Department of Homeland Security National Cybersecurity Summit

click to begin

Youtube

National Cybersecurity Summit
National Cybersecurity Summit
National Cybersecurity Summit
National Cybersecurity
SummitNational
National Cybersecurity
Summit.
National Cybersecurity Summit
National
Cybersecurity Summit National
Cybersecurity Summit National Cyber
Security Alliance national National
Cybersecurity Summit and National
Cybersecurity Summit and National
Cybersecurity Summit and National
Cybersecurity Summit distinguished
guests, good morning and welcome to
the Department of Homeland Security's
National
Cybersecurity Summit.
We thank you
for joining us today and for being
part of this important
discussion.
Before we begin, please allow us to
take a few moments to go over some
important administrative
details.
Security for today's event is a joint
effort of the federal protective
service, the United States secret
service and the New York police
department.
We ask that you kindly
follow any instructions given
by uniformed law enforcement
officials
and report any suspicious activity
to
a law enforcement official or any of
our event staff who can be identified
by their staff badges.
Please take
note of the marked exits around the
auditorium.
Should we need to
evacuate the facility, guests
seated
in the forward half of the auditorium
should exit through the doorways to
the left and right of the main stage
and proceed through the courtyard to
the bridge Street emergency exit.
Guests in the rear half of the auditor
auditorium and balcony should exit
to
the rear of the auditorium into
the main corridor through which you
entered and use the curveed stairs on
either side to reach the emergency
exits located in the stairwells.
Restrooms are located across the
main
corridor and can be accessed by
exiting to the rear of the auditorium.
We also have an overflow room
available which will be showing what's
going on, on the main stage, in
meeting room 1.
Finally, we ask that
out of respect for our panellists and
your neighbours that you please
silence your mobile phones and any
other electronic devices at this
time.
Again, thank you for joining us
today.
We are honoured that you are
here.
Please now welcome our master
of ceremony for the day, the
Honourable Chris officer Krebs,
United
States Department of Homeland
Security.
>>Good morning.
Welcome.
Thank you, everybody, for
joining us
here today at the DHS National
Cybersecurity Summit.
I want to thank
you for your contribution today.
You
have all made an investment of some
kind to be here today, and that is
critically important as we continue to
advance national cybersecurity
initiatives.
Why is that so
important?
Because in no other
national security arena is industry as
the private sector on the front lines,
where you are expected to
defend
yourselves.
What we want to
communicate today is that government
is here to help you.
We are
inextricably linked.
Your risk is our
risk, and we must take action
collectively and together together.
That will take a collective defence
approach approach.
If I know anything
about U.S.
history, it's that when
America is threatened and we
mobileize, no one can stand in our
way.
That's what today is.
It's the
beginning of that mobilization, where
government and industry will
partner
and collaborate to enhance our
national cybersecurity.
So over the
course of the day, you'll hear from a
number of government officials and
private sector executives, and
each
panel, each keynote keynote, will have
a concrete deliverable or
outcome.
We're not here to talk; we're here to
act.
All of these panels, all of
these commitments, will have one
single organizeing principle.
United
we stand, divided we fall.
It's going
to take a collective defence model to
enhance our national cybersecurity.
So, with that, I'd like to introduce my
boss, the sixth secretary of the
Department
of Homeland Security, secretary Kirstjen
Nielsen.
[APPLAUSE]
>>Good morning.
Thanks for that kind introduction and
giving us a road map of everything we
accomplished today.
It's my great
honour and pleasure to welcome you
here today.
It's so wonderful when an
idea with such passion actually
comes to fruition.
So it's very much a
pleasure of mine to see you all here
today.
We have a lot of serious
threats to discuss today.
Americans
are worried about what our digital
enemies
might do, whether it's taking down the
power grid, holding health care
systems hot standing or the nightmare
scenario the day the new TV show drops
on Netflix.
I often hear about what
keeps folks up at night.
I'd like to
thank the speakers for bringing their
species and leadership to
this discussion as well well.
What you will see before you today is a
true effort from all of the United States
government to work with private sector
and academia to combat these
threats.
I'd also like to thank director Alice
bringing his species, Under Secretary
Krebs, and those of you in the
audience and.watching from home to all
of the men and women from DHS for
oeverything you do every day to protect
our country.
Thank you.
Whether you represent government,
industry or academia, we are glad to
have you on our team.
I want to thank you for your continued
collaboration for the time you're giving us
today, and for your future efforts to
work with us as we look at these
threats.
This afternoon we'll also have the pleasure
of hearing from vice-president Pence.
He will lay out how this administration
is strength strengthening
cybersecurity across the
board and why we will be relentless
against our cyber adversaries.
This
event is the first of its kind.
Together we are coming together
government leaders, CEOs, academics
and cyber experts to send a message to
these online threat actors actors:
game over.
Our team is formed, our
team is ready and we are ready to
combat you wherever you might manifest
your threat.
We're not waiting for
the next intrusion to act.
We're
taking a look at the threat and taking
action, noteably as Under Secretary
Krebs mentioned, collective action.
That's truly the only way we will win
this struggle.
Today is a watershed
moment, a chance to cement
partnerships in order to protect our
networks and to repel digital invaders
together.
This morning I'm going to
give you a stark overview of the
threat landscape.
I won't sugar-coat
it.
DHS and the administration
are
fighting back.
I'd like to announce
bold new efforts starting today that
will make the digital a infrastructure
of our country more resilient.
So let
me give you the bottom line up
front.
We are facing an urgent evolving
crisis in cyberspace.
Our adversaries
capabilities online are simply
outpaceing our stovepiped
defences.
In fact, I believe that cyber-threats
collectively collectively now
exceed
the danger of physical attacks
against
us.
This is a major sea change for
high department and for our country's
security.
Indeed most Americans go
about their daily lives without fear
of personal injury or harm from
foreign adversaries, but our digital
lives are now in danger every day.
These threats can have consequence
when the bad guys can steal money from
your bank account, shut down emergency
services, the impacts go far beyond
our smartphone screens.
But don't get
me wrong.
Terrorists and criminals
still pose a terrorist threat to
our
lives.
We take this mission at DHS
seriously.
They're plotting against
America daily.
But the attacks
surface in cyberspace is now broader
and under more frequent assault,
forceing us to rethink Homeland
Security.
DHS was formed 15 years ago
to prevent another 9/11, but today I
believe the next attack will more
likely reach us online.
The warning
lights are blinking red this
cyberspace.
I agree.
Intruders are
in our systems, seeking to
compromise
more of them every day and they
represent a very active threat to
our
digital security as a nation.
Everyone and everything is now
target.
Individuals, industries,
infrastructure, institutions and
our
international interests.
The scope of
the problem keeps getting wideer.
The
cyber-threat landscape is
different
today because cyberspace is not
only a target target.
Cyber can be used as a
weapon, an attack vectorror or a means
through which activity can be
conducted.
Today our innovations can
be stolen and used to diminish our
prosperity, our infrastructure can
be
hijacked and used to hold us standing,
and our institutions can be
compromised and used to undermine our
democratic process.
Our smartphones
and computers can be turned into force
multipliers, your computer can be part
of a Bot army or commandeered to
still
bit counsel to finance a rogue
regime.
Last year was the worst ever in terms
of cyberattack volume.
The headlines,
we'll continue to see this year.
Last year nearly half of all Americans,
half, had sensitive personal
information exposed online in 2017.
But that wasn't even the total for
2017.
That resulted from one single
breach when cybercriminals hacked
major credit bureau.
We witnessed North
Korea's ransomware, which held systems
standing.
We saw compromising and you
be leisuring of malware which
wreaked
havoc.
These incidents, though, are
only the beginning.
Rogue regimes and
hostile groups are probing critical
systems worldwide every moment as we
speak.
Without aggressive action to
secure our networks, it is only a
matter of time before we get hit hard
in the homeland.
It's not just risks
to our prosperity, privacy and
infrastructure we have to worry about.
Our democracy itself is in the
crosshairs.
I'll take a moment to
touch on this, because I think
it's very important to do so.
Two years
ago, as we all know, a foreign power
launched a multi-faceted
influence
campaign to under undermine public
faith in our democratic process
and to
distort our approximation
election.
That campaign was multi-faceted.
It
involved cyber espionage, cyber
cyberintrusions into voter
registration systems, online
propaganda and more.
Let me be clear.
Our intelligence community has it
right.
It was the Russians.
We know that, they know that.
It was directed from the highest levels and
we cannot and will not allow that to happen
again.
Although no actual votes were
changed in 2016, let me be clear in
this: Any attempt to interfere in our
elections is a direct attack on our
democracy.
It is unacceptable and it
will not be tolerated.
Mark my words.
America will not tolerate this
medals.
It's clear we're in a tough fight now.
The headwinds are against us.
Let me
give you a few examples.
First,
increased connectivity has led
to
increased systemic risk.
There's no
getting around it.
The wideer and
deeper the web gets, the more
vulnerable we all become.
The
Internet of things, which is really
now the Internet of everything, has
compounded that problem by giving
cyber criminals a direct route on to
our door steps and into our homes.
Wherever and whenever you are
connected to the Internet Internet,
you
are unlocking doors and windows you
might not even be aware of to let the
bad guys in.
What's more, our growing
digital at that dependence means
that
vulnerabilities can have cascading
consequences when they are exploited.
Whether it's common tools such as GPS
or payment systems, everything is
closely intertwined.
An attack on a
single tech company can rapidly spiral
into a crisis affecting the
financial
sector, the energy grid, water systems
or even the health care industry.
Secondly, our cyber arrivals are
getting more sophisticated.
It might
be similar to a sloppy break-in,
the window might be broken, furniture
overturned, missing jewellery would be
a dead giveaway that somebody had been
in your house, that you had been hit.
But they're getting savvier.
Now when
you get home that door appears to be
still locked.
The house appears
exactly as you left it.
But no.
In
reality, the intruder has been for
hours, perhaps days and weeks weeks,
and will remain in hiding waiting for
the right moment to strike.
That's
what we're up against together.
So to prevent cyber intrusions today we
don't just need abalarm system or a
in additionhood watch or security cameras
or even armed guards constantly
roaming the highways.
We need it all.
Third, similar to the pre-9/11 days,
and this is where we'll focus today,
we still have trouble connecting the
dots.
Between all of us, government,
the private sector and individuals
here today, we do have the data needed
to interrupt and prevent
cyberattacks,
but we aren't sharing fast enough or
collaborating deeply enough to make it
happen.
This is partly because we're
operating in a legal and operational
paradigm designed for a different era.
Long before brand name breaches could
threaten to cripple entire
industries.we still have the walls up,
still have stovepipes and silos.
So
what are we doing about it?
Today,
let me say this, we are replacing
complacency with consequences, to
deter bad behaviour you have to punish
it and we can't wait for the big one
to do just that.
Our adversaries, we
can't sit by while they outmanoeuvre
us.
We must act now.
That starts out with calling out the
offenders, whether North Korea or the
Russians.
We are identifying countries that have
compromised our systems or who
have
unleashed destructive malware.
We are
im imposing costs, whole-of-government
costs, diplomat diplomatically,
legally.through other means.
The
United States possesses a wide
range of response option options
option
options some seen and some not.
Let
me also again take this opportunity to
issue a warning as I have in other
forums and speeches to any foreign
power that would consider medal
manying in our networks or affairs
of
our democracy.
The United States will
no longer tolerate or accept your
interference.
You will be exposed and
you will pay a high price.
Second, we
are changing our posture and setting
course to confront systemic risk head
on.
Traditionally, DHS and our
sector-specific agencyies have
focused
primarily on protecting
individual
assets, companies, individual systems
or sectors.
But now we are looking
more across government,
across
sectors, across government private
at
those national critical
functions.
What are they?
These are the
lifeblood of our economy, of our
national security, of what allows our
day-to-day lives.
We must identify
single points of failure,
concentrated
dependencies and interdependedcies
that can create those ripple effects
across sectors.
To do this we're
launching a voluntary supply chain
risk management program under
secretary Krebs will talk a bit about
that later.
We're also partnering
with companies to hunt down unseen
security weaknesses and limit our
attack surface.
I urge you to join us
and lend your species in these
efforts.
Third, we are reorganizeing
ourselves for a new fight.
I'm
working with Congress to pass
legislation to establish the
cybersecurity and infrastructure
security agency within DHS.
This
would recast what is now NPPD or our
cybersecurity arm into an ambitious
agency capable of better confronting
digital threats.
But we all know that
waiting for Congress to act is like
waiting for a new game of thrones book
to come out.
In the meantime, we're
taking other steps, including ones that I
will announce today to make sure we can keep
up and stay ahead of
our online adversaries.
This also includes dramatically ramping
up efforts to protect our election
systems, including through a new
election task force and deploying a
vast array of services, and
partnerships nationwide working
with
all 50 states to help our partners
secure our election infrastructure.
And finally, we're embracing a
collective defence posture.
As I've
said many times before, in a
hyperconnected world and as Chris
mentioned in his introduction, your
risk is now my risk.
My risk is your
risk.
Each of us is on the front
lines of the digital battlefield, so
we must work together to protect
ourselves.
Any of us could be the
weak link that not only allows
adversaries adversarieses to
infect
our systems but allows them to use
our
system to spread further into
others.
The approach is like a flood.
It will
find every crack, gap and seam.
Even
if I place sandbags around my house to
prepare for that flood, if my
neighbours don't do it too my house
will soon be under water.
Collective
defence calls for all of us to use
sandbags, if you will.
To optimally
configure our systems to employ patch
management, to share, receive and act
on threat indicators.
To that end,
DHS is improving and expanding or
information sharing programs,
including those focused on sharing
threat indicators.
And we're
developing new and novel ways for
government and industry to
collaborate
to identify threats before they hit
our networks and to respond more
quickly and effectively to
incidents,
and we will discuss this throughout
the day.
We've made a lot of
progress, but it's simply not enough.
We must move beyond routine
information sharing and we must be
better at teaming up with the private
sector to combat our common enemies in
cyberspace, to understand their
goals,
to understand their actions, to
understand the operational effects
and
implications of their intrusions,
manipulations and disruptions.
The
majority of U.S.
infrastructure is
owned and operated by the private
sector, not the government.
So we
must be working together to enable
those in this room across industries
to better defend your systems and our
critical functions.
For far, far too
long we have lacked a single focal
point to bring government agencies
and
industry together to assess the
digital dangers we face and counter
them, a place where analysts and
network defenders can address these
risks together through the full
myriad
of mission sets that we look at when
addressing cyber.
I'm pleased to
announce that we are going to change
that.
This week the Department of
Homeland Security is launching the
national risk management centre.
This
is an initiative driven by industry
needs and focused on fostering a
crosscutting approach to defend our
nation's critical infrastructure.
It
will employ a more strategic approach
to risk management, borne out of the
reemerge reemergence of the
nation-state threat, our hyper
hyperconnected environment and
our
survival and its need to effectively
and continually collaborate with
the
private sector.
So what does it
actually mean in practice?
The centre
will bring together government experts
with willing industry partners so they
can influence how we support them.
Our obowl is to simplify the
process,
to provide a single point of access to
the full range of government
activities to defend against cyber
threats.
I occasionally still hear of
company that call 911 when they
believe they've been under a
cyberattack.
The best thing to do
will be to call the centre.
We will
work with our partners in
government
who will be on stage today and others
to provide you what you need to help
repel, mitigate, root out the
adversaries adversary from your
systems.
With we will take a piece of
intelligence and ask ourselves the so
what to be able to determine what
we're going to do about it together.
These days cyber-threat data is
a bit
like a puzzle puzzle piece.
For those
of you who have started to begin a
puzzapproximatele with your children,
the first question is what puzzle does
that puzzle piece belong to.
It will
enable us to take a piece of threat
data, to determine what puzzle it
belongs to and then determine how to
fit into the puzzle so we can see the
trend, the thread, the purpose perhaps
of the attack, but certainly the
implications and effects.
So this is
where the species of the private
sector comes in, to help us
contextualize the threat both in the
planning phase as well as through
mitigation response and recovery.
The private sector also knows its
operation operational environment better
than we will ever know in
government, so we will look to their
species to help us to understand how
the pieces fit together.
So we welcome industry experts side
by side
with ours to break down these silos
and to engage daily to develop
actionable solutions to defend our
critical infrastructure.
We will
begin with the trisector model
focusing on telecommunications
and the
energy sector.
We will push this
effort forward in 0 day sprints to
identify key priorities and to
conduct joint risk assessments and we
will have a major cross-sector
exercise this fall.
We will look to you to
influence how we can support you best,
to help us tailor our assessments,
plans and playbooks that you can then
action.
And as I often say from a
department with myriad
submissions,
let's do what we do best and partner
with you to do the rest.
But time is
not on our side, so we're moving
quickly.
I ask all of you to consider working
with us to develop the centre and to
deepen engagement so we can fortify
our defences.
I would also ask that
everyone here, whether you're from
federal agency, a fortune 500 company,
a think tank or university,
identify
at least one new actionable
operational way in which you can
contribute to our nation's collective
cyberdefence.
That is why we are here
today.
Think about it now.
Think about it throughout the day.
Commit to it this afternoon and follow
through
on it when you leave.
We don't put
together summits to just keep admiring
the problem.
We do it to solve them.
Our adversarieses are crowd-sourcing
attacks and today I'm pleased to
announce everyone here has agreed we
will crowd source our response.
We do
not take your presence here
light
lightly.
We appreciate your time,
efforts, commitment, leadership, and
we thank you for being here.
We hope
to enlist your continued efforts
in
this fight if you're not already in it
with us.
Our digital enemies are
taking advantage of all of us.
They are exploiting our open society to
steal, manipulate, intimidate, coerce,
disrupt and to undermine.
They're
using our interconnectedness to
attack
us.
But let's use the fact that we
are all connected to our advantage.
As I noted at the beginning we are in
a crisis mode.
The hurricane has been
forecast and now we must prepare.
That leaves us with a choice.
Admit
defeat and assume that our devices and
networks will always be compromised or
respond decisively and dramatically
together in order to restore security
and resiliencey to the web.
If we
prepare individually, we will surely
fail collectively.
You're here today
because you believe in working
together with clear eyed urgency and
together I have no doubt we will turn
the tide.
So thank you for your
attendance today.
Thank you for your
participation.
We look forward to
many conversations to come and we look
at the end of the day to be able to
announce some very tangible actions
that we will agree to throughout the
day.
So thank you very much.
Again, thank you for joining us at this
summit.
[APPLAUSE]
>>Me again.
The secretary announceed a number
of
different initiatives that we will
kick off with, most importantly in my
view the national risk management
centre.
Our efforts are based on a
clear identified need, a demand
signal
from industry, a request, a set of
requirements for government
assistance.
So who better to hear
those requirements and that demand
signal than lead executives from the
telecommunications telecommunications,
finance and energy sector.
It's my
pleasure to introduce the next panel,
the CEO, cabinet member panel that
will kick off right now.
Today, first I
have the honour of introducing the
Honourable Rick Perry, Secretary
of
Energy.
[APPLAUSE] general Paul
Nakasone, Director of the National
Security Agency and Commander of U.S.
Cyber
Command [APPLAUSE].
The Honourable
Christopher Wray, Director of the
Federal Bureau of Investigation.
[APPLAUSE] Mr.
