Back from lunch. Those who are in the exhibit hall if you could begin to move back, we would greatly appreciate it. I want to get a special thanks to Northrop Grumman. Jennifer walsh smith and Chris Valentino i know are here. If you could raise your hands. Jennifer is here and is valentino from Northrop Grumman, i want to give a special thanks to them for this lunch sponsorship. [applause] i also want to thank them for their seven years of sponsorship and support, which is been greatly, really a key reason for us to be able to host this forum are free for the government, military, and to be able to do this now for the tenth year. So thank you very much. I want to just also give to your attention, please, on your seats are flyers that describe the next years event, september 8 and 9th at the Marriott Wardman park. That would be september 8 and 9th, 2020. We also have for Corporate Executives that are interested, we have a series of quarterly Leadership Council meetings. We are in the third year of that. Look at the flip side you will see the corporate members include cisco, aws, booz allen hamilton, raytheon, hp, northrup, google cloud. If youre interested in that please let us know. I would also like to recognize and express our appreciation for the Advisory Board members. Ill this is once again as they had been very helpful. So Brett Scarborough from raytheon. Dan from google cloud. General great to hill from the federal group, brad from hamilton booz allen, will ash from cisco. Matt barry from ap federal, dave from amazon web services, and charlotte from Northrop Grumman. If we could all give them a round of applause, please. [applause] just a couple logistical announcements. If youre a member, you can get credit i going to the Registration Desk and giving them your member number and they can send you a print certificate or they can give you a print certificate or they can send you a digital certificate. If your an osaka member i gather you have to to the osaka portal to register for a continuing education. Were delighted to partner with those continue education organizations to offer continuing education credit for those of you who would like it. This is a very full and exciting afternoon. Im very excited about, we will have a number of keynote from general crall who will be introduced shortly. We then love a number of panels and will conclude with keynotes from chris krebs from dhs and from martin from the National Cybersecurity center in the uk. We have a full day ahead, and we will then have a number of awards at the end of the day and i am very honored that well we giving a Lifetime Achievement award now to general mike kayden who also give final remarks to our audience, and im honored i that. With that said, id like to not introduce gregg potter, a Corporate Lead executive for Northrop Grumman at fort meade and aberdeen and he we introducing the luncheon keynote speaker. Thanks very much. Thank you, tom, thanks to billington for putting on such a great conference. Its my honor pleasure this afternoon to be able to introduce the keynote speaker for this afternoon. Major general dennis crall is a Senior Advisor for cyber policy. He was appointed to the role in 2018. Hes a a career aviation commad control officer who has commanded squadrons at group level. Hes got deep cyber and operations Information Operations background where he was the chief of the joint operation or joint Cyberspace Operations center at Central Command as well as the deputy chief of the Information Operation center at Central Command. Lastly, he was the branch chief for strategic plans for Information Operations at u. S. Special operations command. If you would, please give a warm welcome to Major General dennis crall. [applause]. To get done streaming a conversation andbeing available to take your questions. Im, im your afternoon caffeine. We just had lunch, ive got enough excitement for all of us here. What i like for you to do is take the conversation up a notch and were going to talk about war fighting for my quick portion of it and were going to think strategically and the slide thats in front of you is my staff is embarrassed about my slide. I dont my slide itself so it probably shows. Thats as many words as i want to cover in a framing document and i want us to think the way the Department Takes and breakdown our work fighting mission in this critical domain. Im going to use the language of it comes from our National Defense strategy and the Cyber Strategy that flows from that in 2018. This is language that are former secretary of defense used clearly about lethality, partnership and reform and its a great blend by which to look through cyber and a few other items we will talk about. But i need you to remember something when we have this conversation, theres a couple caveats. Every one of these framing ideas doesnt exist unto itself. This is all about outcomes. We got to make sure that we pause and think about what it is were doing, why were doing it and it lends itself to the ultimate mission, the reason were doing it which means theres got to be policy and execution to make sure were still on track. Technology changes at a rapid pace. Its easy to Chase Technology and not the mission. Its easy to stay focused on antiquity and not a not modernization but theres got to be some level of balance and we do this within a government system of funding which drives a lot of this but at times is a bit episodic. So the challenge is balancing those three tendencies but not to forget this is all about outcomes. And driving to anend state. What makes this different in our approach that were looking at this year and previous years is the right emphasis and weight to what we call persistentengagement. The items that our talk about especially under lethality really lend itself to think about is this