tv   National Press Club Discussion of Corporate Cybersecurity  CSPAN  December 31, 2018 1:46am-2:55am EST

1:46 am
c-span's "washington journal," live every day with news and policy issues that impact you. we will open the phones and take your calls and reactions to the government shutdown, and your top news stories of 2018. be sure to watch "washington journal," live at 7:00 a.m. monday morning. join the discussion. >> the national press club hosted a panel discussion with global corporate leaders who explained the global initiative to provide free basic tools and resources for businesses to improve cyber security raising -- security readiness. this is just over one hour. >> good morning, everyone. good morning and welcome to the national press club, the place where news happens. i am an editor at bloomberg news and the 100 -- 111th president of the national press club.
1:47 am
before we get started, if you have not done this already, please silence your cell phones. you don't want them going off during this program. if you are tweeting today, which we encourage, we are pressclubdc. 70% of cyber attacks worldwide are against small businesses. most of these businesses don't have the tools or knowledge to prepare for hackers looking for vulnerability. often, the hackers are not looking for anything specific, but rather seeing if they can find something of value. they steal credit card information, access confidential material, or propagate identity theft, among other crimes. they pursue the path of least resistance, and will often use a small business as an entryway to a larger, global company, or
1:48 am
perhaps a government entity. for example, a shoe store or a supplier of engine parts can be used to gain access to systems run by global companies, which instantly blows up the size of the problem. the cyber readiness institute includes senior executives from global companies, including mastercard, microsoft, exxon mobil, and gm. it was set up last year on the heels of a report by a government commission that prepared recommendations for the white house on securing the digital economy. the commission was led by one of today's guests. she is now managing director of the cyber readiness institute, and is a scholar at the university of pittsburgh. she has held positions in the executive and legislative branches and is also the founder
1:49 am
of liberty group ventures. i will skip over you for just one moment. we will come right back. [laughter] we are also joined by the general manager of engineering, consumer trust at microsoft, and the ceo of mastercard and cochair of the cyber readiness institute. coming back to the gentleman in the green tie. [laughter] it is a beautiful tie, i love it. former ceo of ibm and cochair of the cyber readiness institute. he is also chairman of the center for global enterprise, a private, nonprofit, nonpartisan research institution that studies corporations, management science, global economic trends, and their impact on society.
1:50 am
samuel will open our program today with some comments about the launch of the cyber readiness program. i will then ask you a few questions and open up the q&a to your questions. join me in welcoming samuel and all of our panelists. [applause] samuel: thank you for that wonderful introduction. i thought i would spend a couple of seconds putting into perspective why we decided to do this and create this entity. andrea: could you speak up? samuel: i'm going to try to give you some perspective. today is the essential launch date of the learnings and process and management at the cyber institute. there is more to come, but this is the first phase of where we are. it began as a result of the time we all spent on the commission,
1:51 am
the nonpartisan commission we worked on for president obama. we -- very important stuff. ajay: sam cochaired and drove us crazy. [laughter] samuel: i had a lot of support. seriously, once we finished the recommendations from president obama, we realized collectively as a group that there was not enough focus on the small and midsize companies, and the worry we had was that the larger -- yes, there are lots of issues associated with national security and large businesses, but there are lots of resources focused on the problem. when you get in a small business
1:52 am
and very small business, the problems are just as large but very few resources focused on the problem. what could we do to help small companies prepare themselves for the world we live in today? they all have a digital experience but very little expertise. that's why we decided to focus this nonprofit initiative, which we are, we are all nonprofit initiatives, in this space, so we look at the value chains of these companies. wonderful company like exxon mobil, gm, microsoft, etc., american express. they know their extended value chains, their partners, the suppliers, their drillers, restaurants, whatever they happen to be, all have vulnerabilities, and don't have the management systems in place to address those concerns. that is why, it's really an economic orientation that we felt that if we could help improve the economy, and if you
1:53 am
