THE ATLANTIC COUNCIL OF THE UNITED STATES
INTERNATIONAL ENGAGEMENT ON CYBER:
ESTABLISHING NORMS AND IMPROVED SECURITY
PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY
ACTING SENIOR DIRECTOR FOR CYBER SPACE,
NATIONAL SECURITY AND HOMELAND SECURITY COUNCILS
WEDNESDAY, MARCH 30, 2011
Federal News Service
MELISSA HATHAWAY: Good afternoon. Hope everybody is doing well. I’m moving a little bit slow, and some people are asking me, so I’m just going to give the global announcement. I’m just off of eight weeks of medical leave, so if you’re chasing me down the hall, I’m moving really fast – or slow. And so – but I appreciate that I – for Catherine to invite me here and for everybody for the opportunity.
I have been working on speaking and writing about the private-public partnership an awful lot. And as many of you know, there are lots of private-public partnerships. And at my last count, last fall there were over 55 in the – in the United States. And I think since then we’ve established more than a dozen more.
But one of the things I’ve asked for this panel to really cover is some of the best practices and the lessons learned of the private-public partnerships that they are supporting and leading. And I’m just going to introduce my panel.
We have – and I’m going to just go down the – they’re actually sitting in the order that we’re going to speak. So Bill Guenther is the president and founder of Mass Insight Global Partnerships, and he’s been leading private-public partnerships in the Boston innovation corridor for over 20 years that span the academic and industry relationships and incubating the new technologies that we need to solve big problems.
To his left we have Dr. Phyllis Schneck, who is the chairman of the board of directors of the National Cyber-Forensics & Training Alliance up in Pittsburgh, Pennsylvania. She’s also the chief technology officer at McAfee and the chair of InfraGard. And as – leading multiple private-public partnerships in information-sharing environments for the – between the government and through the industry, she has a lot of insights that she’ll be sharing with us from an NCFTA and a broader perspective.
To her left is John Nagengast. He is at AT&T, driving a lot of the operational private-public partnerships right now within the – and between the government and the private sector, and has a long career, distinguished career at NSA, and brings a broad-based perspective from the Internet service providers in a tier-one telecommunications carrier. And as we look and turn to the telecommunications carriers perhaps to carry more of the burden, he’ll be able to discuss what that means and the much bigger picture from an operational context.
To his left is Eric Werner. And Eric is now a principal security strategist at the Microsoft Corporation. Prior to that, he served at the White House and helped me write the Cyberspace Policy Review. Prior to that he was at the Department of Commerce, and prior to that he helped stand up the Department of Homeland Security. Eric’s going to talk to some of the unique mechanisms that now the private sector can turn to the government for facilitation of that partnership.
And then finally – not – we have Mr. Kristjan Prikk from the Embassy of Estonia. He arrived here in August of 2010 and is representing a broad portfolio for the Estonian government here in Washington – not just national security issues, but many of the issues. And he’s going to be giving us a perspective, because he served in the ministry of defense prior to coming to the United States, of what it means to actually operationalize and get the private sector to restore the infrastructure, and the lessons learned from an Estonia perspective.
So I’d like to kick it off immediately to my panel, but for the tagline I’d like you to think about – is we got to think big, start small and scale fast. And what are the key things that we can take out of each of these private-public partnerships so that we can get to a more scalable model to address this in a global situation? Thanks.
BILL GUENTHER: (Applause.) Thank you. Thank you. And I’d particularly like to thank Catherine for the quite extraordinary job of organizing this day. I know what it takes to do this, and she’s done a really, really terrific job with a great group. And I want to thank Melissa for leading this panel.
I’m going to talk very – I’m going to first of all run through some slides that are part of our business plan for the advanced cybersecurity center located at MITRE in Bedford, Massachusetts. These have a lot of detail in them. They will be available to you, for anyone who’s interested. I’m not going to go through a lot of the detail in specifics. What I do want to do is just create a quick context for these kinds of centers, broadly speaking, as regional R&D centers, talk a little – a little bit about where we are in the process and what the objectives are, and then close with some lessons learned.
We came to this center really through two streams of activity. One, in the last 10 years we’ve focused a lot on the connections between universities and business and ways to connect the dots within a region in terms of the intellectual assets that span the commercial and the academic side, and particularly large-scale R&D centers.
And secondly, we did a study with McKinsey on the IT sector a number of years – about four or five years ago. And Bob Nesbit, a senior vice president for MITRE, was part of our advisory group. And we were looking for strategic opportunities where, again, we could pull together assets in the region and be a national player in terms of solving national and global challenges, and also, obviously, create competitive advantage for all the organizations involved.
And Bob specifically said that the APT, the advanced threats, were not being responded to effectively; that it was not a problem single organizations could solve on their own. And he was very interested in cross-sector play between the financial-services sector and defense, because each sector thought differently about strategies to respond to the advanced threats. And so that’s really the genesis for this work in this center.
And let’s see whether I can get these slides to work.
There we go.
So first point, context. We think in terms of talent clusters: that if you’re thinking about regional, particularly technology-based economic strategy, it’s about identifying pools of talent and then pulling those together in effective combinations, and also about guiding universities to produce the talent to feed that cluster, both the supporting talent and the stars.
It is important – and I think we all recognize that proximity still matters, that having people able to deal face to face within a region creates activity that wouldn’t occur otherwise. So one way of thinking about this is really a combination of regional centers around the country and around the world that are then networked in productive ways and facilitated.
(Inaudible) – problems. There we go.
So very simply, as I mentioned, flagship R&D centers as a place to bundle and broker assets. It doesn’t mean the center is doing all the things directly; it means that it’s acting as an intermediary between different kinds of assets and an incentivizing organization, sometimes even a funding organization for separate projects.
The advanced cybersecurity center is, as I said, focused on the assumption – and this slide is based on all the interviews we did in the business-planning process with our 16 charter members along with others in the region – but it is based on these three fundamental assumptions: that the APT is a major threat, and that it is not a threat that can be solved by single organizations. The – there is a fundamental assumption in here too that any organization that collaborates with others is going to raise the sophistication level of its staff. So if you think of this as basically creating the Navy SEALs of cybersecurity, that’s one of the goals of this collaboration.
At the risk of offending an organization that isn’t represented here on the slide, or somebody who feels they’re in the wrong space, this was an effort – and PwC Consulting worked with us on doing an environmental scan of existing collaborations around the country – and then we put them into this grid based on the vertical being information – informational at the low end to actionable on the top end, and then known threats to new and emerging threats along the horizontal.
What it is intending to show is this white space in the upper-right-hand quadrant where we are not collaborating to produce actionable information and R&D to deal with the advanced threats that are new and emerging.
This represents schematically the current partnerships. And I want to emphasize that this is a center in launch phase. And I’ll go through exactly where we are in a later slide. But essentially what we’ve said is we’re building on a regional base that connects the end user community on the left-hand side, the broader business community, with the supplier, the vendor community, and with educational institutions as partners.
