In this portion youll hear from coordinator rob joyce and Deputy Director george barnes. Good morning, good afternoon. One bit of housekeeping information, tom boss ert is duty calls, hes responding to obviously the devastating effects in puerto rico and since his job is to be head of Homeland Security, cyber, counterterrorism, hes kind of running in a million directions. We are truly fortunate to have rob joyce in his place. For those of you who dont know rob, rob is the cyberlead at the National Security council. Hes the socalled cyberczar, the coordinator for all things cyber. He comes to the white house from the National Security agency where, among other roles, he ran tao, which i think has gotten a little more notice in recent years, and there was a time we couldnt even mention that. But rob comes to this job with true professionalism. Hes worked these issues from a collector and an operators perspective. And he has a natural ability to translate sort of those ideas into policy and the like. So rob, thank you for doing this, especially at last minute. I thought wed start with a general question. The executive order that was promulgated in may. I know a lot of homework items were due early september, late august. Can you sort of give us a sense of where we stand . And i dont expect you to break all news in terms of what exactly was provided. But tell me where things stand and then in particular just because its been a common theme of our overall event today, the cyberdeterrence language in particular. Certainly. Please. The first question is this on . Sounds like it. All right, so thanks for the opportunity to be here and tom bossert did send his deep regrets. Hes in the middle of, you know, the white house response to the hurricanes, both, you know, as the devastation hit texas, florida and puerto rico and sister islands. So working that hard and asked me to step in. I appreciate the opportunity. Thank you, rob. To talk in this space. The executive order, let me give a brief thumbnail for those not familiar of what it covers and then well talk about the reports that come in under it. Four big areas in the executive order. The first is protection of our government networks. Those networks are the ones that transact government business, but also hold the information in the american people. When you look back at things like the opm breach, its not hard to understand why weve got to put effort in making sure those are secure and modern. And i think anybody whos either interacted with government i. T. , or is currently in the government knows that not every place in the government is at the same level of protection and security. Probably not the case that Everybody Needs to be. But we do need to make sure the most important information, the most important both National Security information, but also privacy implicating information is protected. So the e. O. Was tasking the modernization of those federal networks and thinking about how we do cybersecurity at scale. And a lot of that, you know, looking ahead, the recommendations coming in there where things like shared services. The idea of moving to modern cloudbased services, the concepts of getting connected to the experts in cybersecurity. When youve got the bureau of Land Management overseeing important things like hydroelectric power production, theyre not going to compete with dhs, nsa and dod in recruiti recruiting cybersecurity special circumstance lists, but you want those Networks Just as secure as other places in the federal government. Thinking about how we can do some shared Services Even in security operations. So thats area one is federal networks. Area 2 is Critical Infrastructure. In that area were talking about the critical 17 Critical Infrastructure sectors, things like power, energy, communications, health, water, transportation, maritime. All of those sectors where often those are run and operated by the commercial industry partners, but have implications to the safety and even National Security of our country. So that is a collaboration between those sectors and the u. S. Government as to how we improve security. You know, this year the trend line continues that advantage is going to offense. Thats a scary thing when you think about Critical Infrastructure. We cant have our power grid being held at risk. We cant have questions as to whether the Financial Sector can stay free from intrusion. So what that means is we have to have both security as well as resiliency in those Critical Infrastructure networks. Not to cut you off, do you see a day where the initiative can be with the defender or where it always be with the attacker . Red will always be ahead of blue, right . Given what you previously did. I think well, just one comment in that. I did tao, but i also was cnb, yes, yes, assurance. There you go, youre right. I encourage people to flow across that membrane, offense and defense, the phrase i use with others is it takes a chief to catch a thief. Absolutely. Both of those jobs i thought differently about the way we needed to move forward because of the experience of the other. So its which job trumped the other, not in terms of more fun, but i would say my tao job was easier, and the Information Assurance kept me up at night. There you go. So yeah. So Critical Infrastructure resiliency is important. We cant assume that offense wont get through the defenses we put up. So at that point youve got to have capabilities, one to find and uncover intrusions as fast as you can, two, minimize and lockalize the impact from those intrusions. Three, when you do have an impact, how do you recover and recover quickly . It only takes the devastation that were seeing from some of these hurricane impacts to know that when these services are down it has tremendous implications to health and safety and welfare. Which, by the way is part of a deterrent, too, the ability to bounce back minimizes the reason a perpetrator may turn to those directions, if you can demonstrate the ability to bounce back. Absolutely. You asked about our deterrent strategy. You know, one piece of that will certainly be demonstrating resiliency. So if you have a question as to whether an effect can hold someone at risk, whether an effect will succeed or whether it will have the impact youre seeking, it may change the calculus of your willingness to go ahead with that. Absolutely. And on the Critical Infrastructure side, i mean, no one will disagree that the 17 Critical Infrastructure areas are all important. But some are arguably more critical than others. Absolutely. The lifeline sectors, energy, electric, energy and electric, telecommunications, Financial Services, water, transportation. How do you we cant have Peanut Butter approach where we treat everything equally. Or can we . There has to be priorities. We dont have unlimited resources. When youre faced with scarcity of resources, you have to prioritize. For me the base of that pyramid is the power sector. If you look at when the power goes down, things cascade from there. The sugar daddy of all, yeah. Can only run so long on generators. The communication sector goes down, the banking and finance sector isnt going to be able to transact. Theres this cascading effect. In fact, were working on the grid exercise that will be coming up we always do an Energy Sector cyberexercise. This year were trying to make this joint with power and the Communications Sector im sorry, the banking and Communications Sector to look at some of those knockon effects and make it more realistic as to how society would react. Even defensive standpoint, why rob banks, thats where the money is, clearly the Financial Services sector is very far along. And quite bluntly, theyre only a few sectors that could genuinely absorb some of the high end threat indicator information intelligence, whatever we want to call it. I dont remember, theres nyack or n stack, creating sort of a super sector. Is that something you think worth looking at . Does that infairly put forth ahead of others . I dont think well create a supersector, but well spend more time looking at interaction between sectors and making sure that all of the dependentsies in one are teased through and the threads are pulled to impacts to others. Then that gets