Going to be hyper brief because youll get more than you want of me throughout the day but im going to quickly introduce my partner in crime or maybe better partner in countering crime lenny hanesworth whos a Vice President at Northrop Grumman. Northrop has been a wonderful partner of gw and our center in particular. Not only todays event but multiple reports weve done together and i think play a Critical Role in advancing our National Security and our National Interest so ill leave it at that. Lenny, please . Thank you. Thanks for the introduction. Good morning everyone. On behalf of Northrop Grumman, we are pleased and honor to cohost todays event in partner with George Washington university. Frank and gwu in general have an exceptional reputation in leading rich and deep conversations about policies that will contribute to our collective abilities to enhance the National Security of the United States. As we commit Cyber SecurityAwareness Month starting next week, yii cant think of a bett platform or time for all of us to get together and discuss and pursue solutions that will enable the policy objectives for robust Cyber Security. As a company and a Mission Partner we are committed to delivering innovative Cyber Defense and fullspectrum cyber and Intelligence Solutions to our customers across the department of defense, the inner agency and Intelligence Community and the federal space. From our work we see firsthand how the threat is growing exponentially both here and abroad to combat the growing threat we believe that a multiteared approach is necessary to protect our national and Economic Security interest in the cyber domain. This approach integrates enhanced cyber capabilities, built in cyber resiliency and execution of a unified Cyber Mission with our closest domestic and international partners. In the spirit of partnership, todays event is a true collaboration between government, private industry and academia to Exchange Ideas and pursue mutually Beneficial Solutions to advance policy objectives for the u. S. And our allies. Todays panels are going to be exciting. They will focus on issues surrounding cyber deterrence and the important of Public Private partnership in spurring innovation on both the technological and works for front. Later this morning well hear from the white houses Homeland Security adviser mr. Tom bossert and the Deputy Director of the nsa. Im sure you cant wait for us to get started so let me move on to introduce our first keynote speaker, congressman will hurd. Congressman hurd serves on the committee of oversight and government reform and chairs the Information Technology subcommittee. He also sits on the committee on Homeland Security and is the vice chair of the border and Maritime Security subcommittee. In 2017, congressman hurd was appointed by speaker ryan to serve on the House Permanent Select Intelligence Committee where he sits on the d. O. D. , intelligence and overhead architecture as well as the emerging threats subcommittees. Im sure everyone here is following the progress of the federal i. T. Modernization bill that he authored and is helping to push through and usher through congressional approvals now. Congressman hurd is one of the most knowledgeable voices regarding Cyber Security in congress. Prior to being elected he served as a Clandestine Service officer in the cia. The only current member of congress with this background that we know of. [ laughter ] that we know of. And in industry he was a Senior Adviser for a Cyber Security firm. Congressman hurd, we thank you for your strong leadership on cyber and the Intelligence Committee and we look forward to hearing your perspectives today and your insights. Everyone please join me in welcoming congressman hurd. Thank you and let me just underscore the purpose of this sector is to try to shed more light than heat on what issues are facing our country when i think about leaders in the executive and legislative branch i sleep better with you fighting the good fight on capitol hill so as a bit of a backdrop let me say were glad to have you here. Your bar is really low. No, my bar is very high and you worked for a good friend of mine at one point hank crumpton. If youre providing a menu for people to eat from you better understand what it looks like and thats important. And i might also know your committee, the Homeland Security committee, youve been incredibly active as a legislator as well. So you have a lot of members of congress who can speak to the issues but not necessarily follow through with legislative prescription so thank you. Lets start with a general questi question. You cant pick up a newspaper, you cant click on a link, and be careful which link you do click on, on the net without reading and hearing about the hack du jour. Whether its equifax or you name it everyday it seems to be another one. But lets put into perspective, not all hacks are the same, not all hackers are the same, intentions vary, capabilities vary so before we jump into your legislative and Congressional Initiative can you help us rack and stack the threat as you see it . What keeps you up at night and what should we pay less attention to, if anything . So thanks for the inhave station and thanks for helping to facilitate this conversation. We still have to be worried about the nation states. Theyre still at the top of the food chain and a. P. T. S are what we have to ultimately defend against and that is where the federal government should be spending the bulk of their time and so the theft of information is going to continue to go on and we have to be able to start thinking about authentification and what does that mean. When we look at equifax, we wont see the affects of that right away. We have to look at authentication. People