And how do we think about building the security end to enable that innovation and enable that platform for innovation and prosperity? Well, at the same time, how do we think about the national security risks that are in play right now as there's so many intrusions against the infrastructures going forward? And the innovation and the technology challenges that we have have to take into account the privacy and civil liberties as you have more and more of your personal information traveling on that infrastructure going forward. And so if you think about that then diagram, that's the digital infrastructure or information communications infrastructure. We looked at a number of goals and the President asked us this, how can we build the trust and resilience back into this communications and information infrastructure? And how do we work that public-private partnership to get us there? The private sector owns and generally operates this infrastructure of which the government is inherently buying the services or buying the capability from you. But it's our responsibility to help you with your economic prosperity and your market leadership. It's up to us to really help prevent, defend against, respond to and work together to remediate from any damage and/or interruption to that communications infrastructure and how do we go about doing that together? Which we highlight in the report. How do we continue to operate in cyberspace and meet our national goals and whether that is to the next how do we start to strengthen the cyber crimes convention toward how do we appropriately negotiate for stronger standards in the international domain. So that we have stronger security in that backbone of our infrastructure. And then finally all the while protecting civil liberties and privacy and keeping that in the forefront as we're moving more and more of our information across that infrastructure. We had some key elements of the study that we had to take a look at. 
And what is the full extent and vulnerabilities of interdependencies of that information and infrastructure? Do you actually know all the assets that comprise your architecture within your business and or the architecture within a particular department or agency? And we would argue no, that nobody has full visibility into what that enterprise looks like. Where are all the assets that comprise it and how and where are the interdependencies with the other critical infrastructure, specifically energy and communications? So how do you start to catalog what the baseline is? And then how do you identify what are the high priority assets that have to be protected? How do you define and engage a process for looking at the standards, the minimum standard that's going to be required for securing the infrastructure? And how do we start to promote those standards more globally going forward? And then how do we protect our national essential functions? And how do you link that in the interdependencies as you start to look going forward? Had the opportunity to meet with the financial services sector just last week as well as the energy sector this week. And the amount of interdependencies that we're seeing in those infrastructures are profound. And we need to understand that the security or lack of security in one is going to affect the other. As we're moving forward at government and industry, we need to think about what are the metrics for progress? And it was noted actually that we haven't really defined some of those metrics. And it's the metrics for risk and risk management. And it's also the metrics for progress going forward. What does success look like? And what are the quick wins? And how do you measure the progress over time? How do you start to diagnose or grade yourself of when it's working and when it's not? 
And then how do you clarify the roles and responsibilities and who's accountable for what and when as you're operating on this digital infrastructure of which has multiple services that are intermingling? As I said, we had to keep in account of the different other initiatives that the President has underway. Broadband, Smart Grid, NextGen, FAA, Health IT. And how do we intersect with those and how do we partner with industry in identifying what are the next generation research and development needs? And how do we encourage innovation for the intersection of those? We had a small team of six dedicated folks and a few others that we're underway. And you have to appreciate as we had the 60-day review, it was after my first week at the National Security Council. And it was really the first day of the arrival of the six details from the different departments and agencies. That was day one of the 60 days. And then it was really a pretty daunting task and 60 days was included the weekends and a lot of hours. But it was interesting because really the staff that came in from the different departments and agencies, they actually didn't get communications infrastructure, which is kind of ironic, for almost a week and a half. And so it was really, so almost kickoff is almost a day ten of really when we could effectively operate on the infrastructure and really collect data. So how do you get scaled quickly? Many of you know I spent most of my life in the private sector and this is a daunting challenge. You've got a major report to do the president, 60 days. You've got weekends, you've got no comms and you've got to get scaled quickly and get to task. So we did a combination of methods and you'll see this in the annex and the methodology. It kind of details it of could you get a repeatable process and do it again, which hopefully I won't be responsible for the next time it has to be done. 
