Directions but we are truly fortunate to have rob joyce in his place. For those that dont know rob, rob is the cyber lead at the National Security council. Hes the socalled cyber czar, the coordinator for all things cyber. He comes to the white house from the National Security agency where among other roles he ran t. A. O. Which i think has gotten a little more noticed in recent years and there was a time we couldnt even mention that, but rob comes to this job with true professionalism. And he has a natural ability to translate sort of those ideas into policy and the like. So rob, thank you for doing this, especially at last minute. I thought wed start with a general question. The executive order promulgated in may. I know a lot of homework items were due early september, late august. Can you sort of give us a sense of where we stand and i dont expect you to break all news in terms of what exactly was provided but tell me where things stand and in particular, just because its been a common theme of our overall event today, the cyber deterrence language in particular. Certainly. The first question is this on. Sounds like it. So thanks for the opportunity to be here and tom bossert did send his deep regrets. Hes in the middle of, you know, the white house response to the hurricanes, both as the devastation hit texas, florida and puerto rico and sister islands, so working that hard, he asked me to step in and i appreciate the opportunity to talk in this space. So the executive order, let me give pay brief thumbnail for those not familiar with what it covers and then well talk about the reports that come in under it. Four big areas in the executive order, the first is protection of our government networks. Those networks are the ones that transact government business but also hold the business of the american people. When you look at the opm breach, its not hard to understand why weve got to put effort into making sure those are secure and modern and i think anybody whos either interacted with government i. T. Or is currently in the government knows that not every place in the government is at the same level of protection and security. Probably not the case that Everybody Needs to be, but we do need to make sure the most important information, the most important both National Security information but also privacy information is protected. So the eo was tasking the modernization of those networks and thinking about how we do cybersecurity at scale and a lot of that, you know, looking ahead, the recommendations coming in there with things like shared services. The idea of moving to modern cloud based services. The concepts of getting connected to the experts in cybersecurity. When youve got the bureau of Land Management overseeing hydro electric Power Production theyre not going to committee with dhs and dod in recruiting cybersecurity specialists but you want those Networks Just as secure as the other places we have in the federal government. So thinking about how we can do some shared Services Even in security operations. So thats area one is federal networks. Area two is Critical Infrastructure. In that area were talking about the critical 17 Critical Infrastructure sectors, things like power, energy, communications, health, water, transportation, maritime. All of those sectors where often those are run and operated by the commercial industry partners, but have implications to the safety and even National Security of our country. So that is a collaboration between those sectors and the u. S. Government as to how we improve security. This year the trend line continues that advantages going to offense and thats a scary thing when you think about Critical Infrastructure. We cant have our power grid being held at rick. We cant have questions as to whether the Financial Sector can stay free from intrusion. So what that means is, we have to have both security as well as resiliency in those Critical Infrastructure networks. It will always be with the attacker . Red will always be ahead of blue given what you previously did. Just one comment. I did t. A. O. But i also was assurance, there you go. I really encourage. People have to flow across that membrane for offense and defense. The phrase, i use with others is it takes a thief to catch a thief. Absolutely. Both of those jobs i thought differently about the way we needed to move forward because of the experience of the other but what job trumped the other, not in terms of more fun but my t. A. O. Job was easier. So Critical Infrastructure resiliency is important. We cant assume that offense wont get through the defenses we put up, so at that point youve got to have capabilities one to find and uncover intrusions as fast as you can, two, minimize the impacts from those intrusions and three, when you do have an impact, how do you recovery and recovery quickly . And it only takes the devastation that were seeing from some of these hurricane impacts to know that, you know, when these services are down, it has tremendous implications to health and safety and welfare. Which is part of the deterrent, the ability to bounce back minimizes the reason a perpetrator may turn to those if you can demonstrate the ability to bounce back. Absolutely. You asked about our deterrent strategy. One piece of that will certainly be demonstrating resiliency. So if you have of a question as to whether an effect can hold someone at risk, whether an effect will succeed or whether it will have the impact youre seeking, it may change the calculus of your willingness to go ahead with that. And on the Critical Infrastructure side, i mean no one will disagree that the 17 Critical Infrastructure areas are allimportant, but some are arguably more critical than others, the life line sectors, energy, electric, telecommunications, Financial Services, water, transportation. How do you we cant have the Peanut Butter approach where we treat everything evenly and equally or can we . No. There has to be priorities because we dont have unlimited resources and when youre faced with scarcity of resources you have to prioritize. For me the base of that pyramid is the power sector. If you look at when the power goes down, things cascade from there. The the sugar daddy of all. It can only run so long on generators. The Communications Sector goes down, the banking and finance sector isnt going to be able to transact. So theres this cascading effect. Were working on the grid x exercise that will be coming up. We always do an Energy Sector cyber exercise. This year were trying to make this joint with power and the communication sector im sorry, the banking and communication sector to look at some of those knockout effects and make it more realistic as to how society would react. And even the old Willie Sutton principle, clearly the Financial Services sector is very far along and quite bluntly, theyre only a few sectors that can genuinely absorb some of the high end threat indicator information, intelligence whatever we want to call it. I dont remember if theres nyac or end stack, they did a report calling out the four Critical Infrastructures and creating a super sector, is that something you think worth looking at . Or does that unfairly put forth ahead of others . I dont think were create a super sector but we are going to spend more time looking at the interactions between sectors and making sure that, you know, all of the dependencies in one are teased through and the threads are pulled. That gets to the concept i mean, we have unlimited vulnerability, limited resources and a thinking enemy that bases their actions on our actions so its not like security is an end state. Its a continuous process. So the question there becomes sort of in that prioritization, anything new coming out of the out of the executive orders that you think weve all heard Public Private partner. Everyone agrees with that, i think. Ive been known to say long on noun short on verbs. Weve talked about it. Weve admired the problem. And its not to suggest that there arent solutions because the Defense Industrial base, we just heard from scott at ei. We do tons of work with the fsi and theyre doing phenomenal work but it still comes to the policy without resources is rhetoric, so where do we kind of see that coming down . Sure. So i think its a joint activity for both of us. Private industry has invested. Government has invested. I dont know that the gears on the teeth are meshing yet so weve one of the calls we often get from the isacs, we need more sharing of the