Issue. And so today it is important to us, we thank you for the invite, and inviting us out. As feeling just mentioned, we come from a background known as the National Protection Programs Directorate. Say that ten times fast. Bonus points if even knew what that meant. But today with a name like the U.S. cybersecurity agency, we have that value proposition. We understand before even walk in the door what the value is never going to bring to the table and so the name like that, while we still pass on business cards, while we still great relationships, their story recognition out today with a name like CISA, protecting critical infrastructure, that mission has changed over time as well. Today as we move further and further away from 9/11, and that antiterrorism post-9/11 mission is gravitating towards domestic terrorism, it's gravitating towards nation-state actors that are looking to cause damage and disruption to our critical infrastructure. And this is an important mission for CISA and something we have embraced. We are our nation's risk advisors. Notice, I did not say risk managers. Because that is your job. And over the last 15 years I can tell you we've done a lot of great things that nobody knows about, so a big part of it today is providing some visibility, that value proposition back and forth, that information that's now going to be in your hands to do something about, when things go bump in the night, have the ability to reach out to the local advisor and a conversation back and forth, either in the clear space because you have the clearance or the terror line, what the threat is and what are the industry best practices, what are the mitigation measures we should all be doing. We pride ourselves on having that ability to have a conversation back and forth. I think years ago some of that information sharing just wasn't there. It was a big black hole. We'd ask for information, we'd walk away never to be heard from again. Today it's an ongoing dialog back and forth.
We have information, here it is. What does it mean to you, the stakeholders in the field, the practitioners who can do something about it, the boots on the ground that own over 85% of infrastructure in this country? So now I think that conversation is a little more robust going back and forth. Today, we are here to help manage systemic risk to our critical infrastructure. And also, raise the security baseline with tools and resources to secure critical infrastructure. We do most of this through our voluntary basis. We have tabletop exercises, full-scale exercises, threat and vulnerability assessments, the ability to grant clearances, active shooter workshops, counter-IED workshops. We're focused on a counter mission as we speak, so today the portfolio is very big. This week I was with Representative Joyce out in Pennsylvania talking about school safety and school security. Last week I was in Salt Lake City talking about faith-based, talking about houses of worship, and today it's drones. And it may be with the bulk power system or grid for the United States and Canada here in North America. So the portfolio is big, but I can tell you there's a dedicated cadre of a lot of people that work for the Department of Homeland Security that are focused on mission accomplishment, taking care of you, American citizens. Within CISA, we recognize we cannot do this by ourselves, we cannot do this alone. I mentioned that private industry owns majority of security, and we do. And whatever mitigation and threat we raise, we cannot do it in a vacuum. We must do what's called collective defense. I'll circle back on this, collective defense, it's our federal government, state and local partners and also the American citizen, that when there is an issue that we're all in this together. What impacts you impacts me. What impacts me could potentially impact you. So to operate in silos, like we used to so many years ago, we cannot do that anymore. We're all in this together.
So really one of my calls to action today is to overshare threat and vulnerability information, engage local law enforcement, the FBI, the Department of Homeland Security and have that conversation. Let us not pass around business cards when an event unfolds. Also, let us not build our crisis response plan in the midst of crisis. Have these relationships now under blue sky conditions. And I think CISA, the U.S. Cyber Security Infrastructure Agency, is that conduit, the mechanism to do that. We have to bring the right people to have the conversation on reliability of critical services, the resilience of our nation's critical infrastructure, how to best protect Americans even in the face of threats like domestic terrorism. Within CISA, we've broken ourselves into regions, looking at the FEMA region. I say that to allow the understanding right now in your back yard where you reside we have protective security advisors, they're in the field, they eat, breathe and sleep with you. They know the local politics, they know the local economy, they know the local crime stats. They know what you care about in your back yard. If you don't know who your protective security advisor is today, I strongly recommend reaching out, figuring out who that person is, and we can provide that information to you today so you can have a relationship tomorrow. So when you're looking for a threat and vulnerability assessment, you're looking for an exercise, for a clearance, for somebody who can walk aboard your property and point out maybe gaps, point out some opportunities for improvement. Understand where that enemy avenue of approach might be during an active shooter scenario. We have that ability today. We want to provide it to you today and oh, by the way, it's absolutely free, already bought and paid for. So since coming to CISA, my priorities have been pretty consistent. Like I have mentioned before, we've done a lot of great things that nobody knows about and we also chased shiny lures from time to time.
