Cybersecurity threats. I want to welcome our guests and remind folks please submit questions and i will read them toward the end of the session today. Just heard from cyberSecurity Acting director, senator warner is the vice chair of the Intelligence Community, representative will heard who in addition to being a cochair of the Cyber Security group is the Ranking Member on intelligence modernization on the health house Intelligence Community. And underwood on the subcommittee on Cybersecurity Infrastructure protection and innovation. I thought i would start with the Cybersecurity InfrastructureSecurity Acting director from the department of Homeland Security and the reason we have an acting director, the president fired the director, maybe i will start with representative underwood and turn to representative heard to see what you make of the fire ring of cybersecurity officials. Hi, everybody. I oppose any effort to politicize the National Security department and agency. Our last investment warned adversaries from Cyber Capabilities undermining the United States and advancing our interests and we know adversaries used cyber tools to steal intellectual property and intellectual data and engaged in espionage and towards that end i was disturbed director krebs was terminated for doing his job. Leadership should be commended and not punished for their quick work building strong Election Security partnership but more broadly i am concerned about messages sent to our adversaries when a competent and successful leader is purged from the top Security Agency and i hope Brandon Wales who you just heard from will remain in place and provide stability until the Biden Administration and he has also spoken at the summit and been a great partner on the Homeland Security committee and im confident hardworking employees, the Cybersecurity Workforce the chose to lend their talents will continue forward. We know there is a provision establishing a term for the director and concerns about that. Will be reassessing that in the next congress but the news of the last month was disturbing. It decided to work with mister wales moving forward. Turning to you. You were quick to call and congratulate president elect biden, curious what you make of the firing and whether you have seen president in the last month it has shaken your belief this election was conducted in a free, fair and secure manner which is the comments that got him in trouble. When chris was fired my comment was he should have been thanked, not fired, for being responsible for one of the most secure elections we ever had. No evidence to suggest otherwise is what i find interesting is mike mccall creates this. There were a lot of debates about whether we should have an entity like that. Im glad that we are having debates about the leadership of it and krebs did an amazing job taking a new organization there was a lot of doubt about its effectiveness and turn it into a top entity within the federal government and to do that when the microscope was upon him. I think mister wales will continue that tradition but ultimatelys firing was ubiquitous. Congressman, there arent many others from your party including those who were supportive of the mission on National Security who have spoken as bluntly as you just did. Why do you think that is and is it something that can be addressed . You are going to have to ask them. My philosophy is the same. I agree when i agree and i disagree when i disagree. I agreed with some of the things president obama did. I spoke out. I have done the same thing under this administration. I think as my friend lawrence said in opening remarks, we should not be politicizing the Intelligence Community or intelligence operations on something as important as the integrity of our vote and again i think krebs and his team should be commended for what they did and we can talk about jay johnson and what jay johnson did. I was the first person to hold a hearing on the 2016 election before the 2016 election happened and i was talking about kicking the Russian Ambassador out of the country. We had debates, jay johnson said voting infrastructure was Critical Infrastructure and everybody freaked out that this would be the federal government taking over the election, called down, take a deep breath, this is a tradition of folks in the government doing their thing, not getting a pat on the back for it or getting the boot like my friends but in the end the people that have worked in this will make sure everything is in place. Do you agree, going to the issue of Critical Infrastructure, you have been working cooperatively without direct authority, the mandates when it comes to improving election infrastructure. Is that the right balance . I want to pick up on was will send. This is about keeping america safe and we know we have many different Critical Infrastructure designations even during covid19, repeated attacks on our Healthcare Infrastructure which have never been the center of our Critical Infrastructure conversation, they were in colluded but there wasnt energy, effort and investment in building those capacities and we are seeing negative repercussions about vaccine distribution. All of this is connected. When i think about opportunities moving forward i see two challenges, one is budget, their authorities are pretty limited. This is responsible for securing the networks of federal agencies, but also this billion dollar budget if this doesnt do what it is supposed to be doing, additional funding for the agency, to do that, in terms of the authority, we work with our colleagues, cybersecurity, that work across different committees, we have jurisdictional problems. Dont start with the word jurisdiction. It has to be said. The agency has some