Captioning performed by VITAC.

... through our cloud-based shared service platform. It's a FedRAMPed cloud where we get the sensors out for those small and micro agencies and feed that data, rather than into individual dashboards at their sites, up into a FedRAMPed cloud where each agency has their multi-tenant dashboard. That's been a great accomplishment for the program in terms of, for the first time, we're getting near real-time visibility of those smaller, micro agencies and helping them get the capabilities they need to protect their critical mission systems. One of the early wins for the program: once we were getting automated discovery capabilities out to the network, we were able to see on average across the federal government that there were 75 more assets than what were being reported up manually. So from that measurement we want to continue to build on that. Now we have all of this vulnerability information feeding up to the agency dashboard, summarized up to the federal dashboards, configuration information and then ultimately the user and privileged user information. We want to be able to start giving agencies a way to measure their security posture, to better measure their risk so they can better manage it. That's where, more to come on this, but we've been working on the AWARE scoring algorithm. The purpose is to give agencies a way to measure their overall security posture. We're going to be coming out with more information on that as we head into October. We're starting that rollout, but today we've got, I think it's 31 agencies that we have AWARE scores for. Again, part of that data consistency effort, we want to make sure that data being reported and measured is good from sensor up to dashboard. So that's the effort under way right now. Finally, a key for the program is partnerships, both with the agencies but also with industry.
So we have an Approved Products List that we work with the agencies and with our system integrators to look at the tools that are going to be part of the different CDM solutions at the agencies. That's what the Approved Products List, or APL, represents. Originally we had a pretty stacked process, so it was more difficult for vendors to submit their product, have them assessed and then add it to the APL. We have really worked in the program to take lessons learned from our prior efforts and to continually improve the program. So we have worked with our partner GSA to expand out how the APL process works, to be able to enable vendors to submit their products to us on a monthly basis and to have that quick turnaround so that the vendors know whether or not their product got added, or if it didn't get added, what they need to do to get it considered. What the APL represents is, it's not an Underwriters Laboratories testing effort; it's simply looking at products against the CDM capabilities and the criteria, but we also have other criteria, including supply chain. The vendors, we ask, need to know what their supply chain is for their code, for their hardware, et cetera. So that's what the APL is. We've expanded that. I think when the new effort started we were around 140,000, so just within a year we've added close to, a little over 100,000 new products and then really expanded out the ability for different manufacturers to submit to the APL. So those are some of our current metrics. Again, we are in the process of operationalizing the data feeding up through the dashboard, and the other thing that we want to do is to really expand out the benefits of the dashboard to the agencies. So, again, taking lessons learned from the original efforts with the program, we wanted to ensure that the agencies could access their data more, do more with that data, get better performance, better scalability across the larger federated agencies.
So we awarded back in May our new dashboard contract. It increased the scalability throughout the federated agencies; we are able to bring in unlimited numbers of offices, we can scale horizontally and vertically. We have improved the performance of the dashboard with the new architecture and then really looking to expand out flexibility of what the agencies have access to with their data, as well as the ability to bring in innovation. How that's going to work can be seen in this diagram. Again, I recall the A, B, C, D architecture: the sensors at the A layer, we can bring in any number of new sensors, any number of additional data sources. One of the things we focused the program on is on requirements rather than on specific tools. So as long as agencies have tools that meet requirements, we can get that data, feed it up through the stack for reporting purposes. Again, we feed it up into the integration layer, but then we're going to have the ability to do more from a scale perspective as well as a performance perspective at that B layer. And then we can bring in additional technologies, additional innovations. So we're going to, out of the gate, have better visualization of the data for the agencies, but we're also looking to bring in better analytics, better business intelligence, as well as ultimately machine learning capabilities, being able to apply that to the data so that the agencies are getting maximum benefit from their cybersecurity data. That's all at the C layer. Again, continuing to do some risk calculations, some risk scoring, feeding that up with the summary data to the federal dashboard level. Again, we're bringing in a lot of that new technology and new innovation there as well to really maximize the value of the data at the federal level. And then being able to orchestrate that across the federal landscape. So what are our priorities going forward?
I mentioned the operationalization of the CDM data, the data consistency efforts to really ensure from A through D that we have good data flows and the data is good and timely. We are currently in '19, and all of these things on this slide will carry over into '20 and beyond. We want to help fill any remaining gaps for the agencies as far as their assets are concerned and their identity and access management is concerned. We want to help agencies get full understanding of all their privileged users, so we're still finishing out those efforts. This year we began efforts across all of the CFO Act agencies, the cabinet-level agencies, to discover what their perimeters look like as well as to get a better understanding of what they already have out in the cloud, so that we know who the cloud service providers are that they are working with, what the different environments look like, whether they be infrastructure, platform or software. We also, down on the lower row, are working to understand what the agencies have as far as enterprise mobility management is concerned. So working, and I will talk about this here in a moment, working to be able to align with an existing system that an agency has and pull data in for their reporting purposes. We've begun pilots in a few high value asset environments. Again, these are the mission critical systems on the civilian side, on the .gov side, that have some of the most sensitive data. We are looking to see what components of technology are needed: data rights management, data loss prevention, more advanced threat capabilities, sitting in front of those high-value assets. So those efforts are under way. And then with each of the task orders that we have in place for the groups across the agencies, we have different what we call requests for service. So for some of the agencies today we're working on a network access control effort.
For other agencies we're working towards ongoing assessment, utilizing the asset management controls, starting to automate a lot of the control assessments that are done manually today. We're working with an agency on incident response orchestration to ensure that each component within that agency can report up centrally to the agency SOC, and then that data can feed up to the coordination center at the federal level so that incident information is shared across all of those levels and they can better track all of those incidents. So those efforts all will carry into FY20, and then what we're also adding in FY20 is the new dashboard effort. We already have a proof of concept under way in the lab of the new dashboard environment, the new dashboard ecosystem. Starting in the first quarter of FY20, in the October-November time frame, we're going to begin bringing that technology out to a handful of agencies to implement the dashboard ecosystem and really expand out what they're able to do with their dashboard data. Also, now that we have a better understanding of what the enterprise mobility management systems look like in the agencies, we're going to be aligning with those, looking at the open data standards to bring the mobile asset information into the agency dashboard so that the agencies have a better understanding of what they have out in the environment for mobility. With the information we have from the cloud discovery, we're working with our partners within the Cybersecurity Division of CISA, as well as with the agencies, as well as with our system integrators, to determine the right way forward for cloud security.
So we've been conducting a pilot with the Small Business Administration to look at what we can do for reporting purposes on the data they have out in the Azure cloud, being able to see what we can do with the partner, with Microsoft, in terms of reporting, and really be able to utilize as much as possible the reporting coming from the CSP, as well as seeing what else is needed, perhaps, to ensure that agencies have full understanding of how their data is protected in the cloud. Finally, we want to expand out what we do with the high value assets. We want to really focus on the tier 1 high value assets, the most critical, and ensure we're helping get the proper protections in place for the data on those systems. So that's the way forward for the program, and I just want to conclude with the values for the program: leadership, partnership and accountability. We want to continue to lean in. We want to remain open to innovation. We want to remain flexible as the threat changes, as technology changes, to be able to bring those technology changes to the problem, to get in front of the adversary, get in front of the threat. From a partnership standpoint, partnership is really the core of our program. We had the partnerships with GSA at the beginning to get the acquisitions in place, and they continue to partner with us going forward; partnerships with all of the agencies to really help understand their networks better and to get them the capabilities to really help them better manage their risk; partnerships with industry, with the system integrator community, with the vendor community. If these partnerships don't work, then CDM doesn't work, so we really work to help these partnerships flourish and will continue to do so. And then finally, from an accountability standpoint, we are entrusted with taxpayer dollars. We want to ensure that we're using those dollars properly, efficiently, effectively.
We want to be able to measure the work that we're doing and show that we're providing value to the agencies. We also want to help the agencies better understand their risk and better manage their risk so that they can work to ensure accountability across all of their systems. So with that I will open up the floor. We have a couple minutes for any questions, and then this is the contact information for the program. Any questions from anybody? Yes, sir.

