Jim: If I could ask people to go ahead and take their seats. Thank you very much for coming out this morning, and I want to also thank our speakers and our panelists for giving up their valuable time. I think this is going to be a really interesting event. There have been a lot of changes in cybersecurity in the last couple of years, and this might be one of the most dynamic. It might also be one of the few things that could actually come to fruition in the upcoming months, so we're very eager to have a full discussion.

Today's agenda is: we'll have three keynote speakers. Following them, we'll have a very distinguished panel come up and have an interactive discussion with the audience. I believe each of the speakers has time for one or two questions, and then we'll see where we go from there.

We put biographies of everyone out on the desk by the entryway, because all three of our keynote speakers here have had such distinguished careers that it would take up almost the whole session for me to go through them. I'll skip that and instead say we will begin with Howard Schmidt, cybersecurity coordinator for the Obama administration. He'll be followed by Cameron Kerry, general counsel at the Department of Commerce, and then Michael... Michael... English is not my first language... Michael O'Reirdan, chairman of MAAWG, the Messaging Anti-Abuse Working Group. So I'm eager to hear the remarks. Let's get started with Howard. Thank you very much for coming.

Howard Schmidt: Thank you very much, Jim, and thanks not only to you for your personal contribution, but also to CSIS for their ongoing efforts in helping support the cybersecurity effort and putting on events like this. As Jim mentioned, we are very fortunate to have some really excellent speakers and panelists to discuss what I think, in all of our views, is a very important issue; otherwise we probably wouldn't be here. And that's, very broadly, what role ISPs should play in dealing with some of the security issues we deal with online, and specifically the role of the relationship with consumers. There's been a lot of work that's taken place in the past looking at these issues. We've seen things take place internationally relative to this area, and so some of the things we'd like to flesh out a little bit today are: what's good for us in this country? What are the things that can really be helpful?

Also, as Jim mentioned, we have a good friend, and someone that really understands this as well as anybody, from the Department of Commerce, Cam Kerry. He'll talk a little bit about some of their efforts to pull together multi-stakeholder groups to look at issues relative to the ISPs and various codes of conduct. They've really been leading in this area, and not only this specific area, but also working with the private sector in an area that basically extends beyond just critical infrastructure. And Michael O'Reirdan, or Mike... Jim's got me started on this now... from MAAWG. As I think many of you know, Michael has written extensively on this topic, including an IETF RFC on remediation of bots on ISP networks, which is well received by the community and is also a very worthwhile document.

As we go through the questions to the panel, I would ask you to once again be as you normally are, and that's: don't be shy about asking questions. These are tough issues, and the only way we're going to get to solving some of these issues is to make sure we're asking those tough questions. In a venue like this we have an opportunity to be small enough, focused enough, to really come up with some good conversation to help us move forward in this area and in dealing with this important issue.

So before we get started, let me just take a few moments and reflect on where at least we see cybersecurity heading. We all know that cybersecurity issues are here; they're not going to go away. They're not something where someone some day is going to wake up and say, "Yeah, I'm tired of messing with networks, we're just going to quit." Nor are we going to be in a position someday where we're going to be so secure that people say, "Yeah, no money to be made in this, let's go do something else and stay away from networks." That's not going to happen. The president highlighted this in his 2009 Cyberspace Policy Review and by the creation of this office, once again a reminder, dual-hatted between the National Security Staff and the National Economic Council. Now, I think none of us are idealistic enough to believe for a moment that the issues we're dealing with are going to be somehow solved by a silver bullet, or that any one action taken by a company, an individual or a government is going to fix all the problems we have. But, having said that, we fully should recognize that we all have to do a little part to make this more secure.
We have to do something to move forward. We've said in meetings endlessly that we've been admiring the problem for too long. So looking for solid solutions and moving forward, as difficult as some may be, is something that we really need to work towards. When we look at moving forward, what does that entail? Well, I think it's a combination of efforts. We look at the role that we all have to play, and you've all heard this quite a bit: the role of government is only a small role. We have to make sure that the private sector, small businesses, state, local, tribal governments, territorial governments, foreign governments, individuals, pretty much everybody on the planet that has the use of this technology, has a role to play in this. When we look at the International Strategy that was released a few months ago, clearly it laid out the president's strategy for how to deal with these things, not only on an international basis, but also working amongst the private sector and various governments. But in order to be able to make some achievements in this, we have to understand what our role is, and that's one of the things that we are constantly looking to better define. What is the role of government? What is the role of the private sector? What can we as individuals do?
So let me drop down a layer, if I may, and just focus on the issue of botnets, which we hear a lot about. There's been some recent disruption of some botnets that has taken place. We had some really good work done by the Department of Justice, working in concert with the private sector and the ISPs, not too long ago disrupting a very widespread bot network. But once again, when we look at this category, I see things fall into basically four categories. The first one is sort of awareness and prevention, and I'll come back to that in a minute, because I think that's going to be a lot of what we're going to be talking about today. But specifically on handling an infection: first, we have to detect that it's there.

I remember a few years ago, before my dad passed away, and some of you heard this, he had quite an affection for computer systems. He was in his late 80s, early 90s, and every time I turned around he wanted an upgrade. But also every day, it seemed like every day, I was getting an email forwarded to me saying, "Isn't this a virus? Isn't this a worm?" And it got to the point: "Well, thank you very much for sending that to me, I appreciate your sharing." But with his penchant for computers, he also became, in the community he lived in, sort of the computer guru, which was really scary, by the way. And I remember going down to visit him one time, and he asked me to go over and talk to one of the local women. I think she was in her 80s at the time. She had bought a brand new computer and it was running really slow. Some of you will really appreciate this next comment: I went over to the house, looked at it, and the DSL modem light was flickering like there was so much data moving back and forth, and the computer was just sitting there idle. Pretty good indicator that it had been botted. She had no idea what it was, no idea how to clean it up.

So this whole detection piece is something that, if you think of people that you know that would be in a similar category, they have no idea. They think it's nice that those lights are blinking all the time. And so detecting is an issue we have to deal with. Then the second piece of this is actually being able to do something with it. Who do we notify? Who do we contact?
You know, it's not as if people go out and open up what used to be in some communities the Yellow Pages, or get online, and say "computer infection specialist," and there's somebody right around the corner like a plumber would be. We have to figure out a way to better address this issue, to be able to notify the people that there's something wrong, and then the whole remediation piece of it. That's something where we see some good tools out there, but in many cases one or two people don't know the tools are available, how to get them, how to use them. So that's something we need to wind up dealing with. We could probably drill down into any one of these topics and literally spend days on how to fight it, how to clean it up, how to deal with it. But the bottom line: it exists, and we need to figure out better ways of dealing with it.

So if those of us that are in this business, whether you're a journalist or whether you're a technologist, think that this is a challenge for us, imagine how the lay people feel. Or as I once said when I had a technical problem and the help desk sent exec support over and said, "Here, it's fixed," the question became: what do real people do? How do they get this kind of support? So we have to look for reasons to do that, because the botnets are out there. Not only can they harm and threaten any of us out there, where you become a victim of a crime, but they're also used to commit other crimes. So not only do they steal data from the computer, they're also used to infect other computer systems, and often systems that trust that computer to be part of their trusted network. So as a consequence, there's a lot of work we need to do in this area. When we look at some of the things that we need to do going forward to incentivize people to do this, there's been a lot of discussion: what does it really take to get people to pay attention?
When you really don't know you're a victim, or when you're a victim there's no real loss to you, but I think overall we fully recognize in industry there is a loss. There's a lack of confidence, there's a lack of trust, and we really have to go a long way to clean this up. And I truly believe that's why this is an important discussion topic and why we're here today to talk about it.