government knowledge and information that you have. Umhum. In the classified arena thats hard to push everything the government has, sources and methods are, you know, implicated in some of that. So what weve been talking about instead of the push model, send us everything youve got, find ways to analyze with Sector Knowledge into the government areas where they can then look for their equities, identify information that then needs to be pushed out for action. How about the vicea versa when you see that going where government can spend more time in some of these more Critical Infrastructure areas. We think its important not only for the connection but also for the development of the government and expertise and the relationship. Awesome. I think the most impactful step well have is bringing more into the analytic sectors from the commercial side so they can have expansive access but in a control way where the data isnt as at risk and we can keep track of them what is pushed out and shared with industry. Coming to your role as sort of a primary producer of information and customer of other bits of information, but largely a provider of information. I mean, what did you find coming into a white house kind of role . This is more of a personal question, sort of, what did you think made sense . What didnt . All these executive orders that we are all weve all put a lot of blood, sweat and tears in this room and of course you guys, but what really works . Do we have the ability to know in the event of an incident what would trigger an escalation, what a significant incident is . When are you going to get your war room together to be able to manage the consequences of an incident . Are all those still well know it when we stee . What are your thoughts on that . Weve got a process in the end its going to come down to expertise. We have thats why its really good youre there, by the way. We have a wide array of really smart folks distributed across the community so when you look at what dhs has, what odni has c tech, has that taken flight . It is. Thats where i started. C tech cyber threat intelligent center. That is an organization that takes the reporting from across the Intel Community to include open source and commercial and partner information and then tries to summarize up, you know, what we need to know, so they are theyre at the front lines of sensing and warning but wls the Intel Community and commercial entities so every day across that wide array of participants we all drink from these fire hoses of information streams but what we rely on is the expertise and judgment of a bunch of different people and things get elevated quickly. We have routine interaction where i host the interagency once a week in that we talk about Threat Landscape and other things, but with those daily information flows, weve got a process when somethings breaking to pop and call and ad hoc session and theres a president ial policy on when we turn to a very formal Coordination Group that kicks off and is led at the dhs level that triggers some very formal processes, communications, interactions with the commercial entities and even has a Lessons Learned process at the end so that every incident we get a little better. Can you give us a sense of what that what sort of an incident would potentially trigger that . I mean, would obviously i dont think the Equifax Breach but if there were an attack on the grid as you mentioned as we saw in the ukraine, that probably would trigger it . It absolutely would. A great example is wanna cry hit the health sector. That triggered it. It wasnt hitting in the u. S. But we watched the impact it was having at the uk and that kicked off, you know, significant interagency processes. What about i. O. T. . Youve got a vast universe when we talk about prioritization that im sure keeps you up at night. I used to say i sleep like a baby, wake up every few hours crying, so in all sincerity, where does i. O. T. And the fact that our attack surface is generally growing exponentially and the realtime to get solutions is probably design phase . Systems are systems. For all the engineers are here, i believe you, i believe in what youre trying to do, but at what point where does i. O. T. Sort of come in to your thinking and specifically the physical cyber convergence vulnerability in terms of how we should be thinking about that . I. O. T. Is at the same time both a huge opportunity and a huge threat. The things its going to enable in our society, making lives easier, you know, the train is moving and we are going in that direction. Were not going to slow that down and stop it. But as we saw in the poorly designed i. O. T. Is a real threat to infrastructure, to capabilities, to financial and even National Security. At this point theres been various calls, everything from do you do the Underwriters Lab to certify the cybersecurity of i. O. T. All the way down to let Market Forces drive. Were in the middle. Wed like to see great articulation of standards. What is best practices. Wed like to encourage the Industry Groups to follow those standards. Theres some really simple things every i. O. T. Device ought to have and it starts with it needs to be updatable. The idea that when vulnerability are found that it can be updated. Youd like to have the ability to make sure that it doesnt have default credentials and passwords and then beyond that the curb starts going up. Ideally its update process is cryptic graphically secure. They thought about doing an update underneath encryption so it cant be spoofed and those are easy and simple things, theyre well understand how to do. Market pressures arent always driving the companies to do that right stuff from the beginning and thats where i think the government and Industry Groups can push and help, you know, its our desire not to see that pendulum swing all the way to regulation which is why we in the executive order kicked off some bot net studies and other things that really go back to i. O. T. Roots and some of the same rouot causes. One other thought since you brought up cripto, the going dark dilemma obviously sty mys Law Enforcement intelligence the flip side is without strong encryption, the chinese, the russians, the north koreans, whoever, whoever the perpetrator is potentially going to exploit that information. How should we think about that . And then weve got very key provisions to advise sunsetting. Reporter is the . Whats the call there if there is a call to action . And help me think through the going dark phenomenon . Let me start with 702 statute, its just a critical tool in the terrorism and even Cyber Defense realm. Happy you said that. It is a tool that helps us understand threats and its its a laugh tool under close court supervision. Its even based on some of the reporting out there. You can see its well monitored. And so its really important that we get a reauthorization. The administrations called for a clean reauthorization, so since you didnt get tom bossert here today you can get a little of toms information. He did an op ed piece in the the New York Times a couple months ago. Id encourage you to look at it. Its a tool we cant afford for our safety to let sunset. I think congress is well focused on it and were looking to keep that capability. Awesome. When you ask about going dark, i think the first message id want everybody to understand is strong encryption is good for the nation. Theres no black and white about that. We need it for business, we need it for our personal privacy, we need it for, you know, our protections of the National Security side as well as the way we interact just as a society. That being said, theres also a really important part for rule of law and so what wed like to see is, you know, responsible corporations consider how they can be responsive to a judicial order. The government shouldnt have a place in saying how thats done, but the design considerations upfront should consider that, you know, we as a society need to do investigations. Theres a reason, you know, that all of us look to Law Enforcement and the government to provide some basic components for society and that includes the ability for a judge to say i need access to some information. So thats what wed like to see. Very strong proponents of encryption. Theres no doubt that strong encryption needs to be a capability and then weve got smart and Amazing Tech Companies in here, many of them are able to both provide that encryption and security but then when theres a need for warranted