
Experts Discuss American and European Perspectives on Cybersecurity  CSPAN  October 6, 2021 9:00am-10:01am EDT

9:00 am
>> next, a discussion on cybersecurity from american and european perspectives. an event hosted by the center for strategic and international studies, technology and security officials talk about areas where improvement is needed in the public and private sectors. this runs one hour. .. >> will then be followed with a panel that has john costello, chief of staff of the national cyber director. robert, the director of the cyber security department in the prime minister's office in
9:01 am
poland and sebastian bergermeister, a managing partner at bw advisor. we'll start with isabela with opening remarks for 10 minutes or so. over to you. >> thank you very much, jim. good morning to american friends and participants and the participants from european part of the atlantic. it is great to be the event virtually. and remember when the cyber team visited the headquarter in washington. so last time in march of 2019 before the covid-19 breakout and we had put together some on site event and hope that we'll come back to those and meet each other again in the physical
9:02 am
area. meanwhile, i'm really happy to support this important on-line exchange. i just finished the intervention during the security-- singapore international cyber security week. so the same discussion basically took place and the first question was the minister, all communication and information to wake up, and she basically said that protection of critical so we have very good topics to discuss today. and i think that the cooperation on cyber security management and particularly on security and resilience of critical infrastructure on which our-- rely is now vital.
9:03 am
cyber threats to critical infrastructure are growing, prove to be particularly vulnerable. this increasing threat is mainly driven on the one side by growing aggressive posture in cyber space of multiple actors. and nascent state actors and also cyber criminals and the other way around and on the other side the process of the digitization of everything. and even more by progressing development and instrumentation of more and more solutions based on emerging and adaptive technology. the interplay and the interference of the technologies has been widening cyber landscape and cyber security, and this will first
9:04 am
only accelerate as we move forward full between physical and fiber. and the fiber has been advocating, between the transatlantic partners and like-minded transfers. i'm glad that as we speak, we can see new developments supporting such approach. last week, the first meeting of eu and trade, which although it has not been in the security corporation, the interests are definitely in cyber security and considered a very good development, but at the same time, we can see also from the white house, the process of building the cooperation, which
9:05 am
which bring together the first countries and cooperation in combatting cyber crime and enforcement and collaboration, the cryptocurrency and engaging on the issue, the diplomatic fleet is now advancing. and the u.s. is also building a coalition of nations to advocate for and invest in cyber technology and better secure supply chains. and it's offense the discussion that we are having today, and they will be -- and i hope that there will be many eu countries in this for the cooperation on cyber crime and law enforcement collaboration. and despite this important and good development, the--
9:06 am
critical structure particularly between the eu and the u.s. is very much needed now and i will concentrate on four possible dimensions of such collaboration. first is eu-u.s. level and then ce level and private sector collaboration level and last but not least, nato level. starting with the eu, and even the eu and the u.s. have focused their attention on the same type, with special recognition of threats for critical infrastructure and they also have history of cyber security cooperation. in the view of many experts, this collaboration is not in that and practical. we need as soon as possible to develop cooperation between eu
9:07 am
and countries with the u.s. government on the particular topic. maybe transfer the latest developments and gathers, and u.s., india, japan and australia. and this is declared building on longstanding collaboration, against cyber spread by bringing together the expertise of their nations to drive domestic and international practices. that's the quote. another good example of such an enhanced collaboration, a month ago with u.s. singapore again declaration on the partnerships for new challenges, including cyber security cooperation for a new era with three agreements that will expand to cyber
9:08 am
security cooperation with the financial sector, and engagement and -- there is a lot of expertise to be shared with eu in that respect and a lot of expertise to be shared with central european region. and the message from the -- is that since hybrid, including cyber attacks and sabotage of critical structure we should continue to champion the collaboration and best practices exchange. it can be done together with the u.s. as a strategic partner of the important region. and the aim should be to build resilience and security of the infrastructure in the region. the one which is now being deployed or planning to be
9:09 am
deployed in the future. and this is at best development of the energy transport and the infrastructure, then there's a collaboration and that invests inside for security. and this report was presented with a couple of recommendations and what is needed in that respect in the region and many of them are related to critical infrastructure, and so it's on our website. then the private sector role in terms of collaboration to critical infrastructure. and here it's concentrating more because they have become a place where we innovate and create solutions for networks and systems against adversarial
9:10 am