did not opt in in order for their information to be at equifax or any other Credit Agency so now weve used the Credit Agency so much for authentication, how do we change that. But the growing area that i getting concerned with is this information and while it is not Cyber Security in practice because its not its not technical. We have to defend against it and there are technical ways we can inculcate ourselves from this information, track this information and thats why i think these issues should be talked about close ly but the broader problem is ourselves. What is a digital act of war . Everybody asks that question, everybody thinks of it differently. We dont have an overriding policy. If north korea launched a missile into equifax headquarters, we know what the response would have been so nobody knows what the response should be now and that requires industry, government, legislators to finally work those issues out. And working with that with our allies, you have to manual which ive spent time in estonia recently and yes theyre only 1. 3 Million People but the fact that they people have trust in their abilities to defend their infrastructure everything on line is a big deal and we can learn from that. You have a lot of experience given their neighbor so i think that the man may be pretty good at his job. Im not one to look to the u. N. To help solve a lot of problems but if you look at the u. N. Defining acts of war the manipulation of a utility grid or impact on a countrys electricity is identified as an act of war so when the russians did this to the ukrainians, what was the International Response . Exactly. Crickets. And not only defining what is an act of war, we should defining our responses. Some we should say were not going to tell you. Strategic ambiguity is valuable is general attribution enough . We have to continue to work with our many countries to make sure that hacking and things of that nature. Thats why i this i the work at mr. Painter was doing at the state department that the coordinator for Cyber Security is an important tool in our diplomatic tool kit and i hope we see changes at the state department to reinstate that. Thank you. Nation states engage in Network Attacks and exploit. Peer nations that are fighting their strategy, russia, china, countries that may not be yet at the capability of those but what they lack in capability that i make up for with intent, north korea, iran. Given all your terrific work, does it warrant concern . It does. But for me can a terrorist Organization Take down our grid . Can a terrorist organization manipulate markets . I dont think they have the capabilities to do Something Like that but when it comes to the Digital Space and i say looking at i think part of Cyber Security is broader of how do you engage in the cyber domain. Cyberspace is a domain like air, land, sea and space so when it comes to ill use isis specifically their ability to leverage social media to put out a message, countermessage is important as well. And when you have people using social media, youre increasing your surface area of attack for good guys to get information i left the cia in 2009. Social media is not as much as it is. The info that i could gather from that is significant its an opportunity for us. And i think its fair to say well never firewall our way out of this problem alone. At the end of the day you touched on themes were going to pick up in greater depth throughout the entire day such as deterrence but when we think about our own capabilities, what good is having a doomsday machine if nobody knows you have it. So theres a lot of mixed signaling going on. It has benefits on occasion but not all. This is an ageold question and its an ageold intelligence question. If you have access to intelligence, do you use it to do something and if you use it to do something, youre going to reveal the intelligence and possibly lose the intelligence stream and that is why i think its important for policymakers to be making those decisions not the practitioners so this is a decision if, you know and i think the future of Cyber Command and nsa, youre going to see nsa providing a perspective and saying, hey, we need to preserve longterm intelligence value and then youre going to have Cyber Command say we need to use this to put the equivalent of lead on the target and theyre going to be in friction which is good, you want that tension but the policymaker makes the decision on we are going the ability to act is worth the loss of the capability in the future and this is even more germane and importance in cyberspace because as soon as you reveal a tool or a tactic Everybody Knows it and guess that . Its probably going to get turned around and used against you. Exactly. And that means pulling in the defensive community into any of the offensive discussions becomes more important today than in the past. And one thing that i might underscore, and its not to get a drift and well move to other topics in a second but when you look at the greatest, i would argue, breakthrough since member on the counterterrorism front it was the synchronization of title 10 and title 50 where you saw the joint special Operations Command really know when do you string them up, when do you string them along and when do you take them out . And i think that there is some history there that we can rather than relearn the hard way we can apply and i wrote a piece on this with a few friends of mine so i think there is something there that can actually get the two entities theres always going to be conflict but they have to come together to have concerted impact. And we should be perfecting that right now today in Eastern Ukraine. Thank you. The russians look, this is where Electronic Warfare and