2017 Security and Critical Infrastructure Teleconference with Robert McCreight Recap

On January 24, 2017, The Center for Policy on Emerging Technologies held our first 2017 Security and Critical Infrastructure Teleconference: Innovation for Infrastructure Resilience featuring Dr. Robert McCreight, C-PET Senior Fellow, Senior Consultant with Global Concepts & Communications, LLC, and author, among other titles, of An Introduction to Emergency Exercise Design and Evaluation. What follows is a lightly edited transcript of the teleconference, and should not be quoted without confirmation from the relevant participant.

 

 

Innovation for Infrastructure Resilience:

Conversation with Dr. Nigel Cameron and Dr. Robert McCreight

 

 

Nigel Cameron Introduction:

Good afternoon, ladies and gentlemen, it is my pleasure to welcome you to this conference this afternoon. My name is Nigel Cameron from the Center for Policy on Emerging Technologies in Washington, D.C. and this kicks off our short series of conferences on critical infrastructure security issues. You’re invited to keep your phones muted, preferably double muted just to make sure, and if you would like to raise any questions during this discussion, you will send an e-mail address to use so that you can let us have them and we can bring you in at a suitable moment and invite you to unmute your phone and join the conversation. So much for those details, also glad to welcome to our call from our C-PET team Adam Turosky and Hannah Reed who are joining us and have helped set these things up, and to announce the next in these calls on February 23rd when our subject will be securing the internet of things, critical infrastructure, and cyber security, and our guests will be two more of our senior fellows from C-PET: Jody Westby, of Global Cyber Risk, and Dan Caprio, co-founder and chair of the Providence Group. We will be sending you further information about that call nearer the time and then there’s a third call in the series for March on EMP resilience issues, which has yet to have its details confirmed. Very glad you can join us today, and I’m delighted to introduce Dr. Robert McCreight as our guest. You have been sent his bio in more detail, but I’ll welcome him as a C-PET senior fellow, who has many other associations, he is a senior consultant with Global Concepts and Communications, he has over thirty-five years of experience in the State Department on global security, arms control, biowarfare, other questions, and he is most recently the author of a second edition of An Introduction to Emergency Exercise Design and Evaluation.
Very pleased to be working with Bob McCreight, and the plan for the call is that he will have some time to make some opening remarks and then those who would like to join the conversation have been told how they can do that and, Bob, over to you, thank you for joining us, we’re so glad.

 

Robert McCreight Opening Remarks:

Thank you very much, Nigel. I appreciate the opportunity to talk to the C-PET audience and I appreciate you giving publicity to this event and attaching some materials so people could see the main arguments that I am raising.

 

I told Nigel some weeks ago that I’m sort of tagging this idea, which I don’t claim to be original, but which I am advancing as an idea that deserves further hearing as something I call “IRI”, which stands for Innovation for Resilient Infrastructures. It’s an invitation basically to begin to concentrate on the multi-year, multi-billion dollar process of repairing our aged and overburdened infrastructures.

 

It’s anybody’s guess about how long some of the existing infrastructure we have will last before we have some major system disruptions and break downs. None of the infrastructure that we’re living with now is pretty much designed to last for an unlimited number of decades, and so we start with the assumption that when an infrastructure is built, the kind that surrounds us these days, it wasn’t built necessarily with resilience in mind, and the second part of the argument is that we need to have, what I call, multi-hazard tolerant resilience, and multi-hazard tolerant resilience involves dealing with the multiplicity of threats, which I will get into in a minute, but it means that the systems we build now and in the future must be able to withstand all kinds of pressures and to successfully withstand those events in such a way as to eventually recover and restore sustained normal operations.

 

We’re dealing with infrastructures that are inherently interdisciplinary in nature, as you know, when it comes to the energy system in particular, the failure of the energy system can produce very negative, cascading effects. So what we’re concerned about here with each of the infrastructures that the Federal Government has identified, we find that we’re facing partly a technical issue, partly a financial issue, certainly a political issue, and there are certain other issues embedded in this that we have to deal with; those three initially, they are the first obstacles to overcome.