actions. and the cluster enjoys the support from the police of political affairs, and it's gathering today more than 40 cyber security components, including components working on exclusions for open run into including 5-g and since involvement of the private sector is crucial for cyber security and for the creation of cyber security and framework for critical infrastructure. i can see great potential for the mutually beneficial collaboration between american and as well as european companies in critical infrastructure protection. and last but not least, another platform of cooperation on
9:11 am
critical infrastructure between european countries, and the partners, is now nato. and with this particular allies collaboration, including increasing resilience of infrastructure within the concept of for our shared security. and due to the military using civilian infrastructure, including assets from ways to harbors and networks, and efficient transport of trucks and equipment, departments have come to be seen as a significant element in allied resilience and in nato's joint defense as well as its compassing building. and with nato well-managed both, there is opportunities emerge and of emerging
9:12 am
technologies like quantum computing and critical infrastructure, protection and this can be done within the -- and innovation frame works of collaboration which is now being developed. and we can read that nato and allies will maintain and enhance the security of critical infrastructure to supply chains and communication networks, including 5-g. it's aimed at the u.s. and the resources and confidences for mutual benefits. and i can also -- what
9:13 am
president joe biden said on october 1st. he said the whole nation to confront cyber threats at the first place that he is commented, cyber security the u.s. critical infrastructure against cyber attacks. so i will paraphrase in a way that that is the whole of like-minded transfers and allies. and we need to work together to increase the our critical assets, which is the infrastructure in the first place. thank you so much and i'm looking forward to the discussion and then practical steps to enhance this cooperation between european countries and u.s. government. thank you very much. >> thank you, isabella, that
9:14 am
was great and perfect timing, too. we are now going to our panel of experts, sebastian bergmeister and -- and i'm going to ask questions and they can respond briefly, i hope and we'll have a conversation about cyber critical structure. let me start with one that helps the audience. maybe each of you could give your views, when we say resilience, what does it mean? what is resilience of critical infrastructure? do you want to start, john? >> certainly. first of all, jim, thank you for having me, this is my first in the new position, a newly established position in the u.s. department of the and certainly happy to talk about critical infrastructure protection. resilience to me is composed of
9:15 am
a number of different components at a baseline level is the basic security of an ecosystem to begin with, whether it's the technical components of the ecosystem or the functional components. one meaning the technologies in which they rely and underpinning, is the how different services and different services were to interact. if they were to go down and cascade failures in communication. i'd say more broadly, the inability of any of these systems to quickly respond and rebound and continue functionality in some method and by some means, regardless of a disruption or resilient system would be one that resists disruption or destruction from a security
9:16 am
perspective, but ultimately one that can really quickly continue functionality in some form in the event of the destruction or disruption. >> great, thank you. robert, let me ask you the same question. when you think about it from your position in the chancellery. what would be-- ments i would describe through cyber security aspect. one is adopted by the council of ministers in 2019 and should be implemented down to 2024. so resiliency is one of two goals, strategy goal first of all is the resiliency and this is related to cyber security. and of course, we're talking about how to avoid disruptions of critical infrastructure
9:17 am
and the second is of course, increased capabilities in information protection. talking about resilience, this is the way, how the country should focus on the maintenance and continues availability of critical services. so, that's why, where we refer directly at the national, implementing them. and in this directive in the european countries, we are focusing on how to protect essential services. so, essential services, you may ask how they refer to critical infrastructure. what i see, actually, that resilience becomes more and more important right now, also, in this relationship and connection between critical infrastructure and critical digital services, so resiliency
9:18 am
is about both. it's about how to maintain, how to keep -- how to protect infrastructure and how to protect services around the infrastructure. >> all right. thank you. sebastian, you work with a lot of companies. what's your perspective on this? >> thank you, jim, for the question. and i prefer to use the different words than resilience. i think from my perspective, it's better to use fragile than only resilience, because the fragile also use the way after the incident, the companies could adapt to the new situation and easily, quite easily use the capabilities to respond to every major
9:19 am
incident. of course, in today's interconnected world, there is no such thing like linear thinking and linear incidents. that's why what i see when i am working with my clients, i see interconnection between a lot of suppliers, vendors, partners, and the resilience, or -- also based on the complete security of the ecosystem, that it's connected to this one client or to the country or to the system itself. that's why i'm looking at it through the -- from the protection and also adaptation to the new situation and to the new risk or press. >> thank you.
