
Transcripts For CSPAN Govt Corporate Officials Discuss Federal Cybersecurity Priorities Part 4 20240714


Welcome back, everybody. In the home stretch of our program today. There will be three panels awardsup followed by two and as i talked about before, a very special guest who will receive a lifetime award today. You will certainly want to be here for that. This next panel is dealing with the chief Information Security officers. We are fortunate to have some great leaders here today. Our moderator is the right is a Vice President of the Public Sector. Joining frank is nicholas ward, chief Information Security officer from the u. S. Department of justice, shane barney , Security Division is from homeland security, mr. Jack wilmer, hes the deputy cao for Cyber Security and the d. O. D. Chief Information Security officer, and stacey dawn, chief Information Security officer chief privacy officer for the Export Import Bank. Thank you, panelists, for joining us today. I know tom especially wanted this panel between lunch and happy hour because of the great panel weve put together. I run Public Sector at splunk. We are a tshirt company that also makes really Great Software and wed love to talk to you about that. If we could just start and go down the maybe for a minute the size and scope of your agencys security environment and some of the top challenges you are dealing with today in cybersecurity. Identify the chief Information Security officer for the department of we have about 160,000 users, 250,000 end points, different types of networks that we have to protect. A lot of permissions. We do lawenforcement, we do the negation incarceration, the whole lifecycle of criminal justice is really what the department of justice does. Try to catch up and tell everybody know. We are helping them complete the mission and be successful. Thankful shane . Shane we are a component of homeland security. 
We are responsible for the administration of the immigration systems which is the administration of the benefits, citizenship, work permits and we componentsh other within the agency on immigration related issues. It is a very large, complex mission. Moving parts. Of because of what we do and where we work, we are very spread out. We have to hunt 50 officers offices we have 200 around the world. Cloudbasedgency is. Maybe more. Theres a lot of challenges. As a heavy shop, we are policing, developing and doing new things and staying on top of that while securing clouds. While securing against all these threats that we dont even know about yet. It is the challenge and mission. It is a dynamic and never ending. Sharing. You for jack . Jack i am jack wilmer. Userse three to 4 million 3 million to 4 million users. If you look at network devices, those of the real cyber text services, about 12 million endpoints. So it is abal scale bit scope of what it is what we are responsible for. In terms of the biggest challenge, when you have to impact the surface that large, it is not that difficult to find any user that is going to click on whatever link you sent to them. To kind of find that weakest link in the chain. A big part of our emphasis is trying to look at converting that cost curve. It is not that expensive for our adversaries to be able to attack waysd try and find throughout offenses. It is expensive for us to keep pace. We have to we are finding a new exploit and find a new tool to find that particular exploit and try something different. One of the big challenges we have is trying to figure out what are the things we can do to make the dod defenses a little more agile so we dont have to continue to buy new tools every time the adversaries pivot their capability. I have the macro level view. Gives me a little bit of anxiety. From exportey dawn import bank of the United States. How many of you have heard of Export Import Bank . Fair number but there is that havent. 
They are the agency that keeps jobs in the United States by providing credit as insurance and guaranteed product for companies that are exporting products to other countries. We only have about 500 users so our scope is quite different. Because we are a small agency we have the challenge of being able to afford the tools that you have and we are held to the same standard from dhs as the larger agencies. We have a lot smaller staff, we have a lot less tools but we have the same mission to protect the data. Thank you all for sharing. I thought we will start off talking about i. T. Modernization and how it is impacting your world. Jack, i know you are no stranger so i thought you could kick us off on this question. Modernization is impacting all facets of Public Sector today. Your upgrading legacy systems and trend to meet objectives and resulting in the elimination of physical boundaries. Clouds are a unstoppable source. How are you going about optimizing your approach to cyber in this new world . Jack i will start out with that. Our i. T. Modernization strategy, my boss and he has spent probably the first year really honing in on how do we need to modernize a modern physician to make sure we can keep pace. There are four key pillars and i am hoping i dont have a Holiday Inn Express moment. The first one is cloud so that is one of the major efforts that we have is trying to implement the Cloud Strategy and drive the department to make better use of commercial cloud. Real emphasis is to be able to drive agility to bring new capabilities to the field faster. The second is Artificial Intelligence. We recognize as just about every country has nai is going to have the ability to revolutionize house the department of defense does its mission. That is a huge area of importance. There is an intersection between cloud and Artificial Intelligence making sure the ai algorithms that are run. 