 

A second question is what systems can be fixed, which can be repaired, which can be improved, which can be replaced, and which must be upgraded. Certainly, going out may be for many people is to replace and upgrade all the systems and that fixing and repairing them just won’t do. That brings you to the doorstep of the very difficult question of setting priorities, and I leave the question of setting priorities to the political and economic leadership of the country because they not only have to determine priorities, but they have to determine what criteria make sense in trying to achieve resilience.

 

Let me take a moment to talk about what I mean when I talk about ‘resilience’. My definition, and you’ll find lots of definitions out there in literature and academic literature, but my definition includes, very simply, the capacity of these systems to withstand attack, disaster, damaging error, and recover to a status where sustained, normal operations are resumed. That’s important because, as I parse this down a bit, we’re looking at societal, technical, economic, and security risks entailed in that definition. We’re talking about withstanding what? Well, withstanding attack, natural disaster, operator error, systems error, we’re talking about natural disasters which can range from solar storms to more devastating kinds of weather and earthquake events, and certainly the manmade kind of attacks, which include, of course, terrorism, and could include, of course, an EMP attack on certain systems. So the idea of withstanding this has been defined by some people as resilience meaning a very low probability of failure, a less severe need for, a less severe concern I should say, for any negative effects and consequences, and it also implies faster recovery, but we withstand it by developing technology new systems, innovated systems if you will, that’ll allow us to overcome anything that comes against these systems. Fortunately you learn, fortunately as the case may be, that many of these systems comprise an integrated network and that is not necessarily by design. Sophisticated infrastructural systems share common interconnectivities and so we have to look at the limited reliability that exists right now and determine the extent to which, not only how priorities will be set for fixing those systems, but also the concentration of our effort on terms of how, in affecting one system we don’t inadvertently topple another. Today the risk-based linkages between existing systems put several at risk even if only one system fails.

 

Another part of resilience has to do with the question of whether or not there is a resilience recovery curve, or what I call a recovery curve that takes into account the entire process of recovery. Certainly when you walk into a room and flip on a light switch, we assume the lights will come on automatically, but we know from certain complex systems like nuclear power, and other complex systems, the restart or the shut down can take a very long time and we’re not sure that we’re completely acquainted with the simple and complex issues involved in the recovery phase, whether that’s short or long. We’re basically leaning deeply into the question for each infrastructure, which is basically how long will it take to restore the system to normal operations. This could entail four separate sub-phases: [1] initiate restoration; [2] launch systems resumption; [3] validate systems restoration; and [4] sustain restored operations.

 

And that’s why I feel resumption is key.  Resumption means that you’ve basically triggered the initial recovery period, thereafter you can validate that crucial aspects of the system have in fact been restored.  From there you now have high confidence of sustaining normal operations.  This is not fool-proof. You have figured out a formula of not only acquiring sustainability, which you can manage, but you’ve minimized as close to zero any risk of subsequent collapse. In other words you have attained some level of resilience.  Without further research on metrics and technical validation we really don’t know whether this constitutes minimal resilience or is the first of many subsequent measurable levels of resilience.

 

That means that you’re also wrestling with the question of what is the genuine spectrum of resilience for each critical infrastructure. It means finding, if you will, a range of minimal resilience versus maximum resilience. I would put on the table the question that we have in front of us, which is in the absence of benchmarks for every single infrastructure, we need to find out what that range of minimal resilience may be and maximum resilience and what needs to be done to achieve it. We already know too well that the loss of key infrastructures can damage business, travel, commercial transport, ordinary commercial transactions, disrupted emergency systems, loss of power and so on. Very deleterious effects to airports and seaport operations. So the decision about which systems must be fixed, improved, repaired, etc., involves making priority decisions about which infrastructural systems are critical to the nation’s security, socioeconomic, and in fact, certainly which systems are tethered to and may have incidental negative effects on other infrastructural systems. We want to, in setting up this priority, have to make this very difficult policy triage between the most essential and secondarily essential, and again I leave that to the business, economic, and political leaders to work out, but it must be done.

 

The third thing which is critical here, in terms of the C-PET audience, is determining which technologies and strategies methods we can develop and derive, which will enable a more resilient set of infrastructures to emerge for the next several decades. We don’t know what the race against time actually entails.  Do we have two decades to accomplish this or far less?