something we are doing episodically . Is this something i can stay in steadystate or is this a series of it and starts which means you break continuity, lose momentum and dont have the ability to proper exploitation of success. These are all principles we talk about in every other domain, yet we somehow shy away from them in this one and its just as applicable. In order to see that advantage and to maintain that advantage throughout operations. The other piece is we talk a lot about operations in a contested environment. And ill be honest, im not sure that we are as practiced as we need to be to be successful given the threats we believe were going to face. Im fully aware there are those who believe we have made our adversaries 10 feet tall and giving them more prowess than they deserve but i also tell you there are times because we really believe we can fight through certain things are not well rehearsed that we may be in for a rude awakening if we are not practiced and postured to succeed. So think about what information contest would look like. Deadlines, redlines, very low bandwidth. The ability to prioritize information in need of speed, what are the minimum elements a commander needs to fight. Those have not been defined, its a difficult to figure out how youre going to employ that on a battlefield when you realize that its at that time under this crucible of challenge that youre not going to have a boss point, the fog of war creeps in and everythingbecomes more difficult. These have to be practiced. And you have to understand what it means to your perfectly rehearsed plan when you do that in garrison, what it means to meet that plan on a battlefield. A famous boxer once said about his competition that every man has a planuntil i punch him in the face. You think about that and we all plan and we think about what is going to be like and then we need the crucible of contest. We got to be ready for what that looks like. So when we talk about these principles that are not esoteric, they are not things that sit out there to be admired but theyre there to be practiced, embedded, rehearsed, challenged, improved and implemented with confidence. Thats where we need to be. So lets talk aboutthese things under lethality first. Three subareas that are important the way i look at defining them. Thefirst would be the idea of authority. Weve got have the right authority to operate in space and it doesnt matter what kind of activity were talking about. Whether were operating networks, talking more of an it centric role, whether were talking about defense or offensiveoperations, their required the requisite authorities in order to move pace. This persistent engagement means authorities need to be deep enough to characterize thebattlefield as well, not just execute. Weve got to anticipate in that authority realm that these things will be as planned, not sprinkled on afterwards but there are four thoughts built in, planned for andtested as ive mentioned earlier. Ill be honest, weve had a lot of help and i mean that in a good way from the administration and congress. They have loaded us up with authorities we havent had before. Its important that we utilize them in line up a couple other items that go along with them so authority would be one idea that you have to think about what to others have to be lined up in currents with that area the other one is process. Weve got have a process in place that takes advantage of the authorities that we are given. The process isnt repeatable, if its mired in quagmire, this idea of constant uphill battles and fights , and im not intimating we should not share information or have d confliction with others and other interested parties but the point is the process has to lend itself to a successful and timely outcome. Not for a process that exists unto itself. Anyone whos worked in the pentagon personally and seen the pentagon process upfront knows exactly what imtalking about. Terry mattis used to have a phrase back when i worked for him as general mattis that when good people meetbad process, bad process wins. Bad process and take the most energetic, forceful, excited individual and crush them through a series of bureaucratic morass. That doesnt lead to an outcome so these are areas taking advantage of the authorities we are given and working on numerous, looking at this process within the building and outside of the building to execute operations in a timely manner and the last piece of the threelegged stool is on the idea of capability. We got to make sure that we have the trained workforce and be the equipment to perform the mission at hand. Weve taken really a hard look at this workforce and in some cases i think weve taken maybe for granted that the workforce will be available. The amount of training thats required, the recruitment, the competition that we wonder to retain individuals given their a lot of walks of life that people can go do but looking at models that lend itself to attracting and retaining the best and brightest for our mission is critical towhat we do. Also, the capabilities and the terms of our tools that we have two employ these are critical as well. We got to make sure that we employ cuttingedge technology. We got to make sure when we start looking at the ways we can take advantage that we do so in a timely manner and that were not looking at Old Technology delivered twoways. Theres a quandary i have that i keep on my board that i try to avoid and thats the phrase of this may not work but at least its suspenseful, we want to avoid the idea that were paying premiums for outdated technologies. Weve got to be more responsive and use whats available so if you think about lining up the authorities, the process and the capabilities, how critical that is to the lethality rubric that i got in front of you. The next piece is the idea of