to sort of the concept that we have unlimited vulnerability, limited resources and a thinking enemy that based their actions on our actions, its not like security is an n state, its a continuous process. The question there becomes sort of in that prioritization, anything new coming out of the executive orders that you think can because weve all heard Public Private, everyone agrees with that, i think. But ive been known to say long on nouns, short on verbs. Weve talked about it. Weve admired the problem. What are some and its not to suggest there arent solutions. The Energy Sector we just heard from scott erinson at ei, Financial Services the fsr and the fsi sack and theyre doing phenomenal work. But it still comes to the policy without resources is rhetoric. So where do we see that coming down . Sure. So i think it is a joint activity for both of us. Private industry has invested, government has invested. I dont know that the gears on the teeth are meshing yet, so one of the calls we often get from the isacs and the fs arc is we need more sharing of the government knowledge and information that you have. In the classified arena, thats hard to push everything the government has, sources and methods are, you know, implicated in some of that. So what weve been talking about is instead of the push model, send us everything youve got, is finding ways to integrate a few of the key analysts with Sector Knowledge into the government areas where they can then look for their equities, identify information that then needs to be pushed out for action. And how about the vice versa . Do you see that going where government can spend more time in these Critical Infrastructure areas, not just hiring them out of government but we think it is important not only for the connection but also for the development of the government expertise and the relationships. Awesome. Awesome. But i think that the most impactful step well have is bringing more into the analytic sectors from the commercial side so that they can have expansive access, but in a controlled way where the data isnt as at risk and we can keep track of what then is pushed out and shared with industry. Coming to your role as sort of a primary producer of information and customer of other bits of information, but largely a provider, i mean what did you find coming into a white house kind of role . This is more of a personal question. What did you think made sense . What didnt . All of these executive orders that we have all put a lot of blood, sweat and tears in in this room, and of course you guys, but what really works . Did we have the ability to know in the event of an incident what would trigger an escalation, what a significant incident is . When are you going to get your war room together to be able to manage the consequences of an incident . Are those still well know it when we see it or what are your thoughts on that . No, weve got a process. In the end it is going to come down to expertise, right. Thats why it is really good youre there, by the way. We have a wide array of really smart folks distributed across the community. So when you look at what dhs has, what odni has in the ctick. Ctics is that taking flight . It is. I consume intel from that. For those, thats the Cyber Threat Intelligence center. That is an organization that takes reporting from across the Intel Community to include open source and commercial and partner information, and then tries to summarize up what we need to know. Theyre at the front lanes of sensing a warning, but also the Intel Community and commercial entities. So every day across that wide array of participants, we all drink from these fire hoses of information streams, but what we rely on is the expertise and judgment of a bunch of different people and thing get elevated quickly. We have routine interaction where i host the interagency once a week. In that we talk about Threat Landscape can and other things, but with those daily information flows weve got a process when something is breaking to pop and call an ad hoc session, and theres a president ial policy on when we turn to a very formal Coordination Group that kicks off and is led at the dhs level that triggers some very formal processes, communications, interactions with the commercial entities, and even has a lessonslearned process at the end so that every incident we get a little better. Can you give us a sense of what that what sort of an incident would potentially trigger that . I mean would obviously i dont think the Equifax Breach went in, but if there were an attack on the grid, as you mention, as we saw in the ukraine, that probably would trigger it . Absolutely would. A great example is, you know, as wannacry hit the health sector. That triggered . It wasnt hitting in the u. S. , but we watched the impact it was having at the uk, and that kicked off, you know, significant interagency processes. What about iot, how big i mean youve got a vast universe when we talk about prioritization that im sure keeps you up at night. I used to say i get up i sleep like a baby, wake up every few hours crying. But in all sincerity, where does iot and the fact that our attack surface is genuinely growing exponentially and the realtime to get solutions is probably at the design phase, i mean systems to systems. For all of the engineers that are here, i believe you, i believe in what youre trying to do. But at what point, where does iot sort of come into your thinking . And specifically, the physical cyber convergence vulnerability in terms of how we should be thinking about that. So iot is at the same time both a huge opportunity and a huge threat. The things it is going to enable in our society, making lives easier, you know, the train is moving and we are going in that direction, right . Were not going to slow it down and stop it. But as we saw in the myriad bot net and other things, poorly designed iot is a real threat to infrastructure, to capabilities, financial and even National Security. So at this point theres been various calls, everything from do you do the Underwriters Lab to certify the cybersecurity of iot all the way down to let Market Forces drive. Were in the middle. Wed like to see great articulation of standards, what is best practices. We would like to encourage the Industry Groups to follow those standards. Theres some really simple things that every iot device ought to have and, you know, it starts with it needs to be updateable, right . The idea that when vulnerabilities are found that it can be updated. You would like to have the ability to make sure that it doesnt have default credentials and passwords. Beyond that, the curve starts going up. Ideally it ideally its update process is c cryptographically secure. Theyve thought about doing an update so it cant be spoof. Those are easy things that are understood how to do. Market pressures are not always driving the companies to do that right stuff from the beginning, and thats where i think the government and Industry Groups can push and help. You know, it is our desire not to see that pendulum swing all the way to regulation, which is why we in the executive order kicked off some bot net studies and other things that really go back to iot roots and some of the same root causes. Awesome. One other thought since you brought up crypto, the going dark dilemma and challenge. Obviously stymies Law Enforcement intelligence. The flip side is without strong encryption, the chinese, the russians, whoever the perpetrator is, is going to exploit that information. How should we think about that . And then we have key provisions to fisa sunsetting at the end of december. Is there a call from congress and we just had congressman herd here and many others, but whats the call if there is a call to action, and help me think through the going dark phenomena. Let me start with 702 first. Fisa 702 statute, it is just a critical tool in the terrorism and even Cyber Defense realm. Happy you said that. Yeah. So it is a tool that helps us understand threats, and it is a lawful tool under close court supervision. It is, you know, even based on some of the reporting out there, you can see that it is wellmonitored. Theres oversight from multiple levels, both inside those agencies and with independent