So let me go back to what I said I'd wait on for a moment: that's the awareness and prevention piece. Let me turn to that. This is different because it's not a responsive action to an infection. Awareness is basically preparing yourself to keep something from taking place. We look at National Cyber Security Awareness Month, which kicks off this month. We look at the things that we try to do through Cyber Security Awareness Month, and that's to prevent these things from taking place. I've heard a lot of people talk about how great we are as a country at recovering from bad things that have happened, whether it's a physical event or a cyber event. But the bottom line is we have to constantly get better about preventing these things from taking place, and this is an area where it's most important to do that, because we depend so much on these systems. So when you look at the botnets and look at the capabilities that they bring, that someone could turn against a company, an individual, a publication, you name it, it's something we need to take care of and take very seriously.

So as we work through the year, like many of these things, you know, we have Mother's Day, and we have Cyber Security Awareness Month. By the same token, with mothers, we should always treat them with respect, we should always make them happy. Cyber Security Awareness Month: we should not just have it for one month, we should do it year-round.
We should make sure that we're doing the basics All year long that we should we're teaching and talking about during Cyber Security Awareness Month and really implement some of the things with the Homeland Securities Program on stop think connect Because that's an awareness campaign that really brings us to the forefront of what we should be doing So in closing I thank you for the opportunity to make these comments As I as I think you will take these to heart Because these are four areas that we need to work on. I think we've got the right folks here to help us make that happen So thank you very much Well, good morning. I'm the public private partnership on botnets that's the subject of this morning's forum is a prototype of the Kind of policy making and problem-solving that we at the Department of Commerce have been advocating as a Central way of addressing the key Policy challenges that we face on the internet It puts into action the multi stakeholder approach that is Modeled on the institutions that have so successfully built the internet itself It represents the kind of dynamic flexible regulatory approach that we believe is needed to adapt to the challenges of rapidly changing technology And this approach advances The central policy of maintaining a trusted and a secure internet while protecting the Innovation and the interoperability that have made the internet such a driver of economic growth globally As the Economist writes this week The internet is shambolically governed And the shambles is a lot better than the alternative We simply cannot in this diverse interconnected complex space Rely on a top-down approach So under the obama administration the commerce department has made the internet central to our mission to promote growth to create jobs and to retool the u.s economy for sustained Leadership in the 21st century I as howard mentioned the work of cyber security is dual-hatted under the national Security council and the national economic council and 
i'm grateful for to howard for Being a leader in recognizing that the mission of cyber security must Take into account economics must take into account the needs of businesses And so really making Those interests a part of the discussion And that has been central to the role of the department of commerce Uh secretary gary lock last year established an internet policy Task force a department-wide task force that draws on the expertise of many of our agencies the national telecommunications and information administration The economics and statistics administration nests the national institute of standards and technology And the u.s patent and trademark office this task force Was assigned by secretary lock to look at the norms and the ground rules That foster innovation In uses of information in four key areas In enhancing internet privacy In protecting cyber security In promoting intellectual property And in ensuring the free flow of data across national wars We recognized as we set out to look at these issues that that You know these issues these difficult issues needed the input and the cooperation of a diverse range of stakeholders From businesses to civil society to academia And to consumers as well as government And our approach has been to engage all of these groups in the discussion It recognizes that a key role for government Is in convening stakeholders And leading the way to policy solutions that protect the public interest As well as private innovation But pure government planning in this space Is a prescription for failure So today's discussion of Building a code of conduct around botnet Detection notification mitigation Focuses on security But we believe that a similar approach to policy making Works across a range of internet issues The range of the full range of issues that We continue to work on at the department of commerce Central to that work is trust The value of trust in this space just cannot be understated in a world Where commerce and trade 
operate on the exchange of digital information Security and privacy are two sides of the same coin And that coin is essential currency in the global economy today So one important part of commerce's role in building trust on the internet Has been the work of the national institute of standards and technology And of NTIA in developing cybersecurity controls It's been part of NIST's role as a lead agency for civilian government agencies Its documents like its special publication 853 Have become leading sources for cybersecurity protections for the private sector as well NTIA's role in key internet areas such as internet governance Remains a key to keeping a trusted infrastructure So in June we published at the department of commerce our cybersecurity green paper Which focuses on those elements of the non-critical infrastructure in communications My colleagues at the department of homeland security Bruce McConnell and others Focus on the core critical infrastructure that Is essential to banking to health care to core telecommunications But there is a significant portion of our economy that falls outside this space So the cybersecurity green paper focuses our efforts on public policies And private sector norms that can improve Cybersecurity posture in a number of commercial infrastructure operators Software and service providers and users outside the core critical infrastructure It's a realm that we've dubbed the internet and information innovation sector or i3 sector And it includes important telecommunications functions delivered by small and medium-sized online companies by retail businesses that have large online components by Information services including internet and mobile services designed for the consumer level by social networks and information technology Designed to be used by individual consumers by content providers and other businesses that Create and use cyberspace but are not part of the critical infrastructure So we stressed that we want to work with 
the segments of this i3 sector To build security best practices that can become industry codes of conduct that will chart out Voluntary standards that can raise the level of security in this sector So this forum today provides an excellent opportunity to begin the process By working with all stakeholders to build a code around botnet identification Around detection around mitigation for consumers And to encourage the incentives for the the i3 sector companies To implement these codes We all know as Howard described how botnets increasingly have put consumers at risk A botnet infection can lead to the monitoring of a consumer's personal information To exploitation of computing power and internet access And you know like the woman in Howard's father's neighborhood These are threats not just to the individual consumers But to all of us as these networks are used to disseminate not only spam But denial of service attacks and attacks on government and private institutions So many leading companies like Comcast, like Google have begun efforts to detect and to Notify their customers about infections in ways that avoid invading individual's privacy Around the world, other countries have begun to create codes to help alert consumers And to encourage these efforts So we need to begin to define and to create in the United States A vision for similar codes of conduct This should be a voluntary effort It should be stakeholder driven and taking advantage of experience And the expertise of people like you This can be a winning proposition in all senses for consumers For small businesses, for government, for internet service providers For security companies and e-commerce companies We're going to need your help in reaching consensus on a code And reaching consensus on the kinds of collective actions That can implement these codes to deal with botnet successfully So we have many avenues for you to participate The first of these is the Department of Commerce and Homeland Security 
Request for information published last week It will remain open until November 4th We want your comments We've been asked already to host a meeting soon after that RFI process ends We're going to work quickly to plan that meeting And to discuss the responses and to develop a path forward So as the first of what I hope will be many The Department of Commerce led and the Department of Homeland Security led Multi-stakeholder initiatives This is a great opportunity to show that government, industry, and civil society Can work together collaboratively without regulation To keep the internet safer and robust So I thank CSIS for the opportunity to be here today I thank you for being here today I hope this discussion is just a beginning And as we move forward tomorrow I hope you will bring your thoughts and your ideas to this process Thank you Hi there, good morning My name is Michael Reardon And it's a great pleasure for me to be here at the Center for Strategic and International Studies today to talk to you I'm going to take a couple of minutes of your time to explain what Morg is Because sometimes people hear the pronunciation They think that it's where we keep dead bodies, but it isn't I'm the Chairman of Morg and that's the Messaging Anti-Abuse Working Group And you can find us at www.morg.org And I'd like to just take a minute or so to briefly explain why in my experience This organization holds a unique position in the global ISP industry Whilst we were originally founded to combat spam Morg no longer concerns itself with that struggle As a group, work has been going on amongst the ISPs at Morg To deal with the issues of malware and bots for some time now In fact, we issued guidance to ISPs back in 2009 on this subject We also focus on emerging technologies such as mobile and social media Overall, Morg represents about a million mailboxes globally From our ISP, telecom and email service provider members And we bring together public policy advisors, academic 
researchers Anti-virus vendors, anti-spam vendors And the legitimate sending community who work very hard to make sure That the mail they do send is wanted And is sent to people that have opted in to receive it It's a global organization with members from Europe, Asia, India, Russia And we're actively involved in outreach to China and other countries And we have working relationships with many of the most respected Industry organizations including such things as a formal liaison with the IETF Which I'm proud to say they approached us about A lot of people try and get liaisons with the IETF And they generally sort of bounced them But they came to us and said, we'd like to work with you Morg discussions are confidential To quote the Vegas ad, what happens in Morg stays in Morg And our membership is vetted We sponsor invite-only law enforcement meetings Organized sessions on other sensitive topics Provide quite a lot of issue related training From people who actually know what they're talking about Because they're doing these kind of jobs day to day And publish the only metrics report on abusive email We have to call it abusive email because being a global organization There isn't a global definition of spam And in some countries spam doesn't exist There's no legislation against it In some countries spam is, I mean, you have to call it something other than spam But those are the only metrics that report on abusive emails Aggregated directly from network operators And the figures there are submitted anonymously Our three-day multi-track meetings in North America and Europe Are unprecedented opportunities to stay current on emerging issues Whilst meeting a whole bunch of other people Who really know what they're talking about 300 or more security peers From 10 or more countries at any one time We go to nice places This month we're hosting our Paris meeting With the London Action Plan In conjunction with the European Union Contact Network Of Spam Authorities Between the 
24th and the 27th of October It's going to feature a keynote panel Of French government cyber security officials And amongst the international participants Will be representatives from Europe, Canada, Korea, Turkey The United States and China If you've got any questions on this meeting Or would like any more information about more Please go to our website And we can be contacted through there And we'd be delighted to address any questions Anyhow Now on to the meat of what I've got to talk about Which is the public-private partnership The ISP role in fighting malware To start off with I've got to say You can't just focus on the ISP It's a team sport this And everybody's got to play their position And the main players on this team Are the service providers The end users Tools vendors Operating system and application vendors I'm going to go through what I think Are the roles that the various players have The service provider role is to detect And notify end users of possible infection End users themselves Have to be vigilant and sensible You know, if someone sends you a note Saying you've just come into $27 million If you'll only send them $5,000 It's not true, chaps You're not going to get the money But they shouldn't have to be their own CSOs No, they shouldn't have to be their own Chief security officers There's a massive role for education But it needs to start very young I mean, it's very cute to see little Johnny Navigating his way around the screen Clicking on every pop-up box That sort of presents itself in front of him That's actually not what we want to be teaching Little Johnny Little Johnny should know that it's, you know Not such a safe place And the default yes button is not the one to press Bad habits can start young And social engineering is a massive problem Tools vendors need to come up with better tools Because the bad guys are outpacing the existing tools Years ago, AV was a total solution But now it just forms part of the answer In the underground 
economy Where the bad guys get together to buy and sell bots Buy and sell botnets And buy and sell your credit card details There's websites out there Which allow them to actually test Their software that they create They can put it up against the latest version Of vendor A or vendor B And check that it can't be detected And then what they do is they offer guarantees Because if it does get detected, we'll just recompile it And we'll give you a version that doesn't get detected Tools vendors also have great information As to the effectiveness of remediation And they have proved singularly unwilling to share As for operating system vendors Some really are doing much better than others The dominant player in this space Has got their act together Five, six years ago you'd have gone Crikey look at them But now they've really got their act together And they're doing a fine job However, one or two of the other vendors aren't They could be doing a lot better And sometimes they seem to be operating in denial Of the problem rather than the acceptance of it Application vendors need to look at security More intensely too When you look at from the end user perspective And you see pop-up boxes To update application A Or update application B It's just too confusing It's too hard for them And I think this is one of the reasons That we're seeing more and more More and more malware vulnerabilities now Targeting the applications Rather than targeting the operating system Because people don't always keep their Applications up to date Their copies of Java, what have you Because it's too hard And you're expecting too much of the end users Now there's some jolly good work going on Jolly good, you see I'm British I finally said jolly good I have to say Comcast with its constant guard Is probably a leading example It's basically a notification and remediation Option with a paid notification And self remediation with a paid option Much of this technology has actually Been published on the 
Comcast website And the IETF have published an informational RFC 6108 Which actually goes through the system In use at Comcast However I'd say that the truly Inspirational one there is Century Link They've been doing this for a long time They were a quest I believe when they started And they've been working away At notifying their customers And they have a very impressive track record Their approach is much more along the lines With the they put customers in a walled garden With self remediation option And I believe there is some hand holding There's also a major US wireless carrier Which is starting to notify customers Of possible infections And with the spread of Android And it's sometimes interesting security model And we've obviously seen a number of infections On a global basis, particularly in China Where there was some substantial Android infections I think it's important that the wireless players Start getting in on the game There are other ISPs in the US Who are doing quite a lot of good work They just don't really talk about it a lot And there are a number of other ISPs Substantial ones Who have either are in pilot Or have got plans to sort of start doing this notification There is work going on at the IETF And Howard was very kind to it Kindly referred to it And I have to admit it's been one of the authors Of an RFC on bot remediation Which is in what's called last call at the IETF That means has anybody got any final objections Before we publish this And I'm hoping that it's got to be published soon And we'll have to give credit to my colleagues And Amal Modi And Jason living good at Comcast In 2009, as I said, Morgue issued Guidance to ISPs on what to do about bot remediation But I believe the IETF document is going to supersede this However, there's some great global models out there And I'm going to pick on three We've got the voluntary code of practice Where the user basically sorts themselves out The clean up with assistance model And the clean up 
by the end user using centrally provided tools So I'm going to start off with the Aussies The Australians with the iCode This code was launched back in 2010 And it contains four main elements In order to be iCode compliant You've got to have a notification Or management system for compromise computers There needs to be a standardised information resource For end users A comprehensive resource for ISPs To be able to access the latest threat information And a reporting mechanism back to In fact, the CERT in Australia To facilitate a national high level view In case of any major cyber attack Now in Australia 30 ISPs so far have signed up for this Which constitutes around about 90% Of the Australian ISP market However, if you look at the iCode There is a key statement in there Which I think bears quoting ISPs are not required to fix your computer That's really your responsibility But the iCode encourages them To let you know there may be a problem So that's the voluntary code version The next one is the one that's going on in Germany Which is botfry.de, the website There's an English version if you're interested In having a look And this initiative has been up and running For about a year now And the way I would sort of categorize This is clean up your computer with assistance It was initially funded by the federal government In Germany And it's run by ECHO Which is the German ISP Industry Association And their target was to take Germany Out of the world top 10 As identified by the Semantic Internet Threat Report For malicious activity and bot infection And thus they have a three stage process Which can be summed up as in form Clean and protect It differs from the iCode As there's a central service to clean up computers And it's a two stage process Initially the ISP detects And then passes the customer onto the botfry.de website Where there are tools to clean up a machine And those tools are supplied by industry partners Failing success there And we know that with the 
effectiveness of tools they will... some people will fail to be successful. The users revert back to the ISP, who issue a ticket to let the customer then dial up the botfrei call center, where they get individualized hand-holding to help them clean their machines. In the year it's been running there have been over a million visitors to the website, 711,000 downloads of cleaning tools, and 315,000 tickets have been issued for customers to get hand-holding and support. There are not a lot of statistics yet out of them, but they are planning on publishing them. One of the important things to bear in mind is that, being Germany, they're subject to EU privacy legislation, so there are very firm rules around what data is and/or can be shared.