9:20 am
those are all good answers. but it raises the question, and we have -- this program will be rebroadcast to a broader audience. so let me ask you, what is critical infrastructure in the digital age? is it expanded beyond our old understanding of, you know, electricity and banks and a few other things? what is critical infrastructure now? how do we define it? do you want to start again? >> so i can give you, sort of the textbook answer as it's the system assets and functions on which national security economic security and public health and safety rely, which is the straight up policy and technical definition. you know, i think robert sort of hit on it in his opening remarks. i think that critical infrastructure is really the critical services that really underpin the functioning of society and the separate, but
9:21 am
certainly functioning, critical functioning of the state as well. and that's where we get into national security systems, things that underpin the military. i think to your point, that the idea of what critical infrastructure is has expanded over time given, largely due to the fact it's interconnected on technology. i mean, if we -- the original sort of definition of critical infrastructure and the concept sort of originated in the late '90s, we were talking about strict services and telecommunication, and cyber related services were a part of that, but as, you know, this has become a technical strata that's become everything, something that's separate and requires its own attention and something that i think is substantively and in a degree, something that needs to be worked on at its own.
9:22 am
and the european union does an interesting job how they categorize infrastructure, rather than having 16 sectors there, sort of categories of critical infrastructure. and i think we're getting to a place where looking at the physical related critical infrastructure, things like energy, water, et cetera, lifeline sector, if you will, separate and distinct from cyber critical infrastructure or information infrastructure, countries with a number of ways how they describe it that are the telecommunications infrastructure and then the sweep of technology and manufacturing, development and services, itself to the cyber eco system, but overall, i think we're finding that as society has grown more dependent on technology, it's the ability in which it can be disrupted. as services have gotten more
9:23 am
and more into our daily lives and we're more dependent on them. we're more critical and the sort of footprint or area has expanded for sure. >> great. robert, do you want to take this one up, please? >> and i think if we will follow the definitions that's been quite recently discussed and among the eu members say under the discussions within the proposal for the directive of the european parliament and critical entities, i think it's quite obvious right now that we are shifting our focus from the classic infrastructure that jonathan mentioned, into essential services, so essential services, those of course, the services in the essential for the maintenance of vital and services for society and economic activities, and then referring to infrastructure itself, this
9:24 am
is actually the system or the part of the-- of it which is necessary to run the essential services, so this is the definition. this is the way that we approach it and i like this approach because from the legacy approach when we look on the infrastructure and we look in our minds and our services, i think that this is the good direction. >> right, thank you. great, sebastian? >> thank you, and i think they kept a lot of interesting points, especially that right now the development of the definition of critical infrastructure goes into the critical system. because the infrastructure could be on premise or in the cloud and right now, we could not sometimes define what is
9:25 am
critical infrastructure. if the hospital have hit all infrastructure in the clouds, what is the critical infrastructure? so the cloud service provider will be critical infrastructure right now. you will be part of the critical service, but the infrastructure, of course, for this service, will be critical, but for other services could be not critical. so, that's why i like the idea going from the infrastructure to the service, because the service is based on the infrastructure and we have to protect the services and then because of that, we'll protect the infrastructure. >> great, thank you. sebastian, let me pick up on something you said earlier, you used the word fragile. and i kind of like that word though it's a bit disconcerting. having done this for a while.