disinformation come together. The russians have been able to convince some people there is a separatist movement in Eastern Ukraine. Its not a separatist movement. Its a russian invasion of a sovereign nation. They annexed crimea in the southern part of ukraine. They invaded Eastern Ukraine in t that region and they are using the latest and greatest Electronic Warfare and we should be testing our latest and greatest counterElectronic Warfare activities to support our ally ukraine so this is a real opportunity where we should be testing some of our capabilities and were not doing it to the level of where we should and one of the question ive been asking is who is the cyber jsoc . I dont know, maybe that was russian tv over there. Theyre here. Theyre looking for me. They are. Yeah, trust me, im aware. And so that is where that should be the pointy end of the spear. Let me go back to something before we move on. When we talk about what are the biggest issues and what keeps me up at night, what keeps me up at night is kwan couple computing. Wan tum computing is going to be i knew i loved you. Its going to be here sooner than we expect and Vladimir Putin said whoever gets ai first, hegemony is going to be decided by who gets to quantum computing first and in real broad applications and that is going to change how we do things and we us and our allies should be focused on this, canada has some really interesting things going on of course here in the u. S. And this is something that the only way were going to achieve being the first here is industry and government working together. And academia. Working together as well. And we did a major report last year on active defense looking at proactive steps companies can take because we cant simply blame the victim and what makes cyber different is theyre on the front lines of this war. I mean, how Many Companies went into business thinking they had to defense themselves against Foreign Intelligence Services who, by the way, are not only bringing cyber to the fight but all source intelligence. But also dont be a victim. Most of the major attacks weve seen are not zeroday attacks, they are if youre watching your network, if youre doing proper credentialing you would solve these problems and so utilizing good and digital System Hygiene is where we should go and the government is some of the biggest violators of these principles and thats why ive spend so much time trying to shine a light on that problem is to make sure that prevent the opium from happening again, that were following some of the most basic of activities and a lot of my work is focused on the dotgov space but the Intelligence Community is just as bad. The cloud is not new technology and the cloud is secure, you can secure the cloud. We should be transitioning to this as quickly as possible and by dragging our feet and we have folks that dont understand this, guess what . Get up to speed on it. Thats why i. T. Procurement is so important because i want to make sure our chief Information Officers across the federal government have the tools they need in order to modernize and make sure theyre defending and not only defending our Digital Infrastructure but providing the service theyre supposed to be providing to the american people. Well said. Hygiene is still twothirds of all attacks are due to phishing expeditions. I might note the phishers are getting more and more sophisticated, doing intelligence they get one credential to move to another but youre spot on. Thank you for raising that. Lets go to legislative activities and when i quickly introduced you in the very beginning, youve been legislatively incredibly active and, again i think in both hats youre wearing but also the homeland committee, your Foreign Fighter Task force and terror finance work thats rich with legislative prescription which is im not sure have been poll lowed up by your bicameral colleagues on the other side of capitol hill but tell me in particular about your United States modernization bill. Where is it . Where does it stand and what are the guts that we need . Two things, thanks for those comments but its also the Homeland Security committee, its chairman mccall. Brendan shields is right there. Yes, theyre intimatelied involved and focused on this, when john katko was the chairman of the task force that looked at foreign fighters which produced a lot of interesting pieces of legislation, so this is theres a lot of folks that are intimately involved in this then you have to talk about oversight and government reform, ogr where im the chairman of the subcommittee on i. T. Where weve done our mgt work, our modernizing government technology, or smart government as i like to call it. So the bill passed the house on the senate so were going to go to conference on the ndaa and make sure we keep that language in the ndaa and hopefully well get a conversation version passed before the middle of december and then one more tool for cios to use and the omb and office of American Innovation have been really intimately involved in this process. They have ideas on how they want to implement and my biggest fear is that our cios are not prei paired as soon as this goes into law to take advantage of it so that is where many of the folks watching here today can be helpful in helping some of these federal cios be put in a position to take advantage of mgt. One thing im going to be doing on the subcommittee, we do a score card and the score card i score card and well start keeping track of the working capital fund for modernization so if youre taking advantage of that, theres a culture of modernization in your organization so i think that is one more metric we should be looking at for our various agencies so some agencies will take advantage of