But we had to inventory all the requirements and the requirements were across all these different policy directives, defense science board studies, intelligence science board studies, all of the different NSTAC, NIAC. You take, if it was out there and it touched the information and communications infrastructure, whether it was from an intelligence perspective, a law enforcement perspective, a defense department perspective, or a general telecommunications policy, we went out and inventoried all of those different areas to try to get a baseline view of what have we been told to do and what are we funding, really, and what are the programs in place. And then really do a gap analysis or an assessment of do we have everything covered, which we didn't. We identified those in the first week while we were waiting for communications infrastructure. And we identified about 250, little over 250 requirements from all of those different documents. And they weren't just from the last five years. We had some of those policy directives that dated back to the Reagan administration, because the telecommunications policy venues really date that far back. And so if you think about those requirements that are carrying over 20, 25 years, that's a pretty interesting history just in and of itself to look at. And then we went out to industry and to academia and to Congress and to our international partners, the civil liberties and privacy community and the like. And we started asking a lot of questions and we asked for help. This is where we get scale. And we asked for help in a lot of different venues. And over the course of really the next 30 days, we had 40 meetings with all of those different stakeholders. And we started asking and receiving input. During the course of the 60 days, we received over 100 papers from the private sector. We had research being conducted by our international partners that were feeding into the study. 
They were feeding us their development of their national strategies and some of the things and shortfalls that they were experiencing in their respective countries. They were telling us the lessons learned of how they're organized and organizing. And what we should be wary of or consider as we're moving forward in our recommendations to the president. And we learned a lot from the papers and you'll see those papers all reflected in the study. Many of them are footnoted. The majority of the papers that we had that we were given permission to release, they're all up on our website. And so you can go and you can review them, whether it was a view on Smart Grid or whether it was a perspective from the civil liberties and privacy community. The National Research Foundation and National Science Foundation had 50 universities that they pulled together that informed the study. And for me, that was a very great experience because the institutions that would normally compete against each other, all basically put their competitive nature aside to collaborate and partner on what are really the research and agenda and what does it need to be and how does academia perform? So then we started to identify our gaps and conduct the analysis. And as Jim said, we did actually completed on April 17th. There were a number of annexes that were a part of this report of which we have published some of them on the, openly. We had the methodology to help, couldn't you get a repeatable process? Could you do this again and just document all the things to get the scale? We talked to the growth of the modern communications. And for me, this history annex is very informative. If you haven't read it, I would recommend it. It actually tells you how we got here. And it's not, we didn't get here overnight. We got here over the last 150 years from the telegraph to the telephone, to satellite communications, to wired cable now to the wireless and then internet. 
And it's interesting because internet based communications haven't been defined as a communications regime. And so we need to address that going forward. But if you think about it, each technological innovation then vested statutory authority within a different department and agency. And then there was a new civil liberties or privacy concern that had another new law that came up. And then you'd have your next technological innovation and you'd give the authority to yet another department or agency. And you start to see the patchwork of the laws and the laws were never clarified over time. The statutory authority of the departments and agencies were never clarified over time. And now as we have a converged communications and information infrastructure, we don't, we have a very diverse and patchwork of laws and authorities that govern that space. And we need to clarify that over the time. And we need to consider and anticipate the next technological innovation as we're moving forward in that converged space. We also started to, and you'll see in the report, we did an assessment of the Comprehensive National Cybersecurity Initiative. That strategy's still sound, we must have offense inform defense. And majority of the programs that we have and laid into the Comprehensive National Cybersecurity Initiative become the baseline that will help move us forward from the federal space to the national space. Which is really what this report focused on was, how do we solve this problem nationally? As you saw in the preface, we really underscored the fact that cyberspace touches practically everyone and everything. It's that platform for innovation and prosperity. And it's really the means to improve general welfare around the globe. And it's not just the United States, it's the globe who has to participate in the security and driving the innovation going forward. But because it's loosely and lightly regulated, it has presented a lot of risks. 
And if you think about the internet, it was not designed to be the backbone of the global economy. It was designed to be an alternate command and control structure during a time of war or during a time of catastrophe here in the United States. And so as you think about that and that platform, it wasn't really meant to be secure and resilient and penetrable from the lines that we are seeing it now. So in the nature of that, because it is largely based on the internet, it's not secure and it's not resilient enough for what we're currently using it for today. And so how do we build toward the next generation infrastructure and continue to address the as needed fixes today. And start to make everybody far more aware of how we're using it and how we need to use it going forward. As I said, we've suffered intrusions allowing cyber criminals to steal hundreds of millions of dollars. The financial services sector has seen fraud against their networks and against the banks has more than doubled in the last four months. And that's because the cyber criminals and the organized crime are becoming far more sophisticated. And they're finding more and more vulnerabilities in that infrastructure and they're targeting it. We're also seeing nation states and others who are stealing our intellectual property for either competitive advantage of their countries or stealing sensitive military technology in order to promote their common agenda going forward. And to reduce the asymmetry between our common defenses. And as I said, the government's really not organized to address this. And there's no one agency that can match the sweep of the problem. And that's what we identified in the report and why we have to elevate and anchor the leadership at the White House. So the first chapter really talks to how do we anchor and elevate this at the White House. That the status quo is no longer acceptable. 