We don’t know what existing systems may fail over the next several years, however we do know that we have to come up with a solution for re-engaging these systems. For example, we’re talking about resilience in terms of resistance to natural disasters, terrorism, catastrophic cascading systems failures, operator error, and hostile action by enemies engaged in warfare. We’re talking about solar flares at one end and high frequency  E1 pulses from manmade EMP high-amplitude, low-frequency zaps, but also implying with this, without getting into a great deal of detail, the extent to which one would consider the domain of cloud computing to be in any way associated with, or dissected from, our existing IT and telecommunications infrastructure. Implying here explicitly that we need more work on how to make the cloud resilient.

 

One of the assumptions that we make is when we go down this road is that we want to bring together the experts necessary into the process of creating pathways and mechanisms for better resilience. So I’m calling for and suggesting that there be at least a two year process that involves universities, departments of engineering, physics, etc. with an organized Delphi process to bring government, military, private sector experts together with university schools of engineering to allocate R&D funds for the first couple of years to validate test concepts to use these expert groups to help us prioritize these systems and to determine system failure risks and to isolate any secondary or tertiary effects and then develop some pilot ventures in resilience technology, which can be beta tested and funded over a short term as they’re applicable to the priority systems that we want to restore.

 

This can involve, of course, a multi-year investment of money, a multi-year investment of talent, it’s not something that can be done in a few months, it certainly takes a long time and requires a strong commitment to innovative technology and sharing these innovative techniques where possible and engaging in proof of concept testing and risk testing for rigorous demonstration of actual resilience. Based on a derived scale of what minimal resilience in each of these infrastructures looks like.

 

Now, one of the things I’m suggesting in my ideas, which is simply a proposal, is there will be 50 state innovative incubators, if you would, hosted by the state college of engineering [along with relevant schools of business administration] and by the leading manufacturers and industrial leaders of the state, working with the governor, to begin to identify and prioritize those infrastructural systems that may need priority attention.  To the extent that one recognizes that over 80% of our nation’s infrastructures are owned or managed by the private sector clearly they must play a pivotal role in all these discussions, helping and guiding when a discussion takes place.  Capital Investments will have to be made as long term investments and have to be realistic, may include any mixture of tax incentives and investment tax credits and other aspects of the financial landscape necessary to sustain a multi-year effort at promoting and encouraging resilient and innovative infrastructure.

 

This is what I think of as a wholly new concept. It’s totally based on the idea of resilience being the paramount criteria and it indicates, in its assumptions, that we’re deliberately engineering future systems and we’re taking advantage of the linear extrapolation of existing advanced technologies like nanotech, neurotech, biotech, and we’re also taking account of what I call convergent technologies, that is the mixture of biotech, and robotics, and neurotech, because understanding and managing multiple advanced technologies to deliberately attain better convergence and—by design—better resilience is a national security priority.

 

If we are careful and determined by focusing efforts on strategic designs to build in greater systems resilience for our critical infrastructures we will add a layer of protection for our nation which is robust and superior to the system vulnerabilities we face today. This affords our nation the opportunity to share this technology as it pleases with the globe. With sustained and focused programs over many years with adequate funding we may attain the capacity to overcome negative, destructive consequences and damage. We must commit now to engineer productive and sustainable consequences by deliberately engineering convergent technologies that are more sustainable and more resilient, I think this proposal and overall set of ideas deserves widest possible support and encouragement.

 

 

Cameron:

We seem to have lost the sound. Can others hear Dr. McCreight?

 

Woman:

No, we can’t hear anything.

 

Cameron:

Okay, well I just messaged him to let him know, we’ll see if we can’t rescue the situation, thank you very much. I’m trying to get Dr. McCreight to call in again so we can hear him, something has gone wrong with the line, so people please hold on and be patient and keep your phones on mute, thank you. Our guest is calling in again, we’ll see if we can make the system work. I do apologize.

 

McCreight:

Am I back now, Nigel?

 

Cameron:

You’re back, well done! Yes, we’ve resurrected you, we lost you for a couple of minutes so move back a bit and carry on, thank you, thank you everyone for your patience.