could lessen the risk associated with cybercrime or fraud or hacks, more than just disruption of service, that you could actually benefit these companies as well as the economy as a whole, so that is the origin of how we began. it has taken us a little more than a year to put together the toolset we have today. we had a lot of help from a lot of different organizations. a lot of companies have joined us, these large institutions with lots of learning have helped us do this. this is where we are, we are launching, this is -- there is more to come. i guess i will pass it back to you. andrea: can you tell us a little bit about the tools you're going to be offering small businesses? what are they going to be able to use? how is this going to help them? samuel: we will do this as a -- basically, think about
1:54 am
what are the basics of need for cyber as a small company? let's start with cyber hygiene. simple things. i was teasing some colleagues -- how often do you change your passwords? we are not talking about two level authentication, how often do you change your passwords, and are they not your children's birthdays? then you get into sophisticated stuff like some of what kind of firewalls have you established, what culture do you have in the organization as far as the tone at the top, coming from the management system? what do you expect employees to do, how do you expect them to behave? if someone is sending a message you don't recognize, it is a good indication someone is trying to get in, and what you do? all of that stuff around the learning associated with cyber
1:55 am
from a broadly processed management system. you want to jump in? to build on the focus, this is to create simple, accessible tools for small and medium-sized businesses. the idea -- what we have learned is that small businesses don't get this, large businesses get this. of them are sourced from authentication weaknesses, using passwords. what the program does is focus on four key issues -- authentication, patching, usb, and phishing. our member organizations helped and we started with creating a simple foundation -- a strong foundation of simple
1:56 am
policies that anyone can follow. that is the objective, anyone can do this without spending extra resources, and having additional expenditure for cyber security. what we see a lot is that the tools offered for small businesses often require what the large businesses can afford. we wanted to focus on the accessibility and simplicity. i mentioned earlier we are nonprofit, so all of this is available for free. we are really not selling anything, quite honestly. our biggest challenge is getting the word out so people use the stuff we have created. we're going to do stuff around software. the main goal of this phase is to create awareness so people start using the tools, and give us feedback on the tools and methodologies so we can improve upon them. but it is a not-for-profit. it is much like the bloomberg foundation, where i am on the board. except he has a lot more to give away than some of us. [laughter] you touch on something i
1:57 am
was going to ask about, how are you going to get the word out and share this? -- two of you here represent large global companies , are you going to use your company networks to share this information? various high-level -- we have champions partnering with us right now to get the word out. we are using media outlets like this conference today. is going on fox news this evening as well. i am sure we will do bloomberg once we get that set up. we will do all those organizations and get the word out on a high level. we also rely on our partners and companies themselves to help. without -- valecia: take it away. [laughter] valecia: it is my pleasure to be
1:58 am
with you today and continue to demonstrate our advocacy and support for something so critical, which is protecting our global supply chain and recognizing that small businesses are critical to not only our global ecosystem from a technology perspective, but for economic prosperity. as a part of the foundation, we are certainly committed to making sure tools and practices are out there, and also looking forward to how we advance technologies that do that. i often say, you can never out-hire a cyber threat. as sam talked about, hygiene. it's even more critical for small businesses that don't necessarily have the resources of large businesses. something you also have to start to look at is the tools, the policies creating that awareness, providing that training. many people don't know what they don't know until they have a
1:59 am
loss or face a data breach. forward, as we move into the future, how do we leverage technologies to then make that transparent to the user? very much like what we see with apps and things today. how do we move the equation forward where we are not as dependent on the human element? at the microsoft company, we're looking at all of those factors, in the supply chain as well, and creating a socialization of awareness of best cyber hygiene practices. andrea: you are offering this to the small businesses you do business with? who purchase microsoft? -- valecia: as a technology vendor, we understand the challenges they have. we do offer a number of tools to help secure the supply chain that we work with every day, including the things we leverage from cri.
2:00 am
samuel: microsoft is a wonderful partner. they have incredible expertise and incredible tool sets. ms. edney: could you talk a little bit about that? ajay: i will come to the distribution. i have one thought on that which is i think this is an asymmetric threat. small businesses are also the source of the data breaches into the large companies because of the supply chain effect. they are unable to protect themselves. cyber threats do not distinguish between large and small. most are using robots. we are only as strong as our weakest link. it is a problem for us individually and collectively.