We can no longer ignore this problem and we really must address it going forward with concerted leadership. As I was briefing a couple of weeks ago up at Harvard, and this was the night before the speech. And I was starting to walk through some of this and I was like, wow, tomorrow's going to be a world event. So May 29th, anybody really realizes that or not the United States President, leader of the free world, gave a almost 15 minute speech on cybersecurity. And there's never been another leader of any other country that's given more than a sentence or a paragraph internationally or nationally. And that was a globally televised speech. I had friends who were emailing me from the UK and from Canada and Australia who were watching it. And that was where the United States is really now has, is being looked to as the lead for setting the pace for what needs to be done internationally. And if you think about that, May 29th was really the beginning of this front. And the beginning of our, really of our true leadership responsibilities going forward. So as we're anchoring and elevating the leadership at the White House, the President in the coming weeks is going to appoint a cybersecurity coordinator to lead those efforts. That person's going to be reporting and really anchored in the national security staff and council. But also will have voting rights, if you will, in the National Economic Council to help inform the economic agenda. As well as a science and technology policy agenda that happens through the National Science Advisor. And that person and that staff will coordinate the interagency policy and strategy development and drive toward the action plan that we identified in the report. And although there's only the top 24 recommendations that are highlighted, there are a whole lot more recommendations that are in that report, over 100. And so they really need to be working off that action plan. And I think I'm working those in earnest as we're going forward. 
We also have to review the laws and policies. During the course of the review, we identified almost 80 legal issues that had to be addressed in order to clarify this space. And we looked at some key legal issues that had to be addressed first and foremost. Some of those include what is the use of force or an armed attack in cyberspace. Another looked at how do we think about third party storage and Fourth Amendment rights as more and more of our information is moving to the cloud. And how do we think about aggregation of authorities or changing authorities as we're moving forward? In order to really set the tone of going forward, we want to strengthen federal leadership and accountability for cybersecurity. And how are we going to do that? Well, we're going to put it as one of the top of the president's management priorities. And what does that mean? So the decoder ring around that is that that makes every department and agency, head and deputy head at the suite level, are now responsible for cybersecurity at the same level as human capital management, as responsible fiscal management. And it'll put it there at the top five things that they have to be responsible for as part of their core mission. And when you make it as part of their core mission, it's something that they're accountable and responsible for to reporting to the president on like money and like people. It starts to bring a new profound focus at all the different departments and agencies where they're all weighted the same, not whether or not you have a mission in that area. We also are going to be designating a privacy and civil liberties official within the national security staff to inform that cyber security portfolio. There's already a list of candidates that's sort of been put forward and we hope to have the privacy and civil liberties official on board the staff here in the coming weeks. And that will go a long way to help inform things going forward. 
We also advocate in this chapter to elevate state, local and tribal leadership and to it's just as much of a state and local responsibility as it is a federal responsibility. During the course of the review, we found that some of the funds that we were sending from the federal government to the state and local government that were specific to cyber security were going to the Homeland Security Advisors and not necessarily the CIOs or the CISOs. And not necessarily being spent against cyber security, but maybe other Homeland Security higher priority or perceived higher priority agendas. So we're going to be working with the Department of Homeland Security and the federal money that we're sending to the state and local officials. And we're going to be working with the National Governors Association and the state CIO councils in order to help focus the agenda at the state, local and tribal level going forward. And so you see a new focus also at that level. The second chapter talks to how do we build capacity for a digital nation. And I like to think of this as the digital maturity of a nation. And if you think about our digital maturity and the use of this infrastructure, we're still digital infants. And how do we mature quickly on this infrastructure? And what does it mean to be a digital citizen in the digital age? And what's our responsibility to make sure that there's no digital disaster? And so we look at this as we must increase public awareness. And in the coming months, this is one of our high priority items. We're going to be working a public education and awareness campaign to promote that digital literacy. What it means to be a digital citizen now. And we'll be working with the National Ad Council, Department of Homeland Security and the National Cyber Security Alliance going forward. And how do we start to work that agenda? We're also going to increase cyber education and the focus on cyber education. 