access, they can provide it. So and im going to ask an unfair question here, so i mean, quantum computing and chinese satellites being launched ahead of state from russia, talking about the importance of Artificial Intelligence, to dominate the world, what does that mean . Are we in the midst do you know that theres even a race going on and what does it mean for our tail . We need to make sure we have the capability to ensure our dominance in this space, yes or no . Im actually these are big news stories that get buried in the tech pages but theyre actually really big from a policy standpoint. What are our thoughts . Does that cause you to take notice . I know it did you but other policy makers . Certainly. When you look at technology, theres a history in this country that Technical Innovation has underpinned our society and its also really given rise to the amazing lifestyles that we have here in the u. S. The good news is we have such a healthy set of industries, research labs, academia, theres nobody that doubts were the leader in technology we cant take it for granted, right . We cannot. Thats why we continue to invest in that. You saw just last week the white house kicking off s. T. E. M. Educational programs. Weve got to continue investing in that next generation, both of the people and the technologies and i would argue that in the end if we do the people right, the technology follows. The people are the secret and key to our innovation. And even from a threat perspective, i mean, technology always changes but human nature is pretty consistent and good, bad or indifferent that has to be factored in and that gets into the whole human collection versus technical means and all that kind of stuff. Im glad you really glad you raise that. Couple more questions just on the deterrent piece and then well open it up. So what did what can you share in terms of what the agencies put forward in trying to articulate our cyber deterrence . By the way, in fairness and i dont mean to lead with these questions, because i dont think you articulate cyber, you articulate actors from crossing lines in terms of computer networking and exploit capabilities but what are we thinking about that . Do you see a day where we will have a genuine cyber deterrent strategy . So i do think well have a genuine cyber deterrent strategy. And the will to follow through when lines are crossed. Sopy t i tipped you to a cou things. One is resilience. Weve got to have the assurances that weve done the right things to plan for eventualities that sometimes are heinous to consider. Then weve got to exercise. Weve got to practice like we play. That element is really important for resilience. A second element of it is, what i hear you alluding to which is the imposition of costs. We can have norms. Norms are great, but without an imposition of cost for the people who are outside those norms who are going beyond the pail, the norms dont mean anything and the bad guys have to know that we mean business when certain things are crossed right now they dont know. At times but i would say, you know, one of the things weve used is Law Enforcement. Youll continue to see us indict, even when at times we cant bring people to justice, we know that theyre after a public indictment, theyre going to stay put and their governments not going to give them up but its a powerful diplomatic message, its a powerful signal to send to others who are considering it and were using it. So that has a cost too. Were also using sealed indictments and that in the back of the minds of people who participate in these activities, you know, that should make them wonder as they travel internationally, it doesnt need to be to the u. S. But other places theyll come to justice. So thats one element. Another element is that the art of diplomacy. The levers we have with other countries and the ability to shape their actions. Sanctions. The ability to do primary and even secondary sanctions. Weve used that at times for cyber topics. Were going to use that again and more and then theres other elements. We will respond to cyber with cyber. Most of the time you cant solve cyber with cyber but thats one of the arrows in the quiver. So it really is a whole of government but for us its the will to impose costs. We found that Big International consortiums are also slow to move or reluctant to move to impose those costs so for us its often going to be bilateral, finding the right partner for the right problem moving forward and then bringing coalitions along but not waiting for the coalition to be large and grand. This came up in our conversations with congressman hurd and the other panels as well. Do we need new alliances . Firstly, any thoughts on the state Department Reorganization that is ongoing . Part of it the whole story has not been told there. Its not like theyre getting rid of everything state related. When i look at obviously the strongest alliances are our five is in nato and all of which are absolutely backbones for the United States and need to be but then youve got allies like israel, like japan, like south korea, very tough neighborhoods with actors that concern us. Whatever theyre seeing its coming our way soon. Stay tuned. Those are the practice fields and were the main stage. So id be curious on what your thoughts are in terms of alliances specific to cyber . Do we need something new which in part is the challenge with cyber . So how do we put a bow around this . We need alliances and, you know, i just returned from a trip to singapore, who is singapore and seoul in a tough neighborhood as well, with some exceptional technology, a strong focus on becoming both a Digital Economy leader as well as, you know, a security cybersecurity thought leader in the region. That also afforded not only the chance to talk to singapore but the asian neighbors met there. We huddled on cybersecurity and that region of the world is thinking about what they want to do to improve their own Digital Economy and security. Cyber is a topic that comes up with every country we interact with. For us, again, it is about priorities and resources. We are going to have to pick and choose the relationships to grow, and i think the ones we are going to emphasize are the ones who are going to be willing to enter into deterrence aspects with us. And have capacity, right . And have capacity, and we have the start there. Awesome. Last question, and then i will open it up for a few. Weve got a few minutes. But any comment on dhss decision visavis kapersky . I think it was the right decision. It wasnt one we entered into lightly, but the idea we have something with that pervasive access to u. S. Government systems that pushes information overseas to a country that has, you know, laws that require these companies to submit to the intel services, that data, thats just a risk can we cannot have on our government networks. Absolutely. You know, we recently hosted greg clark, the ceo of symantec, and russia is requiring providers to turn over their source code. Fortunately, in their case they took security over sales, but im not sure thats a big issue i think going forward, and china as well. So china has a huge market. So i hope u. S. Companies think about the security implications prior to doing that, the flip side. We have a couple of minutes for questions. Please identify yourself, and well do here and then here, and then oh, god. And then well go there and then who i cant see back there. So lets start over here. Hey, rob. Thanks for joining us. Jeff hancock, senior fellow at the center as well as ceo of advanced cybersecurity group. Questions really around active Cyber Defense. I dont mean hacking back. You and i share some of the similar backgrounds, red, blue. When i talk about hacking back, it is not in context. Active Cyber Defense for across the federal government, civilian side, not dod, not dhs, strictly civilian side. What are your thoughts on that as well as what it means for the commercial realm . Theres been talk for many years about companies hacking back or shouldnt they, there are legal shields around that. Thoughts and perspectives and how it plays into the deterrence aspect, because it is great to be resilient, prepared and defensive, but at some point you have to gather intelligence, you have to be able to weigh your means and active Cyber Defense allows for that. So i was curious about your thoughts on that. Im still not understanding your definition of active Cyber Defense. Did a big report on that. We can send it. You went to