Does anyone know what that's like? Really, it's boiling down the priorities. What is going to stop systemic risk? What is going to drive risk to the lowest common denominator? What are the industry best practices that everyone should be doing to protect critical infrastructure, including houses of worship and including schools? There's a lot of translation between the sectors and critical function, how to best protect on a foundational and fundamental level. Really, one of my chief priorities is to best protect soft targets and crowded places. We've seen over the last two weeks, this on full display over the media. The garlic festival in California, Dayton, Ohio and of course, El Paso, Texas. Today we have the ability to engage the local community, provide some of these resources, to become harder targets. Become a resource and provide subject matter expertise to maybe those organizations or venues that don't necessarily have that strong security apparatus that you may see in an airport or an NFL stadium, but today we have these resources to bring to bear, to best protect all of us. I have three kids that go to school. High school, one high schooler and two middle schoolers, so you better believe that I'm passionate about the ability of school safety and school security. Our protective security advisors, since the Parkland shooting which killed 17 kids down in Florida, we have been to over 1185 schools in the conduct, and that sounds like a lot until you realize there are 130,000 schools in this country. So it's coming to events like this where I can find that force multiplier, where I can say to a group of esteemed executives, we have resources, we have the ability to become better. We have subject matter expertise. Take these resources, go out in the community and talk about them. If you see something, say something. Run, hide, fight. Today we're looking for an active shooter workshop, if you're looking for any kind of service you can immediately go to dhs.gov back slash hometown security. I hate to point to a website, on that particular website there's the resources, the guidelines, the sources, the videos today to become a harder target. So whether you're an outdoor venue, whether you're a concert organizer, whether you are organizing the next 5K, 10K, marathon road race on the streets of Northern Virginia or elsewhere, we have the ability to prevent active shooter, help prevent vehicle ramming. Fire as a weapon. These kinds of things that don't necessarily fit that antiterrorism mission from just 15 years ago. But this is where we are. This is where we have gravitated towards and this is where the Department of Homeland Security is focusing at this very moment. I'll talk a little about school safety. Just this week I was up in Pennsylvania, did a number of panels with local congressmen up there and really talked about and engaging with the administrator, students, chiefs of police, the county sheriffs, et cetera. Today we can no longer afford to put our head in the sand and say, wow, I hope this really doesn't happen here. Instead, I think the mantra should be, if it could happen there, it can happen here. And we better be ready for it. Now, that's a scary one, not to advocate that we're going to build forces around schools, but there are basic things we should be doing today. Many of which are absolutely free. Have a response and recovery plan and exercise that plan. Exercising is absolutely critical. Being a former law enforcement officer I can tell you firsthand that we do not magically become better during the time of crisis. We always default to what it is we've seen, the things that we know, how we've been trained and what we have exercised in the past. And this is why law enforcement, why the military trains every single day. So that when crisis happens, when an event happens, it becomes like second nature. We know exactly what to do.