2:01 am
society, government, and companies. i am interested. it goes beyond a company or a few companies. the second part is that the internet of things which we are all excited about and provides a lot of connectivity across devices and people say 20 billion or 50 billion devices will be connected. i don't know how many it will be but there will be a lot of zeros there. but the problem is you are multiplying the asymmetric issue many times over. how much effort do you think the photographer can do to protect himself from a sophisticated cyber theft? only so much. but at that point he is exposed. not just connected to the internet. at home it is connected to his wi-fi which is connected to his personal computer. you need to understand this is not just an issue for somebody else but for you personally.
2:02 am
that is my interest. it is not about companies or people but about all of us. back to your second question. just that we not provide technology to merchants. that is done through chips. that is different. this is not just about our merchants but how we get these practices that sam and kiersten just talked about. you want small businesses to watch out for patching, phishing. do it quick. there is a reason that the updates come to you. someone figured out that there was a problem with the operating system you are using. procrastination is your enemy in this case. getting those practices out there is what we have to do. we will get there -- we will get them out there to the merchants
2:03 am
and those that have small business cards with us. with banks who in turn service small businesses and we get them to be a channel to get it to small businesses. use our digital channels. we have another website called we have new products being launched for small and medium-sized businesses to help them manage their accounts payable and those kinds of issues. we all have multiple channels. like ours, like hers, exxon, citibank and gm. the idea is to take everything that kiersten and her team have developed and use them to propagate things out there. andrea: if i am a small business and i come to your website, what do i look for and what do i
2:04 am
find? as of today, in the upper right-hand corner of the website there will be an opportunity for you to register. you register as an individual. as sam mentioned it is free. the program walks you through a five stage program. five steps starting with identifying someone in your organization that takes ownership of this. what is important is that we are not asking you to expend additional resources but working within the organization you have. we are enforcing a culture of cyber readiness. i push back on the term cyber workforce. we talked a lot about this on the commission. as ajay and sam mentioned, everyone that has a phone and a computer is part of the cyber workforce. in creating this culture, everyone becomes accountable. this program walks you through five stages that help you to understand the four issues -- it
2:05 am
provides policy templates you can adapt for your organization and talks about different ways to encourage this workforce environment. and a culture of cyber readiness. and at the end, we offer a certificate with the idea that we are creating communication tools, templates and posters -- all of the things that you need around you to internalize this. the other point is that when you bring someone on board, we talk about ethics training in a company -- we have to be thinking about how cyber security and cyber readiness are part of that element. the other point that ajay was talking about when we look at small businesses in the weakest radicale of the most assets of infrastructure we have right now is data and data no longer is held by large, critical, infrastructure companies. data is held by the photographer and the small vendor. every company has a role because of interdependencies in the national and economic security
2:06 am
not just of the nation but globally. that is why we are focused on simple policies upon which we will develop more sophisticated ones. it is about getting to the grassroots so more companies can be engaged. valecia: and what is so critical to that is that most small businesses know how to secure their product inventory. they know how to secure their premises. but they really do not have insight into what their role is in protecting their customer data. and if they do have an incident, they do not even know how to respond. andrea: do they even know if they have had an incident? they may not know. your five-year-old knows how to call 911 and lock the door. but there is cyber readiness that we have to institutionalize in the fabric for all of us. our refrigerators and phones and televisions are all connected. the beauty of the tools that cri
2:07 am
is laying out is their practical application. when i speak to companies -- when i spoke to companies in the past, they do not know where to start. we cannot take for granted the fundamental basics that creates a broad vulnerability. if you think of a river with water in it, it is easy for people to navigate even if they do not know how to swim. think about this as a way to raise the level of water in a river. the idea is to make it harder to swim. create a high level of water, create currents against them and make it harder to swim so they go somewhere else to get to their natural practice. such a powerful technology for our future.
2:08 am
these young kids are internet natives and the -- and that is the way it should be. the trick is to allow them to interact in a forum that is completely safe for them without them having to go through hoops to be safe. that is what we are trying to do, create a foundation, create a way that has no profit attached. it simply uses our technology and capability. will kit to be used, for example, by a business as small as an appliance repair shop? validate that toolset we had to -- 19 companies. some had two employees and some had several hundred companies.
