Emerging trends that we see when comes to protecting Critical Infrastructure protection from attack. When the type of protecting from overhead attack we really talking about this particular issue. And so today it is important to us. We thank you for the invite, and inviting us out. As elaine just mentioned, we come from a background known as the National Protection programs directorate. Say that 10 times fast. Bonus points if even knew what that meant. But today with a name like the u. S. Cybersecurity agency, we have that Value Proposition. We understand before even walk in the door what the value is never going to bring to the table and so the name like that, while we still pass on business cards, while we still great relationships, their story recognition out today with a name like cisa, protecting Critical Infrastructure. That mission has changed over time as well. Today as we move further and further away from 9 11, and that antiterrorism post9 11 mission is gravitating towards domestic terrorism. Its gravitating towards nations nationstate actors that are looking to cause damage and disruption to our Critical Infrastructure. And this is Important Mission for cisa and something we have embraced. We are our nations risk advisors. Notice, i did not say risk managers because that is your job. You manage risk. , on ourcumbent upon us shoulders to provide you the intelligence, the information you need to make educated risk decisions and we pride ourselves on providing that advisory capacity. Industry. With in the last 15 years i can tell you weve done a lot of great things that nobody knows about so a big part of it today is providing some visibility thats Value Proposition back and forth. Value proposition back and forth, that information thats now going to be in your hands to do something about, when things go bump in the night, have the ability to reach out to the local advisor and a conversation back and forth, either in the clear space because you have the clearance or the terror line, what the threat is and what are the industry best practices, what are the mitigation measures we should all be doing. We pride ourselves on having that ability to have a conversation back and forth. I think years ago some of that information sharing just wasnt there. It was a big black hole. Wed ask for information, wed walk away never to be heard from again. But today its an ongoing dialog back and forth. We have information. Here it is. What does it mean to you the , stakeholders in the field, the practitioners who can do something about it, the boots on the ground that own over 85 of all Critical Infrastructure in this country . So now i think that conversation is little more robust going back and forth. Today, we are here to help manage Systemic Risk to our Critical Infrastructure. And also, raise the security baseline with tools and resources to secure Critical Infrastructure. We do most of this through our voluntary basis. We have table top exercises, full scale exercises, threat and vulnerability assessments, the ability to grant clearances, active shooter work shops, count ied work shops. Were focused on a counter mission as we speak so today the portfolio is very big. This week i was with representative joyce out in pennsylvania talking about School Safety and school security. Last week, i was in Salt Lake City talking about faithbased talking about houses of worship and today its drones. And it may be with the bulk power system or grid for United States and canada here in north america. So the portfolio is big, but i can tell you theres a dedicated cadre of a lot of people that work for the department of Homeland Security that are focused on Mission Accomplishment taking care of you, american citizens. Within cisa, we recognize we cannot do this by is your selves, we cannot do this alone. I mentioned that private industry owns majority of infrastructure and that is true. But we have the ability to do something about whatever mitigation or threat we raise. Security, and we do. And whatever mitigation and threat we raise, we cannot do it in a vacuum. We must do whats called collective defense. The ill circle back on this, collective defense, its our federal government, state and local partners and also the american citizen that when there is an issue that were all in this together. What impacts you impacts me. What impacts me could potentially impact you. So to operate in silos, like we used to so many years ago, we cannot do that anymore. Were all in this together. So really one of my calls to action today is to overshare threat and vulnerability information, engage local Law Enforcement, the fbi, department of Homeland Security and have that conversation. Let us not pass around business cards when an event unfolds. Also, let us not build our Crisis Response plan in the midst of crisis. Have these relationships now under blue sky conditions. And i think cisa, the u. S. Cyber Security Infrastructure Agency is that conduit, the mechanism to do that. We have to bring the right stakeholders to the table to have a robust conversation on reliability of Critical Services, the resilience of our nations Critical Infrastructure, and how to best protect americans even in the face of threats like domestic terrorism. Within cisa, weve broken ourselves into 10 regions, looking