Good morning. Welcome to CSIS. My name's Jim Lewis. I'll be hosting this event. We're very fortunate today to have an old friend of the family and a real expert, chairman of the House Committee on Homeland Security, Michael McCaul. In 2007, a couple of us had this idea, maybe we should do like a report on cybersecurity, it would be. And so we've been talking to some people that said there's someone on the Hill you really need to talk to. And so he's been concerned with this and an expert in the field now for years and years. Well, that works out to be about eight years, maybe a little more, which is longer than almost everyone else in Washington. So a true leader in the field. This is a sixth term. I don't know how he does it. I mean, I would never... Running for election every two years, great sixth term. He was a former prosecutor, worked with Senator Cornyn, of course, and did counterterrorism. And he's a fourth-generation Texan. Is that really true? That makes you a 4G Texan. Yeah. So I guess that's good. But no, he is one of the true experts in the field, and we're really grateful that he made some time this morning to come and talk. The format will be that Chairman McCaul will make some remarks, and then we'll go to questions and answers, which hopefully everyone in the room will be energized and ready to ask things. So with that, please, thank you.

Thanks, Jim. Thanks. We thank Jim and CSIS. I remember doing that report for whoever the next President of the United States is going to be, and it turned out to be Barack Obama. And I'm going to talk a little bit about the President's proposal on cyber and what is happening in the Congress in response to that. I'm glad he's providing leadership on that. And you said an old friend. I know my hair is getting a little bit whiter, but we do kind of go way back. 
I remember when I was at the Department of Justice here in Washington, but then when I was working with Cornyn as Attorney General, I had the idea in 2001 of doing a conference or summit on terrorism in cybersecurity, and a guy named Dick Clarke was going to be my keynote speaker. And the date of the event was September the 12th, 2001. And a little sort of prescient, I guess, but we ended up rescheduling that. But just to sort of, by way of background, how far back on this issue, Admiral Inman, former director of the NSA, a very good friend of mine over time, and we've come a long ways. And it's to the point where this issue finally has the attention, I think, of the American people and the Congress. I formed the Cybersecurity Caucus to get the attention of members and educate them on this issue because it is so important out there. And I do want to thank Jim and also Denise Zheng for your latest report on cyber threat information sharing that you released. That's a job well done as always by CSIS. I'm going to do, I don't normally do text, but in this case I have been, it's recommended that I do that. And then I'll open it up to the Q&A, which I always find very, I enjoy having a live discussion and dialogue. So as a nation, we're finally beginning to grasp the magnitude of the cyber challenges we face, and particularly as they start to hit home for millions of Americans. Just last month, our country's second largest health insurance provider, Anthem, announced it was the victim of an unprecedented cyber intrusion. The attackers gained access to a database holding the sensitive records of 80 million individuals, including the names, birth dates, and Social Security numbers. In total, the personal information of one in four Americans may have been compromised by that cyber attack. Attacks like this are a wake-up call that our cyber adversaries have the upper hand and the consequences will get worse if we fail to reverse the tide. 
And today I want to discuss three issues with you, including the scope of the cyber threat our nation faces, the government's cyber defense role, particularly at the Department of Homeland Security and how we've been enhancing it, and finally some of my legislative goals this year to defend American cyberspace against destructive attacks and costly intrusions. First, we must recognize that a silent war is being waged against us in cyberspace and that we are losing ground to our adversaries. The cyber landscape has shifted quickly. At the dawn of the digital age, our nation saw endless opportunities to generate prosperity by expanding our networks and connecting to the world. But today, American prosperity depends as much on defending those networks as it does on expanding them. We cannot tolerate acts of cyber vandalism, cyber theft, and cyber warfare, especially when they put our nation's critical infrastructure and secrets at risk, and when they compromise American innovation. Yet our cyber defenses have proven weak in the face of agile enemies. As I speak, government computer systems are being hacked, proprietary data is being stolen from American companies, and the computers of private citizens are being compromised. And most of it is being done with impunity. Criminals, hacktivists, terrorists, and nation states have managed to exploit our networks by staying at the cutting edge of technology. In the meantime, our defenses have lagged behind. These faceless intruders regularly change their tactics and escape justice by masking their identities, and usually they're operating beyond the reach of U.S. authorities. China, North Korea, Iran, and Russia are among the most advanced of our cyber adversaries, but even terrorist groups like ISIS are working to develop or acquire disruptive cyber attack capabilities. It is obvious that these threats are escalating in sophistication and destructive potential. 
