Speakers as well as an Awesome Group of participants in the room itself. Let me also welcome our viewers on cspan. Obviously they play an Important Role in Public Service and to better understand how washington does and does not work. But im going to be hyperbrief because youre going to get more than you want of me throughout the day, but im going to very quickly introduce my my partner in crime, or maybe better partner in countering crime, lenny hainesworth who is Vice President at Northrop Grumman. Northrops been a wonderful partner of gws, of our center in particular. Not only todays event, but multiple reports weve done together, and i think play a Critical Role in advancing our National Security and our national interests. So ill leave it at that. Lenny, please. Thank you. Thanks for the introduction. Good morning, everyone. On behalf of Northrop Grumman, we are just very pleased and honored to cohost todays event in partnership with gorge washington university. Frank and gwu in general have an exceptional reputation in leading rich and deep conversations about policy that will contribute to our collective ability to enhance the National Security of the United States and our allies. As we commit Cyber Security awareness month, starting next week, i cant think of a better platform or a time for all of us to get together to discuss and pursue solutions that will enable the policy objectives for robust Cyber Security. As a company and a mission partner, we are committed to delivering innovative Cyber Defense and full spectrum cyber and Intelligence Solutions to our customers across the department of defense, the interagency and Intelligence Community and the federal space. From our work, we see firsthand how the threat is growing exponentially, both here at home and abroad. To combat the growing threat, we believe that a multitiered approach is necessary to protect our national and Economic Security interests in the cyber domain. This approach integratesence hansed cyber capabilities, builtin cyber resiliency and an execution of a unified Cyber Mission with our closest domestic and international partners. In the spirit of partnership, todays event is a true collaboration between government, private industry and academia to Exchange Ideas and pursue mutually Beneficial Solutions to advance policy objectives for the u. S. And our allies. Todays panels are going to be exciting. They will focus on issues surrounding cyber deterrence and the importance of Public Private partnerships in spurring innovation on both the technological and workforce front. Later this morning, well hear from the white houses Homeland Security adviser, mr. Tom bossert. And the Deputy Director of the nsa, mr. George burns. Let me move on to introducing our first keynote speaker, congressman will hurd. Congressman hurd service on the committee of oversight and reform. He also sits on the committee on Homeland Security and as the vice chair of the border and Maritime Security subcommittee. In 2017, congressman hurd was appointed by speaker ryan to serve on the house permanent select Intelligence Committee, where he sits on the d. O. D. Intelligence and overhead architecture as well as the emerging threats subcommittees. Im sure everyone here is following the progress of the federal i. T. Moderation bill that he authored and is helping to push through and usher through congressional approval now. Congressman hurd is one of the most knowledgeable voices regarding Cyber Security in congress. Prior to being elected, he served as a Clandestine Service officer in the cia. The only current member of congress with this background that we know of. That we know of. [ laughter ] sorry. No worries. And an industry was a Senior Adviser for a Cyber Security firm. Congressman hurd, we thank you for your strong leadership on cyber and the Intelligence Committee and we look forward to hearing your perspectives today and your insights. Everyone, please join me in welcoming congressman hurd. [ applause ] well, thank you, congressman. And let me just underscore the purpose of this center is to try to shed more light than heat on complex issues facing our country. And when i think of leaders in government, both in the executive and legislative branch, i know i sleep better with you fighting the good fight on capitol hill. So as a bit of a backdrop, let me say your bar is low. Your bar is really low, though. My bar is very high. Im joking. You worked to a good friend of mine at one point. Absolutely. Hes on our board here. And i think it genuinely is important for those that legislate to understand if youre providing a menu for people to eat from, you better understand what it looks like, and i think thats really important. And i might also note your committee, the Homeland Security committee and on the House Permanent Select Committee on intelligence, youve been incredibly active as a legislator as well. So youve got a lot of members of congress who can speak to the issues, but not necessarily follow through with legislative prescriptions. So thank you on behalf of the center and all of us. So lets start with a general question. I mean, you cant turn on the tv, you cant pick up a newspaper, you cant click on a link, and be careful which links you do click on, on the net without reading and hearing about the hack du jour. Whether its equifax, you name it, every day there seems to be another one. Lets put it into perspective, not all hacks are the same, not all hackers are the same. Intentions vary, capabilities vary. Before we jump into some of your legislative initiatives, can you help us rack and stack the threat as you see it . What keeps you up at night . And what should we maybe pay a little less attention to, if anything . So, thanks