2:09 am
list, welook at that had that range of all sizes primarily because we felt that if you -- that we knew if you took the tools as they exist , you could take that toolset and move it down based on the standards. however, when you get to and 2, 5, 50, orof even a couple hundred, they do not have the expertise to apply the 12th that. if you get the right -- without getting too technical, think about the foundation of a building. a skyscraper if it is right. if you get it right for the smallest of companies, you can expand upon it with scale. between foundations. [laughter] andrea: one more question and
2:10 am
then i will open it up to the room for questions. what makes this cyber readiness program different from other efforts to help small businesses protect their systems? i get asked this question all the time. a great question because there are a lot of resources out there for small businesses. there are a few things that make a difference. authentication, phishing, patching, and usb use. we have said that if you do this, based on the research that we did in the commission as well as what our subject members have contributed. we are supplying policy templates and we provide a decision-making
2:11 am
tool for going to the cloud and an incident response template. we are not asking you to expend any additional resources. the third piece which is critical is having been in this industry for a long time, we started in 1997 with the development of information sharing. we started on the principle that small businesses would learn from large companies. that is how we sectioned everyone out. we evolved that thinking to information sharing and organization analysis. we learned that small businesses have more in common across the sectors than they do with large companies in their sectors. i will make the analogy to pediatric medicine. for a long time we thought that adult medicine needed to be reduced for children. businesses is a distinct discipline. this program defines that
2:12 am
discipline and it helps to create the resources to support it. andrea: thank you. thank you, everybody for being here. i'm going to open up our q&a. danny is part of our headliners team which organized the event today will pass around the microphone. if you have a question, please raise your hand. when you receive the microphone, please identify yourself and your organization. >> my name is rishi and i am a student at a high school. mr. samuel palmisano's school. what i have seen is that hackers tend to learn. and in other companies i have seen that they set up security measures and the hackers learn
2:13 am
from it and bypass it. looking at your scheme, it might -- the hackers might take your course to learn how to bypass your measures. how will you stay one step ahead of those that are learning? question, but to be clear, cyber security is not a one and done kind of thing. we are continually learning. right now, someone is trying to hack into all of the businesses we are trying to protect. hygiene. running your business in a way that allows you to have the -- if you were to use them today, you would have a modicum of safety from hacking. that is the patching and not using usb. them are pre-planted with the right viruses and malware to get in your system. when we start to put out the tools, they may try
2:14 am
and they may learn. we just have to keep doing this. it is not a one and done thing. that is why the foundation cannot say, i am done and ready to move on to the next topic. this will be a continual effort. on that toolset, one of the things we will rely on, in the software community there are a ton of open source tools. the cyber community will develop a lot of those tools. we believe that if we could inventory those that you can get we couldhe internet have the ability to have some level of currency. we do know these things change constantly. it is an arms race. the only way to stay competitive is to continue to invest in maybe not a nuclear arsenal but
2:15 am
in the basics. a revolver and a pea shooter. making the water just a little deeper so you have some level of assurance. valecia: and it will always be dynamic. it is a never ending challenge. is and what technology that is why it creates opportunity. much of the threat is still starting there. in the foundation. if you were to rewind to when cars were created, there were no streetlights, highways and roads. those were all infrastructural things that came after the innovation. in that same kind of transformation in time today as we talk about cyber security risks. we have the technology and now we have to mature from an infrastructure and policy and laws perspective to make sure that we are all safe.
