Admiral Michael Rogers Discusses Cybersecurity, C-SPAN, November 20, 2016, 11:30am-11:56am EST
challenge here that requires attention? Yes. Is there a role for CEOs to play in this? Yes. When I talk to the C-suite, one of the things I will normally ask when talking to CEOs is: talk to me about the conversation you are having with your CIO and CFO. Tell me about how you're setting expectations. Who defends your networks? You don't want your network security being decided unilaterally. What is important to you as an organization? You as a leader need to set that tone.

If you've got to prioritize, this is what I want you to focus on. This is what I think we need to, or should be willing to, take some level of risk on. You have to set that tone. When I ask what they think is important, I get totally different answers. And you need to shape that discussion. You have many other challenges for your time. I don't pretend that this needs to dominate your life. But there is a significant role for you to play.

>> What can go wrong? After the Sony hack, you got a call one Thanksgiving.

Admiral Rogers: I was with my family.

>> What can we learn from what happened at Sony?

Admiral Rogers: I thought the positives were great collaboration between a private
company, the computer network expertise they brought on. They knew they were dealing with something, and so they hired expertise and capability from within the private sector. They then came to the conclusion that this was something bigger than they had initially thought, and they felt they needed to reach out to the government. I give them big kudos for that. They could have said to themselves, we need to minimize this, let's not really confront this publicly. I thought it was a real positive. They were very up front when they approached the government: we would like your assistance in trying to make sure we truly understand what happened. We would like your views on how we make sure that doesn't happen again. They were very open.

One of my concerns was, I'm a government guy, I and others are part of the government team, and if you want us to provide value and insight, the only way this will work is if we get full access to your network and data. It's the only way we can really generate the level of insight I think you expect from us. I realize that may make you uncomfortable. You're opening your structure, your networks, your data to the government. You have to be comfortable with that. They came back to us and said, we are comfortable with that, as long as you inform us of what you're doing, why you are doing it, and exactly what you are doing, and you stick to that. As long as we do that, we have no issue. I thought the dialogue between Sony as a company, the private entity they hired, and the U.S. government response team, largely ourselves, FBI, and DHS, was a great information flow.

>> But there were some things that went wrong. It took them a lot of time to detect this, right?

Admiral Rogers: What we usually find, and it doesn't matter if it's a commercial network or a government network we have been accountable for defending, is that there is a significant time lag for most organizations between discovery of activity and the time the adversary initially penetrated the network. That is normally some period of time between 3 to 6 months. That was certainly the case in the Sony scenario.

>> How concerned should we be about state actors? North Korea was reportedly the one in
the Sony incident.

Admiral Rogers: The fact that the set of actors is so large and so diverse is one of the problems. Depending on what source you want to use, from a cyber defensive standpoint, probably 60% to 65% of the activity of concern we see is criminal: individuals looking to access systems for access to personally identifiable information, Social Security numbers, credit card information, to take it and use it to generate revenue. Criminal activity includes theft of intellectual property. At the same time, you have nation-states. You find them engaged in actions designed to penetrate the networks within the commercial sector. You also find individuals and groups who are brought together under a specific ideology or focus that brings this disparate, disconnected group together. It will harness the power of the web to bring together people with little previous common interaction, knowledge of, or awareness of each other. It will bring this wide group of geographically dispersed individuals who will coalesce around a particular issue. They will harness that interest with a specific outcome. There's a wide range of actors out there.
>> I want to ask the CEOs out there a polling question, and I will ask the admiral as well. Do you trust the government enough to work with it during a cyber attack? A, absolutely; B, only if my company is attacked; and C, never.

Admiral Rogers: A public-private partnership has not gotten off the ground, maybe, the way it should. Clearly we will have to wait and see what the future holds. On the other hand, my concern is I don't want it to get to the point where it takes some significant calamity to drive this to the conclusion that we've got to do something different than what we are doing, but the ultimate solution is how you can bring this public-private partnership together. As the director of NSA and Cyber Command, the agreement I reach with whoever we are working with is, I will not use the data we gained for anything other than the exact purpose I communicate to you. It doesn't work any other way. I certainly understand the concern. That fits into a broader historic narrative. As a nation we have to differentiate between what is the role of the government and what is the role of the private sector. That has stood us in pretty good stead. My comment would be, cyber does not recognize these arbitrary lines we have drawn. We love to organize around geography in the army. Structures and the World Wide Web, they are not organized that way. We often use these kinds of traditional boundaries as vehicles to help us organize and deal with problems. I don't think they are necessarily optimized for the world we are living in now. It's unrealistic to expect the private sector to withstand the onslaught of activity being directed against them. Likewise, I don't think it's the government saying, we will just do this. The challenge with the government doing it: if you want to defend something, I can't do it from the outside. It's like fighting with one hand tied behind your back. It doesn't generally lead to positive outcomes.