for the invitation and thanks for, you know, helping to facilitate this conversation. And i would say we still have to be worried about the nation states, right . The advanced persistent threats are still at the top of the food chain and apts are what we ultimately have to defend against and that is where the federal government should be spending the bulk of their time. And so the theft of information, that is going continue to go on and we have to be able to start, you know, thinking about authentication and what does that really mean. I think when we look at equifax, the equifax brief, were not going to see the impacts right away. This really is changing has to change the way we do authentication. And the American People did not opt in for their information to be with equifax or, you know, any of the other credit agencies, and so now, you know, weve used those weve used the credit agencies so much for authentication, how do we change that . But the growing area im getting concerned with is disinformation. And while it is not Cyber Security in practice because its actually not, you know, taking its not technical. We have to be able to defend against it and there are technical ways that we can inculcate ourselves from disinformation, track disinformation and thats why i think these two issues should be should be talked about very closely. But the broader problem on this is ourselves. What is a digital act of war . Mmmhmm. Everybody asks that question. Everybody thinks of it differently. We do not have an overriding policy. If north korea had launched a missile into equifax headquarters, we all know how what the response would have been. Right . So we have nobody knows what the response should be now. And that requires that requires industry, that requires government, that requires legislators to finally work those issues out. Now, there are and working that with our allies. You have the talon manual, ive spent some time in estonia recently, and, yes, theyre only 1. 3 million people, but, you know, the fact that they their people have trust in their abilities to defend their infrastructure, do everything online, is a pretty big deal, and i think we can learn from that. Got a lot of experience, given their neighbors. So i think that demands they be pretty good at their jobs. Absolutely. Look, im not one to look to the u. N. To help solve, you know, a lot of problems, but if you look at the u. N. Defines acts of war, and, you know, the manipulation of a utility grid or an impact on a countrys electricity is identified as an act of war. So when the russians, you know, did this to the ukrainians, what was the International Response . Exactly. Crickets. Exactly. And so these are some of the things, and i also believe not only defining what is an act of war, we should be defining what is our responses to some of those acts of wars. Some of our responses we should say, were not going to tell you. Right . Strategic ambiguity is valuable and we also have to have these conversations around on attribution. Is general attribution enough . I think it is in some cases. Weve also got to continue to work with our many countries to make sure that hacking and things of that nature are considered criminal laws. And that is another level we need. Thats why i think the work that mr. Painter was doing at the state department was important, that that coordinator for Cyber Security is an important tool in our diplomatic tool kit and i hope we see some changes at the state department to reinstate that. Well, thank you. Just to put a little backdrop to that. So nation states, both engage in computer neck work attack and computer neck work exploit. Pure nations that are into their strategy, russia, china, countries that may not be yet at the capability of those, but what they lack in capability, they make up for with intent. North korea, iran. Then foreign terrorist organizations, given all your terrific work, does that warrant any concern on your end . It does warrant concern, but also so for me, can a terrorist Organization Take down our grid . Can a terrorist organization, you know, manipulate markets . I dont think there is evidence out there that suggests they have the capabilities to do Something Like that, but, again, when it comes to the digital space, you know, and i say, you know, it looking at i think part of Cyber Security and where i look at it is a broader of how do you engage in the cyber domain, you know . Cyber space is domain just like air, land sea and space. So part of it is the rules of engagement within cyberspace. And when it comes to when it comes to ill use isis specifically, their ability to leverage social media to promote a message. So countermessaging important as well. And when you have people using social media, guess what, youre increasing your surface area of attack for the good guys to go in and get information. Absolutely. I left the cia in 2009. And so social media was not used as much as it is. Shoot, i wish i would have been able to have that information to do my job because, you know, the info that i could gather from that is pretty significant. So not only is you know, its an opportunity for us when we go on the offense, especially in the intelligence space. Now, im really glad you brought that up because i think its fair to say well never defend our way our firewall our way out of this problem alone. At the end of the day, you touched on themes were going to pick up in greater depth throughout the entire day, such as deterrence, such as signaling and the like, but when we think about our own capabilities, do you think we ought to be a little more transparent . What good is having a doomsday machine if no one knows you got it . In reality, if we deter, we have to demonstration. Dont