kind of the charge we were given, not to solve all the problems in cyber, not to try to develop all the long range recommendations that are really needed in this area. It was what can the Congress pass this Congress that will make a real difference now in cybersecurity. So it will be possible to make a criticism that you didn't answer this question or you didn't resolve this issue or so forth. You know, all of that's true in many respects, but what we were trying to do was to say, what can we pass now in this Congress? Some issues are gonna be controversial and difficult to pass. It didn't mean we stayed away from all the controversy, but again, the charge is what can we pass this Congress as the way it's formulated now that will make a significant difference in cybersecurity in the short run. And so that's what we set about to do. Each of the members of the task force came not only from their committee, but with some real experience and background. Each of us, I know, spent a fair amount of time individually talking with experts, people who could help us to understand what was happening, what needed to happen. As a group, we just met with a handful of people that we could bounce ideas off of. But I will say that one of the most helpful things for us was to sit around the table and just talk and see the different perspectives. Because you would have one committee that had a very different perspective than one would expect. And you really got a better sense for why it has been so difficult to legislate in this area by having that exchange of views. So last week, we submitted our recommendations to the Speaker Majority Leader on time, on budget, which wasn't much. And then we released also last week our recommendations to the public. In essence, what we say is that we believe Congress should enact a menu of incentives to encourage cybersecurity to be a higher priority by private industry around the country. We listed some possible incentives that the committees could look at, not trying to be exclusive, and understanding that one size is not going to fit all for every size business and every kind of industry. But we believe that some encouragement is better than mandates, by and large, although we do recognize that there are some industries that are already pretty heavily regulated. Nuclear power plants would be one example. And we encourage their regulators to make sure that cybersecurity is a high priority in dealing with the range of issues that they deal with, with those industries. But generally, we believe that there should be this menu of incentives to help elevate this issue in the consciousness of CEOs and businesses all around the country. Secondly, we suggest that there should be a new entity created to facilitate information sharing. Now, information sharing is something that's been talked about ever since I've been watching cybersecurity, which goes back to at least 2003. And there was some discussion about whether you really needed to create something new, or whether the existing organizations, ISACs, and so forth, were sufficient. But the conclusion, as a group, we came to, was that we should have a new entity that would facilitate information sharing, where competitors in the same industry could bring their information about the threats that they are facing, where people in different industries could bring and share information about those topics, and where the government could bring in its information. Because a lot of people believe that some of the best capability our nation has to defend against cyber threats is on the sidelines for everything except the dot mill spectrum. And so the idea is if we can create a new entity where not only businesses can share information with each other, but businesses and government can share, that that will facilitate better situational awareness, but also it will assist the internet service providers in having the information they need to take action on their own networks to help deal with malicious attacks. To do that, you're going to have to change some laws. And our view was that you can best get those narrow exceptions or changes to the laws that are necessary if you have a single entity where that information filters into, rather than more general changes that would cover all ISACs. We also have the view that you're more likely to get government to share information with a single entity, rather than government share information with the financial services ISAC and the this ISAC and the that ISAC and different kinds of organizations. So our hope, again, thinking about what is the most likely to get passed, what can we accomplish, is that this single entity to facilitate information sharing would be a major step in the right direction. Third, we recommend that a host of laws be modernized, updated, and going back, of course, to the CSIS report, to the cyber review that was conducted in 2009 in the Obama administration, something like 50-something laws have been identified that need to be seriously looked at to be that are out of date because they were written before the internet and technology had evolved to the point where it is today. Some of those are more pressing than others. Some of them will be more controversial than others. But we list some in the report, and then we have an appendix with about 20-something more of laws that we suggest the committees need to look at and update. Again, some of those updates are going to be absolutely essential to allow information sharing, which I think nearly everybody agrees has to happen to take action on cybersecurity. Fourth, in the area of authorities, we mention a couple of areas where we think some additional clarification is needed. But then we list a lot of questions. And I don't think our country has come to the point where we can answer a lot of those questions yet, such as, what's the role of the military to defend the private sector in cyberspace? What does deterrence mean in cyberspace? And a variety of issues that kind of think about the cyber domain as a new domain of warfare, if you will, with all the attribution problems and so forth that come with that. There's a whole range of issues that we could not answer. And I don't know that anybody can answer. And so we suggest that a lot of further action needs to be done by the Congress to explore those answers. And