Now, never ever fall in love with your plan because it never goes like you want, but have the basic understanding of what to do during an active shooter. What to do during a crisis event. A couple of the major emerging issues that I see for industry that I think I want to relate to you today and I will, I promise, at some point start talking about drones. The convergence between cyber security, physical security and emergency management is here. We have been talking about this for the last ten years now. And I think a lot of industry organizations have started to move in this direction, but today we are seeing a hybrid style attack threat landscape, where what you might see on the cyber side has physical impact. What you might attack and focus on on the physical security side has an impact. We meet with cyber security every other Tuesday, we're good. That's no longer good enough. The attack message, scenarios playing out in real time, they're converged and they're here. So many of us have ccb system in our infrastructure, back at our campus wherever you might work. Those are IT based. Many of us have active control systems that are internet facing, so let us not have our physical security protective measures be that enemy avenue of approach from a cyber perspective and heaven forbid getting into the data side of the house. Insider threats. I'm already seeing the heads nod up and down. Right now today, we have folks that work within our companies, within critical infrastructure, that have the institutional knowledge as to how to bring you to your knees. They know where the crown jewels are. They have keys to the kingdom. They know I don't have to push that button, but if I push this button or pull that lever or destroy that piece of infrastructure, the house of cards starts to deteriorate, it starts to fall. Maybe it's a substation engineer that knows exactly what electric components are critical to your grid system.
Maybe it's somebody who has access to your server room, that can do some sort of significant physical or cyber security damage. Maybe it's somebody who knows what to shoot out in the field that will elicit and start cascading effects where things start to lean on each other and things start to become destroyed after destroying a particular piece of infrastructure. So having an insider threat program today is incredibly important. If I'm advising anyone on where to invest your next incremental dollar on security, it is the insider threat. Knowing what data is leaving your system, one day we all want to be a consultant in here. We retire, and we go off to do bigger and better things. Many times those consultants before they leave their pro pryty job they will push a lot of information out. Maybe it's proprietary information, maybe it's trade secrets, maybe it's customer data, maybe it's credit card information. Maybe it's key contacts that you as a company want to retain because you don't want it going to a competitor. Do you have the understanding what information is leaving your system and going elsewhere, to somebody else's Gmail, going overseas, going to a competitor, et cetera? And same from an access control system. Do we have the technology in place that will flag us when somebody might be probing our system? Somebody might be trying to gain access that shouldn't have that access? Quick little example is this: your company is stationed right here in Washington, D.C. And two hours south down in Richmond on a Sunday afternoon at 4:00, somebody is trying to badge into a facility that they don't have access to. Let's say the technology works, access denied. But is that flagging you? Something is going on here, this person should not be trying to gain access to something. Things are clear in the rearview mirror. Do we have the technology in place to understand the puzzle pieces around us so we can put a complete picture together?
And lastly on this particular topic, that pathway to violence. Do we have a program in place that identifies, highlights, and provides the help needed for people that are becoming radicalized, that are becoming violent? And are your cyber folks talking to your physical folks? Maybe on the physical side we've had a domestic violence episode. We had somebody say something very violent to a coworker. Is that information getting back to the cyber folks that can see the fact that they are looking at radicalized material? That they're looking at hate groups online. Can we put all of these puzzle pieces together to identify an insider in? Finally on drones, it's hard to recall life before the internet. In fact, most of our kids will never experience an unconnected world. Today our critical infrastructure relies on web and ability to operate efficiently, that includes our trains, financial systems, water systems, the power grids, even the teleconference calls that we get on just about every single day. All of these activities require something that's web-enabled. Sometimes we decide that we're going to add a web-enabled, internet-facing device to our system, that might be a drone. We need to be very, very cognizant of what we're attaching at all times. In terms of drone threats, the first bucket is Chinese manufactured drones. If you are operating a Chinese manufactured drone, you are introducing and incurring potential risk in your system. And we have seen this firsthand, this is not the bogeyman. We have seen this with our own eyes. We have seen and engaged critical infrastructure that's struggling with this particular issue. So what do we do about it? A couple of months ago CISA pushed out an alert to industry to talk about this specific issue, not only did we raise the threat, but we also put together a number of mitigation strategies, mitigation measures, to reduce risk, if you already own that drone and it's already into your system. What to do about it?
