Okay, well, welcome everyone. We're going to go ahead and get started on time. Hopefully everyone has got something to eat and a beverage in front of them. We've got a great conference today on a very interesting, fascinating and important topic. My name is Rick "Ozzie" Nelson, Director of the Homeland Security and Counterterrorism Program here at CSIS. We're a non-profit at CSIS, so we're really dependent upon outside supporters to make terrific events like this happen. So the first thing I need to do is to thank our sponsor for today's event, Raytheon. With that, I'd like to introduce their Vice President for Homeland Security, Brian Segraves. He's going to come up here and introduce our special guest, Mr. Howard Schmidt, Special Assistant to the President for Cyber. He's on a very tight timeline. We're absolutely thrilled that he made time and is scheduled to come over here and give us some remarks. He's going to do about 20 minutes of remarks followed by about 10 minutes of questions and answers, moderated by me. And those of you that know me know that means it's questions only, no statements. So without further ado, I'm going to go ahead and introduce Brian Segraves and he'll introduce Howard. Thank you.

But I get to make a statement first. So first, thank you, CSIS, for hosting this event; we're very pleased to work with CSIS as an industry partner in giving visibility to the topic of identity management today. Raytheon works with civil security agencies around the world to address their mission challenges in the management of identity. Credentials and access are a core enabler that spans across all the security missions that we help customers with: border security, immigration control, critical infrastructure protection, you name it. And while we're out there around the world, we're amazed at the functionality that other countries are offering their citizens.
For example, single national identity credentials that authenticate for financial services, health services, voting, electronic voting, driver's licenses, and even the physical and logical access within government agencies, all on the same credential. And yet across our base, we also see customers confronting a number of overlapping challenges: challenges in how agencies move to interoperability and a person-centric view from their legacy systems; challenges in taking advantage of advances in biometrics technology and addressing the overload of biometric systems; and doing all these things while protecting privacy and confidentiality. These challenges are compounded in the cyber arena, and the WikiLeaks incident really underscores the importance of strong identity management and insider monitoring as a precondition to information sharing. And then there is our need to foster trusted identity in cyberspace. As a core member of the Defense Industrial Base, Raytheon believes that the way the DIB addresses federated identity authentication provides a model that can address many of the broader challenges that we have today. We believe all these challenges can best be addressed through a partnership between government and industry, where both critical systems and critical know-how reside. And that's why the United States is fortunate to have someone who has had such a long and distinguished career in both government and industry now coordinating cyber policy and cybersecurity efforts for the White House. Howard Schmidt has had a distinguished career spanning more than 40 years in defense, law enforcement, and corporate security. Since 2009, he has served as the President's coordinator for cybersecurity. And he's a longstanding expert in the areas of computer security, cyber crime, critical infrastructure protection, and business risks related to cybersecurity. Mr.
Schmidt was formerly the president and CEO of the Information Security Forum, a nonprofit consortium that conducts research and develops best practices in information security, risk management, and critical infrastructure protection. He has held executive roles in the private sector, including Vice President and CISO at eBay and Chief Security Officer for Microsoft. Mr. Schmidt's government service has included previous assignments at the White House, the FBI, and the Air Force Office of Special Investigations, including tours as Supervisory Special Agent and Director of the Computer Forensics Lab and Computer Crime and Information Warfare Division. His military career includes active duty with the U.S. Air Force, with the Arizona Air National Guard as a computer and communications specialist, and in the U.S. Army Reserve as a Special Agent, Criminal Investigative Division, where until his retirement he served with the Computer Crime Investigations Unit. Mr. Schmidt is a professor of research at Idaho State University, adjunct professor at the Georgia Tech Information Security Center, adjunct distinguished fellow with Carnegie Mellon CyLab, and a distinguished fellow of the Ponemon Privacy Institute. He's also received numerous awards and recognitions from government and private industry, including the CSO Magazine Compass Award and Baseline magazine's 50 most influential people in business IT, to just name a few. Ladies and gentlemen, please welcome Howard Schmidt.