Ajay Banga, President
and CEO of MasterCard.
[APPLAUSE] Mr.
John
Donovan, CEO of AT&T Communications.
[APPLAUSE] Mr.
Mr.
Tom Fanning, President
and CEO of Southern Company
[APPLAUSE].
Once again, it is my
honour to introduce the Secretary of
Homeland Security, the Honourable
Kirstjen Nielsen [APPLAUSE]
>>Thank
you again.
What we'd like to do now
is to hear from some of DHS's
government partners, as well as
private sector leaders, all of whom
have been working with us as partners for
quite some time.
I'd like to thank you all for your
leadership and partnership at
the very top.
It's greatly
appreciated.
Perhaps what we could
do, secretary Perry, if I could ask
you all, you don't need introduction,
but
introduce yourself and your area.
>>:
Let me take a few moments here and
say, secretary Nielsen, thank you
and
to your team at DHS for putting this
together.
This is a vital issue.
It's vitally important.
It gives us
an opportunity to express some of our
shared commitment to this whole issue
of cybersecurity.
I'm really pleased
that the sector, if you will, is so
well represented at this summit.
We
have partners in the oil and gas, the
oil and national gas council,
electricity sub-sector
coordinating
council.
Both of those sectors, they have
ivalid themselves of their
cyber-based tools and these issues are
extremely important for us to continue
to coordi coordinate on.
With that
said, let me recognize one person
who
is sitting on the stage with us.
We've been working together the last 18
months, Tom Fanning.
He is co-chair
of the ESCC, which I'll make note it's
the only CEO coordinating -- or
should say individual with CEOs that
are sitting on it.
I think that's
really important.
To me has been
working on this for a long time, a long
time before I got to be in my current
job.
Tom is someone who has a lot to
share with all of us in the energy
sector.
I just want to say thank you
for your commitment and expertise.
As
most of us know and most of you know,
DOE is the sector specific agency for
energy.
It's the lead federal agency
for enhanceing the reliability, the
resilience, the security of
America's energy infrastructure,
both
electricity and oil and gas.
And
because the vast majority of this
infrastructure is privately owned,
then we have to have partners, or for
us to be successful, secretary, we
have to have partners in the private
sector that understand they can
trust
their information flowing back to us,
they can trust the decisions, they're
equal partners.
So this
public-private partnership
that's
being created here, not only is it a
model, but it has to be that way.
Our
most important step at DOE I think in
the last 12 months has been the
establishing this office of
cybersecurity, of energy security and
emergency response.
It goes with the
acronym and under underscores the
agency's commitment to this mission.
Initial, the department has
developed
an initiative called ACES,
accelerating cybersecurity in
the
energy sector.
That's just to enhance
our preparedness in response to
threats.
We're leading by example, by
strengthening protection and
response
capabilities for our own power
marketing administrations that
fall under
the DOE's supervision.
It's in areas
like the shared situations, and
situational awareness, I guess,
and
we're aiming this year to double the
number of electric utilities in our
crisp, the cybersecurity
information
sharing program.
That's precisely --
it was due to that close collaboration
that
we were able to identify a very
dramatic event last year.
Chris, your
agency pointed this out within the
last week, publicly reported, that
Russian intrusions into our energy
system.
Had we not had this close
working relationship with our private
sector partners, it would most likely
have gone unfounded, to great
detriment.
Again, I think it's really
important.
We got our national labs
that are working on these issues as
well out at Idaho national lab.
We
have a test grid where we are
actually
able to go out and break things, see
how they're repaired, infest the
system, if you will, and respond to
it.
So the private public partnership
here that's been created, I think
this
is exactly what the president had in
mind.
He's a private sector type and
he understands government has an
important role, but not the only oh,
and that bringing the private sector
in, in a partnership, and a trusting
partnership, is very important.
The
economy of the world is now driven so
much by energy.
It's in our national
security interest to continue to
protect these sources of energy and to
deliver them around the world.
So that infrastructure,
taking care of that infrastructure from
the
standpoint of protecting it
from
cyberattacks I don't think has ever
been more important than it is today.
Secretary, thank you again for
allowing this, and each of you, our
public and private sector partners
partners, thank you for being a part
of this today.
>>Thank you.
You gave
such a preview of the sector.
I'll
turn it to Tom.
We have been working
together with energy and with DHS for
quite some time.
>>Yes.
>>When we
talk about this centre and
breaking down silos and sharing
information,
tell us a bit about what you hope to
get out of it.
>>Thanks for your
leadership.
This is required for the
national security of America.
I think
today is a really important day in
America.
I've helped lead the
electricity sector for cyber and
physical security for some time, and
when you think about the leadership we
have at DOE, governor, not just
governor, he was the CEO, argueably
the most important energy state in
America.
He gets the importance of
the infrastructure that we represent.
And you said something else
very
important.
We break things.
When we
go through our exercises and we
do
some of the biggest tabletop exercises
involving 20,000 people at one time
over a number of days, one of the
things that we learn very quickly is
as resilient as we think we may be,
and we can always be better, the
points of vulnerability are
always our
points of intersection.
That is,
especially with respect to the
other
lifeline sectors, whether it is
finance, telecom, others, we really do
recognize.
Eighty-seven per cent of
the critical infrastructure owned
by
private industry, we are
interdependent on each other.
When we
think of the leadership you
provide
under Homeland Security, this is
the
convening arm that can bring together
these important sectors of America
to
help organize, harmonize
systems,
technology technologies,
information
sharing regimes.
So we've been
working for some time now.
Okay, we
get our silo, but in helping to
organize, through your leadership, the
arms of government, the different
cabinet-level posts, to really think
about a unified approach to the
benefit of our national security,
and
this step we're taking today and
the
announcements you're making are going
to make us better.
Even beyond just our
other prepare to, respond to during
that bad day.
I think what also is
important, represented by
General
Nakasone and others, Director Wray, is
the idea of holding the bad guys
accountable.
It's important that we
share information and create a
real-time, comprehensive network
of
information sharing so that I don't need
to know what you do.how you do it,
but
I'm glad you're there.
And so we'll
work together to make America better
in this regard, and the kind of steps
you're taking really will serve that
purpose.
So thank you.
>>: Thank
you.
John, maybe we can turn to you.
I see that you and the general are not
fans of pillows.
You're putting a line in
between you.
[LAUGHTER]
>>Thank you
for putting us on the couch.
>>: I'd
like to pick up on something you
mentioned, which is the
interdependentcies.
Currently from
your perspective, that's a big deal,
to
be able to run your sector, we have to
assume operability from a variety of
functions.
How do you see this centre
being able to add to your ability and
your capabilities?
>>First I want to
echo the thanks and congratulations on
behalf of industry that Tom just
mentioned.
This was an obvious thing to
do for a decade, but it didn't happen.
And you can't get to a strategy and an
implementation if things sit in silos,
because you lose time and efficiency.
So I think today is important from a
lot of dimensions, and the biggest
dimension is the cooperation and
building an entity, an initiative,
that will be a home for how all of
that stuff occurs.
Because when you're in a defence posture
in
artworks, the grid, financial systems,
many of the companies represented
here, critical infrastructure,
things
don't conveniently come in the form
the way the government has
organized
its defence systems.
It doesn't come
neatly organized the way we set up our
industries and our companies.
It
doesn't come neatly organized
geographically.
So the important to
move at speed across organizations is
really vital to effective defence.
think today has been a step forward in
several dimensions that gets a lot of
the philosophy and the strategic stuff
a bit out of the way so we can get
down to the roll up the sleeves work of
trying to make our companies, our
transactions in this nation safer.
>>General, if I could turn to you.
So part of the beauty of this
concept
is we are now at a place of maturity
within the USG where we can actually
work together, the intel community,
both classified and unclassified
information.
You bring to bear a lot
of capability sets that are additive
to what we have at DHS to ofulfill part
of this puzzle.
What do you see as what could help you
in your mission coming out of the centre
with the input from the private sector?
>>Secretary, first of all, thank you very
much for inviting me to participate today
with my esteemed colleagues.
Today is a discussion and an opportunity to
talk about partnerships.
Our national security
strategy, national defence strategy
talks about partnerships in terms
of
importance to the national security.
This
is our asymmetric advantage, the inter
interagency, intelligence
community
partnerships and importantly the
industry partnerships.
I have the
honour of leading the men and women in
U.S.
cyber command and one of the
things we see every day is that
partnerships is what makes us
powerful.
To your question,
understanding what is happening in
industry, where roughly 90 per cent
of
our critical infrastructure lies,
it's
really important for us to understand
what we'll do to enable our partners
and if necessary to act in defence of
the nation.
>>: Thank you.
Before I
turn to Director Wray, maybe you
could tease more on the dependency issue
from your perspective.
Obviously,
your sector provides the lifeblood to
make all of the other ones function.
What else do you see that we could
work together on through this new
model
to be able to help you protect your
systems?
>>I will go back to my
colleagues who called us the
lifeblood.
Look, I just believe that the
Internet and the Internet of things
is
an unbelievable technology of
capability and capacity for people
and governments and businesses for the
next 25, 30 years.
The problem is it
was never designed for security.
It
was designed for transparency and
openness.
The other guys have figured
that out.
If you're going to keep
connecting ourselves together in every
possible way, then what you've done by
bringing us all together is you're
creating the impetus of the asymmettic
advantage that the NSA talked about as
being the idea that gives us an
advantage over the others, if we can
do this the right way.
Now, we've
been doing what I call cyber defence
exercises in the financial services
sector for a little while now.
We've taken the lead and also participated
in a number of them.
I believe you
get two things done by that.
One is
you get to talk to people like his
agents and others in the better days,
when you're able to build
relationships but also the ability to
know whom to call for what, when.
So
there's a person, a name and a trust
that gets established.
But there's
also a management protocol of how to
respond and what to do and what kind
of defensive tools you could use or
could not use in that process.
That
works.
But I think this idea of doing
is across sectors is really important
because, first of all, when somebody
gets attacked they're not aiming
necessarily always at a specific
company.
These are driven by machines
who look for the weakest links.
If
that weakest links happens today to be
some telecom small vendor who connects
into somebody else who then impacts
me, I'm going to get hurt.
To me the
interdependency, it's obvious that we
need to work together.
They're
looking for the weakest link, the
entry point into the strongest
possible company, and we're up against
strong players.
To me, the
interdependency comes from there.
The
idea of doing something through
your
centre where you could do joint
cyberdefence exercises
between
communications, energy and
financial
services, which I'm happy to take the
lead on, work with them, let them take
the lead, just get it done in one physical
space so we know what to do the next
time somebody else comes after us.
>>Well said.
We are look for
tangible actionable ways forward.
used to have a coach who said practice
does not make perfect but it makes
automatic.
I think in cyber we don't
have time to figure it out while it's
happening.
It has to be automatic, at
machine speed.
Director Wray, we
partner so well together.
We look to
you for capabilities, expertise,
particularly on the investigative
side.
What could we work with
industry on in terms of perhaps pattern
spotting or different motives that
would help you help us bring people to
justice?
>>I think events like this,
efforts like this, are particularly
important because, as our enemies have
become more coordinated
and
sophisticated, we have to as well.
The FBI, unlike, say, secretary
Perry,
who has a very specific sector
that
he's focused on, we're coming at it
more
from across sectors, but focused on
the threat.
We're somewhat unique as
we're both a law enforcement agency
and an intelligence agency, so we have
investigations of both sorts.
What we
see is the range of actors has
changed, the attack surface has
changed, the range of techniques has
changed, and increasingly we're
seeing
what we're calling blended, hybrid
threats, whereas the nation-states
that we might have previously seen
only through the corner intelligence
mission that we have and the criminal
hackers we might have seen only
through the law enforcement we
have,
they're now working together.
So you
see that with Iran, with Russia, with
China, with North Korea.
All in their
own different ways.
So for us to have
an ability to be more agile as a
country, we have to figure out ways to
work better together.
We have at the
bureau a huge field presence.
We have
in all 56 field offices cyber task
forces that have 180 different
agencies, federal, state, local.
And
we have a cyber action team that's
lot like our counterterrorism
fly
teams.
It's an elite force that can
deploy.
We have investigateors
deployed in all of our overseas
offices.
We can go on and on, but the
point is at the end of the day we're
threat focused.
We're pursuing,
identifying, attributing the
threat.
But to disrupt the threat, we will
have to figure out ways to be more
creative as a public-private
community.
There are all kinds of
things that the private sector can
do
far more effectively than we could.
So my concept of partnership is how
do
we take our artworks that is the U.S.
government's two or just the FBI or
DHS or DOE or NSA to put it together
with the private sectors to have an
equal more than four?
Otherwise we're
just spinning our wheels.
The idea is
to combine strength with strength.
think that's why events like this
are steps in the right direction.
>>I
want to talk a little bit about
information sharing.
This used to be
in some circles seen as the end all be
all.
Of course it depends on what
we're sharing, when and how we share
it, in terms of whether it's
actionable, and specific enough to
do something about it.
When we look at
this, what other types of
information
are helpful.
to hear from our private
sectors to begin to place that in the
context of your industries?
Is it
threat indicators?
Is it mitigation
measures?
Is it all of the above?
Is
it motives of nation-states that
the
FBI and the intel community help us
with?
>>For the next two to three
hours I'll answer that question.
always use this meto for metaphor of
trout fishing.
The secretary
mentioned this thing called CRISP.
We
don't talk a lot about this
publicly,
but right now we reach the serveer
traffic representing 80 per cent of
the electricity consumers in the
United
States.
We analyze that information
looking for for anomalies.
Imagine
you're fishing for trout.
We know
this part of the river is okay.
It's the
white listed people.
We let them go.
We know this part of the river are the
bad guys and we know what to do about
them.
It's the part that's grey.
It's the part that we don't know.
We're looking for the anomalies in the
river.
Hope Hopefully there are fish
there.
Even now we have the
capability not to search for fish --
think black energy energy -- but
rather even fish DNA.
We are very interested in
gathering that
information.
Now what we can do, if I
can change metaphors on you is not
fish for trout in a river but, rather, put
that information, the interesting
information, into a bathtub.
So the
faucet from electricity is one
kind of
bathtub.
Perhaps telecom and perhaps
finance.
And perhaps the three-letter
agencies that have the real deep
capability of intel.
What we can do
now as an aspiration is to share this
completely transparently real
time so
we have the most effective
information sharing networks possible.
We know
what to do, having owned 87 per cent
of the critical infrastructure on
that bad day.
I should say we kind of talk
about this.
We're really not focused
on punks, thugs and criminals.
We are focused on preventing that bad
day in
America that may be the existential
threat that is a different set of
priorities and capabilities.
It
requires us to work together.
When we
respond, we'll have to work to make
sure that we get boots on the
ground.
One last point here on this
information sharing.
Homeland
Security set up a while back this
notion of fusion centres.
These are
the entity, there are about 80
something of them in the United
States, one per state plus some extra
ones, where we actually do sort
of
crime prevention, crime analysis, but
also intel, also working with the
governors association, we need
to
think about on that bad day how we get
boots on the ground that will respond
to the tactics of recovery.
These are really important issues and
these are
things that we're making huge advances
on.
>>I think my staff will be glad
there's someone who mixes metaphors more
than I do.
But I think it's important
because in talking to the general
public and helping them understand
that they also have a role to play,
it's important to frame it in a way
that they can understand.
>>One other
thing that's really important here,
and it's so valuable what you're doing
today.
So many times in America, as I
find, and I talk to folks, people are
losing confidence in institutions of
government, people who run them, and
they're getting cynical.
We can teach
Americans, and the administration and
Congress
is working with private industry
to
make America better.
It is a way in
to lean in.
I think people are
thirsting for those stories.
By its
nature, what we're doing up here is
typically not talked about in the
public.
The public loves to hear
about it and you get so much garbage
out there in the media and other
places.
What's happening here is
real, and it will likely not be said
-- stupid thing -- [LAUGHTER].
It's
likely not said all the time time.
This
is clear evidence of the effectiveness
of government and private industry
really to make us safer safer.
>>: Let me turn, if I could, to the
concept of resilience.
We talk a lot
about this from a DHS perspective, we
are changing our posture to focus
more
on this.
As we all know, it's not a
question of if or when.
We're really,
unfortunately, in a situation where
it's how often and how long can we
with stand constant attack.
As we sit
here today, all of our entities are
attempting to be hacked and/or
disrupted by a foreign
adversaries
adversary.
Within that rubric, how do
we innovate while continuing to
operate?
How do we build redundancy
into the system?
How do we make sure
that we've identified those Crown
jewels in terms of critical central
functions, that we all understand the
vulnerabilities there and that we can
work together from a resilience
perspective to get back to where we
started, and perhaps not a bounce back
but a bounce forward approach?
John,
may be you can start.
>>By the way,
your microphone is on a timeer
[LAUGHTER]
>>I saw the person in the
back pull the timeer.
That's a really
tricky question, because it goes
back
to sharing.
There are certain things
that are relationship driven.
So you
need cycle time, learning the people
on the other end, what they know.
Collect Collective experience is
always better than individual
experience.
Similarly, once you do
that, then the data starts to flow.
Our ability to defend needs to
scale.
In order for it to scale, with the
scarcity
of humans, the humans need to do the
things they're best at and the
machines need to do the things they're
best at.
If we're going to take full
advantage of what the machines can do,
more data is better.
So now all of a
sudden us doing things together
makes us all stronger, because each of us
has one piece of the puzzle.
It may
be the same thing we see over and over
again in our industry.
So Tom's
stream may look and feel the same
every day.
Mine may look and feel the
same every day.
But we can give each other fishing tips
effectively, because in fact neither of
those streams are the same on any given day.
So I just think that the resilience is
going to be a function of our
ability
to understand and share experiences,
because I always tell people that
telecommunications is transformation
of power.
We signal process, the
energy that we get from the electric
grid.
So their foundation is our
foundation, which becomes the
communication foundation,
which
energizes the process.
It needs take
full advantage of every step, every
stage and all of the data that we can
begin to share.
>>I think that
process of resiliencey begins
with a
dialogue.
What we've found in terms
of enabling both our partners at the
Department of Homeland Security and the
Federal Bureau of Investigation is
understanding what they're looking
for.
We have tremendous foreign
intelligence reporting.
We have great
work being done on cybersecurity.
But understanding what really is the
threshold for industry, whether or
not
it's in a specific critical
infrastructure sector or it's more
broadly, it's important for
us,
because then we can tailor the
information which helps our industry
partners better.
>>Director Wray?
>>Picking up on Paul's point and
taking it one further, the reality
is
that in most companies you all
will
have unique insight into what
information you think people are most
likely to want to go after, and what
it is that keeps you awake in the
night.
Our perspective is trying to
understand the threat, trying to
put together the nuggets or pieces in
the
puzzle, as John said, with ours is
critical.
It has to happen through
muscle memory day in and day out, out
on the front lines.
Every FBI field
office now has a private sector
coordinator.
That's a symptom and a
reflection of the interdependency that
we
have.
I can go to any head of any
field office and ask him or her: Tell
me about the private sector partners
in your area.
Who are they?
Who is your point of contact?
What are their big threat issues?
How often are you talking to them?
Et cetera.
If I had tried to do that last time I was
in law enforcement, there would have been
crick areets chirping and the sir I'm
going to have to get back to you
response.
Now they can do it fast.