Finally, of course, we come to the Japanese Cyber Clean Center. Now this has been running since 2006, so I guess we can call this the granddaddy of them, and it's very interesting because the legal... and really, sorry, this is very much a sort of clean-up-by-the-end-user system. The legal framework in Japan makes it rather difficult to monitor networks for bot activity and to block access to botnets, so the Japanese Cyber Clean Center focuses on detecting infected PCs and providing tools to clean up those infected PCs, and to educate end users. I would encourage you to go and look at the website; there is a large part of it in English. There are some very comprehensive diagrams, and you can actually see the flows that they put end users through: how they detect, how they clean up, and which industry partners they have available. There are four main parties involved in this. You've got the Japanese government, with their Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry; the Japanese Telecom-ISAC, which is their Information Sharing and Analysis Center, and they work with 76 participating Japanese ISPs, which is the majority; you have the Japanese CERT, the Computer Emergency Response Team, who, working together with Trend Micro,
create the anti-bot tools; and the fourth partner is the Information-technology Promotion Agency out there, who brings in other security industry partners. The bots are detected using honeypots. The customers are notified by log analysis: the customer's ISP then sends email to the infected user as a call to action. The customer visits the Cyber Clean Center to download the tools and self-remediates. They attribute a decrease in estimated infection of machines, from 2.5% in 2006 down to 1% in 2010, partly to the activity of this Japanese Cyber Clean Center, as well as the efforts of the OS vendors to secure their software. I'd suggest you go there because there's a very good report, and they've got to the point now where they're starting to actually look at how they notify people, and how changes in methods of notification, in terms of just wording, can up the response rate and get people going to hit those sites. And this is the kind of thing that we're going to have to do, because driving people to action is going to be hard. People get bombarded with so many instructions to do this, to do that, that there's going to need to be some good work done to work out what are the most effective ways to message and what are the most effective ways to make people feel secure. I know that, for example, with some methods of notification people go, "Well, why are you doing that? It looks like a phish," or "Why are you doing that?
It looks like a pop-up." I think the position that I take is that you have to start somewhere. If you don't start going down a path you're never going to get to the end, and being scared to put your foot on the path in the first place isn't going to get you anywhere. So throughout the world, service providers, internet governance and technical organisations, quasi-governmental organisations and governments are increasingly adopting approaches to combat bots, malware, DDoS attacks and other security threats. This reflects an emerging worldwide consensus, a consensus that something needs to be done, but that thing can't be preordained and predefined by any government or regulatory body. No two approaches are the same; I think I've already shown that just in the US alone, and certainly if you look at it on a global basis we've seen three different approaches from three different geographic areas. Preserving the ability for everyone, service providers, tools vendors, OS and application vendors, and even the end users in the ecosystem, to innovate and create new and better approaches and tools is essential to combat cyber security threats more effectively. I thank you for listening to me today, and I'll be happy to take any questions.