verification. And so it is really important that we get a reauthorization. The administration has called for a clean reauthorization. So since you didnt get tom bosert here today, you can get a little of his information. He did an op ed piece in the New York Times a couple of months ago. I would encourage you to go out and look at the oped piece, but it is a tool we cant afford for our safety to let sunset. I think congress is wellfocused on it and were looking to keep that capability. Awesome. When you asked about going dark, i think that, you know, the first message i would want everybody to understand is strong encryption is good for the nation. Theres no black and white about that. Hear, hear. We need it for business, we need it for our personal privacy, we need it for our protections of the National Security side as well as the way we interact just as a society. That being said, theres also a really important part for rule of law, and so what we would like to see is, you know, responsible corporations consider how they can be responsive to a judicial order. The government shouldnt have a police in saying how thats done, but the design considerations up front should consider that, you know, we as a society need to do investigations. Theres a reason, you know, that all of us look to Law Enforcement and the government to provide some basic components for society, and that includes the ability for a judge to say, i need access to some information. So thats what we would like to see. Very strong proponents of encryption. Theres no doubt strong encryption needs to be a capability. We have smart Tech Companies in here, both that are able to provide that encryption and security, but when theres a need for warranted access they can provide it. So and im going to ask sort of an unfair question here, so i mean quantum computing and chinese satellite, satellites being launched, ahead of state from russia talking about the importance of Artificial Intelligence to dominate the world, what does that mean . Are we in the midst of a space do we know theres even a race going on, and what does it mean for our tale . We need to make sure we have the capability to ensure our dominance in this space, yes or no . Im actually these are big news stories that kind can of get buried in the tech pages, but theyre actually really big from a policy standpoint. So what are our thoughts on that . Did that cause you to take notice . Yes. I know it did you, but other policymakers . Certainly. When you look at technology, theres a history in this country that Technical Innovation has underpinned our society, and it has also really given rise to the amazing lifestyles that we have here in the u. S. You know, the good news is we have such a healthy set of industries, research labs, academia, theres nobody that doubts were the leader in technology. But we cant take it for granted, right . We cannot. Thats why we continue to invest in that. You saw just last week the white house kicking off stem educational programs. Weve got to continue investing in that next generation, both of the people and the technologies, and i would argue that in the end if we do the people right the technologies follow. The people are the secret and the key to our innovation. And even from a threat perspective, i mean technology always changes but human nature is pretty consistent. Yes. And good, bad or indifferent, that has to be factored in, and that gets into the whole human collection versus technical means and all of that kind of stuff. So im glad you really glad you raised that. A couple more questions just on the deterrent piece and then were going to open it up. So what did what can you share in terms of what the agencys put forward on trying to articulate our cyber deterrence . By the way, in fairness and i dont mean to lead with these questions. I dont think you articulate cyber, you articulate actors from crossing lines, in terms of Computer Network and exploit capabilities. But what are we thinking about that . Do you see a day where we will have a genuine cyber deterrence strategy . So i do think well have a genuine cyber deterrence strategy. And the will to follow through when lines are crossed . So i tipped you to a couple of things that are in there, right. One is demonstrating resiliency, is going to be a cornerstone to deterrence. We have to have the assurance we have done the right things to plan for eventualities that sometimes are heinous to consider can, but we have to do that planning, and then weve got to exercise. Weve got to practice like we play. So that element is really important for resilience. A second element of it is, you know, kind of what i hear you alluding to, which is the imposition of costs. We can have norms. Norms are great, but without an imposition of cost for the people who are outside of those norms, who are going beyond the pale, you know, the norms dont mean anything. And the bad guys have to know that we mean business when certain things are cross, right . Because right now they dont know. So at times, but i would say, you know, one of the things weve used is Law Enforcement. Youll continue to see us indict even when at times we cant bring people to justice, we know that theyre, you know, after a public indictment theyre going to stay put and their government is not going to give them up, but it is a powerful diplomatic message. Absolutely. It is a powerful signal to send to others who are considering it, and were using it. Theyre retired, they cant travel. So that has a cost, too. Yes. And were also using sealed indictments. That in the back of minds who participate in these activities, you know, that should that should make them wonder as they travel internationally, you know, it doesnt need to be to the u. S. But other places, theyll come to justice. So thats one element. Another element is the art of diplomacy, the levers we have with other countries and the ability to shape their actions. Sanctions, the ability to do primary and even secondary sanctions. Weve used that at times for cyber topics. Were going to use that again and more. And then theres other elements. You know, we will respond to cyber with cyber. Most of the time you cant solve cyber with cyber, but thats one of the arrows in the quiver. So it really is a whole of government, but for us it is the willingness to impose costs. We have found Big International consortiums are often slow to move or reluctant to move to impose those costs. So for us it is often going to be bilateral, you know, finding the right partner for the right problem moving forward, and then bringing coalitions along but not waiting for the coalition to be large and grand. Because this came up in our conversations with congressman hurd in the other panels as well, do we need new alliances . First off, any thoughts on the state Department Reorganization that is ongoing . I think part of it is the whole story hasnt been told there. It is not as if theyre getting rid of everything staterelated, but anything on new alliances . Because when i look at obviously the strongest alliances are our 5is and nato, all of which are absolutely backbones for the United States and need to be. But then youve got allies like israel, allies like japan, allies like south korea who are in tough neighborhoods with actors that concern us, because whatever theyre seeing it is coming our way soon. Stay tuned. Those are the practice fields and were the main stage. So i would be curious what your thoughts are in terms of alliances specific to cyber. So do we try to integrate the cyber issues into every existing treaty, policy, organization, or do we need something new, which in part is the challenge with cyber. It is its own domain, but it transcends air, sea, space, right . How do we put a bow around this, or is there not a bow to put around . We need alliances and, you know, i just returned from a trip to singapore, who is singapore and seoul in a tough neighborhood as well, with some exceptional technology, a strong focus on becoming both a Digital Economy leader as well as, you know, a security cybersecurity thought leader in the region. That also afforded not only the chance to talk to singapore but the asian neighbors met there. We huddled on cybersecurity and that