A critical differentiating piece of this is that it is a cross-sector collaboration, so it includes financial services, the defense non-profits, MITRE, Draper, Lincoln Labs in the region, as well as utilities, health care. The Federal Reserve Bank of Boston, it turns out, has national-perimeter-of-defense responsibility for the entire Federal Reserve system, so we’ve got some real sophisticated staff up there, and they’ve been a major partner with us.
But again, on the national level, the effort is to connect only to the federal agencies up in the national cybersecurity framework and then with the existing security cooperatives in other centers like this around the country.
The – functionally, if you look at the work that will be done in the center, the core of it is on the left-hand side where it says “shared threat data and response strategies.” So there is being set up currently – and MITRE is developing the collaborative software for this – a threat-evaluation/data-sharing capability that will bring together, again, the initial 16 or so organizations involved, and then we hope another 10 or 15 that will join with them.
That threat evaluation and data-sharing is intended, however, as a platform for R&D. And that’s where you see on the right-hand side the “develop next-generation solutions.” We think it’s also distinctive that the center is focusing on a public-policy informational capacity. And we have a terrific policy committee that’s in formation that Jack Goldsmith at Harvard Law School is chairing with us.
And then underneath that, under regional leadership, we are putting a major emphasis, something we’ve – actually is the easiest consensus-builder among members around the fostering of talent, the ability to bring the industry side together with universities, to look at gaps in the education programs, to encourage universities to either create new degree-granting programs, certificate programs or internships and work-study is obviously a critical advantage.
In terms of our actual work, these are the work groups at the bottom here. The policy legal work group I just mentioned. Threat evaluation/data sharing, that’s being led by Matt Richard (sp), a senior staffer at MITRE. And the industry education work group that’s bringing together the university and the industry assets.
The executive director, just to be clear, is, in essence, Mass Insight at the moment. We are in the process of working with Foley Hoag, a law firm, to file for the nonprofit. And when we go into full launch phase in 2012, the budget would then support a full-time executive director. The steering committee is the currently – is currently the operating group of the 16 members that’s driving the process.
So another way of looking at this is to think about the different kinds of staff that are connected through a collaboration of this kind and the different levels of sophistication. At the top clearly are the elite security experts from the companies, who we are starting to bring together. And in the mid-level are the front-line staff. We have had a technical operating group for about eight months where some of those front-line staff have been meeting on a weekly basis and spending a day together.
In terms of where we are in the process, again, this is a transition from business planning to full-scale launch, 2010. We put together the small-scale technical group; the steering committee led a three-year work plan effort, which is completed. We are now organizing the work groups, 2011, setting up the legal and governance and working toward a full-scale – or a large-scale regional conference in the third quarter.
In terms of lessons learned, the – I wanted to run through, just quickly, some opportunities, challenges, and some of the lessons.
The first point, I think – and having worked on a number of other collaborations of this kind – we attempted to put together a drug-development/biomarker imaging center a couple of years ago and never got enough consensus and closed it down. What’s interesting here is really the increasing perception of the threat. As everyone said this morning, this is not an invisible problem today, and that helps a lot.
And secondly, I think, the widespread recognition among the major users like the Fidelitys and the State Streets, the Liberty Mutuals and the John Hancocks, all of whom are members of this consortium, that they can’t solve this problem on their own and that existing tools and resources aren’t doing it for them.
I want to emphasize, this kind of collaboration is not an effort to replace commercial products. It is focused on integrated strategies, and it is – the reason we can get vendors to the table, like EMC, RSA, Microsoft and others, is because it’s helping guide them towards solutions that they will develop in the future. So it’s pre-competitive.
In terms of the challenges, certainly aligning partners with different levels of sophistication, financial services defense at the top of the pyramid, probably health care lower down, utilities somewhere in the middle.
Secondly, there’s been already comments about business disincentives to share information. Obviously, that’s an issue with government as well, so getting over those hurdles. The two next bullets, “fostering trust” and “defense-sector restrictions,” really fall into the same bucket. And broad-scale, it’s about, you know, how do you create the confidence among the members of the consortium to actually open up their books? The fact is that, you know, even down to the level of individuals – the individuals who are doing the work and the background checks, the security checks, you know, those are all issues that have come up in the participation agreements that we’ve worked on.
Defense-sector restrictions: As you all know, the private-sector companies are using foreign nationals extensively. The defense sector doesn’t allow it. And how do you deal with that problem?
And finally in that category, the funding assumption. This is an industry-led consortium. The assumption is – and what – the way we’ve been operating is that industry puts up initial membership and provides the initial funding. You hire only an executive director, and then you go out and get significant federal funding through contracts and grants and projects. The issue of quantifying risk and having CISOs and CIOs – and some of you are represented here in the room – able to convince CEOs and senior executives that this is worth investing in and how much is it worth investing in it, is a hurdle. And, you know, everyone has said that the difficulty of quantifying the risk is a problem.
So finally, lessons learned. First of all, regional centers are manageable in scale. You’re dealing with a small membership base. You’ve got 25 people around a table. You can actually manage that group, as opposed to a hundred or 500. That group is intended to produce value that will then get disseminated out to a much broader group. But it’s manageable to do it at the regional level.
Secondly, phased start-up. My experience with universities is they are wonderful places with extraordinary assets, but they tend not to be top-down-driven. So establishing partnerships with universities is even more difficult than it is with industry. So start with industry, get the industry funding. And some of our university partners told us the same thing: start with the industry side and the universities will come along. And that’s what we’ve done.
Organize around the IT users, because obviously the vendors present particular challenges in terms of IP that State Street or Fidelity don’t.
And finally, as I said before, education and talent is an incredibly easy consensus-builder. Everybody’s interested in building the talent base, particularly in regions where they can tap into it.
The final point I’d make is, I do think the federal role is to encourage some of the existing centers, to build support for them, to build funding, to stay out of the way where they need to stay out of the way, but basically to allow these centers of excellence to grow up and then help them connect to each other.
Thank you. (Applause.)
PHYLLIS SCHNECK: Good afternoon. I forgot which mic I’m supposed to be using. So thank you. I want to first start by thanking Georgetown University, thanking Catherine, thanking Melissa, and certainly the panelists that preceded us this morning.
There’s a lot of good guidance. We’ve had this meeting – somebody joked yesterday and last week that we’ve had this meeting several times, and we don’t want to reiterate this same meeting for you after lunch. But I’ll try and give you some different kinds of insight that we’ve had on this information-sharing problem.
So little bit – my background is actually high-performance computing and how to do that more with cryptography. And you learn very quickly in the world of security that none of that technology is very effective if we can’t do – as Mr. Moss (sp) suggested at one of the lunch talks – find what we believe in as a country and as a world and use that technology. Because you can’t solve a people problem with technology.