That's a reflection of how much we
need each other to be reflective.
>>That's a good point that Chris
makes relative to the trusting nature
of what you're creating here and
where
we can talk to each other.
Ajay you
brought this up in an earlier
gathering.
When I'm going to share
this information with you, looking
over at your shop, this is information
that's used in the proper manner and
that your folks in the private sector
do in fact have that comfort level
that we can share this information
with
them and it's going to be used for the
proper use.
Let me change gears for a
second.
From the standpoint of one of
the -- five of the ten fasci fasciest
supercomputers in the world belong to
the Department of Energy.
It's goes
into Exo scale.
Paul, your ability to
take this data, your own machines that
you use and these massive amounts of
data that literally a year ago we did
not have the computing capacity
to
answer some of the questions that --
because of this amount of data that
we
have today.
And as we go to quantum
computing, as we travel down this
road
to be the first to get to that ability
to quantum compute, it is incredibly
important for this country, both from
a private sector partnership, from
those of us in government, to
our
friends in Congress, to really
understand the importance of
supporting, in the many ways that they
can, and certainly up to and including
the appropriation, to make sure that
these agencies of government and our
private sector partners have
clear
messageing that our ability to
supercompute is tantamount to
whether
or not what we're doing here is going
to be successful or not.
If we lose
that race, then the potential to
losing it all is very real.
So our
ability to compete in the
supercomputing world is I think
tantamount to victory when it comes to
this.
>>In fact, one of the early work
products of this joint effort
between finance, telecom and
electricity has
been two things.
One is a joint
threat matrix.
That is, we analyze
the threat surface by kind of
consequence times likelyihood.
We're
able to array scarce resources,
whether it's attention span,
dollars,
whatever.
The other thing as a
product of that is what we call our
wish list, that is, how can we work
more effectively to stave off these
existential threats as lifeline
sectors, with the administration and
with Congress?
So as we progress,
we'll get better at really advanceing
the cause in a significant way.
>>:
If I could -- one point the secretary
was going towards towards, I think
that's important.
I'll repeat this
line.
I'm sitting next to the FBI
director, but when you get arrested
you have a right to remain silent
whatever you say shall be used
against
us.
If you want us to share
information that could lead to an
asymmettic advantage, then we have to find
a way for that to convert to see
something, say something.
We need to
move the way our people are thinking
and the way regulators thinks,
the way
harmonization of regulation needs to
happen oto the point we feel
incentive.
The supercomputers are
only as good as the information they
receive.
Making sure we get the right
information into that machine is as
important as what we do within it how
we behave together after that.
That's one point.
The second point is that I
would emphasize the care that needs to
be taken on the weak weakest link in the
chain.
I continue to believe that
cyber attacks do not happen only
because somebody specific is being
targeted.
They happen because the
machine systems that troll looking for
where the weak link is.
If that weak
link is a smaller business, that that,
in turn, connects into oone of our
bigger supply chains, no matter how
much work we do we will not have
created the right defences for
industry or our country.
The third
part is my favourite.
I will repeat
it here.
If you can get us some
momentum on a group of like-minded
countries willing to stand up and say
these are the rules of the road of the
Internet, these are global cyber
norms, and this behaviour is bad
behaviors you will be put in the dock
when we see it, as compared to all this
is okay.
We need that.
Because what we
have today is the Wild West in the
Internet.
The technology has grown
and blossomed by the allowance that has
been given to do so.
But at some
point in time, that Labrador puppy has
grown up and its tail and head are
breaking everything in the room
[LAUGHTER] we need to take to a dog
trainer and get it trained.
That's my
analogies.
>>Weaponization is one of
the biggest issues we will have in
responding to a threat.
The bad guys
will use the Internet to create chaos
and misdirect our response.
>>My
personal experience over the last few
years of working with government
agencies, the secretary service,
the
FBI, NSA, is the people who work
there
deeply care about this.
When you reach
out to them they will respond.
If you
get to know them in advance they are
your best friends.
Getting to know
them at the time of the bad day is a
stupid idea.
We need to get to this
program of getting proactive and not
react reactive.
The only way that will happen if you
allow this idea of see something, say
something, to take root inside people
without the fear of being sued or pursued
with some form
of regulatory arbitrage that you
don't
deserve, to say I'm seeing this river
flowing this way.
You think it's the
same river.
It isn't.
It has this
stuff hidden in it.
>>On the see something, say
something approach, that
is one area we'd like to work with you
all in the centre.
What I mean by that is we need to
identify what is suspicious, what is
out of the ordinary.
There's still a lot of
confusion between an attack, a malicious
effect, and just operability.
Sometimes your computer just
doesn't
work, right?
It's nothing to do with
a nation-state.
Sometimes, however,
if it starts blinking, slowing
down --
we've all had the experience where it
gets ridiculously hot all of a sudden.
These are things that might indicate
there is something wrong wrong.
So working together and understanding
within industry what is uniquely
suspicious within that industry is
then very helpful to guide the private
sector to then report to us.
>>It is.
I do believe that we're discussing
this from the perspective of
businesses and
government.
That's the audience here.
But what we're actually catering to
is
the average consumer and that pain
they feel.
I feel cybersecurity has
become a technical top topic beyond
the capacity of most people to
comprehend, if you look at the stuff
that's written when you buy a device.
If we can create the equivalent of a
nutrition label or a restaurant
rateing ABC for devices so that
everybody can look at it and say: That
one looks like a better one to buy
than this one.
You attach a mental
value to how much you pay for it.
That logic will create a level
playing
field for American consumers that goes
beyond the knowledge.
Those are
things we can do that since you're
taking the lead and you have a group
of principles of the United States
administration who care about this
topic, then over the next few years if you
can prioritize things but knock the
ball hard on these three or four, we
can make progress and our
adversarieses will sit up and realize
you can go after the other one and
leave us alone.
>>You gave us good
lists.
The weakest link is I believe
something each one of us has talked
about in one context or another.
The
bottom line is if an adversary is
trying to attacking you, he might do
so through secretary Perry's computer.
>>That one is easy [LAUGHTER] >>It's
not necessarily about the target,
right, because it's a means to an end.
We definitely see that when it comes
to nation-states.
I wanted to quickly
turn to one of the 90 had-day sprints
that we're looking at, which is to
couple up with registries.
We need to
focus.
We had in our previous meeting
someone make this point we will.
We
can't be everything to everyone, so we
need to focus on those threats, that
if mitigated or addressed will give
us
the biggest bang for the buck.
It would
be cross-sectorial.
It's the crown
jewels of what makes the nation run.
If we look at those functions, identify
those functions first, then they
will
help enable everything else.
The FBI can't function if we don't
have
electricity, right?
You can't
function.
To use electricity, most of
us can't function without electricity.
We
have a big load on your shoulders.
But I think thinking about those
functions and in terms of a registry
that we all are attacking against
would
be helpful.
I'd be interested in your
thoughts as we look towards that 90-day
sprints sprints.
Secretary Perry, any
thoughts on that.
>>It's really
fascinating from the standpoint of
historically these agencies were
really siloed.
One of the things that
is very heartening that I've seen over
the last 18 months being at the
department is obviously with the
SEC
and the work that we did with the
hurricanes and the private sector and
the
sharing with our national labs and
the
interaction with probably everyone
sitting at this table in some form or
fashion at our national labs,
whether it's with the private sector on the
finance side or whether it's
obviously, Tom, over in the electrical
generation side and what we do at INL
with the test grid out there, to the
communication side, John, the
coordination between the private
sector and government -- I've spent
the bulk of my life in government in
some oform or fashion, and I
have
never seen the federal government,
who
I've spent my fair share of time back
as the governor of Texas criticizing
them from time to time [LAUGHTER].
But I've never seen the federal government
with the intention and with the response
of working with the private sector in
a responsible way -- and when I talk
about responsible way, in a trusting
way.
Ajay, I think that's exactly
what we get to here.
The private
sector hadn't necessarily trusted
the
government historically.
I think,
Secretary Nielsen, if you're as
successful as I think what all of us
want us to be with this, then this is
a great opportunity for this country
to defend ourselves against those
nefarious acts that are out there, but
also to have an offensive way of
sending the message that we can send as
well.
So I'm really heartened that
we
see the private sector coming to
the
table here and a clear sense of
responsibility that you have, but also
you have a partner that you can trust.
That will go a long way towards
getting the solutions that I think all
of us desire.
>>: To pile on that, I
think we should always remember that
not
all risks are createddial.
As we look
at the power of bringing the
partnerships to the forefront, our a
asymmettic advantage and prioritizing
what we want to go after with our most
critical resources, how do we assist
industry, how does industry assist us
in identifying it?
This is where we
have real payoff.
Our adversaries
have their focus on what we want to
get to.
What we want to get to are
the risks that we need to take on
immediately.
>>I agree.
>>: The one
thing, the risk idea is that these
cross-defence exercises may
actually
compose risk ideas that we do not
currently have in our spectrum.
If
you're going to make the sprint happen,
you have to get a few of these
cross-sector cyber defence exercises
going so we can identify what
those links are that we're missing and
bring
them to that registry so we start
paying attention.
>>A good example of
that: If the system goes down, back in
the fifties, we ran the system
manually.
We can disconnect interest
the digital grid, but I can't do it if
I can't talk to my folks in the field.
That's our weak link.
We have to make
sure this harmonizes during the worst
of indictments.
Reliability is how we
operate during normal times.
That's
what we have to drill.
>>: He has a
bunch of pigeons hired for that
purpose [LAUGHTER]
>>The risk
registry is a great idea.
I just want
to make are sure that if you think
about this as a process and you're
going to do a 90-day effort -- I don't
want to use the name of a competitor
to name a process.
[LAUGHTER] so a
90-day something may not be exactly
the right -- risk registry may not be
the first place.
But much like you
steal that phrase from the technology
companies who do 90-day intervals of
everything that they do.
Let's make
sure we don't get disheartened and
make it 180 days and then 360 days and
then before we get to item 2.
If we
can get a tempo of moving quickly, if
we're going to fail, then fail quickly
and move on to another priority.
We
have to make this progress.
The ultimate
strength of it, the leverage that will
occur, won't be based on necessarily
getting the first item right.
It's getting the process process,
the
relationships, the data to flow, and
understanding of what each other are
doing here.
I think that's where our
strength will be.
I think the general
said it effectively that once we get
in there and we start to establish
these things, that cooperation will be
the greatest strength that we have
here.
>>Absolutely.
The concept too
has to be fluid, adaptable,
scaleable.
What is most important today with
the
way the technology advances might not
be what is most important a month
from now.
So it has to be a living
process.
I think you're exactly right.
The process and the way in
which we quickly identify process,
assess, prioritize, respond to, react,
is what will be the goal here, what
will help us move the ball forward.
Director Wray, closing are
words?
>>The one point alludeed to by
ajay was the importance of setting
an example for our foreign partners as
well.
I know Paul and I have had
conversations with some of our
counterparts together about -- at
least with our closest allies --
about
the importance of the public-private
partnership.
Since they look at a lot
of these problems the same way we do
do.
Your point about a common
statement, it's not just the public
messageing.
If we can set an example,
which is I think what people expect America
to do, to set an example for how we
can deal with this kind of threat in a
public-private way, I think we will
build on that asymmetric
advantage
that Paul was talking about at a whole
other level.
>>I agree.
Secretary
Perry, closing thoughts?
>>I just
want to take a last moment to say
thanks to everybody on the stage for
participating in this.
The one thing
that came to mind while you were
making your points is that as we look
at our foreign partners and
Internet
with them, that we don't forget about
the local partners that we have as
well.
They're probably as important
or more important than anyone in this
on that bad day that occurs.
One of
the things I found as a governor is
that your county judges and the
mayors
and the people, the law enforcement, et
cetera, that are really going to be
right there when you talked about
getting back to the small mom-and-pop
businesses, and I say this with all
great respect, the mom-and-pop, if you
will, from government are those right
there where the rubber meets the
road.
It's the local law enforcement.
It's
the local government entities at the
state and county levels, making sure
that they're every bit as bought into
this as those of us on the stage, and
that we need them, that our success is
going to be very much part of them
being clearly engaged in this and know
that they're an important
foundation,
if not the foundational part of
what
we're going to be doing.
>>Thank you.
General Nakasone, before we close?
>>Thank you, secretary.
Whether or
not it's U.S.
cybercommand, our
partners, I'd like to close by saying
we're ready, highly trained, fully
committed.
I feel this in the
partnerships we've developed here-I
see this as the way forward for our
nation.
>>On that note, we'll ask you
throughout the day day -- hopefully we
have in the last little bit of time
time, made the case with respect to
the threat we face together and the
need to counteract it together.
As I said, we will do this a couple of
times during the day.
As of now, can
I see with a show of hands who will
partner with us in this and to commit
to something very tangible to move
forward in either these sprints or
another way?
As the day goes on,
we'll get more hands.
Thank you to
all distinguished panellists.
I very
much appreciate it.
We'll pause for a
minute while we de demic.
[APPLAUSE]
(Pause).
>>Folks, if you can grab
your seats, we're ready to start the
next panel.
Thank you.
I'll give everybody
a chance to stretch their legs after
being seated for a bit.
What we've
heard is a number of different
perspectives from industry leadership,
government leadership,
particularly of
hard infrastructure.
The next panel
we're going to explore some of
the
challenges associated with information
and communications technology, supply
chain challenges, risk management
challenges.
At least from where I sit
in DC, it is truly one of the emerging
issues, particularly when you think
about third-party risk.
I'm going to
bring a couple of panel I said out
here and we'll spend the next 30 or so
minutes having a back and forth.
To start, I'd like to introduce Mr.
John
Donovan, CEO of AT&T Communications.
[APPLAUSE] next, Mr.
Mark McLaughlin,
former chairman and CEO of Palo Alto
Networks.
[APPLAUSE] and I'm going to
veer off script a little bit.
We have
a special guest joining us today.
Last-minute addition, in fact,
Mr.
Rob
Joyce senior adviser, former white
house cybersecurity coordi
coordinator.
[APPLAUSE].
I think
everybody will agree with me that this
is a quite impressive line-up.
We've
already heard a bit from Mr.
Donovan, but we will now have an
opportunity to
hear from others in industry.
When we
think about what's ahead of us, the
boom in IOT devices, the future of 5 G
in it front of you, at the same time
we've seen an explosion across
the
threat actor space in terms of
compromising supply chain.
What I
want to do is start with you, Rob.
If you could talk a bit about the global
threat or the concerns you have
with
supply chain compromise and
third-party risk.
>>Thanks, Chris.
I appreciate DHS host the forum and
bringing this expertise together.
I'm impressed not only by the talent
we get on stage but the folks you've
brought together for the sidebar
conversations.
In supply chain risk,
there's a number of different avenues
we worry about.
Certainly top of the
headlines these days are the supply
chain risks from China.
We worry
about the manufacturers, the
supply
chain aspects where the government has
a role and a close, tight connection
with those suppliers.
In some
countries, like Russia, we see
them
even having laws that say these
certain providers have to participate
with government monitoring, and it
doesn't just apply to the people
inside their country.
So there's an
aspect of that.
And it's not just
what's in the hardware itself;
it's
the way the hardware is maintained,
controlled and maintained.
So if you
get a manufacturer who produces
something and they have maintenance
access or they have the ability to
insert themselves into that supply
chain and maintain it, that poses a
risk.
We've also seen a significant
change, a significant new emphasis the
last couple of years where people have
recognized the value of compromising
software in the supply chain
without
the aid of the manufacturers or
the
authors.
A great example is the
intrusion where people realized a
specific website had to support a
number of Ukrainian businesses but
also, unfortunately, a number of
international businesses.
They
compromised that site as a hot point
to get to other places and infected
number of visitors to that, that had
continued to cascade.
We've seen
others like the sea cleaner, if folks
remember that, a mobile application
where tens of thousands of users
were compromised and in the end the
analysis looks like they were going
after three very specific targets,
but
they were willing to cede the wheel
ecosystem and compromise that
software.
We have to think about that
holisticically, everything from
the
manufacturers and whether they have
relationships with countries that are
unfriendly, all the April to what
threat actors and nation states can do
to those independent software chains.
>>You mentioned a couple of things
between not pet you, secretary wanna
cry earlier, as well as the bind
binding directive the DHS issued on
the anti-visor.
These are
whack-a-mole approaches but
global
problems.
John, I think you're a bit
on the leading edge of this right now
when we think about what's ahead of us
in terms of 5G with a lot of the
hardware, the protocol.
That's the provenance of the hardware, and
how do
we need to mobileize to ensure a
little bit more transparency,
clarity,
whatever it is, across the supply
chain?
>>I think that before you talk
about specific types or origins of
threats, most large organizations have
done a very good job over the last
couple of decades in understanding the
supply chain of atoms, because you
get
burned like you have a shortage of
tran trancystors and you look and say:
Whether didn't realize they were
all
from a certain region and a flood took
us out.
So we've had to go back and
look at the chain of custody and the
traceability of not only systems but
subsystems and then components.
So at
our scale, we reached all the way
through to the component level.
Now
fast-forward to today, where more
things are bits than atoms.
Certainly
the value, and these things get
assembled and they know no geographic
boundary.
So now, when you start to
decompose software into its sources,
its origins, and it's not just
security; it's all dimensions of the
assembly of that, the more places it's
assembled, the greater the risks,
and
how do you debug it?
The new world is
not a new world for us.
The new world
is moving from atoms to bits, this
software construction is very complex
to look at its origin.
So for us it's sort
of the next natural thing that we're going
to do to understand our supply chain
and what geographic if not
geopolitical risks are involved in how
our products get assembled so that
we
know that we have a reliable supply
chain, an affordable supply chain and
a secure supply chain.
Those are all things we need to do with
every subsystem subsystem, every
component that we put into our network
network.
>>So I think the last three points,
reliable, affordable, secure, are
three clear organizeing
principles
going forward.
When we think about
how government and industry work
together, Mark, you and I have had a
number of conversations
conversations
about what's the opportunity in
front
of us?
I might pivot that to Rob in a
minute to talk about some of the things
the Department of Defense has done in
lestons learned through trusted
foundry.
But in your view what does
government need to do to support
efforts to achieve that reliability,
affordability, security?
>>There are
a lot of things that need to be
discussed, but if we back up and tie
together something you said and John
alludeed
to, before we get to the tactics, the
strategy.
In thinking of supply
chain, there might be two angles to
sit on this.
I lost my mic.
>>You
got Fanning's.
>>Is it out of time?
[LAUGHTER]
>>We'll hear about that
one for a long time.
>>Back by
popular demand.
On the strategic
side, first of all, the issues around
supply chain of what would people want
to do, so disruptions.
We like
stability, the adversary likes
disruption.
They can use the supply
chain to disrupt many things.
It could
be businesses, all sorts of things.
The second thing which may be
underlooked
a little bit is making sure that
from
a supply chain perspective we
have something they care about in the
first
place.
Why do they want our
intellectual property?
That's where
the national security and intellectual
security
of the country are tightly woven
together.
We have things that people
want to get, ideas and intellectual
property.
What could we do?
I think
we should be focused on the labour
force, for example, the education of
the labour force.
Are we producing AI
scientists, quantum computing
scientists?
Let's make sure we have we
have this.
The second thing on the
labour angle would be thinking in
terms of decades, not in terms of
quarters and years years, because the
adversary is thinking that way.