And this would be consistent with also the science and technology agenda that we need more trained people across the board, not just at the university level, but we need to extend it from the K through 12 programs. There's a really good effective program that's being advocated for of this digital ethics and digital citizens through the National Cyber Security Alliance. And I know because it's in my kid's school, so my boys are eight and nine. They're getting ready to finish second and third grade next week, and they can't wait to get out of school. But in their school, they have these posters that are, what does it mean, how do you stay safe online? And what is a digital predator, and why don't you give away the password, or why don't you tell people where you live? And if you think about all the social networking, and I'm sure a lot of people are in LinkedIn. LinkedIn, yeah, Facebook, okay, not so nice, it's a different generation of Facebook, I think. And so you've got to think about what you're putting out there online. You've got to remember that I came at least in my last couple of years in the intelligence community, and I didn't really think about it so much in my business life. Because it was really the social networking, but it's like I had somebody invite me to be on LinkedIn. I was like, I don't like LinkedIn anymore, I'm a target now. And so you have to think about how you're being targeted, whether you're being targeted from a predator as a kid, or you're being targeted from an intelligence service, from a competitor, and what is your social network? And you need to think about what you're putting online, and how much you're putting online. And as we're moving more and more into this digital age, and you can start to geolocate people through the internet and or through your cell phone, we need to be thinking about the technologies and such moving us forward, and broadly, awareness and education. 
You'll also see that we need to really focus the university and high school agenda as well in this chapter. And how do we take advantage of the award programs and the prestige programs, whether it's in science and technology, to start to really incentivize more of the innovation in this area? And how do we get, again, scale or get it to become more national? I like to think of this as what we did in the 60s for the space race, where we made science and technology cool, and we had science fairs. And we had lots of things that were incentivizing every level of education to try to go out and learn and experiment and innovate. And we need the same level of attention now. We also talk in this chapter about expanding the federal information technology workforce. And how do we start to get to a more versatile, more cross-trained workforce, and the importance of that. And I kind of think of this as sort of like the GE model where you had to go and you trained in each of the different divisions so that you were as a new employee and you get that. Well, what if you had the same for, beyond joint duty, the way we think about it today, but you had a tour as a CIO, and then you went as a tour as a CISO, and then you went and you performed in the law enforcement or the analytic kind of area, and you started to have cross-training across the different disciplines, and then you start to have multidisciplinary approaches to things. Right now, we're still too stove-piped in the way we think about it. CIO, I need to keep my pipes alive. My CISO, I need to make sure that the data is secure on those pipes. The analyst just needs that information so they can start understanding who's the threat to that pipe. 
And we need to really have a much better comprehensive view of the knowledge, skills, and abilities of our workforce and get them cross-trained so that we have a more versatile workforce going forward and that we have less translation going on between knowledge, skills, and abilities in these job categories. We also talked to the importance in this chapter that we need not just to focus on the recruitment, but more so the retention. And because once we get somebody who's cross-trained, they become a very lucrative opportunity for them to go to the private sector or elsewhere. How do we retain that talent in the government? And I don't think we do such a good job. And certainly not at the senior levels of once we get them to the senior level. How do we keep them at the senior level and driving more change? The last part of this chapter talks to the need for more enterprise or private sector leadership. And it was interesting last week at the financial services sector meeting. And some of you have heard me talk a little bit about this, of the monetize the risk. But in the financial services sector, you have a data breach. The data breach is you're losing money. And so there's no kidding. You can put an output and it's quantifiable. But if you're in the defense industrial base or you're in the pharmaceutical line and you have a data breach, your data breach could have been something your intellectual property that you've been investing in for the last 15 years. Do you have the ability to quantify what that loss is? What the time to market? What the future sales would have been if you're not first to market? And we need to really start to make all of our industry aware of all the threats, not just the internet-based threat that are in their vertical lines of business, and start to get to the input output or the equation. 
