The 14th annual billingtons cybersecurity summit in washington d. C. [background noises] [background noises] [background noises] good morning and welcome to the 14th annual billington summit. With the performance of her National Anthem please welcome to the stage oh say can you see by the dawns early light what so proudly we hail at the twilights last gleaming whose broad stripes and bright stars through the perilous fight or the ramparts we watched were soaked gallantly streaming and the rockets red glare the bombs bursting in air gave proof through the night that our flag was still there oh say does that starspangled banner yet wave or the land of the free and the home of the brave please welcome emcees for the 14th annual billington cybersecurity summit billington cybersecurity chief of staff and director of finance. Thank you. Thank you for that beautiful rendition of our National Anthem. Lets give her another round of applause. [applause] good afternoon and welcome it. We are thrilled to have you all here for billington cybersecurity 14th annual summit. I am charles of cybersecurity this is director of finance it. Throughout the next four days will be serving us or mc for the many firesides, general sessions and breakouts here in the amphitheater and the Ronald Reagan building. Is excited to the empathy of filling up. Our team is been planning for over a year for this very moment. Cybersecuritys longestserving employee this is really our best Summit Program to date. Its also great to put your faces to names. Im usually behind the computer lab for crunching numbers, making invoices, bucking some of you guys its an exciting moment to meet all of you guys. We have over 33 registrants this year thats a record for the 14 years the summit has been held. This weeks agenda is a testament to the dedication and vision by the foresight and founder and ceo Tom Billington alongside his wife susan to enhance our collective cybersecurity. It happened because of the tremendous speakers that we have here and are honored to present over the next four days. The agenda is developed the content director of the current worldclass team an incredible lineup of sessions, panels, and discussions. Over the course of the next few days will explore a wide array of topics that span the entire cybersecurity spectrum. We will delve into cutting Edge Strategies to fortify this Critical Infrastructure and fort the face of adversity the Artificial Intelligence and Machine Learning part exploring how these technologies can both empower defenders and potentially be exploited by malicious actors. We will scrutinize the ever evolving threat landscape, examining the techniques of threat actors to breach defenses and compromise data on how to prevent them. But will engage inthoughtprovon about the legal and ethical implications of cybersecurity as the digital round intersects with issues of privacy, surveillance, and international policy. I could not have said it better myself. He really captured it. This year were not only feature in closer 200 speakers and a lot of fantastic and timely content. We are hosting a large exhibit hall featuring over 110 sponsors. The exhibit hall is located just down the hall in the atrium and surrounding ballrooms we are broadcasting during the fireside general session happening in this room throughout the Exhibit Hall Space its really explore each and every wanted to explore the space and talk to the many exhibitors. Not only that, will be hosting an perception later today and tomorrow that spans the entire exhibit area what networking, full bars and music. From the rich content to vital networking, billington cybersecurity strives to provide an environment convenes and the brightest minds in Senior Agency leaders. We encourage each and every one of you to participate actively and engage in beautiful conversations with your peers. The diversity of perspectives in this room is one of our greatest assets. It is through the exchange of ideas that we can drive innovation and stronger defenses. That is right. As we embark on this 2023 billington cybersecurity summit journey together, i know we are confident the countless discussions will spark new insight and connections. Ultimately contribute to the mission of creating a more secure Digital World for the generations to come. Now before we get to all of that theres a couple of announcements i would like to mention. First about this conference is on the record and unclassified. We welcome many distinguished members of the media that are here with us today for the fourday summit. We will also allow during the breakout session will allow for q a time. With all that said its a very tight agenda over the next couple of days due would appreciate your help in us staying on time. All sessions are first come first seeded soap fireside and general sessions are happening in this room will also be simultaneously broadcasted in the exhibit hall as mentioned before. We expect to many of these sessions to be full to encourage the attendees to utilize the exhibit hall for the viewing area and overflow. We also recommend downloading it the app if you have not already done so is great for networking on staying up to real time. We recently established a wifi network that you can see on the screen behind me. For username and password. Hopefully you will be able to access what we are doing this. The full agenda as part of our printed program at billington same or sub. Com. In the hoover app. He could reference the qr code on the screen the qr code is available in your program. I think we should probably demonstrate how we should download it. [laughter] a me unlock my phone here. Great. Take the picture. Got it. And it is downloading. All you have to do is enter your email address you registered with and then create a password its pretty easy. You will get all the information in a printed program but realtime updates as well. It will be super helpful over the next week. You could network to stay informed with the session and the speaker details. We would like for you to take some surveys if you have it available as well. Once you do open the app you will see a tab for surveys. And all the sessions would appreciate your comments as your feedback is very, very important to us. So, lets think these next few days look enlightening and impactful. With that said it is my great pleasure that we introduce and welcome founder and ceo Tom Billington to the stage. [applause] good morning. Welcome to our 14th annual summit. Im honored and very excited to describe our event to you today. And to see so many friends and familiar faces from across the u. S. And the world. The 200 distinguished speakers and overwinter 15 sponsors and exhibitors that fill our exhibit area in the atrium just down the hall from here. Too that media including cspan, we welcome you. To you watching whether you are here in the auditorium or in the exhibit hall viewing