2:16 am
kiersten: in cyber security, a breach is not a demonstration of failure if you have provided for it. in our tools we provide for an incident response team. we talk a lot about resilience in this program which is how you keep the breaches minimized and help minimize the disruption to your operation. that is an important mindset for cyber security overall because we will never get ahead of everything. it is about preparation and response. >> thank you very much. i am with a channel based in beirut, lebanon. a worldwide attention to this issue. i noticed the absence of the technology company to be represented here in my opinion. why? because it is essential that all
2:17 am
cyber security problems, the source of these problems come from software or the hardware that the public needs to be aware of all of the deficiencies that the hackers and others are able to come to it. how can we educate the public about what is happening in that field of the software, the new that is the responsibility of the technology companies to provide the public with enough information about something that they found that is a problem and needs to be addressed? if you define cyber threat as an i.t. problem, you are going to have a problem. i am not being aggressive. if you look at 80% of all of the attacks that have occurred, most
2:18 am
are on employees. employees are 80% of the problem. when we talk about the culture of hygiene, it starts with your own workforce. the biggest on the -- vulnerable at the as a person is yourself. let me give you a classic example, my lovely wife. she refuses to change her password. ajay: i would change your example. [laughter] i would lose credibility if i said myself. ok, i will use our labradors. you go through this and you start with a conversation -- when these people -- you have caller id. when you see the number you do not recognize, my dogs do not pick up the phone. when she sees an email that you
2:19 am
-- that looks attractive because it is from some fashion magazine, she clicks on it and now she has just been phished. this is why we are back to education. there are technical vulnerabilities but most of the stuff gets solved in learning and education. we would argue that you would eliminate the majority of the hacks through better procedure and process. what the facts in addition to that, there are vulnerabilities which gets back to ajay's point about patching. the companies are learning about the vulnerabilities. but as they learn about those, you have to update -- if you get an alert from your service provider, telecom or your phone provider, and they say update your software, well, update your software as an individual. the next thing we recommend for
2:20 am
the future which gets back to the obama commission is the internet of things which these 20 billion or 30 billion things. issues are there is no cyber -- the security protection in those things, the phone or the sensor or your thermostat or a voice activated device you have in your house. we recommend that with all of these things, talk about autonomous vehicles becoming weaponized. all need to have some level of cyber security embedded in those things and we suggested in the commission that you have a cyber seal of health. and the commerce department creates those standards. if you are developing these future technologies, you have to put a seal on whether you comply with the basic level of certification. that would educate, to your point, educate a lot of the
2:21 am
users so when you get that thermostat, you understand if it has security in it. there is no seal on the thermostat that says it is a secure device. when we put it in our house, the guys doing it wanted to know if we worked for the cia. i don't talk to devices in the house. ajay: you mean your labradors. samuel: my labradors do not work irri but for me. to summarize, it starts with knowledge and learning and how do you take care of your company or yourself. and then it gets to the future of some of these devices but if you look at all of the data and studies that independent companies have done, the majority of the issues have come
2:22 am
because of hygiene and your employee base. we -- we do have microsoft as a key element of the partnership. i cannot think of a more interesting partner to talk about the ability to patch. >> steve from -- reading. how do you get people to do a culture of patching? we get update notices all the time. >> but i'm in the middle of writing a story. do i do a patch tuesday like you guys do? [laughter] valecia: we do have our patch tuesdays as he knows.
2:23 am
but you are right. when you heard me talking earlier about developing capabilities where there is a lot more automation so there is not as much dependency on the user for those things. we do still have to start with the basic practices. if we put the patches out there and they are not used, you have still left yourself vulnerable. i equate it to leaving your door unlocked. many of us do not leave our house without locking our door or our car. they have even made it easier with the toot toot. is a combination of the technology as well as the hygiene and awareness that have to work together. first thing in the morning or at the end of the day tried to
2:24 am
patch if not look to see if there is something. valecia: exactly. that is why -- [laughter] [indiscernible] cri is so valuable and that is why you hear us emphasizing the technology as well as the awareness and training. they have to go together. if you look at any other evolution as a society, we have had to do that and that is what we are looking to do for cyber security as well. kiersten: it was one of the key issues we confronted in the commission. you move between do security away from the end-user or do you educate the end-user? we came down to having to do both. the pyramid of people, process, and technology with the people being at the foundation. we want to educate the people and get to the place where the technology pulls that