partnership. We have a couple areas that challenge us as well. On the good side we know that partners, many of our partners at unique authorities and capabilities we dont have and we want to make sure that we take advantage of those. We want to make sure that we build their prowess and capabilities up through our practice relationships and as they get better, we are better. Its less service for us to look at on the challenging side with partnerships, we still struggle with information share. How do we exchangeinformation in a timely manner not just on the battlefield , as we have joint Coalition Partnerships and information sharing it difficult, we need better Cross Domain Solutions and thats on the radar to solve this year. How do we move information at the speed of warfare and take it one extension further to our Defense Industrial base. How do we help safeguard our nations most critical secrets, the time there through development and implementation through a supply chain and eventually for the introduction in our worklighting apparatus. Saw partnering from the idea of missing execution and then on the side of ensuring that we are able to share information with a common level ofprotection is critical for us. All of these varying efforts that are ongoing in the building today and served again that framework that i just described. The last piece, and its one of the most critical because it involves a level of trust. Trust with the taxpayer, trust with their governments and keeping the trust and not breaking faith with our workforce and war fighters. We need reform. Some of this reform is going pace which is respectable and others may be at pace that needs to be picked up and made better. So what do we mean by before . This is the idea of scarce resources being applied in the most consistent, meaningful and thoughtful ways gone are the days where everyone doing whats right in their own eyes so the word that serves to me the most under this category is tendered. We talked a lot about standardsetting. We already understand what requirements are due to the acquisition cycle and im not talking about that. This is the idea of making sure we have common standards that we drive to and that we have an apparatus in place to inspect what we expect. That we have adherence to those standards. Nothing is more frustrating than publishing a standard and not following them and not even knowing youre not following them but the idea of following through with the expectation that we have a level of adherence and commitment to those means that were a better war fighting organization as a result. This reform has to be all the way through the lowest level when we look at our workforce all the way up to the most extreme and strategic ways for actions and activities. Weve got to look across the department to make sure we dont have unnecessary redundancies. There was a time in the information environment when it was new. When we used terms like Information Operations, military Information Support operations, those types of things that we went to congress and we asked for money. On kind of this newfrontier for us , its always been practiced but this it was upscale and embraced by the department and there was a time whenthat money flowed to freely. And we couldnt always count for how it was spent. We couldnt always look at measures ofeffectiveness. We had measures of performance but we couldnt provide the so what the money we were giving and what was really a permissive friendly giving environment turned into a very challenging environment to demonstrate a level of sufficiency and rebuild trust. Ill tell you i think we are probably not too far off in the realms within cyber if were not careful. People want to help us, our leadership wants to help empower us in this area but we have to be very good stewards on how that money is spent. Weve got to have something to show for it. Its got to be datadriven, its got to show the level of effectiveness or how we commit to these treasures. So every single day, we wake up in the principal Cyber Advisors office. Our relationship with chief Information Officer couldnt be closer to the relationships that we have with our services components, chiefs, etc. Couldnt be closer and we think in these returns. Because the National Defense strategy tells us to think this way and our Cyber Strategy demands we think this way and the possible review which reveals the gaps are framed in that rubric of lethality, partnership and reform. Strategic thoughts, a way to share a broad picture in less than 10 minutes with you. And i stand ready to take what i imagine will be the challenging questions where i can answer, i look forward to answering. [applause] i dont know what the rules are here but youre right in front of mewith a hand up. [inaudible] [inaudible] a great question. For those who couldnt hear, this was about how the od response to calls from the Defense Industrial base for a challenge they may have for cyber security. And one ofthe statements that were made, we certainly wouldnt call the crowd, i would agree with that. They could, they may be unsatisfied with the answer they would get since that particular mission set literally falls outside of our primary work rule. It doesnt fall outside of the air of responsibility for thedepartment. The answer will not be perhaps as detailed as you may like there are challenges , some seminal challenges to how we share information, what information we can share and who owns the burden of responsibility. Owns the liability if information is shared or solutions are provided and those compromises will take place. These are not easy questions to answer. I dont pretend they have been solved at our level i promise you this year a received more attention than i personally have witnessed and there are really probably some difficult choices