>> The poll numbers show 56% absolutely, 34% only if my company is attacked.

Admiral Rogers: Less than 10% of you said there are no circumstances under which I would consider doing that. That means there is a willingness to have some form of dialogue, and potentially look at that as a possibility.

>> I want to talk about tech. You talked about encryption. You are a proponent of encryption. We had this San Bernardino phone. How can you be pro-encryption and favor intelligence getting more of what it needs?

Admiral Rogers: My experience leads me to believe it's very simplistic to paint it as either/or. I am a proponent of
encryption, but I'm the first to acknowledge that I don't know what the right answer is right now. At its heart, we are a nation about can-do. Every time I'm out in Silicon Valley talking to leaders out there, I will say, this is all about the power of possibility, and yet we are spending a lot of time talking about what we cannot do. We need to differentiate between what can we not do versus what should we not do. Those are two different conversations to me. I think the tech sector plays a huge role in that. We want to have a broad dialogue and generate a broad consensus here, not a government arbitrarily deciding, this is the right answer. From a corporate perspective, I don't think it's your role to tell us what the right answer is. The sweet spot is, can we come together and answer the right question. What could we do? That's largely a technical issue. So, given that, what should we do? You gave me a set of possibilities. Which of those should we have to do? That gets into policy, the legal framework, ethics, what are we comfortable with. That's an important conversation for us, and a conversation I would argue you want to have in a much broader framework than, let's get 10 tech people together and let them figure this out.

>> The scale of ISIS and terrorism --

Admiral Rogers: Clearly we are not where we want to be or need to be. If you look at the level of activity out there, if you look at how the dynamics are changing here, I don't think we are where we want to be. Some would argue, and I understand that intellectually, you are asking me to do something that is really not my function. I think you are part of the solution. I don't pretend for a moment that it is only your issue or only your challenge. I think we just need to expand the parties involved in this conversation about what can we do and what should we do.

>> On WikiLeaks, you told NPR in August that these e-mails were leaked for a reason and to achieve an effect. What can you tell us about WikiLeaks from what you know?

Admiral Rogers: Because there is an ongoing investigation, I'm not going to get into the specifics. I'm very comfortable with that. There shouldn't be any doubt in anybody's mind, this is not something that was done casually. This is not something that was done by chance. This was not a target selected purely arbitrarily. This is a conscious effort by a nation-state to attempt to achieve a specific effect, and we have been very public as a government in saying that.

>> You have also been public as a government in saying, this is not acceptable. This first question is from one
of the CEOs: how proactive are we being against the persistent hacking coming from Russia and China? And I suspect by the word proactive, it doesn't just mean defense.

Admiral Rogers: Every case is different. But I remind people, when you step back and think about how we are going to change the dynamic we are dealing with out here, there's got to be multiple aspects to that. We are trying to make life harder for hackers, we are trying to increase the level of knowledge, increase capabilities. We are trying to deal directly with a host of nation-states around the world and engaging with them in terms of what's acceptable from our perspective, what is not. We are using the legal tool. We have used indictments against PRC and Iranian individuals. We are prepared to use multiple tools and capabilities within our toolkit, if you will, designed to drive you to change your behavior. On the Chinese piece, the conversation that led to the presidential summit in September of 2015, where the two presidents, Xi Jinping and President Obama, came out and said we agree we will not use cyber as a tool of a nation-state to gain economic advantage. That had been one of our biggest issues with our Chinese counterparts. You acknowledge nation-states will use cyber as a tool to gain insight and knowledge about what is going on in the world around them, but in the U.S. system we do not then take some of that knowledge that we acquire for intelligence purposes and turn it to the private sector and say, this is what you will have to compete against. We don't do that. Some nations do, though, and we raised this with the Chinese, saying, this is totally unacceptable. As with the actions I mentioned with the Iranians, we indicated, we publicly acknowledged the activity. We publicly attributed the activity to a particular nation, in this case the North Koreans. We said, we will take an initial response to this in the form of an economic piece. We put sanctions against individuals and a couple of particular entities, portions of the Korean government. We highlighted to them publicly, this is an initial step. If this does not change your behavior and we see continued actions directed against us, we are prepared to take additional action at the time and place of our choosing. That seemed to have had a positive effect. My key takeaway for all of you would be, there is no one size fits all here. We make a decision based on the particulars of the conduct.