2:25 am
decision-making and choice out of it as much as possible. ann bader here for npc. as part of your education process, are you giving in your templates what people can do to continually update for example if they see a phishing, what should they do? who should they report to? i find that to be one of the major gaps in my own country. kiersten: we have made the program very prescriptive. we have talked about the balance between being too prescriptive and not prescriptive enough. we lay out the policy templates for what to do when the phishing attack occurs. we wanted to keep it agile
2:26 am
enough because we did have some companies in our pilot that had two people. it would be the same person talking to themselves if they had a phishing attempt. but it is the 750 person company. we do create that structure which it says this is who you should talk to and create reference points. and we will build upon that in the next phase. when will we be successful? i would say the two pieces we are most focused on right now -- we will look at 2019 and say we will be successful based on how many small businesses across the globe have used this. and also, maybe perhaps more importantly, being able to measure the impact of the program on their cyber readiness. we have metrics that are
2:27 am
established in stage two that we ask people to take again in stage five. they are qualitative metrics. what we hope to do is to partner with some of our technology companies and other members to look at how do we more qualitatively and quantitatively measure the rams. we will measure the number of small businesses across geographic differences. >> will you share the number? kiersten: we have not had the meeting yet. samuel: it would be great. putting more pressure on my friends. we want it to be global. biggest benefit would be awareness for people and they start to take advantage of the materials that we have. they would take
2:28 am
advantage of the more sophisticated. we will develop. we do not have the marketing budget of my colleagues to the left so therefore we have to rely on an ecosystem of partners to help us and that is what we are about. but i do believe that if we can get awareness up and then get cases that are successful where we have testimonies, it will lift itself in a viral way. and then that will put more challenges on us. is when we will ask them for their feedback and what they would like us to do in the future and that will drive us to our future agenda. more external pressure for us to move and act. valecia: and i would add this element that kiersten mentioned earlier which is that breaches are going to happen.
2:29 am
as part of that awareness and removing the fear factor, a quantitative measure is how have we helped the businesses that are part of the program reduce the impact to their business if they do face that real-life threats. then, you can start to implement the policies and the training and help their employees be aware of good cyber hygiene. were they able to protect customer data? were they able to minimize the impacts of phishing? are they changing their passwords regularly? that will lift the tide. when you were testing this, can you take an example of perhaps someone who found success? or conversely, some challenges that you realize that you will need to address? kiersten: we have started to
2:30 am
make the adjustments and as sam said, this has been a tremendous effort of a team of people in this room. what was interesting is one of our pilot programs had 750 people in the corporate office. cio was a woman that came from the financial sector. the company had 22,000 franchises of restaurants. was she found most helpful the culture. she said, i have made all of the technology decisions and i have done right by this company by knowing the firewalls and sensors. but where i have not succeeded as much is creating the culture. i was able to achieve more education across the company. we had simple feedback such as the posters are great but the fonts don't work for us. it is that usability peace process. and we had a company who is a
2:31 am
cyber leader, the title we give to the person within the company, went out on maternity leave in the middle of the program. how -- this should be able to transition to the next person but there was a little bit of difficulty in doing so because they required more briefing. we included some other materials at the outset of the program. to understand that this is going to be hard. please do not take that by us producing a few posters that it is suddenly going to change the way the labradors behave. [laughter] i am quite concerned. it will be a hard slog for us. about how many millions of businesses we should get to. i think the first -- i think the first sign of success is when people understand that this is a real issue and we have simple tools for them to begin
2:32 am
to raise the level of the water in the river and we start to get engagement. people can upgrade what they are doing as well as we can launch new tools that they can put into their software so they can say that they are safer. think of this as a several year effort to change the nature of the dialogue between small businesses and the industry. to get the whole level to improve. it will be a hard slog. i am a member of the club. you mentioned the obama administration. the small business administration and the current commerce department, are they involved as party or team? kiersten: yes. the obama commission was an independent, bipartisan commission which was tasked with creating a roadmap for the trump administration. -- sam and isely briefed the transition team on
2:33 am