similar to the fema region. I say that to allow the understanding right now in your backyard where you reside we have protective Security Advisors there to help you. Theyre in the field, they eat, breath and sleep with you. They know the local politics, they know the local economy, they know the local crime stats. They know what you care about in your backyard. If you dont know who your productive security advisor is today, i strongly recommend reaching out, figuring out who that person is and we can provide that information to you today so you can have a relationship tomorrow. So when youre looking for a threat and vulnerability assessment, youre looking for an exercise, for a clearance, looking for somebody who walk aboard your property and point out maybe gaps, point out some opportunities for improvement. Understand where that enemy avenue of approach might be during an active shooter scenario. We have that ability today. We want to provide it to you today and oh, by the way its absolutely free. Its already bought and paid for. So since coming to cisa, my priorities have been pretty consistent. Like i have mentioned before, weve done a lot of great things that nobody knows about and we also chased shiny lures from time to time. Does anyone know what thats like . Really its boiling down the priorities. What is going to stop Systemic Risk . What is going to drive risk to the lowest common denominator . What are the industry best practices that everyone should be doing to protect Critical Infrastructure . Including houses of worship and including schools. Theres a lot of translation between the sectors and critical functions how to best protect on a foundational and fundamental level. Really, one of my chief priorities is to best protect soft targets and crowded places. Weve seen over the last two weeks this on full display in the media. The garlic festival in california, dayton, ohio and of course, el paso, texas. Today we have the ability to engage the local community, provide some of these resources, to become harder targets. Become a resource and provide subject matter expertise to maybe those organizations or venues that dont necessarily have that Strong Security apparatus that you may see in an airport or an nfl stadium, but today we have these resources to bring to bare to best protect all of us. I have three kids that go to school. One high schooler and two middle schoolers, so you Better Believe that im passionate about the issue of School Safety and school security. Our protective Security Advisors since the parkland shooting which killed 17 kids down in , florida, we have been to over, we have bent over 1185 schools across the country. That sounds like a lot until you realize there are 130,000 schools in this country. Its coming to events like this where i can find that force multiplier, where i can say to a group of esteemed executives, we have resources. We have the ability to become better. We have subject matter expertise. Take these resources, go out in the community and talk about them. If you see something, Say Something. Run, hide, fight. Today if you are looking for an active shooter workshop, if youre looking for any kind of service, you can immediately go to dhs. Gov hometownsecurity. I hate to point to a website, on that particular website theres the resources, the guidelines, the white papers, the videos today to become a harder target. So whether youre an outdoor venue, whether youre a concert organizer, whether you are organizing the next 5k, 10k, marathon road race on the streets of Northern Virginia or elsewhere, we have the ability to prevent active shooter, help prevent vehicle ramming. Fire as a weapon. These kinds of things that dont necessarily fit that antiterrorism mission from just 15 years ago. But this is where we are. This is where we have gravitated towards and this is where the department of Homeland Security is focusing at this very moment. Ill talk a little about School Safety. Just this week i was up in pennsylvania, did a number of panels with local congressmen up there and really talked about and engaging, with the administrator, students, chiefs of police, the county sheriffs, etc. Today we can no longer afford to put our head in the sand and say, wow, i hope this really doesnt happen here. Instead, i think the mantra should be, if it could happen there, it can happen here. And we better be ready for it. Now, thats a scary one, not to scare anyone, not to advocate that were going to build forces around schools, but there are basic things we should be doing today. Many of which are absolutely free. Have a response and Recovery Plan and exercise that plan. Exercising is absolutely critical. Being a former Law Enforcement officer i can tell you firsthand that we do not magically become better during the time of crisis. We always default to what it is weve seen, the things that we know, how weve been trained and what we have exercised in the past. And this is why Law Enforcement, why the military trains every single day. So that when crisis happens, when an event happens, it becomes like second nature. We know exactly what to do. Now never, ever fall in love with your plan because it never goes like you want, but have the basic understanding of what to do during an active shooter. What to do during a crisis