Brian, thank you very much for that kind introduction, and Rick, I'd like to thank you and CSIS for putting this group together. I think your opening comment, you know, that these things are made possible because of the support that people bring together is right, but we need more of these, and we very much appreciate you hosting this. My dear friend John Hamre runs a great shop here, and we're very proud to be over here today.
I don't want to spend a whole lot of time telling you stuff you've heard before, so I'm going to try to focus my comments specifically around the topic. A couple little highlights, because there's a lot of, as I commented yesterday, noise going on right now about cybersecurity, everything from legislative issues to some of the threats we see out there in the real world. So I'm going to talk a little bit about some of the things that are going on, just to sort of update you on some of the things we're doing. But clearly, the crux of a lot of the things we're doing comes into the area of identity management, or what we call trusted identities in cyberspace. And I think a lot of this, as we've seen technology grow, as we've seen the advances in interconnectivity move forward, we've seen a need for identity management like we've never seen before. But by the same token, the exact same things we're using for stronger authentication also create their own set of challenges that we've got to overcome. Part of it is designing the systems that can accept the things that we're working with. So it's been a busy year for all of us, at least in the little group that I work with at the White House and across the U.S. government. I know you all have been very busy, and as I commented during a VTC yesterday, notwithstanding all the things that we've been talking about that are out there in the risk, because of the work that all of you do on a day-to-day basis, and Brian and all the folks that are part of companies that keep this thing going, everything still works. And we may have hiccups in it; you know, in some cases I liken them to the disruption that we have during snowstorms, which, for those of us that live here locally, remember when we used to have snowstorms in January? It's 65 degrees outside today.
But when we look at the disruptions, we recognize that we were able to recover from them quicker than we've ever been able to in the past, but we cannot lose sight of the fact that things could get worse. And so we have to make sure that we continue to work to reduce that likelihood. So, a little bit about the office. When the President created this office, it was made part of the National Security Staff. At the time there was the split National Security Council and Homeland Security Council. We've all merged. We're also dual-hatted with the National Economic Council. And I think that is one of the things that really sets us apart from some of the previous efforts that have taken place: we have the focus not only on national security and public safety, but also on the economic components of cybersecurity. The staff, and we are very, very fortunate to have some of the best across government, from the Department of Justice, Homeland Security, the intelligence agencies, Department of Commerce, FTC, help us work on individual problems as we move forward, develop good policy, and work with the departments and agencies to take in the very discrete views that departments and agencies have. As we were talking before we came in here, there's a lot of herding of cats involved, and some would say, geez, isn't there a tension between this particular department and this one over here? And the answer is, yes, I hope so. We do want to hear what their expertise is. We want to hear how they deal with a specific issue, but we want to normalize it so we can come up with a good policy that takes into account all the components that we work with. And we've got a good team to pull that together.
For those of you that listened to or watched the State of the Union speech last week, the President stated very clearly that the Executive Branch and the White House are focused on achieving these strategic initiatives, particularly with the proposed legislation that we put forth, to which Congress will be putting a lot of attention here in the next week or two when they're back. We've also done a pretty good job, I think, of actually prioritizing things. I see John Gilligan here and a few other folks that have run enterprises, and nothing is more troublesome than when you say, you know, here are 50 security issues you've got to deal with. Prioritize them, and they're all priority one. That's life in the real world. So we've actually set about and said, okay, what are some of the things, how do we prioritize these? How do we expedite the traditional low-hanging fruit while making sure we're reducing vulnerabilities that we know exist, while still building for the future? So it's very important as we do these things that we actually have some milestones and specific priorities that we're looking at. And in this venue today, of course, the thing that we'll be talking about is effective identity management and all the things we can benefit from that. You know, I could spend some time talking about the threats out there. People talk about hacktivists, nation-states, criminal organizations and everything else. The bottom line is, if we had fewer vulnerabilities, they would be less successful. When I look at the law enforcement community, when I look at the men and women that on a day-to-day basis have to manage these systems from a security perspective, provide the services, whether it's government or businesses, and the things that they have to deal with, clearly we'd like to take a whole lot of that off their shoulders by saying we can stop the threats out there. But I think anybody who's been in this business for any length of time knows we're not going to be able to stop the threats.
We'll be able to get some small chunks of success, as we've seen with law enforcement going after some of the criminal activities that control some of the bot networks, working very closely with the private sector, using civil actions, using criminal actions. But clearly, oftentimes we see another group will pop up to replace them. But once again, the things that we can control are the vulnerabilities that exist in our systems, who's on our systems, and how we wind up better hardening our systems so that wherever the threat comes from, the likelihood of success is reduced. So, zeroing in a little bit, I want to just take a few minutes to talk about the NSTIC, the National Strategy for Trusted Identities in Cyberspace. Jeremy, I saw you walking in, there you are. Jeremy came in a few minutes ago. We were very fortunate to lure him away to run our program office at the Department of Commerce on that. When we rolled this out at the U.S. Chamber of Commerce last year, it was a true testament to the amount of support we had on this. We had the President's National Economic Advisor, we had one of the most informed and vocal senators, Senator Mikulski, as part of it. We had the Chamber hosting us, so clearly a recognition that there are a lot of moving parts to this Trusted Identities in Cyberspace. The basic vision is to build an identity ecosystem that provides individuals with the option of using a federated, user-centric digital credential to conduct transactions with more security. Simply stated, we have a choice. If I want to just do a small transaction, I can choose to use one identity over here. If I have something more robust, I have the ability, and also the institution I'm working with has the capability of providing me the ability, to have a higher level of assurance. And to move away from, as I think all of us recognize, the static user ID and password, which should have been declared dead years ago.