this. Others will not and that was the reason for having working Capital Funds at each agency as well as the centralized fund because there should be 26 different experiments going on in how you modernize based on your infrastructure and so we im excited about this, i always joke ive been in almost 50 parades in my two and a half years in congress, ive never seen a sign on a parade that says i. T. Procurement. There wouldnt be parades without it. Exactly. So its really exciting to be able to hopefully see this come to fruition pretty soon. It genuinely is exciting and i think legacy systems bring about vulnerabilities that are no one worth their salt is patching them either because theyre on to the next and the greatest. And people understand that. I represent 29 counties in south and west texas. San antonio on one end, Cyber Security city usa, el paso on the other one of the safest largest cities of its kind. In the middle probably more cows than people but when you tell people the federal government spends 90 billion on purchasing i. T. Goods and services and 75 of that is on maintaining legacy systems, theyre outraged. And two other legislative initiatives of yours, the smart wall which im very curious and also the specific cyber implications of what that could be from an exploit and from a defend from a red and blue perspective and also i was broke intoed with your proposal to initiate a stronger role for the National Guard which i think the member and women serving in the guard is an incredible resource that is tapped when bad things happen but they could be so much more and especially with respect to cyber its a way you can have men and women who want to serve their country but maybe want a salary or lifestyle with their families thats different to be able to do a little bit of both and you mentioned estonia earlier and they have whats called the Cyber Defense league where they have a National Guard on steroids where they can support the ministry of interior so theyve expanded the way we think of the guard under title 32 tach commutes and the like but i would be curious about both those bills, first the smart wall and any insight you may have on the current proposal on the wall and then specifically on the guard. So i represent 820 miles of the border between the u. S. And mexico. Thats a lot of miles. More the border, between the u. S. And mexico. Thats eye lot of miles. More than any member of congress and i chased al coup i da and russian Intelligence Officers and proliferators all over the world, so i know a Little Something about chasing bad guys and the premise is, building a 30 foot high concrete structure from sea to shining sea is the most expensive and least effective way to do border security. We should be using the latest technology in order to understand the difference between a bunny rabbit and a person coming across the border, and we can but look the border is broken up into sector. El paso has 300 miles, only 60 miles of Persistent Technology and the technology is 20 years old. We dont need the Hubble Telescope on the border. We need a camera that can see at night which is basically any camera. We can use radar, lidar, uhm, lay a fiber optic cable, use the analytics off of that. The reality is Sensor Technology has come so far and so cheap its basically disposable and we should be thinking of it that way. All that information that were gathering from those sensors and we should take a mile by mile perspective because a one sides fits all solution doesnt work and figure out what is the best tool for that location, have the information and beam it to the man or woman in Border Patrol for them to do their job. Now the Cyber Security implications of that is basically Cyber Security of the internet of things and so making sure that and this is i think going to be one of the biggest debates that we have to make sure as were building things we do not make the same mistake we make with the internet, dont hard code passwords and user names into your systems. Make sure your systems are able to update remotely. These are some of the basic things we should be using and ultimately, being able to secure a Sensor Network along the border is not an unbelievable challenge, but we also do have to remember that the narco trafficane and smugglers dont have jurisdictional debates in congress. They dont have to worry about congressional approval for their operations, so the bad guys are well financed, well equipped, and that they will be using counter techniques in order to counter what were doing. Before getting to the guard, one question. With the intent, if you see real momentum there, will you also have Cyber Security requirements because we did a couple of major reports with Northrop Grumman in the past with their cio and it was on baking security into the design of infrastructure and it played a significant role in the defense acquisition process. Would that be a stipulation . So i think fisma kind of already covers some of those requirements, and that is something that would ultimately get pushed down to dhs procurement, but its something that needs to be youre overlooking . Absolutely. I want to just, i want to get this done, and because look, it is 2017 and we dont have operational control of the border and its because we havent looked at the entire border at the exact same time and you cant look at the entire border at the exact same time if youre not utilizing technology and manpower and on the guard, its real simple. The notion is now that we are close to the finish line with g mgt were going to focus on what i call the cyber National Guard is simple. Kid in high school with aness to get a degree in Cyber Security well find some federal dollars and then if you go to school on a scholarship