If we think but our supply chain today,
decisions have been made 20, 30, 40
years ago by a lot of companies in the
United States to offshore
manufacturing and capability sets for
cost reasons.
We never thought about
national security, we just offshore
them for cost reasons.
Can we use new
technologyies, whether it's
robotics
or 3D printing, areas where we can
incent industry to dissolve some of
those labour costs arbitrage
advantages that we can start to do
things back onshore or at least with
friendly nations.
On the tactical
side, what are these countries doing?
Particularly if they have a large end
market, they're saying if you want
to sell into my market, you're going
to
put your R & D over here, maybe I will
look at your source code.
Now they're
talking about standards, like
having
their own standards, where it used to
be international bodies.
These are
very long-term views that these
countries are using to say this is how
I get into your supply chain.
What
can we do through incentives and
disincentives?
Source code review,
for example.
If you're working in
your supply chain with a company, you
ask them: Who do you share your source
code to?
You may be required to do
that to sell into their market.
These are choices companies have to
make
every day.
Show me your source code.
Should we make that illegal, a U.S.
company can't do that, or should we
give you tax breaks if you say you
won't do that or federal procurement
incentives.
Because we would have to
walk away from market opportunities to
do that.
I'd say there are carrots and
sticks that can be used, but I think
we should have the big picture before we
get to the tactical speaks.
They're
very important, but why are we doing
this.
>>If I could jump in.
You asked the question specifically
about 5G and I didn't get to that part of
the answer because I was afraid the mic
was going to get pulled [LAUGHTER]
5G
is a new network.
With a new network
and these issues at the forefront,
everybody is inspecting this
process.
Our industry was borne out out of
interoperability.
When you phone
Japan, you don't think about whose
assets that touches, but it might
touch a dozen company's assets,
maybe
2.
There's always been collaboration
ignored to achieve can
interoperability.
You get a brand new
network like 5G someone says how
does this come together?
These are the
points that Mark is making.
Now all
of a sudden people care who is sitting
on which committees to build the
standards bodies to make sure that
these things are being done with
reliability and security and
economics
in mind, because historically it was
really just about interoperability and
economics.
Now we're adding these new
dimensions that are causing people to
inspect these processes a lot
more
closely to make sure that what gets
delivered that will survive a decade
is built with the proper foundation.
>>So the way I think I see it, at
least more recently, is the more
visibility and transparency you
get,
the more questions you have.
Then when
you get to the concept of sticks
and
carrots, I think from a tact tactical
perspective, the way the conversation
is going right now is: I'm a little
concerned that we're focusing on the
bad options and we're focused on
taking the bad options off the
table,
when maybe we should also be incentivizing
those good options.
You talked a bit
about that.
Rob, if you could touch
on some of the efforts and
initiatives
in the past that we've tried to
incentivize, to develop those good
options, trusted foundry.
What are
the lessons learned and the strategic
vision of incentivizing a base,
what
does it look like.
>>We've had a few different things the
Department of Defense has done over the
years.
We created our own chip fab.
The
government needs classified silicon
for a number of applications.
There
was a foundry at NSA where we owned
the apparatuses apparatus, we had
cleared people working in it and
we produced chips.
The issue was that
private industry could spin on such
faster cycle to innovate and
improve
those technologies that the plant was
continuously obsolete.
So we had to
move to a new model, and the new model
was trusted foundry where we would go
out and find a corporate partner
that
could create with cleared people in an
environment at times runs of chips.
That had its own problems in that we
had to stop their normal production
run.
We had to remove some of the
workers who were uncleared.
You had
to even worry about what happened to
the little pieces left over in the
manufacturing processes and
where
those went.
It was beneficial that we
linked in this public-private
partnership and we linked to the
commercial models.
But it was still
hard on both the private sector and
government sector to use that model.
But we have to have solutions that we
can follow and trust because we don't
want the situation where the tokeens
authorized in the DOD networks are
only produced overseas.
They may not
be produced in the countries you worry
most about, but they're still only
produced overseas.
That's a hard
thing for the most sensitive
applications.
That also drove us to a
lesson that we need to be granular
about what imp position we need to
do to
have the security necessary.
So you
have to choose when you're a
completely free market commenthe
best
idea, the best process, the most
economical is going to wingers all the
way up to this is a niche thing that
can't fail and I know there will be
high-end actors trying to get
inside
that development cycle and exploit
it.
That will take some special
applications.
Finding where we adjust
the dial along that continuum is hard.
John pointed out that 5G discussion
is
starting to discuss do we have toe
reset that dial?
It's causing people
to think in new ways and talk about
these hard problems.
>>I think Rob
brought up a good point, something
that's Anathema to how we think in the
United States.
We let the market
decide, which is right.
When it comes
to this topic, we may need to start
thinking about are we going to have
national champions, not for everything
but for certain things in the
semiconductor industry,
micro-electronics, artificial
intelligence, quantum, things
that
will matter in in the supply chain.
That's not the way we think about
things from an economics
perspective, but perhaps we should be
thinking about that.
Then it's a question of you don't want the
government to run them because usually you
end up in that kind of situation where
you're object absolute.
What are the incentives that we
provide in order to
establish these national champions
for not everything but things that we think
are important at the end of the day on
what the future will look like
technically?
The future is moving to
a smaller number of technologies at
the core, not broader and broader.
We
know what they are.
We need to to
decide what those are and think about
what those incentives may be to have
companies do them in the United
States.
This administration did
something recently with minerals to
determine certain minerals that are
important, like lithium.
Lots of
technology uses to say we need to have
a better source of mineral production
in the United States.
We have some.
Where are they?
The U.S.
geological
agencies are sharing those kind of
data with U.S.
mining companies now to
say: Here's what we know.
Maybe you should drill over here.
Because we're
trying to get these minerals that are
important for weapons systems and
things.
Give an advantage to the
national champion for things that we
think are critical critical.
>>:
John, anything?
>>I think the one
point that has not been made is that
there are natural ecosystems that
evolve.
I think it's important that
when we talk about companies in our
nation, and I'll use wireless as an
example, we're in our current
thinking, but if you go back to 2016,
the debate globally was whether Europe
or Asia would become the centre of
wireless innovation.
You get at the
right race going on with us and
Verizon trying to get the network out as
soon as possible and suddenly the
economy stands up in the U.S.
and we
become the access of innovation.
The
economic vitality and security are
kind of linked one and the same, so
you start to have supply chains that
are geographically concentrated.
That's worked really well for our
industry.
Every time you have a
technology leapfrog problem, there's
an opportunity for you to either take
advantage of that or miss it.
>>:
One of the core elements of the
national risk management centre
is
bringing industry and government
together to identify integrated
solutions to whatever the problem
identified in a prioritized
manner.
One of the things we've discussed with
the IT sector coordi coordinating
council is establishing an
information and communications
technology supply
chain task force.
When we step back
and think about frameing this
strategic conversation to
better
inform short or near, mid and
longer-term approaches, in your
view,
if you chop staff over to work with me
and my team and other government folks
in the centre, what would you expect?
What would you want them to focus on
right out of the gate?
Because the centre
is open for business starting
tomorrow.
Ninety day sprints.
We'll
establish within the centre a task
force and I want to get these folks
together starting tomorrow and say:
You have a job.
What do we want to be
talking about in 90 days and in one
year?
>>I'm happy to start off.
I'd go
back to the standing up any
organization, and if CEOs, the first
thing you're going to want to do is
Shea is the strategy?
More specific,
what is the definition of success
for
supply chain?
If we said we're
starting to solve supply chain
integrity, what would we mean by that in
a world that is increasingly
interconnected and a guarantee it will be
even more so in five years.
So we're
not solving for today but for five
years into the future.
I hope it's
apple bishops in nature.
We can say
if we're going to do certain things
and I'll come them tactical, the next
things we will do, are they in
furtherance of that or not?
Because we could get very busy on a lot of
things and not be very productive
against any really long-range
objectives.
Again it's hard for us to
think in general terms about
decades,
but I think that's the way to think
about
it.
That's what I'd love to see in
the next ten days, what do we think
the 10--year success looks like?
>>That's a useful framing.
One of
the things I continue to worry about
is if we in government take a
solely
binding whack-a-mole approach.
It
would be useful if we could have
broader frameing.
>>Draw us a
picture.
When you think about where
we've been, getting philosophy and
departmental chart charters and silos
broken apart is a great foundation.
think Mark talked about what's next.
In a business context, you'd
say: Well, that's where you get a
strategy
on a piece of paper.
But when you get everybody together,
that exercise
could take forever.
That's why I say
make it simple enough to draw us a
picture.
Draw us a picture about who
is in and what their role is.
Then I think we'll organize ourselves to
success.
The really practical stuff
is events and processes.
An event
happens.
How do we work together?
So you
can prioritize the events.
There's
nothing that's a downside to working
through even an event that would be
low probability approximate and we
got
the priorities wrong, because we'll
start the dialogue about this happened
and it's now 10:30 a.m.
who do I
call, and what do I do?
Those things
become -- philosophy breaks down quickly
when you start to put a time-stamp on
an exercise that says what's next in
order?
So I think that in 90 days, if
people came out out and said, our
team, AT&T, said we made big progress
figuring out how to jump across
layers.
As I mentioned earlier, and
I'll reinforce the point, the bad
actors don't operate at a level and a
geography or a function that's
really
convenient for us.
So to go go in and
say we're going to move from power to
communications and Internet
infrastructure and then the
application layer, jumping across
those layers and across those
industries are all fair game.
So
figuring out what are some of the
practical things we can do, it can be
as simple as a picture of
cooperation
and a couple of tabletops and we
will have made great progress in figureing
out how do we handle ourselves on a
bad day.
>>So as we've kind of moved
through this conversation, we've
hit the high strategic level, we've hit a
little bit of the tactical and then the
organize organizing principles or
framework for this conversation.
One of the things that I've always, at
least since I've been in this role,
even in the acting position, is let's
not reinvent the wheel.
A lot of good
work has been done over the last
decade-plus.
How do we stitch
everything together in a useful, effective
framework to make sure everybody is
pulling in in the same direction?
Both
of you are members of INSTAC.
Several
years ago there was an I ICT
mobilization report.
I've seen a
couple of your points of contact and
co-authors of the report in the room.
Based on what you just said, I don't
think that is a useful framing --
that
is a useful approach.
The incident
management team, and you have the
consequence management side of
it,
which is the cleanup on aisle 9.
Where are the consequences
manifesting
of something that takes place in the
ICT ecosystem?
Thank you to the good
work that your teams have done in the
past contributing to that report, and
that gives us a blueprint to move
forward.
But a part of it is that
it's not just DHS, not just industry.
Rob, NSA was obviously a
contributor
to that report.
What do you see, particularly when we
think about a
frameing of a playbook or we had
the national cyber response plan, we
have a
gap from the release of that plan to
actual operational coordination.
I think that's a bit of what John is
talking about, and that's part and
parcel of what we're thinking in terms
of the centre, is synchronizing an ops
plan giving a home for everybody to
come together and identify what they
can contribute to, whether it's
cleaning up the ecosystem a little
bit
or contributing to the overarching
fight.
>>I echo John's sentiment.
think we learn a lot when we get
together and tabletop things.
My
advice is we start with some
exercises, because that's going to be
everybody bringing together their
SOPs, the understanding of the
way we
thought it was supposed to work,
and
we'll find out where the gears align
and where the gears don't align.
Those exercises sometimes take a
lot
of effort to kick out, but we learn so
much, especially in the early days
like we're talking for this new
initiative.
It will be important that
we just get together and try some
stuff and then learn, iterate and do.
Approximate I think that will match
with your philosophy of 90-day spins.
>>When we think about concrete
deliverables, admittedly
incremental,
we're not going to solve the problem
in 90 days, but we've got to develop
that foot footing for greater success
down the road I commit my team to
work
with your folks to frame that out,
frame out what these playbooks look
like, what an operational
response
environment, how we can work together,
and at the same time whether it's a
separate track or whatever within the
task force, we can certainly start
framing out what that state looks
like.
That can inform what's going on
with the cybersecurity moon
shot.
>>If you look the ICT, you're going
to love the current report.
It is
called the cyber moon shot and the
mission statement on that is to take
the Internet safe and secure in ten
years.
That's a big ask.
But if we
actually thought way, everybody
thought that way, the belief is we
would probably do things fundamentally
different than we're doing today, in
education, in diplomacy, in supply
chain
integrity.
If it was your job to make
that statement true, and hopefully
we'll hear more about that from the
vice-president this afternoon.
I think that's the organizeing
principle, is something
broaden
ambitious.
Government has the unique
role there to be the one who can lay
down the organize organizing principle.
Everybody else will fall
in line and phenomena from a resource
perspective.
>>We're about out of
time here.
But John, Rob, parting
shots?
>>I would say to my team in
this 90-day effort is we don't need to
go out and invent a lot of stuff.
There are a lot of blueprints that
have been written waiting for this to
come together.
So we can go out and
innovate by taking what's out there,
including frameworks, tooling and so
on, and get something very productive,
very quickly.
So I think just taking
advantage of the body of work and
using this new way of thinking and new
process can yield a big result.
>>Got
it.
I think that's a clear direction
to the government and industry side.
Stuff doesn't have to be be, as hard
as we're talking about it.
Let's use what's already been done and
bring it together in one spot.
With that, we can close up this panel.
I want to give our panellists here a
round of
applause.
[APPLAUSE] I have some
quick announcements before lunch
lunch.
We are going to break now for
lunch.
Then we'll reconvene here at
2:00.
Let me give you a couple of
bits of guidance.
There are a number of excellent restaurants
in the area.
You are in New York City, after all.
I'm going to go ahead and warn you
that we are aware of protests that are
taking place outside.
If you exit the
building, please plan for time to
reprocess through security.
Also,
I'll add that there is a lunch being
sponsored on the third floor by a
number of industry associations.
So if you don't want to leave the
building, you don't have to.
You can
run upstairs.
Beginning at 1 p.m.,
we'll also be hosting e emerging
issues, the emerging issues in
cyberlaw and policy breakout group.
That will be in meeting room number
1.
Please, enjoy lunch.
Thank you again
for being here.
We'll reconvene at 2
p.m.
(Lunch break).
National
Cybersecurity Summit and National
Cybersecurity Summit, National
Cybersecurity Summit, National
Cybersecurity
Summit.
>>All right.
Well, thanks
for everybody coming back.
I hope you
enjoyed lunch and you didn't
experience too many problems
reentering the building if you
did
leave.
What we talked about today is
joint problems or joint challenges the
government and industry both face.
think the workforce and broader
education challenge is probably one of
the most acute that both public and
private sectors experience.
This next
panel will focus on building that
cybersecurity workforce that we
need for the future.
We heard about it in
the last panel, about how we're being
outpaced a bit by other nations and
how they're investing in their
workforce.
Frankly, they're investing
in their communities and in their
population, and particularly the
education system.
So this is a timely
conversation conversation.
It's once
again something that we can focus on
through the National Risk Management
Center.
At this point, let me go
ahead and bring the panellists out.
We're going to start with Mr.
Russ
Schrader, the Executive Director
of
the National Cyber Security Alliance.
[APPLAUSE] next, Dr.
Les Guice, President
of Louisiana Tech University
[APPLAUSE].
Next, Mr.
Raj Samani, Chief
Scientist of McAfee [APPLAUSE] and
then Mr.
Aric Perminter, President of the
International Consortium of
Minority Cyber Professionals.
[APPLAUSE] [APPLAUSE].
And to
moderate the panel, it is my honor to
introduce Assistant Secretary of the
Office
of Cybersecurity and Communications,
Ms.
General Nakasone [APPLAUSE]
General Nakasone Nakasoneet Maffra.
-- miss Jeanette Manfra.
>>I'm the Assistant Secretary of the
Office of Cybersecurity and
Communications at DHS.
What that
means is my organization, which
falls
under Christopher Krebs's
organization, we run everything from
the inte integration centre, where our
response teams sit, where we do
vulnerability coordination
with
industry, our mal malware, reverse
engineering processes, all of
the
technical analysis, all of the stuff
that supports our operational mission.
We also run the programs that
deploy
services and capabilities across
the
federal government, everything from
the national cybersecurity
systems,
Einstein, and continuous diagnosis
and
mitigation.
We're also responsible
for public safety, communications and
interoperability, and working with
federal agencies and critical
infrastructure to help understand what
their information needs and how we can
work better to collaborate in
the event of an incident.
You might be
wondering why I'm sitting here
moderating a workforce panel.
Because not
only is it one of the most critical
things I think personally and
professionally to our organization,
because we cannot do all of those
things without a highly skilled and
motivated workforce.
It's something that we've increasingly
identified as
a threat to our entire country's
ability to be able to manage the
cybersecurity risk.
Something I
personally care a great deal about and
I also think while there's obviously
plenty of challenges with identifying
training and recruiting a
cybersecurity workforce that we
all
share, there's also tremendous
opportunity, both in training the next
generation of cybersecurity
professionals but also reskilling a
workforce that may not be able to find
opportunities else where.
We're an
optimistic bunch up here and we have a
really great slice across different
parts of the community looking
at
workforce.
I'd like to start, if you
wouldn't mind just introduce yourself
and talk a little bit about your
experience in workforce and why
you've
become passionate about this topic.
I'll start with Aric.
>>:
Absolutely.
I'm Aric Perminter,
president with the International
Consortium of Minority Cyber
Professionals.
We started the
non-profit about three years ago,
when
a group of friends were out at an RSA
conference and we were participateing
in everything that was there and that
he would there were not a lot of folks
that looked like us in the room.
We walked away from that and said we need
to find some way to be able to connect
individuals like us to the
cybersecurity profession because
we
loved it so much.
It was so
passionate for us and allowed us to be
able to provide a good lifestyle for
our families.
We started that about
three and a half years ago.
We have
about 3,000 members right now, all
voluntarily led, and our mission is to
bridge the cyber divide between
women
and minorities and the cybersecurity
field.
We do that through four key
programs.
One is issueing scholarships
just to help fund folks' entry or
expansion into the cybersecurity
field.
We have a mentor protege
program where we connect juniors to
senior folks and we have a business
match making program.
We feel we can
get business owners connected to our
opportunities and they will have an
ability to hire more folks like
themselves themselves.
Third, we have
a workforce development program.
It's
a broader program, but we have several
initiatives that align with some of
the things that we're going to cover
today.
>>Great.
Raj.
>>I'm Raj
Samani, Chief Scientist of
McAfee.
More important than that, I'm actually
a father.
Recently my two daughters
were looking to leave school.
We went
to my old school, which was in
probably not the niceest areas, but we
went nonetheless.
As we were shown around
the school, the person who was
showing
us what the school has to offer asked
me: Does your daughter like
beauty?
And I kind of -- I've never been
asked
that question before, obviously, and I
kind of said: Well, look, I don't
understand.
He said: Let me show you.
He opens this door and in there
there's a salon, like a proper beauty
salon inside the school.
There are
three girls in there.
Two of them are
getting a pedicure.
One girl is lying
down and the other is having her feet
down.
The third girl is following
towels.
I was appalled.
I said: What
on earth is going on.
I was told by
the teacher that children won't
graduate with a high school
equivalent, but with a diploma, where they
will work in a local salon and that's
the job they will have for the rest of
their lives.