challenges, this is a continuing conversation to be candid about it but we have the opportunity to raise this. If i could add on that the next stop is in the dot. Gov space, originally designed to be, on commerce if commerce isnt doing something. That is the logical place to expand where you have that stick as mister wales was talking about because that was the goal to say to help to assure this, you have to make sure omd plays a role in it, omb has these areas as well so they have power. I want to get beyond. The question we should be talking about is how do we have a quantum resilient infrastructure, Artificial Intelligence, if the chinese were to lean on that. Washington gets caught up, talking about this one little thing wh we forget this is a freaking war and we need to be a raid as be as we can and we wont have enough money to fall on this and has to be a cooperation and partnership and we need those folk senator warren will solve these problems so all is good. A good handover, and here and into the future, a little bit late. Let me turn to you, both of those representatives talked about how it is difficult to get legislation throug congress. It is difficult to get legislation passed through congss . Will and i only worked for three years on the lowest hanging fruit in this realm. On an unrelated topic, we are deep, deep, dp into trying to see if we can actually not do something stupid again which would be relief for the holidays lve for holidays and not do covid package. We might surprise the cntry againn terms of getting stuff done. On iot, and toe this was an example, got to happen but it should not have been this hard. We all know people within the aspen would understand what purchasing literally billions of ip connect devices. We talk about 5g a lot. You need 5g to be able to bring all the sensors and connected devices to the full utilization before going to have driverless cars. Its going be based on a lot of iot devices. Yet the surface space of all the additional devices really add another vulnerability point. We thought at first maybe we could mandate across the country and, of course, w have been pulled back and said could we at least say tt if w were going to use taxpayer money and the government is going to be buying these devices, they ought to have some level of de mimis security. Because otherwise we would be out for all t good we try to do with cybersecurity just increasing our surface vulnerabilityxponentially by billions of devices and we had a pretty low standd. I would ask both congress meers to wait in, it wasnt like we tried to go to the highs, denominator. We went to the lowest and said lets make sure they are patchable. Lets make se theres not any better passcode. Lets make sure just not even great cyber hygiene but at least minimal cyber hygiene. What we frankly found is that the highend device makers were basically okay with ts. I did a call with microft earlier. They had been generally supported. The what wen extraordinarily cheap devices, low end. They fought us the nail even though theost would only be a few pennies per device. We ended up getting there. It took three years and a lot more effort and, frankly, it was more on the senate side of house are not reay much the house. Give them credit where credit is due, but it does s up a de minimi process and then do lots of intervening whos going to be taking the lead, and there was all these bureaucracy, congressman nottingham on that. It probably took an exterior whats we g an agreement this was what we going to do. What commerce was going to do, who was going to take all of the lead inside government. Is that a fair description, relatively fair . Senator warr, ihink youre 100 right. Its even more basic. Even if you cant patch this thing you have to have a plan on how to defend, so you can still defend those widgets, right . Th was le the first letter of the alphabet. We got it done, and guess what, legislation is not supposed to be easy. Its notupposed to be easy to ge things through this place. It was a desig element of the system. But when you have smart people, robin kelly, this is her bil on the house and you can getome things done. Im excited. Were going to probably pass a National Strategy on Artificial Intelligence next week, got through six committees. There is hopend this is one of the areas, cybersecuty in general, i would add the threat of the Chinese Government when it comes to global leadersp is still a partisan issue. How do we make sure we keep these issues a bipartisan issue. Like i said this is been a great ferry ive been able to work on the lastouple of years. Congratulations on a bipartisan accomplishment with the iernet of things legislation. Its one week long talked about in the comt cyber and its an important, basic step to take. Let me ask you more broadly been speaking abo the theme of areas where we can work in a bipartisan nonpartisanay. Turning it to all panists, but what did the Trump Administration get right about cybersecurity and the tersection of National Security and technology that the Biden Administration should continue, and where are there areas wh the Biden Administration should do something differently . Who do you want to sta . I will start off. Look, i think the Trump Administration, when it comes youave to have will. One of my frustrations with the Obama Administration was never naming and shaming some of the tors. I know there was always that were involved i Cyber Attacks anothers general attribution versus never. Some of us indicted them. [laughing] but not a much, okay . This is after you left, after you left. I think the Trump Administration di a good job on that area, and to think that something i hope the Biden Administration continues. I think the fact thatisa at