General shanahan yesterday and walked through a little bit what their mission is and how they are helping to bring that change to the department. The third pillar is command control and communications. Basically how we talk. That is integral to how we fight. Torything from satellite your Standard Networks including 5g and all of that. The final pillar is cyber. To get to your question about how do we keep pace . I have two main functions. The first is how do we drive down risks for the department . How can we make sure we execute our mission in the face of some of the worlds best cyber actors that is try to undermine our ability to succeed . The second goal is how do i support those other pillars of modernization . You can have the most agile cloud but if wes if we apply the same standards to how we bring applications to the field, we are not going to be able to deliver on that promise. That is the main focus of the cyber perspective as it ties to modernization. Great. Perspective, both these i am more component level in my understanding is slightly different because we have been in clout for as long as we have been in, we have had to deal with a lot of these issues. It comes back to a saying. Drove which they really kind of tied it all together is the infrastructure is code then security is code. From my perspective, if i have i ught in my developer does not only am i losing the battle, i have already lost the war. , we have hadn the some incidents and some interesting experiences with it and learned a lot. It was the developers who came they were the ones who came in and helped us solve those problems and develop new methodologies and new tools. Having thoselved developers in place is a strategy. We started implementing this about four or five years ago. Can you share . Really, we look at i. T. 
Modernization isnt simply just, it certainly is there to address mission use but also getting rid of some of that text that can help improve our cybersecurity landscape as well. It is very typical to update and keep up and patch and do her thing you need to do for system that is 10 or 20 years old. How can you secure those kind of systems . Turning your security teams and developers make it really migrate into that kind of model. That is the way weve got to go. We got to be able to be fast and use code and that is the way to success in my mind. If we are not going to go to enable the mission, you need to get rid of these old systems and i. T. Modernization is the method to get there. Stacy . Part of modernization is finding everything you have out there and i think that is the challenge because theres a lot of shadow i. T. , even in a small agency, all of a sudden we will do a report and find out someone is using a system we didnt know about and we have to find a way to modernize that and make sure the network is protected. Cooker that is great. I love that that is great. I love that phrase that security is code. The skills that youre looking for as you build up your staff. You look at the contracts and the staffing models and we recently redid our entire division. So we redid the entire structure around the model. Part of what we have the compliance mindset. We look to create matrixes and add Little Things to it and find colors and make it glow green and yellow and ink and purple. That does is make someone happy. Secure. t make you and we get lulled into that. I band the word compliance. Everything should be based on risk and risk assessments and mitigation over risk. How do we go about doing that . It is a cloud environment. Changings doing is various dynamic. We say have our security analysts. You would have your compliance officers. Nerdyu got these highend cyber specialists who can do Amazing Things and cant really talk ones and zeros. 
The Development Teams who are helping build what is necessary to drive forward their mission and to deal with their eyes and it should change and has to change. To take that further, thinking we are going to leverage the same skills and Network Monitoring is different you are not going to be a Network Security analyst, youre ng to be looking for develop Test Developers have to be part of your team. I do think we better look at people that are going to have those kind of skills, analytics scripting and it is much different than your traditional Network Security kind of you. You cant just look at peak cap anymore. Sure. If i could followup something he said, you mentioned ai. For each of you, where d. C. The role of ai playing in cyber or your environment. Is there one yet . Or is it in developing piece of technology. The good news is yes. It is still developing and evolving. I dont know how much shanahan touched on this but one of the Mission Initiatives is sponsoring for the department and basically leveraging ai to producing helpful cyber defense. What we are seeing trends where both the militia and defenders are looking at how ai could be leveraged and more machine learning. Leverage to build to find and exploit vulnerability on the attacker side and for us to be able to have the kind of agility to be able to match that. How do we leverage ai to predict anticipate the types of moves they will make as we encounter them. I am going to agree with jack. But we need tools like ai. We have to prepare for the future because right now there is a deficit of cyber professionals and we need tools to help us so we need to rely on things ai. We have seen there is incredible potential opportunity in the set the foundation from what i have seen is having if only there was a Software Company that could help with that . About services. Shane, i will start with you. This security border in the i. T. 
Modernization have been encouraging Government Agencies to consider increasing the use of services. How will shared services be better for you as you think about your push cyber . So, i am kind of on a yes and no. Shared Services Offer a really unique opportunity and framework modeling type thing. Dhs, there a higher stock optimization on the way and part of that effort is to adopt. We adopted a dod model what elements are involved . Compare our different opponents and then leverage that for those who do not have that center of excellence. That is a good use of a framework. Then use that also from more of a Department Level is to say, ok, these services are required based on our assessment in the framework that will help leverage that and theres cost savings. The danger for me becomes you get a compliance mindset because now youre looking at it and saying oh, we had all 17 points. We are rock stars. Security is a proactive game. It involves far more than making sure you check all the boxes that youre actively engaged in doing bug bountys, that youre always assessing all your risks and understanding what is critical and what is not critical there is those elements. Model sod Services Long as it doesnt apply so far to become the standard by which you define yourselves. You know, for me shared services, i think, is a critical component on the even attempting to win this fight in cyber. How many federal agencies are there out there . Theres just not the talent to be able to fight this war. Theres no way every Single Agency can possibly recruit all the best people and be successful here. Thats one area that we saw. We did well in Security Operations so we built a Security Operations as a service. We offer that out to other federal agencies because we just think its really important to have good strong capabilities that can be leveraged across any agency and we shouldnt be trying to hoard those things and keep them for ourselves. 