in the road ahead for the department to make. I dont know what the balance is personally and i dont know whether the leadership will side on the if you think about this, how much should the department do mark how much cueing can the department provide and how much of those solutions are on the part of those who own for example data. I wont tell you this,no matter what the answerlies , theres one thing thats clear. We as a unit have to do better at securing our data. Theres no argument there. There are things and solutions in place from either basic hygiene to Good Practice to movement of information and safeguarding it there is zero disagreement that we are to force and we have a service that lends itself to come with getting this process or challenge in a way that is unnecessary though probably not the detailed answer you would expect because that is yet to be solved in thedepartment. Center crall, you have another question here. Number other questions. If you could take a mic, we will come down for you. Good afternoon sir. It sounds to me like this could be something to do with 171, is that something that falls under your domain mark. It doesnt fall under my domain in pca but its a number we are involved in and ive got secretarial interest so yes, it does and forcing these antigen contracts, we have a and s that provides a lot of that information. Theres been a lot of reform this year and contracting language to get after that. So yes, its an interest area of mine but primarily in the pca when we look at performance focus, is on implementation and forces that strategy and its owners to that information but its clearly a part of the solution and one thats been inactive this year. Jason miller, federal news network. You mentioned capabilities and authorities in congress and the administration and you said that in a positive way. We have to use them. Would you offer maybe look into whats a couple of them that maybe stand out that you guys are using ortiming to use and why theyre important authorities . In this environment, i cant unfortunately. Please. It isnt a matter of will, its a matter of classification so i will say this. Im confident i have not overstated the empowerment aspect of that. But a lot of these are used for the types of missions that we, this forum would not be appropriate to discuss. I will provide you a consolation because i need to send youaway emptyhanded. If i look at where the department i believe is headed next for organization reform and some potentially different authorities, i would share with you that Information Operations as we know it traditionally, if i looked into a crystal ball i would share with you that that is probably a, or certainly an area of resurgence in how we look and how we execute. What authorities and rules are in place. What capabilities need to exist, how we build war fighters and equipment sets for the fight in that information space. Thats coming. And its coming quickly. Given the recent memo from the dod deployments, do you support the initiative to turn off ipd for to adopt a single stack of ipv6 in order to reduce the overall attack factor . Thats an easy question for me to answer. Mister ducey runs that and i supporthis decision. I fully support it. I thinki understand where youre going. There were alternatives considered, but i support the chiefInformation Officers approach. I think thats the last question. Thank you very much for coming to be our speaker, our keynote and im honored to have you. [applause] please welcome back our master of ceremonies , Edward Devinney the second. Thank you very much Major General crall. A great Panel Following up about supply chain fiber security, a topic near and dear to many of our hearts read a moderator for this session is john check, senior director of protection illusions, intelligence information and services at raytheon thank you for moderating the panel joining john on the stage is bob kowalski, director of the national riskmanagement center at the department of Homeland Security area filled marion the deputy chief Information Officer for the United States air force and matt berry, chief operating officer or hp federal bank you all of you and overview john. I want to thank tom and the lincoln team for hosting this event. Its a great opportunity to pilot these key issues and with that we will jump into securing our supply chain. One of the key aspects of securing supply chain is insuring all parts are incentivized properly and ultimately that works best when the rest, cost and rewards of doing business are equally shared and understood so id like to start with you so what are the things hp is doing to incentivize or supply chain and some of the things your customers are doing. Thanks for the opportunity to be here. I was thinking about this panel and taking incrementally what we do and what others in the industry due to secure their supply chain and a lot of it comes back to fundamentals and i think thats been atheme that weve heard here this weekend. One thing that i think about is our supplier standards and we share that with our supply base and we have them go through rigorous processes of adherence. We do audits, ulcers of things and when you look at it, it starts with design and what we call the secure Development Lifecycle and then you can go down this stack from there from the endtoend supply chain through disposal. So manufacturers, weve got software, firmware, provisioning. Youve got logistics and traffic and as you span through that, you think how do we manage thatwell or less than well , it starts with what questionsare we asking. No one starts from a Vantage Point of prevention. Its a journey and its something weve done for a long time but what was interesting to me about this question is the intersection between physical supply chain and what weve done for many