To be honest, I went out
furious.
My wife was upset.
I said: We can do something about this
because we can afford to put them in a
private school, which I know is the most
selfish thing to say publicly and I
realize it's being streamed on
YouTube, so I look awful awful.
The
reality, I said what about everybody
else?
Like you said, this was an
incredible industry.
It is fast
changing, fast moving.
It pays really
well in the private sector, certainly.
From my perspective, what was what can
we do as an industry to inspire young
kids to get into the most remarkable
industry there is?
>>Thank you.
>>:
I'm Les Guice, president of
Louisiana Tech University.
We're a national
university up in north central
Louisiana, which is a very rural area.
We've had a long history of building
advanceed technology programs in areas
like biomedical engineering and
micro-nano- micro-nano-systems,
things
like that, producing great graduates.
Too often, they go off and work in
other parts of the country.
So about
a decade ago we had the opportunity,
thanks to some leadership of
some
people in a city an hour away from us,
who decideed there were some things
emerging that could create great cyber
education and economic
development
opportunities for our region.
They
formed an organization a decade
called
called the cyber innovation centre
and
created a plot of land, the national
cyber research park.
Then they began
to invest millions, tens of millions
of dollars in cyber infrastructure
facilities and secure facilities that could
support operations and research and
other kinds of things,
magnificent
facilities.
I got involved as a
university because I realized the
economic opportunities for us,
for the educational opportunities it
would
provide for our students.
We began to
recognize at that point we had to
shape out curricula.
We already had
computer science and computer
information systems, and they had a
course or two in cybersecurity.
But
after talking to the air force -- by
the way, this is the home of the air
force base and now global strike
command.
But they issued some
challenges to us to really think about
preparing for the next cyber
workforce.
So we at that time, in
2012, established the nation's first
cyber engineering degree program.
At
that time, we had about 250 students
in our computer science and CIS
program.
Now we have over 750
students.
The visibility of that
program, what it attracts for our
students, has been a huge impact.
We
can talk about some of the economic
development impacts a little bit later.
>>Absolutely.
Russ?
>>I'm Russ
Schrader, Executive Director of the
National Cyber Security Alliance,
which
is a non-profit non-profit,
non-partisan organization.
We work to
educate, to amplify and to convene
people who are interested in
cybersecurity, whether it's
broad-based consumers, whether it's
things that are focused on small
and
medium-sized businesses, whether
it's
helping keep our government safe.
We
also partner with DHS in national
cybersecurity awareness month.
Coming
at these different audiences with
different messages at the time that
they're ready to hear them is what
we're most interested in doing at
NCSA.
I also come from this looking
at it as a small start-up that takes
privacy centre insights and applies
it to
digital a advertising.
When you try
to find in a start-up situation people
to really work in cybersecurity, it
can
be very difficult.
The sacrifices
made for a start-up are many and work
in different ways, but you have to
find ways to encourage and develop
the
kind of talent that you can.
>>Thank
you.
We'll start with Dr.
Guice.
I'd
like to tease apart a little bit the
role that formal education should
play
in cybersecurity versus hands-on or
other types of training, on the
job,
apprentice training.
My own
experience, I'm the first person in my
family to graduate college.
I had two
grandfathers that didn't even graduate
high school.
How do we get both at
more formal education and ensuring
people have those opportunities in
formal education but also find finding
those ways to train those who may not
realize or believe that they have an
opportunity to pursue a computer
science degree or a cybersecurity
degree?
>>I think we all understand
the complexity of cybersecurity
technology-wise, but we all also
understand the importance of
having
critical thinkers and creative
thinkers and people who have
appreciation of the political and
social and ethicalIing
indications
indications, and that requires formal,
broad education, I believe.
We think
that's very important.
At the same
time, we put a lot of emphasis on
having intern internships and
apprenticeships, both with the government
sector and the private sector,
that
have been incredible learning
experiences.
What we're finding is
those students come back after that much
better able to learn the more complex
things that they're going to face in
their classes.
>>Approximate I think
that's great.
>>I could not agree
more.
In fact, one of the initiatives
that we have under our workforce
development program is called the
educational security operations
centre, where we partner with
universities and private entities to
set up a cyber range live, fully
functioning cyber range, on or near
the university so that students can
leave the classroom and come over and
perform the job that they most likely
would be qualified for fresh out of
college.
We give them job titles.
We
align their work experience to the
nice framework so that they understand
what task they're supposed to be
performing.
We walk them through
different workflows around incident
response.
We flow attacks at them, so
they can leave this experience and
interview in real-world
contexts.
When we talk to organizations out
there, a lot of them will give anyone
an opportunity who has the aptitude to
learn and the passion to be able to
put in the work to close any gaps that
they may have around their learning
experiences.
Our first one was
launched at capital technology
University in Maryland and it's
going
well.
We have a program called 20/20.
We're aligned with the CAEs and our
goal is to have 20 ESOCs up and
running by 2020.
>>: Raj, from
McAfee's perspective.
>>I think
that's the keyword, passion.
Approximate the question request I
asked is how many role models exist
for young children in cybersecurity?
It was funny.
We just got back from
vacation in the Dominican
Republic.
All I heard was about Lebron James
James.
I don't have any passion for bask
ball, but I began to ask the
question: What about a realistic
career for kids in cybersecurity?
Where are the role models for young
children today?
Some of the things
we've been doing, we ran an online
safety for kids campaign, which
taught
half half a million children today
around cybersecurity.
We're trying to
feed the career of cybersecurity to
young children.
We've launched McAfee
program where we're trying to get
children to understand what
careers
exist and now we're partnering with
universities.
I feel like all of
these discussions have to start a lot
earlier so that kids can actually -- I
mean, Lebron James might be a
fantastic role model.
I have no idea.
But the reality is: Is that
achieveable for most kids today to get
a career in the NBA?
Or perhaps
getting a career in cybersecurity.
That's perhaps where we have to start
looking at more positive role
models
across multiple, diverse groups, for
example females and ethic minorities
as well.
That's my perspective.
>>:
Thank you.
Russ.
>>It is very
important to reach kids along the way
way.
Their first exposure is video
games and they see somewhere someone
has created these worlds.
They get
sucked into: Gee, could I use my
skill, imagination, to do that kind of
coding?
Then they start to get
messages a little further on, maybe
about their privacy or it's in social
media.
We have to find a way to reach
them while they're engaged on the
Internet, while they're thinking
about it, while they're fascinated by
this
world of games that so many of us
don't understand or participate in.
But then say: All right, but it can
turn into a real-world job.
And
finding the kind of role models,
finding the first one at school, it's
very interesting.
They see codeersb
how do you then make the switch of a
particular kind of codeer or other
ways dock it?
It's quite an interesting
challenge, but you can't say that the
average student is unaware of the
creativity piece of it and unaware of
the interconnect interconnectivity
of
it and unaware of the importance of it.
>>I tell my son that I fight the bad
guys.
He thinks it's actually in the
computer.
He's only 6, so he has time
to figure it out.
Dr.
Guice, we
talked about this a little bit in the
beginning, but the notion of economic
development and particularly
partner
partnering with the Department of
Defense and veterans and others, and
being able to use cybersecurity job
opportunities in this workforce gap as
a way for developing a community.
Can you talk a little bit about your
experience in that?
>>No question about
it.
We have the headquarters
of
century link about 30 miles from us,
but not much else until we began to
put the cyber programs in place.
Some
of our friends helped to recruit the
company CSRA to the city, an
integrated technology Senator brought
a thousand jobs.
Those jobs are
filled now with many of our graduates
there.
That's exciting for our
students as they begin to see these
opportunities and get intern
internships, experiences and help
to
cultivate that climate.
We also know
that it's really important for us to
bring in some non-traditional
workers into
this arena.
So we're actually
expanding facilities to support
veterans and some of the
non-traditional workers.
One of our
corporate partners helped us create a
cyber training centre right next to
the community college where we're able
to create additional pathways to get
some of the non-traditional
workers
into the cyber field.
>>: Thank you.
I heard somebody recount a study or a
story once where they had done a
search on monster.com -- this was a few
years ago -- and looked for all the
cybersecurity, all the jobs entitleed
cybersecurity analyst.
Of course,
there were thousands of jobs.
They
did a study, and not five of them were
the same qualifications or
skill sets.
The government for a while has been
working, the department of
commerce,
really in the lead in thinking about
how do we actually define what a
cybersecurity professional is?
Because we need everybody.
We need
people who can do the forensic
analysis.
But we also, frankly, need
lawyers.
We need managers.
You need all these different peoples
peoples.
And part of our problem, I really
believe, is that employers don't
always know exactly what they're
looking for or how to define what
they're looking for.
So Dr.
Samani, if
you could talk, as our industry
representative here, a little bit
about how your company as a
cybersecurity company thinks about
what a cybersecurity professional is.
>>The reality is that the industry is
evolving.
I started off in IT
security, went to Infosec governance,
did
a piece in privacy as well.
I think
my role fundamentally hasn't changed.
The reality is that we begin to adopt
the framework and a lot of the roles
we're doing internally are
beginning to align to the framework.
Its imperative that we start to get
consistency.
We work with DHS, for
example, we work with academia, to
begin to understand what the roles
are, ensure that we advertise those
roles appropriately and ensure we
communicate that to universities so that
when we go to universities
and say these are the types of skills
we're looking for, people have
absolute clarity about what we need.
I think that's imperative, to get
a degree of transparency.
For me, there's nothing more
disenfranchising than you're starting to
learn something and you realize all of a
sudden actually that's not what
employers are looking for.
>>But it's a skill.
So much has changed in terms
of technology.
As you mentioned
earlier, the passion is what's
important.
It's almost sometimes a
bit of intellectual sloppiness, where
you say you have to have this box
ticked called university or
two
two-year degree.
Some of our greatest
inventions came from people who
dropped out of college or tinkered
in
the garage down in Palo Alto.
So much
is happening in terms of technology and
so many different threats at different
levels that you want to look for the
person, someone who needs to be not
only passionate but adaptable as well
because things are changing so much.
Can I make a quick point on that?
gave a talk at a local school for
15-year-olds and I asked the children
in the room: What career do you want
to get into?
One child bravely put
his hand up and said: I want to get
into sports science be a physio.
asked the question: Do you use
Twitter?
They said: Yes, I do do.
Do
you follow the England team
doctor?
No.
Who do you follow?
Lady Gaga and
so forth.
For me, when I went through
school, I never had visibility into
the careers, into the people behind
the careers.
There's a lot that we can do and I think
there's a lot we are doing.
If I look at the service for
scholarship program, which is fantastic,
needs to be expanded, but there's a lot that
we can do.
But equally some of the responsibility
has to be put on the parents and also the
children, because they've got the
ability to follow people on Twitter,
to look on social media, to go into
YouTube to look at the types of
careers that exist and understand what
those jobs are about.
We never had
that luxury.
>>Building off of that,
how do we reach those populations that
may not have the aptitude or find
those communities that can follow the
model that you've done, and how do we
get them excited and motivated, role
models, absolutely, seeing people like
that, frank frankly, that have made
this a career?
How do we get to them?
>>It's a huge problem to tackle, but
I think it starts with us as
individuals.
You made a great example, going out,
speaking to that school of
15-year-olds and helping them
understand that there are
additional options.
I think there's
also a huge interest in updating stem
programs within the K through 12 with
some cybersecurity aspects.
I know
cyber innovation centre has defined
that program extremely well.
In fact,
we're positioning that in three school
districts in the Pittsburgh,
Pennsylvania area as we speak.
So it's individuals, but it's also
continued support for organizations
like the cyber innovation centre
to
help remove the obstacles of
articulating what is possible.
One of
the things that was really exciting
about you, which is why we partnered
with you you -- and this is not
advertising, but it's just fact fact
-- but what was really interesting
was
that even though we went in and I had
the relationships in the school district
I knew -- my former high school, the
teachers didn't think it was possible
to achieve.
They didn't know how much
help they would require.
So having a
script to be able to present to them
and follow and then coupling that with
trousers non-profits is allowing me to
see a difference in the schools we're
working with today.
I think more
activity like that will chip at it
further.
>>We also have to put in a plug
for DHS and the scholarship and
training programs that you already do,
helping to develop people, taking some
of the burden of student debt off of
them, giving them a good job, training
them and the outreach you're doing.
We're happy to partner with you at
national cybersecurity awareness month,
coming
up in October.
The work you're
modelling there is something that the
private sector could embrace and work
together with.
>>I'd like to address
the K to 12 outreach program you were
talking about that was supported by
DHS.
It was a recognition that
bringing young faculty and
schoolteachers and K to 12 students
together, doing something around
cyber, creates real magic.
It's what
gets the inspiration there.
As one
example, the cyber innovation centre
offers summer camps across the
country.
We're often involved to help
lead those camps camps, week-long
immerse camps.
They held one three
years ago in Michigan.
There's a
young lady leading the program there
and she participated in this.
Her
name is Kylie.
She's been on our
campus for two and a half weeks
pursuing our cyber engineering
program.
We see that replicated
over
and over again.
>>: The other thing
I'll add to that is there's an
under-represented community of
individuals who are making a
transition through life.
We're
working on a national program with
goodwill industries to be able to take
your curriculum and make that adult
driven so that we can bring those
individuals that are transitioning
through life, their life experiences,
into the cybersecurity field.
Another
initiative that I just agreed to join
a board on yesterday is the cybercrime
support network.
They are setting up
a 911-like call centre specifically
to
handle cybersecurity jobs.
In that
scenario, you have individuals who can
be transitioning through life become
qualified
to be operators to take those
cybersecurity calls.
It kind of goes
back to redefining what a
cybersecurity job can be, right?
Does
it require a huge degree and mastering
technology and the like?
It's a
broader view.
>>We've talked about stem
a little bit, but one of the things
that my school district is doing
is
steam, adding arts, that it's not just
the science.
You need the
imagination.
Some of the artists, you
look at the meticulous work they
do,
and the media, where they're coding,
and the gaming part.
It's that kind
of attention to detail.
It's a kind of
consistency and a dedication and
ability to concentrate for
extended periods
of time.
It can be switched, can be
led, can be manipulated
different
ways.
But it's another audience that
perhaps people haven't really
thought
of as being an intuitive move.
>>I
want to ask each of you a final
question: What more should the
government be doing to incentivize the
development of all these things we've
been talking about?
Some of this is
not to be government driven, but what
more can the government be doing.
We
talked about the scholarship to
service, who funds scholarships across
the occurrence and they've got a job
in the federal government or state
and
local.
All we ask is that they serve
some time in a government
agency,
hopefully DHS.
Then we also have K
through 12 curriculum that we provided
some grant funding towards that is
being used throughout the country.
I talked about the department of
commerce's work and the department of
labour also in coding different
cybersecurity professions
underneath
the broad discipline.
But what else?
If we're going to be investing money
in this, which it's so important, I
believe we have to and there's a role
for government, what else should we be
doing and where with can we best place
those limited resources we have
in I'll start with Russ.
>>: Thank you.
It's a really tough question.
On the one hand, you want to be broad
based, reach the broad set you have.
Part of that is an amplification piece,
where
you meet the people.
If they're going
through a life change, what am I
going to do now that I'm graduating from
high
school, to be involved in the
fairs,
to be involved in targeted but broad
messages to reach those people is
really good.
Role models are better,
the local person from high school who
is doing the service, or from college,
or who had a career change, or works
in a community college where they
have
gone back to school after a change in
life, or veterans programs where once
again it's a change and switch.
We have someone who is disciplined, who
is trained, who is used to working in
government, and that would be great.
There are so many opportunities, but I
think
you just have to get out there and
figure out whether you've mapped your
program to the audience and finding
some
way to get the role models and to
spark that imagination.
>>I agree.
I think some of the non-traditional
pathways for working in the cyber
fields certainly needs some focus
and
we're doing that, as I said, with
veterans and veteran resource centres.
think universities have to look at
non-traditional alumni and workers
that maybe not having the formal
education and figure out how we can
give competentcy-based
credits and let
them move into the pipeline.
While
there's a short-term demand, there's
also a long-term demand.
We shouldn't
take our eyes away from building the K
to 12 community that's going to
really
be our future.
I think the programs
the chief supported that put the K to
12 curriculum in place are
absolutely
key that.
>>I think first of all
kudos to the programs that you are
doing.
They've certainly been a
tremendous success.
For me, one of
the challenges that I -- or one of the
frustrations that I have is that
there's so much good work going on.
As you can tell from my accent, I'm
from the U.K.
In the United Kingdom
they have launched a program getting
children into schools to understand
the types of industries and
careers that exist in industry.
But my challenge is there's a lot of great
work going on.
You look at Amazooo or
McAfee, and sometimes they can be
disconnected.
If we began to do more
public-private partnerships to
identify where there is duplication
where we can pool resources that will
be imperative.
We all have limited
resources.
How can we better utilize
them as an industry rather than in
specific sectors.
>>That was my
response.
>>: I have the same suit
as you and I beat you to it.
>>I'll
add to that.
As part of that
consolidation and streamlining of the
different efforts so that you can
point people in the right direction
and you have momentum behind, what
we're all trying to do as part of our
mission, I think driving discussion
around relaxing some of the conditions
that are required for employment
employment.
A good example, I was
talking with some of the folks at some of
the other agencies and they said they
were considering relaxing some of
the
stigmatism around criminal records.
Is there something that you can do to
forgive folks who have made mistakes
ten years ago in order for them to
be at the same qualification level
to be able to be hired like someone else?
>>You think our clearance program
is difficult now now.
>>Yeah, right?
Just a little.
I've gone through it.
Just a little.
I think that is kind
of putting action to work to complement
some of the other great things that a
you all are doing.
>>I think pulling
together the private-public
and
different corporations frankly
is the
best plug for the NCSA I could
imagine.
It's precisely what we're
doing, is pulling together several
dozen of the top corporations who
feel strongly about cybersecurity, coming
up with things that do reach a broad
consumer, reach simultaneously
medium-sized businesses, reach
large
businesses but also work closely with
the government.
We do try to be that
aggregation point.
We do come out
with nationally broad-based
programs
that I think are certainly worth
expanding.
>>I have to close.
We
could talk about this forever, I'm
sure.
I would close by focusing on
the role model.
There are a lot of
other things that we will continue to
work on and build out, but I would
challenge the audience to think
of
yourself as a role model in this
space.
I joke that I can do an event
like this, but the thought of going to
my son's school and talking to them is
terrifying.
We need to be getting to our communities.
We need to be talking to the people we
interact with every day.
I'm happy that we were able to not sit
here and talk about the statistics and
the gaps that we are going to o
oexperience in cyber workforce and really
challenge us all
to get to that point and DHS is happy
to be the lead convenor here, but
it
has to be a community-wide effort
to
take advantage of this tremendous
opportunity that the workforce gap is
providing us.
So thank you.
Please,
thank our panellists.
[APPLAUSE]
(pause).
>>We're looking at our
penult panel.
We've talked a lot
about both the hard infrastructure
side as well as the information and
communications technology side.
We're
going to pull the thread on that a
little bit more.
This next panel is
entitleed delivering cybersecurity
solutions, ICT industry
perspective.
It's my honor to introduce Mr.
Frank
Cilluffo, associate vice-president at
the George Washington University and
director of the George Washington
University George Centre for Cyber and
Homeland Security.
[APPLAUSE] next,
Mr.