event. A couple of the major emerging issues that i see for industry that i think i want to relate to you today and i will, i promise, at some point Start Talking about drones. The convergence between Cyber Security, physical security and Emergency Management is here. We have been talking about this for the last ten years now. And i think a lot of industry organizations have started to move in this direction, but today we are seeing a hybrid style attack Threat Landscape where what you might see on the cyber site has physical security impacts. What you might attack and focus on on the physical Security Side has a cybersecurity impact. Pe for us to say we meet with Cyber Security every other tuesday, were good. Thats no longer good enough. Today these today these issues, the attack methodologies, the scenarios playing out in real time, theyre converged and theyre here. So many of us have ccb system in cctv system in our Critical Infrastructure, back at our campus wherever you might work. Those are it based. Ip based. Many of us have active control systems that are internet facing, so let us not have our physical Security Protective measures be that enemy avenue of approach from a cyber perspective getting into the corporate system and heaven forbid getting into the data side of the house. Insider threats. Im already seeing the heads nod up and down. Right now today, we have folks that work within our companies, within Critical Infrastructure, that has the Institutional Knowledge as to how to bring you to your knees. They know where the crown jewels are. They have keys to the kingdom. They know i dont have to push that button, but if i push this button or pull that lever or destroy that piece of infrastructure, the house of cards starts to deteriorate, it starts to fall. Maybe its a substation engineer that knows exactly what electric components are critical to your grid system. Maybe its somebody who has access to your server room, that can do some sort of significant physical or Cyber Security damage. Maybe its somebody who knows what to shoot out in the field that will elicit and start cascading effects where things start to lean on each other and things start to become destroyed after destroying a particular piece of infrastructure. So having a insiden Insider Threat program today is incredibly important. If im advising anyone on where to invest your next incremental dollar on security, it is the Insider Threat. Knowing what data is leaving your system. One day we all want to be a consultant in here. We retire, and we go off to do bigger and better things. Many times those consultants before they leave their pro proprietary job they will push a lot of information out. Maybe its proprietary information, maybe its trade secrets, maybe its customer data, maybe its credit card information. Maybe its key contacts that you as a company want to retain because you dont want it going to a competitor. Do you have the understanding what information is leaving your system and going elsewhere to somebody elses gmail, going overseas, going to a competitor, etc. And same from an Access Control system. Do we have the technology in place that will flag us when somebody might be probing our system . Somebody might be trying to gain access that shouldnt have that access . Quick little example is this is if your company is stationed right here in washington, d. C. And two hours , south down in richmond on a sunday afternoon at 4 00, somebody is trying to badge into a facility that they dont have access to. Lets say the technology works, access denied. But is that technology flagging you . Something is going op here, this person should not be trying to gain access to something. To this piece of Critical Infrastructure. Why . Things are Crystal Clear in the rearview mirror. But do we have the technology in place to understand the puzzle pieces around us so we can put a complete picture together . And lastly on this particular topic, that pathway to violence. Do we have a program in place that identifies, highlights, and provides the help needed for people that are becoming radicalized, that are becoming violent . And are your cyber folks talking to your physical folks . Maybe on the physical side weve had a Domestic Violence episode. We had somebody Say Something very violent to a coworker. Is that information getting back to the cyber folks that can see the fact that they are looking at radicalized material . That theyre looking at hate groups online. Can we put all of these puzzle pieces together to identify an insider . Finally on drones, its hard to recall life before the internet. In fact, most of our kids will never experience an unconnected world. Today our Critical Infrastructure relies on web and webenabled technology to operate efficiently. That includes our trains, financial systems, water systems, the power grids, even the teleconference calls that we get on just about every single day. All of these activities require something thats webenabled. Sometimes we decide that were going to add a webenabled, internetfacing device to our system. That might be a drone. We need to be very, very could go go very cognizant of what we are attaching to corporate systems at all times. In terms of drone threats, the specific buckets. The first bucket is chinese manufactured drones. If