years and the cyber supply chain. Any ict project that were talking about here, ip enabled, logic bearing components, you have to mine both. This idea of supply chains being static and you drag a bucket of parts through a supply chain from point a to point b and check the box is not the case anymore. Theres persistent supply chains, their data begins. How do we manage that so i think thats a lot of the conversation for us is going back to the suppliers trust but verify and then of course we triage or tear the suppliers. So people that make lasting and screws, maybe slightly different than aesthetic controllers, etc. And we hold those people quite close. In fact, the technical contribution from those partners is paramount to our joint success and so in terms of incentives, thats the overall framework and then were pretty outcomes base. We let the market force the science, either were jointly successful and theres a tremendous upside for the alternative. Ill ask you, what in what sense would you liketo be implemented to drive these behaviors . Lets start with the idea that information itself and better information about risk is an incentive and i start with the area but my taking a step back and when were talking about business and government responsibility to the supply chain, i believe all the incentive in the world except for a business to make sure something doesnt happen in their supply chain will affect their operations that could affect the bottom line. And you get the information imagery and maybe how much steps they take to protect the supply chain can be changed by the fact that more information about risk. What could go wrong in terms of the supply chain when we talk about the questions of intentional efforts to do things against icp product hardware so one of the things the government can do certainly is create a better information environment that helps businesses take advantage in ways they already have. Second order incentives are there has to be an expectation that if you are selling something, that you are part of the supply chain or something thats important that your taking the stuff seriously and that happens through contracts, that happens through that being part of the overall conversation for those of us who have a little more influence about what get into the supply chain and the smart performers area at incentive is proliferating out there right now. But lets make sure its a go or no go decision around important parts, around those incentives so start with information, go to basic user contractual procurement incentives and we can have an interesting conversation then , is there still a gap of where those National Security concerns cant be handled for business incentives but i think were going to talk about Public Private partnerships in the second but lets get all the incentives lined early on and accept that government can have several similar incentives and only have government intervene when there is a gap. So bill, what type of incentives are using implement it for the dod . Youre looking at it from a manufacturer side, from our side its typically acquisition. One of the things act in the acquisition process to incentivize the right behavior because if we incentivized the right industry, it will build it for us so taking these standards, the work thats going on and working those into the proverbial security is part of the cost jewel performance equation and providing some level of ratio or investment roi of what the investments, manufacturer did and how do we give them credit in the acquisition process so thats the biggest piece because were typically fine, not building. Though i definitely believe if we put the right incentive structure , businesses will,. But we also have to take a little bit of a reality view that when its too much. Just like in regular security you can keep putting more blankets on, we have to figure out what the right threshold is to manage the rest at the right level so thats going to be the hardest part of the incentive today and thebiggest incentive is to stick , our bats were a club. We know that doesnt work well longterm and doesnt create the right incentive behaviors on the manufacturing side so we got but that fundamental equation , but the biggest risk is how do you understand what that roi is and how do you determine its applicability . Something that id say, sometimes the problem with what happens with disincentives in terms of security, we put disincentives for things that work against the purity but also require too much and then there causing people do not want to be in the market and we can take advantage. So was doing this well today . Anybody stand out there that you think is hitting the incentives right and studying the right framework to get us to where we need to be . Ill make an aspirational statement. I think comingfrom a place of manufacturing and managing our extended supply base , where i think we Industrial Base might be falling short is in the management of certain fourthquarter notes in the supply chain and how can we cascade that effectively but efficiently at the same time. I do believe theres an opportunity or sweet spot to look at some of the work let out of the dod acquisition, cmm c model where we can put a smart baseline, achieve that and then iterate against that. I think its a journey, but quite frankly a lot of other things we ought to be doing already and if we can start there, the benefit is not only do we reflect through our own internal process, but we can look up and down the chain and have some level of visibility and illumination up and down and we have more confidence that when we are representing our extended supply chain, we have some ground to stand on. I think the mcc is i think the best thing we have going right now. You remember the Security Models and its not a perfect