putting together and helping them inform their executive order on cyber security. in may of 2017. we supported their efforts that aligned with some of the recommendations of the commission. specifically on the small businesses. i have spoken to grant schneider. and most recently with chris krebs last week who is running the new entity within dhs on collaborating with their partnership and outreach efforts. we do want to work within the existing structures. as we have said all along, even with our partners and champions, we do not want to compete in this space because everyone needs as much help as they can get. part of our effort is to collaborate with the other entities helping small businesses in the hope that we come together and create efficiencies for small businesses to be able to do what they need to do. i am dannys --
2:34 am
selnick. what you are doing is important but can you talk about the institute and what it will be doing in terms of advocacy and policy and agenda -- the tools are there but talking about strengthening, penalties or what congress can do to help? [laughter] >> i am glad he asked you. kiersten: someone once told me that you can ask whatever question you would like and you can answer whatever question you would like. i mentioned the champions. we do have some here. we have gone out to other organizations that have networks and associations in small business, not just small business, to say here is a free
2:35 am
12 for your network. distribute it and let us know what you are hearing and seeing and being able to bring that back. the other piece is working with our member companies and champions to get this into their value chain to see if this will make a difference when looking at third-party vendors. if they have done a program like this, does it mean something for you and is it valuable? we have to see what is working and what is not. and in partnerships, we can see if there is an opportunity to take it to the next step. first, we have to make sure that what we have is going to the right place. and looking to see how this is working within the value chains, the supply chains, not just within the u.s. but around the world. >> first things first. andrea: it is not --
2:36 am
is not that people are just doing things in their own industrial -- industry groups. we do chips and cars. tokens. those are all good things for protecting the data transaction. this is a little more than that. the merchant may have payment data but other stuff. r own accounting data. this is meant to raise all of that as well. i see this not just as a set of rules or punishment if you don't do something. that is not what this is about. it is about making this available to people saying that this is affecting your own self interest and get them educated. samuel: as individuals, all of
2:37 am
us are involved in having this discussion around policy. as individuals and not as cri. world, ourlobalized small and medium-sized companies engaged in cross-border commerce, more or less vulnerable as a result of doing that and to stretch the water metaphor a little further, some of the water is saltier -- [laughter] ajay: i don't know if you can generalize if cross-border commerce makes a business more vulnerable than domestic. this works, they use ai and robotics to probe where the weakest link is. the weakest link.
2:38 am
there is no discrimination in that methodology yet. yet. it will change. --this young man's challenge to this young man's question, as of now it has not. as sam said a little while ago, we want these tools and processes to be available globally. a lot of us are interconnected. to think you can create a border. that will be hard. we will take one more question from the room if there is one. please. have you involved the insurance industry globally in this effort --setting values and metrics? kiersten: it is a great question. one that i think we have a little bit of ptsd from being on the commission.
2:39 am
the insurance industry is very important in looking at this. they are still looking to collect data. we have had the discussions. i think there are a lot of opportunities for that discussion. but unfortunately, the industry right now -- we have not been able to partner with them yet. we are paying attention to it and are aware of it but the industry itself has a long way to go in this space and we are keeping tabs on it. it could be a very powerful tool at some point for small businesses. both before and after the commission, we engaged. insurance is written upon the assessment of damage. it is hard -- this is the challenge for the industry -- it is hard for them to assess what damage has occurred because you have lost your personal records
2:40 am
if you are equifax or something like that. that is the challenge associated with that. having said that, we argue amongst ourselves that fundamentally, if you could establish a policy where if you comply with certain levels of hygiene metrics, your risk is less as the insurer and then this company should get a better rate. a different if you have burglar system or a fire alarm system in your home. encouragedt we have them to think about. some level of standards, and it has to be something less than the standards of cyber security which are too robust for what is required here. ajay: this is beyond the scope of cri. this is at the policy level.
2:41 am
-- this is a great policy conversation for another day. whether standards allow you a level of insurance discount or level of protection from liability. -- weind of thinking addressed a lot of that in the commission and then found it hard to solve. the administration is deeply engaged. this and prior. but it is a tough topic in this space. when you were working at the commission, did you find that one of the reasons small businesses do not always download the patches is because they do not know where their data is going?