Going back on two comments that really resonated this morning, Congressman Thornberry said cyber needs to be elevated – I’m paraphrasing – but elevated to the highest levels of private industry; and certainly General Hayden, who pointed out that even an F-22 is a node on our network. So if you think about the fact that we’re all connected, we’re all interconnected, everything we live and breathe, that cyberresiliency is absolutely fundamental to our way of life as a country and as a world. And that way of life then is fundamental, and our ability to understand as both private sector and government, the pieces of the cyber puzzle, be able to put them together and be able to push them out to protect, in two ways.
In real time, making our network fabric resilient. Just as your body fights a cold, we shouldn’t have to know the name of the virus or have a signature to it to fight it. We just fight it off.
And the second way is, in human time, to put some understanding around it. A lot of people have a lot of interest in this. This is a very fun thing to look at, very exploratory. But who’s behind it, what’s the motivation, that obviously moves a little more slowly.
I come back to a story in 2003 when I had been chairman, as Melissa mentioned, of the private-sector side of the FBI’s InfraGard program. And we briefed a foreign government on how we did private-public partnership just in that program. And I remember one of the citizens there telling me, this is so different, because – and she said to me, in your country, the private sector does what they want, and so you can lead a partnership. She said, here we do as we’re told. And she said, you’re very lucky that you can do that.
So as we think about that, I’d offer that as some insight as we build these partnerships. This is an opportunity as private sector to take everything that we know, the eyes and the ears, the information that we see around these networks, and put it together and work very quickly with each other as partners, competitors, colleagues, and with our government. I know that it’s not always the easiest, having been in some of the trenches that others have been in as well. But this is something that we have to do.
And on those principles, that is a foundation upon which the National Cyber-Forensics and Training Alliance is founded. So I currently serve in my volunteer time – whatever’s left after the CTO of public sector role at McAfee – in chairing the board of directors of the NCFTA, as we’ll call it – the one acronym I’ll try to use today.
And the principle of the NCFTA is putting under the same roof and under the same organization your fraud analysts from different sectors, from the better part of our financial sector, pharmaceutical sector, transportation. And we’re expanding. We’re looking at energy. We have telecom well represented, and having – to the point made earlier – the highest levels of private industry represented on our board, several of the major sectors represented there, and then having their – some of their fraud analysts in our labs, working with the information that they get from their companies, from partner companies.
It comes into a 501(c)(3). So it’s private sector sharing with private sector. And then walled off within the same building, same complex, we actually have an – part of an FBI cyberfusion unit. So when the private sector’s ready, the analytics can go over there.
So on some of the specs, we have a hundred sponsoring partners now; 30 percent of our funding is private sector, 70 percent is still federal. We have 45 live staff members, had the privilege of meeting a lot of them a couple weeks ago; just some of the best talent in the country that’s chasing down some of the worst adversaries in the world, and able at the right time to give it to law enforcement, leading us to a presence in 34 different countries, relationships that we’ve leveraged from the FBI, from law enforcement, to have those relationships overseas so information can be passed.
And my favorite one is 300 arrests of cybercriminals worldwide to date. And the organization really just kicked off – you know, founded in 1997, but really found its legs, I would say, a few years ago. And a lot of the credit goes to our CEO, Ron Plesco, for standing through what most of you know is a tough industry and a tough goal, and really making this work.
We bring the trust together of the companies, their partners, their colleagues, their data. We have a back end where it’s supported. We look at things like chain of custody to make sure that the FBI can use the data that comes in, or DHS or our other partner agencies, ICE and others that are partnered with us. There are several. And you look at how you can actually take that evidence and make it work in a court. Often companies don’t keep that the right way. We do at the NCFTA, so it can go and put bad cybercriminals in orange jumpsuits.
So you combine the trust, the speed. We maintain control of it as a private-sector 501(c)(3) until a company allows us to give the data to law enforcement.
You know, that’s very important to another point that I’ll make. The cyber – (inaudible) – we face is fast and strong and better than we are, and that’s why we’re losing. They act, they share information, they have absolutely no barrier to entry to share. They – they’re criminals, so their way of life is not dependent on intellectual property or legal barriers. They execute.
The only way that we as a country and as a world can execute private-sector and government is to be faster and take back the infrastructure that we own, use our ability as companies all over the world to see the activity across the world, to correlate that, to put it back into the network fabric so that we have that cyber immune system that so many are saying that we need, so that your network fabric can defend something from reaching its target, even without knowing its name.
Great point made earlier, I believe by Mr. Carr, when he said the signature model – again, paraphrasing – but the signature model doesn’t work. It doesn’t. And I eat from a security vendor, right, the biggest one in the world. But the signature model is over. We and our colleagues look at how you work with behavioral analysis, and in real time as well as in human time. And the way to do this is to build these partnerships.
So the NCFTA is one model that works internationally. It’s not the solution. It’s a hard-driving component of something that we need to leverage the existing information-sharing and collaboration organizations that we have.
But I’ll end with a little bit of a war story. And that is, when you’re on the phone, looking – we have several of these advanced persistent threats – I shudder at that term, because it’s a little bit more these days, like the advanced persistent marketing threat. Everybody out there likes to use that term.
But there is an adversary that loves to look in your system, gets in there; not so terribly – not so hard to do it; they look at your information. They either want your information, future information, what you’re doing. But they’re there. And once we’re able to look at one of these adversaries, we work with our partners all over the world, both the NCFTA and other companies. There’s a good-guy underground.
And you put that information together and you start to build a picture. And then you end up on the phone at some hour of the morning understanding that, look, this must be the same adversary because they’re obfuscating what they’re doing in exactly the same way as we’ve seen on XYZ date. And we believe it’s coming from this part of the world because of this reason. And look, they’re going for nine or 10 companies in the same sector.
But we can’t give that to law enforcement right now. We’re not protected to do that. It could cause material events for shareholders. It could cause other data release. So we sit there as private industry saying, we want to do this faster. And we watched this happen in the NCFTA not so long ago.
So we need to use groups like this to figure out how do – how – not building another organization; how do we work together to be able to share that information over so that we retain control and we don’t lose out to this adversary?
So with that, I will thank you very much and look forward to your questions. (Applause.)
JOHN NAGENGAST: OK. Well, good afternoon, everybody. And I think there’s only thing one – the only thing worse than being in the panel after lunch is being the third speaker in the panel after lunch. So I’ll try to keep it light and fast so we can – we can keep everybody moving.
I want to start out with – disagreeing with something my former boss Mike Hayden said. When I was at NSA, my last five years, I worked for Mike. And he mentioned something about market failure. And I want to start out by saying there is no cybermarket failure. All the companies in cyber – most of them, at least – are doing very well.
And he got a look at it from a private-sector perspective. Companies are in business to make money for their shareholders. That is their single objective, whether they’re doing virus detectors or any – or providing communications services. You got to start with the principle that they’re there to make money. Anything else is a secondary objective.