Dean Garfield, President and CEO of
the Information Technology
Industry
Council., ITI [APPLAUSE].
And Mr.
Jonathan Spalter, President and CEO of
USTelecom [APPLAUSE].
Lastly, our
moderator, please welcome the
moderator
for this panel discussion, Ms.
Catherine
Lotrionte, a Brent Scowcroft Scholar
with the Atlantic Council Cyber
Statecraft Initiative.
[APPLAUSE]
Thank you.
Good afternoon.
Thank
you for joining us this afternoon.
Chris, thank you for introducing our
panellists.
They can begin with the
questions.
I'm going to start with
the threat landscape.
You heard from
Secretary Nielsen this morning as she
laid her views out about the threat
landscape.
We sit and meet today not
so far from the ground in which
another threat manifested itself
on
September 11, 2001.
In those days the
lights were also blinking.
As
secretary Nielsen reminded us, in
cyberspace we are also seeing the
threats and the lights are
blinking
red.
Another way to say that is that
we all need as a nation to pay
attention and to start acting
together.
This panel will be about
how we not only talk about the threat,
recognize it, but also act to not only
prevent it but to actually work
through the threat when it does
manifest in our systems, both
against
our government and our citizens and
companies globally, as well as
domestically.
To begin, I'd like to
ask each of you to discuss how you see
the threat landscape.
Do you agree
with that quite dire assessment of
where we are today?
As the secretary
said, we're in crisis mode.
What does
that mean from your perspective, and
particularly members of the ICT sector
and the telecommunications
sector?
Frank, do you want to start from your
perspective?
>>Thank you, Catherine.
Hats off to DHS for an amazing summit.
They pulled together some amazing
people.
What I was most impressed
with is the focus on getting things
done not in another session that
admires the problem.
But eliminator
problem for a second.
When we look at
the threat environment, I think
it's
important to delineate and
differentiate that not all hacks are
the same, nor are all hackers.
Intentions and capabilities vary.
The
tactics, techniques and procedures
vary, as well as the actual tools
themselves themselves.
I think at the
very high end of the threat speck you
petroleum we see nation-states.
There's no shortage of activity coming
out of Moscow, Beijing,
Pyongyang,
Tehran, and any country that has a
cybersecurity.
It's just as important
torrential and I think one of the
great points of today's summit is
just
as not all hacks are the same, not all
critical infrastructure is
equally critical.
That's not to suggest that
they're not all important.
They are.
But focusing on the lifeline sectors,
focusing on telecommunications,
on
energy, on financial services, maybe
you can throw water in there.
These are the critical
infrastructures that
independently and collect collectively
are literally the backbone of our
country.
I think it's important to
get to the point where we not just
identify the be vulnerabilities but
we
really put our emphasis on
solutions.
I'm thrilled to be here and I think
that embodies where we need to be
going forward forward.
>>I begin
where you began by commending the
secretary, DHS, Chris, for all the
great work they've done.
I completely
agree that the threat matrix is
becoming increasingly complex and
increasingly sophisticated.
It used
to be that we would say by 2020 there
would be 20 billion interconnected
devices
and it seemed so far away we didn't
have to think about it.
But 2020 is a
year and a half away.
Heree and we do
have to think about it.
That's in
part why Jonathan I and our
organizations and member companies
decideed to do something about it
by creating the council for securing
the
digital economy, which we'll get
into
in greater depth.
>>I also would like
to add my thanks and appreciation but
also commitment to really take today's
call to action and move to action that
the DHS and its leaders and its
staff have asked of us.
Thank you very much
to DHS.
Look, I agree completely.
We
have gone from a world in this very
ancient part of New York City where
threats used to be both observeable
and linear, to an increasingly complex
threat landscape, the densification of
our networks, unobserveable
phenomenon
existing within those networks.
The
identification that Dean just
mentioned, 50 billion connected
devices globally, 5G standards are
anticipating networks so dense that we
will be able to have a million wireless
sensors in a square kilometre.
The
complexities have become exquisite.
As they have become equivalent, our
determination as an industry, as
communications providers, as IT
companies, to use our resources, our
plashings our innovation and
imagination, to address those, to
learn more about how we observe the
unobserve unobservable, how do
we do
pre-Mortems to ensure that had when
there will be the next major incident,
we will be as prepared, deliberate
and
resilient as possible.
>>: Now that
we seem to agree on the level of
concern and threat, particularly with
the companies and your industries, the
ICT and telecoms, how are your member
companies delivering secure, resilient
products and services to the
customers?
Part of that question: How
much of it is about the Telcos and the
companies securing their own networks as
opposed to helping their customers be
secure and resilient?
>>Let me start.
think it's actually a blend of both.
We have within the communications
sector an enormous amount of
diverseity.
We have our large
national, international,
mid-sized
providers and also within USTelecom'
membership some of our nation's small
smallest providers serving some of our
more rural communities.
Each of these
parts of the sector have been
deliberate engaged for not just years
but decades in thinking through
our
intrusions and threats exist
within
our networks.
We have developed from
small to large companies habits
of
interconnection and interoperability
that have facilitated our ability at
the network level and through the
various stacks of the network level,
even as it's becoming more software
defined, to understand where and
how
threats appear and how to mitigate
them proactively as best as possible.
You mentioned the incredible
importance from large to small
companies of that dynamic and
real-time interaction with customers.
Our largest providers are
developing
on more of a bespoke basis with their
customers those solution sets.
But we
have to remember that 90 per cent of
American enterprise is composed of
small companies that have 20 people or
less.
Equally, our companies have
been developing off-the-shelf,
scale
scalable, ASSS-based ISP-led
initiatives so even the smallest of
companies can can adapt and have the
resources that ISPs in the
communications sector plus a number of
creative vendors have been making
available.
So there is I think a
dynamic and important baseline not
only of good practice within the
networks themselves but between the
networks and our customer bases
across
a diverseity of what those customers
look like.
>>The thing I would add is
that size doesn't necessarily
correlate with sophistication.
So there
are small companies that are
incredibly sophisticated about
these
issues and large companies that are
not.
Our companies are working hard
to make sure we take an integrated and
comprehensive approach to
identify
cybersecurity risk and work to deal
with them, to approach these issues
in an integrative way so that you are
thinking about comprehensiveness
across
your network and those within your
supply chain.
The third, which is I
think an opportunity is incubating
best practices.
That is where the
announcement today about the national
risk management initiative is
particularly sound and helpful,
because we'll move away from dealing
with things in an ad hoc basis to
creating some institutional
platforms
through which we can work and
collaborate.
>>: Catherine, to add
one other point: I think we're all
here in part -- how many companies,
even the biggest in the world, thought
they were going into business having
to defend themselves against foreign
intelligence services,
nation-state
threat actors?
The reality is the
call to action I think is that
collective defense piece.
I would add
one other critical infrastructure
sector that I think has to be part of
the equation and that's a the
defense have industrial base.
Because when
you look at the financial services
sector, energy, Telco, Dib those
are
the gold standards.
Things kind of
drop off a little bit.
I don't mean
to be pejor pejorative, but it's
the
reality.
The question is: How do we
flip the equation?
How do we get to that
collect collective defense?
Government has unique capabilities
capabilities, but it used to be
government lead, private sector
follow.
I'd say today it's becoming
the opposite.
The reality is not only is
the private sector on the front lines,
but they've got resources, but
they've
got certain capabilities beyond
cyber
forensics that they need Uncle Sam to
step in.
When I think about the Telco
sector, you brought up 5G, Jonathan, I
am concerned that there are some
issues there with the supply chain and
how it could potentially be
misused by
nation-state actors.
So we've got to
think that set of issues in the cyber
discussion and vice versa.
So it's a
pretty big challenge, but I think the
actors that have to be part of the
solution are actually here.
>>When we think about risk assessment and
the supply chain, we heard a little bit
about it this morning, how are
you seeing the companies themselves,
both
in the IT and the telecoms, how are
they doing their own risk assessment
for the global supply chain?
What are
you seeing?
What's been effective?
Part
of that question: What can the
government learn from that process?
Are the private companies learning
things, implementing principles that
the government could benefit from?
>>I think we can refer to an
operator's perspective.
We heard John
Donovan, the CEO of AT&T
Communications, reflect that this --
and
this is a practice that all of our
largest national communications
providers have been focusing on -- are
enormously vigilant.
They understand
down to the component level the depth
of and the accuracy of supply chain
materials.
They understand increasingly that the
supply chain is
not just about hardware, that
there's
been a migration to include enormous
numbers of software inputs, and
understanding where and how those
inputs are actually -- and those
coding contributions are actually brought
to bear is equally important.
mentioned that that is a supply chain
issue that has to be front of mind as
we're moving towards increasingly software
defined networks.
So I think
the largest companies have been both
visibly and aggressively
and
innovatively thinking about where and
how their supply chains are
evolving,
both at the national level and also
globally.
There are, as I mentioned,
different stacks and tiers of broad
band providers.
Our mid-tier
companies are the earliest examples of
what they're learning from adjacent
cohorts, tier 1, the largest ISP ISPs.
Our smallest companies, also with
the
right kinds of both business,
financial and operational
incentives I
think will be equally up the stack in
terms of being vigilant.
But those
incentives need to be in place and
fully developed to ensure that both
the smallest providers who
are
vulnerable to attacks, as well as
the
largeest ones, have the right kinds of
motivation and understanding that
the
balance sheet impacts of remediation can
be addressed in effective ways.
>>Dean, your members are quite
diverse in the ICT sector.
As to
their assessment on the risks for the
global chain supply, has it been
effective, what they're doing?
Do you
see challenges in the diverseity of
these companies?
>>Absolutely.
But I
also see opportunity in place where
the Department of Homeland Security
and the government generally can play.
think to the initial question about
what we're learning that is proving
effective, there are two things that
immediately pop to mind.
One is
recognizeing the importance of
cybersecurity, cybersecurity
risk
mitigation and management at the
inception.
We talk about cradle to
grave, but it's before the cradle.
When you're developing a
system,
product, making sure that you're
contemplating
and thinking through.
Also, when we
talk about data, we talk about the
need to assess what data you have, and
develop solutions and opportunities
and business models based upon doing
that assessment.
I think we're
increasingly finding that doing a
similar assessment around cyber is a
business imperative and creates
business opportunities.
Similarly, and
finally finally, just the
international nature of our businesses
require us to take and consider our
supply chains not only as integrated
but also international.
I think,
given the work that's being done in
Europe right now on a parallel path to
the work that's being done in the
United States, that's an opportunity
that, if we let go bi-, I think we'll do
ourselves and the nation a disservice.
>>Frank, I don't know if you want to
-- on the international aspect
of things, so a lot of times we think
domestically, but certainly the supply
chain is international.
But so are
the companies.
>>: Absolutely.
>>In
thinking about the global activity and
engaging with the U.S.
government, so the private sector has
been engaging
with the U.S.
government, but we hear
today a call to do that even more
effectively, in an operational way.
What are some of the ways that
potentially have not been done so far,
and it's not just the U.S.
government.
I would like to get your views on how
do you deal with like-minded
governments, and how do you deal with
companies that are operating, foreign
companies in other countries, and
maybe even non-like-minded
governments
or companies in non-like-minded
territory?
I'd like to hear from all
of you on that.
>>Great point,
because I think one of the things
you're starting to see here is the
need to unify all the interagency
components within the government,
public-private, within the private
sector, sector by sector, and then
cross-sectoral.
Just within -- many
and then all the clients and
customers
they in turn serve.
The reality is it
will require transnational
approaches.
Part of me says you build on what's
worked.
So you take the five eyes
infrastructure, you build a cyber
dimension to that, and you take NATO.
But we also have critical allies that
are outside some of those
organizations and alliances.
So you
think Israel, you think South Korea,
Japan, countries that have to be part
of that solution, all of whom live in
tough neighbourhoods.
I would argue
this is in our best interest.
Saudi has become the practice field for
Iran.
What happens there comes soon
to a theatre near you.
Ukraine has
been the field for Russia.
South
Korea has been the practice field for
North Korea.
So we -- but it has to
go beyond just intention
information
Why Cyber security scrow
krocht TeletovicTeletovic
Tell co-Mccurdy depass
consolidate consolidate
o work not only country
to country but
infrastructure
to
infrastructure
We need to rethink how
we do some of
these issues.
Let's get
creative.
>>
What are the
companies
doing now
with
respective to
foreign
government.
What has to
be done
that's not
done today?
>> I'll
address that
but let me
also brief on
your point.
Deeper
transporter
sector to sector
operational engagement is
critical.
I'll also
point out and it's vital
that
the
adjacentcies
are getting
closer.
Cross sector
engagement
can't be
within the
national frameworks.
It has to be
transnationally.
That has
been one of
the emphasis
for Dean and
I and an
amazing
number of our
partners to
actually
extend our
work streams
that we have
been
individually
doing in
various cyber initiatives
to join together
through the
council of
digitally conmy.
We have all
of them
engaged in a
highly
operational
way in work
streams.
We
can discuss
what they are
in a moment
so we can
create a best
practice baseline that
can be a
model for how
other sectors
can actually
move forward
for their own
engagement
and model for
how we in
working as
closely as we
are in the
United States government
through this
platform and
as we will
with other
governments,
that can also
be an
operational
model of best
practice and the case
study if you
will.
This is what we
need to bring
for this
cross
sectional
effort.
All
of our
companies
within the
economy,
within
USTelecom and
larger
companies,
obviously,
have bigger
programs with
national
governments
but
multilateral
organizes we
are working
with to
ensure the
right kind of
vigilence and
focus.
would adjust
one point on the government
to government
bases there are some
initiatives
we are tries
to think through.
How do we enhance
our ability
within our foreign
service to
privilege and
create new
capabilityies
for foreign
capacity to
do better
cyber diplomacy.
That's the expect tease to
work within our national
borders but insist our
diplomatic
services have
capacity and performance.
>> Can you
talk also and
wrap-up the
discussion
what made you
join forces
and develop
the council?
>> It was a
recognition
that we have
been talking
a lot for a
long time
about the key
elements elements.
We have our
own set of
five Is.
The
need for
greater
incentives to
get these to
work.
Bidirectional
sharing.
The
need for
integration
and on and on.
The solution set
has been
discussed a
lot.
It was
a solution
set into
tangible
action and
recognizing
as Jonathan
and all of us
noted that we
live-in an
increasingly
horizontal
world.
To
have the
impact we
need to have
requires
working
across
sectors and
sharing.
So we can have a clear sense of whom
to work with, when, I think will be an
important part of our solution set but also
deploying real strategies to achieve
them.
>>Often you'll hear references to the day
that there may be a major cyber incident,
where it may require the mobilization of
the companies that are in your sectors.
First I want to -- and for the national
security of the country, and
economic.
I want to first ask you: From your
perspectives, informed by the companies and,
Frank, in your view, what would a major
cyber incident look like?
Before I get into what do we do about
it?
But what would that mean if an incident
happens?
>>It's a great question, actually,
because the two work streams that we're
advanceing relate to both of them.
John, I don't know if you want to jump in.
>>And we could, but imagine this, a
single Botnet which
you can rent can deploy 6 million
zombies and impact two million people
per hour.
If you can exhale about a
single Botnet and scale that for
increasingly dense networks,
increasingly inanimate senseors
that
will actually be incorporated
through
the Internet of things into our
communications artworks.
You're
talking about some very challenging
scenarios.
>>: What about state
actors?
>>With the introduction
of
all kinds of new types of criminal
enterprise state actors that are
loaded.
That's why we have
these real
pressing dangers we
are facing
today.
You
want to talk
about Mobilization.
>> The two,
just to give
people an idea you want
to get more involved.
One is
around
botnets and identifying the best
practices and sharing them on how
to prevent
those sorts
of automated
attacks.
Second is essentially a playbook on
what would we do in the
scenario if there is a
successful attack.
>>
It follows up
on what Chris
mentioned.
This is a
need to
operation
operationallize
the concept
of
Mobilization.
The real
question is
when you have
a really bad
day in cyber
land who will
you call?
We
are taking
very
seriously the
idea with our
global
companies
that are part
of the
founding
partners of
CISD to take
a cross
sectional
apromotion to
come up with
the protocalls
and best
practices on
how we
mobilize the
broader ICT
sector and
use it as a
template to bring other
companies to
have
visibility
into our
conclusions
in the report
we are
developing
but stem from
that.
>>
I'll push you
farther.
>>
Can I take a
different
approach.
>>
I'll push you
farther.
Today
happened.
If
today we have
a major cyber
incident that
rises to
level and the
nations
security is
at stake.
Your opinion
frank, you
guys can join
in.
What do
you expect
the
government to
do.
Do you expect them
to show up at
your
companies and
what will
your
companies do?
>> Katherine,
I'll get to
your question
but I'll
frame it a
little
differently.
We are on
hallow ground.
We are very
close to
where 9/11
occurred.
Many of us
got into this
business because of
that horrific
attack on the
United States.
When you
think back to
that it was
telecommunication
providers
just as it
was
government
that got wall
street back
online and
got the
country
backup running.
The reason I
say that is,
ultimately,
I'm not sure
of the E 911
model is the
most
constructive.
I'm worried
about loss and
confidence in
our systems.
An erosion
of trust and
coif a dense
with systemic
risks you
don't need
that one
massive cyber
bang.
That's
not not to
suggest that can't happen.
The biggest
risk is cyber
in combination of physical means.
The
conversion
issue keeps
me up at
night.
Technology remains consistent.
People have been doing bad things for a long
time and they will do it in a cyber means.
Should there be a massive cyber
incident that has kinetic impact?
Some of the sectors we are talking about
right now are the gold standard.
Yes, they too need support and that's
where the public private partnership
is important.
It's not the way we normally talk about
it.
Transportation is critical.
I'm not sure if it's at the same level
people are starting to build relationships.
I think we are getting.
>> We hope in is a focal point for
coordinating all of the frameworks that
currently exist.
We are prepared.
>> At the we are on that day what's the
type of information that's most critical
to move between the private companyies
and government.
In the mist of an incident.
In another discussion should that be taking
place beforehand?
Before the incident?
Let's begin with
the day.
>>
The day of
event, it's such a hard question to
answer because it depends on
the nature of
the event,
nature of the
instruction.
What sector
and where and
how it's
transpired.
I will say,
I think the
idea that we will have
government folking show
up at our
companies, we
have to take
the reverse
view.
Companies in
the
communication
sector working
together with the
IT sector
were careful about
ensuring the
type of trust
groups we have between
our companies
exist so that
kind of
information
can flow
quickly.
We
are working
on advancing
and extending
the
protocols.
To not only
interact
between each
other but
cross
sectorly and
in meaningful
and quicker
ways.
There
has been a
tremendous
amount of
innovation
that we are
seeing within
our
governmental
partners,
particularly
with DHS.
This is the
central convening
group for a
lot of our interaction.
We have to
be careful we
don't atomize.
That single
stream of information
flow has to
be developed
in very
thoughtful,
creative, and
different ways.
There is an
expression
there is left
of boom and
right of
boom.
Preand
post
incident.
They are
taking
important ant
meaningful
steps in the
catalyst of
today's
efforts.
We
have been
working on
this already
to be sure
this can
extend cross
sector
allyally.
Through the
life cycle of
the event and
post event we
have
meaningful
protocols for
preevent,
analytics,
and other
efforts.