The speakers do have time for one or two questions, so perhaps we could... why don't we start over there? Early bird gets the worm. And if you could introduce yourself. It's like law school: you come in late, you have to go to the front of the room.

Right. I'm Steve Ryan, I'm the general counsel of the American Registry for Internet Numbers, and one of the things I just want to say is that ARIN, as a representative of the regional internet registries, is also available for this. We have a lot of experience; every ISP in this room undoubtedly has multiple contracts with us, and so one of the policy processes that we have may be of use in this activity. So we look forward to working with you on it.

Great, thank you. Another one: we've got one over... Diane? Great, you can
use them both if you want.

Mr. Schmidt, Mr. Kerry, could you tell me what you think the chance is of cybersecurity legislation becoming law, say by next February or March?

Boy, it's like asking me to know which lottery ticket to buy. No, but seriously, I think there's a tremendous commitment both in the House and the Senate to move forward on legislation in a bipartisan area. There have been a number of comments made by the leadership leading the cybersecurity side in the House, who have said that they are committed to working through this issue, so I have a high level of confidence that something will move forward. Don't know what the final form will be, because that's where, as we've said ever since the outset, the proposed legislation we moved forward on was the beginning of a discussion, not an end point. So we're hoping, looking forward to see it, and I think Congress is very much engaged in doing the right thing with this.

If I could just add, yeah, I mean, this is a difficult political environment to get things done, but we've seen that there are times that we can get bipartisan agreement on legislation. We saw that with patent reform last month. I think we certainly see bipartisan support for cybersecurity legislation. This is complicated stuff, so there are a lot of pieces that need to converge, but I think there are a lot of committees that are at work on this, focused on it. The Senate Judiciary Committee is reporting out its data security bill. So I think we will... there's a good chance we will see some significant components of this pass in this Congress.

Well, let me ask you to join me in thanking Howard Schmidt, the cybersecurity coordinator for the Obama administration, Cameron Kerry, general counsel at the Department of Commerce, and Michael O'Reirdan, chairman of MAAWG, for these remarks they've made. What I'm going to do now is... let's applaud them, please. Could I ask the panelists to now come up? Great. So, to do quick introductions, and again we have bios for people out at the
entry desk. Jamie Barnett, chief of the Public Safety and Homeland Security Bureau at the FCC. Really grateful he could make it today; known him for a long time. Bruce McConnell, Department of Homeland Security. My staff yesterday asked me... I said, "Who's Bruce McConnell? We can't find his bio anywhere." So I said, well, let me tell you, I have known Bruce, and known Bruce quite a while. What is your title?

Counselor to the Deputy Undersecretary for the National Protection and Programs Directorate at the U.S. Department of Homeland Security.

Really, someone who has been doing this for quite a long time. Oh, Max Weinstein, President and Executive Director of StopBadware. We're really grateful to Max for coming in. Ari Schwartz, who most of you know, now at NIST; long and distinguished career in these issues, internet issues. And finally, Kate Dean. Kate, we're very grateful for you to appear today; Executive Director of the U.S. Internet Service Provider Association. So what I'm going to ask to do is we'll just go right down the row. I'll ask each of the panelists to maybe talk for five minutes; we'll start with Jamie, we'll end with Kate, and then we'll open the floor to questions or comments from you. So, Jamie, please. It's your choice.