region of the world is thinking about what they want to do to improve their own Digital Economy and security. Cyber is a topic that comes up with every country we interact with. For us, again, it is about priorities and resources. We are going to have to pick and choose the relationships to grow, and i think the ones we are going to emphasize are the ones who are going to be willing to enter into deterrence aspects with us. And have capacity, right . And have capacity, and we have the start there. Awesome. Last question, and then i will open it up for a few. Weve got a few minutes. But any comment on dhss decision visavis kapersky . I think it was the right decision. It wasnt one we entered into lightly, but the idea we have something with that pervasive access to u. S. Government systems that pushes information overseas to a country that has, you know, laws that require these companies to submit to the intel services, that data, thats just a risk can we cannot have on our government networks. Absolutely. You know, we recently hosted greg clark, the ceo of symantec, and russia is requiring providers to turn over their source code. Fortunately, in their case they took security over sales, but im not sure thats a big issue i think going forward, and china as well. So china has a huge market. So i hope u. S. Companies think about the security implications prior to doing that, the flip side. We have a couple of minutes for questions. Please identify yourself, and well do here and then here, and then oh, god. And then well go there and then who i cant see back there. So lets start over here. Hey, rob. Thanks for joining us. Jeff hancock, senior fellow at the center as well as ceo of advanced cybersecurity group. Questions really around active Cyber Defense. I dont mean hacking back. You and i share some of the similar backgrounds, red, blue. When i talk about hacking back, it is not in context. Active Cyber Defense for across the federal government, civilian side, not dod, not dhs, strictly civilian side. What are your thoughts on that as well as what it means for the commercial realm . Theres been talk for many years about companies hacking back or shouldnt they, there are legal shields around that. Thoughts and perspectives and how it plays into the deterrence aspect, because it is great to be resilient, prepared and defensive, but at some point you have to gather intelligence, you have to be able to weigh your means and active Cyber Defense allows for that. So i was curious about your thoughts on that. Im still not understanding your definition of active Cyber Defense. Did a big report on that. We can send it. You went to both places which is i dont mean hacking back but i mean gathering intelligence. I dont understand. If you are doing active and gathering intelligence, it sounds like hacking back. Versus intent. Yeah. So i have a very strong belief that offensive Cyber Operations where youre compromising a box that you dont own needs to be an inherently governmental operation. So if you are talking about going out, compromising a box and deleting the data that they stole from you or imposing punitive penalties so they feel like they feel some pain and dont want to go after you again, i really think thats a bad idea for the cascade of things that can occur in that space. If youre talking about compromising a box to go gather intelligence, that still is some pretty risky space because we are, as you heard, going to start imposing costs for the intrusions that are coming at the u. S. That puts us in a delicate policy space when, you know, were out there poking countries and pushing them hard to respond to intrusions, and if theyre seeing our companies doing intrusions into their space, whether it is gray space or red space, theyre going to have a legitimate ask to us to make it stop. If you are talking other definitions of active Cyber Defense where you are changing your network, you are manipulating the data thats coming in and putting it into place wrs the adversary may be talking to something that you are gather more intelligence about, where they are manipulating things and the data they get back has been changed so that it is unuseful or unhelpful or causes them to question their tactics and techniques, im a huge fan of that activity and i think theres some really Creative Things being done in the marketplace and across the community. And more can be done there too, right . I mean with massive anything inside your own network arguably is fair game. Or even, you know, collaboration where something sits at a higher level inside the network. I think theres room for isps or partners with isps to do unique things to defend many people behind them. Like the cyber threat alliance, and it is some that can actually do it right now. So there is a difference between cowboy and theres a difference between a Public Private partnership where you then turnover evidence or information that others can act upon it. And that, i think, is part of that gray area, but i dont think it should be so gray, but thats just because otherwise were going to continue to blame the victim and were never going to build high enough walls, big enough locks by deep enough motes. It is doomed for failure. There has to be sort of like in a football game, you need a linebacker. You cant just have defensive tackles. So i dont know, i dont want to go too far on that. We had kwae. Dustin, and then a question back there. Dustin. Oh, sorry. Then we will go there. Lisa, right there. Dustin voigt with reuters. Theres been rising concern among law mamakers of both part about the cyber threat on social platforms, facebook, twitter, to interfere in elections and so forth. I wonder where you stand on that issue. Should the companies be doing more to sort of get a grapple on to get a grip on this issue of foreign interference and you gave me a real easy question, where do i stand. Yeah, go ahead. Should the companies be doing more in this space to get to be more transparent and monitor this issue more closely . And how substantial a threat do you consider foreign disinformation, propaganda, that sort of thing on the social Media Networks . So i do think theres more that companies can be doing, and im seeing that they are waking up to the threat and putting effort into it. You know, i would commend facebook, for example. The research they did. These Companies Know their platform better than anybody. They understand who is interacting on their platform and whats normal, and i think that the using their platforms and their technologies to understand when theyre being misused is the best solution to some of this. When you asked about, you know, is it a problem, absolutely. Is it a growing problem . Yes. I think anything that would be turned to try to subvert our democratic processes, it is something we need to understand better and put some checks and balances into place. And, again, it is trade craft from an actor we have seen in the physical world for years, i mean the old rumor that agency was behind hiv aids. Now it is just on steroids with no cost, no penalty. The other thing i would point out is every election is an Information Warfare campaign. It has just moved beyond the two participants who are candidates. We have a question back here, and then we will have one more here and thats it. Mike levine from abc news. Going back to the kapersky issue, would you say your concerns are based on what the russian government could do through kapersky or was part of the concern what you know the russian government has done through kapersky . All im going to say is we made a really thorough investigation and we made a prudent risk decision, and im confident we got to the right answer. Wellsaid. Question over here. Hi. Thanks. Eric geller from positive lit co. This morning bloomberg reported investigators looking into the Equifax Breach believe theres evidence it could have been nation state activity. Im not going to ask if it is true, but im going to ask what you and the Trump Administration do to mitigate the damage from these kind of things, where theyre trying to find information to use for blackmail as opposed to Social Security fraud. What are the steps that the administration can is and can take to limit the damage from that kind