both places which is i dont mean hacking back but i mean gathering intelligence. I dont understand. If you are doing active and gathering intelligence, it sounds like hacking back. Versus intent. Yeah. So i have a very strong belief that offensive Cyber Operations where youre compromising a box that you dont own needs to be an inherently governmental operation. So if you are talking about going out, compromising a box and deleting the data that they stole from you or imposing punitive penalties so they feel like they feel some pain and dont want to go after you again, i really think thats a bad idea for the cascade of things that can occur in that space. If youre talking about compromising a box to go gather intelligence, that still is some pretty risky space because we are, as you heard, going to start imposing costs for the intrusions that are coming at the u. S. That puts us in a delicate policy space when, you know, were out there poking countries and pushing them hard to respond to intrusions, and if theyre seeing our companies doing intrusions into their space, whether it is gray space or red space, theyre going to have a legitimate ask to us to make it stop. If you are talking other definitions of active Cyber Defense where you are changing your network, you are manipulating the data thats coming in and putting it into places where the adversary may be talking to something that you are gather more intelligence about, where they are manipulating things and the data they get back has been changed so that it is unuseful or unhelpful or causes them to question their tactics and techniques, im a huge fan of that activity and i think theres some really Creative Things being done in the marketplace and across the community. And more can be done there too, right . I mean with massive anything inside your own network arguably is fair game. Or even, you know, collaboration where something sits at a higher level inside the network. I think theres room for isps or partners with isps to do unique things to defend many people behind them. Like the cyber threat alliance, and it is some that can actually do it right now. So there is a difference between cowboy and theres a difference between a Public Private partnership where you then turnover evidence or information that others can act upon it. And that, i think, is part of that gray area, but i dont think it should be so gray, but thats just because otherwise were going to continue to blame the victim and were never going to build high enough walls, big enough locks by deep enough motes. It is doomed for failure. There has to be sort of like in a football game, you need a linebacker. You cant just have defensive tackles. So i dont know, i dont want to go too far on that. We had, yeah. Dustin, and then a question back there. Dustin. Oh, sorry. Then we will go there. Lisa, right there. Dustin voight with reuters. Theres been rising concern among lawmakers of both parties about the cyber threat on social platforms, facebook, twitter, to interfere in elections and so forth. I wonder where you stand on that issue. Should the companies be doing more to sort of get a grapple on to get a grip on this issue of foreign interference and you gave me a real easy question, where do i stand. Yeah, go ahead. Should the companies be doing more in this space to get to be more transparent and monitor this issue more closely . And how substantial a threat do you consider foreign disinformation, propaganda, that sort of thing on the social Media Networks . So i do think theres more that companies can be doing, and im seeing that they are waking up to the threat and putting effort into it. You know, i would commend facebook, for example. The research they did. These Companies Know their platform better than anybody. They understand who is interacting on their platform and whats normal, and i think that the using their platforms and their technologies to understand when theyre being misused is the best solution to some of this. When you asked about, you know, is it a problem, absolutely. Is it a growing problem . Yes. I think anything that would be turned to try to subvert our democratic processes, it is something we need to understand better and put some checks and balances into place. And, again, it is trade craft from an actor we have seen in the physical world for years, i mean the old rumor that agency was behind hiv aids. Now it is just on steroids with no cost, no penalty. The other thing i would point out is every election is an Information Warfare campaign. It has just moved beyond the two participants who are candidates. We have a question back here, and then we will have one more here and thats it. Mike levine from abc news. Going back to the kapersky issue, would you say your concerns are based on what the russian government could do through kapersky or was part of the concern what you know the russian government has done through kapersky . All im going to say is we made a really thorough investigation and we made a prudent risk decision, and im confident we got to the right answer. Wellsaid. Question over here. Hi. Thanks. Eric geller from politico. This morning bloomberg reported investigators looking into the Equifax Breach believe theres evidence it could have been nation state activity. Im not going to ask if it is true, but im going to ask what you and the Trump Administration do to mitigate the damage from these kind of things, where theyre trying to find information to use for blackmail as opposed to Social Security fraud. What are the steps that the administration can is and can take to limit the damage from that kind of incident . Eric, great question. It is clear that we cant other nations hold us at risk through cyber, right . And if this is a nation state im not saying it is you know, that amount of data has huge value to intel services, Information Operations and other things. You cant make it go away. Once it has been stolen and, you know, operationalized it is out there. What we can do is look at the things that make it useful and valuable. Are companies doing the right things to defend personal information . Do we have the proper breach notification so that when there is an incident that it gets discussed in a timely fashion and responded to . And then weve even got to think about the underlying components that put us at risk. I would offer that the Social Security number is a pretty antiquated thing. The idea that every time i want to use my Social Security number i put at risk by sharing it for legitimate use, i think thats pretty unacceptable and i think theres good opportunities to use modern technology to factor authentication. Public private keys, to give us a way that we can modernize and use that in a way that i dont have to put it at risk by using it, and when there is a compromise that theres easy revokable way. So a show of hands, how many people have changed their Social Security number knowing that it is compromised . I dont think that happens. Yeah. I personally know four instances where mine has been compromised. I think everyone here, does everyone here have i mean if there were a show of hands that you think your ssn or your passwords have been compromised . So that to me is, you know, the need to think about how we define information, how we use it, what we put at risk, and limit the knockon consequences of using information. We might have time for one more because a question here. Rob, let me ask, and i dont want specifics on this by any means, but can you give us some assurances that everything were doing to address the crisis visavis north korea also includes a cyber dimension to that . Because ultimately cyber, again, it is an instrument of their political and it may be the first volley we are seeing of something that could get bigger. Are you part of those discussions . So north korea is a huge issue. Were using all elements of National Power in there. Were also considering it in terms of risk can, right. So north korea is a belligerent nation. Theyve chosen to use cyber in the past, and so were making sure that were attentive to the probability that they if cornered or even if not cornered will use cyber in malicious ways. Awesome. Last question . Rick weber, inside cybersecurity. Executive order also deals with use of section 9, the most Critical Infrastructure. Can you tell us a little bit about the administrations thinking about how to refine that process . Yes. So were taking a look at how we define section 9. Today theres a set of criteria that gets