 

McCreight:

Okay, sorry, I don’t know exactly where I dropped off but I’m coming to the conclusion of my points, which is basically that other countries in the EU have invested a substantial amount of money and time looking at the resurrection and improvement of their infrastructure. They recognize they have to overcome barriers that are inherent in their political and technical systems to finding solutions and we are quite aware in the US, if you dig deeply into the history of the US political system, there has been a rather sad history of congressional hearing over the prioritization of certain infrastructural restoration projects, people having their own pet areas to nurture at the expense of others.

 

What we need now, of course, is a broad consensus that’s bipartisan, where we can, on a bipartisan basis, identify those infrastructures that are critical and restore them and replace them as needed, based on a rigorous assessment of what technologies can bring to our knowledge. We have to be aware, especially again, of those existing and extrapolated and convergent technologies, extrapolated technologies would be for example genomics being extrapolated out ten to fifteen years to try to imagine what possibilities may come out of extrapolated genomics. Convergence has to do with the merger of several advanced technologies like genomics, robotics, and nanoscience and using these convergent technologies to our advantage to bring about resilient infrastructures.

 

We know engineering has taught us that there is no such thing as a system that’s been built that has an absolute zero chance of failure, so we’re not deluding ourselves into thinking that what we’re trying to achieve will not contain any risk of failure whatsoever, but we are trying to build systems that are inherently better, inherently stronger, inherently wiser, and more sustainable than the ones we have now. So we, in effect, we have to completely redefine what research and development for the next ten years looks like. We have to be able to engage in proof of concept testing, we have to be willing to experiment and engage in departments of engineering in each of the key states, get the private sector involved, begin to map out what our criteria for minimal to maximal resilience looks like.

 

We have to come up with strategies for dealing with negative cascading effects, we have to come up with this “yard stick” for resilience, which enables us to develop the technologies and strategies needed to move forward. We are aware of innovation models that have existed before and I think they will be of limited value, but they’re there. I am concerned as well, in closing, with the idea of building innovative resilient infrastructures which may add to those we already have, of course, what we have already is the chemical sector, energy, defense, IT telecoms, waste, water, public health, agriculture, transportation, financial services, but the other infrastructures that I am concerned about that are of equal concern is our security infrastructure, our infrastructure for public safety, our infrastructure for education. The question is whether or not these are deserving of attention or whether they need to be put on a side track.

 

Basically what I have discussed today is a summary treatment of the issues I’m trying to raise with the IRI concept. I hope that, despite the interruption in our talk, that the main ideas were conveyed and I’ll stop at this point, Nigel, and throw it back to you and the group if there are any questions.

 

Cameron – Questions:

Well thank you, thank you very much, and just a word to others on the call, if you’d like to ask a question, please do drop an e-mail to one of our e-mail addresses, the easiest is just admin@c-pet.org, admin@c-pet.org, and we’ll pick that up and then we can bring you into the conversation. There are too many on the call to have a free for all.

 

I have some issues I’d like to raise, Bob, as we open this out a bit. Now, obviously there are various moving parts here in what you’re proposing, and one of the difficulties, of course, we have in the policy community is dealing with issues with a whole lot of moving parts, you’ve got public sector, private sector, range of technologies, legacy technologies, and of course, some very new technologies. One or two questions occurred to me while you were speaking: are there parallel initiatives? Are there efforts which the US has engaged in the past, which in some way resemble the kind of initiative which you’re proposing? I mean, we all fall back on the moonshot and so on, but is there something really complex like this which has been done, which could be some sort of model, a heuristic, as we move forward?

 

McCreight:

Yeah, I can think of two that follow two different patterns. One would be the national technology initiative the kind of support and scientific and academic engagement that it elicited as well as the stimulation to the private sector. The other one would be the search for breaking the genomic code and being able to pursue a better understanding of genomics. A third one, maybe a candidate for that, and as the recent attention that’s been paid to the vulnerability of energy infrastructure and the concern that we have about how vulnerable our energy infrastructure is to penetration collapse and break down. Maybe your listeners have other ideas, but those are the three that come to mind and each one of those, as you point out, has many moving parts and there’s a mixed record there of success, and the question is, for me, the two part policy question, is, first of all, not only framing a coherent policy map with a set of guidelines about how to proceed and bring in the right people, but the second key thing is getting funding and energy to sustain the effort over several years.