you think there is a lot of mixed signaling going on. It has benefits on occasion but not zblaulz there is, but this is an age old question and an age old intelligence question. If you have access to intelligence, do you use it, and if you use it to do something, youre going to reveal the intelligence and possibly lose the intelligence stream. Yep. And thats why i think its important for policymakers to be making those decisions not the practitioners. So this is a decision if, you know, and i think the future of Cyber Command at the nsa, youre going to see the nsa providing a perspective and saying, hey, we need to preserve longterm intelligence value. Then youre going to have Cyber Command say we need to use this to put, you know, the equivalent of lead on the target and theyre going to always be in friction. Theres always going to be at loggerheads. Which is good. You want that tension. But it is the policymaker that ultimately makes a decision on the the impact, the ability is act is worth the loss of the capability in the future. And this is even more germane and important in cyberspace because as soon as you reveal a tool or a tactic, Everybody Knows it, and guess what, its probably going to get turned around and used against you. Exactly. And that means pulling in the defensive community into any of the offensive discussions becomes more important today than it did in the past. Right. And one thing i might underscore, and its not to get adrift, and well move to other topics in a second, but when you look at the greatest, i would argue breakthrough since 9 11 on the counterterrorism front, it really was the synchronization of titles x and titles 50 when you string them along and when do you take them out . And i think there is some history there that we can rather than relearn the hard way, we can apply. I wrote a piece on the cyber jsoc with a few friends of mine. I think there is something there that can actually get the two entities there is always going to be conflict, but they have to come together to have concerted impact. And we should be perfecting that right now today in eastern ukraine. Thank you. The russians, look, you know, this is where Electronic Warfare and disinformation come together. The russians have been able to get convince some people that there is a separatist movement in eastern ukraine. Its not a separatist movement. It is a russian invasion of a sovereign nation. They annexed crimea, which is in the southern part of ukraine. They invaded eastern ukraine. They have 920 tanks there and they are utilizing the latest and greatest in Electronic Warfare and we should be countering that. We should be testing our latest and greatest counterElectronic Warfare activity and we should be doing that to support our ally ukraine. And so this is a real opportunity where we should be testing some of our capabilities, and were not doing it to the level of where we should. And one of the questions ive been asking is, who is the cyber jsoc . I was like, you know, i thought maybe that was russian tv over there. Theyre here. Theyre looking for me. They are. So, yeah, trust me, im aware. And so so that is where that is that should be the pointy end of the spear. And let me go back to something before we move on. When we talk about what are the biggest issues and what keeps me up at night. What keeps me up at night is actually quantum computing. Quantum computing is closer is going to be here sooner. I know i love you because were doing a lot of work its going to be here sooner than we expect. I know vladimir putin, i think he said, you know, whoever whoever gets a. I. First, no. It is going to be decided by who gets to quantum computing first. In real broad applications. And that is going to change how we do things. And we us and our allies should be focused on this. Canada has some really interesting things going on. Of course here in the u. S. And this is something that the only way were going to achieve the being the first here is industry and government working together. And academia working together as well. And we did a major report last year on active defense, looking at proactive steps companies can take because we cant simply blame the victim. And what makes cyber different is theyre on the front lines of this war. I mean, how Many Companies went into business thinking they have to defend themselves against foreign intelligence services, who, by the way, are not only bringing cyber to the fight, but all sorts of intelligence. But also dont be a victim. Right . Most of the major attacks weve seen are not zero day attacks. They are if youre patching your network, if youre doing proper ve credentialing, you would solve these problems. Utilizing good System Hygiene is where we should go. And the government is some of the biggest violators of these principles. And thats why ive actually spent so much time trying to shine a light on that problem, is to make sure that prevent the opm from happening again. That were following some of the most basic of activities. And guess what . Most a lot of my work is focused on the dotgov space, but the Intelligence Community and the military are just as bad. The you know, look, the cloud is not new technology. And the cloud is secure. You can secure the cloud. We should be transitioning to this as quickly as possible. And by dragging our feet and if we have folks in that are responsible for this that dont understand it, well, guess what, get up to speed on is it because and thats why i. T. Procurement is so important because i want to make sure our chief Information Officers across the federal government have the tools they need in order to modernize and make sure theyre defending, and not only defending our digital infrastructure, but