of incident . Eric, great question. It is clear that we cant other nations hold us at risk through cyber, right . And if this is a nation state im not saying it is you know, that amount of data has huge value to intel services, Information Operations and other things. You cant make it go away. Once it has been stolen and, you know, operationalized it is out there. What we can do is look at the things that make it useful and valuable. O are companies doing the right things to defend personal information . Do we have the proper breach notification so that when there is an incident that it gets discussed in a timely fashion and responded to . And then weve even got to think about the underlying components that put us at risk. I would offer that the Social Security number is a pretty antiquated thing. The idea that every time i want to use my Social Security number i put at risk by sharing it for legitimate use, i think thats pretty unacceptable and i think theres good opportunities to use modern technology to factor authentication. Public private keys, to give us a way that we can modernize and use that in a way that i dont have to put it at risk by using it, and when there is a compromise that theres easy revokable way. So a show of hands, how many people have changed their Social Security number knowing that it is compromised . I dont think that happens. Yeah. I personally know four instances where mine has been compromised. I think everyone here, does everyone here have i mean if there were a show of hands that you think your ssn or your passwords have been compromised . So that to me is, you know, the need to think about how we define information, how we use it, what we put at risk, and limit the knockon consequences of using information. We might have time for one more because a question here. Rob, let me ask, and i dont want specifics on this by any means, but can you give us some assurances that everything were doing to address the crisis visavis north korea also includes a cyber dimension to that . Because ultimately cyber, again, it is an instrument of their political and it may be the first volley we are seeing of something that could get bigger. Are you part of those discussions . So north korea is a huge issue. Were using all elements of National Power in there. Were also considering it in terms of risk can, right. So north korea is a belligerent nation. Theyve chosen to use cyber in the past, and so were making sure that were attentive to the probability that they if cornered or even if not cornered will use cyber in malicious ways. Awesome. Last question . Rick weber, inside cybersecurity. Executive order also deals with use of section 9, the most Critical Infrastructure. Can you tell us a little bit about the administrations thinking about how to refine that process . Yes. So were taking a look at how we define section 9. Today theres a set of criteria that gets you inside that that Critical Infrastructure designation. For those not familiar, theres a section in a previous eo that talks about Critical Infrastructure, and section 9 of that executive order talked about probably the most critical of Critical Infrastructure. If you go through that list today and we dont publish that list, the companies that are on it understand who they are and have interactions with us. But if you go through that list, i think most people would see a couple of companies and scratch their head and say, why arent they on there, and when you think about the knockon effects of second order things we rely on in Critical Infrastructure weve also got to consider that, you know, the idea of what a major Banking Institution relies on, what a major Power Institution relies on. Those are dependencies that arent often considered in that in that previous structure, and so were looking at that. Rob, on behalf of everyone, let me thank you not only for joining us today but for your public service, for fighting the good fight, fighting it well. Thank you for joining us today. Appreciate it. [ applause ] thank you. No rest for the weary. Were going right into our next keynote discussion with george barnes, who is as everyone knows Deputy Director of the National Security agency. Again, of all of the agencies that have been doing cyber long before it was cool, the National Security agency is at the very top of the list. George has arguably the most important george at the agency because youve got i think youve got all of the headaches and youve got all of the opportunities. So im really thrill that you can join us today and maybe start with a couple of opening thoughts. Sure. And then i definitely want to get into some of the Cyber Command kind of decisions right now. Certainly. Is my mike on . Can everybody hear me . Please. Great, great. So it is opportune that rob joyce went before me, not only for the topic matter but because we worked together for years, and i think it is a great testament that based on his background hes in the position that hes in because he has worked both the foreign intelligence side in the cyber realm and others as well as the information insurance or cybersecurity side. I thought i would open up with some comments about nsa and where we are these days. Obviously the world is rapidly changing under our feet as a nation and nsa continues to evaluate itself, its mission, its authorities and its ability to be a viable provider of key intelligence and Information Security products and services for our nangtion and our allies. Most may know in the last year we have undergone a reorganization, and the whole rationale for that was an evaluation of where we were, where were going and were we postured to be as successful as we have been 10, 15 years from now. The judgment was that while we were dramatically successful, there were certain things that were pulling and tugging on our structure. Our structure was about 15 years old. The last time we had restructured was actually right before 9 11, and we had learned a lot, we had adjusted a lot through a lot of the campaigns, the dawn of the cybersecurity challenge, but we realize that for several reasons we werent fit for purpose from the structural perspective. Where that comes to play here is looking at the two authorities we have. We have the signals intelligence, foreign intelligence authority, and we also have our Information Assurance authority under National Security directive 42. Traditionally nsa had been organized along those authority boundaries, and that was good at the time that it was initiated but over time we realized it created a weakness and the weakness was kind of what rob pointed out to. It takes a hunter to know how theyre being hunted, and one of the things that we were not able to do in our prior structure is to get the talent at all levels of their career to move back and forth across both sides of that coin. It was a major it wasnt just an organizational move, it was a physical move because the clusters of people in those organizations were geographically distant from each other. And so one of the things we look at was the continuous pull to provide not only those Mission Outcomes we had provided in the past, but the increasing nexus for us of what cybersecurity represents as a challenge and what could we do better to meet that challenge. Really, the way that we found we could do better is to organize based on the functions that we perform, operations, supporting capability of element and other things like that. So we found through the a little bit of the cultivation of talent like rob and some of his peers, where they went from being on the signals intelligence side over to the Information Assurance side, they realized that they didnt have all of the insights where they arrived. A lot of the intelligence stream that they had become conditioned to receiving routinely was shouldnted off. We had not done a good enough job in making sure our Information Assurance components were fully enriched by all of the insights we were getting on the intelligence side, and the expertise we had, people had built careers on one side or the other and they really didnt mix. So it was a major cultural change and shift, not only an organizational shift, to bring these people together in new and different ways, and we are