you inside that that Critical Infrastructure designation. For those not familiar, theres a section in a previous eo that talks about Critical Infrastructure, and section 9 of that executive order talked about probably the most critical of Critical Infrastructure. If you go through that list today and we dont publish that list, the companies that are on it understand who they are and have interactions with us. But if you go through that list, i think most people would see a couple of companies and scratch their head and say, why arent they on there, and when you think about the knockon effects of second order things we rely on in Critical Infrastructure weve also got to consider that, you know, the idea of what a major Banking Institution relies on, what a major Power Institution relies on. Those are dependencies that arent often considered in that in that previous structure, and so were looking at that. Rob, on behalf of everyone, let me thank you not only for joining us today but for your public service, for fighting the good fight, fighting it well. Thank you for joining us today. Appreciate it. [ applause ] thank you. No rest for the weary. Were going right into our next keynote discussion with george barnes, who is as everyone knows Deputy Director of the National Security agency. Again, of all of the agencies that have been doing cyber long before it was cool, the National Security agency is at the very top of the list. George has arguably the most important job at the agency. Because youve got i think youve got all of the headaches and youve got all of the opportunities. So im really thrill that you can join us today and maybe start with a couple of opening thoughts. Sure. And then i definitely want to get into some of the Cyber Command kind of decisions right now. Certainly. Is my mike on . Can everybody hear me . Please. Great, great. So it is opportune that rob joyce went before me, not only for the topic matter but because we worked together for years, and i think it is a great testament that based on his background hes in the position that hes in because he has worked both the foreign intelligence side in the cyber realm and others as well as the information insurance or cybersecurity side. I thought i would open up with some comments about nsa and where we are these days. Obviously the world is rapidly changing under our feet as a nation and nsa continues to evaluate itself, its mission, its authorities and its ability to be a viable provider of key intelligence and Information Security products and services for our nation and our allies. Most may know in the last year we have undergone a reorganization, and the whole rationale for that was an evaluation of where we were, where were going and were we postured to be as successful as we have been 10, 15 years from now. The judgment was that while we were dramatically successful, there were certain things that were pulling and tugging on our structure. Our structure was about 15 years old. The last time we had restructured was actually right before 9 11, and we had learned a lot, we had adjusted a lot through a lot of the campaigns, the dawn of the cybersecurity challenge, but we realize that for several reasons we werent fit for purpose from the structural perspective. Where that comes to play here is looking at the two authorities we have. We have the signals intelligence, foreign intelligence authority, and we also have our Information Assurance authority under National Security directive 42. Traditionally nsa had been organized along those authority boundaries, and that was good at the time that it was initiated but over time we realized it created a weakness and the weakness was kind of what rob pointed out to. It takes a hunter to know how theyre being hunted, and one of the things that we were not able to do in our prior structure is to get the talent at all levels of their career to move back and forth across both sides of that coin. It was a major it wasnt just an organizational move, it was a physical move because the clusters of people in those organizations were geographically distant from each other. And so one of the things we look at was the continuous pull to provide not only those Mission Outcomes we had provided in the past, but the increasing nexus for us of what cybersecurity represents as a challenge and what could we do better to meet that challenge. Really, the way that we found we could do better is to organize based on the functions that we perform, operations, supporting so we found through the a little bit of the cultivation of talent like rob and some of his peers, where they went from being on the signals intelligence side over to the Information Assurance side, they realized that they didnt have all of the insights where they arrived. A lot of the intelligence stream that they had become conditioned to receiving routinely was shunted off. We had not done a good enough job in making sure our Information Assurance components were fully enriched by all of the insights we were getting on the intelligence side, and the expertise we had, people had built careers on one side or the other and they really didnt mix. So it was a major cultural change and shift, not only an organizational shift, to bring these people together in new and different ways, and we are already are realizing the benefits of that. We are taking people that conducted Information Assurance ops and foreign intelligence ops and brought them closer together, respecting their authorities and associated boundaries but making sure that they actually enrich each others cognizance of whats the vulnerability space for the United States and our networks. Thats the key issue for us, is security, whether it is protecting networks or gaining insights from our foreign Intelligence Mission to make sure that we are appropriately and in a timely fashion protecting those networks. The new structure allows us to do that in ways we hadnt done it before, and so thats really a key point. All of the things that rob talked about we are trying to condition ourselves to evolve, emerge and even help define a way. We have so many years of expertise in this business that we do have ideas, we have technology, were trying to work with our Mission Partners, whether they be in the Government Agencies or our industrial partners, to understand what has worked, what has not. How do we evolve together . I know it is trite, but there is something to the fact that we have to have a different formula. We cannot just scale our old models to the new problem. And so having a continuum across the public and private sector is extremely critical, and bringing in academia. We as a country are not putting out technical degrees at the pace that we need to. We have a supply and demand challenge. That is a National Security issue, isnt it . It is a National Security issue, it really is. It is perhaps the biggest, because if you look at a lot of the others in the world that we find ourselves comparing ourselves to such as china, they are graduating computer scientists, engineers and mathematicians at dramatically higher rates than we are. We as a nation and we as a democracy rely on innovation. I mean the core gris that has made our country what it is is in jeopardy if we dont attend to the cultivation of our children. Thats the security thing that i focus on and thats what has made nsa what it has been for decades. We have traditionally developed most of our technology inhouse with dramatic support from industry, but we have always hired in the talent, cultivated them, and they have pioneered new ways of doing business. We need to continue to do that so that we remain viable and to use those insights to help our partners find the way. George, thank you. Thats a wonderful way to start us out, and very consistent with a lot of the things weve been discussing earlier in the day as well. I mean this is a little off the beaten path, but do you see a day where even at the National Security agency, where everyone from a promotion standpoint because we all know promotion is the way to build skills where anyone whos on the breaker versus maker to go back to old codes, but all of the i dont know what we can talk about in terms of what it is now. Sure. But do you see a day where to get promoted they will have to sit in different roles, not just bring their entities closer but where individuals right. Will have to know how to both break and protect . Certainly. We havent gotten to that point yet, but what we have done is weve looked at what