So there’s no market failure. And you see the market starting to recognize the need for enhanced security. Our lunch speaker in the group I was in talked about the fact that Windows 7 is much more security-robust than some of the previous versions of Windows. And we’re doing a lot more in the cyber space today as a carrier service provider. There’s a debate going on, obviously, about could we do more, you know, how do we partner and how do we collaborate. But we are going in the right direction, simply because the market is starting to turn the corner and understand that cybersecurity is important in all of this cyberspace. We don’t even have a definition we agree on. I think the Europeans refer to it as ICT. We’re kind of talking about cyberdomains or cyberspace. But it’s this whole interconnected infrastructure that we’ve created, and nobody really knows how it all – how it all works in a complete way.
But that’s not a market failure, and I think we are responding over time to the – to the demands of the market.
The other thing I want to say is we had some China-phobia and Russia-phobia. And the model I’ve always worked on in the long time I’ve been in the business, both at NSA and the private sector, is trust no one. Globalization has made the idea that you can localize the threat to one particular country or one particular set of bad actors – it just doesn’t compute anymore. You got to really operate on the basis that I can’t trust anything in my infrastructure.
So then I go on from there and say, now, what do I want to do about that? I want to – I want to be able to tell when something is misbehaving in my infrastructure, irrespective of whether it has an American brand logo on it or a Chinese brand logo or a Russian brand logo. Because that’s almost immaterial in the – in the world that we work in.
In fact, it’s not at all surprising that we – this was mentioned this morning – Symantec and Huawei formed a research partnership. That’s what globalization is all about, is reaching out into the various technology bases around the world to expand your business. And that’s what they’re doing there.
You know, we can question some of the motives, but basically they’re doing what a company is – any company is going to do. They’re going to try to expand their reach into the global marketplace and expand market share. And we shouldn’t be surprised about that. What we lack in the United States is a real strategy to deal with the globalized environment that we’re operating in today. And I’ll – we can come back to that in questions if you’d like to.
I’d like to – you know, since I was asked to talk about private sector and collaboration, let me say that, number one, AT&T, as the largest communications service provider in the world, takes cybersecurity very, very seriously. We have a large, well-organized effort focused on detecting bad activity in our network and attempting to mitigate it before it reaches our customers.
That’s our – that’s our single, you know, philosophy, is: We don’t want to deliver it to the end user. If you think about the world as it’s going to exist in the future, you got mobility – mobile devices, cloud computing and information applications stored in the cloud. And in the middle is this telecommunications infrastructure, the network, the Internet, if you will, that ties it all together.
The way you’re going to stop cyberthreats in the future is by detecting, from a behavioral perspective, malicious activity and stopping it in the network. You don’t want to connect the cloud and the mobile user together – you know, from a malicious perspective.
So that’s the way we approach it. And I think we’re involved – and we try – every six months or so, we try to count how many partnerships of collaboration, public–private-sector, are we involved in as a company. And I don’t think we’ve ever been able to get to ground truth. Sometimes it’s, like, 30, and then we count it again – well, it’s 35, and then it’s 40. And it goes on and on.
And one of the points I’d like to make here is, most of the collaboration, the private-public and the private-to-private collaboration that’s taken place in the past, has been mostly post facto. It’s kind of like, well, what did you see last week? I saw this. Oh, OK. Well, what did that look like? And then I saw that. What did that look like? And then we compare notes.
What we really should be focused on is what’s happening right now and what’s likely to happen next week and how do we stop it before it achieves its objective. That’s the only way you’re going to get ahead of the threat. And we’re not going to get there by regulating the industry or trying to impose the Australian model on the cyber – you know, the providers. You’re going to have to deal with, how do we operationalize – I think Phyllis talked about this – we have to move at the same speed or faster than the bad actors in the world, whether they’re cybercriminals or whether they’re nation-state-sponsored or associated.
We have to be able to move faster. And the only way we’re going to be able to do that is by automation of sharing. And I’d like to use the term “active defense.” I think that my friends in DOD use that occasionally. And we got to really be able to detect the malicious activity in the network infrastructure and stop it before it achieves its objectives. You’re never going to be a hundred percent successful in doing that, but that’s clearly one of the foundation elements we have to build on for the future.
When you think about – so how do we do that? There’s a set of players, obviously. You know, we talked about service providers. We use the term ISPs.
Let me – let me just give you some context. In the world of the Internet, the way the global infrastructure has evolved, it is basically a set of autonomous systems operated by independent, mostly private companies, some very large – the AT&Ts, the Verizons, et cetera, the BTs, NTTs of the world. And then there’s lots of little players. There’s literally – I don’t know, Steve, do you know how many autonomous systems there are? Three thousand, 4,000, at least, maybe more? A lot. There’s a lot of them, OK?
And it’s not a neatly constructed hierarchy, OK? It’s not like, well, this guy’s doing a bad thing, so I’m going to shut him off, I’m going to disconnect him. It doesn’t work quite that way, OK? If you’re a third-tier – second- or third-tier provider, you’re connected in multiple ways through multiple venues. And there’s – it’s almost literally impossible to say, I’m going to shut, you know, company, you know, ASN-XXX down because they’re not behaving well. What you’re going to do is just create another – they’re just going to find another path to get past the things that you’ve been looking at.
So we really have to think about – holistically about this infrastructure, and clearly, being able to work with the responsible players and the larger – you know, the tier-one carriers, where there’s a lesser set of those and they typically tend to be responsible. They don’t want malware on their – on their networks; they don’t want malware-distributing servers on their networks. But it’s going to take cooperation and collaboration and an operational perspective to be able to deal with that. And we don’t have the mechanisms in place to do that.
One of the issues is basically, in the United States, is we don’t have a legal framework. I think Phyllis touched on this. As a carrier service provider, we’re subject to all kinds of laws and restrictions about who we can share information with about what our customers are doing. If you look at the body of law in the United States, the Electronic Communications Privacy Act and the Stored Data Protection Act and all the laws that have been written over the last 30 or 40 years having to do with some dimension of electronic surveillance or privacy in, you know, cyberspace – which is a term that’s not used – basically, nowhere do you find the word “cybersecurity.” There’s nothing – or nowhere is it defined that says for cybersecurity a carrier service provider can do the following things.
Everybody – we’re all in the same boat, by the way. Phyllis mentioned it from a, you know, McAfee perspective. But we want to protect the privacy of our customers just as well as anybody else. And the body of law does not really support real-time operational sharing.
So one of the things we think the Congress can do in the near term is start to tackle that problem. What are the legal modifications necessary to our current structure to enable us to do a better job of public-private sharing while we maintain the privacy of customer protected information? That’s essential, and we don’t have that capability today.
You know, I will – I’d like to close just by saying that, you know – we were talking in the back room about what keeps you up at night. You know, what keeps me up at night is the United States is no longer leading in the technology space, the way we’ve enjoyed over the last 20 years or so. If you look at the international standards bodies, where is the nexus of energy coming from? It’s coming from a lot of different foreign countries. We have become much more passive as observers in those fora as opposed to leaders in those fora. And that’s the scary thing for the future.