We need to share them with everybody else. The cost savings is definitely a piece of that, but i think it has more to do with how do we share the best capabilities we have within the federal government. Leveraging pockets of expertise. Absolutely. From my perspective it becomes id almost love to talk about an api framework. I always get back to the data because a lot of these conversations that i would have at the department at my level, it always comes down to that data element. Api models within that framework would actually really extend our capabilities and allow us to know where we have our gaps. In terms of shared resources, absolutely. I dont need Digital Forensics in my sock ever really. Im happy to push that off to somebody else. But there are things i do need that are unique to me that a shared Service Model doesnt always permit. Theres got to be a good balance, is my view. I would offer, part of our experience, using the Defense Industrial base as an example, youve got the big guys pretty well situated. They understand how to operate a sock on down the line in terms of cyber capabilities. But you have very small suppliers that are not going to be able to handle the nation state attacks directed their way depending on what theyre supplying to us. If we can target the guys that are not going to be able to attract that Cyber Security talent to kind of build it all themselves but at a price point where they can afford it, i think thats kind of the optimal use of a shared service. How we apply that to the larger organizations i think has to be done with a lot more care just because they do have a lot of expertise. Definitely as a small agency we rely heavily on the shared , services and the economies of scale to get the prices down for some of those tools that we wouldnt be able to negotiate on our own with only 500 users. 
It's really important to have those shared services and the staff to test those tools and to give us feedback on them because we don't have enough staff to create all of those development environments for everything that is out there. Is so great about having a florida view is we have such diverse environments from large agencies small little ones. Stacy brought up something that I think is important and I thought I would ask the question your way is about the human resource issue. One of the biggest challenges I've heard from other government leaders is the skills gap in the shortage of cyber personnel. This is impacting everyone but more acutely government. How are you dealing with this and do you see technology helping you address this? These are my opinions and not those of my agency. Splunk did not pay me to say this, but it's really hurting the small agencies to attract that cyber talent and the federal government is seen as a place if you come out of school, they are old, they are backwards, they don't have the latest tools and it takes so long to get something done. So the federal government as a whole has to look into modern technologies, keep modernizing and bring in the workforce and have them get challenging assignments. So we need the career progression path clearly defined for them. And we need to use other agencies. Mine's so small, we need somebody that's at an advanced level and we need tools like Splunk so we don't need as many humans, that technology helps us to fight the bad guys. It's really important to stay on top of what's modern, use those tools, train the workforce. The way I look at it is if we're in the government and one of the agencies trains somebody and they get a promotion to go to another agency, that's better for the government as a whole. If we train them and they go into industry, it's still better for our country. So we shouldn't not train somebody because we're afraid that we're going to lose them.
But giving them that training might actually keep them happy and retain them more. That is a great perspective. Its interesting from a larger organizations perspective. We have a lot of the same challenges in terms of Cyber Security talent. So my organization is the functional Community Manager lead for the cyber workforce. Were in charge of figuring out what are the standards and then also of standing up whats called the cyber accepted service, which is a tool Congress Gave us to be able to help better attract, hire, retain, train our cyber workforce. As we look at building that out, we have a huge advantage in terms of our mission. We give people an opportunity to go toe to toe with some of the best Cyber Warriors of other countries. But at the same time theres a lot of jobs that have to be filled when youre an organization as large as ours. We have a massive number of opportunities and its really difficult to find the good talent. Our team is heavily focused on trying to find ways to incentivize people, make sure that we raise awareness and try and help connect people to the opportunities. Were running short on time so im going to go to one last question. Nick, ill start with you here. Kind of my wildcard question. The Investment Community has been rapidly funding cyber related startups for years, if not decades now. And we just have to attend any industry event and see more vendors popping up and new startups showing up at all of these cyber events. Have we reached peak cyber yet . Or is there still room for technologies . And where would you like to see the investment world spend time on innovation . Nick i sure hope it hasnt because weve still got a lot of ways to go in trying to fight this war. Weve got attackers building ai into their malware to attack us and things like that. Were still playing cat and mouse. I sure hope it has not hit peak. I dont think we have. 