you are operating a chinese manufactured drone, you are introducing and incurring potential risk in your system. And we have seen this firsthand, this is not the bogeyman. We have seen this with our own eyes. We have seen and engaged Critical Infrastructure thats struggling with this particular issue. So what do we do about it . A couple of months ago cisa pushed out an alert to industry to talk about this specific issue. Not only did we raise the threat, but we also put together a number of mitigation strategies. Mitigation measures to reduce risk if you already own that drone and its already into your system. What to do about it. Thats the first bucket. The second bucket is the counter piece. Ill introduce this by telling a quick little story. About a year ago, my sons who are 10 and 8 respectively and what we decided to do was go out to toys r us when there still was a toys r us, and for 100 i gave them a homework assignment. Were going to go out and buy a drone for 100. Here is the homework assignment. I want you to bring this drone up to 25 feet and figure out how to drop this six inch piece of pvc pipe. Thats it. That is the assignment. A couple weeks goes by, we have baseball, we have school. Both boys rushed back into the house to say, dad, dad, come and take a look. Sure enough at 35 feet with a crude claw contraption on this 100 drone and a bluetooth device they dropped the six inch piece of pvc pipe and theyre highfiving, and i thought my goodness. We just dropped a pipe bomb into a water system, into a stadium packed with 60,000 people and maybe instead of it being a six inch of pvc pipe, its packed with c4 rock, glass, et cetera. 8 and 10yearsold, about 104. And this is where we are today. What do we do about it . Really, this is what you guys are here today to help try and solve. Some of the technology out there in the conference space is important. You guys are contributing to mitigating this threat. Its our number one thank you, my hat is off to have. We need your help. Number two from the department of Homeland Security perspective we need to move the needle as well. As of right now the end of the year we will be pushing out a report that will highlight a number of issues surrounding dhs authorities and how were protecting Critical Infrastructure and our federal building. A lot of recommendations from this report need to focus on protecting Critical Infrastructure from the overhead threat. We understand that Critical Infrastructure does not own the air space above its infrastructure. We understand that a lot of the technology out there today, as we speak, is illegal to deploy. But theres a lot of really good did he text methodology out there. A lot of Detection Technology out there to understand whats flying above our infrastructure and once we know that, how to engage with Law Enforcement and bring it back down to resolution. Resolution. Unmanned Aircraft Systems do not represent an emerging threat, but rather, an imminent threat. Given their retail availability mere in the United States, uas will be used to facilitate an attack in the United States against a vulnerable target such as a mass gathering. This warning this dire warning , comes from the fbi. Director wray. And so its important that we can raise issue understand the , issue ab we not kick this can down the road. Goodness. This is why we are here today to , solve hard issues. I guess this is really my call to action. We need to figure this out today. We put partisan politics aside. We put one vendor over another in a competition aside and we figure out how to safeguard not only Critical Infrastructure, but also the american public. So as an executive, we really need to be very, very mindful of understanding the Threat Landscape is changing. Today its really focused on domestic terrorism. Weve seen this over the last two weeks. Its focused on soft targets and crowded places. So be very mindful of where we are congregating. Be findful of where we are going shopping. And this isnt a warning. This is situation awareness. Understand that there are individuals in this country filled with hate. Filled with bigotry that want to inflict the most damage, the biggest casualties possible on the american public. We need to be cognizant this is their play and what theyre focused on. We need to be mindful there are resources today to help mitigate that. Do you understand the gap in your own security . Sometimes it takes a third party, it takes somebody else to kind of walk in with a fresh set of eyes to say, you know what . Youre really close to the issue here. I get you been doing this for the last 25 years but have you , ever thought of x, y and z with that fresh set of eyes . So, are we prepared and understand what those gaps are . And coming from a private sector perspective, im still relatively new to government. I was appointed by the president back in december. I come from industry and one day ill go back to industry and one thing ive always told my staff over and over again based off of battlefield Lessons Learned and the myriad of issues across corporate america, are you prepared to be overwhelmed . Some of you say yeah, we have this plan, that plan and we exercise it from time to time. No, are you ready prepared to be overwhelmed with incomplete information, with people screaming on