>>
chosen very discreet work streams that I
think will immediately address some of these
real, pressing dangers that we're facing
today..
>> the work we've been seeking to do and
accomplish with the CSDE, and we're
looking forward to expand that platform
and bring other colleagues into it
it.
So there really is imagination at work,
and we're seeing it.
Now there's a
convergeence at the public-private
level and I think that will
accelerate.
>> I have al30-second ad,
because I honestly believe that five
years from now what we envision as the
traditional situational Sit room
in a
white house setting, you will have
critical infrastructure
entities at
the table, not only in the CTIC
environment, which is basically
providing situational awareness but in
the incident response side.
But there
are some lessons that I think we need
to learn from counterterrorism,
the
first oneb and I'm going to step in it
and I've never had an unspoken
thought, but the reality is we
couldn't simply defend our way out
of
the challenge.
When you're talking
about Association we're never going to
firewall, defend our way out of this
problem alone.
That's why why having
General Nakasone here this morning was
so morning, having Christopher Krebs
here was so important,
because
ultimately we have to bring the fight
to the adversary as well.
If you want
to induce the behavior, you have
to have consequences and I think now is
the time for consequences.
>> it may
sound simple, this notion of
leverageing existing institutions, the
coordinating councils from the public
sectors and others, but inviting new
players in, it sounds simple, but it
is incredibly critical and needs to
happen.
>> we know that from behavioural
economics.
Behavioural economics
tells us that if we are only solving
problems within our group, the
solution sets will be weak and
short-lived.
We need diversity, and
we need to think dangerously.
>> secretary Nielsen asked us to identify
areas that need to be changed and we
have one.
I want to thank you guys.
>> thank you.
>> we are there.
We see the finish line.
This is the last
panel.
But in my view, this is the
most important panel.
This panel is
entitleed -- of course, it's not on
my paper.
Look, here's what we're
talking about [LAUGHTER]
>> this is
what the National Risk Management
Center is all about.
Everyone has
experiencing or engaged some way
with the national cybersecurity and
communications integration
centre.
That is an alert warning, information
sharing, incident response Hub.
The
National Risk Management Center
is
about identifying those things, in
some cases agnostic to a sector -- I
mentioned it before -- but to a
certain extent, sectors are an
economic artificialallity and
our
adversaries are looking at things
holistically, IT or ITCS.
We need to
identify what are those things that
are truly critical.
The government
types, form, recovering
government
motorcycles know about mission and
central functions.
We need industry
to come together and identify those
functions that underpin our
economy.
So this panel will address just that
and what the path forward looks like.
want to start by introducing the
Honorable mark Menezes,
under-secretary of energy.
[APPLAUSE]
next Mr.
Scott DePasquale, President
and CEO of the financial
systemic
analysis and resilience
centre.
[APPLAUSE] and Mr.
Dave McCurdy McCurdy, President and CEO
approximate of
the American Gas Association.
[APPLAUSE].
And Mr.
Gene Sun, chief
information security officer for FedEx
corporation.
[APPLAUSE].
Please
welcome our moderator for this panel
discussion, Mr.
Robert coal, acting
assistant secretary of infrastructure
protection, Department of
Homeland
>> Thank you,
Chris for
that
introit's
it's good to
be on the
stage and
joined by the panel.
Chris gave a
good over view of what we are
trying to do here.
The idea of doing risk
management is sense of what's important
and what we need to go out and
reduce the
risk.
I'll
start this by
turning to you.
One way we
have been
thinking
about this is rep
la
replicating
the model.
Tell us about your experience,
where have you landed and why do
you think that's left
you in a
better place?
We We
launched the
center a year
and half ago.
The Genesis
of this was
the CEO
important
financial institution
and markets
got together
and said as a
sector we need to come
together and prioritize
our risk.
We need to think
about what
does a bad
day look like
and the
connecttivenes
s of our
system look like.
We need to
work together
on respond
and recover
before we get
to protect
and defend in
the intell
intelligence
side of of
the equation.
The approach
we took first and
foremost we needed a
transparent
project to
bring the
sector together.
We could
work with our
government
partners and
agency and
treasury in
partnership
to have an
open
discussion on
a persistent
regular bases
several times
per month on
let's talk
about what
people think
is a bad day.
Let's get
everybodies
input on that.
That's what
we call our
risk
committee.
That process
is really
important important.
It was
happening
around
systemic
risk.
What that lead to is ark founded by the
member and
operators of relative vicinity critical
infrastructure decided we
need to put
balance sheet
capital
behind understanding
how we will
react to that.
Putting
together
playbooks and
mapping the
processes
that
underline the
key systems.
Chris talked about
wholesale payments and
other
critical
functions
that if
exposed would
effect all 7500
plus final institutions
in the country.
Not just
wholesale but commercial
and retail.
Have we
mapped the
processes
out?
The market understands
them but when
you get to
the underline
business
functions
that each
organize
contributes
that's less clear.
Underneath
that what are
the
technologyies
that support them.
So, our job
was to invest
in understanding
that and
better
driving if a at
the dellty around it.
If prevented
with a bad day or
it's effected or
compromiseed
we have a
playbook on
how it will
work together.
We have talked
to our government
partners
about that.
They talked
about the
importance of
that
relationship.
Also, we
have
implemented tools
that will
make us
measureably
more
resilient.
If we are
looking
Atticus Tom
measure data
to address it
quickly.
How we address
certain
account
behavior.
How we treat
a institution
on a bad day.
Having those
things in
place ahead
of time pays
dividends
towards that
bad day.
On
the
resilientcy
side we are
able to do
that in
advance and
continue to
rethink what
are the top
ten or
fifteen bad
days look like.
On the back
end of that
that will
give us the
ability to
drive our
participating
members in
the sector to
collecting information on those
key systems in a
better way
then they were before
and work with
our partners
across
government
through DHS
to get the
government
collecting on
those in a
smarter way.
One side we
have What do
we do to impact
resilientcy
and on the
other side
can we get
strategyic early
warning when
they targeted
what we have
identified.
Those are
our two major initiatives
in the work we do.
>> Let me ask a quick follow up,
innovation,
is this
evolution
reor a paradigm
shift.
>>
It's
evolutionary
with a
revolutionary out come.
You have to find a way to protect the most
sensitive information.
This is about getting information out
quickly to a lot of members.
Removing context.
It's without come come per
-- comper micing.
We are about building context
backup and
doing joint analysis.
That doesn't
happen at
scale quickly.
You have to
protect and
defend the
data you are
asking for.
You are
asking them
to share
their most
sensitive
vulnerable
vulnerabilitie
s.
That takes time.
Finding a way
to do that
and getting
the sector to
participate
is the big win.
That's
evolutionary,
as we look
back, no one
has
identified
and kept a
compos of
what lives
during this time.
>> We at DHS
found this model so
compelling.
Mark, you
just hosted a
discussion
with a number
of natural
gas
representatives.
How much
does this
thinking
match what we
are doing.
When you
hear Scots
experience
how similar
is it to what
you are
trying to get done.
>> In many
respect it
tracks but in
part our industry has
been looking
at what's
been going on
in the
financial
area.
When congress gave
us the sector
specific
agency and
authority to
make sure we
have the
energy sector
and
Cybersecurity
secure if you
will we looked
to see what
was out there.
We brought
to bear to to
bear our
national ads and put in place
what we saw saw.
Information sharing you talked about is
important.
It's I
deputifyingfy
--
identifying
the threats
and making sure our energy system at
large is operational.
It should be no surprise to everybody
in the room our energy sector is a target
because of the tremendous
success we have.
We talked about this in
the group.
We lead the
world as an
exporter in
natural gas.
We are an
economic
problem for
other countries.
We are a
target.
We
think if we
flip the
light we'll have
electricity
and if we
turn on the
stove we'll
have gas.
FedEx has an
interesting
point on oil
production.
Over 70% of
our energy is
still used in
transportation
fuels.
So, it's
important we have
it safe
guards to
ensure the
resilientcy
in the
electricity
system.
This
drives our
economic
secure
security and
process parity
as well as if
we are I
energy security.
We need to
be sure while
we produce
natural gas
and we have
to have an
electric
system that's
also
resilient.
You cannot
have elect elect
--
electricity
unless you
have power.
We are
engaged in an
effort to
make sure we
have
generation
there as well
as a secure
transmission system
that will
ensure
affordable
and reliable
and resilient
electricity.
In many ways
we model.
Our
challenges
are gater.
I mentioned our labs.
If you go to
our labs we
host an EFFC
meeting some
of the oil
and natural
gas
coordinating
councilmembers
participated in.
I think it
helps race
raise the
level of
comfort when
you see we
have in
place, as I
mentioned.
We,We can
identify
information
sharing on
the I.T.
systems.
With the
industrial
control
systems
playing a
part in
modernizing
our systems
we can go
down the
supply chain
and look at
the devices
and we can
help identify
and add added
-- address those spreads.
We provide
training at
these if a skillties.
We go the
grid X with
the FCC and
oil and
natural gas.
We are trying
to do it as
much as which
much as we can.
It's been the
financial Indus try setting
the standards.
>> He brought you in the conversation.
We had conversations about perhaps
in the past
how we
thought about
critical
infrastructure
and how they
missed things
that are
important important.
Talk to me
about your
prospect
prospective
at FedEx and
what we might
have missed
that's a
national
security asset.
>> You know,
before I talk
about that.
I would like
to remind
people to
about a year
ago.
This time last
year I
personally
spent a month
in Europe.
This morning
we talked
about crisis mode and what the worse day
looked like.
I lived through the
worse day.
>> Sorry.
>> This is
nothing
compared to
that.
LAUGHTER ]
>> You know,
it's public
knowledge.
We brought a
European
shipping company and they got
attacked by viruses.
Within minutes
thousands of
severs and
tens of
thousands of
laptop partly
PC PCs were enencrypted.
Through the
period we saw
the ripple
effect of the
damages.
Many of our
'cuz Tom --
I'm items
couldn't be
shipped out.
Our systems
were not
available.
came to a few
critical
realizations
right after
that crisis.
First, we as
a logicist
company
cannot go
this alone.
When you
deal with
nation
states, you know,
I think our
government
has a nation state with Russia.
This was collateral damage
between the
fighting of
Russia.
For
a pry private
corporate there is
no way to go
against a nation state.
It's a
losing battle.
So,
government --
we started to
realize the
government
has to play a
part in cyber
defense.
That's
first, the
second one, I
do think what
Scott and the
Secretary talked about
collective defense moving
forward on
the sectors.
Take a
playbook from
final
services industry.
It's
important to
share best
practices and
Intel and
bring the
government
into helping
different
private industry.
These are
some of the
items.
Of course, in
the meantime
we are
spending as
much as we
can on
Cybersecurity.
We are
entering a
cyber arms race.
We don't
know if
that's
sustainable.
We need a
new paradigm.
I'm so
pleased and
excited about
what is taking place today.
>> You help
the industry.
I think you
get a lot of
head nods
about a
strategic
approach today.
Throw some
cold water on
it if you
don't mind.
What will
make it hard
for government
and industry
to work together?
>> Well,
first of all,
I want to
commend DHS.
It's
important
considering
where we are today.
There is a
change of
when some of
us started
working on
these issues.
Before it
was called
cyber it was
called
internet security.
We have seen
it accelerate now.
GovernmentsGo
vernment has
worked hard
to keep up
with it and.
When it was
a person in a
basement or
criminal
element or
competition
that was
trying to steal did a tag
number -- information companies
were able to deal with that.
Now we are dealing with
nation states and challenges.
The
government
isn't
organized for
this 21st
century
paradigm.
Congress has
a role to
play.
Congress is still in
the 19th
century structure.
I know that.
I have
experienceed
that and it's
still a challenge.
You have
challenges
with
organizes themselves.
Federal
agencyies.
If you are
an industry
and looking
at this array
and.
In the
natural gas
sector where
we are highly
regulated
from the
local level
through
federal so
you need to
understand acronyms and
have
relationships.
At the end
of the day it
by boils down
to
relationships.
You need to
have the
person you
call and
know.
Everybody
talks about
the bad day.
You build-up
the
relationship prior
to that.
There are
still
obstacles.
Whether it's
congressional
authorities
or whatever.
Our role in
what I've done at the American gas
association.
We have all of the investor own owned
utilityies and 60% of members are a
combination
of electric
and gas.
When we talk
about energy
we understand
the
importance of
that and role.
We need to
be proactive.
The electric
sector we
have to commend
through the
EFFC they
have
experience
trying to coordinate.
They are
bringing
natural gas
into that.
After the
shell
revolution we
have moved
from an area
of scarcity
to abutton
abundance.
We also
deliver
natural gas
to 75 million
households
and over 175
million people
in the
country.
We
power most of
the man
fractureing
manufacture manufacture
--
manufactureing.
All of that
is critical.
As it's
become inno
interrogateed.
As it passes
coal there is
more concern
about what is
the impact of
-- what would
happen if
there was an interruption
in the gas supply.
We can talk
about that more.
We work
closely with TSA.
They are
part of DSH.
They have
surface transportation.
We work with
FINZA on safety.
The Department
of Transportation
Transportation.
We work with
the DOE on a
lot of their functions.
Understanding
the different
agencyies and
coordinating.
>> That
makes sense.
Mark, I had
a opportunity
to listen to
you a number
of times sense you
come onboard.
I know know
you came to
break barriers
abdomen make progress.
What couple
barriers
would you
want or most attune
to go after
at this point?
>> Thank you
for the question.
I have been in industry and now I'm
in government.
I came in with the strong belief back
then that we had to
together
together --
to get
together more
as industry.
We had to
gain information
and share information.
Those are
generally the
big issues we
were told.
We need your
information
but we can't
tell you what we know
but by the
way fix your
system
because, you
know, it's
your system.
So, it's
very
flustering.
Came into
government
and I found
that we do
have information
that we can't
give to you.
We have a
very
cumbersome
process to
identify the
information
then classify
or declassify
it to share.
It has been
a learning
experience
here.
Part
of the reason
we are here
is to let you
know we are
committed.
Bob and I
talked about this.
It's as much
of busting
down within
the
government to
make it more
helpful, more
information
sharing.
More
responsive in
being able to
provide what
you need.
It's
complicated
in the
government.
The good
thing about
the
government,
we have these
national labs in resources
to help work
with you and
provide you
cuttingth
cutting-edge
technology we
need across
the whole
operating systems.
We are
becoming more advance.
If you have
an iPhone you
can have
access to
your energy
and provider.
We are getting to
that point.
At every
point along
with the way.
The
commitment
here is to
help bust
down the
silos within
the
government to
be more
responsive
and
information
sharing two
of the
industries
have been
desperate to
a large
degree.
That's our
goal to
insure we are
much more collaborative.
It was clear that oil and
natural gas
has asked to
be more
includeed.
>> Mark and
I were in
Idaho falls.
I was there
a year ago with
our team.
The I ICS is
there
industrial
control
system and go
figure out
those charts.
>> We'll
draw it up in
a while.
>>
You know, the
lab is doing
things we
find very
helpful as we
go more
machine to
machine.
We
talk about crisp.
It's not as scalable.
What you do
with side
tricks on the
cyber supply
train testing.
What you do
with chi
coyote is
cool.
All of
these things
are, go find
those accident enemies.
Those are
helpful and
those are the
kinds of
things that
industry
would like to
work with
government to
help address
this
challenge.
>> Just for clerrification.
On the
acronyms,
Chris is
cyber
information
sharing
program.
If I can add
this one in
the mix.
It's
Cybersecurity
testing for
resill
resilientcy
of industrial
control systems.
>> All
things we can
get behind.
[ APPLAUSE ]
>> I'm from
the government
and I'm hear
to help.
>>
So, Scott.
LAUGHTER ]
Berry's
industry is
working
across the
industry
working
together.
What would
you like to
see us overcome?
>> I would
say a few things.
The
relationships
between the
sectors and
between the sector
and
government
are important.
They allow
us to mobilize.
They have to
turn into
collaboration.
That's why
what you are
building with
the center is
so important.
I believe
john said it
earlier when
he said the
collective experience is
better than
the
individual
experience.
We have
gotten tuned
into
information
sharing as a
trend transaction.
I have
information,
I need to get
it to you.
I'll give
you to title
of that
information
and good luck
secure
securing your
network and
organize and
be
situationally aware.
That's an
important function.
We have
tried to move
towards a set
of collaboration
with our
sector and
government partners.
Can we look at
joint
analytical collaboration
together so
we are both
watching the
accumulatetive
effect.
We
are analyzing
vulnerable
venerableiliti
>> They were protecting
the cyber
infrastructure
We are part of
the group to
make the economy work
for society.
I'm very
anxious to wait
for for DHS
to Expand the
partnership
farther into
other
critical
functions for
the U.S.
economy.
>>
Let me
clerfy, we
are not stopping
it to three sectors.
We have, I
think, commitment
from industry
and the way
they organize and
experience
plus the
criticality
parts make it
possible to hit
a running start.
When we
think about
critical
national
functions we
don't want to
limit the
definition by
that by who
produces it.
We have to
figure out
what are the
things that
are most
important.
The
Secretary
talked about
GPSPS all
critical
infrastructure
s depend on that.
We will be
in an an
explore an ex
-- explore
Torrey frieze.
>> It's
important for
the sectors
to do their
homework and prioritize
the risk when
they come
with DHS.
If you don't do
that work to
prioritize it
there is a
lot you can
focus on.
If
you don't get
down to the
few when we
come to the
table I would
worry we
would fail.
They have
their part to
play as
operators.
They have
the critical
information
you need to
secure the
bigger system
of systems.
>> In your
experience,
as we get to
the vital few
is it about
securing it
or taking it
off the list.
>> The national
functions are always going
to be the
critical
national function.
You will
only
understand
them better
and have
better
facility and
have better
intelligence
because you
are very
focused on
the systems
and
understand them.
>> So, as we
wrap-up.
I'll go to you.
>> So, under the umbrella
of DHS don't
forget those
primary functions
like TSA and
there are
resources and
staffing they
need as we
updated the
recent
Cybersecurity
guidelines in
this framework.
We are
piling in those.
They need to
be reviewed.
Our partners
need to be
there but
need
resources.
I'll also plug
for Chris as
well well.
HR 3359.
Getting that
agency
designated will
clerfy the clarify
the lines.
The
partnership
is very clear.
We can't do
it without
each other
because the
threat has
changed so
dramatically.
We commend
you for that.
>> Thank
you, yeah,
you know, I
hope that
everyone
leaves with a
sense of urgency.
We will do
it in a
deliberative way.
We have
goals to look
and and
talking about
how we'll
give an
update in 90 days.
We don't
want the 90
day goal to
be a
substitute
with the fact
we need to
deliberate.
Mark.
>> Just on
the busting
down the
silos we
should know
as a team we
can help DHS
do it's
enormous job
to make the
nation safe.
We set up a
special office
that will be
headed by an
assistant
Secretary
with the
accident them
of CESAR.
It ' emergency response.
ThatThat has
helped bring
together the
various
elements
within our department.
We cover a
lot of things
as well.
With that,
if we can
bring those
kinds of
assaults.
assaults
-- assets.
I encourage everyone
to think of
it as a team play.
We are all
interrelated
and
interdependent.
The better
we are less
at guarding
the turf and
pulling
together we
can make
great progress.