9:26 am
i say that some sectors are in much better shape than a decade ago. i don't know if you agree, but we have some crucial vulnerabilities. where are we on critical infrastructure? where is the fragile and where is the risk? it's a complicated question and for a general audience, what's your 50,000 foot view of where we are, how we're doing? so john, do you want to start with that one? >> certainly, thanks, jim. i think in certain sectors we're doing quite well. the in the fans sector, i think it's doing really well and the energy sector is getting there and, but overall they're doing well. they're putting a lot of attention into it, the oil and natural gas section, they're starting to make progress, but
9:27 am
their ceos and their corporate leadership is paying attention and regulators are paying attention as well. if we're looking at the sector model in general, water, it's going to require a lot of attention and one that's pernicious, there's none for water not there should be, there's no perk for water, this is largely by state and municipalities. as far as the ability to disrupt large scale across the country, that's a net positive. we have something similar with election security which isn't the security of the infrastructure itself, but rather the content that i think that guides voter confidence and behavior. the election infrastructure, i think it's doing better since 2016, for a certainty. and that's been, you know, gotten a lot of attention from congress and from the
9:28 am
administration. and i'd say as a general matter, one of the biggest vulnerabilities we have is simply the technology and the services that we use. and i think there's been a lot of attention and a lot of work towards creating more secure services and more secure products over time, and to create some type of transparency for consumers where money to go the furthest. and we can't get past it's passed through critical infrastructure, owners and operators, that do not have the capital, the know-how or the capacity to take on and properly manage that security burden. i think that that's some of the biggest tension, i think that the u.s. and eu has to deal with from a governance perspective. there's no getting around that, and the systems that we use are
9:29 am
still vulnerable. >> now, that may be an extension of just -- and endemic to the technology space itself, i don't think that anybody would argue with that, it's something we need to manage. last point, i don't want to take up too much time from my colleagues here is just understanding risk itself has gotten far harder over the last two decades. as things have gotten more interconnected and as technology has become more sufficient -- sufficient fused for anything, it's how they interact or cascading failure or risks onto others. and unfortunately, i think, for governments everywhere, adversaries are figuring out how to works before the defenders are for a variety of reasons and i'm sure we can get into. which is why i think a lot of times we're dealing with cyber security and resilience and
9:30 am
critical infrastructure in general, it tends to look reactionary. and we could diagnose that and interrogate that, but often we don't realize there's a pathway of scaled risk until it materializes in some way. i would say that in and of itself, what sector is vulnerable or not. is enduring vulnerability. the good folks across the government are trying to get better answers. so i yield my time. >> thank you, mr. chairman. robert, i saw you nodding your head at various points. what's your view on this question? >> yeah, because i agree with john and of course, the point where we start, it's identified interdependence between different sectors and potentially on other sectors, so of course, based on the implementation, we identify seven major sectors, but of course, after many years of
9:31 am
implementation of these, the legal system and those observations of the european countries, it's quite clear that it's not the full length right now. what more? we miss a few sectors like the communication sectors, so the way, how european union designed the system, it's actually full of silos, covering different sectors without even someone operational feature and what's going on in the specific sector and how it is impacting, what is the impact of the sector on the other sectors, that's what we try right now, to fill the gaps and have the independence fully identified for the national cyber security system. it goes to implement for reporting the incident, but to actually identify which, what is dependency and this is the way how we implement this on the national level. one practice from our police
9:32 am
implementation, and it's development of the national wide system and it's calls for national security platforms, right now, it's system s-46 and this system collects information from all sector of national cyber security system. it's unique because we improve, and that improves the situation and what's more, we incorporated dynamic and static risk assessment. and so, in, we can dynamically see and the attack against banking sector or energy sector, what's the most critical. and i think that this fragility from one side, it's actually the way that we should match it with the impact and the new approach. and also proposed by poland and until now, at the european level. we talked about essential
9:33 am
entity. so operators of the essential services and the entity. we exit ended this lease and we talked about imposing identities. so of course, to fill the gap and to identify other sectors and subsectors, for instance, media or social media and what's the impact of course on the other sectors. so this is something that i believe that, this is an ongoing process and we share in our experiences from europe and from the u.s., and to develop and to design the most effective systems. >> great. the social media was on my list and i was going to ask you all, you don't have to answer. does it count as critical infrastructure? some people would say yes and more importantly, what you brought up to interdependency, and one of those, with the silos, i have the advice in big companies and you need electricity, you need water,
9:34 am
you need other things, for them to deliver. it was a telecom company, for them to deliver the service, so interdependency among critical infrastructures, probably a point where it's exploring. sebastian, let me get your take on this. >> thank you. and what is my experience, cooperating with the critical infrastructure companies, and critical services company. what i see, first of all, the difference of maturity. and so financial system, and energy, and energy sector, and financial sector is much more mature than, for example, transport sector or health sector, for example, but the adversaries, i don't think they will attack one hospital.