[inaudible question]

Okay. So the original, let me see. Okay. You will get to see me instead. The original nomenclature for the program was phases, those four capability areas: asset management, identity access, network and data protection management. Data protection management was what we would call phase four; that's what we're undertaking with the pilots right now. We have three high value assets we're piloting with, bringing two additional customers on with that. So based on those pilots we're then expanding out the efforts in FY20 for the data protection efforts. So some of that's under way now.

[inaudible question]

Yeah, so the question is, is there any way to get your company's product into, or for consideration in, the pilot. I think what we typically do is we want to make sure that the product is in the Approved Products List. So you can see me after and I can get you that information. And then it's working with the system integrators in terms of what the product will bring to bear on the problem. Good? Okay. Thank you. Any other questions? Okay. If not, I thank you for your time. I appreciate your efforts in terms of better understanding the program, and we're looking forward to continuing to support the agencies going forward, and I will be around for a few minutes if you have any questions. Thank you.

[applause]

Thank you, Kevin. We're going to move off to our break right now. We will see you back here at 9:45 for a discussion on zero trust. Thank you.
The first break of the day in this daylong forum on cybersecurity. When they continue after this break, discussions on creating a system that maintains strict access controls where no one is trusted. Also, top priorities for military cyber commands. Live coverage here on C-SPAN 3 continues shortly. And a look at some of our other C-SPAN coverage: weeknights this week we're featuring American History TV programs as a preview of what's available every weekend on C-SPAN 3. Tonight it's the 50th anniversary of Woodstock, and we begin with historian David Farber talking about the cultural phenomenon. Artie Kornfeld discusses how the concert was organized, and Wade Lawrence describes how the three-day concert was held in Bethel. Enjoy American History TV this week and every weekend on C-SPAN 3. Watch C-SPAN's Campaign 2020 coverage of the Democratic presidential candidates at the New Hampshire Democratic Party convention. Our live coverage is Saturday at 9:00 a.m. Eastern on C-SPAN, online at c-span.org, or listen with the free C-SPAN Radio app.

This daylong forum on cybersecurity will continue at about 9:45 Eastern today with a discussion on what's called zero trust, where network security maintains a strict identity verification for everyone without exception. In the meantime, a look at election system vulnerabilities and cybersecurity. Joins us again from Ann Arbor, Michigan, where he teaches engineering and computer science. One of your research specialties is computer and election security. I wonder what you thought of this headline last week: "Hackers can easily break into voting machines used across the United States. Hackers at a recent Las Vegas conference penetrated voting machines within minutes, turning them into gaming consoles."

Well, unfortunately it's all too true that election infrastructure across the United States remains weakly protected and vulnerable against sophisticated foreign hackers.
We've got a lot of work to do as a country before 2020 and elections to come. That headline is talking about the DEF CON conference, and the students who turned those voting machines into video game consoles included some of our research students from here at Michigan. So voting machines, unfortunately, are a target ripe for the picking.

You are somebody who has personally hacked a voting machine yourself. Why did you do that, and what did you learn?

Oh, yes. So in security research, I and other colleagues have brought many different kinds of voting machines and other election equipment into the laboratory to test them. We play the role of an attacker and see how easily the real bad guys could make them misbehave. What we found with every single kind of voting machine that's been rigorously tested, unfortunately, is vulnerabilities where someone could hack in, put malicious software on the voting machine and cause it to be sabotaged or even silently steal votes.

Do you work with election officials at the state or federal level to show them what you've learned about how easy it is to hack these machines?

Yes. Yes. So I am currently co-chairing, for the Michigan Secretary of State, a commission to advise the state on how to become a national leader in election security. I also spend frequent trips to Washington trying to educate lawmakers. What we need is more resources for the states, in terms of funding, in terms of standards, so that all states can get up to the forefront of election security. But to have that, we're going to need stronger national leadership on the election security question. I think that's at the root of the problem of why we have such a poor posture for securing elections in this country today.

Take us to the Wolverine State and the resources that you get for this issue.

So in Michigan, Michigan is a good example because it already has a pretty strong posture when it comes to securing elections.
That's because in Michigan, like in about half of states, every single vote is cast by voters on a piece of paper. Now, paper might seem retrograde, but it's actually a pretty good defense against election hacking because it's something that can't possibly be changed in a cyber attack. So what Michigan still needs to do, as many other states do, is make sure that they are using that paper as a form of cyber defense. In order to do that, we have to check enough of the pieces of paper, the paper ballots, by having a person inspect them and make sure that they agree with the computer systems that give us our election night totals. As long as the paper records and the computer records agree about who won, we can have really high confidence that the election result wasn't somehow tampered with.

In the 2018 election, how many Americans cast votes on machines that didn't have that paper backup?

Well, unfortunately it was about 25 of Americans in 2018, and there's still 14 states that, for at least some voters, don't have any kind of paper backup at all. Now, that's a problem because it means those states, for those voters, are relying entirely on the output of these complex computer voting machines that have been shown numerous times to have vulnerabilities. Those voting machines are not as distant from the internet as they may seem; they're actually, behind the scenes, much more centralized than they may seem, and all of this leads to a situation where we have the potential for sophisticated foreign attackers to get in and sabotage the system.