Some of the areas where i think we need to do better from an industry perspective is we have to be better methods and better ways to get that stuff rapidly built in inherently rather than trying to catch up. It just needs to be there by default going into it in the front end. There needs to be more ways to easily get those legacy systems into those kinds of models too. I think those are some big challenges. Its not easy to move a 20yearold system into a modern architecture. I think we need to see industry come up with better ways to allow these old systems to become more agile. Shane, any thoughts . Shane we definitely havent reached peak. Theres a lot of room for growth. A. I. Ops, those sorts of technologies are really in their infancy. Supply chain is huge in different ways and different methods. Supply chain is traditionally thought of as hardware. You know, im mostly cloud, code is my problem. Code becomes commodity and it becomes a supply chain problem. We rely heavily on open source. So supply chain, definitely a lot of growth there needs to be done and a lot more advancements. Theres room to grow. Fortunately for i have lots of thoughts on that but im looking at the time ticking down. Its optional. Excellent. Jack the one id lead with is complexity. We have a tremendous amount of complexity in our environment and we need to find a way to drive some of that complexity out. Im much less interested in the new tool to solve the latest and greatest problem, much more interested in what is that wholistic picture that allows me to cover a broad swath of threats in an agile manner. And drive some of the capabilities out of the environment so i can shrink down the number of people. Any closing thoughts . I dont think were close to being done with this. We are hitting new technologies like i talked about before with quantum computing, with 5g and we dont know what we dont know yet and we dont know what the adversaries know. 
So we have to keep creating new tools and theres a lot of room for growth in this industry. Excellent. Well, i want to thank you all for your time and for your expertise today. Thank you for the service to our country and i hope this is valuable for anyone. Thank you so much. Thank you. Thank you very much to our last panelists. The next panel is called the next frontier, aerospace and Cyber Security panel. Id like to thank our moderator mr. Casey ellis, hes the chairman and Technology Officer of bug crowd. Joining casey on the stage are mr. Brian connolly, Vice President , senior chief engineer Cyber Systems at boeing. The head of Cyber Division is really airport authority. Over to you, casey. Casey thank you very much. Good afternoon, everyone. Thank you for joining us for this panel. Very excited to be talking on this subject this afternoon. Just as a point of order, we do have q a cards being handed out by ushers at the moment. Well do our best to get to them at the end of the panel. If youd like to ask questions as we go, have those in mind and hand them to the ushers. Aircraft safety, Airport Security and Civil Aviation regulation, the whole idea of making Aerospace Security for users is a concept thats commonly understood and its been around for quite a long time. The idea of aviation and aerospace Cyber Security on the other hand is comparatively novel, its comparatively new. There are a lot of people who have been working on it for a very long time but as a socialized concept its comparatively new. Thats why im really excited to have this group of people up on stage with me today. Representation from aircraft manufacturing, representation from the airports and representation from the regulators that define Civil Aviation regulation and so forth. So well kick that off with introductions. Brian, do you want to lead that off . Brian sure. Brian connolly. 
I'm the Security Officer for the Boeing Company, responsible for security and resiliency of our end item products on the commercial aviation side, Defense Space and our global services. Thank you. Good afternoon. I'm the head of the Cyber Division for the Israel Airports Authority under the Ministry of Transportation. It controls and manages the international airports, domestic airports, land border crossings. One thing that's kind of unique that we also control the air space itself, meaning the air traffic control towers and the ACCs. This is kind of unique in the aviation landscape. The Cyber Division is in charge of the entire operations. Hi, everyone. I lead Aviation Program for directorate. Very good. Casey: Kicking off the discussion around the subject, where are we up to with aviation cyber security? This is something we were discussing before just around the difference, you know, innovations, improvements, innovations that have been completed successfully, things that are ongoing and gaps and areas for improvement for the future. Roee: The civil aviation is undergoing tremendous changes these days. The number of global passengers is increasing exponentially. According to a recent study, it's predicted to double in the next 20 years from around 7 billion today to almost 14 billion in 20 years from now. This has tremendous impact on the way that airports operate and are doing their business. In order for airports to cope with tremendous growth, we see the utilization of coprocesses. Aits are a traditional environment. We have the latest and greatest, face recognition, IoT and so on and so forth. So we have this clash and we see it in the way that the passenger does screening, the way it interacts with the airport, the way the aircraft interact with the airport. Whenever we have I.T., it equals an increased attack surface for cyber attacks, for cyber incidents. This is happening as we speak.
Brian: Just to add to that, I think from a manufacturer perspective we look as an industry around cyber resiliency of the ecosystem. We can't just look at the airplane or the UAV. We need to look at the totality of the ecosystem. We look at the airplanes, we look at airports, we're looking at air to ground communications, air to air communication, satellite communications, supply chain, maintenance interfaces into the aircraft. Really looking at from old to new, you look at the complexity of the actual vehicles, the exponential increase in lines of code on our aircraft, things that are moving to IP-based communication brings a lot of capability but also brings up a lot of cyber concerns that were never there before in commercial aviation. It is really looking at increasing complexity, increasing communication networking and increasing that digital thread from our manufacturers and supply chain all the way up through the development and operations of our aircraft. It's really stepping back and taking a hard look at the ecosystem and what do we need to do as partners across that ecosystem to drive resiliency into the way that we define requirements, drive engineering, design, develop and deploy our platforms within that ecosystem. How do you go about wrapping your arms around that? So regulators and aviation is a sector that is very much regulated safety wise. Now they're starting to develop the new standards for cyber security and integrate them with the startups for this industry. This will take a few years. Meanwhile I take this time to develop those standards and promote taking action before, like before active and do what you can do, use best practices that are already out there and implement them now even before regulation will be effective. Casey: Yeah.