 

Cameron:

I think the example of the national technology is interesting, as it’s something we’ve tracked over the years. Of course part of its problem has been its initiative, it’s spread across twenty different agencies, its funding comes from different subcommittees, and so on and so forth, but it certainly has been an effort to correlate and to bring together at a high level, very diverse efforts on the ground. You made some reference to the EU, and of course everything in the EU tends to be more centralized, more organized, more planned, and there are pluses and, of course, there are minuses. Do you want to talk a bit more about how Europeans have been responding to the situation? Are there models there, other things we can learn? How would this discussion be playing out if we were in Brussels?

 

 

McCreight:

Well, that is both a simple and difficult question, Nigel. I think, on the simple side, I think in my judgement I offer strictly my interpretation of what’s happening in Brussels is they’ve opened the door to a wide variety of ideas on ways to go forward, and they are to be commended for that, and to encourage that and to support innovative ideas in that direction. At the other end of the spectrum, however, are the questions of whether or not the kind of difficult decisions that I make, that I’m arguing, have to be made here, which have bogged down previous efforts in the United States, which is the politicization of innovation by either congressional theatre, committee, or political preference. I see the same things perhaps happening, to some degree, in the EU where efforts to try to advance certain kinds of infrastructural values may be advanced at the expense of others that are competing for ascendency and competing for funding. My own take is that, on the good side, many ideas are being brought forward. On the more negative side, there’s a rather vicious competition for who has the best among equal ideas.

 

Cameron:

Of course we had an election campaign, which is perhaps the first ever in which the word infrastructure has been quite prominent, and President Trump has spoken about it repeatedly and even in the context that we have picked up on is it’s the bridges and the roads and the more obvious infrastructure questions, which have driven that discussion, but there is of course a political moment here when that word has a phrasing it hasn’t had before. Is that a fair comment?

 

McCreight:

I think there is, I think there will be great attention paid to infrastructure. I think that, certainly, we can’t ignore the political questions involved because they have killed previous moves in that direction, but if the new president can cobble together the degree of broad consensus needed to sustain both congressional support and funding, and have it work its way back to the private sector in a multi-year, multi-billion dollar way, I think anything is possible. I’m trying to remain hopeful, fully aware of previous efforts that have not been as effective.

 

Cameron:

Just to take that conversation a little bit further, there are all sorts of agencies in mind here that refer to specific initiatives. We have, you know, OSTP, which has always seemed to me to be sadly undervalued in the federal government, the Office of Science and Technology Policy, which never has much money, but has some very smart people, has very little leverage in terms of policy. My one line joke is always that we don’t actually have STP in the US, that there isn’t a category for overarching science and technology policies across the administration, even though we have this office there, and of course we have PCAST, which relates to it, which tends to be very full of grand people who fly in and they produce lovely view books which put all these pieces together. Some actually very interesting reports come out of PCAST, but we have some infrastructure if you like there on the policy side that seems to have very little actual connection with the policy decisions being taken in the agencies and the budgets, is that a fair remark?

 

McCreight:

It’s a fair comment, Nigel. For two years I ran international science programs out of the State Department and that’s where I learned, I actually got an additional amount of education from that because I found in the interagency there were three basic truths that I have to put on the table and share with you, they’re again strictly my perspective. Truth number one is: OSTP is indeed full of smart people, but OSTP doesn’t have either the lightning bolts or thunder to cause independent agencies with their own significant science budget to adhere to their preferences. Number two, with agencies that have a big science budget, like Department of Energy, like HHS, and so on, there is a tendency for them to want to focus their scientific projects on endeavors that are congruent with other congressionally approved, or politically accepted outcomes. This is not to say that free research and unrestricted, unregulated research doesn’t take place, it does, but it means, bringing me to the third point, that in order to corral the interagency scientific community, one cannot easily ask OSTP to get everybody to stand in one line and take “one step forward”. They just don’t have that kind of authority. In addition to which you have the NSF, and you have the National Academies, and in many ways the difficulty of them being brought together has been a consistent problem.

 

One thing I did see in the past and in my many years of government service, which was a worthwhile idea, is that when previous administrations decided that one of the things they gave to the vice president to do was to be the official, interagency spokesperson for government science. I still think that’s a valid idea, that’s one way of corralling this unmanageable interagency beast and to have it focus on the kinds of things we’re talking about in creating innovation and resilience in infrastructure.

