Okay, well, welcome everyone. We're going to go ahead and get started on time. Hopefully everyone has got something to eat and a beverage in front of them. We've got a great conference today on a very interesting, fascinating and important topic. My name is Rick "Ozzie" Nelson, director of the Homeland Security and Counterterrorism Program here at CSIS. We're a nonprofit at CSIS, so we're really dependent upon outside supporters to make terrific events like this happen. So the first thing I need to do is to thank our sponsor for today's event, Raytheon. With that I'd like to introduce one of our, the senior, the vice president for Homeland Security, Brian Seagraves. He's gonna come up here and introduce our special guest, Mr. Howard Schmidt, special assistant to the president for cyber. He's on a very tight timeline. We're absolutely thrilled that he made time in his schedule to come over here and give us some remarks. He's gonna do about 20 minutes of remarks followed by about 10 minutes of questions and answers, moderated by me, and those of you that know me, that means it's questions only, no statements. So without further ado, I'm gonna go ahead and introduce Brian Seagraves. We'll introduce Howard.
Thank you. But I get to make a statement first. So first, thank you CSIS for hosting this event, and we're very pleased to work with CSIS as an industry partner in giving visibility to the topic of identity management today. Raytheon works with civil security agencies around the world to address their mission challenges, and management of identity, credentials and access is a core enabler that spans across all the security missions that we help customers with: border security, immigration control, critical infrastructure protection, you name it. And while we're out there around the world, we're amazed at the functionality that other countries are offering their citizens, for example single national identity credentials that authenticate for financial services, health services, voting, electronic voting, driver's licenses and even the physical and logical access within government agencies, all on the same credential. And yet across our base, we also see customers confronting a number of overlapping challenges: challenges in how agencies move to interoperability and a person-centric view from their legacy systems, challenges taking advantage of advances in biometrics technology and addressing the overload of biometric systems, and doing all these things while protecting privacy and confidentiality. These challenges are compounded in the cyber arena, and the WikiLeaks incident actually really underscores the importance of strong identity management and insider monitoring as a precondition to information sharing. And then there is our need to foster trusted identity in cyberspace. As a core member of the defense industrial base, Raytheon believes that the way the DIB addresses federated identity authentication provides a model that can address many of the broader challenges that we have today. We believe all these challenges can best be addressed through a partnership between government and industry, where both critical systems and critical know-how reside, and that's why the United States is fortunate to have someone who has had such a long and distinguished career in both government and industry now coordinating cyber policy and cybersecurity efforts for the White House.

Howard Schmidt has had a distinguished career spanning more than 40 years in defense, law enforcement and corporate security. Since 2009 he has served as the president's coordinator for cybersecurity, and he's a long-standing expert in the areas of computer security, cybercrime, critical infrastructure protection and business risks related to cybersecurity. Mr. Schmidt was formerly the president and CEO of the Information Security Forum, a non-profit consortium that conducts research and develops best practices in information security, risk management and critical infrastructure protection. He has held executive roles in the private sector, including vice president and CISO at eBay and chief security officer for Microsoft. Mr. Schmidt's government service has included previous assignments at the White House, the FBI and the Air Force Office of Special Investigations, including tours as supervisory special agent and director of the computer forensics lab and computer crime and information warfare division. His military career includes active duty with the U.S. Air Force, with the Arizona Air National Guard as a computer and communications specialist, and in the U.S. Army Reserve as a special agent in the Criminal Investigative Division, where until his retirement he served with the computer crime investigations unit. Mr.
Schmidt is professor of research at Idaho State University, adjunct professor at the Georgia Tech Information Security Center, adjunct distinguished fellow with Carnegie Mellon CyLab and a distinguished fellow of the Ponemon Privacy Institute. He's also received numerous awards and recognitions from government and private industry, including the CSO Magazine Compass Award and Baseline Magazine's 50 Most Influential People in Business IT, to just name a few. Ladies and gentlemen, please welcome Howard Schmidt.