this takes me back to another CSIS report several years ago. It was called Beyond Goldwater Nichols. And one of the points was made that Congress has got to be involved in as much as possible a public discussion of some of the big challenges facing our country. Because if not, you have the Bush administration for this, the Clinton administration position for that, the Obama administration position for that, you don't have a national position on some of these big complicated issues. And unless until you get Congress asking the big questions and having a variety of witnesses and discussions in that whole messy legislative process out in the open, we're going to be less likely to have a national answer, a national position on some of these big national security issues. It was a point that was made in a somewhat different context, but it really was brought home to me as we grappled with some of these issues involving privacy and what role the military is going to play in protecting domestic networks or domestic businesses and so forth. I think that a lot of the responsibility falls to Congress to help work through those issues. Now, the report also has a number of other recommendations on issues, some of which are longer term. Everybody agrees we got to do more about education and training and so forth that we identify. The importance of working internationally is obvious in a domain that has no borders. So there are a number of other things that were listed there where we have suggestions or at least issues that Congress needs to continue to pursue. Frankly, I've been pretty pleased with the reaction from Democrats, Republicans, interested groups, experts, have had to our report. As long as people keep in mind it's not supposed to be the end all be all, it's supposed to be what can we do now that will matter. Understanding that cybersecurity is going to continue to be a challenge for our country and for other nations as long as we all shall live, we will have to continue to work on this issue. But if we could do at least this much, then our view is that it would be a good start. So the next steps are that the committees now have this framework from which to operate. I think in the next few days you will see a number of additional bills being introduced because people have been drafting on legislation but wanted to wait until the task force recommendations came out before they introduced their bills or pursued them. And so I think you'll have more legislation coming out. The Speaker's Office is going to be coordinating among committees but believes that the normal legislative process with amendments and again, all the messiness that is attendant to that is the best way to proceed. How's it going to go from there? I don't know. As you all know, the Senate majority leader has been working to assemble a bill for some years, more of a centralized sort of approach. If the House is able to pass different pieces of legislation, the Senate is working to put this single bill together. How are the two going to mesh together? I can't answer that. Obviously, the leadership is going to have to sort through legislative vehicles once you get to that point. But again, I think that the strong preference in the House is to work through the regular committee process, try to get the details right, and then hope that working with the Senate and the White House, of course, that we can actually do something and not continue the sort of legislative gridlock that has come with this issue for far too long. So I'm hopeful. I am very grateful not only to the members of our task force but to the staffs on the personal offices and the committee offices, but also a number of people who have contributed to our thinking and provided expertise, which has made our job much easier, including the institution where we all are now. The challenge now is to take all of this good work and actually do something with it. Don't let it just sit on a shelf, and that's going to be our goal. Thank you. Thank you very much, Congressman. And thanks for coming. We have time for a few questions. So if you would want, I think we have a microphone, so it'll be roaming around. If you can hold your hand up, please identify yourself and then ask your question. So we have one right up here in the front, right off the bat. Thanks. That saves me from having to. Thank you, Congressman. It's Paul Scully-Power from the American Registry of Internet Numbers, commonly known as Aaron. I think it's a very good move in the right direction. However, I'd just like to point out what I think is one of the big Achilles for the legislation. And that is it's becoming harder and harder now for people to relate the internet addresses. As you know, when you go online, you get an internet address. It's becoming harder and harder to relate that to the person using that address. And the reason for that is that for many years, as you probably know, the internet has been self-regulated by industry. And we do have registries. But there's no legislation to enforce that they be kept up to date. And so more and more they're not being kept up to date. What this means is for the folks who have to deal with crime on the internet is even though they can trace to a certain internet number, they cannot align that to a person and therefore they can't prosecute. So I think one of the key issues for Congress, it's fine to have all these framework, but at the end of the day, you know, as I say, the crooks go where the money is. And so I think we need some folks to sort of focus on that issue of ensuring that we do have a direct link between what an IP address is and who's using it. Well, I appreciate the suggestion. Certainly one of the things we specifically talk about is updating criminal laws so that they can more easily be used to address real criminal behavior that is occur on the internet. But as you know, part of the challenge that we all face is as you mentioned, the internet has largely been unregulated, self-regulated. And that is part of the attraction that it has, but also part of the resilience that it has. And so I think those are the sorts of issues that certainly ought to be discussed on an international basis, how you can tighten down and prevent and make it easier to trace back to criminal behavior, but it's gonna be a challenge to tighten down in