And I think that this is a key area of research going forward and we need metrics and we need the methodologies by which to collect the data and we need the items going forward. And once we start to have more corporate awareness and we start to have a better understanding of what's happening, I think that you'll see a higher demand curve for secure software, secure applications, secure hardware because the demand curve will go up because the losses and the financial losses will be too significant once they're quantified. The third chapter, we talked to sharing responsibility for cybersecurity and that we can't do it in isolation. Who's the we? The federal government can't do it by itself and the government period can't do it by itself. It's got to be done with the private sector. But we also can't do it in isolation that this is truly an international problem. And so we talk in this chapter really into three categories, the public-private partnership. How do we improve that public-private partnership going forward? How do we think about the negotiations going forward of the value proposition of what's expected of both parties with the government? What do you expect from industry? Do you expect tools? Do you expect information? Do you expect understanding, intelligence of what's happening? Just alerts of the viruses that are getting ready to hit. And how do you think about that? From the government asking the private sector, it's again, it's almost a similar ask. The tools, the information sharing, the response strategies of how do we start to make these secure and resilient. We need to have improved dialogue in the public-private partnership. We need to start to build toward trust in this environment in an area where I think there's not enough trust, but trust has to be earned over time and has to be earned through little events and then leading to big events. Hopefully it's not a big event first. 
We also need to think about the barriers in impeding that evolution of the public-private partnership. Despite the fact that the government strengthened FOIA through the Critical Infrastructure Act, there's a perceived lack that FOIA is still not strong enough, and that if you give us proprietary information or vulnerability data, that we won't protect it in a way that won't hurt your competitiveness. And that's a problem, and we need to address that. But we also found during the course of interfacing with you the private sector and looking at the legal problems. Problems such as the Conficker worm, which during the course of the review, that was supposed to be weaponized in really some one April, and there were a lot of, if you read in the report, the government was less than 50% patched, and so if it had been weaponized, that would have been a pretty significant problem for a lot of our departments and agencies. There were some state and local officials who weren't patched and actually were brought down offline for over a week, and that was pretty significant. And so, but if you think about, there was a really good industry consortium of sharing vulnerability, sharing techniques that had a patch during the course of the build-up to Conficker. We had a lot of lead time, actually four or five months, and industry self-organized; government was late to join the organizational bandwagon, if you will. But the thing that was interesting is that was a perceived antitrust violation. And so, if we need to secure our infrastructure and we need to share information about common vulnerabilities to ensure that we can deliver services on a day-to-day basis, we need to look at the law and have the law migrate to the 21st century so that we can do what needs to be done to protect the country and to protect your corporate viability. 
The last area was talking to the partner effectively internationally, and there's an international annex to the report, and to the extent that we highlighted here, there is more than 20 international venues that are deciding the future of cyberspace. And that's just what the government deals with. I'm sure there's probably some order of magnitude more for the private sector. And if you think about that, that's ranging from strengthening the cyber crime convention or law enforcement capabilities broadly to negotiating and identifying the next generation standards that are going to be advocated for that your technologies are going to have to meet to the future of the Internet and the Internet governance. And during the course of the last 10 or 12 weeks, not just the ITU, which is the UN, is really still wanting to have control of Internet and ICANN or the domain name services and the technology around the Internet, but also the G-12 also asked for it to be considered to go to a more multilateral or perceived multilateral view of management. So if you think about all of these different venues and the fact that the Department of Commerce is representing the United States in one venue, Department of State is representing in another venue, Department of Justice in a third, Department of Defense in a fourth, sometimes it's a combination of those. Sometimes it's yet another Department, USTR. We need to get a common and comprehensive view of what is the international agenda. What are the alliances that we need going forward? Who are the new international partners? What do we need? What do we want? And start to think about it in a completely new way of going forward. And then what are the information needs that are going to be going into ensuring that our negotiators and our delegates are well prepared going forward? And how do we collect that data? How do we prepare them for the negotiation? And there's just a lot of work that needs to be done internationally. 
And I see this as actually one of our most strategic objectives and agenda items and we're the furthest behind on it. And so it's one that I'm personally focusing a lot of attention on. The fourth chapter talks to creating effective information sharing and incident response and how do you build that framework for an incident response? Now many of you know that the Department of Homeland Security has the National Response Framework and they're responsible for creating the cyber-annex or the cyber-response annex to that. We don't have an annex currently. We need to have one tout de suite by the end of the year. But it can't just be a federal incident response plan. If you go back, this private sector is owning and operating the infrastructure. So how do you get a public-private incident response plan? So we started to identify what the chapters of that incident response plan would look like and how do you start to catalog the capabilities that the federal government brings to bear. But we're going to start to have that outline red-teamed by the Cross-Sector Cybersecurity Working Group and the other private sector entities to help inform what are the missing parts? Because the private sector has a different COOP/COG kind of arrangement, how they think about incident response. And I think that we, the government, could probably learn from how the private sector thinks about it and then how do we collectively think about incident response and the national response framework of going forward? What are the policies that govern that? What policies may need to be fixed or streamlined in order to enhance that? Then how do we think about, again, that value proposition and the negotiation of that partnership and that incident response? What information sharing do we need to have? How do we think about thresholds for reporting? How do we report? And how do we start to begin to modernize that in a way and build the trust along the way of the information sharing environments? 