All right, well, if you don't mind, I'll sit. So good morning. I especially want to thank Jim and the staff at the Center for Strategic and International Studies for this important dialogue, and really to be able to serve with these distinguished panelists and get to hear our keynote speakers. I really think that the title of this program is fascinating. It's a public-private partnership and the ISP role, which would of course be one of the private parts of the partnership. And that partnership indeed needs to take a holistic approach and a collective, coordinated action among both government entities and private companies. So I'm here to talk about the FCC's role in that partnership, and I would call that a role that is a supporting role when you compare it to the leadership roles that
the Department of Commerce and the Department of Homeland Security must play. But it's still an important and perhaps essential supporting role in helping us secure the nation's cyber ecosystem against malware threats. And the point is that all hands must be on deck for this partnership to work, and we can't really afford for any part to be idle. The FCC has always been vitally interested in the security and reliability of communication networks. The internet has expanded the concept and scope of communications, but the very openness of the internet makes it very vulnerable to exploits and exploitation, and the specific areas of risk exist in the internet routing and directory services. So now the guy in your office next to you, your mom's computer, Howard's dad, even your computer, are all exposed to torrents of malware and spam that make them susceptible to infection and set them up as threats to other users, but perhaps in extreme scenarios to the communications infrastructure itself. So millions of computers get incorporated into botnets each month, capable of launching crippling distributed denial of service attacks. Just last week one of Australia's key internet registries, Netregistry, reported a major denial of service attack; it left customers unable to access their websites for one or more days. So, like legacy communication networks, we must remember the internet is operated by private commercial entities, not the government, and so, like legacy communications, private companies are the vanguard for protecting their infrastructure and their consumers. ISPs are not alone in this responsibility, but they play a significant function in battling botnets and malware, and naturally ISPs would be concerned about the responsibilities in remediating botnets, and really in a lot of ways they're pulled in a lot of different directions. I think that ISPs are concerned about unnecessary... the possibility of unnecessary government intervention or regulation; they're concerned... concerns about
customer privacy rights, fear of losing commercial advantage, fear of exposure to new legal liabilities have caused trepidation for ISPs that are seeking to create safer online experiences for their customers. But the industry also lacks an effective common set of guidelines for what should be done to detect, notify and remediate end users' computers that have become infected by bots and other forms of malware. So, speaking for myself, I think that a proper government role should start with facilitating collective action among the public sector and private entities, using the least restrictive, least regulatory means available that actually achieve success. And I think I can speak in harmony with my other federal partners when I say that we in the public government sector realize it will take a cooperative, focused public-private partnership in order to effectively combat the malware that threatens internet users and networks. And Cam mentioned the Commerce Department, so the green paper: it suggests that voluntary codes of conduct are really a written set of industry-wide voluntary practices designed to spur a community to operate in a uniform manner; it should be developed through a multi-stakeholder process to significantly advance efforts to protect the internet. So the U.S.
Department of Commerce and the Department of Homeland Security's RFI, which was built on this, I guess, that came out just really to... builds on past work here and abroad to ask those important questions about creating that voluntary code to address the detection, notification and mitigation of botnets, I think is a major step forward, and we at the Commission fully support our federal partners in going through this method to combat this growing threat. We're really especially interested to hear the responses to the RFI's questions on practices to help prevent and mitigate botnet infections, practices for identifying them, the effectiveness of consumer notification, and incentives, which I think are very important, to promote voluntary action to notify consumers. These questions and the responses are extremely important as we formulate that strategy, and as has been previously alluded to, this is not just a U.S. problem; the solutions are global, and so we definitely are interested in looking at the iCode, the things that have been done in Germany and Japan. Steps to remediate the adverse effect of botnets do involve more than the ISP community, but the ISPs surely have a significant role to play. At the Commission we're doing our part to assist our federal partners and the industry in combating global botnet threats, and here's what the Commission is doing. In December of 2010 the FCC's Communications Security, Reliability and Interoperability Council, or CSRIC, Working Group 8 released a report recommending 24 voluntary best practices to address botnet protections for consumers and network providers. Some of you in this room, I think, served on that, and I appreciate that. The best practices covered several areas, including prevention, detection, notification, mitigation, and identified means to address externalities such as privacy concerns. And then on September 23rd of this year we had the inaugural meeting of the newly rechartered CSRIC 3, and that was Working Group 7. I appreciate Ari Schwartz of the
Department of Commerce and my fellow panelists here coming to address the entire CSRIC group as we kicked it off. That includes some 60 experts from industry and government. Michael O'Reirdan is on it; we have Steve Crocker, Rodney Joffe; as a matter of fact Max is serving on one of our working groups; Alan Paller; there are others of you that are serving on this. It's an all-star cast, and really over the next 18 months the new CSRIC 3 will be reviewing efforts undertaken within the international community and among domestic stakeholder groups, such as the Australian Internet Industry Code of Practice, relevant IETF Requests for Comment, MAAWG (or "morgue", however you want to pronounce it), for applicability to our domestic ISPs. And then, building on the work of the CSRIC 2 Working Group 8, and in coordination with DHS and the Department of Commerce, and really informed by their RFI, Working Group 7 of CSRIC 3 will propose a set of agreed-upon voluntary practices and a framework for ISP implementation. So we want to work very closely with our federal partners on this, and the working group will also identify potential ISP implementation obstacles and identify steps that the FCC and other federal partners can take to help overcome those obstacles. We realize this is not easy. And then finally the working group will identify outcome-oriented performance metrics to evaluate the effectiveness of their work in addressing the botnet problem. So in all this we want to work very closely with industry and our federal partners; we're committed to do so through the CSRIC, and we want to identify those ways that we can leverage lessons learned globally to create the right environment. And so, Jim, thank you again for the opportunity to come and speak to this group. I look forward to our continued discussion. Thanks very much.

Bruce? Thanks, Jim. Let me also say what a pleasure it is to be here, and I love it when a plan comes together. So we really have a public
private partnership in action today, and we have the government acting in concert, so that's all positive. It's been a great morning already; I've learned two new words, MAAWG and shambolic, which I thought... there is a Three Dog Night song; I thought perhaps we were talking about the mythical kingdom in Tibetan Buddhism, but apparently it's about something else. So that's been good. Today is the third or fourth day of National Cyber Security Awareness Month, so what more appropriate topic to be talking about, because this is all about notifying and making people more aware of what is happening and what their piece of the action is in terms of fixing things. It's part of a larger vision that we at DHS have, and later in the month we'll be releasing our blueprint, our strategy for the homeland security enterprise, that focuses on a couple of different things: one is protecting critical information infrastructure today, and secondly to promote the creation of a healthier cyber ecosystem for tomorrow. And this work we're talking about today fits into both of those focus areas, because botnets truly are a scourge, from the standpoint of the damage they do but also the fact that they create a lot of noise on the internet and can be the vectors of serious threats, or can hide other threats that make them harder to find. So we're all for reducing them. But like so many other aspects of homeland security, cyber security is a shared responsibility, and so that's what we're talking about today: let's see if we can figure out the best roles and responsibilities for attacking this particular problem in a way that minimizes the government role and makes sure that it is doing the parts that only it can do, and that everyone else is doing the parts that they can do the best, and we're working together on this. So in this case we've seen the government now taking a facilitative role, in part to cause this conversation to occur, and also it is an extension of our role as educators, and in fact, as
in terms of homeland security, this particular effort that we've been working on with Commerce and with the FCC and the White House has been focused primarily on our educational role rather than our protect-and-prevent role, although it'll have a good effect on that, we hope, because one of our key approaches is to make sure that everybody is doing what they need to be doing. So we have a lot of things going on. We obviously are the sponsors of National Cyber Security Awareness Month, with our partners at the National Cyber Security Alliance and with all of you. And in addition we have our awareness campaign, which Howard mentioned, the Stop. Think. Connect. campaign, which is now really getting some legs. We're now partnered with the Girls and Boys Clubs, with the YMCA, YWCA; we're working with the Scouts. So this is really getting out there with the young people who need to understand their part in securing the future and present internet. So we're looking forward very much to the responses to the RFI, and to see what we can learn about the ways in which the private sector can help participate in educating consumers about botnets and malware, and to understanding even further to what extent that can actually reduce the prevalence and impact of this scourge on the internet and all of us. So, will education work?
Is this something that people want to do, and if they do do it, will it have an effect? Those are the questions that we're really interested in finding out. There's a broader impact as well: will this help improve computer literacy and computer security literacy in general among users? And we think that it will, and that's consistent with where we're trying to go in our overall educational mission. So I too look forward to the discussion, and I will get out of the way of our further distinguished panelists so we can get that going. Thanks.

Thank you, Bruce. Max, please.