So talking about some of the things that are being done well, you know, some of the success stories that we talked about with your unit and the work being done on airports there, like how are you seeing that model of being explicitly focused on the areas that you are, roll out world wide? Roee: I've got to say that from an airport perspective, I can't really say that it's a success story. It's quite the other way around. We like to call the key stakeholders within the civil aviation industry as AAA, the airports, the airlines and the aircraft manufacturers. Today the current posture is such that each key stakeholder is actually acting from a cyber perspective as a silo rather than acting as an ecosystem, echoing what Brian said. It even goes deeper than that, because if we look within each stakeholder, for example the airports, you'll see that not a lot of airports have cyber programs at all. The ones that do have cyber programs are underresourced, not enough man power and not enough resources, not enough knowledge. If you compare that to physical security, the proportions are really ridiculous. And there's no communication between the airports themselves. Each airport actually acts as they see fit. The ones that actually have cyber programs, they do what they understand as far as they understand the need, the challenges and the way to go about them. So it's not really an ecosystem from a cyber perspective currently. I think that's one of the main gaps and challenges moving forward. Brian: Just to add, I think that has been identified. So 100 that need for a cyber trust framework across the ecosystem has been identified. Working at multiple levels all the way up to ICAO, which is a U.N. level working with the FAA and others to drive what are technical standards around operating in that ecosystem, what does a trust framework look like. So when we start to introduce thousands of unmanned vehicles for both passenger and cargo in our U.S.
airspace, what does it look like to ensure the resilience of that platform and we're not going to have unwanted interactions between commercial transport, military aircraft, everything that's co-occupying that space. Casey: Right. On the regulatory side of that, what's the role of regulators in achieving that shared vision? Eynav: I think we're just writing the book of cyber security for aviation, developing that doctrine, what does it mean, creating the skilled professionals to be working on airports and airlines, et cetera. From our point of view, what we try to do is to push forward the skill development that will have those doctrines, will have those cyber security procedures put in place. The sooner the better. What we need for this to happen is mostly collaboration between these entities. It's part of my work to create in order to build this knowledge. Casey: Sure. So changing into what the future looks like in terms of the different aspects of this issue that you all interact with, what are the solutions or what are the things we see potential for success, like the levers, the trends that you're observing? What does the future look like over the medium term, so to speak, without throwing it too far into the future, thinking about what's going to happen next? Brian: I'll start. Like I talked about before, that framework and tech standard driving the industry and regulators together is key both for Boeing and for the broader industry. Driving cyber methodologies, resiliency, systems security engineering deep into our engineering cycles is critical for us. The paradigm of the cyber folks getting to look at engineered products toward the end of a life cycle has changed and we can't keep up with the adversary when doing that. Our leadership is all in and driving back into our needs analysis, requirements engineering and pulling that thread all the way through our development and production life cycle.
That's really the only way we're going to be successful in building resilient products. So changing that culture takes a lot of effort. At times there was an adversarial relationship between the cyber folks and the development folks, here they come again, they're going to tell me what I did wrong. Now it's getting those folks back and showing value, showing the ability to build resilient and sometimes more efficient ways to code, ways to develop hardware and make a more resilient product in the end. Casey: It's interesting, because you've partially answered and preempted a question that's come in from the audience. How do you envision being agile in a highly regulated industry? There's obviously the development feedback loop processes and the different things that I think we all struggle with in terms of feedback loops and security people not calling engineers silly and so forth. Beyond that, the regulation component, how does it fit there, do you think? Brian: There have been a lot of good conversations specifically with the FAA on how do we become more agile and if we find issues the process is long for a reason. There's rigor in the process. So when we find critical vulnerabilities if there are any, how do we have a DevOps pipeline that can iterate code and quickly make changes to become more resilient in a software, but how do you take that through a thorough enough testing regime and get the regulator in there to validate that it's good to go before you deploy it to a commercial airplane? The conversations have started. It's not an easy discussion. It's not the 90-day paradigm that researchers have with a typical I.T. industry. I would say discussions are underway and there's good communications going back and forth. Casey: Do you want to comment on that? Like the idea of the role of regulatory responsibility? Seems like an interesting problem to evolve into.
Moving into learning the aviation field, I just realized, I think two years into it, how slowly things develop. We work closely with the civil aviation authorities in Israel and the FAA and try to push forward best practices and development and security development life cycle into this domain. I think it will take a while. Yeah.