stations down the hall we are so appreciative that you would take time out of your busy schedule to join us today. Thanks so much at the outset to my wonderful wife susan and son nelson who are with us today for they truly make all of this possible. You know you will be in great hands be with her emcees charles and cora and the rest of our amazing team who i will introduce shortly. We are here to make your labor day week very worthwhile. Use of your time as we enhance the cybersecurity of our country and our allies. Thats advancing cybersecurity impact in an age of heightened risk. In a moment i will describe from our incredible agenda and the faculty who make advancing this mission possible. I was humbled to start this company 14 years ago inspired by the formation of u. S. Cyber command. From day one hour mission has been to build trusted relationships, advanced thought leadership forged a serious dialogue to build an ecosystem and cybersecurity here in the nations capitol to secure our country and our allies. Our aim since then has been to build relationships and disseminate knowledge. Focus on solving collective cybersecurity problems. For those of you not familiar with the yearlong engagement our company offers, in addition to producing the annual summit we also will be broadcasting next month during Cybersecurity Awareness month. A dozen free webinars we are filming on site this week. We offer Leadership Council which includes Chatham House rule breakfast discussion and a host of other events including a new one i am very excited to announce today per our march 1920 in the washington d. C. Will host our inaugural state and local cybersecurity summit. Its our first underwriter and new york state chief cyber officer is our first speaker. We are thrilled to bring together the Cyber Community that is here today. The state and local community to enhance our local defensive posture. Please contact our team. Now, to move on to our summit for todays events as mentioned over 3000 registrants from across the country and the world. There is a wealth of knowledge and expertise sitting in this audience today. Our summit is focused on four major themes as envisioned by a wonderful content director terry byrne. The structure of the instructioe Cybersecurity Workforce and the evolving cyber threats. The breakouts will follow the same for teams. We take the time today to choose which of the 22 breakouts you wish to attend. Their signage outside the amphitheater here mullet describes was breakouts will be at the next four days are packed full as outlined in your program for short which i believe is on page two and in your app. This afternoon we aim to provide you with a high level overview of the issues started with general Paul Nakasone found the acting director of Member National cyber director kemba walden and a great opening panel. Tomorrow will kick off the day with assisted director jen easterly followed by panels and two sets of six breakouts and then we will start the afternoon with the ambassador concluded topic on the mind of all of you i am sure Artificial Intelligence and Machine Learning. Thursday we will go with dod cio jon sherman filed by district director Lieutenant General skinner. And in the afternoon our first fireside head of the Cybersecurity Department of the security services. Now this is the fifth time in the past year we have had the great privilege of featuring a speaker from ukraine. We are three old has traveled from kyiv to be with us. Thursday afternoon we will conclude with a fireside with federal. Cia Deputy Director cohen. Finally friday will begin with the honorable and conclude with haynes. Wow, we are so honored in the firesides that i just cited are a small fraction of the terrific faculty if you would please give a round of applause to the entire faculty i would appreciate it. [applause] a reminder again that immediately after todays session and tomorrow so we will hold and all attend the reception and the three parts of the exhibit hall which is a segue to our next. Our sponsors would literally lir summit this week possible. We cannot do it without their support. So now let me recognize them. Behind me too bronson silver sponsors and other partners, to our gold sponsors. To our platinum sponsors. In our registration sponsor. To her diamond sponsors hp, ibm, lookout, oracle, salesforce, and zero fox. To microsoft our identity into your trust partner. Gdi t our Cyber Strategy partner. Our cyber innovation partner our Knowledge Partner and our government it solutions partner. A huge thank you to her lead underwriters amazon web services, cisco and raytheon. Lets applaud now all these important sponsors and partners that make our event possible. [applause] so come as you all know better than i cyber is and so is creating a large multi day event like this. I am honored to work alongside what i feels the best events team in the business. They have worked tirelessly with great professionalism and deep care for over a year organizing the summit. Let me think our executive team charles, kristin, brittany, terry, cork, rachel and sandy. Supported by agent the Global Events Team and the evergreen team. Please give them a round of applause for this incredible effort. [applause] so finally, a personal site faith, family, friends are everything to me as i am sure it is to you. My mentor ted eagles meant met mothermarjorie, mother let e and Rita Thompson my fatherinlaw. Read, i want to quickly conclude with an anecdote read is now 99 years old. In 1945 at the young age of just 20 he served in world war ii and captured a Landing Craft infantry vessel during a typhoon and okinawa. Why do i share that . And each of you in this room are here because you serve. You serve in the military, and the intelligence community, and defensive or work for contractors and allies who serve the u. S. Government you make huge sacrifices and we have heard stories on the dozens of moves you have made the months away from family, the enormous stress in the daytoday responsibilities of securing our infrastructure and our Critical Networks and data. Hopefully a courageous story of heroism nearly 80 years ago a triumph of the greatest generation will serve as an encouragement to each of you and remind us of the heroism needed to defeat todays cyber adversaries. So, you have heard enough from me, him on with the program and to hear our great speakers which is why you are here. So now lets get started. First off its a great honor to introduce our first fireside chat on defending the nation against cyber attacks. And general Paul Nakasone director of the nsa and chief of Central Security service. We had the honor of having him at last to speak for us five years ago just months after assuming his current role. He described that some a vision for persistence in cyberspace. A strategy which has been hugely helpful to among other countries, ukraine. Its yet another