already are realizing the benefits of that. We are taking people that conducted Information Assurance ops and foreign intelligence ops and brought them closer together, respecting their authorities and associated boundaries but making sure that they actually enrich each others cognizance of whats the vulnerability space for the United States and our networks. Thats the key issue for us, is security, whether it is protecting networks or gaining insights from our foreign Intelligence Mission to make sure that we are appropriately and in a timely fashion protecting those networks. The new structure allows us to do that in ways we hadnt done it before, and so thats really a key point. All of the things that rob talked about we are trying to condition ourselves to evolve, emerge and even help define a way. We have so many years of expertise in this business that we do have ideas, we have technology, were trying to work with our Mission Partners, whether they be in the Government Agencies or our industrial partners, to understand what has worked, what has not. How do we evolve together . I know it is trite, but there is something to the fact that we have to have a different formula. We cannot just scale our old models to the new problem. And so having a continuum across the public and private sector is extremely critical, and bringing in academia. We as a country are not putting out technical degrees at the pace that we need to. We have a supply and demand challenge. That is a National Security issue, isnt it . It is a National Security issue, it really is. It is perhaps the biggest, because if you look at a lot of the others in the world that we find ourselves comparing ourselves to such as china, they are graduating computer scientists, engineers and mathematicians at dramatically higher rates than we are. We as a nation and we as a democracy rely on innovation. I mean the core gris that has made our country what it is is in jeopardy if we dont attend to the cultivation of our children. Thats the security thing that i focus on and thats what has made nsa what it has been for decades. We have traditionally developed most of our technology inhouse with dramatic support from industry, but we have always hired in the talent, cultivated them, and they have pioneered new ways of doing business. We need to continue to do that so that we remain viable and to use those insights to help our partners find the way. George, thank you. Thats a wonderful way to start us out, and very consistent with a lot of the things weve been discussing earlier in the day as well. I mean this is a little off the beaten path, but do you see a day where even at the National Security agency, where everyone from a promotion standpoint because we all know promotion is the way to build skills where anyone whos on the breaker versus maker to go back to old codes, but all of the i dont know what we can talk about in terms of what it is now. Sure. But do you see a day where to get promoted they will have to sit in different roles, not just bring their entities closer but where individuals right. Will have to know how to both break and protect . Certainly. We havent gotten to that point yet, but what we have done is weve looked at what we can and should do to cultivate expertise, and how do we understand what is pulling on our people. We are very lucky in that we have dramatic numbers of people across the u. S. That want to work with us, and thats something i think that despite the money, the sense of purpose, it is something that brings people in droves to us from an aspiration perspective. We have a tough but great job in front of us every year when we look at how many people were going to actually bring on board, and that has been a great history and it continues. The challenge now is really the retention piece, because we have a supply and demand imbalance. We have, as i mentioned before, these functions when i started 30 years ago, you know, what i did was very unique. Now what i do and what my peers do, there are analogs out in the commercial sector private sector, yeah. Out in industry. We have a dirth of talent and insights, and so all the discussion you all have had today just points out the fact that this imbalance is causing us to readjust. That readjustment really comes into the talent, cultivating the children when theyre in grade school, getting them interested in pursuing the technical degrees so that they can actually increase the supply. I think it is healthy that a lot of people come into nsa, they spend five years, ten years, and then they go out into industry. A lot of the people that leave nsa today are leaving to go work in this industry. Yes, thats hard. We have to continue to bring people behind them and it is sometimes traumatic to lose wonderful people, but at the same time it is also good for our nation. Absolutely. Because that knowledge, that expertise and the connections back to the rest of our network of people enrich us more broadly. I think thats part of our survival. And one inning that National Security agency doesnt get enough, at least in my eyes, credit for is you have very strong relationships with the universities. Yes, yes. And that is a way to sort of bring talent in and out, and i hope you double down on some of that. Most definitely. I mean we have had many programs. Weve had centers of excellence, partnerships with many universities across the nation. We also have a program called gen cyber that we started with the National Science institute where we work with upwards of 150 universities across the country to help the universities put on summer camps for children to learn about cybersecurity. Those camps have nothing to do with nsa. I dont care whether any of those kids come to nsa when they get out of college it would be nice but i want them to be interested in that domain and to pursue College Degrees in the various fields that help our country. So those Little Things we are finding that were getting the kids can interested. Just go online and just, you know, do a search on gen cyber and you will see lots of great examples where those seeds are being sowned and theyre having an effect. So lets go to because another theme today was looking at the role of u. S. Cyber command. Sure. And obviously theres the president recently elevated made a decision to elevate it to a full combatant command, getting it out of the shadow of its subordinate command role. I guess no decision made yet on that the role with the National Security agency, but i think it is inevitable at some point thats going to peel off. Sure. But tell me what we think what we should be thinking . How does it affect legacy issues and relationships, and what does that mean . Okay. So obviously decisions have yet to be made about the nature of a split, but the split discussion is not about splitting the partnership we have with Cyber Command. It is about whether or not one person should have both roles as the director of nsa and the commander of Cyber Command. Thats really the decision. Whether or not that happens, it does not change the underlying facts that since 2010 when Cyber Command was created, it was created under the premise that to be viable as a nation that extends into cyber space, defensively and offensively when required, theres a lot of expertise, a lot of knowledge, a lot of technology thats been developed over the years in the National Security agency that can help to accelerate the viability of cyber com into being as a Viable Service for its functions and, secondarily, it will always find that it derives benefit and value from being connected and supported by the National Security agency. We are a big intelligence machine. Intelligence is required to feed cyber activities and operations. So we will never separate. Thats why Cyber Command has been physically on the fort meade campus alongside us in our buildings. And all of the Services Except army, right . All of the service real school part of the formula, army, navy, air force, marine. All have cyber components, theyre all part of the overall formula. Theyre distributed physically, as are we. We have points of presence across the United States, an invariably the cyber components in the services colocate with the nsa counterpart. That partnership