providing the service theyre supposed to be providing to the American People. Wellsaid. Hygiene, its still twothirds of all attacks are due to fishing expositions. I might note that the fishers are getting more and more sophisticated than doing intel. One they get one credential to get to another. Youre spoton with that. So thank you for raising that. Lets go to some of the legislative activities. And when i quickly introduced you in the very beginning, youve been legislatively incredibly active. And, again, i think in both hats youre wearing, but also in the homeland committee, your Foreign Fighter Task force and all the terror finance work, i mean, that is just rich with legislative prescriptions. Im not sure have all been followed up by your bicameral colleagues on the other side of capitol hill, but tell me in particular about your i. T. Modernization bill. Where is it . Sure. Where does it stand . And what are the guts . So two things. Thanks for the for those comments, but its also the Homeland Security committee. Its chairman mccaul. Its the staff and the folks brandon shields is right there. Did he sneak in . That are that are intimately involved and focused on this. When john katco was the chairman of the task force that looked at foreign fighters that produced a lot of interesting pieces of legislation. So this is there are a lot of folks that are intimately involved in this. You also have to talk about oversight and government reform, ogr, im the chairman of a subcommittee on i. T. Where weve done our mgt work, or smart government as i like to call it. So the bill passed the house and its passed the senate. So now on the ndaa. So were going to go to conference on the ndaa and were going to make sure is that we keep that language in the ndaa. So hopefully well get the ndaa conference version passed in the house and the senate before the middle of december. Then there is one more tool for cios to use. The omb and office of American Innovation have been really intimately involved in this process. They have ideas on how they want to implement it, and my biggest fear is that our cios are not prepared. As soon as this goes in the law to take advantage of it. I was going to ask you about that. So that is where many of the folks watching or here today can be helpful in helping some of these federal cios to be in a position to take advantage of mgt. One thing that im going to be doing on the subcommittee, we do a scorecard, and the scorecard is evolving from a scorecard to a digital hygiene scorecard. One of the things well start keeping track of is the working Capital Funds for moderation. And that is if youre taking advantage of the working capital fund for modernization. That is one more metric we should be looking at for our various agencies. So some some agencies are being able to take advantage of this. Others . Others will not. That is the work for having working Capital Funds at each agency. There should be 26 different experiments going on in how you modernized based on your infrastructure. And so we we im excited about this. I always joke. Ive been in almost 50 parades in my 2 1 2 years in congress. Ive never seen a sign on a parade that says i. T. Procurement. There wouldnt be parades without it. Exactly. Its really exciting to be able to to hopefully see this come to fruition pretty soon. It genuinely is exciting, and i think legacy systems bring about vulnerabilities that are no one is patching them either because theyre on to the next and the greatest. Look, and people understand that. I represent 29 counties in south and west texas. San antonio on one end, Cyber Security city, usa, el paso on the other, one of the safest largest cities of its kind. In the middle, probably more cows than people. When you tell people the federal government spends 90 billion on purchasing i. T. Goods and services and 75 of that is maintaining legacy systems, theyre outraged. The oem costs. Two and, two other legislative initiatives of yours. The smart wall, which ive very curious, and also the specific implications of what that could be, both from an exploit and from a defend from a good guy a red and a blue expect. Sure. And also, i was really intrigued with your proposal to initiative a stronger role for the National Guard, which i think the men and women serving in the guard is an incredible resource that is tapped when bad things happen. Right. But they could be so much more, and i think especially with respect to cyber. Its a way where you can have men and women who want to serve their country, but maybe want a salary or a lifestyle with their families that is a little different. To be able to do a little bit of both. You mentioned estonia earlier. They have whats called the Cyber Defense league. Yep. They have sort of a National Guard on steroids, they can support for a foreign intelligence issue the ministry of interior. Theyre actually expanded the way we think of the guard under title 32 statutes and the like. Id be curious about both of those bills. First the smart wall and then any insights you may have on the current proposals from the administration on the wall and then specifically on the guard. So i represent 820 miles of the border between the u. S. And mexico. Thats a lot of miles. Its a lot of miles. More than any member of congress. I chased al qaeda and russian Intelligence Officers and nuclear proliferators all over the world so i know something about chasing bad guys. The premise of building a 30foot concrete structure is the least effective and most expensive way to do border security. We should be using the latest technology to understand the difference between a bunny rabbit and a person coming across the border. The border is broken up into sectors. El pasos sector