Casey: Really it does come back to the shared vision piece and the collaboration, viewing this all as an ecosystem.

Eynav: I think it's important to understand that this domain is very complex and systems are very complicated. If I do an R&D on a communication issue, I'm going to ask an airline pilot to join this research and a civil aviation authority regulator to join the research, because a cyber security expert cannot do this alone and surely not produce good results, good enough results.

Casey: The question around what do you see the future looking like, what are your thoughts on that?

Roee: Two things that need to happen and need to happen now, yesterday. One, our airports need to act. They need to think local and act global. Sorry. Act local and think global, meaning, they need to come up with a cyber program. Even though there is no governance framework yet, they have to act local. They have to have a cyber program resilient enough. There are best practices out there even though they are not specifically for the aviation sector. You might find some practices suitable for your line of business and the way you're conducting your operations. And this needs to happen now. What needs to happen on a government level is governments and the civil aviation authorities need to join forces and start to figure out the governance framework of this very complex and interconnected type of sector. And this needs to happen. We can't really wait until that happens. That's why we need to act local and think global afterwards about data sharing, intelligence sharing, information sharing and stepping up to the practices, the best practices, as they come along.
Casey: It does sound like a bit of a chicken and egg thing going on there.

Eynav: It is. It is. We have adversaries and we try to be vigilant and faster than they are.

What do you think in terms of the catalysts for the airports to step up into this? Like what are the things that you feel could help them, in the absence of regulation which is being developed in parallel, actually encourage them to do that?