the radio all at the same time . With Law Enforcement that you may or may not have a relationship with responding. Dont fall in love with your plan, but have a plan. Be flexible. Exercise that plan. And today, under blue sky conditions, where nobody is screaming and nobody is bleeding, have relationship with local Law Enforcement, the fbi, the department of Homeland Security. The department of Homeland Security. I have another quick story and my staff is rolling their eyes because theyve heard it many times. Years ago as a Law Enforcement officer out in los angeles, and every single day throughout the day, youd have a number of issues, whether it was domestic issues, whether it was Domestic Violence, burglary, whatever the case is and you need to write a report and give it to the sergeant for it to go up the chain of command to get approved on. Sergeant for it to go up the chain of command to get approved on. Typically you try to find a quiet spot to write the report. Typically i would park my blackandwhite radio car in california we use blackandwhite right in front of an Elementary School. Thats great you parked your police car outside of the Elementary School and presenting that as a hard target. Great, wonderful. That isnt really why i did it at all. I did it because i knew on the other site of the door at their was a free door was a free cup of coffee. Thats the gods honest truth. 15 cents for that Elementary School, they had a constant resolving door of Law Enforcement there presenting that school as a hard target. What are the things that you guys can be doing today to do something similar . An almost free mitigation school, they had a constant resolving door of Law Enforcement there presenting that school as a hard target. Measure. Have relationships with Law Enforcement today. I can tell you that they are thirsty for that relationship. Where there is an invite, they will show up. No doubt in my mind. Information sharing is critical. Information sharing is critical. I started this presentation talking a little bit about it. Within cisa, we are focused on oversharing. Pushing information out, trying to get ahead of that cnn moment. And everything that we push out to be of value today. Today will be pushing out information on ransomware attacks. It is very timely given whats happening down in texas. Not only do we highlight the threat, but we also highlight how to mitigate that threat. That basic cyber hygiene, things we should be doing day in and day out. But information sharing is king. Its incumbent upon you when from, you know, come day in and day out we get this deluge of information and you need to parse what is the most important thing to really focus on. Information and you need to parse what is the most important thing to really focus on. How does this impact my mission, how does this best safeguard my crown jewels the reliability of , my system, my brand management, etc. I can tell you though that if everything is important, then nothing is important. Really the onus is on you, on your shoulders to talk about how to impact myself and the system . I talked earlier about a collective defense. This is incredibley important. I dont want this to be a buzz word you hear from time to time, but more of a culture shift. Similar to what we did in the 1980s and 1990s around safety. We have a culture of safety within industry, dont we . Typically before every single meeting back at your shot, you typically will start with a safety moment. If we have to evacuate, theres the elevators. Dont use the elevators, use the stairs. You be the first one out, ill be the last one out. Aeds are on the wall over here. You call 911. We take 30 seconds to talk through safety. I really think we should add another 30 seconds to talk about security. How we should not be piggybacking into Access Control sensitive areas. Phishing, antiphishing techniques, being aware there are people trying to capture our data and steal it and take it. What are those pathways that we to violence, that we should be focused on, so when its raised , i can alert somebody. So adding a security moment to a safety moment is 30 seconds of our day, but i think it starts to adding to changing is that culture, and of course that culture is collective defense. The federal government, state and local partners, and of course yourselves as american citizens. We are all in there together. And lastly, and i promise this really is the last thing im going to say, investing in resilience. Let us understand that bad things are going to happen. One day, your organization will likely be attacked by something. Maybe its manmade, maybe its natural, like a hurricane, an ice storm, whatever the case is. Are we ready for that . But more importantly, have we invested in resilience . Theres another buzz word. And resilience really is the governance of uncertainty. Have we removed single points of failure . Have we added redundancy to our system, so that when bad things do happen, things go bump in the right, we have the ability to recover and respond and head back to homeostasis as quickly as you can. And youre building out your budgets, three, five, seven years from now. Have you built resiliency into e into your system, or are you just talking about todays attacks, todays events . Please build into our system so , we