has 300 miles, only 60 miles of Persistent Technology along it. That technology is 20 years old. We dont need the Hubble Telescope on the border, we need a camera that can see at night, which is basically any camera. We can use radar, lay a fiberoptic cable and use the analytics off of that. The reality is, since our technology has come so far and its so cheap, its basically disposable and we should be thinking about it that way. So all of that information were gathering from those sensors, and we should take a mile by mile perspective because a one sites fits all solution doesnt work. Figure out whats the best solution for that and beam it to the manage or woman in Border Patrol for them to do their job. Now the Cyber Security implications of that is, is basically Cyber Security of the internet of things. And so making sure that, you know, and this is i think going to be one of the biggest debates that we have to make sure that as we are building the internet of things we dont make the same mistakes with the internet. Dont hard code. Dont hard code, you know, passwords and, you know, usernames into your systems. Make sure that your systems are able to update remotely. Make sure, you know, these are some of the basic things we should be using and ultimately being able to secure a Sensor Network along the border is not a unbelievable challenge. But we also do have to remember that the narco traffickers and king pin smugglers dont have debates in congress. Make them compete for contracts. Exactly. They dont have to worry about congressional approval for their operations. The bad guys are wellfinanced, wellequipped and that they will be using countertechniques in order to counter what were doing. And before getting to the guard, just one so with the intent, if you see real momentum there, will you also have Cyber Security requirements . Because we did a couple of major reports actually with Northrop Grumman in the past with their cio. It was on baking security into the design of infrastructures and it played a significant role in some of the defense acquisition process. Would that be a stipulation . So i think fizma already requires some of those requirements and that is something that would ultimately get pushed down to dhs procurement. But its something that needs to be but youre open to looking at that . Absolutely. Look, i want to just i want to get this done and because, look, it is 2017. We dont have operational control of the border and its because we havent looked at the entire border at the exact same time. You cant look at the entire border at the exact same time if youre not utilizing technology and manpower. And on the guard, its real simple. The notion is now that we are close to finish line with mgt, were going to start focussing on this. What i call the cyber National Guard is real simple. Were going to try to find some federal dollars if they want to get a degree in i. T. And if you go to school on a scholarship, youve got to go and work for the federal government for the same amount of time. Call to four years. Come to gw or texas a m. Work at the census bureau, the Social Security administration, the department of interior. We need people there. After youve worked there and going to go work in the private sector, that company, you know, like northrop are going to loan you back into the federal government for the proverbial one weekend a month, two weeks a year. I think the loan back will probably be Something Like ten days a quarter or ten days every other quarter. So it doesnt disrupt business processes in the company but its enough time where you can sink your teeth into something. So thats the process. Now, some of the challenges. The 15,000 holes in i. T. Jobs in the federal government, we dont have common job descriptions for that. So if we have someone coming out of school, we have to make sure that they have the credentials in order to come into one of these jobs. So the first step is weve got to make sure that there are common job descriptions across the i. T. Across i. T. Positions in the entire federal government. I thinks this is something that can be solved in 60 and 90 days. Lets go ahead and take somebody who already has job description, take the top 300, tell federal cios map each one of these to a different position, boom, put it in a database and were ready to go. Thats one of the preconditions we have to do. I think we have some ideas on how to sweat out the money, but the other question is loaning people back into the federal government, how would businesses be comfortable with that . And then well also have to Start Talking and streamlining the process of getting security clearances as well. But that will allow crosspo crosspollenization of ideas. And we accept that the federal government is never going to be able to compete with the private sector on salary. But mission. There are not too many other entities out there that have a scale of any Agency Within the federal government. So that is a skill set and perspective you cant get in many places in the private sector, but you can get it in the government. Its a skill set that is absolutely valuable in the private sector. Wellsaid. Im glad you touched on the workforce issue and building career paths and professionalizing the processes is really important. Weve got ten minutes about for questions. Seven minutes, actually. So please identify yourself before you ask the question. Well do two here and then well go to the back. We have a mike coming. Hi. Is it on . Yeah. Hi, rick weber, insite Cyber Security. On other legislative issues, can you talk a little bit about the mpdd reorganization bill passed the Homeland Security committee . Government oversight is looking at it. Can you tell us about when its