example of his inspired leadership. If you have had a chance i suggest you google that speech he gave for us back in 2018 to see how truly prissy and it was. Best of all, both many of you know besides the exceptionally smart hes equally humble. Its an honor to introduce you to this fireside chat with general nakasone conducted by the Vice President u. S. Federal government nonprofit and Global Health at amazon web services. Enjoyed the event. I will see you on the tail end on friday. Thank you very much. I now to dave. [applause] [applause] [applause] thank you. Alright sir, it looks like we are helping kick this thing off for. Is good to see again the day progressed good to see you. Before we get started just want to say from me and all of my colleagues i would suspect many others just thank you. Thank you for your service. Thank you for defending us, protecting us. And having our backs. You and your team and everybody. Your service is incredible and we are behind you one 100 . [applause] thank you. [applause] i could barely get this on the cue card but as a fourstar general for the u. S. Army director of the national Nationalsecurity Agency who ovee nations premier signals in cybersecurity and intelligent service. And the commander of the nine states cyber calm. Is there more . Theres probably more and forgetting some. But it has been a five years later in your leadership what has changed . Dave, before we begin let me first of all thank tom and susan billington. It is great to be back here at the cybersecurity summit. The fact we have 3000 folks register, toted speakers and a number of buy own agency and command it really speaks to i think the importance. That ties a bit into the answer to your first question of what has changed . First of all with change in the security environment. I was coming up to speak here we were all focused on 2018 Midterm Election have a safe and secure election. We were thinking certainly about intellectual property and intrusions into systems. But everything we have seen since we werent talking about 2018 but here the other things i think that are also important as a security environment. Certainly china at our pace and challenged russia in acute threat. Think about the progression of where we seen russia since 2018. The second piece is cybersecurity is National Security. Foti said that 2018 that probably wouldve raised a lot of eyebrows. But what have we seen since 2019 . We have seen supply chain. We have seen rent somewhere. We have seen a number of Different Actors that have changed who provided an Inflection Point this is the National Security issue. But heres the other part i dont think is often talked about which is think about how the nations responded since 2018. New authorities, cyber solarium. Often the National Cyber directory. Fantastic work, fbi, nsa Cyber Command. Tremendous outpouring of what we need to make sure cybersecurity is part of her National Security. And im a little closer to home. I would say what we do has not changed that much. Let nsa we still do cybersecurity that signals intelligence i recommend we do cyberspace operation. But how we do it has changed dramatically. Fifty different operations 23 Different Countries 77 Different Network since 2018 the cyberspace the Cybersecurity Collaboration Center nsa unclassified, zero bids Defense Industrial base in 2018. Now over 400 moving toward 2000. Cyber security advisories unclassified level. The last pieces returned to the fall of 20. The classified to build a coalition disrupt an adversary. That is a little bit about the last five years. While, unbelievable and you are right collectively that group. He mentioned really strong organizations are all coming to the table and collaborating its fantastic. Lets talk about 702. Lots of discussion on this topic. Lots of chatter everywhere. Can you explain to us what it is and what it is not and how does it work . Great question. To collect communication of nonus persons operating outside the that utilized u. S. Collections capabilities and phone service it is an authority at the president ial Advisory Board described and most recently the most transparent Surveillance Authority in the world. Transparent surveillance. It ensures at the protection of our Civil Liberties and privacy not orbit and. It is an authority that is focusing of the series of categories. It is an authority that saved lives and ensure the protection of our homeland. It is an authority that is overseen by all three branches of government. That is what it is. So how does it work . You are an analyst you begin and say hey i have a target thats a non u. S. Person outside the united states. I would like to see if acute communication information what they are saying. U. S. Government compels the egos company to provide that information to us. We look at it we determine perhaps this person is not u. S. Person outside the u. S. Government is planning an attack on the u. S. Company perhaps a ransom or attack. Interesting, we take that and can do a couple of things. First felt previously legally is this person ever said this before . Are they unknown actor . At the u. S. Company being targeted at them and targeted before . This is the key piece of the teamwork that goes on here. So then victim notification is done. A key player in what goes on here. We write a report to make sure we provide Early Warning or victim notification. The important piece at the end of the day i said National Security and protection of Civil Liberties and privacy. What are the metrics . Lets start quantitatively. One 100 of the intelligence requirements that the president requires are wrapped up in some type. Secondly, 59 president ial Daily Briefing is sourced from some type. Third, 20 of all the National Security Agency Collection is based on some form of 702. The single source. Again, coming back to the president ial intelligence the authority would be disastrous to lose. Qualitative, what is it mean . Lester nation lost over 100,000 people to fentanyl. 