 

Cameron:

Thank you. Well, as I say, there’s an open invitation to those who would like to drop a one line e-mail to us, just do admin@c-pet.org. We do have a question or two from Christine Peterson, who I would like to bring into the conversation. Christine, are you there? Can you unmute yourself? You should be able to do star six and be able to get into the call.

 

Christine Peterson:

Nigel, I’m here.

 

Cameron:

Great, welcome! Great to talk to you, it’s been a while. Christine Peterson, famous for many things, not least of being one of the co-founders of the Foresight Institute and do join the conversation and ask what you would like of Bob McCreight.

 

Peterson:

Well, I had a number of questions. The thing that’s bothering me the most now, obviously this is a gigantic topic, it’s a huge problem with so many aspects, it’s hard even to wrap your mind around. So, in order to make any kind of a difference, I’m trying to drill down and pick an area where I might have some leverage. The area that has me most concerned, in terms of near term issues, is software vulnerability of the electric grid. So, I had a couple questions, one was what can you say about that, first of all, if that’s one of your areas of expertise, I know you have very many? And then secondly would be do we need to change liability questions? If we’re dealing with private companies or utilities how do we persuade them to take action and make major investments? Don’t we need to start to turn around the situation and change the responsibilities about the legal liability issues, so that they understand that this is not optional and this is a business necessity? How do we go about that? I remember back, at the time of Y2K, that Alan Greenspan did some stress testing on the banking system. Basically, if I understand correctly what he did was he told the banks “look, we’re going to do some testing and you have to prove that you can interact with the new data system or we’re going to cut you off”. Pretty harsh threat, but, you know, the system did need to work it needed to be known to work in advance and it did work, it worked fine. I think, so this is just one aspect of this huge topic you’re discussing, but do you have any input on any of this?

 

McCreight:

Ms. Peterson, thank you for the question, I’ll do my best to try to answer and bring me back to your third point after I try to tackle the first two, okay? In terms of the liability thing, I think that, in some ways, is the easiest of the two, first two parts, liability gets you into the terrain of lawyers and there’s nothing that is quite so scientific and quite so un-scientific as legal reasoning and it pertains to the question of liability. What comes to mind in this whole issue, is and it creeps up on the legal notion of due diligence, and if you dive deeply into negligence cases, and things of that nature, those instances where a harmed party has been able to show that the harm was a result of the failure on the part of the offender, or the manufacturer or the operator, to exercise due diligence and therefore harm directly resulted; one can certainly make the first level of an argument about due diligence liability.

 

The flip side of the coin is the private sector on this issue will probably want to argue most keenly that while they own 80% or more of the infrastructure they don’t believe they own 80% of the responsibility for its failure or its disruption. Now, that may seem counterintuitive, and it may seem that maybe I have my facts confused, but I think when we look at the liability question, I think that represents a very credible way of getting to the question of infrastructural restoration, that is through the back door, that is as you hold certain infrastructural managers responsible for the failure of systems, that affect individuals and cause a harm, they improve in cases of legal liability which form a way through the legal system, may eventually prove that a manufacturer was the harmer and therefore has to take remedial steps… I would much prefer the positive side, where people are doing this because they see it as a way of minimizing their liability, as a way of increasing their confidence in the relationship with the consumer. I would hope that would be the case.

 

Switching back to the electric grid and the software vulnerability, I’m certainly not an expert on that issue, I know there are questions of software vulnerability that could be raised, I was involved in, and privileged to be involved in a thirty person group, sponsored by the FBI, to generate a report, a month ago called Powering Through—Creating Resilient Infrastructures [available from Amazon at a cost of $21.95], which dealt with initial questions involving grid collapse, and while software came up as one of the issues to be concerned about, we have to pay attention to everything running from natural disasters, up through solar storms, as well as EMP, and if one tried to rank the probabilities of those events, I’d have to put software problems certainly near the top. I think that we have to be aware of the fact that the electric grid has many vulnerabilities, and trying to, in effect, build better electrical grid systems, against what amounts to about nine or ten potent risks. It’s going to be a difficult task, and if we protect the electric grid system, simply, with the focus primarily on software, as valuable as that would be, we run the risk that we would leave ourselves vulnerable to EMP or to high, manmade amplitude, low frequency EMP events.