going to come to the floor and what changes there might be . Hes a cyber beat reporter. No, look, i think this is a good piece of legislation. I think chairman mccaul is exactly right in the need for that reorganization. And this is this is one of those issues where the term, you know, jurisdiction gets in the way. Ive heard that term more in the last 2 1 2 years in my life than the previous 38 years combined, and so the answer the real answer is i dont know, but i think its something and i think that it is so important they are the belly button in sharing between the federal government and private sector. They are the only entity that can transition from need to know to need to share and they are. That is why i think dhs is so important when it comes to coordinating it. I always use the example of why need to share is so important. But knew it came out of the 9 11 Commission Report but that translates into the cyber world as well. I have been out of the cia since 2009. I have never ever have said the true name of the farm. My super secret cia. Dont start it now. Every time it is in every book and every movie i cant do it. So thats why culture matters and why dhs is so important. I want to see that bill moved. Nothing that i know of. I think thats hearing coming up next week. Brenden is in the back of the room. Mike nelson with cloud flair. Im a technologist looking but ill be looking for economics. Eems to be less how we can make malware less profitable and even less so how we can change the economics to fix the problem. One good example is in the federal government where we have hundreds of servers that are used in almost every attack because they amplify the attack. Some how we have got to get the economics right so people who run those servers are punished. I think its an interesting thing to follow up on. Thank you. And it plays into some of the psychological operation. Whats the cost if russia gets it wrong on twitter . The skos nothing. If they get it right its at low cost and we all know they started the hiv and cia rumor which was all false. Now they are doing it all intent new tactics. If you can do this. I think youre being a little i think at the state level most only stayed two years. Very rarely stay there four years. I think one of the major problems is we dont have technology management. This week all of the cios will be meeting and the governor across the way is being strong in terms of bringing the states together. Could you comment on that . Sure. I completely disagree that im being tough on cios. Im trying to get them more tools. I dont just bring them. I wring the Deputy Agency as wellment they should be getting all of the responsibility and authority. You cant hold them responsible if they dont do their job. Everything we have been doing is to strength this. There is not enough continuity. We have to look at is it lack of adequate manpower . We have to make sure we are creating the right culture. It begins with making sure the cio is part of it. There are so many agencies where the cio doesnt report directly to the agency. Thats unacceptable. So i think making this issue more of a csweet youll see them feel like their work is being valued. They have huge issues and congress breathing down their throats. I recognize the difficulty of that. Thats why i want to make sure they have the tools. And last question because we are actually out of time and i have to be a bit of a tyrant. But with that state and local question what are your das as government operations. Jay john on recommended that. It prioritized states, cios to get support and training and dollars from dhs, voluntary. I think the concern many had is that dhs is going to try to take over managing elections. No. Dhs are not running utilities. The infrastructure is considered. It is not run ago phone company. So i think those fears have been 26 of the Voting Machines were brought and all hacked within i believe six hours. This is something that our local municipality states in federal government has to be working together to ensure the protection of our voting systems. Thank you for joining us today. Thank you for your service and thank you for getting things done. My pleasure. [ applause ] im a prelaw m the university of charleston. I think the most important issue for West Virginia is twofold. I think its an issue of poverty that ties into our drug epidemic, lack of jobs, lack of opportunity makes the drug epidemic worse and its just a cycle that bills upon itself. A Political Science major at the university of charleston. One of the biggest issues i see in West Virginia is governor justice pushing a road bond bill for our special election that is going to pump millions into our infrastructure that sounds nice but when you look at the big picture, its going to hurt my generation and the future. It says its not foing to raise taxes or be a problem but if you look down the road its going to screw West Virginia long term. Thats not something we need right now. Weve had some difficult Economic Times over the past five or six years. Really one of our Top Priorities is to improve our economy and put people back to work. We have taken a great deal of different steps to do that. Thats what our priority is. Im a senior here at the university of charleston. Im double majoring in english and science. I did my senior project on what we would consider a well known issue is our opioid dependency issue. Sde determining an issue that would be more individual lly for patients. It will make our city, state great. This spanish ambassador to the u. S. Talks about the Independence Movement in catalonia. 90 of voters supported independence in spain. This was hosted by the hudson institute. Its just under an hour. Thank you very much for