As a matter of fact, I remember another CSIS event, probably in about 2001, where we had that same discussion. Here we are almost 11 years later, and I think we're finally making progress on this. We're finally having a mechanism to move this forward. But the other thing we want to do is we want the private sector to give us the capabilities. To be able to draw on a marketplace of identity providers, both public and private, to say, here are the choices you have. I was trying to explain to someone what an OTP, a one-time password, was on a mobile device. They understood what we call a smart card because it resembles an ATM card. So they said, well, why would I use something that I don't know about when I have this card here thing that I can use? And that's the thing we're trying to do: provide options for people. But by the same token, in these options, we want to make sure we're not sort of reliving the problems we had in the past. PIN and chip technology: great technology. But people have since figured out how to break some of the encryption on there. They've looked for the man-in-the-middle attacks. So we know that now. So we should not say, OK, the answer is here's new PIN and chip cards, and everybody go out and use these because they're different than what we've been doing. We have to build these things with the ability to say, here's what we've done to make these better than what they are now. To understand there are likely to be man-in-the-middle attacks. To understand you're likely to be operating from a computer system, at least for now, that's likely to be compromised. And how can we still operate in that environment? And that's not something where you're going to get five people in the government to say, yeah, here's the answers, go forth and do this. It's going to take the intellectual capital that we have in the private sector, in the security community, in the VC community, entrepreneurs coming in and saying, here's a better way to do this.
That's easy to use, cost effective, and gives us options. The next thing is looking at that interoperable framework. That's why it's very important that we've got Commerce and NIST working with the private sector, saying, what are the standards that we're looking at? I was meeting this morning with one of my international counterparts. And we were talking about trusted identities and what they're wrestling with in their government. Everything from taxing to services they provide for health services. It's the same thing we're doing. And when you look at some of the great advances we've made, and we still have a long way to go, it's what VA does now with the Blue Button. The ability to consolidate this stuff. One of the things that I probably shouldn't say, but I do, is, just before the lighting ceremony on the Ellipse last year, there was an email that went out that said any of us can put in for this lottery to actually be there on the grounds when the lights get turned on. And I thought, wow, that was really neat. I clicked the link and it took me to a website where I had to create an account to be put in for a lottery, which, in my cynical manner, I said was just to be turned down, and I had to create an account with a user ID and password. And the good news is, next year I can use that same account if I remember the user ID and password. Because as security professionals, we tell people, do not reuse these things over and over again. So I try to stick to that as much as I can. Not perfect, but as much as I can. So I'll never remember that next year. So we need to have a mechanism with a framework that's interoperable. As a matter of fact, we just released a memo from the OMB and my office telling government agencies, stop creating these accounts, stop trying to manage this, stop being the help desk for every citizen in the world. Use outside credentials. They exist.
And we have the General Services Administration, or GSA, working with NIST and working with Homeland Security to make sure that these are ones that we can use. So you shouldn't have to have, in the case of some of us, a half a dozen or so government log-ons to find out what your VA benefits are or to find out what your tax liability is or what your Social Security benefits are. And we have other options to do that. And varying degrees of assurance as we move through that. So from the government's perspective on this, we will be a facilitator. We'll bring the people together. We can help convene a lot of these things. But the government will also be a customer of these. And I think there's nothing better than having some identity that I use in an e-commerce environment, and I can use that same one in the government. So as a consumer, the government is very important in saying, you build it and we'll use it as well. And we have to actually put our money where our mouth is. And I know, Jeremy, we made sure that the funding is there to actually do some of these things that we need to do. The other piece is when we are looking to streamline the customer experience. I mean, that's tremendously frustrating. The private sector has spent a lot of time and a lot of effort trying to make sure the user experience is as positive as possible. It's a business thing. They want you to come back as a customer. And quite honestly, if they give me a good experience, I'll be back. Whether it's an airline, hotel, whatever it will be. But the bottom line is we have to have a mechanism to do the same thing in the government. And that's what the government is looking to do. The other thing we need to do is set up a governance framework. Once again, the comment we had this morning: we're still in some cases running around with 18th century laws and 21st century technology. So when it comes to identity management, we look to the private sector to build this.
But how do we wind up dealing with some of the things that are just a normal part of business? A company may be our service provider, and for whatever reason, they go out of business, they take a wrong turn somewhere. And how do we protect people against that? What is the governance mechanism in place that says, okay, a company's out of business and the value in their company is the data that they've got about us? How do we deal with that? We saw that a couple years ago with one of the Trusted Traveler programs. We saw it even a few years back with a children's website that had a tremendous amount of information and went into receivership, and the bankruptcy court says, yeah, the only value you have is this information on all these children, which we as parents, as grandparents, say we don't want being sold off to the highest bidder. So these are some of the things that we have to build into this identity ecosystem to better protect us, because out there with the 99.9% legitimate businesses, we don't want to have someone, the point one percent, say, it's a good way to commit identity theft and credit card fraud. Open up a company, collect all this stuff, take advantage of all these people, then shutter my doors and move away. We have to have a mechanism in place to be able to deal with that. We also want to make sure we have a system that does not have sort of this one-size-fits-all identity. One of the criticisms many of us have had for a long time is I have a single logon that gives me access to everything in the world. That means if and when it gets compromised, everything I own and everything I have access to is then compromised. And that's a choice that we get to make. And that's a choice that we have to have the system designed and built to deal with.