That's the first bucket. The second bucket is the towner UAS. I'll introduce this by telling a quick little story. About a year ago my sons, who are 10 and 8 respectively, and what we decided to do was go out to Toys R Us when there still was a Toys R Us, and for $100 I gave them a homework assignment, we're going to go out and buy a drone for $100. Here is the homework assignment. I want you to bring this drone up to 25 feet and figure out how to drop this six inch piece of PVC pipe. That's it, that's the advice. A couple weeks goes by, we have baseball, we have school. Both boys rushed back into the house to say, dad, dad, come and take a look. Sure enough at 35 feet with a crude claw contraption on this $100 drone and a Bluetooth device they dropped the six inch piece of PVC pipe and they're high-fiving, and I thought, my goodness. We just dropped a pipe bomb into a water system, into a stadium packed with 60,000 people, and maybe instead of it being a six inch piece of PVC pipe, it's packed with rock, glass, et cetera. 8 and 10 years old, about 104. And this is where we are today. What do we do about it? Really, this is what you guys are here today to help try and solve. Some of the technology out there in the conference space is important. You guys are contributing to mitigating this threat. It's our number one thank you, my hat is off to have. We need your help. Number two, from the Department of Homeland Security perspective we need to move the needle as well. As of right now, the end of the year we will be pushing out a report that will highlight a number of issues surrounding DHS authorities and how we're protecting critical infrastructure and our federal building. A lot of recommendations from this report need to focus on protecting critical infrastructure from the overhead threat. We understand that critical infrastructure does not own the air space above its infrastructure. We understand that a lot of the technology out there today, as we speak, is illegal to deploy.
But there's a lot of really good detection methodology out there. A lot of detection technology out there to understand what's flying above our infrastructure and once we know that, how to engage with law enforcement and bring it back down to resolution. Unmanned aircraft systems do not represent an emerging threat, but rather, an imminent threat. Given their retail availability here in the United States, UAS will be used to facilitate an attack in the United States against a vulnerable target such as a mass gathering. This morning, this dire warning comes from the FBI. Director Wray. And so it's important that we embrace the issue, we understand the issue and we not kick this can down the road. And thank goodness, this is why we're here today, to solve hard issues. We are in, I guess this is really my call to action. We need to figure this out today. We put partisan politics aside. We put one vendor over another in a competition aside and we figure out how to safeguard not only critical infrastructure, but also, the American public. So as an executive, we really need to be really, really mindful of understanding the threat landscape is changing. Today it's really focused on domestic terrorism. We've seen this over the last two weeks. It's focused on soft targets and crowded places. So be very mindful of where we are congregating. Be mindful of where we are going shopping. And this isn't a warning. This is education awareness. Understand that there are individuals in this country filled with hate. Filled with bigotry, that want to inflict the most damage, the biggest casualty possible on the American public. We need to be cognizant this is their play and what they're focused on. And we have to be aware there are resources available today to mitigate that. Do you understand the gap in your own security? And sometimes it takes a third party, it takes somebody else to kind of walk in with a fresh set of eyes to say, you know what?
You're really close to the issue here. I've been doing this for the last 25 years, but have you ever thought of x, y and z with that fresh set of eyes. So, are we prepared and understand what those gaps are? And coming from a private sector, I was appointed by the president, and I come from industry and one day I'll go back to industry and one thing I've always told my staff over and over again, based off of battle field lessons earned and the myriad of issues across corporate America, are you prepared to be overwhelmed? Some of you, yeah, we have this plan, that plan and we exercise it from time to time. No, are you ready, prepared to be overwhelmed with incomplete information, with people screaming on the radio all at the same time? With law enforcement that you may or may not have a relationship with responding. Don't fall in love with your plan, but have a plan. Be flexible, exercise that plan and today, under blue sky conditions, where nobody is screaming and nobody is bleeding, have a relationship with local law enforcement, the FBI, the Department of Homeland Security. I have another quick story and my staff is rolling their eyes because they've heard it many times. Years ago as a law enforcement officer out in Los Angeles, and every single day throughout the day, you'd have a number of issues, whether it was domestic violence, burglary, whatever the case is, and you need to write a report and give it to the sergeant for it to go up the chain of command to get approved on. Typically you find a quiet spot. And I'd park my black and white car in front of an elementary school. That's great, you parked your police car outside of the elementary school and presenting that as a hard target. Great, wonderful. That isn't really why I did it at all. I knew because I knew on the other side of that door was a free cup of coffee. And that's the God's honest truth.