What's the argument at this point for not having a paper backup for your voting machine, as a state official? I will say, last week on this program there was a caller who called in specifically about this issue and was concerned about boxes of ballots being found for machines that use paper backups, and whether those could be just as easily messed with as a hacker getting into a computer system.
Oh, yes. Well, we have had a long history in this country of people tampering with paper ballots in order to interfere in elections. That's why a modern approach isn't just to go back to paper and count it by hand. What I and other security experts recommend is having that paper ballot box, but also, right in front of the voter, scanning the ballot into a computer. That's actually one of the most common voting systems in the country today; it's called optical scan. What you get then is both a paper record and an electronic record that we can check in a post-election audit to make sure they reflect the same winner. And that's much stronger than either having paper by itself or electronic records by themselves. You would need both lots of people on the ground tampering with individual ballots and sophisticated hackers getting into the computer system, and those would have to coordinate in a way that caused the same tampering in each kind of record. That would just be a remarkable kind of attack, well beyond anything that we've seen. But today I don't think that there are many serious people left who would still argue that we don't need a paper trail with elections. That's pretty much done. It's just a question of resources.

J. Alex Halderman is our guest from the University of Michigan. He teaches and consults on the issue of election security and is with us for the next 15 minutes to answer your questions about election security. Less than 15 months until election day 2020. Phone lines: Republicans 202-748-8001, 702-748-8000, 8001 if you are in the Mountain or Pacific time zones. We will let you look at the numbers on the screen and hear from Frank in Long Island, New York. Good morning.

Caller: Yes, good morning. I was wondering how come they don't enforce more paper trail, you know, verify, and people can really check the real results.
Like in the Caribbean, the Dominican Republic, in our country, where there is a lot of corruption on the voting day and there is no way to go back and check those results for, you know, the corruption that played out on the voting day.

Well, I think you're getting at a very excellent point. What we need to secure elections and to give everyone confidence is to make sure that every voter has a piece of paper that they can see and verify is recording their votes as they intend. Then the process of counting and auditing those votes needs to be as transparent as possible. For way too long, elections in America have been based on faith, on people having faith that the operators of the system, the election officials, are doing their jobs and taking every necessary precaution. But it doesn't have to be that way. We need to engineer elections so that they're based on evidence, evidence that any skeptical voter can see and check to know that the election is free from any kind of interference.

Morrisdale, Pennsylvania is next. Angel, good morning.

Caller: Good morning. I would like to know about using blockchain technology for security.

Oh, blockchain. Well, blockchain is good for some things. So you might know about Bitcoin and other cryptocurrency; it's based on blockchain technology that essentially gives you a way for everyone to agree about what transactions have gone through the system, without having any central bank or central authority that's making those calls. In voting, something like blockchain could be part of a more secure solution, having a way to post records of votes or records of voter registration that anyone can check, add up, or verify are of legitimate people. The problem is it's not nearly a complete solution. So to continue the example of Bitcoin, with Bitcoin we still have problems of theft because people lose their passwords, because attackers install malicious software on their computers, or because attackers break into Bitcoin exchanges.
Just like there's still theft despite blockchain technology in Bitcoin, we still can have problems with voter, with election integrity even if we apply blockchain technology in voting. It may be a step forward, but it's a way from the whole solution.

Dominic out of New York. Good morning. You're next.

Caller: Good morning. You know, I live in New York, we have paper ballots, you just go up and get a paper ballot, they ask you your name, they give you the form, you know? What about showing ID to make sure the person who is getting that paper is really who they said they are, because from what I heard a lot of dead people have been voting, you know? I'd like to hear your opinion on that.

Yeah, so voter identification is a complicated question. There's a kind of trade-off between two things we really, really want. We want to make sure that everyone who is entitled to vote is able to, and we want to make sure that nobody who isn't entitled to vote falsely does. When you have that kind of tension between two properties, it's always hard to balance them. States have taken different approaches to where they want to err on that line, and it remains a matter of policy. I would say that there is not a lot of evidence of people falsely voting by impersonating other people; most of that fraud tends to be via fraudulent voter registration and so forth. And the reason for that is that there are severe penalties for casting a vote when you are impersonating someone else. You can go to jail for it. And that's a lot of risk to take as a criminal for just one or a very small number of fraudulent votes.

The caller asked for your opinion on voter ID. The president offered his opinion on the issue of voter ID when he was leaving New Jersey yesterday on his way back to Washington, D.C. Here is the president talking to reporters.
I think voter ID, if you look, voter identification, so when people show up to vote. Because if you look, Judicial Watch made a settlement with California, I guess, or Los Angeles, where they found over a million names that was very problematic, a problem. You just take a look at that settlement. That's a lot of names. You had people that were well over 100 years old that were voting, but we know they are not around any longer. So you have a lot of voter fraud. The way you stop it, the easiest way, is voter identification. We have to go and think about that. I hope Republicans and Democrats can both sit down and work something out on voter ID.

Your position on voter fraud, did it find any actual fraud?

Well, we let the commission, the commission was having a tremendous problem legally getting papers from various states, like California. They were absolutely hard-lining. They didn't want to give this commission, it was just a quick commission, headed up by Vice President Pence, to look at voter fraud. The problem the commission had is we had to have a vast amount of lawyers, which I didn't want to bother with, because California and other states were giving up no information whatsoever, and the reason they weren't giving up information is because they were guilty. They were guilty of it. And they know they're guilty of it. Many, many people voted that shouldn't have been voted. Some people voted many times. What I'm saying is we need voter identification. We need voter ID.

Professor J. Alex Halderman, your thoughts on the president's comments from yesterday.

Well, I think the president has, maybe has some of his facts wrong there about the number of voters who could possibly be voting fraudulently. It's not a million people who are voting falsely in California. That may be the number of voter registration records that have, that perhaps need to be checked, or there's something out of date about them.
One of the interesting things about voter registration, though, is that in many states the voter registration lists are public, so anyone can go in and check the names on those lists to see whether there are people who are dead or have moved out of state or just don't exist. So that does, that transparency does provide a kind of protection that can help members of the public confirm for themselves whether the voter rolls seem to have integrity.

Professor J. Alex Halderman joining us from the University of Michigan in Ann Arbor. A little bit farther north, Billy is in Vancouver, Canada, and he is next for you this morning. Go ahead.