>> So much of security seems to be about taking existing systems, architectures, and hardening them.
That is so much more difficult than anticipating where the world is going. Any guidance on how you guys are addressing that?

Admiral Rogers: I was just reviewing this this morning with the team. Our strategy is designed to replace the infrastructure that currently exists. This will take time and significant investment. You are not going to do this in the course of a couple of years. You see that challenge more broadly for us as a society. If you just look at the amount of money we have right now as a nation in fixed capital costs and existing infrastructure, the idea that we will one day wake up and say, we will replace this in a year or two, that is not a realistic strategy. We do not have the resources, and you would not have time to do it in a year or two. Our strategy is: replace old infrastructure, harden existing infrastructure while doing that, increase the capability of your networks and other technical capabilities. Build a workforce that is more cyber proficient, both your high-end cyber workforce as well as all of your users. Anybody we have given access to a keyboard is now a potential point of vulnerability based on the choices they make. There's no one single silver bullet to all of this. It's a lot of roll up your sleeves and hard work.

>> Thank you very much.

>> Thank you. [applause]

>> Now a look at corporate culture and governance with New York U.S. Attorney Preet
Bharara. This is 20 minutes.

>> Good afternoon. Thank you for joining us. Given that part of your job involves prosecuting companies and occasionally CEOs, what are you doing talking to a room full of CEOs?

Preet: Over time I've come to love the sound of nervous laughter. Thank you.

>> You talk about the importance of culture in companies. Why is it so important?

Preet: In addition to being the chief law enforcement officer in Manhattan, I'm sort of the CEO of my institution. I have to make decisions every day about how we allocate our resources. For my office as an institution to do well in what its prime mission is, to make sure justice is done, I have to care about culture a lot. No CEO worth his or her salt would think otherwise. It is required by Justice Department policies to take into account things like the pervasiveness of criminal conduct at a company before you decide to charge a company, and to take into account what their compliance policies are. All those are things that make up the culture of a place. Some companies have a lot of bad apples, and some have fewer. My armchair judgment has been that there is something about the culture of some places that keeps corruption and misconduct in check more than at other places. The difference is not necessarily what people get paid. It has something to do with the ether of the place, and the leadership that makes sure you have a culture of integrity in the place.

Rebecca: Every company has compliance, rules, best practices. What is the specific role of the CEO?

Preet: It's a cliche, I'm sure, for everyone in the room to talk about tone at the top. There's a reason things are cliches: because they matter. Given my line of work, it's incredibly important that compliance policy is in place. You need to have a compliance department, and the same with the country: it has Title 18 and lots of rules and regulations, and you need them more or less depending on your perspective, but as a country we also need a charter. It sets out some fundamental principles on how the company is supposed to conduct itself. You have your compliance policy. In some cases they run 100 pages or longer. But you also need a charter for the place, so that people understand not just that you are supposed to follow these rules, but that there's a general principle that has to come from the top. I'm impressed when people tell me that when a new employee comes into a hedge fund or trading company, the general counsel once said -- I wanted to ask, does someone say to those people when they come in, does someone like the CEO say, separate and apart from the regulations we have, in this place we don't lie, we don't cheat, we don't steal. If you do, you're out. Those things make a difference. I asked at a meeting where a company you may have heard of was pleading for leniency a question: could you give me an example? Person after person at the company had been indicted and convicted. Can you give me an example of one time the CEO of the company, in an e-mail, a speech, a phone conference, said, I care that people do their jobs honestly and with integrity? There was deafening silence. That tells you, and it's not a shock to me, that the culture at that place was terrible.

Rebecca: Was this