we can and should do to cultivate expertise, and how do we understand what is pulling on our people. We are very lucky in that we have dramatic numbers of people across the u. S. That want to work with us, and thats something i think that despite the money, the sense of purpose, it is something that brings people in droves to us from an aspiration perspective. We have a tough but great job in front of us every year when we look at how many people were going to actually bring on board, and that has been a great history and it continues. The challenge now is really the retention piece, because we have a supply and demand imbalance. We have, as i mentioned before, these functions when i started 30 years ago, you know, what i did was very unique. Now what i do and what my peers do, there are analogs out in the commercial sector private sector, yeah. Out in industry. We have a dirth of talent and insights, and so all the discussion you all have had today just points out the fact that this imbalance is causing us to readjust. That readjustment really comes into the talent, cultivating the children when theyre in grade school, getting them interested in pursuing the technical degrees so that they can actually increase the supply. I think it is healthy that a lot of people come into nsa, they spend five years, ten years, and then they go out into industry. A lot of the people that leave nsa today are leaving to go work in this industry. Yes, thats hard. We have to continue to bring people behind them and it is sometimes traumatic to lose wonderful people, but at the same time it is also good for our nation. Absolutely. Because that knowledge, that expertise and the connections back to the rest of our network of people enrich us more broadly. I think thats part of our survival. And one thing that National Security agency doesnt get enough, at least in my eyes, credit for is you have very strong relationships with the universities. Yes, yes. And that is a way to sort of bring talent in and out, and i hope you double down on some of that. Most definitely. I mean we have had many programs. Weve had centers of excellence, partnerships with many universities across the nation. We also have a program called gen cyber that we started with the National Science institute where we work with upwards of 150 universities across the country to help the universities put on summer camps for children to learn about cybersecurity. Those camps have nothing to do with nsa. I dont care whether any of those kids come to nsa when they get out of college it would be nice but i want them to be interested in that domain and to pursue College Degrees in the various fields that help our country. So those Little Things we are finding that were getting the kids can interested. Just go online and just, you know, do a search on gen cyber and you will see lots of great examples where those seeds are being sowned and theyre having an effect. So lets go to because another theme today was looking at the role of u. S. Cyber command. Sure. And obviously theres the president recently elevated made a decision to elevate it to a full combatant command, getting it out of the shadow of its subordinate command role. I guess no decision made yet on that the role with the National Security agency, but i think it is inevitable at some point thats going to peel off. Sure. But tell me what we think what we should be thinking . How does it affect legacy issues and relationships, and what does that mean . Okay. So obviously decisions have yet to be made about the nature of a split, but the split discussion is not about splitting the partnership we have with Cyber Command. It is about whether or not one person should have both roles as the director of nsa and the commander of Cyber Command. Thats really the decision. Whether or not that happens, it does not change the underlying facts that since 2010 when Cyber Command was created, it was created under the premise that to be viable as a nation that extends into cyber space, defensively and offensively when required, theres a lot of expertise, a lot of knowledge, a lot of technology thats been developed over the years in the National Security agency that can help to accelerate the viability of cyber com into being as a Viable Service for its functions and, secondarily, it will always find that it derives benefit and value from being connected and supported by the National Security agency. We are a big intelligence machine. Intelligence is required to feed cyber activities and operations. So we will never separate. Thats why Cyber Command has been physically instantiated on ft. Meade campus, alongside us in our buildings. And all of the Services Except army, right . All the Cyber Commands . All the services are part of the formula. Army, navy, air force, marine. Coast guard, okay, theyre all services have cyber components. Theyre all part of the overall formula. They are distributed physically, but, as are we. We have points of presence across the United States, and invariably the cyber components in the services colocate with the nsa counterpart. That partnership is tight. It is growing, it is evolving, it is maturing, and we are also demonstrating by bringing in Service Members into our world it accelerates their ability to be productive for foreign intelligence while theyre with us, but also to apply those skills when they turn and have cyber com roles. And it allows i mean just deconfliction i would imagine. Almost always. It is an issue of not compromising. Most definitely. Thats another key thing. The equity space is extremely fragile, it needs to be managed actively. The fact we are coresident together and we develop a culture thats informed one side of the other, that helps the discussions so were not doing things transactionally across the transom as though we didnt relate to each other. Uhhuh. So Cyber Command, nsa, we will continue on forward. We will have a tight and growing partnership into the future. That will be independent of whether or not we have one or two masters at the top. Think of it as sort of a title 6. It is basically what jsoc was able to deliver for ct missions. Thats right. Thats right. But even even tighter. The thing about cyber thats a little bit different is it is continuous, right . And so the physical proximity is also just as important as the organizational partnership. So tell me, george, thinking about and just because youve had a lot of senior weve had a lot of Senior Leadership from dhs, how do you see the relationship between ft. Meade or nsa and the department of Homeland Security . Im glad that rob brought up ctic because it seems to be people seem to forget the significant role that it plays. Right. But give us some thoughts on that, because i mean cyber is everyones mission. Thats right. And we tend to ask whos in charge. The real question is who is in charge of what. Exactly. When and under what circumstances. Thats right. How does that purple role, how does it look, your relationship. So with dhs it is critical if you look at all of the things that rob enumerated about the fragility of the Critical Infrastructure landscape as a case in point, dhs is the organization that connects with the Critical Infrastructure and key resource entities, all of those sectors. They are the ones when a company is penetrated that goes and knocks on the door and delivers the message they have a problem. Were not that entity. We are a Foreign Intelligence Service and we provide that function for the department of defense and the National Security systems but not for the rest of the government, the dotgov domains or all of those constituents downstream upon which they rely. And so our partnership with dhs has to be extremely tight and growing, and it is, and weve had, unfortunate, we have hey things that have happened over the last year, where there have been events that all of you all know about, and those have given us every time theres an event, its an opportunity for learning. So we exercise our system. We find out where it is weak. We do the Due Diligence rollback and find out how we fine tune it so the next time we dont make that same mistake and it gets better and better with time. Do you actually do active hot washes . Do you have a formal process, sort of not like a trade not a very but do you have a process where you are doing after actions . We definitely have one with nsa and within the nsa cyber com realm. Interagencies . We dont have a formalized one with dhs. That said, we have various levels in the