the support andhe strength that he did throughou its years to get to where i was, that was a positive thing that evolved ov time. Im pretty confident that is something the department of homeland securit will continue under a Biden Administration. Turn to congresswoman underwood and then senator warner yeah, i think theres not been, obviously the last four years would seem a real threat from statesponsored agencies, bad actors across the globe so huawein zte and the thing presidtelect biden understands that and will continue to have a pretty serious standing posture towards thatn. But when i think about where we can reallyake the shift, theres a lot of work we need to do to rebuild public trust and government agencies, and democratic norms and institutions. Its easy to think about just like elections when i Say Something like that, democracy type language but it extends to th whole mission of all the agenci to interact in t cyber arena. I think its going to take concerted leadership a active engagement with stakeholders across the sctrum. Not just like expert stakeholrs, as private industry stakeholder but like the enduser who might eventually feel the impact of this advancement that we passed and just rolled her eyes instead of sayingait, actually lets make sure my data and privacy are being secure. Lets make sure that somebody is looking out because who knows where m dad is going . Right now theres a lot of bitterne, a lot of people who are just fed upnd that she is going to b a lot of work to do even in this realm with restoring Public Confidence and trust. Let me wait in and agree with both of my colleagues way in. Ybe stated a slightly different way. I think President Trump was directionally right on china. I would put myself in the category of being wrong, that i part of the conventional wisdom crowd, the more you bring china income they are close theyre going to come to us. When i i say china is importano say might be is that with the Chinese People or chineseamericans obviously. But i think the implementation left a lot to be desired. It was kind of a hammer, hammer, hammer. They we by, for example, to move on huawei but because we didnt do it any framework, when the Trump Administration moved to tiktok there really wasnt a case me. We havent made the kind of effort around standard rules, protocols. We need to he i kind of comprehensiveheory of the case. Some of that as got to relyn basic trust in our institutions. It was a huge mistake that we didnt move on any rifications for sloppy actors in the private sector. The fact that when hundred 60 million of americans personal data cuts td from equifax and there was no penalty, that doesnt encourage and stimute better behavior, and i think we could have, they could have wehed in there. Its been interesting the administration, tangential direct cyb but support the fact where forears and still in a privacy legislation around our platforms is crazy. That we have not done anything, a series of bipartisan bills got incident about da portability around interoperability or cant make sure peoe knew the value of theirata or the ability to print things like dark patterns. The ainistration never engag on those issues and now in the Fourth Quarter with two minutes left has something made secon 230 total repeal the top issue. Thats a zigzag approach that doesnt bring the coherence which also been breeds the trust that a think we will need and haveo expect because again as ive long indicated if we don make, have trust americans say when we save a step that it really going to affect our lives and were not going to say things rationally but theyre going to be the result of a full approach, and we lose our muster. Final thing i guess i would say is i will believe the Biden Administration, and im obsessed about these technologies, not just cyber but 5g, ai, quantum, go down the list, that cna is winning the battle. They are setting the standards, setting the rules and protocols. They have this authoririan capitalism would have national chken at the National Chicken gets 75 of the global market. They think it back with belt and Road Initiative and unlimited finaing. There is no american orven other western in a price i compete against that under normal capitalism rules. Were going to need this alliance of the willing in the technology space, cyber bng a piece of that, andhats going to look different than pvious alliances and it will be byebye but also i hope jap, korea, taiwan and singapore, india, as residual along with some of our traditional data partners but thatsot to be a true alliance, valuesbased and it has got to require collaboration and lots of these fields. Another question for the group, followed up on something senator warner said, so if one of the goals for the new administrati would be to ensure theres a coherent centrally driven appach that cuts across a range of issues to try to diminish cybersecurity risk, one of the suggestions has come from the Solarium Commission to create a position th would fill that function. It seems like the natiol Defense Authorization act which mightve been one vehicle for implementing tt complex of the less certain perhaps today and it has. I want to do a quick pol through the group. What do you think of that recommendation abo the National Cyber director, if not done tough nda, doou have other suggestions of how to do it and are the other key reforms from the solarium commissn that you would prioritize . Start with congresswoman underwood, and moved to congressman hurd and active senator warner. I had to kill it ie only been the chair for a couple of months. We havent quite gotten tohat. Im going to defer to my colleagues on the panel. So, john, having a centralized person focus on this, the key is who is the