 

So let me get back to the third part of your question, if I’ve answered those two.

 

Cameron:

Chris, you still there? Could you come back?

 

Peterson:

Yes, yes I’m there. So, last time I asked so many questions, are you asking what the third one was?

 

McCreight:

Yes.

 

Peterson:

Okay, you know, I don’t remember, but I want to ask a follow up on what you just said. Here’s why I would make the case that the software vulnerability is, in my view, orders of magnitude, more urgent than even these other issues, which we all agree are very serious issues. The more familiar one gets with what’s going on with internet security right now, the more we realize it seems that the attacks, and these are just routine, normal attacks, these aren’t unusual attacks, these aren’t state level, actor attacks, these are just normal, everyday, security attacks, are happening, they’re just like exponential. Any open door is being entered. That’s why, even though I’m a strong believer in preparing for things like earthquakes, and EMP, and all that, the urgency of the software issue is hard to overstate. If there is a way to take action on the software issue before, and I want to deal with the other ones, I’m not saying they’re not important, they’re super important, it’s super urgent that we work on the software issue and that will gain us time to work on all the other issues. That’s how, I’m out here in Silicon Valley, that’s how things look from our perspective.

 

McCreight:

Well, I couldn’t agree with you more, it’s very urgent, and the only reason I answered you by pointing to five, or six, or seven different concerns that we had when we put this report together, and by the way we’re working on version 2.0, is simply this—The idea of software vulnerability was something we were aware of, but having said that and recognizing the high priority that is attached to it, I would just say that, and this is not to detract in any way against what you’re saying in any sense, there is the concern that remains out there over DHS and cyber command and DOD side, there are rather difficult and awkward questions still hovering in the air about the extent to which the U.S. government bears responsibility as the gate keeper, protector of private sector systems from cyber attack. That in some ways elevates the software issue to the number one spot, but I don’t see a consensus forming around that by itself without a recognition of its other vulnerabilities, as well. That would include infrastructural systems made more vulnerable because of their IT mechanisms. So I hope for the sake of all of us, that software vulnerability is attacked and looked at seriously.

 

Cameron:

Well, thank you and Christine thank you very much for joining us. I’d like to move in a little different direction. I was very interested in the way in which you were talking about the State level activities in all 50 states and so on, and maybe that’s something perhaps that we should tease out a little more, of course part of our difficulty is the way in which the federal government works, and we’ve mentioned this from several different angles, and getting focus and getting collaboration. States operate very differently and of course we have Governor Brown in fighting form in his state of the state today out in California and some of you may have read, I had an op-ed in the San Francisco Chronicle around the turn of the year suggesting that California could take a lead in all sorts of ways across the technology front if it just decided to because initiative can come in many forms. Of course now California is the sixth largest economy in the world, and often doesn’t think of itself in the context as taking national and global leadership. Are there states which have done things in this resilience infrastructure area which we can showcase? Is this a discussion which has taken place at the state level, Bob?

 

McCreight:

To some extent it has, I would certainly include California among those states. Where I think it breaks down, Nigel, is certain states have broken off pieces of the infrastructure that they want to focus on in particular, and I think that they’ve done so for good reason, but at the expense of identifying other areas of infrastructure because this is the Wild West, this is unsettled terrain for which national policy has yet to be articulated. I’ll just say this in closing on your question; while you can point to five or six states that are leaders on their particular area, in particular focusing on areas of telecommunications or focusing on the question of maybe public health systems, they are few and far between because people are waiting for a national leadership signal to be sent that there is a train there that everyone can get aboard that will be funded and sustained, and this is part and parcel with what I’ve written about before, which is understanding the emergency powers of the State Governors under article ten of our Constitution, if there were a major disaster or major problem that caused certain infrastructures to collapse, even DHS will tell you that they’re not sure about the strategy for restoration and recovery of those infrastructures and what buttons and switches would be pulled to make these things happen because they would ultimately be relying on the private sector. This puts the state governors in a difficult situation because the State Governors’ emergency powers have not been fully explored in terms of what can be done within the confines of each State to ensure some level of continuity and dependability on those infrastructural systems for which states are responsible. This deserves further attention.