is tight. It is growing, it is evolving, it is maturing, and we are also demonstrating by bringing in Service Members into our world it accelerates their ability to be productive for foreign intelligence while theyre with us, but also to apply those skills when they turn and have cyber com roles. And it allows i mean just deconfliction i would imagine. Almost always. It is an issue of not compromising. Most definitely. Thats another key thing. The equity space is extremely fragile, it needs to be managed actively. The fact we are coresident together and we develop a culture thats informed one side of the other, that helps the discussions so were not doing things transactionally across the transom as though we didnt relate to each other. Uhhuh. So Cyber Command, nsa, we will continue on forward. We will have a tight and growing partnership into the future. That will be independent of whether or not we have one or two masters at the top. Think of it as sort of a title 6. It is basically what jsoc was able to deliver for ct missions. Thats right. Thats right. But even even tighter. The thing about cyber thats a little bit different is it is continuous, right . And so the physical proximity is also just as important as the organizational partnership. So tell me, george, thinking about and just because youve had a lot of senior weve had a lot of Senior Leadership from dhs, how do you see the relationship between fort meade, nsa and the department of Homeland Security . Im glad that rob brought up ctic because it seems to be people seem to forget the significant role that it plays. Right. But give us some thoughts on that, because i mean cyber is everyones mission. Thats right. And we tend to ask whos in charge. The real question is who is in charge of what. Exactly. When and under what circumstances. Thats right. How does that purple role, how does it look, your relationship. So with dhs it is critical if you look at all of the things that rob enumerated about the fragility of the Critical Infrastructure landscape as a case in point, dhs is the organization that connects with the Critical Infrastructure and key resource entities, all of those sectors. They are the ones when a company is penetrated that goes and knocks on the door and delivers the message they have a problem. Were not that entity. We are a Foreign Intelligence Service and we provide that function for the department of defense and the National Security systems but not for the rest of the government, the dotgov doe mains or all mains downstream. Our partnership has to be growing and it is. Unfortunate we had things that happened over the last year where there have been events that all of you know about, and those have given us every time theres an event, it is an opportunity for learning. So we exercise our system. We find out where it is weak. We do the Due Diligence rollback and find out how we fine tune it so the next time we dont make that same mistake and it gets better and better with time. Do you actually do active hot washes . Do you have a formal process, sort of not like a trade not a very but do you have a process where you are doing after actions . We definitely have one with nsa and interagencies . We dont have a formalized one with dhs. We have various levels in the interagency and part of you know, im on the Deputies Committee and all of the deputies come together and meet with rob for cyber and a lot of the other people in the National Security apparatus, and then we have subordinate layers that come together and tease out issues and problems and strategies and policy formulations. Get a policy recommendation here for us to help. Thats an area so this spring when we had the wannacry, you know, there were tight partnerships that were exercised between us, the do d, dhs, fbi and others, and we learned we tweaked, and theres rich, fluid discourse. Awesome. I hadnt thought and how about the bureau . The bureau is i mean the fbi has been a tight partner of ours for decades, so it is not as new of a partnership as the dhs domain, so thats just natural. The natural relationship kind of evolves with the application, you know. It has always been the National Security apparatus, counterintelligence, cyber is just an extension of that with technology wrapped around it. Sort of that key general alexander had. Yes. Good, good, good. How about our allies . What are we thinking here . I mean in addition to obviously the collection capabilities you have, youve been the ultimate provider of defensive capabilities. How does that look from an allied perspective . Do we need to look at new sorts of alliances, and what does it mane for combined operations at some point, whether physical, kinetic or cyber . So i think if you take the cybersecurity layer of mission, that rides can ride and in our case it does ride on top of previouslyestablished partnerships. Some are more fit for purpose tha than others just based on the partner, the sophistication they bring, the operating authorities and how those can relate to ours. Most people know about the fine is and thats one thats obviously. We have a tight partnership with the five is partners. They are each at different places in the evolution of the operating authorities. The one that was out more commence rat with us was the united kingdom, and so that partnership is rich and deep and vibrant and rides on the backbone of our Information Assurance partnership, our foreign intelligence partnership, and our dod mod partnerships. Those partnerships are across all agencies and factors and so that makes it natural for us to link up and also learn from each other. We have different scopes and scales, so what works for them might not work for us and vice versa, but by looking at what they do, seeing how it worked, how it didnt, looking at what were doing, it is great to have somebody else that has your challenges and you can just bounce things off of each other and iteratively learn. And in the uk, i mean the way theyve organized and structured for this with their National Cyber security center, that comes largely out of gchq, out of the british equivalent. Yes. But it has an interagency role. Thats right. It is an interesting way. I think they came to conclude what many here would say, nsa has the capability but not all of the authority. Right, right. But i think you have figured that out. Right. And the uk is a Smaller Government than the u. S. , and so it became more efficient for them to build out of gchq. Also their operating authorities were a little different from what we have in the United States. Uhhuh. So for their authorities, for their position in the government and the size of the government and the challenge, the ncsc is the right model. The other thing theyve been proactive is how to draw industry into the model. And universities. Most definitely. They have oxford involved there as well. We have ten minutes for questions. If people have questions, please raise your hand. Identify yourself and please. And then well go there. We have one here. There, there and there. Theres a trend here. Dustin wolf with reuters. Two quick questions for you. Again, on the issue of social Media Companies having to getting pressure from lawmakers to deal with foreign disinformation on their platform, Faye Facebook and twitter, im curious if you are helping them survey their networks and provide intelligence that might be effective. Secondly, we have heard about the importance of section 702, fisa, due to expire on december 31st. The last time we were in a situation like this with the patriot act in may, june of 2015, the nsa came out and said they had to wind down that bulk phone meta data program a little earlier than the actual statutory deadline because of the sophistication of the program. I am wondering if a similar situation will exist for section 702 where the nsa may actually lose some of its Authority Even prior to december 31st. Okay. I will hit those in order. First you asked if we are collaborating with the social Media Companies with respect to what is happening. We are not. Thats purposeful. You know, we do not as rob mentioned, they are very sophisticated. A lot of the people that come to nsa are built out of the same cloth as go to those companies, a lot of the computer