We are confronted almost daily with frightening new precedents, including nation states launching cyber attacks on our own soil. This happened at least twice in the past year. The director of national intelligence James Clapper recently revealed that Iran was behind a devastating 2014 cyber attack on Las Vegas Sands Corporation, the world's largest gambling company. And nine months later, North Korea, probably more famously, used a digital bomb to destroy computer systems at Sony Pictures, an attack that was not only destructive, but was a cowardly attempt to intimidate Americans and stifle freedom of speech. The impact of cyber intrusions is felt across America, from kitchen tables to corporate boardrooms. The recent breach in Anthem illustrates how easy it is for ordinary Americans to become attack victims. This attack followed intrusions at Target, Neiman Marcus, Home Depot, and J.P. Morgan, all of which were designed to steal the personal information of private citizens. But our cyber adversaries are not just seeking to steal Americans' identities. They want our security secrets and our innovative ideas. We were reminded of this over the weekend when the State Department was forced to shut down large portions of its computer systems in an attempt to expel hackers who invaded our diplomatic networks. They are believed to be tied to a foreign country. Digital espionage extends into the business world. We know that Chinese hackers, for instance, continue to breach corporate networks to give their own companies a competitive advantage in the global economy. And states like Iran have targeted major U.S. banks to shut down websites and restrict Americans' ability to access their bank accounts. Make no mistake, such attacks are costing Americans their time, money, and jobs. 
In fact, General Keith Alexander, former director of the National Security Agency, described cyber espionage and the loss of American intellectual property as, quote, the greatest transfer of wealth in human history. But the threat extends beyond the industrial engines that drive our economy to the critical infrastructure that supports our way of life. Our adversaries are hard at work refining cyber attack capabilities that can shut down critical infrastructure, and they want to use these tools to threaten our leaders and intimidate our people in both times of peace and times of conflict. A major cyber attack on our gas pipelines or our power grid, for instance, could cripple our economy and weaken our ability to defend the United States. These scenarios sometimes sound alarmist, but we must take them seriously because they grow more realistic every day. And in fact, we saw a preview of this in 2012 when Iranian-backed hackers hit Saudi Arabia's national oil company, Aramco, destroying 30,000 hard drives and simultaneously hitting our financial sector in the same year. In fact, Iran is hitting and penetrating, attempting to infiltrate our financial sector every day. To combat these threats and live up to our obligations, to provide for the common defense, our government must take a leading role in securing cyberspace. We cannot leave the American people and our companies to fend for themselves. The digital frontier is still much, very much like the Wild West. At this moment, there are far more cyber outlaws than convicted cyber criminals, a clear sign that we have a lot of catching up to do. We are really in uncharted territory. Not since the dawn of the nuclear era have we witnessed such a leap in technology without a clear strategy for managing it. To establish order and defend Americans' interest in the digital domain, we must map out the rules of the road and clarify responsibilities inside and outside of the government. We're not quite there yet. 
In fact, I would argue that we're in a pre-911 moment when it comes to cyber security. In the same way legal barriers and turf wars kept us from connecting the dots before the 9-11 kinetic attacks, the lack of cyber threat information sharing is leaving us vulnerable to our enemies. Between the government and the private sector, we have the information needed to limit cyber threats and stop fresh attacks, but we are not sharing that information. Critical information is not disclosed efficiently enough to stop cyber intrusions before they start or to shut them down once they have. And the danger of poor information sharing is really not a hypothetical, it's real. This month, the head of the U.S. Cyber Command, Admiral Mike Rogers, warned Congress that our adversaries may be leaping or maybe leaving cyber fingerprints on our critical infrastructure to signal their ability to attack our homeland. He believes that before he retires, we are likely to see a destructive cyber attack against critical infrastructure. If we are not swapping information about these threats, their impact is guaranteed to be more widespread and more severe. But the reality is that 85% of the critical infrastructure and the threat information, 85% of the threat information out there is in the hands of the private sector. Because of this collaboration between the government and industry, is vital to Homeland Security. Admiral Rogers had it right when he said that cybersecurity is the ultimate team sport. No single entity in the government and the private sector can tackle these threats independently. Each stakeholder must have skin in the game to prevail against attackers. This is where the unique mission of the Department of Homeland Security comes into play. DHS servers is the primary civilian interface for sharing cyber threat information and for a good reason. DHS was created to stop terrorist attacks after 9-11 and it is well positioned to do the same to stop cyber attacks. 
The Department's key tool is the National Cyber Security and Communications Integration Center, or the NCIC, which is quickly becoming the tip of the spear for cyber threat information sharing between the government and the private industry. Last year alone, DHS estimated that it received nearly 100,000 cyber incident reports detected 64,000 major vulnerabilities issued nearly 12,000 alerts or warnings and responded to 115 major cyber incidents. We cannot measure its effectiveness in numbers alone. The NCIC must actually improve and increase information sharing and to do that, it needs to be a trusted partner to the private sector. Its job in doing this is made easier by the virtue of the fact that the NCIC is not a cyber regulator. It cannot prosecute you and it is not a spy agency. It's a civilian interface. Accordingly, the NCIC has no authority to do anything more with the information it receives other than use it to prevent and respond to cyber attacks and enhance our cyber posture. During the last Congress, we managed to strengthen our cybersecurity foundations including landmark legislation, authorizing information sharing at the NCIC. And we managed to get five cybersecurity bills passed into law for the first time in the history of the Congress. This is now a starting point for our efforts in this Congress. Importantly, we passed legislation supported by both industry and advocates for privacy and civil liberties. It was called a pro-security and pro-privacy bill. There are very few bills in Congress that can say that. First, we established a federal civilian interface at the NCIC to facilitate information sharing across 16 critical infrastructure sectors and with the private sector. Second, we laid down the rules of the road regarding how information is shared. Third, we assured that Americans' rights and personal information will remain protected. 