9:35 am
they will focus on the most critical systems. so they will focus on the energy sector, or the financial sector, or any other sector or companies, which is major, which has major impacts on the state level. so i understand why the maturity is different. the difference. what i also see almost in every sector that the companies do not really manage the first for supply chain attack will be quite easy to do from the adversary point of view. even sometimes they are -- do not understand that there is
9:36 am
only two or three suppliers in one sector for the critical software like its software or the software for managing the capital and so on. so i think it's important from the systemic point of view to understand that the attacks on not the hospital, but for the service provider will have much more impact than attacking, say, one or two companies. this is an example of the solar wind attacks or other vendor attacks. the attacker will focus on the companies that will have much more impact on other companies on the federal, on the state level. >> great, thank you. since you all brought it up in some way, one of the debates
9:37 am
here is the balance between mandatory requirements for security and critical infrastructure, and remaining in a voluntary approach, and you know, the example that helped start this was colonial pipelines, the gas, the fuel companies was under voluntary standards developed by the government. and some people came away from that saying are voluntary standards enough? maybe we can reframe the question a little bit by asking, how do we best with the sector. i've been doing this for 10 years and if you say some of the words like information sharing or something, and then we'll press the buzzer. but let's talk about how you incentivize the private sector. isabella, i know you're still on-line even if you're off camera, if you ever want to jump in, please do so. but, john, what are the best
9:38 am
incentives, regulation is an incentive, but not necessarily the best. john. >> i think that's a good question, jim. i think that's the question, i think that governments have to wrestle with in my opinion. i don't think that we can, critical infrastructure is not a monolith. i think a number of critical infrastructure sectors are already regulated. sometimes heavily, sometimes overlapping, and financial sector, at least is-- you know, has numerous regulatory overseers and has a number of regulations. my sense is, this is that for a number of sectors, we've reached the limit of what voluntary standards and voluntary public-private collaboration can accomplish. and i think we, you know, the u.s. needs to explore what mandatory requirements look like in certain circumstances. i know that the congress is
9:39 am
currently considering measures at least when it comes to incident reporting, which in my mind is a bare bones requirement. it goes to, i mean, it goes without saying that if you're informing the government of a particular incident or a particular threat you notice, what's going to follow on after that is a question what you're doing about it and how you're going to prevent an incident like that in the future and benefits, obviously, from being able to share that information across a number of critical and infrastructure sectors and entities that are most certainly similarly targeted. we get down to brass tacks about critical infrastructure, protection standards, themselves. something like ferc put on the industry. and i think those have been effective in some degree. i know that, you know, i don't think anyone has practiced perfectly how do we get beyond a checklist approach. i certainly don't have, you know, fully mature thoughts on
9:40 am
the matter, but i know it's something that the u.s. government is looking at. i know it's something that congress is considering, how do we strike that balance and more importantly, how do we strike that balance with respect to the relative maturity of each sector in the space. and i'm not going to pick on water, but a mature sector like water considering a financial sector which has the benefits of sufficient capital to invest in cyber security, as well as the, you know, the risk being externalized and evident through financial loss through like fraud. how do we realign those? i know it's not a particularly satisfying answer, but it's something that the u.s. government needs to look at. it is, and overall i think we've hit the limits across a number of sectors, what a
9:41 am
purely voluntary approach can achieve. >> thank you. robert, what's the situation in poland when it comes to voluntary or mandatory? >> so we went through, of course, for a voluntary approach for many years and we know very well that it doesn't work effectively. so, we observed the situation and the development of the situation around colonial pipeline in the u.s., so we've had an immediate call with other colleagues from dhs and cisa and we start out the practice how we approach this type of situation and talking about from voluntary to mandatory, this is, of course, the balance, first we start with voluntary. if it doesn't work, then the regulation is needed and of course, the penalties are needed, therefore, you can find starting from the protection, through this and through other regulations and, but of course, the move to mandatory approach, you need to provide the right
9:42 am