702 was able to identifies chinese precursors utilizing that drug. 702 was utilized to prevent shipments of that drug to the united states. It has provided us an ability to recover the ransom of Colonial Pipeline attack in 2021. It has provided us an ability to thwart a radiant cyber actors conducting on u. S. Institutions or Public Sector entities. And finally its part again of the ability for us to conduct a campaign and eventually successfully take down the last leader of al qaeda. So again, sorry for the long discourse here. I will tell of the things we look at today 702 as a reauthorization is the among the most important National Security issue i think our nation faces today. It is fantastic so its good to hear those results and how things are getting done today and how that has evolved. Geopolitical challenges often receive a lot of attention and National Security discourse. Particularly around nation state actors you mention a few of those. What are the geopolitical security challenges you think deserve the most attention . Click certainly we take a look at the security situation as i indicated. Lets begin with nation state actors we look at today an interNational Security strategist identified and National Defense strategies begins with china as a challenge. The nation that has the diplomatic information military and economic capabilities to obvious impact our nation. It isnt autocracy it has its own agenda for the future. Its not just in the rules based order we have lived under peacefully since the end of world war ii. We have seen across a number of different entities whether its the south china sea, East China Sea whether or not china is conducting incredibly Violent Attacks within hong kong. Or whether or not is the imposition of their willing number different places where they certainly have a different agenda for the future. And then i think the other piece of course is russia. Russia and ukraine today . The illegal invasion of ukraine that we witnessed since 2022 . Again, our concern of being able to understand the focus are vigilant against both are critical. Looking at regional powers such as iran. The transporter challenges i just mention fentanyl and office of the challenges the drug. Cyber its something that certainly be look at very, very closely. It is the challenge again of pandemic disease of which we all saw over the past three years. There is a rich tapestry of things that are out there and ongoing. I think the piece we look at in one of things we can say is what is the competitive advantages that we have . That we have as an agency as a command of the nation . I think at the end the idea of partnerships. The next four days were going to talk about publicprivate partners. No hudson better seen than obviously the Russia Ukraine conflicts. There is the power that has meant so much. I think that is certainly something our competitive advantage that we hope our nation continues to have her quickset is great but Artificial Intelligence make its been around for a while those of us in the Technology Business are familiar with it. It certainly feels like the ai revolution is here. And these are exciting times. It is shaping the future of humanity across every imaginable industry. It is dominating the news cycles. What do you see as a challenge and opportunity of ai . How do you think is going to change the world . Change the world . Lets begin a little closer were changing her agency command perhaps. One of the interesting things is if you were to say lets consider Artificial Intelligence machinery eight months ago we wouldve had a lot of interest in this crowd here interest in my in command but broadly not as much. What we have seen over the past eight months weathers and whetht or a number of different instances is capture the attention of the public. We have seen all of the folks whove rushed to query different ai functions. One of things we did at the National Security agency sent and like to take a 60 day study lets do a roadmap for ai and ml Going Forward. That was recently completed. We talked a little bit about that. Much in the sense the private sector summoning Artificial Intelligence for quite a while weve been doing it for long time as well its something we are familiar with. One of the first things we said is how does generative Artificial Intelligence and or Machine Learning how does that fit in the future . And how does it perhaps in your words change the future so differently . We begin with what we do. We use Artificial Intelligence primarily within our intelligence information. How do we look at it for Cyber Security . How do we look at it differently for Cybersecurity Mission . But of the business functions . One of things very interesting from the roadmap and the subject Matter Expert and briefing was they take one third of the uses, have tremendous impact on the business functions of the agency. Terms of how we do our business. Even as compliance how does it impact us . Many of the things i am sure you have seen as wellin the private sector. That was piece one. The second piece was we have a tremendous responsibility of the National Security agency for National Security to engage with u. S. Companies have intellectual property. That they understand they are the targets of foreign entities. We had the opportunities or talk to some of the leading experts among the leading corporations in america to say this is what we are seeing. This is the tradecraft these are the techniques. This is what they are normally targeting in terms of what you should be aware of as you think about the future. The third piece came back and said that we have a tremendous responsibility. At nsa one of the things we have is a culture of compliance. We understand the authorities given to us we also understand the responsibilities to maintain our Fourth Amendment rights. So from that how do we build it in . Because this is going to be different as you saw. And so from that we have the discussion of what do we need to be due Going Forward . Here are some the things we think as an agency we have to look at. We have to look at policy. We have to look at governance. We have to look at our infrastructure. We have to look at security. No doubt security. We have to look at hate where do we need to be bigger players in International Forums on Artificial Intelligence . We have intellectual capitol. We have the knowhow how do we assist the government a number of different forms Going Forward . Finally and perhaps among the most important what does that work force have to look like . How do we train our workforce differently in the future. How do we recruit . How do which brain . How do we focus the retention thats going to be powerful and ai future . As we look at the future we do see tremendous changes. We see coupled with the security, coupled with the safeguards that we will ensure but we put in place. I would add not only are looking at the Agency Congress with a cyber commit a fiveyear plan for ai and im taking the briefing on that as well but we have a fiveyear plan how do we use ai . In the realm of cyberspace operation Going Forward . So as we look at ai today, 2023 we have this much in terms of what we need to do. But this is growing quickly. We also note i sent in a growing quickly for us but for our adversaries. This is something we will continue to work on very, very hard. She mentioned human capitol. How fast these things are growing. And in order to make any of this happen its going to be all about the people and the talents. Are you challenged with finding the right skill set . Especially in these areas . And in an era where we are coming off of covid in somewhat of an endemic where there is notions to work from home. Theres a lot of names for it. But are you challenged with workforce and skill sets . I cant imagine any speaker who get up