Fourth, recognizing that human capital will ultimately determine our ability to succeed, we positioned DHS to improve its cyber workforce. And fifth, we enhanced the department's ability to prevent, respond to, and recover from cyber incidents on federal networks. This brings me to my cyber agenda for this year. We made a lot of progress in 2014, but we still need to remove obstacles to information sharing while simultaneously protecting the privacy interests of Americans. Right now, the lack of liability protection for the private sector is a problem. Companies are hesitant to share information about cyber threats and intrusions that take place in their networks. They fear that doing so could put their customers' privacy at risk, expose sensitive business information or even violate federal law on the duty they have to their shareholders. As a result, the vast majority of cyber attacks go unreported, leaving others vulnerable to the same intrusions. This is an urgent problem that needs to be solved now. The bottom line is clear. If no one shares, everyone is at risk. Distributing threat information should not be punished. It should be encouraged, which is why we need to create legal safe harbors for companies to be able to exchange this threat information without fear of being sued. Moreover, better information sharing actually improves industry's ability to safeguard our personal data by allowing entities to keep the prying eyes of hackers outside of our digital health records and bank accounts. I'm pleased to announce that we are aiming to resolve this dilemma and strengthen our cybersecurity foundations further. This week, I'm releasing the draft of a new bill that would further enhance the in-kicks role as the primary federal civilian interface for the sharing of cyber threat information to enable timely, actionable, and operational efforts between the federal government and the private sector. 
This draft bill will give protections for the voluntary exchange of cyber threat information, including government to private and private to private sharing. For instance, if a major bank falls victim to a cyber intrusion, it would not be held back from sharing details of the attack with either the government or other banks and businesses. As long as the sharing is done through the appropriate channels and does not compromise the private information of customers and citizens. Moreover, the draft bill would give liability protections for companies to monitor their own information systems and use, importantly, and use defensive measures to prevent intrusions. In the current environment, companies do not feel that they have adequate legal protection to take these measures. We're not incentivizing them to be a full participant in the safe harbor and in the ink cake. Right now, I'm working with the House Judiciary Committee on crafting a liability exemption standard that addresses these issues and will be used in other cyber information sharing legislation in the House. With this legislation, I also plan to continue our laser light focus on privacy protections so that information sharing can be done without risking exposure of personal data. My draft bill would ensure when information about a breach changes hands, whether it is provided to the government or exchanged between companies, that it is thoroughly scrubbed for personal information so Americans do not have their sensitive data exposed. It would also require the ink cake to destroy any personal information that is unrelated to cybersecurity risk or incident. And I take that issue very seriously. Fortunately, DHS has some of the strongest privacy protection mechanisms in the federal government and has the first statutory, thoroughly established privacy office. Such built-in privacy oversight is an important reason why DHS is the leading civilian interface for these exchanges. 
In fact, privacy advocates already have endorsed the ink cake's role as an information sharing portal. The changes made by this draft bill will increase what we know about the digital threats and in doing so will enhance American security. Today we have a dangerous, incomplete picture of the cyber weapons being used against us. More rapid and frequent information sharing about these threats will give us the ability to head off cyber adversaries before they can do more damage both to the public and to private networks. The president has proposed steps to enhance liability protection. And I was pleased that he did so because it moves the debate and the discussion forward on both sides of the aisle. I would submit, however, it does not go far enough on liability protection, which is why our bill aims to create a more robust liability protection piece. The Committee on Homeland Security will mark up this bill in the next few weeks. In the meantime, we will continue meeting with industry and private groups as we always have to ensure that we're getting this right and crafting the best solution to tackle the surge in cyber threats we are all witnessing. Our plan is to take this legislation to the floor of the House by next month. And when we do so, we will be forward-leaning and eager to reach across the aisle to get it passed. This will be the landmark. This will create how we deal with cybersecurity for the next decade. And now is the moment to take action. These threats are not just looming on the horizon. They're not hypothetical. They're real. They're already inside our networks and they're putting security and prosperity in peril. Safeguarding the digital frontier is one of the leading national security challenges of our time. And our generation will not back down from that challenge. It is clear that we've been losing ground against our adversaries in cyberspace. 