system but its far better than what we have. So thats the first step. I think were at the information stage right now is just how do we understand a company and their relationships and how do mergers and acquisitions second and third party. You got to know the environment so im not sure where there with the right tools but at least we got some great efforts in the navy and air force to understand the ecosystem and the c3, but weve got to get that level of model, we know we have a problem,lets go fix it. Lets move on to Public Private partnerships and everybody talked a lot about that, its a hot topic and we know in order to make those effective you have to collaborate and collaboration arts with building that trust, your trust in the person youre collaborating with to listen to what theyre saying and think differently about how youre approachingtasks. Bob, id like for you to highlight some of the work that youre doing with cisco focusing around riskmanagement initiatives and how those things are progressing. Sure, one of myfavorite topics is Public Private partnerships because its the absolute absence around Critical Infrastructure security. Where we established the national riskmanagement center, one of the mantras is to operationalize the Publicprivate Partnership we established for the department over the last 15 years which got everyone to the table , started to share information, talk about solutions but lets go further towards optimization old capability, working more with more intensity together. So thats what were trying to rent large in terms of the work were doing with the ic supply chain. Thats a task force that there are 60 representatives, he is on the task force, the od is on the task force, only federal member of the Security Council then representatives of the it Sector Coordinating Council and communications center. We have most of the big it players and associations that represent the smaller players and representatives from Small Businesses so what we have is 60 people who are forming a task force to work this issue fulltime to make policy recommendations, to process improvement recommendations, to better help us understand the threat and the rest and to talk through where theres possibility for joint Capability Solutions such as around information sharing where it is not about giving the legal framework, but its actually developing, thinking through how to develop programmatic linkages so thats what were using the task force to do. A Public Private partnership, its nice to have 60 people around the table working the problem. Occasionally you have toget smaller groups around the. And then some example of what we were able to do by a task force, the department was asked to provide recommendations to the secretary of commerce on where to apply emergency Rulemaking Authority around restrictions into the supply chain. We could go out and study this as a government to try to understand the supply chain but its a lot easier to ask a companies the people who know their supply chains and people whowork those notes. To ask them how those supply chain work, develop a framework and one of the most importantelements around the supply chain. I dont think effectively, there are two elements to answer. One gives us a better answer to the question and we have better sources of information because of the people who are closer to the supply chain. Secondly when we make recommendations, its something that may be critical or less critical that may have policy implications, we can talk to industry about what would happen if you put more restrictions around this. What would happen if you put more requirements around this. What would be the security impact and you can start to balance that conversation with whats the real world impact of anything the government does. When youre talking about essentially securing things that are privately owned , has to be part of theequation. Matt, youve been heavily engaged and do you have thoughts around whats working . I would start just by extending my congratulations for the leadership and the team i think has wrangled a lot of people in a number of workgroups which is no small feat. The area that im personally focused and working for is around incentivizing purchases via oem and authorized fusion and what i was very encouraged by early on was number one, the level of engagement and part Public Partners through that process how quickly we moved from admiring what our practical recommendations to pick up. I think back in the junejuly timeframe , we sent some draft proposals up. So first thing i think the process was well worth the investment. And im looking forward to seeing come out in the full Task Force Report and i think theres tremendous opportunity there to see it and tried in acquisition and so on. Bill, from your point of view maybe a little bit on whats working. What else in government are the things going on he would like to highlight that maybe its a recognition for taking on this initiative and trying to drive this temple supply chain Publicprivate Partnership . Theres two fronts, one from a Material Command perspective , that partnership with industry to have the financial discussions, down the partnering discussions, happy honest feedback about who their partners are. Even forecasted mergers and acquisitions, theres a lot of those that are nuances we dont think far enough ahead so theres been a lot of work in the Research Side and just the applicable taking our Weapons Systems and decomposing and making those discussions with those Companies Understand where the rest, and its riskmanagement. Dont get rid of supply chains, you try to manage it better. So i think thats the first thing. Ill call it almost tactical operational level, is we are with this thing called enterprise it as a service, initiative and looking outta we use