into the knot challenge of course were challenge everyone is challenge everyone is going after the key element is going to make them successful. Its the talent that drives the company you work for the talent that drives the u. S. Government for the child that drives nsa and u. S. Cyber command. So in terms of that one of things we have come to the realization is as sweet goat forward and i would speak from both of her agency and command. Nsa we are hiring. The next thousand years half of our workforce will be hired. Half of our workforce will be hired a tremendous opportunity for us. At the same time u. S. Cyber command 400 people we hired the summer. How do you do that . Think the way we have found we have to think of training. We have to think differently about retaining. We also have to think about our work. Let me talk a little bit about that. One of the things in very focused on one of the two things in very focused on his and think all about our people every single day. How do we get better people . How do we ensure the best people are working in the most Important Mission . For years we said its about the Mission People say the agency because it is the mission. Yes, to a degree, right . But the same time what we found is coming out of covid as you mentioned one of the things is we got to think differently were tickly at our agency better workforce. Establish an Organization Called the futurity workforce. We are focused really on for things. First of all how to be onboard People Better . When you come to our agency you should drink seven years of history in the things we have done that have made the impossible possible. Secondly we have to think differently about wellbeing. How do we treat our people once they can enter agency how do we offer them the services that are necessary . Third, hybrid work. Yes hybrid work. As i mentioned we have an Actual Center outside unclassified center we do cybersecurity from. Theres other parts of our mission to do not necessarily require us to always be in a skiff. So how do we look at that . We are exploring that now. And the last piece, leadership. What i have found is at the end of the day good leaders matter. You got the best mission of bad leaders you have a Bad Organization of great leaders in an okay mission youve a Great Organization all about leadership. How do we have a curriculum that leads people from themselves leading to an institution. How do we ensure this development is built into the lifecycle of their work . Thats really what we are doing in terms of thinking about her agency differently how do we think differently about bringing on people . How do we think differently about getting them on mission . How dont think differently about keeping them in one spot for longer time . One of the nice things will being a Senior Leader in the department of defense as you get to have these conversations with the leader of the services. Maybe people dont need to rotate every three years how about 10 years . How about never . So not really crazy about that. [laughter] i wasnt going to say anything. And nonetheless i think this is a time in as you said you think about talent. We have to think differently and we must do something differently. And going to switch gears a little bit and talk a little bit about the ukraine invasion. The release of intelligence proved to be successful in the ukraine invasion. How do you balance a declassification of information with protecting National Security . Click sign out director haynes will be here at the end great credit to her great credit to the National Security adviser the president for making the determination in the fall of 2021 and it really comes onto this. As many of us know, we classify things for many reasons. We classify for how we collect the information not necessarily what the information is. So if there is some way or you can bounce protecting your sources and methods in being able to release incredibly powerful information we have seen the impact. I would say since the release of information i have never seen the effects it has had on the russian Information Operation impact they have never been able to get. Think about what we were releasing in terms of what we were saying and when were saying it. We had truths, we were first on the spot. It mattered. It mattered to the point of being able to convince a coalition to come together. Being able to disrupt president putin and being able to empower and partner such as ukraine. Its obvious the calculus that goes into but the interesting thing is if you are a fly on the wall at our agency we have some very interesting conversations. As you can imagine for people who have worked their lives collecting some of our most Sensitive Information saying i think were going to release this. That is a conversation we had many, many different times. But the important piece was hey, this is not our agencys collection or any agencys collection it is the nations collection paid from that if you can protect that and you can have an impact that is positive tort National Interest why would you not do that . And i think the power to the folks who made that determination it made a tremendous impact. You have some very prescient words five years ago let me put you on the spot too much. Very impactful words five years ago. What are the next five years going to look like . I think three things but i think the next five years really are a series of threepiece first about the peoples republic of china. We are going to be obviously in a period of intense competition with china for a long time. This is a generational challenge of our time. This is what we will deal with for this of our children will do with its with our children children will deal with. This is what we must do in terms of being able to continue to advance our values. Defend our nation and defend our alliance. The second piece is, i think it truly is wanted talk to five years ago about persistent engagement the idea to enable and enact a series of different part is the key piece is partners and partnership. Think about what we have learned. In the past three years with regard to publicprivate partners in Public Private partnerships. Think of things likes us a and the fbi the National Security agency, Cyber Command have all done to reach out to have a number of different partners whether other inter agency, in, intelligence community, International Partners private sector partners academic partners. I think the power of our nation we continue to advance those partnerships. To think differently about how we partner and did think about the outcomes that we cannot even imagine today. That can be formed with one plus one equals four, five, or six. The last one is certainly people. It is people. I heard general retired this week and one of the tv shows talk about Public Service. If i might i might just talk a little bit about Public Service. Having been in military Service