a specific kind of regulation in the way you talk about. Oh, we had one in the front. Hi guys, it's Ron Marks from George Washington University at the New Orleans Homeland Institute. Quick question for you from a business standpoint, there's been some concern in the community chamber of commerce and others over whether or not we're heading towards some kind of Sarbanes-Oxley in the sense of you're gonna have a minimum standard that if these corporations don't meet it, we have a federal standard, excuse me, that these corporations need to meet. And you know all the business in terms of the financial obligations, et cetera. I wonder if you could comment on that just a little bit. Some sort of amendment to Sarbanes-Oxley, was one of the suggestions that was made to us. In other words, the question is what can be done to elevate cybersecurity in the eyes of the CEOs and the people running these corporations? And if you've got to make a filing with the SEC or you've got to have some other sort of thing that really does affect your bottom line or your public perception, then that's the kind of thing that does elevate the issue. Now, we didn't say, yeah, we did not recommend yes, there should be an amendment to Sarbanes-Oxley that puts in this word. But it is among the incentives, if you will, carrots and sticks that we think needs to be considered. Now, you can get pretty quickly when you're talking about Sarbanes-Oxley from an incentive to a mandate. And our view is that except for the highly regulated, limited circumstances that we mentioned, that things work better when you got government and business working in the same direction with the same sort of incentives and encouragement to achieve a common goal. And it's also our view that it is really hard to regulate in this area because it changes so fast. So what can government ever mandate that would be applicable a week from now? That's part of the challenge. But we do believe that there ought to be a whole menu of incentives looked at, but they ought to be incentives. Emily Rutherford, Defense Daily. You said in the next few days that some bills will be introduced. And I'm wondering if you can share anything about how they would be broken down by the recommendations in the report or by sort of the obvious jurisdiction of the committees and what might be expect from the House Armed Services Committee? And let me clarify. I'm not planning on introducing a specific bill, but I do know of members of the Task Force and others that have been working to draft legislation that are consistent with some of the recommendations that we have. I don't know of anybody that's trying to do it all, but some of it. And I think you're right. To deal with, to implement some of these recommendations, you're gonna have a bill referred to more than one committee and sequentially, probably, but that's the reason, I think, that you're gonna see the Speaker's Office very involved in trying to coordinate with committees as far as the steps ahead. Again, part of what we were asked to do was to come up with a framework that every single committee signed off on. They didn't want to be a month down the road and somebody put up a red flag and say, oh, we're not for that. So some of the negotiation was rather painstaking, but where we are is at least consistent with this framework, every one of the nine committees has signed off and agreed to it. You still could have trouble with the details, I understand, but I think it's kind of on that basis that things will move ahead. Speaker's Office will help coordinate timing and so forth, but I'm reasonably optimistic that something along this line can really happen. Hello, Congressman, thank you for your remarks about the complexity of this problem on the legislative side. I'd like to ask a sense of the Congress question because you are obviously sitting across all of the committees in the Task Force. We're facing some pretty steep budgetary cuts in intelligence, in defense, in homeland security. Is there any possibility that due to the urgency of the cybersecurity problem, the Congress would consider a fencing of initiatives here? A couple of things. One is it's good to have an appropriator on your Task Force because anytime somebody comes up with an idea, he'll raise his hand and say, how are you gonna pay for that? And there's lots of ideas that cost money, so that was an element in our discussion. One thing that we strongly recommend is increase education and awareness starting with members of Congress. So in this Task Force, we were able to have some classified briefings. Most members of Congress have not and it would be important, I think, as people make decisions about how to spend money and what the issues facing the country are to have a fuller sense of what we face every day in cyberspace. Having said that, it's also true that there are trends that go through national security and lots of labels get stuck on stuff just to try to attract more money. So I don't know that you would see a fence on anything that is labeled cybersecurity because as I've watched the budgets of the services and other organizations in recent years, lots of things get put with that label. So part of our job is to look beyond the label and see, but I am hopeful to get to the bottom line is that whatever, and I'm not for cutting a lot more money out of defense, but I do hope that we can make sure that we put enough priority on getting this right. And partly for this reason, I've been struck several senior military officers, just ask them out of the blue. What's the thing that worries you the most? National security, you know? And several of them have identified cyber not necessarily because it is the most dangerous, but because they believe that the state of the threat is so far advanced from where our policies and thinking is that the gap between the two is so great. So it is, I think, a serious national security issue that we have a lot of catching up to do. Part of that's money, a lot of it, as I mentioned, is intellectual policy making. Why is this side of the room so quiet? Good morning and thank you, Congressman Terry Morgan. The question comes from the end of your report when you talk about the FAR and the DFAR being used to leverage the direction of technology yet in the previous paragraph, which is supply chain management, you're