to monitor the it capabilities and think differently about thesecurity model. So were putting this literally to the test every day, not having, but this is no getting tactical level contract, work through that supply chain piece, both operationally from how we run and defend our networks to the supply chain type piece of that though that is just kicking off here in the next 30 days. It will be following that one as a key one. To say you got the macro policy, how is it bubbling down the implementation . Will pick it to one of my favorite topics around zero trust. So with the landscape, the vulnerabilities, certainly in the supply chain, a lot of times your supplies made a different Risk Appetite and you have and thats a concern with the supply chain rest and those type of things. How can we apply a viewer trust methodology to our supply chain and help build that security into what we desire . Originally from san antonio, my joke is every car in san antonio can be stolen. Dont come in with that. Supply chain is no different. You cant completely secure the entire supply chain so you infer theres a rest that im anybody can come in your front door so this is where the concept on cyber cons, that model is gone with clouds and mobile. I would argue that the same thing with supply chains so how you flip the model to say i cant intrinsically trust everything and its not just a buzzword, thinking differently which is the most important thing about zero trust. What am i going toprotect, how am i going to think of things different. Certain largescale manufacturer that knows in their supply process they dont have an end to the supply chain so they look at it on the end which you can argue is wrong or you could say they just recognize they cant control that so one of the mechanismsat the end . Other manufacturers may be from the end and so they may have a different process but ddn just like some sailor manufacturers, i dont trust the network so how do i encrypt the application, how do i encrypt the service and data and look at the problem differently mark going back enterprise it as a service, how do we flip the paradigm use concepts like zero trust, encrypted, different ways to scan and remediate the hardware. Look at those concepts to lay on top versus believing everything in supply chain will be secure. We cant afford all the trust and foundry work that we need to make that whole so realize youre insecure and look at the problem you have anything at that . Zero trust isnt a phrase i use a lot. I use things like layered security, understanding prioritization of risk and being ready and having resilience so that any failure, you can minimize the consequences and so were not out preaching that theres a simple solution but theres places that youve got to apply a higher standard of trust certainly and one of those areas for example weve been working on his Election Security and we want to push up and we are working with state and local governments. The security components that youre demanding more trust within the, thats going to help out throughout the process. Thats a place where trust and up mattering and results themselves. Matt, we can agree that zero trust doesnt happen overnight. Establishing that type of environment so maybe if you could touch on recommendations or best practices that we could all use to get started with. One, just taking a step back. Zero trust as an umbrella. Definitionally i think its important to acknowledge the importance of shifting the workforce focus as bill was saying, maybe thats not their core competency so if you engage in a Cloud Solution or migrate, what are you enabling your team to do . Sometimes people confuse that with Operational Management of risk. It doesnt eliminate the risk, it shifts the risk so the question is are you safeguarding everything and and for layered defense and are you doing that politically or are you simply shifting a problem set . Just thinking through zero trust doesnt mean wild west and it doesnt matter whats on the network. It matters critically so from our lens we think about endpoints as a horizontal and what do we do in order to make sure that those are just locked down, but ideally they are resilient so when you can take an attack and they will come and wewill be breached, what happens . Can we detect it . Can we self heal and if you can, you reduce the functional attack space and you can then migrate the focus of the organization of the stack to higher value added activities so that a lot of what were focused on. Anything you guys would like to add . Lets move to our call to action. I see the buildings in conference this week. Its been a great discussion and ill make sure that we provide some roomfrom admiring to actionablesteps. Ill start with you , bob. Give me one shortterm recommendation, maybe one forward thinking recommendation of how we can start attacking this. Hopefully we are. I speak because i have an opportunity and hope i dont have a hidden recommendation but these are things we do spend time on and i think we are ata moment of Real Progress. I think creating a greater information sharing environment is something that we are at a moment where we can make progress. Some of the information sharing discussion has been around indicators and things around the fence but i think Mining Supply chain rest, understanding collection of information, theres a lot more data out there to really put that information together, thats something were working hard as a government to do and getting that information in the hands of folks who can make decisions related to this that dont have to be tied to the idea of procurement. That have the training and know how to take advantage of information so i think were at a moment that we can make Real Progress to join information sharing. Right now its longerterm, its securing down