Three decades, having seen the ability to have impact and impact on you. I would continue to encourage the Public Service proceeding Public Service in government to proceed in the peace corps seat a number of different places. I think that our people really are going to be the competitive advantage for our nation. And so with that idea of people pool of young people can operate in this digital age we are going to need it. We are going to need it. We are very, very excited about how we might be able to do that. And then finally as we continue to transition to the future there are different models that people are going to serve. And even again i was a someone y someone whos been in Government Service over three decades that may not be the model of the future. The model of the future might be quickly coming and going. To be able to have an impact, then coming out. Thats a little bit different than what we have experienced before. That model may work very, very wellin the future. Again as we think about the future five years hence i am very encouraged and very, very optimistic. And i look to the future and to the nation in the public and private sector. Thank you sir. Thank you you talks about people. Its all the people that you lead and other leaders lead our contractors, our Service Members and thank you for your leadership. Thank you for your time today. [applause] [applause] what a great start. Our next speaker acting National Cyber director has been at the epicenter of launching and implementing the president s National Cybersecurity strategy. The primary goals of the strategy include the strong focus on collectively with the Cyber Infrastructure a proactive counter effort against our adversaries, drunkards Cyber Resilience in response to readiness. These areas speak to the very essence of billington Cybersecurity School in hosting the summit every year. Please join me in applause and welcoming moderator chief Development Officer fox, former assistant director of cybersecurity. In our featured speaker acting walden executive office of the president. Is a traffic to follow. Thank you pretty want to acknowledge as we get started can alter from the pace of things coming out of the office of the National Cyber director you dont have a whole lot of time. Yet you spent it here this afternoon hanging out with us. Thank you for your service. [applause] quickly start maybe with what the whole discussion is about. The strategy from the white house. Tell the audience how we should be reading this it was published in march how should we be looking that document . First of all thank you for having me here. Thank you for inviting me too participate today. Im going to lean forward a little bits, these chairs are not made for my build. [laughter] so how should you be reading the National Cybersecurity strategy . Read it thoughtfully and carefully the document intended to be durable. Its the idea it is there to inform this decisive decade. As a National Security strategy is crafted. Give you a step back and a framing for the Cybersecurity Strategy. The first thing i want to say to frame the conversation today but the white house called me too be the National Cyber director it was on the eve of russias aggression to ukraine. I was discerning about whether. But the things i saw that was very different at that time was exactly what jenner was talking about. A type of collaboration that did not exist. Once set out to build the office that the office was created to do a few things chief among them was to advise on. It was also to offer counsel and advice to the National Securityy council and the Department Agencies. Is to coordinate the coordination of National Cybersecurity strategy. Clearly we had to do a few things. I like to talk in terms of music, orchestras chris talks in sports of football. But we had to do a few things. We had to first set up an office, which we did. We had to hire great people, which we did. Later craft and i National Cybersecurity strategy which we did. I launched it. But then we had to make the strategy go. Well get to the second part of the movement. Move into the conversation. But to make the National Cybersecurity go we had to consider all of the prior strategy see prior work that had been done before. To make sure we adopt those things that were working well. An upgrade. So there are two things one, we had to make sure we shift responsibility to capable access. So that when we are shifting cyber risk away from small and medium businesses in the federal government to Large Companies to those that are more capable. We also had to invest in making sure we had an ecosystem. What we are whereafter what we are after is a sensible result that likens or values. We have those first three movements of the symphony going. Can we publish the National Cyber strategy Implementation Plan. I release lengthy director of omb memo so the Department Agencies can understand the budget. We have been engaging often, maybe a little too often with the stakeholder communities. With the private sector with academia, with individuals from all towns and cities to really lean into the diverse perspectives we need to be able to execute this thing. Sue when you read the National Cybersecurity strategy read it with that in mind. We are seeking an affirmative vision of an ecosystem aligned with our values you have to read the entire strategy differently than the implementation. But it is one whole strategy. Its not effective to take the piece apart, read the entire strategy she can find yourself in it. Quick swell, that is awesome. You said on a few occasions your favorite part of the strategy document is in its last pages which is the next steps to the Implementation Plan. You kicked off the Implementation Plan earlier this year so given how broad ranging the strategy is, what or three or four parts of the implementation that you want to highlight . So yes i am excited. Quick so far. The implementation is the most exciting part of the strategy. You will see my nerdiness coming out in that way. So the strategy is wonderful for my point of view. It is not necessarily perfect but it is near perfect. Its meant to be durable. Technology agnostic. The Implementation Plan that really makes it go for there are two things. First is that we published it. Which is novel. We are driving federal cohesion and executing the implementation what i mean by that . Theres a lot of departments and agencies that are responsible for cybersecurity in some way and on the federal landscape. We all have to be driving in the same direction we have to be playing music from the same sheet we have to create symphony after all. So federal cohesion is how we do that how we provide advice to the present how we have coordination of implementation howie have Security Council staff. We have identified roles and responsibilities for Different Department and agencies across 69 initiatives that account for