If you want to define what the future of the global infrastructure’s going to be, the Internet, you got to be in the leading position. And we’ve kind of lost that bubble in the United States. There’s a variety of reasons for that. Other countries have strategic visions and we don’t. But we’re going to have to figure out how we can regain that and regain some of that global leadership.
We also are – you know, I think global cooperation in cyber is improving in the law enforcement space, but we have a long way to go. Shawn Henry’s doing a great job at the FBI, but we can dump more cybercrime in his lap than he can possibly pursue, so we’re going to have to think about, you know, how do we, you know, provide additional resources into the law enforcement community. Because, you know, what we see, basically, in our network infrastructure – 90 percent of it is cybercrime of one sort or another. People are out there to make money and they’re very creative in doing that.
You know, the latest twist – and I’m going to stop with this – is now I’m not going to have to trick you into downloading malware. I’m going to sell it to you in – packaged in an application. I’ll set up my own little app store and I’ll sell you the malware and you’ll pay me for that and then I’ll – and I’ll profit from downstream.
So innovation in the – in the bad space is very, very rapid. We have to be able to innovate even faster, you know, from a defensive perspective and a technology leadership perspective. And that’s – I’ll close with that, because I want to finish on time.
Thank you. (Applause.)
ERIC WERNER: Well, so if being on the panel after – third on the panel after lunch is the worst spot to be in, I’m – I talked to Kristjan – I’m not sure exactly where that leaves me. (Chuckles.) But it is a pleasure to be here. Thank you all for sticking around for the afternoon session.
I’d like to add my thanks as well to Professor Lotrionte and to Georgetown and to the Atlantic Council for sponsoring this conference. It has been an enormously informative opportunity for me. It’s a pleasure for me to be here; a pleasure as well to be on this distinguished panel and on a topic of – an issue that I consider to be of particular importance, which is how we approach partnership generally, the public-private partnership in particular, and what we can be doing to drive it forward more effectively.
We’ve had a very rich discussion today. Clearly there have been a number of themes coda throughout the day, recurrent. I will try to be brief as well so we can get to the question-and-answers.
I’d like to start by just touching on what I consider to be an important focusing principle when we talk about partnership. Describe a little bit the vision that helps to motivate some of the work that Microsoft has done in this area, and then focus on some of our recent activities. Clearly we’re very involved, as AT&T and others are, in many of the partnership activities both here in Washington and throughout the world. But there are a couple that I think demonstrate some unique ways of approaching it, and sort of illustrate the points that – the themes that I think Melissa hit at the beginning, which are think big, start small and scale.
So with that, I’d like to begin by talking about one important focus principle, and that is – and we’ve been talking about partnership, the public-private partnership, for over a decade, tracing it back to PDD 63, at least, if not before then.
And we have a tendency in a lot of our discussions to talk about partnership as if it is the thing, it is the objective. Greg Rattray noted earlier I think a very prescient point, that security, we should recognize, is not the end – the goal of itself. It is a tool, it is an enabler to support what we’re trying to do with the systems that we’re seeking to protect.
Partnership’s the same way. We shouldn’t talk about partnership as the objective in and of itself, but partnership is a tool to an end. It’s not the what, it’s the how. And in that regard, we need to recognize that partnership, public-private partnership – you know, that partnership and collaboration comes in many different forms and we need to think creatively and flexibly about how we build our partnerships and where we take them.
More important than the partnership is the outcome. We need to be very outcome-focused and identify concrete goals and objectives that we can drive towards, using a partnership approach, to get to outcomes that have a meaningful impact to improve security and improve the ecosystem.
In international collaboration especially, we need to be thinking about how we build these partnerships. And we need not just public-private partnerships but, with the challenges that were outlined on the panel earlier, I think it’s increasingly clear that we need government-to-government partnerships, we need greater collaboration and discussion at the state-to-state level. We need public-private partnerships, but we also need more effective collaboration between companies, and not necessarily in broad fora.
As some of the – certainly the NIPP structure that we have at DHS is very strong, the CIPAC and the sector-coordinating council and government-coordinating council structures are very, very useful. I helped to build them when I was at DHS, and I recognize the value of creating a forum in which the government and the private sector can engage more fully.
But that doesn’t represent the sum total of the mechanisms in which we can be engaging with one another. And more targeted, focused engagement I think can effectively be used to establish coordination models that can then be developed through proof of concept and then scaled more fully as we work through the incentives and the disincentive issues, some of the business process issues that John identified in his remarks, that we do continue to have to work through.
So with that in mind, let’s talk a little bit about the vision that backs up the work that we do in some of our partnership activity and some of the work that we’ve done recently.
Scott Charney has talked at length about the context for the threat environment that drives some of our thinking. We’ve heard those themes echoed here as well today. There are many malicious actors, many motives. Low-cost technology, widespread connectivity makes – provides low barriers to entry for motivated bad actors. There are motives to engage in crime on the Internet, espionage, both economic and military, and all the way up to state-sponsored activity. Some of those we can grapple with as the private sector. Others of those are more clearly in the ambit of state responsibility. So we need to look and identify where we can have the greatest impact.
But in addition to the malicious actors and the many motives, we also recognize that similar techniques are being used. In talking about the dialogue earlier about whether we should be looking to treaty-based models for controlling cyber resources, we need to recognize, cyber tools, cyber techniques, unlike nuclear weapons, are not chiefly the province of nation-states. You know, we have creative people at our company who for years have been developing software. And as Jeff Moss noted at lunch, the people who are developing the exploits are not nation-states. They’re creative people out in the public domain. And therefore, we have to think differently about how we go after some of these threats.
The speed of attack certainly, and the difficulty of predicting consequences, and the fact that the worst-case scenarios, as we talked about, can be very alarming, contribute to the environment in which we have to work. But perhaps the most important feature, and one that has run through a number of the comments that we’ve heard today, is the characteristics of the environment. Call it a domain or not, call it cyberspace.
The fact is that the environment in which we operate is a shared and integrated one in which all of the things that we do, all of the values, all of the things that we propose in the infrastructure and in the virtual environment that it supports operate and coexist together in an inextricable fashion. Users operate together side by side. Citizens, businesses, organizations, governments. And the uses, whether they’re social, cultural, speech, commerce, national security, all of these are intertwined.
And the difficulty of that is, it’s very difficult to unpack and segregate them when you try and find solutions. That’s important, because, as Congressman Thornberry said in his remarks earlier today, there is a temptation – it’s easy to fall into the temptation to believe that what we need is a single master plan. The fact is that it’s very difficult to come up with a single master plan that will address everything, because the conflation of all of those uses and users together means that the issues they present are likewise intertwined and inter-tangled. And it’s very difficult to take an action in one place that doesn’t have an impact in one other area.
So when we look at issues like supply chain, for instance, we recognize that the steps that we want to take come into conflict with one another, because it’s often – the solutions that we propose will often put our values in contention with one another.