Brian, thank you very much for that kind introduction. And Rick, I'd like to thank you and CSIS for putting this group together. I think your opening comment about, you know, these things are made possible because of the support the people bring together, but we need more of these, and we very much appreciate you hosting this, and my dear friend John Hamre runs a great shop here, and we're very proud to be over here today. I don't want to spend a whole lot of time telling you stuff you've heard before, so I'm going to try to focus my comments specifically around the topic, with a couple little highlights, because there's a lot of, as I commented yesterday, noise going on right now about cybersecurity, everything from legislative issues to some of the threats we see out there in the real world. So I'm going to talk a little bit about some of the things that are going on, just to sort of update you on some of the things we're doing. But clearly the crux of a lot of things we're doing comes into the area of identity management, or what we call trusted identities in cyberspace. And I think a lot of this, as we've seen technology grow, as we've seen the advances and interconnectivity issues move forward, we've seen a need for identity management like we've never seen before. But on the same token, the exact same things we're using for stronger authentication also create their own set of challenges that we've got to overcome. Part of it is designing the systems that can accept the things that we're working with.

So it's been a busy year for all of us, at least in the little group that I work with at the White House and across the U.S. government. I know you all have been very busy. And as I made in a comment during a VTC yesterday, notwithstanding all the things that we've been talking about that are out there and at risk, because of the work that all of you do on a day-to-day basis, and Brian and all the folks that are part of companies that keep this thing going, everything still works. And we may have hiccups in it, you know, in some cases I liken them to the disruption that we have during snowstorms, which those of us that live here locally remember when we used to have snowstorms in January; it's 65 degrees outside today. But when we look at the disruptions, we recognize that we were able to recover from them quicker than we've ever been in the past. But we cannot lose the fact that things could get worse, and so we have to make sure that we continue to work to reduce that likelihood. So a little bit about the office. When the president created this office, it was part of the National Security Staff. At the time, there was the split National Security Council and Homeland Security Council; we've all merged. We're also dual-hatted with the National Economic Council, and I think that is one of the things that really sets us apart from some of the previous efforts that have taken place: we have the focus not only on national security and public safety, but also the economic components of cybersecurity. The staff, and we are very, very fortunate to have some of the best across government (from the Department of Justice, Homeland Security, the intelligence agencies, Department of Commerce, FTC), help us work on individual problems as we move forward, develop good policy, and work with the departments and agencies to take the very discrete views that departments and agencies have. As we were talking before we came in here,
there's a lot of herding of cats involved. And some would say, geez, isn't there a tension between this particular department and this one over here? And the answer is yes, I hope so. We do want to hear what their expertise is. We want to hear how they deal with a specific issue, but we want to normalize it so we can come up with a good policy that takes into account all the components that we work with, and we've got a good team to pull that together. For those of you that listened to or watched the State of the Union speech last week, the president stated very clearly that the executive branch and the White House is focused on achieving the strategic initiatives, particularly with the proposed legislation that we put forth, that Congress will be putting a lot of attention on here in the next week or two when they're back. We've also done a pretty good job, I think, of actually prioritizing things. I see John Gilligan here and a few other folks that have run enterprises, and nothing is more troublesome than when you say, you know, here's 50 security issues you've got to deal with, prioritize them, and they're all priority one. That's life in the real world. So we've actually set about and said, okay, what are some of the things, how do we prioritize these?
How do we expedite the traditional low-hanging fruit while making sure we're reducing vulnerabilities that we know exist, while still building for the future? So it's very important as we do these things that we actually have some milestones and specific priorities that we're looking at. And in this venue today, of course, the thing that we'll be talking about is effective identity management and all the things we can benefit from that. You know, I could spend some time talking about the threats out there. People talk about hacktivists, nation states, criminal organizations and everything else. The bottom line is, if we had fewer vulnerabilities, they would be less successful. When I look at the law enforcement community, when I look at the men and women that on a day-to-day basis have to manage these systems from a security perspective, provide the services, whether it's government or businesses, and the things that they have to deal with, clearly we'd like to take a whole lot of that off their shoulders by saying we can stop the threats out there. But I think anybody who's been in this business for any length of time knows we're not going to be able to stop the threats. We'll be able to get some small chunks of successes, as we've seen with law enforcement going after some of the criminal activities that control some of the bot networks, working very closely with the private sector, using civil actions, using criminal actions. But clearly, oftentimes we see another group will pop up to replace them. But once again, the things that we can control are the vulnerabilities that exist in our systems, who's on our systems, and how we wind up better hardening our systems, so wherever the threat comes from, the likelihood of success is reduced. So to zero in a little bit, I want to just take a few minutes to talk about NSTIC, the National Strategy for Trusted Identities in Cyberspace. Jeremy, I saw you walking there.