the 27 objectives identified in the strategy. Their responsibilities in the Cybersecurity Strategy so we dont have unfunded mandate, thats two. Now the nitty gritty thing, some of my favorite things. Recently released request for information because we knew we had to have participation outside of the federal government in order to make this do, right, thats part of our collaborative culture. The first is on regulatory harmony, state and local authorities, all want to raise the cybersecurity baseline in some form or fashion. We imposed requirements to those stakeholders that are responsible for Cyber Security, from the largest capable actors town to the smallest least capable least resourced actors. What we have to do for all of the nation, all of society to make sure we have harmonized requirements and we find reciprocity where we can and in order to have safe space to participate in the policy process. Thats one. Completed october 31st, another one open source secure software is another, one of my favorites. We issued rf5 for that one too. That is october 9th. And then the third one that is near and tear to me is find dear to me is finding a way to shift what we have been using as market forces, leaning a bit more on that. Make sure that we have Software Liability regime, right, so we hold those accountable, told those liable for making sure that our software is secure at the same time finding opportunities for safe haven when there is success in that space. Those are three of my favorite initiatives but there are plenty. Im going to ask you about the next one here in just a minute, whats to come. Okay. In the strategy phases, the National Security council highlighted having oversight while the National Cyber tractor. Help us with the distinctions with those in the nsc and nsc in the white house. Our purpose is provide advice to the president on cyber policy and among other things provide counsel, National Security council and we are there to lead coordination and implementation. Thats laid out as clear what our mandate is in the white house. So to achieve that, we worked hand and glove with the National Security council and with eop partners in order to execute the president s vision so that includes omb, ostp and National Economic council, et cetera, but we have to be able to work hand and glove. So the reason for that is because cybersecurity is a National Security concern that we also work with ostp and we also nsc and omb why because we are all in this boat together. We are all here to drive to the same vision and cybersecurity is clearly a National Security concern but also one of Tech Innovation and one of Economic Opportunity and so we have to be able to make sure that we are cohesive when we drive, so we have to work hand in hand with the National Security council, thats what that means. That helps. Something thats near and tear dear to my heart and security outcomes is the hardest thing to measure, any kind of security outcome but i like the plan, strategy, taking tatta driven approach to evaluate investment, evaluate progress. Drill down on that a little bit. How are you thinking about those measures of success and measures of effectiveness for the strategy . So i have a couple of things to share here. This is an everevolving process. How do you measure success, you cant manage what you cant measure. One key tool that we have used is articulating cyber priorities alongside the office management, director young and i sign a letter to the Department Agencies identifying for them how to request funding along the National Cybersecurity strategies objectives and initiatives. This is now the second year we have tone it. Now its an annual process. We did it for fiscal year 24. We have seen it in the president s budget there and we have tone it for face al year 25 and we will continue to to o it follow in the coming years. Thats t other is that we have listed all of those initiatives so as we complete certain milestones we are able to up grade the Implementation Plan and so as we achieve what our stated goals are, thats another way to measure how will we are i think to, right, so theres going to be a feedback loop in that way. So spend and just accomplishing the the nitty gritty of implementations are two ways to measure progress. Now, ive been thinking about this quite a bit because we also as a part of our mission we talk in the industry all of the time and this is an important piece of of what we to and why we to it. When we talk to industries, i will give you an example. I talked to a Large Company recently in the last few weeks, their ceo wanted to know where this breach occurred some time before appeared on stock ticker. Thats what that particular care about. Other Companies Care about profit. So when you start thinking about measuring cybersecurity, when it comes to industry, how to i project what is important to the nations cybersecurity and what is important to industry as it relates to their goals and one of the things that makes sense to me is that we have to start thinking about cybersecurity as a Capital Expenditure, as investment, so how to we how do we think about investing in Cyber Resilience, right. How do we think about a Capital Expenditure investment so that our profits are better, so that we have less town time and we are able to be resilient against cyberattack when it happens, right . How to we measure that . One of the things that we have to to is collect data. So created the Cyber Reporting council and im part of that in order to be able to figure out how to encourage, mandate, require cyber incident reporting, harmonize the information and how to use the data and the data is really there to be used for measuring, for being able to manage what happens in an impact of a cyberattack so we can start thinking about this in terms of investment rather in terms of how do we respond, how do we get better at response. Thats great. So the plan, youve started rolling out these implementation steps. Where have you hit obstacles, what kind of pushback or feedback are you getting and what kinds of things are you i think to to address that or has it all been smoothsailing so far . I wished everything was smoothsailing. Yeah. So the feedback weve gotten so far is, actually from my perspective quite positive. How do we plug in, where are we in the cyber incident cyber Implementation Plan, where are we in this space. The best that i can to out of the white house is encourage the department and agencies to have responsibility for certain activities. I cannot necessarily assign responsibilities to academic and Civil Society and all the stakeholders whom we need perspective. That is one. Why didnt you include x . So the biggest challenge that weve had, the biggest the most feedback weve had is how do we get to play, how do we engage, gotten that from my counterparts as well and so one of the ways to do is to identify rf5s but reach the Agency