talking about the international supply chain and working internationally. And just would like to hear your thoughts because you can almost see a contradiction of capability versus technology. Are we going to force the FAR and the DFAR into driving the direction of technology? And I think there's a lot of concern about how that plays out. Yeah, and I've heard some of those concerns, but just to step back for a second, federal government buys a lot of stuff. The federal government ought to use its buying power to elevate the level of cybersecurity across the country. Now, that does not necessarily mean that if the federal government sets a standard, Microsoft will respond like that with everything that it produces to that standard. I don't mean we're that big, but still there's some buying power there that ought to be used. And my personal view is, by the way, that anybody who gets a federal grant ought to have some sort of minimum level of cybersecurity. We got to look for a whole variety of ways to elevate the awareness, but also the reality of security around the country. A variety of people have told us that you could get rid of a majority, I will say, of the malware out there with just basic hygiene stuff. So part of what we grapple with is, okay, what can we do to improve the basic hygiene and thereby reduce the clutter that some of the more sophisticated actors hide in? So using the federal government's buying power to elevate security is one of the things that we believe needs to be included. But I fully acknowledge supply chain is a big, complicated, difficult issue where we will be cutting off our nose to spot our face if we make it where our companies cannot compete internationally. And so there's a lot of work to be done in the whole supply chain area. Again, we couldn't come up with all the answers on how to thread that needle, but we did identify it as a significant concern. Joe Mazafro, I'm curious about the single sharing entity. And I'm thinking, as you said that about in the U.S. law in 2004 with the establishment of the ODNI and all that, that we had a PM for information sharing in the government. And are you essentially, is the task force's view that that's a failed effort and something new needs to be done? The idea of sharing, as you said, is certainly not new. And the only place it seems to have worked in the post-911 era is at a place like NCTC, which is all governments. Curious, I get the idea that it's a framework and it's in the details, but... Yeah, that's true, but I'll say that, remember what we're talking about is not only sharing information with government but with private sector and bringing it all together. And our view was that you needed a new place to do that. And partly you needed a new place to do that that was away from government. But because of the privacy concerns of government looking at your stuff coming across. So having an entity that is not a government entity where now government may have to pay part of the bill or there may be some funding deal. But something that is separated from government and yet secure enough so that government would feel confident to bring its information there as well as the legal protections that are needed for business to bring its information there. We felt that was the best way to go. Now, there are different models for this. And as you know, for example, the White House would have much more centralization in the Department of Homeland Security, much more kind of reviewing of an industry or businesses cyber security plans saying whether that passed muster or not. We have concerns about that and think that, again, what can we pass in this Congress given all of the concerns associated with this issue? We have a better shot of having a new entity separated from government with the legal protections necessary to make that information sharing possible. I know up here in the middle. Nona de Borger of CSIS, the prosecution of two wars, namely Iraq and Afghanistan, was almost entirely dependent on cyberspace. And I was wondering from what you've learned whether a potential enemy could really disrupt what we're doing today through cyberspace. Sure. I can't quote you the exact figures, you've probably seen them. Virtually all of our military communication runs in the same pipes, if you will, as the commercial internet traffic. And our military, as you point out, is very dependent upon cyberspace. And then you have people even bringing up issues of if our electric grid is vulnerable, what could not somebody shut off power going into a military facility of some sort. And so the vulnerabilities also extend to our critical infrastructure upon which our military is also dependent. There are clearly very sophisticated, very dangerous threats that are out there. I will not say that if our recommendations are completely implemented that all of those threats are solved, they're not. But at the same time, we have to take some steps in the right direction. And if we can do, as I mentioned, reduce the clutter with all of the kind of more easily handled stuff, have the sort of information sharing, including about some of the more sophisticated threats that are coming about, and thereby get some of this government capability engaged in defending the broader country, I think that's a step in the right direction. But as I mentioned, we still have tough issues to deal with in the future, including the role of our military in defending something other than the dot mill sort of space. And we haven't really gotten those answers yet. What in the back? Hi, Mr. Thornberry, it's Jennifer Martinez from Politico. Going back to the information sharing clearinghouse, I guess, how would, since government may pay part of the bill for this clearinghouse, and I'm sure industry will likely be paying for the other portion of it, I guess, how would you encourage industry to buy into this organization when it's kind of uncertain, it may work, it may not, may fizzle out a couple years down the line if they think it's not working for them? So yeah, how would you address that? Number one is we would change the laws to allow this sort of information sharing to take place. And one thing that came very clear is that existing liability laws, privacy laws, maybe even antitrust laws make the sort of information sharing that we think is essential