But better cyber threat information sharing will help us turn the tide and defend our networks against destructive intrusions. Thank you so much for having me. Thank you. Well, I will say that a couple of years ago, Chairman McCall told me that he was going to pass cyber legislation. He was going to pass multiple bills. And at the time, this was the start of the last Congress. I thought, hmm, that'll be really a good trick. But he delivered. So when he says he's got a new bill, I would probably bet on this one this time. I didn't bet the last time. So with that, I have loads of questions. I don't know if people in the audience want to start. We've got one in the back there. Good morning. I'm Kevin Winston, retired Navy captain. I'm great to see you guys wearing green ties for St. Patrick's Day. I'm glad I'm not the only one. My question is, how do we combat insider attacks? Which seems to be one of the biggest problems we're facing is, you know, there's all these outside guys, but there's insiders. And with the U.S. being a global country and businesses so forth, there's a lot of openings for that kind of attack. Well, I mean, that's very hard. I mean, we're being infiltrated not only in the cyberspace itself, but also human capital intrusions. And that's a matter of more human security measures to ensure, you know, through clearances and things like that, that we have properly vetted individuals who are participating in this process. But it's an issue that I think is open to I mean, we're vulnerable in that regard. Just like any spy can penetrate, you know, any federal agency in the physical realm. They can also do it in the cyberspace. And in our bill that we passed last Congress, we do call for more clearances. We heard that complaint over and over clearances. I would argue, too, that the information we're giving is kind of like when I worked with the Joint Terrorism Task Forces and we had a terrorist threat information. 
We didn't give the sources and methods, we just gave the threat information itself. Same is true here where we're giving not really sources and methods, but really the actual malicious codes themselves which are, you know, if you see them, it's just ones and zeros. And it doesn't, that's where the privacy piece I talked about is so important. It doesn't have personal identifying information. But yeah, the infiltration by human spy elements is very real and you can't be 100% secure from that. Okay, we had, we have multiple questions. Let's get the two in the front and we'll put one on the back. I've been in the cyber realm for almost three decades now and looking at Homeland Security and in the recruitment, you look at Homeland Security and look at workplace retention and like satisfaction scores. So in terms of like getting people to join Homeland Security and even DOD, any agency, like what do you recommend those changes in terms of recruitment, policies and strategies? Well, one of our bills we passed enhances that in terms of the workplace and be able to hire and retain more highly credentialed individuals. And I would argue within DHS, this is probably one of the most innovative, it is the most vibrant offices within the Department of Homeland Security and I don't know if you've been over to the in-kick, but over the last five years, your capabilities has really stood up. I think Dr. Phyllis Schneck who heads that up and the Under Secretary Phyllis came from McAfee who brings extraordinary experience. We have partnership within SA to have a detail program where they can lend their expertise and I think with the legislation we passed last Congress on enhancing the workplace there, we're going to get more and more talent. Now the problem is keeping them. 
You know, I remember I went and worked for the Justice Department to check that box and move on doing something else and I ended up doing that I guess, but you have to recognize it's a great place to gain great experience but we also want to get more experienced people coming over there. You can't keep them forever. This is one of those, I mean it's hard, even the NSA has a hard time keeping good workers because the private sector it's so attractive I mean it's one of the most lucrative fields out there now is cyber security. So that's always going to be a challenge but I will tell you over the last five years at the NK has really stood up with very well credentialed individuals and I would anybody watching this podcast I would encourage them to look into working with the Department of Homeland Security. It is going to evolve. We're going to have several portals and I'm sure that question is going to come up but this is going to be the primary civilian interface to the private sector so I mean the future of the NK and DHS is, and legislatively too because it's already been authorized it's very, it's a bright future I think for the Department of Homeland Security. That's actually the fourth question on my list but we'll take, we've got three more in the form for an audience so we'll take them in sequence. Thank you for your brief congressman my question is as you or your team draft this bill and in consideration that you know it will become it will be legislated that sort of thing what consideration has been given to include other countries who are probably considering you know legislation to support information sharing and if you could talk about that in the context of US multinationals that also have footprints in those countries and is there any consideration for reciprocity if said countries would you know ask for information sharing on your people here. 
That's a great question I think I'm really glad you brought this piece up because I think the rest of the world is watching the United States right now to see what we do the other countries don't, they're not as far along with legislation as the United States and I think as I mentioned this what we do this year will change cyber for the next decade but it also has an impact globally because the other nations are watching to see how are we crafting this and it will be a model I think for the rest of the world and they will take what we do and try to apply it in their own countries and there is an opportunity for an exchange of information you know our view is within the civilian interface she has several threat streams of information you have the intelligence community the Department of Homeland Security and the FBI that's all being funneled through the civilian interface I think that's a model that's going to play well and I think the rest of the world will appreciate that model particularly post-Snowden and what I found is a lot of the high tech companies prefer the civilian interface because they don't want when they do international business they don't want the idea of the NSA's in their networks and so it's important for them to have a civilian interface that's not now if somebody wants to voluntarily work with the NSA to get information you can see legislation providing for that so we have one of that portal and one of the DHS portal depending on which portal you prefer but I know again I'm talking to a lot of the tech companies that I deal with they would prefer to have that civilian with the privacy protections when they do international business but that's a great point to make is that this will impact the rest of the world not to get into all the other I'm on foreign affairs committee too but after Sony what is their response what is an act of cyber warfare that you and I try to grapple with with the CSI's report those questions are still on the answer 