Thanks, Jim. Right, so StopBadware as an organization over the last few years has been working in something of a parallel area, addressing a different area of cyber crime, which is what we refer to as badware websites. These are the websites from which people get infected with bots, bot malware, and other forms of malware; the websites that tell you your computer is infected with 237 infections and if you just pay seventy-nine dollars on your credit card they'll clean it up for you, and so on. And so as I was thinking about this topic, I was thinking, as we speak about what do we need to do, how are we going to do it, who's going to do it, I was thinking from the perspective of our experience: what do the consumers actually need? From our experience in working with probably tens of thousands or hundreds of thousands at this point of website owners whose sites have been compromised by malicious activity, what do they need in order to help themselves address this issue from a remediation standpoint? The first one, of course, it's been talked about a lot, is notification. A lot of people, like Howard's mother, or father rather, don't know that their computers are infected. Malware has gotten much trickier over the years. It isn't like a few years ago where you'd be getting pop-ups all over your screen and boy did you know you had adware or spyware or malware on your computer. In some of those cases nowadays it can be very
stealthy, not even slowing down your computer to a crawl, but really having no discernible impact that can be easily detected. So notification is key. The second piece is understanding. In our experience, when webmasters find out their sites have been compromised, and they often find this out when suddenly Google is putting up a big warning saying "Don't visit this website, it's infected," people almost go through the stages of grief. You know, there's an aspect of denial: "No, that's not possible, can't be my site." And then they get angry, often at Google, sometimes at us, anyone who's giving them the message that their site is infected. Bargaining, right, you know. And finally acceptance. And so there really is a key here: with notification really comes a necessity to educate people about what does this mean, how is it possible that my computer could be infected and I'm not seeing any ill effects of it, and I have antivirus on my computer, how could I possibly have an infected computer? The third piece of it is what we're expecting people to do, and I differentiate this from how to go about doing it; I'm just talking about what they're supposed to do. You can imagine, it's not uncommon nowadays for people to have multiple devices on their home network. You know, they might have wireless, they might have an iPad, they might have a couple of different laptops in the home, maybe a voice-over-IP telephone, things like that. And when someone gets a message saying some device on your network has malware on it: "Well, what am I supposed to do now?" And so we need to kind of spell out for them: you need to figure out which device or devices are infected, you need to get them cleaned up, and you need to get them protected, because otherwise they're just going to become infected again. And so we need to really sort of spell out what the expectation is for people. The fourth piece, of course, is how do you go about doing that, and that's providing the information, the tools, the services necessary so that
people can help themselves and get their devices cleaned up. And finally, for some people, and it's not going to be for everyone, but for many people, they're also going to actually need help doing those things. So there's how to do it in terms of here's a set of instructions, here's some tools, but I can tell you that if I went to Home Depot I could buy a book telling me how to build a wall, and I could buy the lumber and the nails and the hammers and everything else, and I would get home and I would not be able to build that wall, because I can do with computers a lot of things, and there's a lot of things with a hammer that I can't do well at all. And so some people are really going to need that third-party assistance, whether that third party ends up being the ISP, a national-level resource like exists in Germany, or some other solution; we need to make sure people have that option. Beyond that, I think that it's really important, when you think about this from a consumer perspective, to say there really needs to be this full range of options. Some people really want the help and they're willing to pay for it and they have the money to pay for it, and they're perfectly happy to say, "Here, here's my laptop, please get the malware off of it, I don't want to deal with this anymore." There's plenty of people that don't have the money to do that. I mean, we're talking right now about a national-level initiative; we're talking about people who, you know, barely can afford to have internet access, and you're going to be in a situation where they may not be able to spend $129 to pay someone to help with the malware. And then there's people who like to do things themselves, and there's some people who are willing to try it themselves for an hour, and if they can't solve it then they're willing to pay for someone. And so we really need to make sure that whatever solution we come up with, whether it looks like the Australian model, the German model, the Japanese model, or most likely
some hybrid that borrows from some of the best of what's out there and perhaps puts our own unique American spin on it, that it has that full range of options that consumers are looking for and that they really need. And I say this not only because we want to make consumers happy, but also because we need consumers to clean up their devices. This is something... botnets are a problem that affects everybody. You know, Bruce and Jamie both talked about this; this is a problem where we want people to clean up their devices, and if we want people to clean up their devices we have to make sure that we're making it as easy as possible for them to do that in the way that works best for them and meets their needs. So that's what I have to say to start, and I look forward to the discussion. Thank you.

Thank you, Jim, not just for hosting this event but also for bringing together this great audience. Actually, I mean, I'm really impressed by the people that are in this room. I kind of feel like I should turn my microphone around and get everyone's opinion on this topic, but that's why we have a request for information. So I'll just put it out there that I hope that everyone in this room that is showing this level of interest, and, you know, the caliber of people in this room, will respond to our request for information that's out there until November 4th. With that, let me just highlight four things that are important to the Commerce Department. I mean, the RFI asks a lot of questions, but it doesn't go into a lot of detail about what our vision is in this space, but I do think some things are highlighted in there that give you an idea, and I'll point to four major themes that I think are very important to the Commerce Department in this space. First of all, that whatever comes out of moving forward in this space is voluntary and is a true public-private partnership. I think you've heard a lot of that from Cam Kerry's discussion of
multi-stakeholder discussions, but I also like to point out that this is really a big opportunity to prove that a multi-stakeholder effort like that can work. We have some efforts that have been successful in the security space; I don't think we point to them enough, actually. MAAWG's work on spam is a good example; Michael's already spoken to that to some degree. I mean, the best practices that have come out of MAAWG and the information sharing that has come out of MAAWG have helped to stem the tide against spam and have been successful. The Anti-Phishing Working Group has been extremely successful in bulk phishing, in stemming bulk phishing attacks; now we have to work on spear phishing a little more, but on the bulk phishing side I think we have seen major improvements. And the Anti-Spyware Coalition, that I helped work on when I was in the private sector, really helped to end nuisance and harmful adware that was supported by major firms and venture capital money. So we have seen successes in this space in the past. This is really taking it up one step, and in order to build a voluntary effort in this space we're going to need greater effort and a code of conduct in this space to take things to the next level. Number two is something that Michael O'Reirdan talked about, which I've kind of phrased as: the incentives in this space must maximize the potential of the existing security market to address the problem. He said very eloquently that we have a lot of tools in this existing security market; in some cases we have kept up, in some cases we haven't, and we have to figure out how to maximize the work that's being done in this space. We're spending a lot of money; there is an existing marketplace; we have to have that work if this effort's going to be successful. Number three, that there must be benefit for all companies involved, and I take that beyond the ISPs. There's been a lot of talk about the ISPs, but we also know other
companies have notified in this space, and other companies like the security companies and others are going to be important players if this is going to be successful. I also think it's important that those benefits must be for small companies as well as large companies, and we need to figure out ways to get incentives to work for them, and those benefits must outweigh costs for large companies and small companies alike. And lastly, that what we come up with must actually end up protecting the consumer, and by that I mean that we have to give the consumers information and the means to fix the problem; both Max and Michael spoke about that. We also have to be able to protect privacy, because we're not doing the consumers any good if we're invading their privacy and helping their security; we can do both at the same time, and consumers expect us to do both at the same time. And third, that we have due process in the notices that we give and the efforts that we take. That sounds like we're asking a lot from this process, but the good news is we already know the companies have done this right. We have Comcast and Google and other efforts out there that have formed best practices; CSRIC, the FCC work that Admiral Barnett's group has done, has really helped to define best practices in this space; we have the IETF standards that do all of these things. We can do it, and we have to make sure that incentives get more companies involved and more individuals covered in this space. Thank you.

I promised Kate the last word, so I'm glad it worked out in the seating arrangement.