>> Those are good final
thoughts as
we are ready
to wrap-up.
I would like
to thank the
panel and
we'll get
ready for the
vice Vice
President.
APPLAUSE ]
>> All
right, that
concludes the
official
panel
programming
for the day.
I'll ask you
to hang tight
in the
auditorium.
The vice
president
will be on shortly.
If you leave
the
auditorium
you will have
to reprocess
through
secureity.
don't believe
you will make
it back in.
Hang tight.
Thank you.
AreTurnpikes
[ MUSIC ]
??
>> Ladies and gentlemen,
please
welcome the Secretary of
homeland
security
Christian
Nelson.
APPLAUSE ]
>> Hello and thank
you for being
here all day
with us.
We greatly appreciate it.
Before we welcome our final speaker of
the day I
want to thank everyone for
their leadership and
partnership
and if we
could I would like to give you a round of [
APPLAUSE ] applause.
I know you will be here with us
shoulder to
shoulder.
I could
probably take
all of the
time in
summing up
what we
talked about today.
Let me hit
on a few
points before
I introduce
our speaker.
As I said
earlyier our
digital lives
are on the line.
Our
adversary
adversaries
are trying to
advance our
networks,
systems, and functions.
They would
like to
steal,
disrupt,
manipulate,
and destroy.
Together we
won't let
them succeed
nor falter.
This room is
full of minds that
can help us
solve this problem.
Full of
experts and
those with
expect
expertises.
As I said
the add have
add have a sayer
-- add add
have add they
are crowd
surfing their
attacks.
We
have a will to
win and
secure
cyberspace
against all
enemies.
We have come
together to
send a
powerful message today.
TherERA has
passed.
Whether you
are a
criminal or
nation state
if you breech
our breach
our networks
you should
look over
your shoulder.
There will
be costs for
hacking,
reproconcussio
ns for sealing
and
consequences
for
disrupting
our systems
and meddling
in our democracy.
The national
risk
management
center we
announced
earlyier
today will
allow us to
move beyond
information sharing.
To a stage
where we can take
joint action
to protect
critical infrastructure
and our
national
critical function.
The center
will develop
policies
policies,
plans, and playbooks
to gain the
upper hand in
cyberspace.
Other
initiatives
is cyber work
force
programs and
new joint
exercises
will allow us
to bring
government
and industry
together like
never before.
We'll
prioritize
our efforts
and instil
the mussel
muscle memory
needed at
machine speed.
I asked DHS
and members
of our team
to begin a
nationwide tour to
connect with
cyber expects
and drive
these efforts
forward.
We
welcome the
commitments
many of you
have made today.
We do need
your help and
we need you
to help am --
New amfy our
call to action.
I have the
great honor
to introduce
our final
speak irof ir
-- speaker of today.
He's a
passionate
advocate of
national
secureity.
Our next
speaker is no
stranger to
the practice
of risk
management as
governor of
independent
an Indiana he
established a
Cybersecurity
council.
To
bring the
public and
private
partners
partners together.
He has
carried that
commitment to the
White House
where he's
championed
President
Trump's bold
Cybersecurity agenda.
He's a
leader in
enableing us
to build a
better cyber
ecosystem and
above all a
leader in
protecting
the American
people.
Ladies and gentlemen,
it's my great
pleasure and
honor to
introduce the
vice
president of the
United States
of America.
Mike pence.
[ MUSIC ] ??
[ APPLAUSE ]
>> Well
thank you for
that kind introduce and
your
leadership at
the
department of
homeland security.
Would you
join me in
thanking
Secretary
Nelson for
her
leadership
and bringing
together this
historic
summit today.
[ APPLAUSE ]
>> To the
Secretary and
Secretaryiry
perry and director ray
and all of
the leaders
of industry
and academia
that have
come from
near and far..
It's my
honor to
welcome you
all all.
At the close of
the events
today at the
first ever
national
Cybersecurity summit.
Thank you
all for being
here today.
APPLAUSE ] I
bring
greetings and
gratitude for
your
participation
in this conference
from a great
champion of
nutritional
security
President
Donald trump.
I'm here on
behalf of the
President.
Cybersecurity
is a major
focus of the administration.
Over the
last year at
the
President's
direction we
have taken
action to
straighten
our digital
infrastructure
We know
Cybersecurity
has never
been more important
than the
American
people.
America
depends on
the digital
world.
All
of the
industry
leaders know
too well.
It's opened
countless new
doors of opportunity.
Created
extra
extraordinary
process
parity and
unleashed a
new ERA of(e)
entrepreneursh
ip that
effects our
lives and
society.
While this
revolution
has spurred
new
opportunities
as you have
discussed
here today.
It's also
spawned new
threats.
Criminal
terrorist
foreign
adversaryies
constantly
prowling the
domain and
present a
threat to the
nation.
Americas digitalin
if a
structure is
under
constant attack.
The federal
government
alone
experiences
hundreds of
thousands of
digital
assaults everyday.
Across the
entire
country the
number of
attacks on
our digitalin
if a
structure digitalin
if a stuck -- digitalin
if a digital
-- digital
infrastructure
is countless.
They
threaten our
families
privately.
Like those
that breech
breached ex
EQUFAX.
They extort
our hard
earned money.
As we saw in the
North Korea
attack that
held more
than 200,000
devices and
150 country
countries hostage
demanding a
ransom.
Foreign
interests
also
routinely
steel steal
trade secures
from our
important
industries.
As our
administration
recent
trade-in vestgation
found for --
trade
interest
invasion china
has been
finding and
steeling
steel
stealing our
intellectual
propertyies.
Our cyber
knows also
would like to
disrupt our
infrastructure
They might
have the opportunity
to shut down
the nerve
center of
American
energy in our
national life.
They also
target our
economy.
single
Russian
malware
attack last
year cost a
major American
shipping
company
roughly $400
million and
in 2016
cyberattacks
it's
estimated
cost our
economy $109
billion.
Cyber
attackers
also go after
government at
ever level.
In march
Christian
when hackers
hobbled the
city of
Atlanta and
crippled many
basic
services for
several days.
As the
American
people know
too well they
increasingly
use the digital
world to
manipulate
and divide.
In the face of these threats
the American people demand
and deserve
the strongest
possible
defense and
we will give
it to them.
APPLAUSE ]
>> Previous administration
s have let the
American people down
when it came
to cyber
defense.
The
out set of
this
administration
it became
clear from
early on in a
very real
sense we
inherited a
cyber crisis.
The last
administration
neglected
Cybersecurity
even though
the threats
were growing
by the day.
In 2014 a
foreign government
hacked into the
White House
network
itself and yet
in the face
of constant
attacks like
that the last
administration
too often
chose silence
and paraural
para paralysis
over straight
and action.
Those days
are over.
At
President's
President
trump
direction we
have taken
action to
fortify
Americas
Cybersecurity
capabilityies.
We are
forgerying
new
partnerships.
Evidence all
across the
society with
state and
local
governments
and great
corporations
so well
represented here.
We secureed
new funding
from
Cybersecurity.
In our first
year in
office we
allocated $1.2
billion to
digital
defense and
next year we
have
requested a
$15 billion.
We will
continue to
work with
congress.
We'll
continue to
provide the
resources we
need to
defend our
nation from
the threats
we face in
the digital
domain.
This issue
requires more
than new
funding.
America also
needs a
central hub
for
Cybersecurity.
Today we
call on the
United States senate
to follow the
lead of the
house of representative
s and before
the end of
the year
enact legislation
to create a
new agency
under the
authority of DHS.
The time has
come for the
Cybersecurity
and
infrastructure
agents to commence.
Thank you.
[ APPLAUSE ]
This agency
will bring
together the
resources of
our national
government to
focus on
cyber
Cybersecurity.
It's an idea
who's time
has come.
In addition to
funding and
reforms our
administration
is hardening
federal
networks.
We
are taking
renewed
action to
identify
renewed
action that
our adversary
can exploit.
They have
long allowed
a Russian
antivirus software
to be
installed on
government
devices even
though it has
a relationship
with the
Russian
government
and
intelligence
services.
This threat
existed for
many years.
Our
administration
ended the
threat last
year when we
banned lab software
from the
entire
federal
government.
APPLAUSE ] Where
heWe have
also stopped
sharing
information
with network
defenders
defenders.
Americas
intelligence
and law
enforcement
agency
agencies have
the ability
to find
weaknesses.
While the
last
administration
s almost
always held
onto this
administration
in this White
House I'm
proditory
port we have
improved how
much we share
with the
private
sector and
the speed
with which we
share it.
Today,
nearly one
third of the
threat indicators
are not
available
from any
other source.
We'll
continue on
that track.
Finally, our
administration
is putting
the finishing
touches on
our national
cyber strategy.
This will
make clear
that the
United States
will bring
every element
of our
national
power to bear
to protect
the integrity
and security
of the
American
digital doe
-- domain.
APPLAUSE ]
Our actions
have made our
adversary
actions more costly.
As we
continue to
reinforce our
cyber
defenses
we'll deter
them as ever before.
As you well
know, we
can't prevent
every assault
or attack in
the deathal spear.
The size and
magnitude of
the danger
combined with
the rapid
evolution
means that
some attempts
will slip
through the
cracks.
Be
assured our
government
will make
sure we keep
the
resilience of
our digitalin
if a
structure.
When the
breaches
occur we'll
get back on
our feet
quicker and
we'll prevent
the next attack.
When it
comes to
stopping our
cyber
advosayer --
adversary
adversary
resilience
isn't enough.
In this
White House
I'm proditory port
we are -- I'm
proditory
port we are.
We have
taken action
to elevate
cyber command
to a combaton command.
We put this
on the same
level of
commands that
oversee our
military
operations
around the world.
Gone are the
days when we
allow our
enemies to
cyber attack us.
Our goal
remains.
American
security will
be as dominant
in the
deathal
digital world
as we are in
the physical world.
For youUSE ]
For all that
we have done
and all that
we are doing
there is
still much
more work ahead.
What will
bring us here
today is the
reck
recognition
we can't do
it alone.
Straightening
American
Cybersecurity
doesn't
belong solely
to our
national
government in
Washington
D.C.
The
greatest
progress
happens from
the bottom up
and not the
top down.
Beyond our
government
wide approach
we need you.
We need you
to continue
to partner
with us for a
nationwide
approach.
For together
we can
protect
America's
digital domain.
[ APPLAUSE ]
>> It's been
said
Cybersecurity
is a team
sport and
requires
collaboration
between the
federal
government,
state and
local
leaders, but
also innovate
innovators
and
entrepreneurs.
In a world
it -- word it
requires all
of you in the
room and all
you represent
across the nation.
We have
taken
important
steps to
improve our
partnerships
at ever level.
In addition
to this
conference
today where
you have
heard much
about those
efforts I'm
particularly
excited with
the new
initiative announced
this morning.
The national
risk
management
center.
This new center
will be the
gateway for
American companies
that would
like to work
with the federal
government
more closely
to straighten
our shared
cyber
Cybersecurity.
Let me take
this moment
to thank all
of you who
have already
expressed
intention to
join this initiative.
Just a few
weeks ago in
the situation
room I
personally
met with the
President's
national
secureity
tell
communication
advisory
community
that will
bring
together key
intrussly
leaders --
industry leaders.
I learned
then and
we'll learn
more that
they will
soon launch a
Cybersecurity
moon shot initiative.
This will
focus our
national
energies and
skills on
digital
dominance.
Those
leaders, that
day informed
me America won
the race to
the moon.
To this administration
and in
partnership
with all of
you America will
lead the way
to
Cybersecurity
and straight.
[ APPLAUSE ]
This
examples I
mentioned
today are
essential to
the secureity
and process
parity of the
American people.
As we gather
today the
American
people also deserve
to know that
our democracy
is secure as well.
Before I
close, let me
speak to our
administration
s action to
save guard
the integrity
of our
elections.
While other
nations
process the
capability.
The fact is,
Russia
meddled in
our 2016
elections.
That's the
unambiguous
judgment of
our
intelligence
community and
we except the
intelligence
communityies
conclusion.
Russia's
goal was to
sew discard
and weaken
peoples faith
in democracy.
No votes
were changed
but any
meddling will
be be
allowed.
APPLAUSE ]
>> The
United States
of America
will not
tolerate any
foreign
interference
from any
nation state.
Not from
Russia,
china, Iran,
or anywhere else.
As President
Trump said we
won't have
it.
To that
end, over the
past year
President
Trump has
directed our
administration
to create as
well a whole
of government
approach to
straighten
election
secureity.
As recently
as last week
the President
convened a
national
secureity
counsel
council
meeting for
updates on
the progress
we have made.
We have
taken a firm stance
and backed it
up with
strong action.
The FBI has
foreigned the
foreign
influence
foreign task
force to
identify
secret
foreign
groups groups
trying to
undermined
our democracy.
They have
launched the
information
analysis center.
This project
that all 50
states and
900 Counties
have joined
will prevent
attacks
before they happen.
Identify
them when
underway and
stop them
before they
can do
lasting
damage.
Working with congress
we have made $380
million
available to
states.
They
can update
voting
machines in
secure
technology.
We are
deploying new
centers to
monitor
networks and
identify
instructions
at the state
and local level.
38 states opted
in the
program but
we Expand the
farther 22
states and
Counties as
they are
request.
Our
administration
launched a
cyber
awareness room.
This is a
vehicle vir
vir vertical connection.
In my home
state of
Indiana as
well as owe
Ohio and west
very Virginia this system was used and
will be used in
the elections
in November.
We also
helped them
respond to
cyberattacks.
Two weeks
ago a County
in Kansas
reached out
after a mal
malware
attack forced
them to
shutdown not
just the election
network but
the Counties
network.
They worked
with County
officials to
identify and
eliminate the
dangerous
intrusion.
This was a
model of the collaboration
that we need
to ensure the
security of
our elections
and we commend
the state and
local and
federal
officials
that made it
happen.
APPLAUSE ]
>> Our
administration
show that
they are
administered
at the state
and local level.
This
administration
has been a
champion of
federalism.
With the
respect of
per view in the state and
local officials.
Many states
don't have
concrete
plans to
upgrade their
voting
systems.
14
states are
struggling to
replace out
dated voting
machines that lack
paper trails
before the
next election.
Today, not just as
vice president but
as a former
governor, I
want to urge
with great
respect,
every state
to take
renewed
action.
Take advantage of the
assistance
offered by
our
administration.
Do
everything in your power to straighten
and
protect your election
systems.
You
owe your
constituents
that and the
American
people expect
nothing less.
[ APPLAUSE ]
>> This is a
time for
vigilence and resolve.
I can assure
you our
administration
will take
strong action.
We have done more than
any administration
in American
history to
preserve the
integrity
integrity of
the ballot
box and we
have just
begun.
We'll
continue to work
tire tireless
tirelessly to
keep them
from changing
votes and
election outcomes.
As the
President
said, we will
repel any
efforts to integer in
our elections.
When anyone
violates our
laws we'll
bring them to
justice and
utilize ever
element to
respond.
Our
democracy
demands and
deserves the
most vigorous
defense we
can give it.
[ APPLAUSE ]
>> I want to
assure you with can do
this in a man there
that will
respect the
God given
libertyies in
our constitution.
We will
never stop
voices in a
free society.
We can
expose
fraudulent
voices when they seek to undermined
confidence in
our democracy.
This we
will do.
Our admin station
will always
make efforts to shed light on foreign
attempts to interfere in our elections
and society.
Our 16th
President
said it best.
When he said
give the
people the
facts and the
republican
will be saved.
When the
American
people have
the facts
they always
uphold our
cherished institution
and values.
This is just as true
today as it's
been in our
nations long
history.
So
thank you
again for
being here.
Being apart
of this
important and
historic
gathering.
You do the
nation a
great credit
by
participating
in today's
discussion
and by more
important
important
importantly
following
through with
a greater
partnership
appeared
collaboration.
The truth is
Cybersecurity
is unlike any
challenge we
have ever
faced.
It's
a work that's
never done.
It's a
process that's
continuous
and so must
our collaboration be.
Technologies
are shifting
by the minute.
From the
internet of
things to 5G
to artificial
intelligence
to quantum
computing.
Each advance
is
accompanied
by new
opportunities
and
challenges challenges.
Just as the
threats are
evolving our
defenses
defenses too
must evolve.
The only way
to be strong
and secure is
if we stand
strong and
secure
together.
on
behalf of the
American
people.
APPLAUSE ]
Cyber
security -- [
APPLAUSE ]
Cyber secure
--
Cybersecurity
is a a civil duty.
You have established
yourselfves
as leaders
and patriots patriots.
Long before
this
conference
today by your
efforts for
the American people.
The President
and I need
you to
continue to
be advocates
in your
industry and
among your
peers for
greater
Cybersecurity
collaboration.
The American
people
deserve
nothing less.
Keep talking
about how
they need to enlist
in the fight.
Tell them
they have an
obligation to
identify the
weaknesses in
their own
networks and
platforms.
The weakest
link creates
a venerableility.
Tell them we
need them to
buy American
when it comes
to digital
projects and
services.
Not just the
to support
American jobs
and
innovation
but American
secureity.
Tell them
they need to
share their
insights,
ideas and
innovations
that innovations.
Above all
else, tell
them what you
have heard
here today at
this conference.
Tell them we
need to work
together.
on
an increasing
bases.
Not
just with our
national government
but with
state and
local
government to
ensure
security and
process
parity of our of
-- process
prosperity of
our nation.
The American
people are
counting on us.
They need to
know their
home is
secure from
prying eyes,
their accounts
can't be robbed.
The lights
will turn on
when that
switch the
switch in the
morning and
they should
know our
democracy
won't be
corrupted and
our nation is
stronger and
more secure.
Even in the mist
of a
technological
revolution
then it's
ever been
before.
This
we can do
together.
So
thank you for
the
opportunity
to address
you today.
To wrap-up
what I trust
has been a
meaningful
and
producttive
die altogether.
I hope you
will not feel
that you have come
here today
and done your
part by this attendance.
I hope you
leave with a
burden on
your heart to
do more.
As
the old book have
as we have as
-- we should
not grow
weary of
doing good.
We'll
produce a harvest.
Don't grow
were weary in
standing up
for the
security of
the American people
in the cyber
dodo doe -- domain.
With the
patriotism of
all of you
gathering
here you will
work with us.
With the
leadership
oppose
President
Trump and I
know, with
the support
and prayers
of the
American
people we
will defend
our nation.
We will
defend our
nation on
this cyber
frontier and
I know as
Americans
have always
done we will
do it
together.
Thank you
very much.
God bless
you and God bless the
United States
of America.
MawsPLAUSE ]
>> Thank
you.

How Israel Rules The World Of Cyber Security | VICE on HBO Top 10 Secrets The Secret Service Doesn't Want You To Know 1980s: How Donald Trump Created Donald Trump | NBC News China...If They Pull the Plug, We're Screwed Why the poorest county in West Virginia has faith in Donald Trump | Anywhere but Washington See What Happens When A Plane Violates Presidential Airspace | TODAY How Mexico is Winning the Car Manufacturing War What makes a good life? Lessons from the longest study on happiness | Robert Waldinger Craziest moments at U.N. General Assembly I Adopted Rich People's Habits, See How My Life Changed

Department of Homeland Security National Cybersecurity Summit

Latest Posts