So in that environment, we also recognize that the environment is changing. We have a proliferation of devices, so the challenges of connectivity are getting even greater. IPv6 is going to exponentially increase that. We also have the fact of persistence of data and the persistence of memory that attends it. So issues of identity, privacy come to the fore even more strongly.
And we have an increasing role of governments. As the discussions here today have illustrated, governments that were once willing to sit back and allow the Internet to grow unencumbered are beginning to scrutinize much more carefully what role they ought to have, whether they ought to be exercising greater regulatory responsibility, reasserting sovereignty rights and the like. And as a consequence, that – all of these factors condition the environment.
Now, we have looked at these issues through a – an ecosystem perspective rooted in a public-health model. Greg Rattray alluded to this earlier, talking about sort of the holistic approach. And in that, we have – we have taken an approach to response to some of these challenges by evolving the defensive postures of the past, which started in individual protection, individual defense, where we had enterprises building firewalls, configuring their desktops and essentially trying to, you know, build walls and moats around themselves to an expanded vision of collective defense, leveraging the capabilities and opportunities that we as a community on the Internet can undertake to more effectively defend our systems by leveraging the opportunities of our positions and working in better concert with one another.
What we’re seeking to do is apply these principles to move beyond just observing the badness to trying to promote goodness, to be more active about promoting machine health, working at an – working to achieve an environment where we are seeking to get to block and defend against infections in the system, and then seek to help end users clean up their systems and maintain a better state of system health.
Our thinking has evolved over the years as we’ve developed some of this. So, you know, we recognize now that simply turning it over to the ISPs to block and quarantine doesn’t align well with some social expectations or existing business models. We recognize that there has to be a greater emphasis on user choice and control. And so we’ve begun to explore these and seek more flexible options for applying them.
There is an important difference, however, in the public health model versus – the public health models applied to cyberspace versus actual public health issues. And that is that biological pathogens aren’t affirmatively malicious; cyberadversaries can be. And therefore we have to adapt our approaches to address that.
So what have we done in order to address some of these issues? So very quickly, the best illustration of what we have done in this space is to leverage our capabilities, leverage the legal system and partnerships with the ISPs and the research community to move in the area of botnet takedowns. Very quickly, a year ago many of you probably heard coverage of our work in February 2010 to bring down the Waledac botnet. At that time, we were able to attain a court order to sever 277 domains believed to be part of the botnet, severing command and control for that, bringing down about 70,000 to 90,000 infected computers.
Through subsequent cleanup efforts with ISPs and CERTs around the world, and some of the natural decay in the botnet itself, we now estimate that there are about 22,000 remaining infected IPs as of March of this year.
Building on this, more recently we extended this even further, into the work that was recently announced in the press of the takedown of the Rustock botnet. Among the largest of the botnets, it was estimated to be responsible for 40 to 60 percent of all global spam and capable of sending up to 30 billion spam e-mails each day. We estimated that at its height there were 1 million infected computers.
So we built on the learning that we took away from the work on the Waledac case a year ago, and this time we were able to develop a complaint in partnership with Pfizer. Pfizer was one of the impacted parties, because the botnet distributed a significant amount of spam on counterfeit pharmaceuticals.
We went after IP addresses rather than the domains. The court order allowed us to capture IP addresses and seize effective servers and hard drives from five hosting providers and seven locations across the United States.
What’s important about this is that we couldn’t have done this alone. We did this in collaboration with industry, academic researchers, law enforcement agencies and governments around the world. We worked with Pfizer, the network security provider FireEye and security experts at the University of Washington, all of whom provided declarations in support of our complaint in order to get the relief from the court. We also worked with the Dutch high-tech crime unit within the Netherlands and with China CERT in order to dismantle part of the command structure for the botnet operating outside the United States.
Cleanup is also important, and we are also working with the ISPs and with CERTs to continue our work, to notify customers and to seek remediation of the infections on their computers.
I see I’m out of time, so I will wrap up with that and leave it for questions. Thanks. (Applause.)
KRISTJAN PRIKK: Thank you. Good day. This morning I actually thought that this is not going to be that good day. I missed my – I missed the speech of General Scowcroft and most of the first panel due to a minor car accident. But the conference has really turned my luck around, and I feel that this is one day worth living. (Laughter.) So I want to thank – I want to thank Georgetown University. I want to thank Catherine and Melissa very much for this opportunity.
Anyway, I’m going to give you a short insight into a – the way Estonia has organized or benefited from the public-private partnership on a national level, how Estonia has used public-private partnerships to build up its national cybersecurity.
And I’m not claiming that this is the right or wrong way. I’m not trying to say that this is the model that any or all of the countries should copy. But I’m just saying that this is something that we think does work in Estonia.
Now, before – OK. I have to also stop for a short while on the sort of Estonian context, or – I do think that Estonia actually is somewhat different than most of the other countries, so I have to also prove you why the public-private partnerships may work better in our case.
So Estonia – first thing that really sets Estonia very much apart from the U.S., for example, is that Estonia is not a big country, it’s not a small country; it’s a very small country. We only have 1.4 million people. So it’s just a(n) almost-decent-size city here in the States.
So this brings some of the benefits as well as some of the down sides. But Estonia’s also very different from many other countries in the – in the sense that, whereas we have a lot of countries where Internet penetration is low and almost no e-services exist, we have an increasing number of countries where the Internet penetration is getting higher and higher and people are using the – mostly private-sector-provided, Internet-based or mobile-based services.
But Estonia really has struck a balance where we have a balanced, very high demand and supply of e-services from both the private and public sector. In many or, I would say, in most cases, these services have a mix of government and private-sector input. And e-solutions are very widely used and dependable in the society.
I just brought a short list for you, to show the sort of range and diversity of those services that are widely used. As I say, there are – 98 percent of all bank transactions are conducted online. I’m so young that I’ve never had an Estonian checkbook. I’ve – I hardly visit any bank office at all. I mostly do everything online. Ninety-eight – 92 percent of tax declarations – this was the last (founding ?) – were submitted online.
And I’m saying this as not just a modus to – a mode to send your tax data using telephonic channels, but this is actually a government-supported, government-developed, free channel for every citizen to – or free platform for every citizen, which actually allows for getting your tax report filled. You only go over it, verify, and if there are some mistakes you correct them. But for most people it takes, like, 10 to 15 minutes, and no dollars from their pocket, to fill – to do their taxes. And – which also means that they can get their returns and deductions and everything much faster too.
And parking. In Estonian capital, 85 percent of parking revenue comes from – through the mobile service providers. People pay for their parking using their mobile phones, cell phones. Then out of our 1.4 million people, about 85 percent of them have the government-issued, industry-supported, microchip-based national ID card, which also the legal aliens can get, and which is sort of the backbone for most of these authentication services.
Then, Estonia is the only country which has held – and, by now, already twice – national elections using Internet voting – again, using this chip card. This time we had general elections just a month ago. Around 25 percent of people who voted did it using Internet. Out of them, around 2 percent actually used a mobile-phone-based voting option that was used – in use for the very first time and is (seen ?) grow in the future.