guidance. you need to provide support. you cannot just only penalize and you cannot only request or then follow the compliance if there is nothing of support. so talking about voluntary, and first, we adopted similar approach like the u.s. and so the common development by government and industry, and standards, recommendations, technical, special documents, special publications. so, we also started to develop the national cyber security standards that we published on the set of many dew points right now covering the first of them covered cyber security requirements for cloud computing. but we talked about how do we incentivize the public sector, it's to start to collaborate and act with public sector, and private sector, because what we are searching in the past is usually, it was declaration, the declarations about
9:43 am
partnerships and there was nothing behind. i know what i'm talking about because at first i worked with the polish government for 15 years and 10 years for one of the global companies and i came back to work again with the government. so, i know both sides. so actually what i was missing in there, in the business and commercial side was only declarations for the government. that there was no real will to work with the private sector, in a lot of cases, answers for questions by government already developed in the industry. but the answers was not used by the government because, you know, sometimes of course, the corruption and objective and so on. so, i think what is quite important to mix and to really benefit from what industry developed and i can tell you in 2019, in poland we introduced a program called cyber security cooperation program. it's about five major areas, we
9:44 am
had companies engaged and another 14 in the pipeline. and it's about increased cyber security awareness. so, building the education programs, together with industry, and based on materials that were developed by industry and specific services and products. and second, it's about, identification of the vulnerabilities and stress and sharing those threats by industry. and how the government is using this. the third is security baseline. >> the configurations and baselines, and use them across the public assembling sector, and the fourth was about evaluation certification and how we work with industry to help and to prefer specific services and products for valuation and one is very important, incentives for them,
9:45 am
and the public-private sector more than welcome. it's now to promote innovative solutions to implement more security. and running this program in poland, we have very good practices develop and you can ask the company's presence, working in poland and working in the program. what the value they see coming from the real partnership. thank you. >> thank you. let me note before we turn to sebastian, that we're getting a few questions in the chat and most of them focus on cooperation, transatlantic cooperation, the role of nato and how things are working, how to strengthen, u.s. collaboration. and so after we hear about voluntary versus mandatory, we'll turn to those aspects. sebastian, if you want to close this out how to intensify on the private sector? >> first of all, the private
9:46 am
sector incentivized themselves, if it's the cyber security, it's connected to the business. it is -- this is easy. if it's really connected to the business, the private sector will invest money to be cyber secure. if not, we have to create, let's say, some mandatory requirements, but after that, they have to be some penalties and the penalties similar to the gdpr idea. so, it has to be very high penalties to not comply with those requirements, but of course on the other side, i.t. and ot comply. so the idea of compliance with the requirements, it's not the same as the security and/or
9:47 am
cyber security of the company. after the requirement and it compliance or ot or its compliance, there has to be external verification, from let's say the government or the third parties to verify if those requirements are met not only on the paper, but in the real situation. so i saw a lot of companies that have a lot of papers, procedures, but at the technical level, there are not-- they are completely not secure. of course, first of all, we are trying to create some baseline, some baseline mandatory requirements after personalities, but we have to
9:48 am
check if it false policy or false-- >> thank you, for any of my tests for new recommendations that people make it, how would we actually implement it or-- >> and it's easy to come up with recommendations, cyber security and how to advance it, tell me what to do. begins you great up gd about. r. let me talk about the international and collaborative aspects of this. one of the things that came up is how do we strengthen eu collaboration on cyber security? important to get the like-minded nation more in the same place when it comes to resilience. john, do you want to start again? >> no, i think engagement-- i think that the engagement is the number one thing that we're doing. i think that the biden administration is certainly doing that and it's trying to
9:49 am
advance that. as regards the role of nato, one i think i think we need to make sure of is that the u.s. and its involvement in nato, that all allied countries have a common sort of framework for sharing threat information. there's much that we can learn from the europeans, specifically on the disinformation states, that the europeans have been dealing with russian disinformation for decades, and they're well-steeped in it and we know that that can have effects on that and public confidence. that's a major issue. and i think the cooperation is essential both with the u.s. and eu, and individual member countries, and i think that we have to continue to make sure that we're strong in that perspective. with legal attaches from the cyber crime element and need to push forward on that.