And then again, how do we improve cybersecurity across all infrastructures? If you had a major problem in the energy sector and it took out one grid or multiple grids, then we'll start to bring down the communications infrastructure. And then if it starts to bring down the communications infrastructure, it'll bring down banking and finance and every other national essential service. So how do we respond to that when many of these different industries and or infrastructures are not, they're not centrally managed. They're not even managed necessarily regionally. And so we need to think about, again, what does that architecture look like? Where are the interdependencies? Where are the true vulnerabilities? And how do we start to shore them up? How would we respond to an incident and or restore the infrastructure if there was a major problem? Along those lines, we are looking at that national incident response. We are initiating the dialogue with the eye toward streamlining and aligning and providing resources to optimize private sector contribution to the incident response plan.
And then finally, the last chapter talks to innovation. And I think a large part of the agenda going forward is going to have to be about how do we get to the innovation agenda. And I was on the phone today with the energy sector and we were talking about really about legacy systems and the legacy systems and we're doing really kind of the patching up the legacy systems. But they're not seeing a lot of innovative approaches to the patching of the legacy systems. They're like, here's a patch, we need to work this. So how do we move that forward and start to get to the innovation of as we're moving into smart grid and we're looking forward into that infrastructure? How do you look at that future architecture and the future infrastructure and how do we design toward the 10-year point or the 8-year point together? We have national security needs and economic security needs.
There's interdependencies across these infrastructures. How do we work together with the private sector to, as you're building toward the next specs, start to look at together what do we need going forward? How do we link our research and development framework and infrastructure development to that desired goal? In the past, our research and development agenda hasn't necessarily been linked to a common goal. And then how can we start to amplify the research and development dollars that the private sector is going to bring to this, and so that we can have almost a one plus one equals a greater than the sum of their parts going forward? The government has an inherent need for identity management to get to attribution or to be able to track people from law enforcement or from compliance and such, but there's also a need for privacy, anonymity on this infrastructure. And so what privacy enabling technologies are out there that can help us get to identity management as well as that anonymity or privacy going forward? And then we also need to think about the globalization policy and supply chain security, and how do we start to think about not just who designs whatever the technology is, who builds it, who fields it, but then who upgrades it, who manages the service afterwards, and where might there be opportunities to introduce vulnerabilities along the way? How do we use the power of government procurement to define a higher standard by which it would then drive the market to meet?
How do we start to pair those dollars up also with the state and local procurement, as they're using a lot of the federal buying schedules, and so that it starts to reduce costs and actually demand higher standards for security going forward? And then finally, as I stated earlier, many of the technologies are now IP based and our communications are now almost all voice over IP, but the internet hasn't been declared a communications infrastructure yet. And so how do we continue to think forward in national security emergency preparedness? So for some of you, you have a GETS card. I have a GETS card, government emergency telecommunication system, which requires that if there's an international emergency like 9-11 that the key government officials will be able to get through, they get priority telephone. Means the president gets to communicate if there's a crisis. Well, we need to be able to have the president be able to communicate in a crisis as we're moving forward with that internet based infrastructure, but still recognize the need for balance to competitiveness going forward.