2:42 am
when you were collecting data through the registrations, what are you doing with that data? are you sharing it with your corporate partners? kiersten: we are not sharing the data and we do have a privacy policy in light of gdpr and the cookie policy. we are only asking for industry, name, and location. to your first question, that is a part of it that i would push back to say it is oftentimes that small businesses do not have the resources and the capacity. if you're getting a patch to the point where you are getting inundated. and you do not have the expertise. how do you ensure that everyone realizes what their personal
2:43 am
responsibility and accountability is when it comes to cyber security. that is what we are trying to change. andrea: i will have one final question for you all. there, just aget couple of housekeeping things for the club. thank you all for coming out today. we do have a number of great events. a lot of excellent programming organized by our volunteers here. one, i would like to highlight is the ceo of cvs health, larry merlo will speak in mid-january, january 14 at a headliners luncheon about the current challenges with today's health care system. that is going to be interesting. please take a look at our website to see what other excellent programming we have coming up. for all of you, i have one final question. if you could just answer it in order. we have talked a lot about the
2:44 am
fact that this is important. that there is an urgency. what do you see out there that demonstrates the urgency? i feel like sometimes people hear --you have to do it, you have to do it. they arearrage and inundated with this message. how do we illustrate the urgency? there are a lot of ways. the urgency has to go with what we have talked about with value chain and supply chain and the role of small businesses. isgo back to something that -- to go back to something, it is the target. look at marriott. look at the breaches. the importance goes to personal responsibility and accountability. we have to get to a place of
2:45 am
understanding cyber security as a key component of everything we do regardless of industry or what we do for a living. which means we have to get companies and our vendors and suppliers as a person whether it is the choice of my airline or hotel, get them to understand that security is a value add and they have to make choices that security,i invest in that means i might get more customers. and being able to distinguish that. when we talk about any type of security, it is about getting to the place where security is a value add. when we look at small businesses, it is recognizing that the viability of these organizations depends on their security and their role in global value chains. and they will do better if they are more secure. we talk a lot about the digital pearl harbor and these things that may never happen but it is recognizing that there is a lot
2:46 am
that goes on and you do not want to be caught on the backside of it but be in the preventative stage. what we are hoping to do with cri is help for small businesses with limited resources build the foundation in order to be secure. i would add the interconnectedness. we talk about that. as a community. we are not going back from here. technology is going to continue to have us interconnected. we are only as strong as some of the weaker links. the value from cri and the informational piece, the tools piece, and i will go back to our evolutionary examples. think about the seatbelt. seatbelts were added to cars. now, they are automated. the car sings to you if you do not put it on. we do still have accidents. [laughter]
2:47 am
we still have accidents. unfortunately, we have deaths in accidents however, it was that human swell of impact at individualized levels that helped to make the case. unfortunately, breaches are not going to go away. small businesses are a key component of our economic stability and our supply chain. they are getting hit increasingly. this is not something that is a marriott problem or a sony problem. or the things that we see and prevent in our own spaces each and every day. we are coming to a place with iot where every home could be impacted. it is going to become very real in an individualized way. we are looking to get in front
2:48 am
of that so we can help provide the culture. everyone acts in their own self interests. is a little bit of a stick -- if you are a major procurement their people say you need to comply with this basic level of cyber security, they will do that because they want to sell to these large companies. that will bring a lot of people along. the other point of self interest is i think people are becoming aware now of cyber and privacy. dwell on whato has happened in the media. you can go in and watch the testimony for yourselves. my only point is that now that awareness is high enough, it is in the individual's self interest to be aware that their information is out there and it needs to be protected.
2:49 am
there is a side benefit. it has raised everyone's -- oh my gosh, my information is out there. are they scraping my emails? what are they doing to monetize this? it is now in the individual's self-interest to download the patches or make sure that you understand how your information is being used. my punch line is if i were a business, i would create some level of connection with the consumer in secure and private. if i were still working i would be upset with how i am differentiating. i would invest in companies that would protect your individual information. time, now that the awareness is heightened, you should take precautions. no different than drinking or
2:50 am
anything else that we educate our children on. safe sex or whatever it happens to be. the awareness is out there and it is a great opportunity to take advantage of that as an individual. security by design and privacy by design is what this is all about. sam summarized it well. small businesses are run by people. if the individual becomes conscious of what sam just said which is that their information and data and privacy are an issue they will be conscious of that for their business as well. there is a moment in time right now where awareness is at a heightened level and it is a good time for these tools to be available. andrea: i would like to thank you all very much. before you leave, i have a small gift for each of you.
2:51 am
down andgoing to come we will conclude. these are mugs from the national press club. we hope that you use them in good health. [applause] samuel: the labradors can use them as a water bowl. thank you. [laughter] happy holidays, everybody.