person, right . We can get a good one, but my fear around this particular ise is that everybody should be focused on this. We cantust have one person setting the policy. This is to become its moving too fast. We he to have everybody. I think removing mr. Painter out of the state department was probably a bigger hit because we need someone building those coalition with all of our allies around the world on engaging on these norm settings and things that sta one was talking about. In my opinion its six of one and half a doz of another. I fear it at one centralized place it takes responsibility off of everybody else to be focused on this. Unless dispersiblerack the whip and make sure everybody i still playing their part. The individual matters. I think how presint biden wants to view his nional securi staff and where he wants to put someone, that is u to them on how to pursue this issue. Generally, the soleri yams recoendations were pretty darn good. Angus king briefed me on it a few weeks ago. I kind of agree with will is that this is maybe, dependent upon who the person is at how much power is he or she going to happen. You probably need somebody in e white house whos got this responsibility but are we going to empower the person with enough tools to bng all of the public side of house and the private side of the house kind of to bear. I dt know. Cyber is so pervasive. I had a brief yesteay from a couple of fks come two days ago from intel cmunity that was asked to think aboutaking cyber backed out of the standalone and placing it back and all the various pieces of the intel world around counter counterespionage or counterintelligence or back in on counterterrorism ratr than funneling. Im giving an unfortunate little too political answer because expense of who the person is come how much power would come with that. I think unless you make this position very powerful, visit take awayesponsibility from all the various otherarts of the enterprise that need to have this high priority. Chris krebs or his replacement cant tell someone at commerce, take that thing, take that wget off the digital infrastructure, i think that is the more important thing we need in order to defend digital infrastructure. Having some a and coordining this policy and if this person is going to be involved in creating that coalition at senator warner was talking about, to make sure that the standards and norms a based on our value system that lren expertly articuled, then thats a great addition. The closest i got, at least a cousin of this, is when richard burr and i, we get deeper and deeper into the 5g debate, and were trying to get all of the working entity from across the fedel government. King thinking because none in the white house did. It was a lot come with commerce and dod and nsa and we h, they worked 15, 16, 18 different people at this session. And then we converged them again expense later. They admit that anything because nobody was in charge. Are we going to, o cyber, really get somebody the jews to do something . Are going to need this intersection juice between National Security, between the nsa and nec on these convergent issues around technology and that may be a model thats also rth exploring. Did one convergent issue, some questns from the audience, and this is around the threat, a little different from hacking i think and more complex in some ways, which is athe threat of nist. What other res of social Beatty Companies keeping it safe and monitored or policing some of this content. I think the debate started in the arena of terrorism wre itsasier to define what would be impermissible, may be hard to estimate how to keep it off for those services but easr to define. Now its moved into a broader range of content, theres been discussion about changing section 230thnic medications Decency Communications decency act as senator warner mentioned is a current priority. I wanted to open up a littl bit as we think about the 117th coress. Where do we thi legislation is going to go into space . What are the pros and cons to putting social mediaompanies into a position where they are regulating content . Who do you want to start . Heres what im a little obssed about. I think i like to set the table on this with if we look with the russians did in 2016 in our Elections Come what they did in the brexit vote, what they did so obviously in the presintial election of france and at all that activity. It was both cyber hacking into information and releasing it and then disinformation. At the combined expenditure on all three of those efforts is than the cost of one you f35 airplane. This is both eective and it is wicked cheap. The asymmetrical value whether it isyber attacks or misinformation and disinformation isot going to go away but only increase. Number two, we were totally caught off guard. Ou Intel Community was caught offguard. The arrogance of the Platform Companies was pretty stuing to me. We have gotten better and folks at the nsa have gotten better and chris krebs obviously did a great job with our infrastructure, and we made to have as much. This information but we had plenty of domestic disinformation coming forward. So what do we do . I would put on the social Media Companies to pockets, when puckett is trying to irease more competition, data portability, thats upith the detour act in terms of dark patterns, thats what put letting consumers or the value of the data. A series of other items around that bucket. The other on t content itself, i think section 230 may be made sense when these were startup enterpses in the late 90s and we thought of them as dump pipes. Thisothing done about the facebook and google algorithms that deliver news in some form or another to 65 of americans. The idea that the 90s framework