Yeah, Jeremy came in a few minutes ago. We were very fortunate to lure him away to run our program office at the Department of Commerce on that. When we rolled this out at the U.S. Chamber of Commerce last year, it was a true testament to the amount of support we had on this. We had the president's national economic advisor. We had one of the most informed and vocal senators, Senator Mikulski, as part of it. We had the Chamber hosting us, so clearly a recognition that there's a lot of moving parts to this. Trusted identities in cyberspace: the basic vision is to build an identity ecosystem that provides individuals with an option of using a federated, user-centric digital credential to conduct transactions with more security. Simply stated, we have a choice. If I want to just do a small transaction, I can choose to use one identity over here. If I have something more robust, I have the ability, and also the institution I'm working with has the capability, providing me the ability to have a higher level of assurance, to move away from what I think all of us recognize: the static user ID and passwords should have been declared dead years ago. Matter of fact, I remember another CSIS event, probably in about 2001, where we had that same discussion, and here we are almost 11 years later, and I think we're finally making progress on this.
We're finally having a mechanism to move this forward. But the other thing we want to do is we want the private sector to give us the capabilities to be able to draw on a marketplace of identity providers, both public and private, to say here's the choices you have. I was trying to explain to someone what an OTP, a one-time password, was on a mobile device. They understood what we call a smart card because, you know, that resembles an ATM card. So they said, well, why would I use something that I don't know about when I have this card thing here that I can use? And that's the thing we're trying to do, is provide options for people. But on the same token, in these options we want to make sure we're not sort of reliving the problems we had in the past. PIN and chip technology: great technology, but people have since figured out how to break some of the encryption on there. They've looked for the man-in-the-middle attacks. So we know that now. So we should not be saying, okay, the answer is here's new PIN and chip cards and everybody go out and use these because they're different from what we've been doing. We have to build these things with the ability to say here's what we've done to make these better than what they are now, to understand there's likely to be a man-in-the-middle attack, to understand you're likely to be operating from a system, a computer system, at least for now, that's likely to be compromised, and how can we still operate in that environment? And that's not something you're going to get five people in the government to say, yeah, well, here's the answers, go forth and do this. It's going to take the intellectual capital that we have in the private sector, in the security community, in the VC community, entrepreneurs coming and saying here's a better way to do this that's easy to use, cost effective and gives us options. The next thing is looking at that interoperable framework.
That's why it's very important we've got Commerce and NIST working with the private sector, saying what are the standards that we're looking at. I had a meeting this morning with one of my international counterparts, and we were talking about trusted identities and what they're wrestling with at their government, everything from taxing to services they provide for health services, much the same thing we're doing. And when you look at some of the great advances we've made, and we still have a long way to go, there's what VA does now with the Blue Button, you know, the ability to consolidate this stuff. One of the things that I probably shouldn't say, but I do, is just before the lighting ceremony on the Ellipse last year, there was an email that went out that said any of us can put in for this lottery to actually be there on the grounds when the lights get turned on. And I thought, wow, that was really neat. I clicked the link and it took me to a website where I had to create an account to be put in for a lottery, and in my cynical manner, to be turned down, and had to create an account with a user ID and password. And the good news is next year I can use that same account, if I remember the user ID and password, because as security professionals we tell people do not reuse these things over and over again. So I try to stick to that as much as I can, not perfect, but as much as I can. So I'll never remember that next year.
So we need to have a mechanism with a framework that's interoperable. As a matter of fact, we just released a memo from OMB and my office telling government agencies: stop creating these accounts, stop trying to manage this, stop being the help desk for every citizen in the world. Use outside credentials. They exist, and we have the General Services Administration, or GSA, working with NIST and working with Homeland Security to make sure that these are ones that we can use. So you shouldn't have to have, in the case of some of us, a half a dozen or so government logons to find out what your VA benefits are, or to find out what your tax liability is, or what your Social Security benefits are. And we have other options to do that in varying degrees of assurance as we move through that. So from the government's perspective on this, we will be a facilitator. We'll bring the people together. We can help convene a lot of these things, but the government will also be a customer of these. And I think there's nothing better than having some identity that I use in an e-commerce environment that I can use in the government. So as a consumer, the government is very important in saying you build it and we'll use it as well. And we have to actually put our money where our mouth is, and I know, Jeremy, we've made sure that the funding is there to actually do some of these things that we need to do. The other piece is when we are looking to streamline the customer experience. I mean, that's tremendously frustrating. The private sector has spent a lot of time and a lot of effort trying to make sure the user experience is as positive as possible.
It's a business thing. They want you to come back as a customer, and quite honestly, if they give me a good experience, I'll be back, whether it's an airline, hotel, whatever it will be. But the bottom line is we have to have a mechanism to do the same thing in the government, and that's what the government is looking to do. The other thing we need to do is set up a governance framework. Once again, the comment we had this morning: we are still in some cases running around with 18th century laws and 21st century technology. So when it comes to identity management, we look to the private sector to build this. But how do we wind up dealing with some of the things that are just a normal part of business? A company may be our service provider; for whatever reason they go out of business, they take a wrong turn somewhere, and how do we protect people against that? What is the governance mechanism in place that says, okay, the company's out of business and the value in their company is the data that they've got about us; how do we deal with that?