So when we look at some of the things we're looking to solve, first and foremost, deal with some of the issues of cybercrime, online identity theft, financial fraud, online theft of intellectual property, all these things that we deal with; we're looking to solve some of those things. We've seen, while a lot of people may recall these things, advanced persistent threats; some of us don't think they're that advanced. We think they're very determined. But when you look at the sort of analysis of how these things really happen, oftentimes starting with a spear phishing email or a phishing email with a piece of malware attached that then gives you a backdoor to find vulnerabilities and escalate privilege, that's pretty determined. But some of the things that we can do in identity management would actually be able to resolve some of that, including the ability, when I get an email or any of us get an email, that the onus should not be on the end user to figure out, is that real or is it a piece of malware? But that's what we do today. Most things get through unless there's a signature out there that says this is known bad. It goes through and somebody says, yeah, this is my 2012 benefits, pay raise, holiday schedule, and you can bet most people will click on it. We've seen some states that have tried some pilots where they send emails out as part of an education system. And 86% of the people click on it because it appears to be legitimate, even though they send it from an outside email address. Good identity management should resolve that problem for us so the end user is never confronted with this. And whether you call it certified email or whatever term you want to associate with it, that's some of the things that we're looking to solve. But let's take it up to a more critical issue, and that's critical infrastructure, whether it's the energy sector, transportation sector, financial sector.
The bottom line is we basically have seen the same thing happening in that environment. So having better trusted identities, having strong authentication into these systems, and more specifically into industrial control systems, many generations of which have been built that were never designed to work in a networked environment, let alone a network environment that's connected to the internet. So as we look to do trusted identities, while we think about individuals interacting with a machine, we also have to understand the machine-to-machine interaction and build identity management into that as well. That gives us the ability to do authentication, gives us the ability to do encryption, some of the things that we really need to do on a regular basis. The other piece of this, when we start looking at some of the things about NSTIC and the things it can do for us, is it has to be interoperable worldwide. I mentioned that before and I think that's vitally important. If we're going to continue to be successful in a digital world from an economic perspective, there shouldn't be 110 different systems. We should not say, yeah, when I go to the UK, I get to do this. When I go to Australia, I get to do this. That's going to be just as confusing, and people will be less likely to adopt it if they need to do all these different things. Because when you look at the basis of it, we're looking for something easy to do what we want to do. And these are the things we need to do as we move forward. So on that, just in closing, a couple things that relate to that: the International Strategy for Cyberspace, openness, prosperity in cyberspace. When we released that strategy last year, it wasn't a strategy on cybersecurity. It was the international strategy for cyberspace. Part of that also talks about digital identities and identity management on an international platform, which we pull into that. And the last thing that I want to touch on before I open for questions, and that's inside the government.
I think many of us, both when we've been in government or outside of government, have said many times it's really difficult for the government to ask the private sector to do stuff that the government's not willing to do. And that's truly the thing we need to do. We released a memo on use of multi-factor authentication. It was really an interesting thing to find out that 76% of the people that should be having a PIV card were issued a PIV card. And very, very few of them were using it, because there was no requirement. We flipped that around. So not only do you get it, but you actually have to use it. And some of the first things are for logical access. We're going to be bumping that up to digitally signing email. Eventually it'll be used for S/MIME and encryption of email. And the bottom line is the technology exists. We've just not implemented the policies and enforced those to move this thing forward. So when we look at HSPD-12, Homeland Security Presidential Directive Number 12, and how it's languished for years, that's been accelerated, and it's something we need to continue to do. And we will make sure that the expertise is there to help departments and agencies move this thing forward. So in conclusion, I just want to make a few comments. The things that we're looking at are knowing what is on our network, all the devices, how the devices interact, a mechanism for those to interact securely. Know what is coming in and out of that network. If it's not signed, if it's not digitally certified, I don't want to see it hitting my network. Or I want to have some mechanism to sandbox it. I want to have some mechanism to make sure that we're not introducing risk into the network that we shouldn't be. And of course, knowing who's on the network to the level required for the business that we're going to transact.
And that goes from totally anonymous access, just somebody finding out what government services are available, all the way up to and including something that's more robust. Because this is really me, I've done in-person proofing somewhere and I can actually go out and say this is me and I need my VA records. So with that, I thank all of you for coming together. I think this is a really good forum to discuss these things. And I know Jeremy's here, and I'm sure Jeremy would love, as the rest of us would, to hear your ideas on things that we can do to accelerate this. Because we've got a window to make this happen and we don't want to be discussing this again 11 years from now. So thank you very much for the opportunity to discuss this with you. Thank you.