works in 2021 doesnt make sense to me at all. I amot all the way on full repeal but if you think things like socia Media Companies should note able to avoid civi rights laws. They should not be able to afrd, avoid International Enforcement in terms of injunctive relief. The miramar troops are killing rohingya and theres an adjunctive action to takehe extent that i dont think they should be able to avoid the grinder case personal harassment and i dont tnk no matter how much you think about free speech, that freespeech right extends to paid advertising. There are areas we could look at and theres a whole question around speech versus applicatn. You might have the right to say anything you want crazy or dangers, but im not sure that right shoul be guaranteed to amplified. Clearly which in with section 230 therere cracks. We prohibited sexrafficking, child pornograp, bond making. This is mary that is ripe for additional reform. Thank you. Congresswoman underwood . I just would set a couple of things. One, this has reallyome to the fore because at least this week because of a personal grievance from the preside. We need to sit without when we talk about where can we go with this work i just dont want ts conversation to be tainted. He is feeling personally affronted in ts way. We have to call about. I hope in the next Congress House will continue itsork on a range of issues against this and is important but for so many of the Relevant Technology issues like ransoare attacks come antitrust issues, ections could issues, the disinformation that you started out talking about which isuge. I have my own bill protecting Public Safety disinformation act of homeland. I hope again we dont forget especially while were independent thats going on in the healthcare space. With these different technologies. The intersection abo. I think with strong partners in the Biden Administration theres a lot wre going to be able to do. But i do think that with section 230 that we can move forward in a bipartisan way across easter special issues that will and i touched on to rch consensus on a pposal to hold Companies Accountable and incentivize them to address like actually dangerous content that is proliferating online. However, i think that the incentives to get there may not always present themselves the y that they have this week because of the president s engagement. Its my hope that we really are serious a thoughtful about this in the next congress. I dont know that that will happen. Before President Trump started beating his chest on this issue, the far left and the far right were kind of integratedhey wanted to do something on section 230 even though it was for the ect opposite reason. I tnk now the political lives is no longer alned. Its a horseshoe. The edges are closer to each other and this is going toe an issue in the next congress tha has looked at from a lotf different ways. Buts facebook or twitter amplifying somebodys speech different thanomebody going on yelp and s the pad thai at this rtaurant was a little runny . So even the nuance within the various platforms and what should be covered is important. Whats even more difficult, and i think disinfoation is onef the most Dangerous Things haening at a country right now because o week and a postfact world, right . That trust thatas been eroded that was talked of a politico part of it has been eroded because of pple reading and consumin disinformation we all learned as kids, dont get into a car with a stranger, asterisk, unless its like uber or lyft, right . Why are we sharing information with people we have no clue who ey are . So in some of these platforms if you cant authenticate the user, me sure that use be able to talk to anybody . And less its witn your closed network. To look atmart regulations here, you are going to have to people tha you can have onesizefitsallolution to the problem. A Government Role in this is going to be ultimately limited because h can you say whether something is fact or fiction. Somebody criticing a boat that i on a piecef legislation, is that fact or fiction when they abuse that or misinterpret that . Lasting i would say, john, you lead into this question, you alluded to countering violent extremism. We know how to deal with disinformation on terrorism content but in this case when it is directed by americans against americans, right, this is a form of covert action. Covert actions responsible of Intelligence Community and the Intelligence Communityre told you cant do with covert action in the uted states of america. So the entitiesho know how to dealith this disinformation shouldnt and cant be involved in this topic. Who shoul be leading on this issu who should be driving the conversation . We need the Public Sector. We need academia. We need immediate to step up. Because the trust i not, theres not a lack of trust upanddownhe stack in government. Its also the lack of trust in traditional media, and its a lack of trust and other institutions. All these folks have to come together and figure out how we rebuild the trust with the american people. Can i i add one extra thing here . I i agree, this is an area, our inability to come with any rational regulation f the Platform Companies, even as basic as privacy, is i thinkhe Platform Companies got so big, so arrogant and he thought great, wean take advantage of the dysfunction and candidly the ignorant of a lot of members of congress and just push regulati. So instead,ur country leading on this, we have the europeans on gdpr, califnia going with its privacy variation. You got the christchurch call on content. I think youre trying to see, and us it inhis basic, Facebook Like data portability, they are all in now because of their startingo realize they t what they wished, no