inner agency and part of the you know, im on the Deputies Committee and all of the deputies come together and meet with rob for cyber and a lot of the other people in the National Security apparatus, and then we have subordinate layers that come together and tease out issues and problems and strategies and policy formulations. Get a policy recommendation here for us to help. Thats an area where this spring when we had the wannacry, you know, there were tight partnerships that were exercised between us, the do d, dhs, fbi and others, and we learned, we tweaked, and theres rich, fluid discourse. Awesome. I hadnt thought and how about the bureau . The bureau is i mean, the fbi has been a tight partner of ours for decades, so it is not as new of a partnership as the dhs domain, so thats just natural. The natural relationship kind of evolves with the application, you know. It has always been the National Security apparatus, counterintelligence, cyber is just an extension of that with technology wrapped around it. Sort of that key general alexander had. Yes. Good, good, good. How about our allies . What are we thinking here . I mean in addition to obviously the collection capabilities you have, youve been the ultimate provider of defensive capabilities. How does that look from an allied perspective . Do we need to look at new sorts of alliances, and what does it mane for combined operations at some point, whether physical, kinetic or cyber . So i think if you take the cybersecurity layer of mission, that rides can ride and in our case it does ride on top of previouslyestablished partnerships. Some are more fit for purpose than others just based on the partner, the sophistication they bring, the operating authorities and how those can relate to ours. Most people know about the fine is and thats one thats obviously. We have a tight partnership with the five is partners. They are each at different places in the evolution of the operating authorities. The one that was out more commence rat with us was the united kingdom, and so that partnership is rich and deep and vibrant and rides on the backbone of our Information Assurance partnership, our foreign intelligence partnership, and our dod mod partnerships. Those partnerships are across all agencies and factors and so that makes it natural for us to link up and also learn from each other. We have different scopes and scales, so what works for them might not work for us and vice versa, but by looking at what they do, seeing how it worked, how it didnt, looking at what were doing, it is great to have somebody else that has your challenges and you can just bounce things off of each other and iteratively learn. And in the uk, i mean the way theyve organized and structured for this with their National Cyber security center, that comes largely out of gchq, out of the british equivalent. Yes. But it has an interagency role. It does, thats right. It is an interesting way. I think they came to conclude what many here would say, nsa has the capability but not all of the authority. Right, right. But i think you have figured that out. Right. And the uk is a Smaller Government than the u. S. , and so it became more efficient for them to build out of gchq. Also their operating authorities were a little different from what we have in the United States. Uhhuh. So for their authorities, for their position in the government and the size of the government and the challenge, the ncsc is the right model. The other thing theyve been proactive is how to draw industry into the model. And universities. Most definitely. They have oxford involved there as well. We have ten minutes for questions. If people have questions, please raise your hand. Identify yourself and please. And then well go there. We have one here. There, there and there. Theres a trend here. Dustin wolf with reuters. Two quick questions for you. Again, on the issue of social Media Companies having to getting pressure from lawmakers to deal with foreign disinformation on their platform, Faye Facebook and twitter, im curious if you are helping them survey their networks and provide intelligence that might be effective. Secondly, we have heard about the importance of section 702, fisa, due to expire on december 31st. The last time we were in a situation like this with the patriot act in may, june of 2015, the nsa came out and said they had to wind down that bulk phone meta data program a little earlier than the actual statutory deadline because of the sophistication of the program. I am wondering if a similar situation will exist for section 702 where the nsa may actually lose some of its Authority Even prior to december 31st. Okay. I will hit those in order. First you asked if we are collaborating with the social Media Companies with respect to what is happening. We are not. Thats purposeful. You know, we do not as rob mentioned, they are very sophisticated. A lot of the people that come to nsa are built out of the same cloth as go to those companies, a lot of the computer scientists an those times of folks. But based on our operating authorities and our focus, we dont collaborate on helping them look at who is in their networks. That just would be totally outside of our purview. But we are encouraged, as rob said, when they are actually taking it upon themselves to understand whats normal from their Customer Base and look for aberrations and whats the significance of those and do they tell the companies that something is going wrong. Now over to your u. S. Freedom act and 702 question. First can i add a footnote here . Certainly. Because i mean just and i think this is a public a vast majority of the information or intelligence that is provided to the president in his daily brief comes from section from similar capabilities that could be blacked out or eroded. Right. Yes . For faa, section 702, theres a large productivity piece there and it does inform and influence much of what goes to the president s daily brief. There are many other sources as well. Obviously the key one that weve talked a lot about and is still extremely critical is counterterrorism, that it is extremely critical to us. And the big difference between what happened with section 215, which became the usa freedom act and 702 is the ufa is billing records from u. S. Companies in the u. S. So those are transactions that happen in the u. S. Section 702 is foreign entities outside of the United States. So they get conflated, theyre different technologies, theyre different authorities and theyre different focus areas. So 702 is 100 foreign individuals, outside of the United States. When somebody comes to the United States, they are treated as u. S. Person with all of the rights, and so we have sophisticated algorithms and checks and balances to ensure when someone comes the United States, if they happen to be an entity that was on coverage because they were a nefarious criminal actor in terrorism, they would be dropped, and thats just the way the statute works. So those assurances are just core to the foundation of 702. Now, if we thought we were going to lose the authority by the end of the year, to your point, we would have to be looking to work with our Mission Partners in the government as well as the companies to start scaling down in advance. So we would definitely, because the last thing we want to do is conduct any operation and that goes from us all the way through to the Company Delivery data back, zero of that could happen at the point we did not have an active statute in place. So we would have to work the dates backward to make sure that we didnt cross across that line. Question back there, and then were going there i think. There. There and then there. Thank you. Im hidiki with nhk japan broadcast corporation. My question is north korea cyber capability. It has been reported that north korea is responsible for the wannacry attack and also a banking attack. Bangladesh attack. Im wondering, you know, that north korea is in a very isolated country and whether they have such kind of capability or not. Could you tells about your assessment of the north korean capability . Certainly, we are on record to say that we have not definitively tied the wannacry 2. 0, which is the one that caused the impockets to the National Health system that rob mention mentioned. The nsa have not definitively tied that back to north korea. Other states have. There is question whether or not north korea is or is not responsible. Attribution is very tough. Thats one of the challenges of Cyber Security and the current strategy we talked about and providing pressure back on those that perpetuate cyber action. So attribution is tough and we take it seriously because of at repercussions of a miscalculation. We have not attributed the 2. 