Caller: Good morning. No matter how much he repeats it, Trump's lies about voter fraud are patently untrue. It is to disenfranchise non-whites. I'm wondering why Mitch McConnell won't pass any election security bills in the Senate. His argument is that it would benefit the Democrats. So, what, having Russian interference somehow benefits the Democrats? It's ridiculous.

Professor Halderman, can you give us the state of bills in the Senate so far.

There have been a number of strong efforts on a bipartisan basis to advance election security bills in Congress, particularly in the Senate. The last Congress had a bill called the Secure Elections Act that gained significant bipartisan support. There's several good bills that have been introduced this term so far. But the caller is right, Mitch McConnell unfortunately is the major roadblock to election security legislation in this country, and he just hasn't been allowing anything to make it out of committee or reach the Senate floor. I don't want to speculate about his motivations for that, but I will say that many Republicans and Democrats already recognize that election security is a significant national security issue, and without federal action we are just never going to be able to move forward in a coordinated manner as a country or give the states the resources they need in order to protect the public.
Corpus Christi, Texas. Daniel, good morning.

Caller: Hi. I have an idea. Why don't we use a dollar bill, since they have serial numbers, to memorialize the votes on. You just go to your place to vote, they give you a special pen to mark your dollar bill and some kind of camera takes a picture of your dollar bill, and you walk home, you've got your paper receipt and you've got your dollar bill, and then you can spend it later and it becomes sort of one of those Bitcoin things. Thank you.

Professor Halderman, perhaps some incentive to go vote as well.

Yes. Well, the problem with that is that your vote needs to remain as secret as possible. We want to have a secret ballot, and that means we can't just give voters a receipt that memorializes how they voted. If we didn't do that, if you did get a receipt, well, someone could coerce you into voting a certain way, or it would make it much easier for people to buy or sell votes. For that reason the secret ballot is one of the most important security protections we have in elections. We need to maintain ballot secrecy while also finding mechanisms that increase the integrity of the count. That's what makes this a difficult security problem: we want both of those things at the same time.

You mentioned Mitch McConnell. His home state, the Bluegrass State, Janine in Crescent Springs.

Caller: Mitch McConnell is running up for re-election in 2020. We need to push this question in 2020 because he is my senator. I think you addressed this issue a little bit earlier. We have 120 counties in Kentucky, and out of those 120, 48 of our counties had more voters registered than we did in the population. Now, it could be, there could be various reasons why this was happening, but currently now we have what I would call the optical scan, we have a paper where I fill in my little black mark and then we scan it through. So I hope that is more viable than to be hacked than any of the others.
Also, what I would like to see is, I would like to see more control of our voting by the county clerk in our county rather than giving it to the Secretary of State, which is Allison Grimes, and she was sued by Judicial Watch for not cleaning up the voter rolls. And at this time the voter rolls are still not cleaned. We do have a new person by the name of Michael Adams running for Secretary of State, and every one of these candidates that were in the primary had basically supported cleaning up these voter rolls. Another issue that I would...

Janine, we are running out of time. I want to give Professor Halderman a chance to respond to some of that.

Well, I would say that the very positive thing that you just mentioned is the optical scan paper ballots in the polling place. That is the best technology we have currently for securely recording people's votes. What the state also needs to do, though, is make sure that those paper ballots are being regularly audited to make sure they match the statewide results. That is not expensive, it's not particularly time-consuming, but it's a step that most states just don't do yet. You need an audit in order to get a strong assurance. I think another interesting point this raises is just how local election administration tends to be in this country. There are about 8,000 different jurisdictions across the country that are responsible for running elections on the local level, and unfortunately we just don't have good standards to provide a minimum floor for securing elections across those 8,000 jurisdictions. I think that's where more federal resources and federal standards could play a huge role in making things better. We still have to allow autonomy for jurisdictions to accommodate local needs and go beyond those minimum standards, but as it is, from county to county and state to state, we just have a very, a highly varied patchwork of strongly protected and weakly protected jurisdictions.