Free to me, 15 cents for that elementary school, they had a constant revolving door of law enforcement there presenting that school as a hard target. What are the things that you guys can be doing today to do something similar? An almost free mitigation measure. Have relationships with law enforcement today. I can tell you that they are thirsty for that relationship. They will show up, no doubt in my mind. Information sharing is critical. I started this presentation talking a little bit about it. Within CISA, we are focused on oversharing. Pushing information out, trying to get ahead of that CNN moment. And everything that we push out could be of value today. We will be pushing out information on ransomware attacks, as you can imagine, very timely given what's happening down in Texas. Not only do we highlight the threat, but we also highlight how to mitigate that threat. That basic cyber hygiene, things we should be doing day in and day out. But information sharing is king. And it's incumbent upon you when from, you know, come day in and day out we get this deluge of information and you need to focus on how does this impact my mission, safeguard my crown jewels, the reliability of my system, my brand management, et cetera. I can tell you though that if everything is important, then nothing is important. So really the onus is on you, on your shoulders to talk about how to impact myself and the system? I talked to you earlier, too, about a collective defense and this is incredibly important. I don't want this to be a buzz word you hear from time to time, but more of a culture shift. Similar to the 80s and 90s around safety. We have a culture of safety within industry, don't we? Typically before every single meeting back at your shop, you typically will start with a safety moment. If we have to evacuate, there's the elevators. Don't use the elevators, use the stairs. You be the first one out, I'll be the last one out. AEDs are on the wall over here. You call 911.
We take 30 seconds to talk through safety. I think we should add another 30 seconds to talk about security. How we should not be piggybacking into access control and sensitive areas. Phishing, anti-phishing techniques, being aware there are people wanting to take our data and steal it. What are the pathways that we should be focused on so when it's raised I can alert somebody. So adding a security moment to a safety moment is 30 seconds of our day, but I think it starts to adding to changing is that culture and that's collective defense. The federal government, state and local partners and yourselves as American citizens. We're all in there together. And lastly, and I promise this really is the last thing I'm going to say, investing in resilience. Let us understand that bad things are going to happen. One day your organization will likely be attacked by something. Maybe it's man made, maybe it's natural, like a hurricane, an ice storm, whatever the case is. Are we ready for that? But more importantly, have we invested in resilience? There's another buzz word. And resilience really is the governance of uncertainty. Have we removed single points of failure? Have we added redundancy to our system so that when bad things do happen, things go bump in the night, we have the ability to recover and respond and head back to homeostasis as quickly as you can. And you're building out your budgets, three, five, seven years from now. Have you built resiliency into your system or are you just talking about today's attack? Build into our system so we can come normal and restore critical services to the public of this United States. And with that, thank you all very, very much. I certainly appreciate it.
Right after me is another member from the Department of Homeland Security within CISA, talking about drones specifically, but today for this keynote, number one, it's an honor and number two, I wanted to give you a sense of the other thing that CISA is focused on and Homeland Security is working on. As we move from 9/11, to the terrorist mission overseas and all of a sudden it happening here in the homeland. We need to be ready and I can tell you the Department of Homeland Security is. And thank you. [applause]

The Trump administration is announcing rules changes on holding migrant families in detention. Acting Homeland Security Secretary Kevin McAleenan and Azar will be explaining the plan to reporters, this is live at U.S. Customs and reporters briefing room, live coverage here on C-SPAN2. Well, in just a couple of moments we will hear from acting Homeland Security Secretary Kevin McAleenan, and Alex Azar talking about rule changes the Trump administration is instituting holding migrant children, migrant families in detention. This is expected to start live shortly at the U.S. Custom and Border Security room live here on C-SPAN2