impossible now. So, you know, we change the laws, it's showing we're serious about it. And so I think that's step one. Secondly, if you talk to the internet service providers, they are already doing a fair amount to try to limit the malicious traffic on their networks. And many of them, by the way, don't feel like they're getting enough credit for what they're already doing. But they are limited by the information that they have and by probably some potential liability concerns. So it, you know, me consumer at home, I am attracted to the idea that if I go to internet service provider A and they can reduce the malware that is coming to my computer, that's a value to me. And that is a value to the internet service providers. It is something more they can offer their customers. And particularly if you're talking in the business context, if you're company A and you can, and one internet provider offers this sort of more active defense and another internet provider does not offer it, I'm probably gonna go with the one that helps defend me better. Because particularly as I understand more and more the threat to my intellectual property being stolen or some malicious activity on my network. So I think my point is it is a value for the internet service providers to offer this sort of service, but they're gonna have to have better information in order to do it. Hi, Greg Nojian from Center for Democracy and Technology. I think that a lot of people in the privacy community are gonna welcome the report when they contrast it to the White House approach. It doesn't have a lot of information flowing into a central government hub. There's nothing about giving the government shut down authority over some communications. But they will ask one question. And that is how do you protect privacy in this new information sharing entity when the government isn't at the driver's seat? How do you go about ensuring that the rules that are adopted are protected of privacy and that they're enforced? Yeah, one of the suggestions we have is that there should be a privacy board, privacy associated with it, looking after that particular concern. So step one is this is not the government directly, this is separated from the government. Number two, you got these privacy overseers that are there watching what information is shared, what use is made of it, whether it is sanitized or aggregated in some way before it goes to the next step. So hopefully you can build some trust but because if an internet service provider wants to participate there, there are reputations on the line. And so again, part of their self-interest, the self-interest of the market will be that this information is not abused or used improperly. But I think we would be very interested in working with the privacy community to see how to set up those safeguards in the way that people feel reasonably comfortable so that the entity can still operate but that you still have those safeguards that are watching how it operates regularly, not just at the beginning, but regularly monitoring it. Ellen. Ellen Nakashima from The Washington Post. The Pentagon has the information sharing pilot going on now with the defense industrial base, you're well aware of it and they are saying that anecdotally it's quite successful and defense firms are reporting good results. How do you all view that model? Do you see it as having potential to be expanded to other non-defense sectors and how do you view that vis-a-vis the clearing house model that you just spoke about? I think that they are very similar. As a matter of fact, one could look at what we suggest as a way to expand the defense industrial base pilot program to cover critical infrastructure and others because what happens in the dib pilot is that the companies voluntarily agree to participate, share this information and can act on the information but also the internet service providers can act on information to help protect these companies but it just applies to those limited number of defense companies and they've got to go through 47 hoops to give permission for all of this information to be shared in that way and one of the things that came to the task force is that the expandability of that concept is gonna be limited unless these laws that I mentioned are modified in some way. So the idea that you have an entity that is not the Department of Defense but separate from the government where that sort of information sharing can occur and where action can be taken on the information that is shared is kind of the thrust of what we're talking about and I think that is perfectly consistent with the dib pilot in kind of the next stage hopefully. Finally from that side. Hi, Amanda Paleski from Inside the Pentagon. What you talk about having this bigger clearing house sort of along those lines what role would the Pentagon play in that clearing house? Government, including the Pentagon would share information that it sees inside this information sharing entity but it would be limited so that hopefully information that is now classified could be shared and acted upon. Again, part of our thinking was you're gonna be more likely to get government to share information if it's to one discrete entity with entities that it has maybe worked with before rather than expecting government to share with all the different ISACs or all the other different information sharing entities that have developed or could develop. Some people are saying well new information entities will spring up. Well it's possible but again our view is the more likely scenario to get something past is to have it more limited, more focused with legal protections separated from the government and then not only can you have government bringing the information there but the private entities as well and it may well be that properly sanitized you could have aggregated data that would be useful to both government and to Symantec and McAfee and others who are out there trying to make us all safer. We've got time for one more question if we've got one. No if that's not the case. Let me say I go to a lot of these cybersecurity events and at this point it's a real pleasure for me to have somebody who not only knows the subject but has some new things to say about it. So it's just, it's been such a pleasure listening today. Thank you very much for coming.