So a lot of people ask me what's new and what's different, and knowing my last role and going forward in the future role, and I'll just talk a little bit about that. First, we have presidential leadership. The president believes in this. It's personal to him. He had a campaign intrusion. His BlackBerrys, they try to hack into his BlackBerrys on a regular basis. They're targeting him. But the president believes in this. He's committed to the technology, he grew up on it, his campaign was based on it. This president is going to drive this forward, and it continues to be raised on a weekly basis. What else is different? It's including the economic security issues. In the past, we've only thought about this as a national security issue. This is actually an economic security issue first and foremost that's going to affect our national security. And so how do we think about that and bring those different decision making
bodies together so they can appreciate what they bring to the table? We need to really pay attention to the privacy and civil liberties aspects of this infrastructure. We're putting more and more data out on that infrastructure. We're putting more and more data out into the services and into the cloud. What does that mean from a civil liberties and privacy perspective? What happens if there's a data breach in the cloud? Who's responsible for reporting it, who's liable for that, who's supposed to protect that data? And a lot of those issues have not been tackled in a way that would modernize the way that we think about privacy and civil liberties. As was pointed out to me by a key privacy official, the Privacy Act of 1975 was built for flat files and had never imagined a computing world that we have today. So how do we think about those relational databases, the distributed data, the distributed storage of data, and how you can pair that data up from a civil liberties and privacy perspective? Those are hard problems that we're going to have to look at. We need to also tackle the foundational issues and the infrastructure and those interdependencies, and how do we shore those up and try to encourage the innovation that's going to be required to shore those vulnerabilities up? And we need to look beyond federal networks. In the past, the past initiatives have been focused on heal the government first. I think that, as pointed out in the 60 day cyberspace review, it's been a national look. It's how do we start to heal the nation and start to prioritize going forward our strategic priorities. We need to look at a unified approach to international engagement. The international forefront is where a lot of this is being decided right now. We need to partner with industry to understand what's needed. We need to partner with new allies to think about how they are thinking about the problem. And one of the things that, in addition to the use of force or an arms attack, one of the interesting things, and
I encouraged one of the universities, this is a research program, is what's common and what's uncommon about this infrastructure. If you think about the commons, you know, you go out into the street and or a restaurant, you're expected to dress a particular way or wear clothes, and you're not supposed to have lewd behavior, and, you know, and or drinking and driving is unacceptable as a commons, right? We're all sharing that infrastructure. Well, we don't have a view of what's common and then what's uncommon on that communications and information infrastructure, and until we can get that view, we won't get norms of behavior and we won't be able to get to that international environment where we can all agree to agree that that's the right thing to do. And we need to, we need to look at that. We also need to operationalize the partnership with industry. We've never really done that in a comprehensive way. And what does that look like? Where are there successful partnerships with industry, and whether it's different models, and we've looked at different models through the course of the review, whether that was something like an Intelsat or the Red Cross, FAA, the Coast Guard. There's a lot of different public-private partnerships that have been operationalized. What are the attributes of them that fit for cyberspace and this communications information infrastructure, and how do we move that forward to operationalize the partnership, and where can we start first? And then we need to really build capabilities to deter, defend and respond to these intrusions and potential damage to the infrastructure, and what does that look like?
I think the last part I'd like to highlight is that Obama is very keen on being transparent and open, and what's different from the past is that we made almost the entirety of this open throughout the course of the review and post-review, and it's almost all unclassified, and that is an unprecedented transparency for the National Security Council. And I think it's just the
beginning of the hallmark of this administration, of the information sharing and transparency that he would like to see going forward, and a new partnership to drive our infrastructure. And with that, I think that that's going to conclude the majority of my remarks, and I'll open up for questions.
A few questions.
Let's just talk about your, your, I contributed to some of the report through Tom, and I chair an international cybersecurity group in Geneva in about 10 days, and there will be people from all over the world to work out the good part of the ITU. So we're going to be working out the standards and arrangements for cybersecurity. A significant number of those participants are from China, and these are people who seemingly want to form a partnership with us to achieve common goals. Do we have a strategy for doing that yet, and or what would be your admonitions as to how to approach that?
Well, I think that as far as the standards go, the majority of the world is except the industry based the IEEE standards of going IEEE and some of the industry standards that we advocate for going abroad, and we need to think about China's wanting to find some new standards in order to do business in China, and we need to start to balance what are the right standards to go forward so that we're not having to build to two standards, one for one country and another for the rest of the world. So I think we need to effectively work with industry to develop that agenda going forward.
We have one in the back.
I'm Dan Fowler from Congressional Quarterly. My question is about the quote-unquote cyber czar position, and many people who I've spoken to think that it's a good idea to have that type of position, but they're concerned that it's going to lack authority, particularly budget authority, and I was wondering if you could address that. Is this individual going to have budget authority, and what do you think about that concern that people have expressed about the possibility of this person having a lack of
authority?
The cyber security coordinator, there's a list of individuals being considered right now, and the position is still yet to be defined. However, in the report you'll see that we recommend that the cyber security coordinator will be the lead for the policy development and coordination. The cyber security coordinator will have to affect the budgets, working with OMB in the cyber security area, and again, that the cyber security coordinator will have a vote and or influence in both the National Economic Council and on the science advisors technology policy council.