Last call for you. Mary Lee, Albuquerque, New Mexico.
Good morning. Caller: Good morning. And thank you for taking my call. Here in New Mexico, by the way, we have a really good, strong election system, I believe. I am concerned about what happens if there is an election that is questioned, where the results come out so that the election is actually in question, even in some local jurisdiction. I've thought about the question of what happens if there is a call for doing over an election, which I think would be disastrous. And I wonder who's got the leading edge on those kinds of things, or do you just have to throw it to the courts and cross your fingers? Well, that's a great question. What happens if we find out that something is wrong? I think the answer to that is going to depend a lot on the local rules in each state about whether there are things like recounts available under the law, whether there is a paper trail to go back to and check. The good thing when you have a paper trail is you can go back and audit it, potentially recount it if the audit is showing something wrong, and then get much more evidence about what happened. Now, it's possible the paper has been tampered with, too, and we need to investigate any kind of evidence for that to see whether the paper or the computer record is the one with more integrity in that case, but this is all about making sure elections are more resilient. We need layers of protection, including physical backups like the paper trail, including other cybersecurity defenses, to just make them as difficult to alter and as easy to go back and recheck as we can. New Mexico, by the way, you're right, has a great history of strong election administration, including that they are one of the states that does the most to check its paper trail after every election to make sure it's rigorously audited to confirm that the computer results are right. Professor Alex Halderman is a computer science and engineering professor at the University of Michigan.
I'm sure we will chat with you again before the 2020 election, but I appreciate your time today. Thank you. Ladies and gentlemen, we would like to remind you that the use of any recording device is strictly prohibited. Please take this moment to turn off or silence your cell phones. Our program will begin momentarily. Ladies and gentlemen, please welcome back our master of ceremonies, Captain Edward W. Devinney II, Navy, retired. Thank you. Thank you, everyone. Welcome back from the break, and also thank you to Amazon Web Services for hosting our break as the sponsor. Thank you. Now we're going to be talking about zero trust, a topic near and dear to some of our hearts; for those of you that haven't been to DreamPort, you should go over there and talk to them about their zero trust efforts as well. First of all, I'd like to introduce our moderator, Mr. Tom Temin; he is the anchor of the Federal Drive from Federal News Network. Thank you, Tom, for moderating the panels. His panelists are Rick Howard, the chief security officer from Palo Alto Networks; Sylvia Burns, the deputy chief information officer for enterprise strategy, FDIC; and Michael Friedrick. Over to you, Tom. If you have a streaming device you can hear my voice on the radio now through the magic of streaming technology. Our topic today, and it's really great to be in such a nice intimate setting here with listeners that are close by, we are going to talk about something that in many ways is like Frisbee, Coke and skunk words; you have to almost be careful using it in speech and in texts and in the discussions and white papers, because the idea of zero trust is an area where some companies have staked a claim to exactly what it is, but we're not going to buy that today. We are going to talk about zero trust as something that is of value to the community, and we have three good experts to talk about it. So that's where we're going to begin, with a definition of zero trust. I'm going to just start with you.
All right. We could talk about that thing for the next 12 hours. We will try to be brief here. Zero trust, from my perspective, is you absolutely have to know that bad guys are in your network. Okay. You assume that they are in your network, and if you do that, how do you rearchitect it so you can reduce the risk of material impact to your organization? That's completely different from the way we used to do it back in the '90s, where we would put this electronic perimeter around all of our stuff and assume that the bad guys were on the outside. So it's a different way to think. Okay. Actually, Sylvia, I'm going to come to you third. Okay. Sure. Because you have a lot of follow-up. You have the best answer. She gets the government answer. Mike, we will go to you. I would agree, zero trust is an abused word. It is a process, a methodology, a way of thinking about how to attack your network. I know that sounds like a strange statement, but you need to attack the concepts of IT and mobile and the workforce and assume the adversaries are inside your network, and you need to decide how you're going to define what your assets are, who needs access to them, and you need to go through the process, as an agency, as a user, as a piece of software that you're leveraging, who owns that system, and you need to define that. So zero trust just means what it says: I have to assume you only should have access if you need to. This idea that is going on and the technology being leveraged is opening up holes all over our networks as the government, and we need to stop that. Okay. And, Sylvia, you are doing work at the FDIC itself but also as an agency person for the CSO or CISO Council. I used to be the CISO at the Department of the Interior and I was one of the co-chairs of the CIO Council's Strategy, Services and Infrastructure Committee, and, you know, in my experience at Interior I was involved in the OPM breach. So that was a really, like, impactful experience, if you can imagine, right?
I haven't heard of that. Please, tell me what happened. Tell me what happened there. I testified twice in front of Congress. It is like if you have to tell your mother, one day I'm going to testify in front of Congress, right? So basically I was familiar with the concepts about zero trust. Actually, a small team of people working with me before I was in that job, in 2010, we were talking about what do we need to do to significantly change our IT environment. That's what zero trust is; I agree with everything that Rick and Mike are saying. It is a philosophy that for us has become like a way of thinking to drive an architecture for protecting data. That's really what it's about. The adversary is in your network, they want to take your data. That's the most sensitive thing. So the interagency committee, we started with working with... we had an industry-government collaboration where we were trying to understand what technologies exist today that fit kind of the mindset of what we're trying to do with zero trust. And last spring I published a paper on it. We progressed since last year and we actually kind of converged all activities in working with NIST. The interagency steering group that I'm part of is actually working with NIST on two things. A subteam working on architecture, and there's another team working on technologies to come to the lab, kick the tires, look at what exists, all of this informing publications that come out for the federal government. So that's what we have been working on. NIST put a draft together, a Special Publication 800 document around zero trust architecture, that the interagency team just reviewed. NIST is working through comments to release publicly for comment. Very serious. I would like to emphasize the point that we talked about this backstage: zero trust is a philosophy, it is not a definition. You're never going to get there and be 100% complete. The argument I want to tell the government people is don't make it too complicated.
You already have technology in your networks that can get you 80% of the way there. You're going to spend the next five years doing the next 20%, but you have the technology in your networks right now. If you have a next-gen firewall, it can do 80% of the work by making simple rules that say the guest network can't connect to the internal network. Just do that, you're halfway down the path. You want to get to a point where developers can't get to the secret database we don't want anybody to see. A simple rule in the firewall will get you almost there. It doesn't have to be as complicated as we're talking about. We still have 20 minutes. We're going to make it complicated. I heard the words state, zero trust is a state of being, a mindset, it is a philosophy, an architecture, it is an approach and a journey. But I think as Rick pointed out, it is not a technology necessarily. Nevertheless, it exists in a technological system. How do you, besides buying a firewall, setting up rules, maybe that's all you have to do, what are the steps? How do we get to making the federal networks with that data protection idea at the center of it? How do we go about getting to zero trust? Let me jump in, observations from talking to folks like Sylvia as we talk about the process. Start with classifying data. What your data is, who should have access to this. One of the biggest weaknesses when we talk to agencies: identity management is pretty poor, getting to a sense of who is on my network, what devices are on my network, who should have access to my network and what data within my network, and where does this data live. That's really important to understand because the boundaries are broken when I can read email on my phone, approve invoices for an agency on my phone or on my watch; the boundaries are gone. Now I need to look at where do I protect what, who should have access. That's the beginning of the conversation. Classify, clarify, and understand.
You have to know where it is and who's touching it to start with who should touch it. Isn't that complicated by the fact that in the cloud era, we hear already this morning that agencies are pursuing a multi-commercial-cloud strategy, that there could be many instantiations of data and associated applications? How do you know at a given point exactly where it is? That's the critical part in understanding the contracting process. What vendors have been selected, what technologies you're using, to take the Cloud Smart policy and apply it so that you're not having a VPN here that's weak or a problem, or technologies that don't address users coming off the network. Microsegmentation is the beginning. But to do that, you have to do the first step. You need to understand who, what, where, when, why. That's why zero trust initiatives fail. I've talked to many in the last couple years about trying to do it. It doesn't fail because they don't have the right technology in place; it fails because they don't have leadership in place to make decisions that the general doesn't get access to the cool data he shouldn't have access to. It fails politically. It can't be done by the infosec team based in the Pentagon; these have to be policies at the high level to implement this policy. Sylvia, for FDIC, there's data and data. Some is critical commercial data. Yeah. That's true for everybody, right? Regulated institutions, and there's administrative data. Absolutely. Isn't there a need to apply a hierarchy to how you do protections such that tools can be applied efficiently? Absolutely. Everybody has to take a risk-based approach, right? You're not putting all your energy in the least important things, right? You want to know what the crown jewels are, and put energy around that, because that's what you're most at risk for. It is always a risk-based approach. So absolutely. You're going to focus on high value assets, high value data.