today and something with Chairman Royce we want to get a work on legislation to greater define when you have a nation state attacking like in the case of Sony which is North Korea or you have the Quds Force out of Iran and it's a nation state what is the proportional response great thank you Chairman McCall thank you for your comments Lynn Matias from National Economic Security Grid in DHS today you have an under secretary General Taylor who is probably the most knowledgeable and understanding individual relative to information sharing with his time at DHS with his time at State Department with the Overseas Security Advisory Council and then his time in the private sector how does he accomplish this when he has a staff of 300 people he can't process the information he needs he turns the FBI's got 10,000 analysts he has 300 he seems he has a much larger task in front of him but he doesn't have the resources necessary to accomplish it what can you do to help him make that happen? Well Frank Taylor is I think doing a fantastic job I think the challenge for intelligence and analysis the INA Division is not to compete with the intelligence community and duplicate efforts but rather provide a unique product that DHS can provide through primarily intelligence we get through Overseas TSA screening at airports and customs and border patrol and secret service that intelligence can create a unique intelligence product that interests in that you start trying to compete with the CIA you're going to get destroyed you're going to lose that competition and in times past that was the failure of DHS I think Frank Taylor is taking this into an innovative new place to answer your question I think the White House has proposed sort of an intelligence sort of melting pot if you will of information something similar to the NCTC National Counterterrorism Center but it would be for cyber threat information that could greatly enhance DHS's capabilities and General Taylor in his office by 
providing this other entity that can synthesize all this information and then feed it to DHS to then share one important point that was not in my remarks is the real time sharing is absolutely vital if we can't do it in real time it's worthless we've got to stay ahead of the threat curve and if you can't you're going to lose in this game because the threat is always evolving so the real time sharing we're looking at machine to machine we're trying to take out the human error as much as we can so this is really share machine to machine in real time we'll just sweep across the room and we'll get two guys on the other side there but start over here my name is Martin Apple from the Council of Scientific Society and we have a long term view of how we look at the world and things far in the future you're writing a bill that you say will essentially be the holder of the places we're going for the next decade I think one of the most important things that we have to focus on are the personnel who will be doing this kind of job over the next decade they will not be the people who are trained as computer software engineers they will be people who can think ahead many generations of thinking and jump to the areas where problems are not currently seen connect the dots that aren't quite put there yet find them and put them together there may be 10 or 15 centers in the United States that have that capability but they don't have any support to do it is that possible to put into your legislative thinking you know again we had a bill to enhance the talent in the workplace last Congress that's an interesting point you know right now the discussion graph will go around that's something we'll take a look at I agree with you that you need creative talent and innovative talent that can think outside the box on this one because the threat is so ever-evolving and it's not just the classic software guy you know you need that you also need the critical analytical thinker to put in there that 
can look outside the box for solutions and I mean if there's ever an area that's really needed it's this one so I take your point very well we're waiting someone asked me about proportional response to North Korea and they said how about if we close down a North Korean country and I replied that people would probably be grateful so so this proportional is difficult Sir good morning and thank you for your time my name is Jim Bailen from LIDOS for many of our DOD customers we serve one of their biggest challenges is shared situational awareness not only a situational awareness but one that is understandable all the way from your basic 18 year old soldier straight out of tech school to advanced defenders what investment are we making you mentioned some portals that they have a DHS and some other efforts what efforts are we making so that I as a private industry can go somewhere and understand the vector of the threat and how to react to it even if I haven't made a significant investment in defensive or IT infrastructure to handle that well the good news is you just hired the former head of the NCTC which is going to help you Michael Whiter is one of the most talented national security experts in this I would say this talent of this country I mean I always encourage companies to sit down with Dr. 
Schneck and go to the NCCIC and look at it. Your ability to get into NSA, well, yours is a little more unique, you probably could, to go to the Cyber Command at NSA, maybe a little more limited. The NCCIC is very open. It's a very open information sharing portal that is there for no other reason than to share information. It's not there to do offensive work, it's not there to prosecute, it's not there to spy. It's there to provide threat information to the private sector. So I would just, I mean, to anybody, extend the invitation to tour the NCCIC offensive. I took my freshman member on my committee, I gave him a tour of the NCCIC last week. I think it's good to educate the members. They came back very impressed with the operation.