We've seen that a couple years ago with one of the trusted traveler programs. We saw it even a few years back with a children's website that had a tremendous amount of information. It went up in receivership, and the bankruptcy court says, yeah, the only value you have is this information on all these children, that we as parents, as grandparents, say we don't want being sold off to the highest bidder. So these are some of the things that we have to build into this identity ecosystem to better protect us. Because we don't want to have someone go out there, with 99.9 percent legitimate businesses out there, and that point one says it's a good way to commit identity theft and credit card fraud: open up a company, collect all this stuff, you know, take advantage of all these people, then shutter my doors and move away. We have to have a mechanism in place to be able to deal with that. We also want to make sure we have a system that does not have sort of this, you know, one-size-fits-all identity. One of the criticisms many of us have had for a long time is I have a single logon that gives me access to everything in the world. That means if and when it gets compromised, everything I own and everything I have access to is then compromised. And that's a choice that we get to make, and that's a choice that we have to have the system designed and built to deal with. So when we look at some of the things we're looking to solve, first and foremost, deal with some of the issues of cybercrime, or online identity theft, financial fraud, online theft of intellectual property, all these things that we deal with; we're looking to solve some of those things. We've seen, while a lot of people may recall these things, advanced persistent threats. Some of us don't think they're that advanced.
We think they're very determined. But when you look at the sort of analysis of how these things really happen, oftentimes starting with a spear phishing email or a phishing email with a piece of malware attached that then gives you a backdoor to find vulnerabilities and escalate privilege, that's pretty determined. But some of the things that we can do with identity management would actually be able to resolve some of that, including the ability, when I get an email or any of us get an email, that the onus should not be on the end user to figure out is that real or is it a piece of malware. But that's what we do today. Most things get through unless there's a signature out there that says this is known bad. It goes through and somebody says, yeah, this is my 2012 benefits, pay raise, you know, holiday schedule, and you can bet most people will click on it. We've seen some states that have tried some pilots where they send emails out as part of an education system, and 86 percent of the people click on it because it appears to be legitimate, even though they send it from an outside email address. Good identity management should resolve that problem so the end user is never confronted with this, and whether you call it certified email or whatever term you want to associate with it, that's some of the thing that we're looking to solve. But let's take it up to a more critical issue, and that's critical infrastructure, whether it's the energy sector, transportation sector, financial sector. The bottom line is we basically have seen the same thing happening in that environment. So having better trusted identities, having strong authentication into these systems, and more specifically in industrial control systems that, for many generations, have been built never designed to work in a networked environment, let alone a network environment that's connected to the internet. So as we look to do trusted identities, while we think about an individual interacting with a machine, we also have to understand the machine-to-machine interaction and build identity management into that as well, which gives us the ability to do authentication, gives us the ability to do encryption, some of the things that we really need to do on a regular basis. The other piece of this, when we start looking at some of the things about NSTIC and the things that it can do for us, is it has to be interoperable worldwide. I mentioned that before and I think that's vitally important. If we're going to continue to be successful in a digital world from an economic perspective, there shouldn't be 110 different systems. We should not say, yeah, when I go to the UK I get to do this, when I go to Australia I get to do this, and that's going to be just as confusing, and it's less likely people will adopt it if they need to do all these different things. Because when you look at the basis of it, we're looking for something easy to do what we want to do, and these are the things we need to do as we move forward. So on that, just in closing, a couple things that relate to that: the International Strategy for Cyberspace, openness, prosperity in cyberspace. When we released that strategy last year,
it wasn't a strategy on cybersecurity. It was an international strategy for cyberspace. Part of that also talks about digital identities and identity management on an international platform, and we'll pull into that. And the last thing that I want to touch on before opening for questions, and that's inside the government. I think many of us, both when we've been in government or outside of government, have said many times it's really difficult for the government to ask the private sector to do stuff that the government's not willing to do. And that's truly the thing we need to do. We released a memo on use of multifactor authentication. It was really an interesting thing to find out that 76 percent of the people that should be having a PIV card were issued a PIV card, and very, very few of them were using it because there was no requirement. We flipped that around. So not only do you get it, but you actually have to use it. And some of the first things are for logical access. We're going to be bumping that up to digitally signing email. Eventually it'll be used for S/MIME and encryption of email. And the bottom line is the technology exists.
We've just not implemented the policies and enforced those to move this thing forward. So when we look at HSPD-12, Homeland Security Presidential Directive number 12, and how it's languished for years, that's been accelerated, and it's something we need to continue to do, and we will make sure that the expertise is there to help departments and agencies move this thing forward. So in conclusion, I just want to make a few comments. The things that we're looking at are knowing what is on our network, all the devices, how the devices interact, a mechanism for those to interact securely. Know what is coming in and out of that network: if it's not signed, if it's not digitally certified, I don't want to see it hitting my network, or I want to have some mechanism, the sandbox, I want to have some mechanism to make sure that we're not introducing risk into the network that we shouldn't be. And of course knowing who's on the network, to the level required for the business that we're going to transact. And that goes from totally anonymous access, just somebody finding out what government services are available, all the way up to and including something that's more robust that says this is really me, I've done identity proofing somewhere and I can actually go out and say this is me and I need my VA records. So with that, I thank all of you for coming together. I think this is a really good forum to discuss these things, and I know Jeremy's here, and I'm sure Jeremy would love, as the rest of us would, to hear your ideas on things that we can move to accelerate this, because we've got a window to make this happen and we don't want to be discussing this again 11 years from now. So thank you very much for the opportunity to discuss this with you. Thank you.