I want to get back to users. Zero trust implies zero trust of what? It is everybody. How does that work in the age of contractors being on your network, you being on their network to some extent, and the mobility question? This is where you need to select technologies to enable a zero trust platform. And agencies need to cite the use case and solve it and what the right technology for them is. More technology is not always the right answer. Less technology that's better integrated and fits the use case is the right answer. You shouldn't select a technology that doesn't integrate with ITSM systems or SIEM systems, IDS, or that DLP can't talk to it, or AI as it is evolving. You need systems that make themselves smarter, better, faster, more agile. If they don't work together, you bought the wrong tool. Yeah. Simple works better. Can we say that, too, it is easy to try to boil the ocean for these kinds of things, who gets access to what. You can get it down to the individual user. Okay. Start with four big groups. Contractors, government employees, military, who do those groups of people get to attach on the network. When you get that done, get more into it. Start simple, get things done down the journey. Earlier I think, Rick, you said protect data but open the network. So what does that... you said that, I'm sorry. So this notion, I think everybody had this false sense of security about the perimeter. And that is false because a simple phish event can compromise the network. The concept of zero trust in conversations I had with people in my circles has been really shrinking the perimeter around our most valuable assets. So we're not putting the perimeter around the whole organization with all users, for instance, which is what we do today. You're actually saying where are the most sensitive pieces of information and systems that house it, and put the perimeter around that. You create micro perimeters, right?
When you get to that point, if you think about it, the implications for large organizations, especially in the federal government, you can open the network up. So at the Department of the Interior we had over 2,400 locations. Some locations were in very remote places. I know the same for many of my sister agencies in the federal government that have large, sprawling organizations that are located in the middle of nowhere, quite honestly, so you're trying to drive them into... it is like you're trying to create one solution for a diverse set of circumstances in the physical environment, and if you shrink the perimeter and open the network, you can let your local offices use whatever best quality broadband services instead of trying to shove them into the corporate network, because they don't need to be in the corporate network. I love the shrink the perimeter idea. I have a different word or phrase for this. I think of it in terms of data islands. We do still have a perimeter in headquarters, data centers we run and operate, we have mobile employees now with phones and laptops. Government is using SaaS services. And as the government moves to the cloud, that's another place your data could go. What we don't want to get into is a situation where you buy different technologies to protect the data items. You want to unify the system with one policy. They have different use cases. If you can simplify it, you have a chance to get it right. For many years we had the regime of the idea of multi-layer security. At the conferences, people used to say networks were like porcupines. They were difficult on the outside but soft on the inside. Sounds like you're saying make the smallest part of the data the hardened part. Kind of. Move up the tech chain. The technologies that are out there now, regardless of the number of vendors, are doing a good job of cloaking network access at the initial point of sign-on. Integration points that happen are important.
You need to leverage different things: single packet authorization, you need to leverage mutual TLS encryption. Why? You stop man in the middle. Get people off the network, but leverage that philosophy and technology across multiple places. The thing I want to challenge agencies and leaders to ask questions about is, is the tool compliant? A lot of people claim zero trust. Start by asking, are you FedRAMP, Common Criteria, show scans of data, where do you do development? Ask the important questions before you get down this road and realize this could be kind of interesting but I have no idea whether this is safe to use in the network. Yes, it gets less crunchy on the outside, but not really. You're putting new technologies in place to be sure the people that do get in are appropriate, along with their devices, so you start to establish a greater sense of trust, but you develop automation with that. Once I establish that the device belongs to the user, I can control what they see, when they see it, how they see it better. You reinforce the boundary but make it more open. I agree, you may need new technologies to do the journey, but I am telling you, you have technology in place that can do 80% of it. Think of how to use that first before you spend money on other things. That's practical. Totally agree with that. I think there's also look to the future, where we want to be longer term. I think that's all true. The thing that frustrates me, you mentioned the ads, Mike, it frustrates me to hear when I drive, I was saying I am driving my car, have WTOP on, and there's an ad about zero trust, somebody selling zero trust. It has become a big marketing thing because I think industry realizes it is a hot topic, right? The federal government is keenly interested in it. But in all the work I've done with NIST and talking with various agencies, quite honestly in the federal sector but also some in the private sector, everybody is still trying to figure out how to crack the nut.
Yes, we are using whatever tools we have. To get us to where the vision is, nobody has the lockdown on that. Part of it is I think we need a dialogue between the government and industry so that we, not just the government, but other big sectors like the banking sector, like the health care sector, that have sensitive data and want to protect that data, so we have an exchange and know what the two sides are saying and what we need from industry. The government is not building this by ourselves. We need industry, but you have to understand what we need. Funny you mention health care. The industry that affects government with DHA and VA, health care is one of the biggest problems in zero trust. We're now building machines that are remotely managed and monitored, have personal health information through big networks. These machines have no sense of them. IoT devices generally have no installable system that you can install agents into or monitor in an effective way. As a zero trust philosophy, you have to figure out how do I stop devices being rogue or someone masquerading as that and stealing information out of the network. Another big government issue. I think they need to work with the technology vendors out there to define what the goal is. There is not a right answer. But it needs to come. Come back to the definition. This is where I get in trouble, it is not the standard definition, this is how I view zero trust. There's two big security philosophies out there. The dominating one is zero trust, the other is intrusion. You need both to keep bad guys out. But in my mind, zero trust isn't passive, it is reducing the attack surface. So any military people, like digging the foxhole, put sandbags around it, overhead cover, and water in front of it, that's the journey we talked about, passive, not based on how the adversary attacks you, but absolutely needed.
A couple recent famous breaches that happened, not so much in government but in the commercial sector, involved people that were trusted, at one point trusted by the organization. Can a zero trust philosophy result in an architecture and technical setup such that people that you trust are not exfiltrating against rules the organization has to have in place? Take Capital One. How did the woman succeed? She had access to the network, had privileges to get to that, understood the architecture. Then you come back to the point I made earlier. Identity management. If identity management was done properly, she wouldn't have had credentials. Systems that talk to each other and understand the HR system terminated the employee; Active Directory needs to terminate the employee. Guess what, the zero trust boundary side says you don't exist. Even if you had the right tool loaded on your machine, it is not going to acknowledge you because you don't exist. That integration is really important. Identity management. That does not succeed if zero trust is integrated appropriately. Sounds like a case for robotic process automation, when somebody is... APIs. There's an orchestration of elimination of their existence, cyber-wise. Capital One, the technical piece to it, another classic case for zero trust: the virtual server has to communicate with the hypervisor in the network. The firewall, they allowed somebody from the outside to talk to the hypervisor. That's a classic zero trust problem. Anyway, don't get me started. We all have to do the basic blocking and tackling. You can't not do that and have anything good. You were mentioning data before. Actually the interim chief data officer for FDIC now as well. In terms of data, you can't manage what you don't know. That's a fundamental 101 concept, right? I think agencies struggle to understand where all their data are, and their data, honestly, because of the way people work, it is sprawling all over the place.
Getting your arms around that is key to zero trust. And understanding the devices they're using. BYOD is coming to the government, OMB is looking at this, they started a draft release for zero trust, one of the facts is you didn't draft in policies, you probably saw it on the CIO Council, didn't draft in policies beyond BYOD. You need to bring that to zero trust, you have to define a standard to know what's signing on. What is my minimal acceptable device that I know belongs to you, by the way, and that's not happening now. And that's another exploit that will lead to another U.S. version of Capital One, because that device now has rogue access. You keep using VPNs as the way to connect, you enable SSL technology to backdoor, and guess what, the cookie crumbs are there. You can follow that VPN in; now you have massive policies enforcing access instead of zero trust as a philosophy and microsegmentation. Classify, clarify, who, what, where, when, why. You have to start somewhere, then cut access and technology decisions of how it works. Three easy steps to get started. First, what you were saying before, identify the applications on your network, using existing technology. You don't have to pay for this or have consultants come in; turn it on, get a list of applications. Second, tie user IDs to who is using the application. Just turn it on, see what you have. Third, the most difficult step, start making difficult decisions about which group of users get to have access to which applications. If you can do those three things, you're 80% of the way there. You're like plus one, not quite to zero. One trust. We should copyright that. We have a couple minutes left. I wonder if we have questions from the floor. Shout it and I will repeat the question. This looks like the chapel on a cruise ship. Nobody there. I didn't think we were that boring. I have a question.