can come back to normal and restore Critical Services to the public of this United States. And with that, thank you all very, very much. I certainly appreciate it. Right after me is another member from the department of Homeland Security within cisa, to talking about drones specifically, but aboutk about some things forgs were doing, but today, for this keynote, number one, its an honor and number two, i wanted to give you a sense of the other thing that cisa is focused on and Homeland Security is working on. As we move further away from 9 11, to the terrorist mission overseas and all of a sudden it is happening here in the homeland. We need to be ready, and i can tell you the department of Homeland Security is. And thank you. [applause] tonight at 10 00 p. M. Eastern, in terms of the Heritage Foundation and the Cato Institute debate conservatism versus libertarianism. Among the topics, immigration and the economy. Here is a preview. The economic literature consistently finds that immigration have a positive impact on longrun Economic Growth and little to no effect nativeborns of li americans fared importantly as well, undocumented immigrants are ineligible for federal means tested welfare, so they hardly pose a threat to entitlement spending, which is already out of control. From 2002 to 2009, and the birth of a whole subsidized medicare, making 14 of the contribution but only 7. 9 of its expenditures. A third common misconception is that undocumented immigrants wont assimilate. If you compare todays immigrants to those who came from ireland and italy, two groups it would not dare call a threat to American Culture today, you will see they assimilate at the same rate. Voting patterns and self identification as an american are identical to nonrecent immigrant families. One important fact should be emphasized. Assimilation does not necessarily mean adopting Heritage Foundation values. Protecte truly want to our heritage, we must truly allow for robust integration. Immigration. The very conception of an illegal immigrant did not really exist in our country until 1924. Almost everyone in this room is defended from someone who was fleeing persecution or seeking better opportunity for their families. Same people would not make it to america under current law. When you hear conservatives say get to the back of the line, remember that there is no line area our Current System lacks any meaningful process could we love children away from their parents. We demonize those who try to provide for their families. Our politics create criminals out of good people. They are not a threat to the United States, unless we make them want. The rebuttal from the conservative side. Ok, so we have to remember we are having this conversation within the context of the status quo, a world where we have virtual in agencies like i. C. E. What you think would happen if we just remove these security measures . Contrary to what our opponents have said, they are not the same thing as m16. We will see an influx of crime on the border. 13, killing men, women, and children. How long do we have to wait until we do something . I have yet to hear how we will handle the welfare system, and it is not affect just the federal government but the State Government as well. What makes you think it is willing to build a wall around the welfare . If we allow more income of think of the additional people that would come in. The government estimates that the current 11 million illegal alien population will cross cost is 1. 5 trillion. What will happen to that . We had 10 million, 50 million, 100 more people. And never thought i would see libertarians argue for the welfare state. You can watch this entire debate with interns at the Heritage Foundation and the Cato Institute on conservatism vs. Libertarianism tonight at 10 00 eastern on cspan. A reminder, you can follow all of our programs online at cspan. Org, and listen with the free cspan radio app. Late 1850s, americans generally trust of their congressman, but they did not trust congress as an institution, nor did congressman trust each other. My 1860, many congressmen were routinely armed, not because they were eager to kill their opponents, but out of fear that their opponents might kill them. Yale history professor and author Joanne Freeman will be our guest on in depth, sunday at noon. Her titles include the essential hamilton, hamilton writing, and others. Join our conversation with phone calls, tweets, and facebook questions. Later come on after wo rds, in his book, are they choosing political power over christian values . I think it is tempting the dangerous. I think it attributes to keeping a system in place that takes accountability out of the system , and i think it also is an easy way to bring in Something Like evangelicalism or any other faith and then use that as a way to get votes, which seems like about the worst possible way to do it. Watchable tv every weekend on cspan2. Next, an update on some of the latest research and Treatment Options for type 1 diabetes. With the National Institutes of health official, other witnesses up with an aging Committee Hearing include actor Victor Garber and a nineyearold girl to testify about their experiences living with diabetes. Susan collins chairs the committee
comparemela.com © 2020. All Rights Reserved.