Well, thank you for those very candid and open remarks, Howard. It's quite refreshing in an open forum like this to get that kind of discussion.
So we thank you for that. We have time for about five to seven minutes of questions. We're going to head into standard CSIS format. We have microphones. Please state your name and your affiliation, and due to time, please limit to a question. So go ahead. We'll start right here in the middle.

Sorry, Jim McCartney with the lointouche. What do you see as the fundamental stumbling block for why this hasn't gone further, faster, and what do you see as the White House role in trying to relieve that stumbling block?

Yeah, I think the biggest thing is we've not articulated a good business case for doing it. As I mentioned in my opening comments, things continue to work. You know, everything from a liability issue, from credit card fraud, identity theft, excuse me, financial fraud, the liability cap is at $50. So it's been sort of viewed as I'm willing to absorb the losses and not do anything with it. But I think there's a bigger picture now. People have recognized, through the efforts of the White House and many of you in this room, that it's not just about the money. It's the trust in the system. It's the ability to build the system. And I think that's what's really got people thinking about this more than just, oh, gee, there was a little loss that I can write off. Venues like this are things that the White House is doing. We meet with Congress regularly. We meet with CEOs, the VCs. Jeremy's office over there, I don't know, we've had what, four or five workshops to date, continuously saying here's what we need and asking the private sector to build it. So I think there's a whole different discussion today than when we had it 11 years ago, or even three years ago.