 

Cameron:

That’s very interesting, I mean, not least because if this discussion can be furthered and its significance can be raised, you only need to have one or two States in which you get a Governor who gets it and who shares these concerns and who can do things in integrative ways that are much more difficult at the federal level to bring up and to pull that discussion forward.

 

McCreight:

I think that’s a great idea, I think it deserves support.

 

Cameron:

Well, we have a few minutes left, if anyone else wants to jump in, please just hit an e-mail to admin@c-pet.org and we’ll bring you into the conversation.  Otherwise, I’ll just take discussion in a slightly different direction by picking up one or two other things in the paper which Dr. McCreight circulated earlier. You have a plan here, 2017, 2019, talk a bit about how if you run the circus what the Federal Government would be doing with the next couple of years?

 

McCreight:

If I was in charge, king for a day?

 

Cameron:

If you were the guy.

 

 

McCreight:

Well if I was the guy, the first thing I’d do is have the Vice President call an interagency meeting of the science directors for each of the major interagency players; I’d invite the OSTP, National Academy of Sciences, and NSF, and say, there’s a new sheriff in town, we need to be looking at the role of science from a leadership standpoint in sustaining and developing technologies for sustaining our infrastructure, then I’d put them on a Manhattan kind of project and at the same time I would call in State Governors and I would say, here’s some money for you to start doing some beta testing, and some seed funding for your State universities to do the same thing. I want you to report back to me every six months and at the end of two years I want you to showcase what you’ve come up with in each of the key sixteen infrastructures. I would dispatch DHS, DOD in particular, to monitor what’s happening and provide input and fact checking and rationality to that process. I would also include in this an advisory group of people from the Fortune 500 on a commission to oversee the private sector’s interests. I would hope at the end of the two year period that I’m talking about, not only legislation, but a realistic sense of budgeting and technology priorities would develop, where we would, as I said earlier, would completely redefine what research and development in the United States looks like. It would no longer be research and development unrestricted as pertains to military hardware and public health, it would be research and development as pertains to the sixteen or seventeen divisible planes of infrastructure resilience.

 

Cameron:

That’s a very helpful way to outline the program. Are there champions in Congress for whom this sort of agenda might be something they might pick up? I mean is anybody floating around a bill which would lay out a program like that?

 

McCreight:

Nigel, there are probably a few members, on both sides of the aisle, who have ideas about how to do this, but the question is whether they can align themselves in such a way to create a truly national strategy, which sets aside arguably petty concerns about their own district and creates a national strategy, which is multi-year in nature and has sufficient funding to create a Manhattan Project kind of outcome. What I’m talking about is Manhattan Projects in all 16 infrastructures that will result in resilience, and I will add to that, also, the caveat, to carefully share these technology ventures internationally where we can to pick up what we can from international players and try to contribute to the overall wellbeing of the less developed and fully developed world, where infrastructures can contribute to greater stabilization of the global community. So, yes there are people there, there are lawmakers who have this mind that they have to set aside their jurisdictional jealousies and go national. Sort of like in the military, they tell the Air Force, Army and Navy to think purple, to think in terms of the DOD.

 

Cameron:

That is very helpful.  We’re drawing to a conclusion now, do you want to offer any final remarks before we wrap up?

McCreight Final Remarks:

Well, the only final thing I’d want to say, Nigel, again thank you for the opportunity to address your group. I hope I’ve raised some interesting questions; I know that this is just an outline, it’s basically a back of the napkin set of thoughts to lay on the table, but I’m hoping that people will find that there is something inspirational in this. I certainly hope that we set aside a serious amount of time to look at resilience metrics, to encourage innovation and fund it, and that we strategize and not let infrastructures fail around us before we decide to fix them.

 

Cameron:

Well, that is a very helpful way to frame our agenda moving forward. I want to thank you very much for joining us and for setting this out. To invite those who wish to join us on the 23rd of February for our next round, which will be something of a subset of this conversation, looking specifically at the internet of things, cyber security issues, and we will be coming up with a transcript, which Dr. McCreight will be able to approve, of this conversation. So that will be available and that will be circulated, so we hope that this will help take the discussion forward and I’m very grateful to you all for joining us today, thank you all very much, and thank you, Bob, in particular.

 

McCreight:

Thank you, Nigel. Bye.