Absolutely. Thank you. I want to say thank you to Ari and to Jim and to CSIS for inviting me to participate in the discussion today. It's rare that I get to spend my mornings with such august company. And before I even get started, I want to tell everyone that I undertook a real investigation of our members and talked to a number of people in just the general area about this idea of botnet mitigation when we
started talking to Ari about the RFI and I just want to let everyone know that the companies are taking very seriously the government's interest in this space and that I think you'll see that many providers and associations will be responding to the RFI so we'll have a little bit more to say a month from now when the comments go in I guess I should tell you a little bit about USISPA we're an organization that is member-driven and we were founded in January of 2002 we focus on really a discrete set of policy and legal concerns that are common to the internet service providers network providers and portal providers we primarily work in the areas of law enforcement compliance and security which would include cyber security getting to while why we're here today the title of today's event questions what the role of the ISP is or should be in combating cyber threats and we've heard a lot from others today about what that role could be and we've heard about efforts that are underway both here and abroad and I think that we would recognize that the ISP does have an important role to play but it really is but a role in the entire ecosystem of participants and in in preparing for today I talked to a number of people and I think you'll see with the range of you know responses to the RFI it's very similar to my membership it's diverse and everybody is going to come at it from their own experience and you know for the needs based on their own architecture and products that they provide but there were some common threads in the responses that I got from people so I wanted to highlight a couple of things here today first of all I think it's very important to acknowledge that ISPs are already on the forefront of cyber security they are the leaders in this space they are committed to cyber security and they have been providing for a very long time security solutions both across networks and directly to the end user consumer they do this both for their own self-interest to protect 
their own networks and to provide greater security solutions for their customers you know I have so many examples of different services that are available by all different levels and sizes and kinds of providers there are customized services available there are premium services available there are services that are baked into the service itself there are wall garden options there are direct assistance options where the company can directly work with the customer if they have a security problem to quote someone who I talked to the other day the networks and the services are literally pregnant with security solutions today we are vigilant against all varieties of threats and you know this is evident in the fact that the networks are robust and they're very sophisticated and all of you are you know typing on your laptops right now and you know pinging back and forth on your iPhones the second port that I'd like to address today is one that Mike really talked about very clearly earlier and one that I've already highlighted and that is this discussion is an important discussion and I think it's great that the government has initiated a conversation about what the different roles are in this space but it's not so great if we're only looking at one sector of the entire internet industry and asking you know the ISPs to create the solutions to this problem so the one of the things that the government could do would be to broaden the ecosystem of people who are sitting around the table and I think that that you know we've heard from many before me today and I think that's their intention and hopefully you know the antivirus companies and the tool vendors will be responding to the RFI as well the third point I'd like to make really goes to the flexibility points that you've already heard earlier today you know architectures are very different each service provider believe me is very unique they have their their own concerns these systems have been you know build up over the 
past number of decades the technology varies from product to product and certainly from company to company so whatever whatever it is that comes out of the idea of you know creating more security and fighting botnets must be one that the ISP can can create on their own and can implement across their own network without it being a top-down approach the government needs the companies to remain innovative in the space they need to be able to stay ahead of the threats and any kind of uniform response is only going to handcuff us from being able to quickly respond to you know these dynamic threat environments and lastly I think I think some have mentioned it and I would really like to make sure that we have a full discussion about this going forward but it really is you know we've talked about what the role of the ISP who should be involved in this but there really is a question out there which is what is the role of the government what role should the government be playing and I think we recognize that there is a role for the government but that role may be limited some of the crucial areas where we see government involvement as necessary and and important definitely in the area of of user education and awareness like we've heard today the government is uniquely situated to reach every household in the country and it will it is important that the government be supported in this role the other another area where we see the government is effective is doing what we're doing today they started the conversation they have the ability to bring people together to further talk about this topic and I'm just going to say it because I bring it up over and over again in meetings so I might as well do it again but one of the areas where we would like to see some movement from the government is to provide some leadership and some clarity on some of the outstanding legal issues that create some uncertainty I heard from everyone I spoke to leading up to this particularly when you talk 
directly to the security guys they have security solutions that they want to bring to market but some of the legal uncertainty can really slow the adoption and the implementation of that so any leadership that the government can provide in that area would be very welcome I'm happy to take question great thank you so this is your big chance you've been waiting patiently can I ask if there are any questions from the floor go ahead please and go ahead I was going to say go ahead Eric but Eric just one short thing on this so one of the things that we're looking at with the CISRIC 3 are some type of performance metric so it's good to have best practices it's good to have a code of conduct but you're exactly right and I think it was Michael or someone that mentioned performance metrics I think you have to have those to kind of see measure how we're going and other other efforts that are very interested in that as well yeah and I'll add to that as well that it can be very difficult you're looking at total populations because when you look at the population in Japan you say okay that the national level is from 2 you know 2.4 percent to 1 percent well that's great you certainly can't attribute that entirely to any one one cause it can be very difficult to to look at cause and effect what you can do is look at correlations and hope that you're getting somewhere close to understanding the cause and I think that as we think about it you also want to think about it in terms of almost like in medicine of treating patients it's great if you can reduce the overall disease populations it's also great if you can treat a certain number of patients regardless of whether the overall disease population has been improved or not in other words you know if you save a hundred people from a disease from dying you've saved a hundred people from dying this is a good thing and so I think as we as we think about metrics we need to think about how we measure the overall problem but we also need 
to think about how many people have we helped and how many people have we served directly through whatever efforts we're doing because that alone is an important matter that's really let me just raise that we we asked this question in the RFI specifically because we think that it's extremely important and we we think that it's we need to come up with some measures moving forward and figure out what they are certainly important to NIST where I'm going which is based on measurement the work we do is based on measurements but the but I do want to point out also that there's no single solution to a problem like this right I mean I did I credited Mog with helping to solve the spam problem right but there's a lot of things that went into making it so that consumers now today receive less spam than they did five years ago right there's a lot of reasons that that happened the work that Mog did certainly is part of that right but it alone is not the piece law enforcement played a role technological improvements played a big role right we have a lot of different things that went into effect that helped to solve the problem but the you know the public private partnership piece of it and the the multi-stakeholder piece of it play has played a role in several areas and the question is what can we do in this space as part of it we're still going to need the other pieces as well the metrics thing is I think one of the big changes we've seen in thinking about cyber security in the last few years particularly if you can measure outcomes so the more we can do this better we'll be able to identify things that are working so that's going to be one of the challenges over the next couple of years and it's you know where to start it's hard to identify metrics but I think we're getting there more questions go ahead I'll limitize with the national economic security grid from an economic standpoint I don't think we've really from a metric standpoint established what this real impact of 
these kinds of attacks on our computer systems are you know we had a defining event with 9-11 and with pearl harbour when we were attacked and yet today if you look at the thousands of terabytes of attacks and losses that we're having it just seems to you know fall off the side of the the mountain and nobody seems to really crystallize these issues why is it that we have these issues taking place and it seems to go back to the individuals who created the software systems and the hardware systems that these are operating on and yet they have no liability responsibility you take a look at what's happened over the years with things that impact the population with airplanes we created the FAA and put regulations over them and they now have to have standards that they operate against we did the same thing with automobiles we did the same thing with food and pharmaceuticals and yet we've got the most significant economic impact on our country and on the world taking place over the internet and on our computer systems and we can't seem to get a coordinated approach on it to fight back against the 140 countries that our own government says they know are actively and aggressively stealing technology from our own country it doesn't seem to make sense to me that we can't seem to get a coordinated approach to this and I'd be interested to send you a response go ahead maybe Bruce can take up take up on this as well but I think that you know from from our point of view those of us that worked on legislative package was to address this issue right I mean it is to come up with the authorities that need to be put in place to get a more coordinated response to give DHS the authority to to better coordinate for the critical infrastructure of course of course it is but we believe that that work that will come out of there especially the idea of building frameworks in these spaces and will help to provide better clarity and better liability apportioning in the marketplace and then we 
can build we will have a better liability structure than we do today similarly in the non-critical infrastructure space we've we're trying to do this work to spell out in this the internet information innovation sector how we go about building up voluntary efforts that we know have worked in the past in certain areas taking them to the next level right and addressing these concerns in with using codes of conduct that we know have worked in other in certain areas to bring making that make getting that to work in a way better than has worked in the past that will also clarify liability down the road the problem that we have today is that it's hard for an insurance marketplace to work or when you don't have liability figured the liability rules figured out and the government shouldn't pick the winners and losers in the marketplace by figuring out but by by pointing liability we need to take we need to to build the authority to create to move the marketplace where the marketplace can figure out who where the where the liability should fall and then we can then the the market mechanisms can kick in and the government efforts can kick in at that point so enough so I just echo both of your comments because I think we are at I mean it always baffles me we always say you know what well when a really bad attack happens then it's like what could be worse than what we're seeing now right except we're not seeing it so we unlike Pearl Harbor or 9-11 where there was a video right there's no video for this so humans don't respond to the fact that this almost invisible at the moment crime that is being committed and so we really do though need to develop a national consensus around this and move forward so as Ari suggests you know the administration did present some legislation some proposals to the hill we say they're not the be all and end all they're not all the answers but we think they go part of the way there and we're you know encouraging everyone to get involved in that 