All right, thank you for that. Gentleman in the orange.

Good morning. David McQuitter, Catalyst Partners. What is the mechanism for a company, you know, maybe a client of mine or a company that I know that has something that we'd like to get in front of, you know, the entire group? I've been to the workshops.
They're great, but, you know, what's the mechanism for demonstrating to you the ideas of the company?

Jeremy, stand up. Demonstrate to Jeremy. No, but seriously, that's one of the challenges we have, and I think at the one meeting I was at there were probably 34 different, I'll use the term startups, that were in various stages. They had great technology that they put some effort into, but weren't quite sure where they'd get the footing. And that's one of the things we're working on with Jeremy, is how does that become more public without endorsing any particular technology or endorsing any particular company. How do we get those that want to build the stuff sort of a portal, if you would, that says here's the 50 options that are out there, here's the status of funding, whether they're just a founder and some angel investment, or even a single investment, or this is something that's done a round B and we have some customers out there, so people can see and make decisions on their own. That's the part we're lacking, and I think that's the next part we need somebody to help us build, whether it's done through universities, whether it's done through Jeremy's office or NIST, a mechanism to sort of sift through these and figure out what's going to work best. The downside, of course, like any of these things, is we may miss something that is the most rocking, greatest technology we've ever seen because somebody's just a small voice out there. We want to put an equalizing platform in there through some sort of a portal.

Great, in the back. By the way, I think it's a brown shirt, not orange, to me.

Andrew Howell, Monument Policy Group. Hey, how you doing?
How are you? Good to see you. So, Howard, I want to pick up on a couple of things that you mentioned on HSPD-12 implementation, and the fact that you just talked about the business case. HSPD-12 is a good example of a program that, you know, departments and agencies have struggled to make the business case for investment in, and in the tight budget environment where we are now, if you've turned the corner, can you talk a little bit about how you've turned the corner in a tight budget environment on convincing departments and agencies to spend that money to increase assurance in identity?

Yeah, very simply stated, it's not an option. It's not as, gee, you can do this if you want to. I think that was the biggest thing we did last year when Vivek and I put out the memo that said no, this is not an option. This is a presidential directive. You come in with the plans. We've had tremendous success with senior leadership, and for those of you that have been in this environment for a while, it used to be this was a technology problem, it wasn't a business problem. And now we have the deputy secretaries across all the departments and agencies; basically, they now have ownership of this. We have the President's Management Council. We bring them together. We go through their metrics, and they're held accountable for it. In instances where there may be an issue of funding, that's where we look to do some reallocation of budget. In this austere time, we said, yeah, this needs to be done. We may pull something from over here that can wait and make sure they've got it.

Okay, great, last question.
We'll go right there.

Brian Benson with CA Technologies. You know, there's a big ROI associated with identity management, and in the commercial space a lot of those companies have made their decisions on investments based on that ROI. But I haven't seen a whole lot of that within the government, within the agencies. Are there any plans to use, whether it be an ROI calculator or something showing the agencies that they can actually save money by going to, whether it be NSTIC or HSPD-12 or FICAM or OMB M-11-11?

Yeah, and I think that we're probably way past that, because now that we've mandated it, it's kind of tough to go in and say you have to do this and here's the value you get. In the earlier days they did some rough metrics, just in password help desk costs and those sorts of things, but we've just got beyond that now. There's a true value, as NSTIC expands, for the private sector to say, gee, if we sell, you know, 100,000 credentials at a dollar apiece but it costs us 200,000, that's not a good return on that. How does that scale? How do we wind up getting the costs down? That is what we're looking for from the private sector, because the government's going to be the consumer of that, not building our own. We want to get out of that business.

Well, great. These are awesome questions and great remarks, and I look forward to the rest of the day. I again would like to thank, you know, Brian Seagraves and Miles from Raytheon for their sponsorship of this, and then obviously, Howard, thank you for taking time out of your day for your candid remarks. We'll reconvene at 10:45.