you go and work in the federal government for that same amount of time, call it four years. You come to gw or texas a m university for four years and then you go work at not nsa or dod, but the u. S. Census bureau, the Social Security administration, the department of interior, because we need people there, and then after youve worked there and you work in the private sector, that company, you know, like northrop, are going to loan you back into the federal government for the proverbial one week in a month, two weeks a year. The loan back will probably be Something Like ten days a quarter or ten days every other quart sore doesnt disrupt business processes in the company but enough time where you can sink your teeth into something, and so thats the process. Now, some of the challenges. The 15,000 holes in i. T. Jobs in the federal government we dont have common job descriptions for that. So if we have something coming out of school we have to make sure that they have the credentials in order to come into one of these jobs, so the first step is we got to make sure that theres common job descriptions across the i. T. , across i. T. Positions in the entire federal government. I think this is something that can be solved in 60, 90 days, lets just go ahead and take somebody who already has job descriptions, take the top 300, tell the federal cios map each position to one of the 300, boom. You the it in a database, were ready to go. So thats one of the preconditions that we have to do. I think we have some ideas on how to sort out the money, but the other question is, loaning people back into the federal government, how would businesses be comfortable with that and well also have to Start Talking and stream lining the process of getting security clearances as well. But that will allow cross pollenization of ideas and we except the fact the federal government will never be able to compete with the private sector on salary, but mission and there is not too many other entities out there where, that has a scale of any Agency Within the federal government, so that is a skill set and perspective that you cant get in many places in the private sector, but you can get it in the government, and its a skill set that is absolutely valuable in the private sector. Well said. Im glad you touched on the workforce issue, and building career paths and professionalizing the processes is really important. Weve got ten minutes about for questions, seven minutes actually so please identify yourself before you ask the question. Well do two here and then go to the back and we have a mike coming. Hi, is it on . Yes. Hi, rick weber, insight Cyber Security. On other legislative issues, can you talk a little bit about the mppd reorganization bill passed the Homeland SecurityCommittee Government oversight is looking at it. Can you tell us when its going to come to the floor and what changes there might be . s he the cyber report per this is a good piece of legislation. Chairman mccall is exactly right in the need for that reorganization and this is one of those issues where the term, the issue jurisdiction gets in the way. Ive heard that term more in the last two and a half years of my life in the previous 38 years combined, and so the answer, the real answer is i dont know. But its something that i think that we need to move forward and i think that nppd and dhs is so important. They are the belly button in sharing between the federal government and the private sector. They are the only entity that can transition from need to know to need to share, and they are, and that is why i think dhs is so important when it comes to coordinating, and i always use an example of you know, why need to share is so important. We knew that came out of the 9 11 commission report, about intelligence sharing within the Intelligence Community but that translates into the cyber world as well. Ive been out of the cia for, since 2009. Ive never, have ever said the true name of the farm. Super secret dont start it now. Im not going to start it now but even though its in every book and every movie, i just cant do it, and so thats why culture matters and i think thats why dhs is so important. But i want to see that bill move. Awesome. Nothing that i know of. I think theres a hearing coming up next week on that. Braen dan is in the back of the room. You can hammer him. Mike nelson with cloud flair, technologist working for a Technology Firm so i always look for Technology Solutions but im going to ask about economics. Seems like theres very Little Research done on both how we can make spamming, ddos attacks, malware, ran someware less profitable for the criminals, and we have even less Good Research on how we can change the economics so we can get people to fix the problem. One very good example is in the federal government, where we have hundreds of servers that are used in almost every ddos attack because they amplify the attack. Somehow we have to get the economics right so the people who run those servers are punished. Thats helpful perspective, and austin our legislative director is here and thats an interesting thing to follow up on. Thank you. It does play into some of the perception management of psychological operation were also seeing, whats the cost, if russia gets it wrong on twitter. The cost is nothing. Yep. And if they get it right, its at low cost and we all know that they started the hiv cia rumor, which was all false and now theyre just doing it old intent, new tactics. The cost is an issue. Absolutely. We had a question back here and if we can do quick questions, so please. You got it. Mike klein, university of wisconsin. I think youre being a little tough on state cios and federal cios. Arent many of them appointees, and i think at thete