Mr. Chairman, I'm Rich Wilhelm, recently retired from Booz Allen, where I led all the business with the intelligence community. So I'm going to out myself a little bit by saying that when I was in my group, prior to that time, I was a lifelong intelligence officer. Do you have a position on the programs that he exposed, not the ones against foreign intelligence, but the things that are referred to as domestic spy, you know, I wouldn't call it that, but, and you know, what is your position, how would you modify them?

He did extensive damage. I was offended, my hometown of Austin, Texas, South by Southwest, he appeared by Skype and got a standing ovation. I consider him to be a treasonous. I think we're aligned on that, and it's demonstrated by the damage he's done to our national security in the United States and the amount of money. I read the classified report from DIA, sorry, maybe you have as well, and it is very extensive, very damaging, goes across a lot of different areas. In reading the document, it was clear to me he didn't just think this up on his own, because of the areas he targeted to steal and then release. It appears to me he was directed by a foreign country. A lot of the stuff, it deals with China and Russia primarily, and the fact he's in Russia, the fact he fled to China,
now he's in Russia, I think says a lot. And I would argue he's not enjoying, the irony is he's exposing, Mr. Civil Liberties exposing how our government is so, when in Russia it's a police state. There is no privacy in Russia. So it doesn't make any sense to me at all. He's done great damage to our national security. He's also done great damage to this, advancing these policies in this town and advancing this legislation. I have to be candid, the one thing I'm worried about as we present my bill, and when Devin Nunes and HPSCI, House Intel, presents its bill, which will deal with the NSA, and I talked to the chairman the other day about this, the political environment in the post-Snowden world, is that going to hamper our abilities to move this legislation forward? What impact is Snowden going to have on this? Now, I would argue my bill, because the privacy groups do applaud, and I think I've got an easier lift, and in fact I've already codified the NCCIC, and all I'm doing is adding liability protection and more privacy, is your challenge in front of me. I would argue House Intelligence, it's going to be more difficult, because they've never codified that information sharing with the NSA. Now, I support that. I think we should have any portal that member companies want to go to in a voluntary basis, we should support that. We don't want turf and silos. We want to have a complete picture of information sharing. But I will say that he has done great damage economically and to our national security, and he's done great damage to advancing the policies that we're discussing here and potentially to the legislation.