Meeting that activity, thats one. That would lead to an iteration, update of the cyber incident Implementation Plan version 2, right, so that we have a feedback loop that we welcome in order to improve the implementation of a National Cybersecurity strategy, so thats one. The other feedback ive gotten oddly is the opposite, right. With all of the rf5s and Data Collection we have a person that is responsible for reacting to all of these rf5s and so treasury publishing them, sometimes they are actually in service to the Implementation Plan. Thats a people challenge and so one of the focus that we have is how to we help our stakeholders solve the people challenge, right, and thats in my office too, it crosses federal government. How do we solve the people challenge and so we published a whole different strategy about that but now we are focused on implementation, implementing that. So one of the things that we are focused on, for example, is removing unnecessary barriers to the workforce, right, unnecessary barriers could be Fouryear College trees, could be mandatory inperson work, could be that a location barrier that opportunity enable us to really lean into the diverse perspective that exist outside of the beltway, diverse experience that is exist outside of the beltway and we need to start thinking through those challenges and what would we be able to to to help ourselves really cover cybersecurity across all stakeholder communities, how are we going to raise digital literacy. So theres a people piece to this that i think theres more to come. I love it when im asking about pushback and your challenge is the people are leaning in, agencies are leaning in. Thats a good problem to have. Yeah. So we started this conversation with you talking about the things and the Implementation Plan that you have tone as we look out, maybe over the next quarter or two what are some of the things that youre excited about that are the next parts of implementation . Thats great. So i talked about symphony and the symphony has movements. In my mind we have completed the first symphony. We have executed the National Cyber strategy, Implementation Plans, rf6 data plan, now we move heavily getting objectives done. Gao has been really helpful to us. [laughter] so when we set out to launch this to craft this National Cyber strategy, we looked at the lessons of gao and recommendations that gao published some years before what could be effective and thats what led to the Implementation Plan. The next step, though, to make sure that we are held accountable for all of it so we are looking forward to publishing what we call a posture report, what is the state of cybersecurity now. Partly by data driven that we are getting input that we are is assessing and analyzing it and we are operationalizing it but then we are going to publish and be held accountable for whats the posture of the nation so we can advise the president on the coming thing and i told you before the National Cyber strategy diagnostic and technology. Some of the things that we are leaning into outside of the strategy, at least thats not clearly placed in the middle of the strategy is cybersecurity system, for example, what does that look like. We are leaning in with the National Space council and National Security council on answering that question. We have said openly and emphatically that we are after a system thats defensible, resilient and aligned with our values, what is aligned with our values mean when you start thinking about cyberspaces, part technology, part people, part doctrine at the technology layer, what us the that mean, aligned with our values. You will be seeing a bit coming out of our office there. Implementation of workforce, implementation of a National Cyber strategy, space and what us the it mean to be aligned with our values and that would be wrapped up in our posture report. Thats the second symphony, the movements that we hope to accomplish. Thats a lot. Thats a lot. Just thinking back to tom kicking off the summit this week and he mentioned something coming early next year with state and local federal governments. I think when we two to cybersecurity conferences with a lot of big companies, expert companies, how what are your recommendations for a small state and local federal government even a Small Company for how they action that strategy, where could they two to for help and how do they partner with ncb . Fantastic question. So cybersecurity is as much locally as internationally. Cyberattacks happen in someones backyard. Happens in someones school, someones hospital, it happens in someones backyard on a regular basis so we have to engage at the local level. A few things, one the Implementation Plan was not written just for us at the federal level, it was written so state and local entities can see themselves and plug in as well, right, so you can two to the departments and see they are the lead agency for those things that are helpful to you. There is an opportunity to shift from those that are least capable and least resource to those more capable and more resourced so that is also looking to your Cloud Services provider, your managed Service Provider asking them questions, encouraging them to be contracting process, measure that would be beneficial to state and local entities but its on workforce where that is almost entirely local . Why because our Education System is distributed at a local level. Our workforce is highly feint upon our Education System. So when we work with state and local entities on their cybersecurity concerns when they only to us, its, yes, the Cloud Services provider, managing Service Providers, moving to cloud but theres a people piece that we all need to share the responsibility and response and burden that we have to engage at the state and local level and then that piece, rfi is not just focused on federal regulations but also focused not just focused on regulations but also focused on standards and assessments but also on state and local regulations and how do we find opportunities for reciprocity and how do we find opportunities to make sense of all the state ags and their priorities. We need to fold those perspectives in and i encourage state and local entities to also weigh in using the rf5 process or going directly to the president s and agencies that are assign today an activity that is particularly a concern to you, reaching out to our office and workforce and education issues that we can collaborate on a local, regional level in cyber ecosystems and those are opportunities for state and locals to be able to encage in this process but its support. Excellent. Well, we are unfortunately out of time. Ive got half a dozen more questions that i would love to ask you. But thank you to the billington summit for having us. Thank you, kemba for taking the time to spend with us this afternoon. Thanks. [applause]
comparemela.com © 2020. All Rights Reserved.