Well, thank you for those very candid and open remarks, Howard. It's actually quite refreshing in an open forum like this to get that kind of discussion. So we thank you for that. We have time for about five to seven minutes of questions. We're going to head into standard CSIS format. We have microphones. Please state your name and your affiliation. And due to time, please limit it to a question. So go ahead. We'll start right here in the middle.

Sorry, Jim McCartney with the Latin tush. Now, what do you see as the fundamental stumbling block for why this hasn't gone further faster, and what do you see as the White House role in trying to relieve that stumbling block?

Yeah, I think the biggest thing is we've not articulated a good business case for doing it. As I mentioned in my opening comments, things continue to work. You know, everything from a liability issue, from credit card fraud, identity theft, excuse me, financial fraud. The liability cap is at $50. So it's been sort of viewed as, yeah, I'm willing to absorb the losses and not do anything with it.
But I think there's a bigger picture now; people have recognized, through the efforts that the White House and many of you in this room have made, that it's not just about the money. It's the trust in the system. It's the ability to build the system. And I think that's what's really got people thinking about this more than just, oh gee, there was a little loss that I can write off. Venues like this are things that the White House is doing. We've got, we meet with Congress regularly. We meet with CEOs, the VCs, Jeremy's office over there. I don't know, you've had what, four or five workshops to date, continuously saying, here's what we need, and asking the private sector to build it. So I think there's a whole different discussion today than what we had 11 years ago, even three years ago.