Then we have national health – electronic health records. And I know all the – yeah, we – I know all the problems we’re – that have been here in the States. But this thing really works in Estonia.
So these things are all optional. These are not things that people really have to do, but this is an option. And people have really embraced it.
Now, as we know, we all know this 80 to 85 percent figure that – the infrastructure that belongs to the – belongs to the private sector rather than the government. And this brings us to reality. The whole-of-government approach is a must when it comes to cybersecurity. But the whole-of-nation approach is a must too, or this is something that we – it’s not an option; this is a must. The bad guys go where the money is. The money is where the private sector is. And when the government and private sector can find out what the bad guys are up to, the society’s better off.
And we certainly need, also, the international efforts, not just live in the bubble or have a naïve thinking of the bubble.
Now, 2007 in Estonia, many people asked whether this was the time when we thought – (inaudible). 2007 definitely was a wake-up call. But many other countries, I would say, pressed snooze, and they did it also after things in Georgia. We certainly didn’t. But we had PPP present already before 2007. In fact, in 1998, I believe, was the year when the major ISPs, banks, came together and had the very clear understanding that the – their sort of cyber risk managers had the understanding that we have to collaborate, we have to share data, we have to stand as one bloc against the – against the bad guys. Because one day – one day they’re going to attack us. The next day they’re going to attack the other guys.
But 2007 definitely deepened the understanding for cooperation.
Now, the – we came up with the cybersecurity strategy, which had the clear aims to deepen the public-private partnerships and also the means for that. Basically, what we wanted to do – we wanted to avoid creating very hierarchical organizations, but rather sort of design the official structures to resemble the ones that were there before informally. Now, the main PPP areas focus on the protection of the critical information infrastructure, of course. And the government and the private sector act in sync. We are trying to do it not as a way – as the government, just to mandate and regulate, but rather to consult and offer advice and assistance, if needed, to the private sector.
Now, I won’t go into the organization’s chart, but I would claim that we have achieved the – achieved the goal whereby, actually, the private sector does have the levers and channels to the top decision-makers in the government, avoiding sort of stupid decisions being taken just because someone wants to overreact or do something like that. And at the same time, the government has the way to consult and get some insight from the private sector.
And there – I know the time is up, but since many people have asked this, about the so-called Cyber Defense League: This is something that we have created to – it’s based on the organization that we have had for almost nine years by now, the voluntary defense organization. But we created a cyber part of it, which is a(n) all-voluntary national cyber corps, both private and public-sector experts from different fields: not just IT guys but also lawyers, economists and so on. And it helps to train, educate and provide the exercising and training sort of forum for those people.
And it really benefits not only the government but also the individuals. And these are my conclusions. The primary – since the primary targets of the attacks are the private companies, the public-private partnership is something that we have to do, and the interagency cooperation is something that we have to do. The way that, in Estonia, we have had shared efforts in creating tools and content by the government and public and private sector also has helped us in this PPP world of cybersecurity. We have the same sort of goals and same aims.
Trust is a – is an invaluable commodity. We cannot get it without the – informal networks work, often, better than the official structures. And small is effective, but size sometimes can be also an impediment. Melissa said that – think big, start small, scale fast. We tried to think big. We start small, but we remain small. We are small. (Laughter.)
Anyway, thank you very much. Happy to take any questions. Thanks. (Applause.)
MS. HATHAWAY: That was great. Thank you.
So I guess some of the key takeaways: partnership – the partnership is not the what; it’s the how. And that needs to be focused on the outcomes, whether it’s reducing spam, detecting fraud, incubating the new technologies and creating the innovation agenda. It can’t be done by just one of us; it has to be done by all of us. And it’s the private-private partnership; it’s a private-public partnership; and it’s a public-public partnership. And whether that’s a public-public state-to-national-government or it’s a public-public partnership of government to government – and it has to be spanning the geographies and the globe. And – because it really will take all of us to begin to solve that problem.
So as we think big, we start small and scale fast. And I always have an ask. For those of you who know, I had to – I spent a lot of time in Congress, sort of testifying and briefing Congress, during the course of my tour in the government. And you never leave the – without an ask. And so my ask to each of you, if you were king or queen for a day and you asked for just one thing to facilitate that private-public partnership, or the public-public partnership, what’s the one thing you would ask for tomorrow?
I’ll start with Bill. And then I’ll open up the floor to questions.
MR. GUENTHER: Sure. I do think, as I mentioned at the end of my comments, that having the federal government play a match funding role – I don’t – having dealt with state governments and federal funding over the years in different areas, I’m a deep believer in challenge matches. So I think that having the federal government put up some funding for some of the best collaborations and require a match from industry and participation by industry would be a critical piece.
John, just to pick up on your point and just add one other: that we took a look at this issue of legal policy restrictions with Jack Goldsmith and Foley Hoag, and we actually didn’t find that many. And to some extent, you know, it may be a red herring: that actually, it’s the disincentive in business practices. So that’s the other piece, I think, just to take two instead of just one and be greedy: that somehow we have to create the incentives for business to share information and to work together in these kinds of collaborations.
Again, I’m not sure the policy/legal is the big hurdle.
MS. HATHAWAY: Kristjan, what would be the one thing you would ask for?
MR. PRIKK: I would definitely like to invest as much as possible of money, human capital and so on, into any measures, any events, any tools that can be created to support trust-building and relationship-building.
As I said, as we see in Estonia, personal relationships matter in critical moments much more than any good technical tools or official structures. And this may be counterintuitive, but sometimes I even feel that people should use less Facebooks and Twitters and sort of try to get together personally much more than they – (applause) – they tend to these days. Because when something really bad happens, those face-to-face relationships, they matter.
MS. HATHAWAY: Phyllis, what would you ask for?
MS. SCHNECK: Let me hit send, right? So when you have the big picture there, let us get it out in a way that’s safe for our companies, in a way that gets into law enforcement, and come back to a point that General Croom made earlier today, into – and I’m not putting responsibility on the ISPs, but into the network routers so that bad things can be stopped in real time. Let us get it out there.
MS. HATHAWAY: Eric?
MR. WERNER: I think a constructive discussion among government and the private sector about some clear, specific objectives – not sort of broad long-term strategic issues, but what are the gets that we can do now? What – I would like to take a more programmatic approach, rather than long-range approach, to some of these issues, and identify particular issues that we can target and work on together.
MS. HATHAWAY: John.
MR. NAGENGAST: Get the last word? Is that it?
MS. HATHAWAY: You do. You get the last word.
MR. NAGENGAST: Oh, OK. I would simply say, you know, I would create incentives for innovation and investment in cybersecurity, which includes resolution of the legal issues. We run into that every day. I’m coming at it from a different perspective, obviously, but we deal with that on a continuing – we have more lawyers, I think, than we have cybersecurity engineers at AT&T. That’s another story. (Laughter.)