You could give a little more specifics about this doubling of cyber crimes, break-ins, I think in the financial sector in the last four months to this? Why is it to seem to be accelerating so much recently, and when you mean doubling, where is it going from what to what?
I can't give you a specific statistic. It was through conversations. It's the cyber, it's the fraud that we're seeing against those, the financial institutions, is increased, and it's because of vulnerabilities, and one institution is bringing vulnerabilities into all the institutions because they're connected.
With the Washington Post. I have another question about the cyber coordinator's authority or role. As we know, the Pentagon is planning to stand up a new cyber command to unify the offensive and defensive capabilities in cyber, cyberspace, and the 60 day review report noted that the cyber coordinator, I believe, will have authority over cyber network operations, which includes cyber defense, cyber offense and cyber exploits. So will this coordinator, what role will this coordinator have with regard to this cyber command, with regards to policy, budget, and even some of the questions you asked earlier, such as what constitutes the use of hostile, you know, armed force or hostile intent?
So the cybersecurity coordinator, think of it as the hub by which all policy gets coordinated or made through the interagency policy process, and the cyber security coordinator will
chair those meetings and get the views of the different departments and agencies, will identify where new policy must be made, and make those recommendations up through the policy process to the president. The cyber security coordinator would also be working with OMB to determine what are the key new programs and plans that need to be put in place for cyber. And as each of the different departments and agencies begin to reorganize for cyberspace and or cyber security, that will, is what the departments and agencies are all in the process of actually doing. Department of Defense, Department of Homeland Security, Department of Commerce is reorganizing as well, and those will just then elevate the leadership within those departments and agencies, and that'll usually mean that's the new person that's coming into the interagency policy process, where if there's a decision that needs to be made by from a policy perspective, and or if there's an operation that needs to have clarification and or policy or a law around it, that it would come into the White House for interagency coordination.
Alexi Alexis from B&A news. Two questions with regard to the recommendations and report. What's the timing for moving forward, particularly with having a cyber coordinator in place? And also, I mentioned that there are a number of privacy issues that have to be addressed, such as breaches associated with cloud computing. What role will the White House have with addressing those kinds of issues?
Okay, so cyber security coordinator, there's a list being reviewed right now and interviewed, and we're hoping to have a cyber security coordinator in the coming weeks. I can't give you a definite date right now. I'm effectively the acting cyber security coordinator, driving the policy and driving the implementation of these plans. As far as the privacy concerns and that we're looking at from either data breaches, some of those are being addressed with new legislation up and on the Hill, of which we're going to be submitting
input as far as to help inform that. We're also working effectively with the civil liberties and privacy community, both within the government and outside of the government, to help identify other civil liberties and privacy concerns that have to inform policy. And then we hope in the month of July that the civil liberties and privacy officer will be joining the national security staff to help drive that process in support of the cyber security coordinator.
You mentioned that there was a cross sector cyber security working group working on incident response. What is the process for engaging with the private sector as part of that, and, you know, is there a way in which folks like levels 3 can be involved?
Okay, so the co-chair of that is right up here on the front row, Guy Copeland, and it is led by industry as an industry government partnership already. It has membership from all 17 critical infrastructure sectors from the private sector. But we'll get with Guy afterwards, and so it would have an interface to the defense industrial base, which L3 is a part of, it would have an interface with the IT comm sector, which L3 is a part of, and, and so it was, there's a number of areas by which I think that you would have other opportunities to participate in.
Last question there.
University of North Carolina Charlotte. Most of, many of the challenges you mentioned are very long term, similar to search for cures for disease, and one such example is the need for secure software. To do that, you're going to have to revamp the computer science curriculum of just about every institution in the country. There are probably only a half dozen institutions that know how to do that, how to write secure software. But until you can revamp the educational system, you're not going to turn out the students and the graduates who can go to industry and write software that the government needs. And it's just a comment, though, that it's going to take a very long term view this.
And I think many of you heard me say it before,
this is not something that we're going to be able to solve overnight. This is going to require a number of year, multi-year effort, if not multi-decade. We're in a marathon, not a sprint, and we need to, all of us, partner together, and there's a role for everybody in this room and everybody in this nation to start to solve this problem. And I'm hoping that over the next decade or more that we'll be able to start turning the trends into the right direction. So thank you very much for hosting me today.