Roee: I think we need to understand that cyber incidents within the civil aviation industry are evident. They are happening. Now, these are supposedly a very security aware environment, security and safety. The thing is that actually the one thing that makes adopting new technology and facing up the more dynamic and changing type of attacks is the safety issue. Introducing new technology into a very well certified, orchestrated environment is difficult. So this actually is, again, the type of egg and the chicken. This environment is complex.

Casey: It's really about starting the journey.

Roee: It's about starting the journey, exactly. And what else except understanding that incidents are everything, they are happening and we need to tackle them now.

Casey: That's good input. So we've got a couple questions that I'll go through and then we'll wrap up with a minute or so to go and land on your call to action. That is the theme. So I think you get a pass on that one. Let's go with these. So what is the challenge with modernizing legacy technology and how do you help modernize legacy business strategies to yield success?

Roee: So I think I mentioned it in my previous answer. The fact that tampering with a very certified, strict environment that might potentially impact safety is very, very hard. Introducing new technology into that environment is complex and might be a very long process. Until you get that done, there are already new types of attacks and new types of technologies out there. So this is a race that is very, very complex.

Yeah, absolutely.
Brian: I think from a legacy perspective we look at defense in depth. We look at the entire platform also. So a lot of times updating legacy is an option but it may not be the fastest option. We do a lot of work understanding the system and understanding what the true attack vectors are across that platform to have effects on the mission that that system's supposed to take. And so the biggest part is understanding what our legacy capabilities are. So a good baseline from a cyber platform perspective. What does the attack surface look like, what do the access points look like, and being able to manage that across a very complex platform.

Eynav: I would adjust a thought on the focus. So if all of the system is, most of them are, again, old and not always built with security in mind but now in place, so I think the focus for us is to add visibility capabilities to these systems, to add monitoring capabilities to these systems and develop from it the concept of defense. Start from the monitoring and you'll see more and more SOCs in airports. You'll see more and more online and offline analysis of security logs and data. And this is, I think, what we'll see in close years.

Casey: I'm going to paraphrase this one slightly because it's a bit of an essay as a question. Can you speak to how you're dealing with the lessons learned and whether you have liaisons who can translate between these technical issues of what needs to be changed?

Eynav: I'm not sure I heard the question.

Casey: The question is really how do you articulate the technical nature of the issues we're trying to solve to people who aren't necessarily technical natives?

Brian: I know at Boeing that's kind of my role. Part of it is being an engineering company helps, so most of our executives are engineers at heart. Not a lot of translation is needed. But a lot of bringing it up to what is the impact?
What is the impact of a cyber event on one of our platforms, both from the actual asset but the brand? Understanding and quantifying why you should invest in things like model based security engineering, why you should invest in the skill sets and the people to be within those teams building those components and those aircraft and integrating all of that from a business perspective and making that translation. So I've gotten, from my perspective, our leaders get it. Everyone understands we have to go do it. It's ensuring that we make the right investments for the right security pieces throughout our life cycle.

Casey: Sure.

Roee: I think this question is true cross-sector. It's CSOs' challenge to talk to management that might not really be aware of the challenges. One of the first projects that we initiated at the airports authority was building a SOC. Unfortunately it's one of a kind. I'm not familiar with any other large international airport that has a SOC security to one premise. In talking to management, you show it in real life. You can show the attempts. You have the ability to prioritize your projects because you understand what vector is being used against you the most and you should invest there. And there's nothing like seeing it with your own eyes. This visibility brings a lot more into the conversation with management rather than it having to be like very fluid, very unstructured type of conversation.

Casey: The mistreating proof and demonstrating proof, showing that real life, real-time attempts against your organization. I think it's strong when you approach management.

Casey: That's speaking my language. So we are out of time. Did you want to finish up with your call to action, your rally cry?

Eynav: So again we discussed collaboration. It's not just a phrase, it's a real issue. Especially I think the aviation, there are so many stakeholders and regulators.
Actually, when you're asking about the threats, our concern as a government, and of course the airline has their financial motivation concerns, et cetera, but our concern is that critical infrastructure is being more and more targeted around the world. So it's true for the aviation sector. It's true for the electricity infrastructure. So we see these threats and this is what we are focusing on. But of course the airport has other stuff that is at risk and airlines have the one risk, manufacturers as well.

Casey: Brian, did you want to

Brian: No. I think just continue the collaboration and accelerate the collaboration sharing between industry and government.

Casey: Let's thank our panelists. [applause] Thank you.