the cyber ecosystem. It is incentivizing more investment in it around curtain places, its scaling the solutions that you can put in place down deeper into the supplychain so you get less vulnerability around the problem. Thanks, bill . Im going to start with a strategic one and i think it should be quick but its probably not going to be quick but i go back to how do we put security as one of the parameters and implement that. Weve been talking about it for a couple years now. At least with serious stuff. No kidding, implying security is part of the performance in the equation. Thats got to bepart of the initiative. Themore tactical level , getting these, ill call them flipping the switch on the rmf process and all these things about how we assess what security is and actually using true assessing and remediation tools, something bad will happen even if we have perfect supply chains, theres going to be bad things that happen so our trust has been how do you get to true and i think were getting there pretty well just getting over that last home of true Continuous Monitoring and understanding of yourenvironment and understanding what is your digital twin . What does it look like when its not there, once you connect with some level of agility . In this world there will be a point when youre breached, a point where somebody does something nefarious of the most important thing is how fast you detect and react. Weve got to attack, see one i think is key and the acquisition incentive model is actually put in. I think industry will react well, but we got to get over that home. We keep talking about it but we have to make the switch. What you feel like the barrier is there . We lack the real threat to return on investment. It goes back to an analogy, if you have 10 doors open on an air force base but only money to close three, theres some people i think in the acquisition world thats a why do they even close three and its a valid argument area theres seven or so open and why did i even spend the money on three . Maybe i go to another target. I think having that understanding of when i make an investment i have real return on investment from a security perspective and i dont think weve done the acquisition side understanding what that means and how do you put some dollar value equation behind that . Matt, your perspective. Bill nailed the immediate one in my mind which is the acquisition piece. Theres so much great work dhs, cnn c, just a ton of great work coming out of the 800 series, 160 deeper, 193 around from wire. All those things are phenomenal, but they dont make it into acquisition. It simply doesnt matter because you have a human being was evaluating these different factors and if its not in the calculus , its not part of the answer. Thats the struggle that weve had so i think those go quite well to that point area ill shift a little bitto nearterm or whats next. Kind of a provocative thought from yesterday, grant shiner was asked what keeps him up at night and he said one word, china. And sitting where i sit, its an interesting question, because china is simultaneously a very important market, a nationstate competitor and an adversary. When youre in this Public Private conversation, unless we have strategic clarity around objectives and unless we can send unified signals back and forth to each other, youve got all kinds of things going on. I wont go off in the weeds but just with the tariff developments, you see people realigning in a reactive sense. What happens when and if that goes away, people read to nominate back in china to taste lowcost. Is that a Strategic Policy execution or are we reacting . Whats the right answer . Its a difficult question. But to take a step, if we had a directive that said were simply not going to build logic bearing devices and source them from that geography, that tends to set up a very different incentive that im not sure industry would get there by itself. But i think this kind of conversation is critical and especially with whats happening in the world today, its important and ill wrap with one other related thing. Theres this other thing going on right now, this fourth industrial revolution. Essentially a 12 trillion jump ball with the manufacturing Global Manufacturing base. Think about digital manufacturing, 3d print, other enabling technologies, we are at the cost of the times when we can realign supply chains to be more regional and secure at lower cost with the capability that coming online and i think we should think long and hard about that as an opportunity, because i assure you other nationstates are investing heavily in the area and my question would be what are we doing domestically to seize our unfair share of that opportunity and i think thats probably a right conversation for another panel. I appreciate the panel today, great job. We had a good discussion and offered a lot of opportunities things people can look at to consider how secure theirsupply chain so thank you. Thinking about participating in cspan student can competition but youve never made a documentary film before left in mark we have resources on our website to help you get started. Check out our Getting Started and download pages on studentscam. Org. Teachers will find resources on the resource page. Id like for anyone to come out and compete to find a topic that youre passionate about and pursue it as much as you can this year were askingmiddle and High School Students to create a Short Documentary on the issue you would like the president ial candidates to address. Cspan will award 100,000 in cash prizes plus a 5000grand prize. Will get a camera, go get a microphone and go start building. Just the best video that you can produce. Visit studentcam. Org for more information today. Coming up at the top, the former special president ial envoy of the coalition