0 wannacry virus or malware, ran some ware back to north korea. North korea has a track record of conducting Cyber Operations for all kinds of outcomes. Many of you know what happened to Sony Corporation in the United States several years ago and also because they are a closed society under fiscal duress due to sanctions, they are looking to have ways to generate revenue and malware sponsor crime. Randomware is the way it could be done. Leads to the hypothesis perhaps they were behind it. We have not connect the those dots definitively. On the social media question twitter identified 200 twitter accounts and closed them down after linking them to russians for the purpose of pushing fake media. Where do you think that number stands . I would have no idea. We dont have sight into their infrastructure and how they make those estimations. They as an operator have the best view in assessing who is connected at their infrastructu infrastructure, what profiles those actors might have, such using advanced big data an lit ins to really assess what fits the profile and the Due Diligence to look down deeper is this tied to something thats bigger. We have no insight into those things, im sorry. Were about out of time, but i would argue, and please, disagree with this premise, that we discussed earlier that the role of private sector providing attribution of state sponsored atacks has actually made the governments role a little easier. Right. Allows them mandiant, fire eye, cloud strike, im not sure that made it easier. But theyre all over the place, and im starting to hear from some of their execs they may not be as forward leaning because it doesnt help business. Thats right, and so their business is to untravel those things for their customers so how public you are in that there are pros and cons there, right . Only they can assess based in the aftermath, once that happens, that draws attention to them, which may complicate what theyre there to do. So in the end, and thats one of the challenges with Cyber Security. Most customers, most entities that are penetrated do not want to advertise the fact theyre penetrated because it basically creates a magnet to draw more attention, whether its just from all of us being interested for our own purposes in security or other malfeasance, other bad actors can be drawn to what they see as a vulnerability and weakness. A lot of things happen and theyre not reported so you dont get the full picture of whats going on. Not to be columbo or snarky but last question, where do we stand on the Insider Threat issue . I know youve done some yeomans work of late. Anything you can share there . Its been a tough road from 2013 all the way up to this past year. We have had a series of losses unfortunately. What that did, and tit didnt happen all at once. After the 2013 loss we started to evaluate our security practices, that initial start was in the i. T. System administration realm because thats where the loss started and so we started to really evaluate how we did that, how, what permissions we gave to what sets of people for what functions, but on top of that, we learned subsequently by some losses that we had to have a multifaceted strategy that hit all aspects of technology, personal security, physical security, and so we have a Robust Program now. Weve spent a lot of money trying to actually totally revolutionize the architecture we have to enhance security, to all of us that have accounts on those National Security systems, every time you login, you have a content to monitoring banner, that has to mean something, so we have to be able to understand whats happening on our systems, what are the normal things that people do based on their function. I and my job should not be going into some database where our analysts are working traffic against a sworn adversary. I have the ability to do that, since im the Deputy Director, but its not my job. And so typically im on email. I have a very simple profile. Its working actions and moving people archound. We had to become much more sophisticated and we had to look at the vulnerabilities inherent in the fact that we hire people whose job it is to tear apart systems to understand their weaknesses so that we can either leverage those or use, better secure them for our nation. So understanding that means we had to change our mindset, culture, as well as our architecture and process procedures. So its been a long road, but we are much stronger than we were. Awesome. And weve used a lot of what weve done has influenced whats happening more broadly in government, which i think is helpful and it also gets to what were talking about in the Cyber Security space in general. If we make it easy to go in the back door, thats where people will go, and we can have all kinds of mechanisms in place but we all have to have Network Hygiene and multifactor defense and depth. George, not only i thank you for taking time out of your insanely busy schedule, thank you for your leadership and all youre doing for the men and women that you lead, and even more importantly, for the men and women you serve. I think the mission is imperative. Theyre in good hands with you at the helm. So thank you. Thank you, sir. Thank you. [ applause ] weve got an awesome partner in northrop. Thank you all for joining us and thank you, lenny and team. [ applause ] join us tonight and all this week for American History tv in prime time. Tonight former president Herbert Hoover and his relationships with other president s. American history tv prime time begins at 8 00 eastern on see pan3. Tonight on cspan2, its book tv, in prime time. Our focus will be science. First, scientist kelly winersmith and car on ittist zach winersmith on their book soonish and microsoft Ceo Satya Nadella talks about the reinvention of microsoft in his book hit refresh. After that, its Software Engineer ellen ulman on her book life in code and later, Massachusetts Institute of Technology Physics professor max tegmar examines the concept of Artificial Intelligence in his book life 3. 0. Its book tv all this week in prime time on cspan2. Coming up tonight on cspan former secretaries of state Madeleine Albright and Condoleezza Rice are joined by ambassador nikki haley. The pam was part of a forum on freedom and security and includes opening remarks by first lady laura bush. Here is a brief look. And i think we have to recognize that we are dealing with a president of a country, of russia, who is a kgb agent, and they know how to do propaganda, and what theyre doing is using information in a way to undermine the system, democracy. What they want to do is undermine the democracies in europe, and separate us from europe, and i do believe that they have figured out how to make our life more complicated in every single way, through various new methods, tweets and bots and various aspects, and we are an open society, and they are using our openness and how do we deal with it, without closing down . So it is a challenge for all of us to think through, but it has changed, because we are being attacked in a new way through a new system. And that just a brief portion from tonights program, featuring former secretaries of state, Madeleine Albright and Condoleezza Rice and u. N. Ambassador nikki haley. You can see that program in its entirety tonight starting at 8 00 eastern on cspan. Tonight on the communicators adam altar talks about his book irresistible the rise of Addictive Technology and the business of keeping us hooked. We know the dangers of technology. We dont say things like weve built in special mechanisms designed to hook people therefore we dont want our kids hooked. Thats the sense you get. Basically never get high on your own supply. If you are creating something you know what the dangers are, you want to make sure other people you love and hold dear are not going to be affected by them. Watch the communicators tonight at 8 00 eastern on cspan2. Recently, two combat veterans joined National Security experts in a discussion on u. S. Military strategy in afghanistan. At the Kato Institute in washington, d. C. The panelists discussed the Current Situation in afghanistan and whether a negotiated settlement or removing u. S. Troops was an appropriate option moving forward. This is about 90 minutes. Good morning