process and and let's come up with something in this Congress that moves the ball you know if not all the way to the goal line at least down the field in this area because if we just this is a clear case where the perfect is an enemy of the good it's just too quick things your sense of urgency is spot on you're absolutely correct on that and the second thing is I think we we do have to look as I mentioned earlier we have to have all hands on deck on this we have to look at every organ of government we have to look at every way of incorporating that public-private partnership we can't afford to leave any any stone unturned on that but it has to be now Alan Paller from the Sands Institute mainly for Ari and Bruce if he wants to I'm completely confused about the commerce CAMS sort of initial statement that whatever we do is voluntary I don't mind voluntary I love voluntary but why didn't we use voluntary for airplane safety why didn't we use voluntary for smoking why didn't we use voluntary for environmental safety why I mean if voluntary is so perfect why don't we have dozens of examples what and this one isn't a new problem the CAMS sounded like he had just discovered it this is a decade ago people were barraging ISPs with your your guys are infecting me can you stop them and they completely ignored it so if there's ever a failure of the market to to respond we got one here so I'm just I'm lost on this obviously it's a it's a voluntary solution well the I think here's I want to separate out the critical infrastructure what what what we considered in the in the in the um about administration proposal to the hill for the covered critical infrastructure from the non-covered critical infrastructure and a lot of that gets spelled out down the road right so we need to make that determination but the covered critical infrastructure space we believe is not voluntary it is the the industry has to has the first shot coming up with its framework at which security plans are 
based but those security plans are required and the so we we do have and the and the the that will set the the goal for this for those critical infrastructure companies for the non-critical infrastructure space right and right it's determined what that is in the future we've set up kind of this area that we think is important to say is non-covered critical infrastructure which is the internet and innovation internet and information innovation sector and spell it out in our green paper in that space we say that it should be voluntary and that's where Cam is focusing his discussion right and he's he specifically did say that he was focusing on the the i3 sector in in as as a place start as the starting point we know that efforts there have worked we also know that DHS has limited resources right that is not going to be the first if even if you consider that some of this these things critical infrastructure it's not going to be the first space that you work in here if you have list when you list out the critical infrastructure we need to start working today and we can do it without legislation to build voluntary efforts today right so we want to spell this out say that we think that companies in this space can do it voluntarily there has been a history of that right and move them towards better efforts in this past so we get the dozens of efforts so that when we get to the point of DHS deciding what is critical and non-critical we have the dozens of efforts that can show that voluntary effort works does that does that make a little more sense I just note that first I'd note I didn't pay Alan to say that second thing is that one way to think about this is this is a new effort it's a voluntary effort try the voluntary approach for a while a year or two and if it isn't working then you have to think about something else but you know this has worked in other countries and maybe I'll take the moderators prerogative and ask each of the panelists when you think of the German 
or the Australian experience in particular what are the parts you like what are the parts you don't like and maybe you can just it's a big question but so it is a big question so actually I do like the voluntary part and and going to Alan's question too and I agree with Ari on this I do think we have to use the least restrictive means we have to go a voluntary method I think there's a lot more focus on it right now but it goes to Eric's question too I do think we have to measure it and doing that two-year period that Jim mentioned but we have to see how it goes and then if it's not working then probably we have to we might have to do something else but we do have a track record elsewhere Germany, Japan, Australia and I think that that we should measure it to see how we do so I guess I'd say what I like about those efforts is that they are in place so that's better than we're doing here so we that's a good thing I think the question that the underlying debate about this because in our country we always have this debate and especially in this area between whether the government should take a stronger hand or whether the market forces are enough and what's going to be the effect on innovation and so we can all we all know those arguments and we can all have that conversation I think what concerns me the most is that we can't we're running out of we've run out of time to have that conversation at least at some level and then we need to get something done so we are getting things done there are a lot of things that are going forward but on this point about you know getting back to where we have some things that are maybe required you know in a way that's not does not unnecessarily reduce you know increased costs or make the U.S. 
companies non-competitive or all the other problems you know we do need to move forward on this and we are you know time is short so again let's get something done in this congress and you know see how that goes we won't be perfect but it will be at least moving the ball and I have to apologize I have to go out of this a little bit early so what I like about all three of the national efforts that were mentioned is the fact that they facilitate and really streamline the notification process and really help ISPs do something which we know ISPs are the best positioned organizations to do and that's to notify customers of infections what I think all three haven't gone quite right or certainly not quite right by an American standard is balancing the need for shared educational and support resources for consumers with also facilitating access to the vast marketplace of products and services that are already out there in the private sector and available to consumers and making it easy for consumers to find those resources and connect with the ones that are most suited to their needs I think we could do better in that area and I haven't seen in any of the other three countries so far I would say that in Australia they I think they've done a great job incentivizing the ISPs to participate they have 90% participation and they've given them reasons that it would make sense to sign up including some of the ideas about giving them benefits for getting consumers sending consumers back to them to address some of the issues where appropriate I didn't really like the I think the U.S. in general has done a better job in education than that site does if you look at that the educational tools on that site the U.S. versions are better of the U.S. 
information that's out there is better on in terms of the German it's hard for me to know because my Germans not that good so they have very long words that I can't follow all the time but the it is I think that they've they certainly have done a better job in terms of describing what their goals are and talking about how they plan to get there I look forward to seeing their measurements and to whether they're meeting that those goals and then it would be more interesting to kind of look through the hand holding piece versus just the education piece that they've been doing so just a download piece and see how those work and why they work or not and get some German language experts to look at what they've done well I guess I can say that the company certainly have looked at the other models around the globe very carefully and I guess I'll comment on the Australian model and say that a lot of what is in that document US providers have been doing for quite some time I'd say you know 90% of that is something that you know US companies are already doing and in fact you can use that as a good example of what companies do without government intervention in this area I think the difference between the approaches really demonstrates the difference in culture and in the different legal structures and in our technological solutions so whereas they may be something that we can look to they are probably not analogous to the US market we have time for one more question so why don't I the fellow in the back there in the blue shirt Rick Afford I'm a consultant at an IT services company I'd like to say thank you very much to the panel and to the speakers it was a great event today very educational my question is I understand that ISPs play a very direct role in computer security but can should we expect ISP implemented security solutions to have as positive and as effective effects on addressing the problem of malware with mobile devices or are there complications in the mobile 
realm because you have an extra layer of content control from the phone companies thank you was too good I think if anything you know ISPs in the mobile space probably have have more potential to drive security I mean you see it in the relatively locked down environment of the apple app store and the fact that by exerting so much control over over the devices you know the net impact is being able to provide better security less user choice in times but more security you know so I don't think that you know I'm not that concerned about that distinction what I am concerned about in the mobile space is the fact that particularly as more people get accustomed to using Wi-Fi on their devices and sort of roaming around with devices from Wi-Fi access point to access point who's detecting and notifying those people you know it's one thing when you're talking about a home computer sitting on somebody's home internet connection it's quite another when you're talking about an iPad that maybe the person doesn't tend to use much at home because they have a computer there but they use the iPad out on the road a lot you know or Samsung Galaxy Tab or some other Android device and now that device has malware I think you will see problems with ISPs if we're looking to ISPs to be the primary notifier and primary support provider I think that will cause some new challenges I was just going to say that I mean this is it's a very good question but you know one thing that I think this is one of the reasons that it's important to look beyond ISPs right and we do have other companies in this space that have done notification that have looked into this issue and I think there are a lot of players and understanding the future of the mobile information flow I think it's going to be important to figuring out how to best tackle this problem in the mobile space so that's something that we would be interested in comments on the RFI as well and I think I just reiterate what Ari just said and that 
it is a very good question it's it brings us back to the idea that it cannot rest solely on the ISP to provide you know thorough internet security directly to the consumer but I will say that you know we recognize that there's a role to play we we agree with the outline of prevention detection notification remediation it's just now having a national debate on who you know best fits into what different categories and what are the different roles that people should play and you may find that ultimately the companies may want to have a direct relationship with the customer and provide greater end user security and some won't be able to because of the way that they operate or because of their size etc so we need to make sure that that remains open and flexible as you know we move forward thanks okay well Ari can you for those who I'm sure most have seen it but can you point us to where we can find the RFI is there a website address or something I guess the best place for me to send you is through the internet policy task force at the commerce department there we have a website there that's run by NTIA and there's a cyber security section the top link is going to be the the RFI but it's you know it's available on that or through the federal registry can do a search report tremendous would you join me in thanking our panel thank you for coming