The topic of DevOps, this is something the government is doing a lot of, taking shape, the idea of continuous development, fast releases, sprints and all that. What do you do in those operations to make sure, when that's inserted into your authoritative system, you still maintain zero trust? What's growing fastest is with those that move to the cloud, because you can enable tags and APIs as a relationship. The same rules apply from my point of view in technology, which is if I can clarify the user should have access, tag them to the group and their device, then as the definition changes in the cloud, it should API-trigger the technology that you're using to enable the zero trust strategy to change their access. Being Amazon's tags, you tag a server as preproduction and the user is tagged as being preproduction in Active Directory; if that changes role to production and you're not in the group, your access should go away immediately. Enabling that technology helps. There are some not in the cloud starting to tag, make it easier with APIs, but it is forming faster and faster. The security tools are starting to inform the ability of API with zero trust tools. That's where I'm seeing a lot of customers, where I see the biggest movement, is in the security operations center. Using SOAR technology. Let me brag about the internal SOC. We get 100 million events; with SOAR technology, we can automate all of that so they only look at 500 every 90 days. 100 billion every 90 days, reduced to 500 things. You can look at rules violated by the zero trust philosophy. You can do something about it. And automate things we know about. That's where everybody should be heading. And Sylvia, last question for you. Do you get complaints from users about access and the difficulty of getting to assets they need, or can we do high level security, zero trust, and not make life miserable for people that have to do work at the agencies day in and day out? We have to be mindful of that.
There could be those consequences, which for me is the reason why, let me say that while we could do 80% of what we need to do with what we have today, I think what we're trying to do in the interagency steering group and others that are involved is take it further. And when you take it further, yes, you can disrupt, could potentially disrupt business. So I think doing robust testing, incorporating users in pilot modes as you go along, so you understand what problems you're encountering from that perspective. It needs to happen. If you create a system where you make it too difficult for people to do their work, they'll go around and then we have a different kind of problem, right? So. Agreed. That brings us right to the end. Mike, Rick, Sylvia, thank you so much. Give everybody a round of applause. [ applause ] Thank you very much, Paul, and your panelists. The next panel is on top military cyber priorities and strategies. Moderator, Ralph Kahn. Thomas Miceli, command, control, communications and computers and also cyber, and deputy chief information officer for the Joint Chiefs of Staff, J6. Paul Cunningham, chief information security officer for the Department of Veterans Affairs, and Katie Harrington, chief security officer of the Under Secretary of Defense for Acquisition. Ralph, over to you. We are fortunate to have a distinguished panel to talk about security in the DoD and what's top of mind. I would like to start with understanding more about what top priorities are. Tom, do you want to start and talk a little about what top priorities are in your organization and how you're addressing them, and we'll move through the panel. Yes. Top priorities, as always, is to support the President, Secretary of Defense and Chairman of the Joint Chiefs of Staff and how they provide national security. We take direction from the National Defense Strategy, National Military Strategy and the Chairman's priorities.
The Chairman is responsible for providing best military advice to the Secretary and the President, and does that through his role as global integrator. He looks at all forces the United States has and partners and allies have, and what it takes to provide assured power projection anywhere in the globe, not just in a regional conflict, which is basically the last fight to the next fight, talks about global competition with two particular peer competitors, Russia and China, how do we stay ahead of them, how do we fight a war with them so we're not fighting the last war. China and Russia spend money on information warfare, big on attacking all domains, particularly cyber. How do you prepare against that enemy? One thing is we go back to basics. Priority is culture. War fighters are used to picking up a radio, pushing a button, having capability wherever we need to be. How do we enhance confidentiality, integrity, availability of information, synthesize it so you can have any decision, shooter, able to make a decision, take out the enemy? Number one priority is how we enable that. And we're doing it through joint command and control. I think that's enough. I talked a good bit. Katie. Good morning, thank you for having me. I am going to pile on what Tom said. Where we differ slightly, our role is worrying about the DIB, getting services, acquisition strategies that can meet the needs of the war fighter. Big priorities for us: we're in the process of rewriting the DoD 5000. The keyword, everybody should hear it loud and clear, we're changing our culture. Our culture is security. Cost, schedule, performance have no value if it is unsecure. If we can't deliver at the right price because our adversaries have taken it, useless. Performance doesn't matter if the adversary has it before we get it to the battlefield and it is outnumbered. And schedule, we're working hard to change the way we're doing things. We don't like the word reform, we like innovation.
Rewriting one of the top priorities, retraining PMs on building cyber resiliency into weapon systems and products. One of the big things I spearheaded that hit the press yesterday was Cybersecurity Maturity Model Certification. We in the DoD are going to institutionalize cybersecurity standards throughout the DoD. It will roll out in draft form; right now looking for everyone's comments. It is on the website. It is a bunch of controls now. We've taken ISO 27001, NIST 171, NIST 171 Bravo, AIA, a multitude of different standards and controls. We mapped it out. What we're looking at now is for industry, because it is collaboration, 70% of my data living on your networks, it is no longer a me or you thing, it is a we thing. The only way we solve this problem is together. I ask you to go to the website. We're looking for feedback before September 22nd. All feedback is good. We're going to take controls, make them into requirements. And then June of next year you're going to see RFIs rolling out of DoD with CMMC levels. Companies need to get maturity level certified. It will be a go, no-go decision. We're not looking to make security a source selection. It is go, no-go. Those are big initiatives we're working on. Thank you for having us. Opportunity to come talk to you today. Thank you for being here. VA, everybody is familiar with VA. You start looking at it, deconstructing it, it becomes larger than it is at first glance. Obviously we're there for the veteran. That's the primary customer. We rotate providing better benefits and services to them. With that we have three major pillars, around health services, which everybody is quick to realize. We also have a big financial sector as well that provides benefits, over 120 billion a year. And then memorial, we make sure that veterans receive the honors and privileges in memorial as well. You look at the three things and normally they don't tie together in business practice.
We have to work with the veteran from the time they leave service through memorial. And where they are in their lives from a health, financial, and memorial perspective. In doing so, we have to make sure the confidentiality, availability and integrity is there in how we provide those services. Some of the biggest successes recently was the MISSION Act, that opened up or removed some barriers for veterans to get the critical care they need, even going outside into the public sector, which was a huge win for the department and for the veterans. Over the last couple years there's been increased focus across government on things like compliance and asset management. I wonder if you can discuss your missions and what the advent of continuous monitoring might mean in that context. One of our big initiatives besides CMMC is supply chain risk management. How we're taking those tools and looking at what the commercial products are that are available to us now, that the government can ingest and integrate with our threat intel, NSS, to create illumination tools to get visibility. The problem we have now is asset management is a challenge, because if we have an event, we have somebody that we need out of our network, where do they lie, how do we get access to that. That's one of the big focal points, get the right tools in the right hands at the right time to use to make decisions based on data. That's one of our bigger challenges, making sure that it is not an emotional decision, that when we make the decision on where we are in a supply chain and the risk and assets to it, that it is based on data, we can understand what the risk to the mission is, and sometimes selective neglect is a good thing; things might be bad, but to remove them would be worse. How do we get those metrics right? That's one of the big focuses on that. We're seeing a change from a more heavily compliance method into a risk management approach, understanding that you can't overplay everything. One, it is not cost effective.
Two, can provide the security you need. Really it is the risk that you're ignoring that is the one you can't afford to ignore or take. In doing so, I see with the advent of OT and IoT and those wider computer assets being introduced into networks, it is a very dynamic field. That's where continuous monitoring pays dividends; it is no longer a huge wave hitting us, it will now be something to manage as we ride on top of all that volume of information and be able to use, whether machine learning or artificial intelligence, to help us focus our energies on those things that matter most.