I will say, in the next couple months we're probably going to do a series of events here that tries to put the Snowden revelations in the context of Crimea and Syria, because it's a very different world than when his stuff first came out. We had more on the other side.

Hi, good morning. Stacy O'Mara with Bloomberg Government. Kind of dovetailing on that line of questioning, what about those companies
who have said in the past about information sharing bills that they don't even want to entertain the idea until they see NSA reform in the post-Snowden era? Is that going to be another factor this time around getting a bill signed by the president?

Yeah, I mean, you'll have this wall take place before FISA reform, and I think that's part of the, if there is any overall strategy, which is kind of hard to find in Congress these days, that has a good ending to it. But I think the idea is to tackle this piece before FISA reform. It comes down, now, is that the cart before the horse? I don't think, they just want it, the idea is to do the cybersecurity first and then tackle that.

Which points to what, we'll take on the other side.

Good morning. I'm Cindy Dion George. I'm from the RAND Corporation, and many of us regarded the Sony attack as quite new in the sense that it was an attack by a nation state directly on our constitutionally protected liberties. So I'm wondering if you have any thoughts about the proportionality of response in light of this attack and when it happens again.

I completely agree. I think Sony, look, we've had attacks in the past, but Sony really captured the American people's attention and curiosity because it involved Hollywood, let's just be honest, and it involved free speech. And you're right, it was a direct attack on our Constitution and free speech, and in addition to, it was a nation state, and it was very highly destructive, what they did. You go into your office, turn your computer on, there's a skull and crossbones, all your data, similar to the Aramco attack, all your hard drives are completely destroyed, information stolen, a lot of private information stolen that was leaked. So that was a very sophisticated, highly destructive attack, as you say, on our constitutional way of life. And what's the proportional response? I don't know, Jim's hitting their motion picture in history. That's a hard question to answer, but I do think a response is necessary, whatever that is, and
maybe you have all the tools in the toolkit that you look at, but you gotta have some response, and I wouldn't say hitting them economically is a good response. You can talk about Stuxnet, and I can't talk about the originator of that attack, that was a hit on Iran, and there were some cyber responses to North Korea, I can't go into detail about that, but I do think a cyber attack merits a cyber response to show as a deterrence, because if they can do that with impunity, without any response, it's just like my kids, you have to have discipline and a deterrence to stop them from continuing to do this. And I think at one point, I forgot who brought up the whole global picture, at some point we're going to have to talk about, as we did in the CSIS document, about treaties with other nations when it comes to cyber attacks. Are we going to have a NATO-like alliance? If one nation gets hit with a nation state cyber attack, is that an attack on all the alliance members in a cyber world? That's really forward thinking, but we have to look at this as a global event and an international issue that will, I think, call for an international response and alliances. I mean, China and Russia and Iran need to know, and North Korea, that they do this, that there will be consequences to it. Without consequences, they'll continue.

Hi, Tal Kopan from Politico Pro Cyber. With the bill you're working on and the HPSCI bill that's also being worked on, how do you see those being blended on the floor, if at all? And are you saying that your bill, in no way the information going to DHS will be shared to any other agencies?