9:50 am
what we've seen over the last few years is as we continue to be vulnerable in this space and threats everywhere continue to get more sophisticated. we're seeing the asymmetry of cyber capabilities rise in the disruptive power of cyber criminals. colonial pipeline is an excellent example of that. and i think it's a common concern for both the european union and the -- i want to circle around to voluntary piece and didn't mean to oversite the mandatory aspect. i think that voluntary information sharing and voluntary public-private cooperation is the foundation that needs to be maintained and much like robert said, that needs to be sort of the prerequisite and place where we start from. overall accountability is what we need to try to reach and maybe that's accountability in
9:51 am
a negative sense, but the accountability in the positive sense that the u.s. government and governments are in some way rewarding the type of behavior that we would like to in the sectors and entities they're doing it appropriately. i wanted to double-check that. >> great. let me ask you about this question of u.s. european collaboration and what would you do? >> i think we already have the cooperation. of course, there are some economic interests both from eu side and the u.s. side, and you know, the most controversial discussions runs to cloud computing and cloud service providers where we have discussions around the consideration for the service providers and our argument is of course, we should not forget about transatlantic with the u.s. and so the position is we
9:52 am
should not develop two categories of providers, like trust from the u.n. and trust in eu-- talking about eu, i would refer to what was achieved by eu-u.s. trade and technology council during the first meeting, and the declaration that was signed on the 29th of september so a fresh document. 10 working groups and of course, they will cover areas like secure supply chains and very important, of course, for us. of course, investment screening and technologies security and competitiveness. so, some regulations and some, i believe, in outcomes from these working groups came to
9:53 am
create the good foundation for close cooperation. talking about cooperation itself. i think it's a case by case basis as well. and it's like we just talk about colonial pipeline, but there have been many other situations where the-- worked with building information how to mitigate the vulnerability on the driver soft area vulnerability and microsoft. and we shared the first how to solve the problem even when the solution from microsoft was not public yet. and another story was ransomware against the u.s. and it's on a daily basis, just two weeks ago, we had another round of discussions, and we're working on some because in case
9:54 am
of ransomware, capture of the evidence of the attacks, but the most important after the ransomware attack is to recover the critical service. and we looked at how the polish teams recovered operations against the attacks and regional and government, and local and regional governments. and what's more, this cooperation, we established before helping others to recover after ransomware attacks and health care systems. and i think that just creating the common understanding, creating understanding and the economic goals, and to starting discussions, and working to establish, the eu-u.s., and technology council, this is a good driver for developed corporations. >> thank you, robert, that's a very valuable point on ransomware. we've got about four minutes
9:55 am
left. as usual in these events. we've gotten a flood of questions, some of which we've covered, but sebastian, your views on us-eu cooperation? >> i think what is important in all cooperation between on the political level, it's also, it's also trying to involve the private sector, because there is a big difference from the point of view of every administration and the people who are really in the business. so the involvement on the private sector, it's really crucial for the success of the cooperation. and this is one thing. the other thing i think what is also important to create the same or similar certification standards or understanding of certification standards on the eu and the u.s. side.
9:56 am
from the private sector perspective, that is creating different kind of certification standards in eu or in u.s., will be-- will be the difficulty for providing business because sometimes you need to be certified in eu for some standards in the u.s. for different standards and so on, so the-- using the same or similar standards, or even creating the analysis on the national level, will help business to provide their services. >> okay. thank you. we need to remember, and all of you have touched on the point of maturity. the internet itself was only specialized 26 years ago. and if you were going to measure the point where we switched from it being sort of a desk top ornament to being
9:57 am
crucial part of our lives, it might be not even a decade ago. so this is a very new problem. we've talked about three things that might help. we've talked about vehicles for cooperation, nationally and internationally. we've talked about incentives, particularly for the private sector and how to blend voluntary and perhaps mandatory measures. and we've also, i think, highlighted the point that while everyone's doing quite well and we're so much better than we were a decade ago. there is a-- there's a lot of room to improve. we didn't talk about nato and only one person brought up russia, i wasn't sure, but foreign actors as a source of threats and these are all good topics, perhaps for a later discussion. but let me thank sebastian, robert, john, and isabela, for what's been, i think, a very useful discussion.
9:58 am
isabela, any final thoughts as long as you're back? >> that would be that we should follow up on that with some -- and then some concrete actions and proposals together with john costello and sebastian and put these thoughts on paper and then make it happen so that's -- that's from me. it was very, very interesting. thank you. >> great, great job. thanks to everyone and everyone enjoy the rest of their day. thank you. >> thank you. >> thank you, jim. >> ♪♪
9:59 am
♪♪ >> download c-span's new mobile app and stay up to date with live video coverage of the day's political event from the senate floor and key congressional hearings and the supreme court and live interactive morning program, washington journal where we'd hear your voices every day. c-span now has you covered. download the app for free today. >> live now to the u.s. senate which today is scheduled to vote on the nominee for the u.s. district court in
10:00 am
connecticut. also today the senate's expected to vote on whether to move forward with legislation to suspend the debt ceiling for two years. the treasury department said it will run out of money to pay the government's bills in the middle of the month which could cause a default in government debt payments unless congress takes action to extend the debt ceiling. now live coverage on c-span2. officer: the senate will come to order. the chaplain will lead the senate in prayer. the chaplain: let us pray. almighty god, we trust in you, and look to you for protection. lead our lawmakers in your life-giving light. may they find in your precepts a lamp for their feet and a light