regulati. By the time you come back and regulate come and we will, the standards and level and type of regulations going to be much, much more serious tn what it would have been a year ago, two years ago, five years ago. And john, look, private sector is leading in entrepreneurship and creativity. We have to our intellectual, the public stor to advance as well because the only way that the american econo is going to be able to compete with Stateowned Enterprises in china is if the Public Sector and private sector is workingogether. And by the way, we have to move our allies into this also. This is one have to get this right and look him srts with the breach law, national breach law. It starts with privacy because i thin the next question we will be seeing a lot is, is your attention and extractle resource here that opens up a whole other can of worms. We hav to remember when were having dates, where in the middle of the freaking re. A comment his government is able to a rate all the resources in one direction i get to a point icker. This has to be in the back of our heads is tt we have to deal with the issues. Because we want our belief in individual rights protecting minority rights and human rights, we want that to be what the global standard is, and we know how the cnese communist party is trying to export their knowhow and their tactics to other authoritarian regimes. Finalround, question com before we wrap up. Senator warner touched on it when he tald about the norance of congress. I know you talked about that as well. Its not just a problem with congress. Its with a of directors come with senior officials. This is a newer area, a technical area. Maybe the last lightning round for all three of you because you have all taken the time to study and become experts in this area. What do you do to get the basic knowledge into the hands of pocymakers and to key Corporate Leaders so that they understand the risks well enough to ssm like they would in other areas, or in your case, to legislate . What im hearing from all of you, the homand security subcommittee o cyber Infrastructure Protection innovation, you can i wanto know what people think and what we shoulde going and you can reach out. My staff is on your but i will give o her email because she loves that. Chelsea dots blink. Hit us up and let us know what we should be going for the 117th congress. We want to continue to engage with experts, industry experts, try the, et cetera to keep america safe. Thanks for having me. Ohn, ill add, and let senator cse us out. We need to be able to pay, Congress Needs to be able to pay its staff more because, bause we want to make sure that we had some real hype heaters on all the relevant committees and we need to make sure that when were trainingtaff, like if i what more staffers that of the Computer Science background and the minor in political site or a Political Science major and minor and Data Analytics coming up and not only working for worn onomeland security subcommittee, but also at cisa, theyve had some experience in the privateector as well. So creating that hospitalization were w had that. And look, we have flows, cross polymerization. Lets get some people had that experience and get them into the government or to or three years d they get out and create that back and forth. We need to focus on educating individual members ill be honest, i would be surprised how these members have recognized theroblem but we need some ha hitting staff to understand these issues. Very rarely do we hear a retiring guy call for higher dollars for step. I voted for it. I voted for it before. Also would just did, in my view, give us a little complent tir, three years of kind it shodve been a nobrainer getting an iot bill. We worked on the natiol breach law as well. Thats one that shouldve been done six years ago when many of us started working. I agree, we need input. I do think we need the expertise for control on a regular basis. Some some of this will happen just as more andore newer members coming. So of this is less democrat, republican and agerelated. I think if we are really going to have accountability, theres got to be some penalties for failure to meet de minimis standard. Icicle back to equifax. The fact they took a short ter bump in their stock price, the ceo kind of resned in shame, with the rest of italy paid. Year later it was just built into the cost of doing business. And sloy cyber hygiene if theres not some penalty on that, and im not sure whether itsurely a liability standard, im not sure i know butheres got to be some cost of not doing the righthing, and that has to be need to put some of those rules in place and Industry Needs to realize this has to be a much, much higher priority than it has been. We will end on that note. Thank you to all three of our panelists for a great conversation, notust important topics that will be the defining topics for o time. And with that and on that note we wrap up our three d aspen cyber summit. Hope we will be back next you in person. Maybe thanks t some of the efforts senator warne was just ouining so that we can meet with allf you, audubon to thank fireeye, intel for king this weeks Virtual Summit a success and helping u host more than 45 fascinating speakers this wee from across the gernment, the private sector and academia. We would also like to knowledge loom vector in the American Gas Association for the additional support. If you missed any session please go to aspen cyber summit. Org. Aspen cyber smit. Org to view earlier days andessions. I know ive had a lot of people already questn to see if they can see the recordi. You can. Thank you again for watching, and be safe. We go live now to hear from former House Speaker john boehner picky along with other