No, I mean the information that DHS will have to share through the civilian portal will come through the intelligence community, FBI and DHS. The information shared by the private sector, and this is a piece we haven't discussed and it's an important one, the information that we gave from the private sector will be shared with the federal government to protect and defend this country. I've been very encouraged by
the sense of patriotism of companies that come into my office and say, you know, Mr. Chairman, this is such an important issue, it's not just about my company anymore, it's about the United States of America, it's about defending the nation, and I want to help and be a part of this information sharing process. So the information is a two-way street. The information, again, 80 to 85 percent that we don't have and it's not shared private to private and not shared with the federal government, then in turn can be used to better protect our defenses and our nation from attacks, because as you know, every federal agency is being hit and the country is under attack. You know, I can't really speak to the HPSCI, I don't want to get out of my jurisdictional lane, other than to say I know CISA has been marked up in the Senate. I anticipate that House Intel will mark up a similar type bill that will have other portals in there. So what we say is we think DHS, it's a primary portal, the lead portal, because of the civilian interface, the fact you can't be prosecuted, it's not a spy agency. We think it's really the place for the safe harbor. However, if a member company wants to go to NSA as a portal, we're going to allow for that as well. And so I think House Intel will deal with some of these other portals, NSA being one, the other one being a Treasury. I know a lot of the financial members like to get a Treasury. Well, there's no reason why we would want to stop that. We want to preserve current relationships of information sharing that exists and not shut those down and say there's only one portal you can use. I think it's important to say there are multiple, there are several portals, and we want to enhance that information sharing through those portals, through the liability protection piece that is the cornerstone of this legislation, that will enhance information sharing and greater and fuller participation.

Maybe I'll do a final question then, if we have a little time, which is, you're chairman of the whole
committee, you are one of the recognized leaders in cybersecurity, you've been doing it for longer than almost anyone else in Washington, I say that in a positive way. What do you see the DHS agenda being for the next couple of years? What would you like to see the department do? What should they focus on, not just cyber but across the board? What should DHS's priorities and agenda be?

You know, I mean, DHS, a lot of it's about travel and preventing travel. I think they've got, in the talk about kinetic threats, the foreign fighters going through Turkey into Syria and Iraq, keeping them out of the United States is a number one priority. Jeh Johnson, you have a lot of respect for, we call it the dual threat, and you have the foreign fighter and the homegrown violent extremist who's going to radicalize over the internet and pull off a major assault or a Boston bombing, or you've got a Paris-style attack, so when he's gone there to train and comes back, or a Westgate shopping mall, AK-47s in the shopping mall can do a heck of a lot of damage. We're very concerned about keeping that threat, you know, outside the United States, in addition to AQAP and the Khorasan Group in Syria, the premier bomb makers within al-Qaeda that are very sophisticated. They already have non-metallic IEDs. They still try to get these things on airplanes, and so that's a great challenge for DHS, one of the biggest priorities in terms of protecting the American people. The border obviously is a big issue as well, but then the area that has no borders, and I think is really the future if it's not already here, is the cyber piece. That's kind of one of the more exciting, innovative engines coming out of the department that I think will have lasting consequences for the Department of Homeland Security as it is moving forward. That NCCIC, I think, will evolve into not only being the primary, but it will be the go-to place in the future for the private sector. And so that's really how I see, I see the kinetic threats on the one hand from
ISIS and al-Qaeda, and then I see the cyber threats, particularly as these more rogue nations and terrorist organizations get cyber capability. We've really got to stay ahead of that curve, because it's going beyond theft and espionage to warfare and destruction, and you can buy a lot of this stuff already on the internet. And so I think this is the area that, they say, what keeps you up at night? Well, there are a lot of things, but cyber has probabilities getting higher, but the consequences are very severe too. So you got the probability of a small-scale attack is probably high, but the damage, it's bad stuff, but relatively low in terms of casualties, but it's human casualties. The cyber piece, higher probabilities these days, and the consequences could be extremely severe and damaging, and with time will get worse.

So great news, isn't it? I know we're always cheery here at CSIS, but I'm really grateful that you came and talked to us. I'm grateful you took some time out of your schedule. I know how busy it is, particularly, you were busy before you were chairman, I have no idea what it's like now. Thank you so much for joining us.

Thanks for having me.