scientists an those times of folks. But based on our operating authorities and our focus, we dont collaborate on helping them look at who is in their networks. That just would be totally outside of our purview. But we are encouraged, as rob said, when they are actually taking it upon themselves to understand whats normal from their Customer Base and look for aberrations and whats the significance of those and do they tell the companies that something is going wrong. Now over to your u. S. Freedom act and 702 question. First can i add a footnote here . Certainly. Because i mean just and i think this is a public a vast majority of the information or intelligence that is provided to the president in his daily brief comes from section from similar capabilities that could be blacked out or eroded. Right. Yes . For faa, section 702, theres a large productivity piece there and it does inform and influence much of what goes to the president s daily brief. There are many other sources as well. Obviously the key one that weve talked a lot about and is still extremely critical is counterterrorism, that it is extremely critical to us. And the big difference between what happened with section 215, which became the usa freedom act and 702 is the ufa is billing records from u. S. Companies in the u. S. So those are transactions that happen in the u. S. Section 702 is foreign entities outside of the United States. So they get conflated, theyre different technologies, theyre different authorities and theyre different focus areas. So 702 is 100 foreign individuals, outside of the United States. When somebody comes to the United States, they are treated as u. S. Person with all of the rights, and so we have sophisticated algorithms and checks and balances to ensure when someone comes the United States, if they happen to be an entity that was on coverage because they were a nefarious criminal actor in terrorism, they would be dropped, and thats just the way the statute works. So those assurances are just core to the foundation of 702. Now, if we thought we were going to lose the authority by the end of the year, to your point, we would have to be looking to work with our Mission Partners in the government as well as the companies to start scaling down in advance. So we would definitely, because the last thing we want to do is conduct any operation and that goes from us all the way through to the Company Delivery data back, zero of that could happen at the point we did not have an active statute in place. So we would have to work the dates backward to make sure that we didnt cross across that line. Question back there, and then were going there i think. There. There and then there. Thank you. Im hidiki with nhk japan broadcast corporation. My question is north korea cyber capability. It has been reported that north korea is responsible for the wannacry attack and also a banking attack. Im wondering, you know, that north korea is in a very isolated country and whether they have such kind of capability or not. So could you tell us, you know, what your could you tell us wha assessment is about north korean capability and you believe they have certainly. Were on record to say we have not definitively tied the want to cry that tied to the National Health system. The nsa have not definitively, 100 tied that back to north korea. Other nation states have and so theres been different news out there about whether or not north korea is or is not responsible. At rubugz is very tough. Thats one of the challenges of Cyber Security and the strategy we talked about and providing pressure back on states whether theyre nation states or individual actors. And so we, nsa, have not definitively attributed the malware, ransom ware back to north korea. That said, north korea has a track record of conducting Cyber Operations for all kinds of outcomes. Many of you know about what happened to the Sony Corporation several years ago and because they are a Close Society thats under fiscal duress, due to sanctions, theyre looking to boo eable to have ways to generate revenue. Ransom wear is one of the ways that can we done, which leads to the hypothesis, they were behind it. We have not connected those dots definitively. From abc. On the social media question. Twitter said this week they y f identified 200 twitter accounts and shut them down after linking them to russians for pushing quote fake media. We dont have any insight into their infrastructure and how they make those assessments. What kind of a profiles those actors might have, such that they would, using advanced analytics to really assess what fits the profile and then the Due Diligence to look down deeper is this tie to something thats bigger. But we, nsa, have no insight into any of those types of things. Because were about out of time but i would argue and please disagree with this premise, that we discussed earlier that the role of private sector providing at rubugz of statesponsored attacks makes the governments role easier. Fire eye, crowd strike, not sure that made it easier but theyre all over the place. And im starting to hear from some of their kpeks they may not be as forward leaning because it doesnt help business. And so their businesses to unravel those things for their customers and how public you are in that, oenly they can assess, based in the aftermath, that draws attention to them which may complicate what theyre there to do and thats one of the challenges with Cyber Security. Most entities that are penetrated do not want to advertise the fact theyre penetrated because it create as magnet to draw more attention whether its from all of us being interested for our own purposes and security or other malfeesance, other bad actors can be drawn to what they see as a vulnerability and weakness. You dont get the full picture of whats going on. The last question. Where do we stand on the Insider Threat issue . I know youve done yomans work of late. Its been a tough road. From 2013 all the way up to this past year we have had a series of losses, unfortunately. And what that did is and it didnt just happen all at once. We started after the 2013 loss, we started to evaluate our security practices. That initial start was in the it System Administration realm because thats where the law startd and so we started to evaluate how we did that, what permissions we gave for what functions. But on top of that we learned subsequently that we had to have a multifaceted strategy that hit all aspects of technology, personal security, physical security and so we have a Robust Program now. Weve spent a lot of money trying to revolutionize the it architecture we have, to enhance security to all of us that have accounts on those National Security systems. Every time you log in, you have a consent to monitoring banner. That has to mean something. So we have to understand whats happening on our systems, what are the normal things people do based on their function. I in my job should not be going into a data base where our analysts are working traffic against an adversary. Its not my job and so typically im on e mail. I have a very simple profile thats working actions and moving people around and so thats not my job, not my profile. We had to look at the vulnerabilities inhairant to tear apart systems to either leverage those or better secure them for our nation. So understanding that means we had had had to change our mi mindset, culture as well as architecture and process procedures. So its been a long road but were much stronger than we were and weve usesed a lot of what weve done has influenced whats happening more broadly and gets to what wrooere talking about the cyber space as well. If we make it easy to go in the back door, thats where theyre go doing go. We all have to have Network Hygiene and multifactor dimension and depth. Thank you not only for taking time out of your insanely busy schedule. Thank you for your leadership and all youre doing for the men and women that you lead and even more importantly for the men and women you serve. I think the mission is imperative. Theyre in good hands with you at the helm. So thank you. [ applause ] weve got an awesome partner in northrup. So thank you and thank you lenny and team
comparemela.com © 2020. All Rights Reserved.