But really, you know, again, enabling the investment. We want to be the leaders. We got to regain leadership in the world as part of moving the world to a more secure environment. It’s the only way it’s going to happen. And we have to create the environment in the United States where people want to invest, want to invent, want to incentivize. That’s what we need.
MS. HATHAWAY: Thank you. I’m going to open to questions on the floor.
Q: Yes, hello. Out of this panel, I actually got several salient points. In the cyber area –
MS. HATHAWAY: Excuse me. Could you – could you tell us who you are?
Q: Yeah. My name’s Mike Zeberling (ph). I’m with a defense contractor. In the cyber area, clearly there’s a plethora of options that are all highly debated and bandied about. However, some are more effective than others, some are better than others in having a real impact. And I’d like to ask the panel their opinion on three particular – Cyber Defense League. Other countries have it. Maybe it’s a cultural thing in the United States, but it’s something we do not have that I see our country could benefit greatly from. And how would we approach that and embrace that so that could take root in America?
The second thing is with the Microsoft takedowns. There’s probably been about two takedowns a year for the past three years, and that seems to have been very effective. And what can we do to ramp up the pace and rate of those takedowns now that that model’s been successful?
And the third of which is, we have a tremendous amount of cybersecurity talent already in the industry. However, they do not – you know, EV (ph) community, security communities and Defense. But they don’t have the clear authority to do various things. So under the concept of cyberstrike teams, is there a model that could be used to empower or give some type of get-out-of-jail-free card to enable vetted researchers or security people to actually assist the government in resolving some of these threats in a more timely manner so we don’t have to wait till 2018?
MS. HATHAWAY: Wow. That was a lot of questions. So I’m going to try to – Eric, if you could – how can you increase the rate of takedowns, in a couple of words?
MR. WERNER: So there’s a – as you can imagine, there’s a tremendous amount of work that goes into these efforts. And right now it’s largely our digital-crimes unit, working with our malware protection center and trustworthy computing, that have been spearheading these efforts. What would help to ramp up the pace is developing a framework where others in the ecosystem who have similar equities at stake, who have legitimate claims – what we call standing in the courts, to be able to pursue these – would begin to stimulate action themselves, come to us, and, you know, we can discuss the methodology in which, you know, we have approached these issues.
They’re resource-intensive, obviously. The reason they get done one a year is because it takes them time to build it up, to develop the case, to do the research and so forth.
I think the best way to stimulate that is to get other people who are prepared to take the proof of concept that we’ve offered and act on it themselves.
MS. HATHAWAY: I’m going to answer the – I think the bundle of the other two questions. In the Cyberspace Policy Review, we identified that we needed to have an overall national education and training program writ large. And that starts with awareness first. There are 133 universities that are part of the information assurance centers of excellence, and, of them, another 33 that are getting National Science Foundation grants. And there’s a lot of education programs that are ramping up across and around the United States, and I think that you’ll see more universities become those centers of excellence as that program gets revamped over the course of this next year.
And then there’s some real talent development that’s happening with the overall national cyber challenge, which is the university competitions, where there’s actually problems where the universities have to go after and solve the problems. And then that’s been extended down to the high schools. And this week the Air Force Association is actually going to be recognizing 15 of the high schools that won the competitions, out of 700 schools around the country.
The thing that I found most notable was there was not one high school in the Northern Virginia or Maryland area that won. And that was, I thought – interesting fact. And so I’m going to be digging into that further. (Laughter.)
And then I think that that needs to be brought into, actually, the elementary schools. Because as my back-to-school homework sheet for mom was – I had the opportunity to get to explain to the principal why a thumb drive wasn’t going to be going back and forth between school and home. (Laughter.) And I’m picking it up with the school board now.
And so as we start to – (chuckles) – create these opportunities for education around America, I think that you’ll see an emergence of a broader cyber-defense league and adoption of the technology.
Thank you for your questions.
Q: One quick follow-up, really quickly. Is there a particular reason why we haven’t evolved to a point where we’re actually doing – using botnets to self-delete themselves? I know it’s been talked about in the past, but I think we’re at that level where we can effectively analyze these threats to ensure that we don’t kill somebody in their hospital bed. So can you address it real quick? Thanks.
MS. HATHAWAY: I would like to recommend that that would be taken offline and at the break or over the cocktail hour so we can get to the next two people in line.
Q: Thank you, Ms. Hathaway. I’m David Smith (sp). I’m director of the Georgian Security Analysis Center in Tbilisi, Georgia.
I’d like to – Melissa Hathaway made you king for a day. I’d like to go back to Mr. Nagengast and Mr. Prikk and extend your reign for another day or two, if I could, and try and draw you out a little bit more. And Mr. Prikk, I’d also like to ask you another Estonia-specific question.
So on the king-for-a-day thing, OK, great, it would be better if we had developed more incentives for private industry to invest in cybersecurity. I don’t think anybody would disagree with that. But how about some ideas? Do you have any thoughts about what would those incentives be? Are they tax breaks? Are they – how do you get them to channel in the right kinds of security? Do you have any thoughts?
And specifically, Mr. Prikk, what have you done in Estonia along – I know it’s a very small country and the problem is somewhat different, but there might be some things to learn there. What have you done in Estonia to convince businesses to do this, particularly the ones that are more reluctant? The ones that think it’s a great idea are not the problems. It’s the ones – it’s the laggards that may hold a piece of critical – of critical infrastructure.
And then, Mr. Prikk, if I may ask you a question about the civil cybercorps, do you do any kind of vetting of the people who are involved in that? Do you know who they are, what their backgrounds are? And have you had any problem with Russian infiltration?
MS. HATHAWAY: We only have a couple minutes left, so if we can –
MR. NAGENGAST: That’ll kill it. But let me quickly answer. Start – I would start with the federal government, as the leader in cybersecurity, acquiring effective cybersecurity solutions. I would start with that, just as – you know, the market responds to the market demand. And the federal government is the largest single buyer of IT communications services in the United States.
So if I was – if I was king for a day, I would start with saying, hey, the federal government is only going to buy secure products and services. And of course we need some risk metrics to go along with that, to say, you know, what are the effective ones?
MS. HATHAWAY: Kristjan?
MR. PRIKK: All right. Firstly, the answer to your last question, yeah, we do have some vetting. There are different layers to that, so we can discuss that later. And regarding the reluctance of the companies or their willingness to cooperate on that, I think that there’s actually – it has to do something with the sort of overall, as we say, cyberculture. Estonians – the private citizens have really embraced the idea of doing more in cyber. People are constantly asking, why can’t we do this electronically? Why can’t we use our ID card? So this – people also have less sensitivity to – regarding their loss of privacy and so on.
So – which also triggers companies’ willingness – or to – (inaudible). So we really haven’t had problems with convincing companies to come forward on that.
MS. HATHAWAY: We are out of time. And I have had the honor to work with many of these people for – and colleagues for the last more than a decade. And it’s going to take all of us to drive the private-public partnership, to get to the innovations and solving the problems.
So thank you very much. If you please. (Applause.)