Thank you for that. Gentleman in the orange.

Good morning. David McWhorter, Catalyst Partners. What is the mechanism for a company, maybe a client of mine or a company that I know that has something that we'd like to get in front of the entire group? I've been to the workshops. They're great. But what's the mechanism for demonstrating to you the ideas of the company?

Jeremy, stand up and you can demonstrate to Jeremy. But seriously, that's one of the challenges we have. And I think at the one meeting I was at, there were probably 34 different, I use the term startups, they were in various stages. They had great technology, they had put some effort into it, but weren't quite sure where they'd get the footing. And that's one of the things we're working on with Jeremy, is how does that become more public? Without endorsing any particular technology or endorsing any particular company, how do we give those that want to build the stuff sort of a portal, if you would, that says, here are the 50 options that are out there.
Here's the status of funding, whether they're just a founder and some angel investment or even a single investment, or this is something that's done a round B and we have some customers out there, so people can see and make decisions on their own. That's the part we're lacking, and I think that's the next part we need somebody to help us build. Whether it's done through universities, whether it's done through Jeremy's office or NIST, a mechanism to sort of sift through these and figure out what's going to work best. The downside, of course, like any of these things, is we may miss something that is the most rocking greatest technology we've ever seen, because somebody's just a small voice out there, and we want to put an equalizing platform in there through some sort of a portal.

Right, in the back. By the way, I think it's a brown shirt, not orange.

Andrew Howell, Monument Policy Group. Hey, how you doing? How are you? Good to see you. Howard, I want to pick up on a couple of things that you mentioned on HSPD-12 implementation and the fact that you just talked about the business case. HSPD-12 is a good example of a program that departments and agencies have struggled to make the business case for an investment in. And in the tight budget environment where we are now, if you've turned the corner, can you talk a little bit about how you've turned the corner in a tight budget environment on convincing departments and agencies to spend that money to increase assurance and identity?

Yeah, very simply stated, it's not an option. It's not, gee, you can do this if you want to. I think that was the biggest thing we did last year when Vivek and I put out the memo, said, no, this is not an option. This is a presidential directive. We've got a lot of plans. We've had tremendous success with senior leadership, and for those of you that have been in this environment for a while, it used to be this was a technology problem. It wasn't a business problem.
And now we have the deputy secretaries across all the departments and agencies; basically, they now have ownership of this. We have the President's Management Council, we bring them together, we go through their metrics, and they're held accountable for it. In instances where there may be an issue of funding, where we look to do some reallocation of budget in this austere time, we've said, yeah, this needs to be done. We may pull something from over here that can wait and make sure they've got it.

Okay, great, last question. We'll go right there.

Hi, Howard, Brian Benson with CA Technologies. You know, there's a big ROI associated with identity management. And in the commercial space, a lot of those companies have made their decision and their investments on that ROI. But I haven't seen a whole lot of that within the government, within the agencies. Do you have plans to use, whether it be an ROI calculator or showing the agencies that they can actually save money by going to, whether it be NSTIC or HSPD-12 or FICAM or OMB M-11-11?

Yeah, and I think that we're probably way past that, because now that we've mandated it, it's kind of tough to go in and say, you have to do this and here's the value you get. In the early days, they did some rough metrics just in password help desk costs and those sorts of things, but we've just got beyond that. Now, there's a true value, as NSTIC expands, for the private sector to say, gee, if we sell 100,000 credentials at a dollar apiece, but it costs us 200,000, it's not a good return on that. How does that scale? How do we wind up getting the costs down? That is what we're looking for in the private sector, because the government's going to be the consumer of that, not building our own. We want to get out of that business.

Awesome questions and great remarks. I look forward to the rest of the day. Again, I'd like to thank Brian Segraves and Adam Isles from Raytheon for their sponsorship of this.
Obviously, Howard, thank you for taking time out of your day and for your candid remarks. We'll reconvene at 10:45.