Tom?

So I'm going to rip off him a bit. One of the things that's important, we talked about any sensor, any shooter. Is the right sensor from air, sea, space, cyber correct? Transmitting with confidentiality and integrity once it gets to the decider, if we respect using artificial intelligence, if we push that button, does it send the right signal to the right target? Very important you know what the endpoints are and if they're secure. Another piece is partners. We can't fight anywhere globally without partners, right? How can we quickly add partners, NATO-type partners where we have agreements already with them, or some other country we don't have an agreement with but are friendly for this particular fight; how can we bring them on with confidentiality and integrity? It is important to us to be able to fight at the speed of relevance, to have asset management visibility all the way from the tactical edge, where bandwidth isn't as good and tools still work. Looking at everything from weapon systems to the shooter to what they're pushing to make it happen.

So one of the other areas getting a lot of investigation these days, you hear a lot about our need to speed up cycle times, right? And we have done cyber accreditation at the speed of weapons systems.
There's a lot of conversation about the role of accreditation, how it is changing, should it be changing, different accreditation for different systems, is there a role for more active accreditation controls. Paul, tell us about your point of view on accreditation, where it is going and its role in helping us defend better.

I think we're at that point of critical mass, I mean, how many more controls can we put on, and how many are we trying to complete just to get the accreditation mark and move on? It is a lot of time, and it is a snapshot in time. Everybody talks about that. In reality, two or three years later, are we looking at the same system we did when we first accredited? What is the AO signing? As we move forward, we have to talk about what are the controls: which ones, in some cases where we want to follow a standard, we should reach to fulfill, but which ones can we meet by the spirit of intent, take the appropriate risk documentation to show that we understand what the risk is, what the control is trying to accomplish, and are we meeting it through some other means, whether it is physical or managerial. Then of course there are some controls that you're not getting done. It shouldn't be a show stopper. This is a time to pull together, have an honest discussion on the true risk of a control not being complete. And are we willing to take that, what's the benefit from a cybersecurity perspective, but also tie it back to the mission. Over the years I have seen one-of-a-kind equipment, take multifactor authentication, built 10, 15 years ago, still in operation, still performing the duties it is supposed to be doing; you can't take that offline because it is not designed for multifactor authentication, where it will cost a national lab or hospital or war fighter millions to replace it.

Tom.

So I'm back on the partnership thing. Very important to us at the speed of the war fight that we have accreditation that's automated but interoperable with partners.
We established a process that we passed out: if you want to connect to Mission Partner Environment networks, there's a process you go through; the next step is to automate that manual process. Again, you get out there, we're going to have to fight at the speed of our enemy and it will be fast. This is the way they're prepared to fight.

And building on exactly what these two gentlemen are saying, the challenge we have is that in our accreditation process we go through the rigors, whereas adversaries create something, don't like it, they burn it down, bring it back up again. We have to think, I think now within the DoD that's become a highlight point. How are we doing it, what is relevant? On the CMMC side, we look at how we look at the DIB and supply chain, how we get the right controls that equal real requirements; I don't want to use the word agile, but innovative enough to be a threat. Are we accrediting for the threat today and the controls we need, or thinking in the future? I think we're at the tipping point with that. I think there's a lot of work to be done with that. On the weapon systems side, I think what we're really doing is creating real, three Ps, you know, we have to make sure that we have the processes in place at the right time at the right security level to make sure that the control we're creating actually works. And we're working through that.

Very good. So none of these panels is ever complete unless we talk about the ever-changing demands for the cyber workforce. It has been a challenge either sitting on or moderating panels for most of my career in cyber. It has been a challenge we continuously face. I wonder if you can talk about new things you're doing, how you view that, and ways you're managing the cyber workforce issue. Tom, do you want to start?

One of the things Congress has given authorization for, moving on, is the Cyber Excepted workforce, which enables us to hire folks at higher grades than we'd normally hire, a direct hire.
Able to bring in military folks in different grades than we normally bring or assess people into the military. Once they're in, we have the ability to provide additional education, training, and a higher pay scale on the civilian side and a bonus on the military side. Finished phase one, 400 folks, that was 2017, 2018; we're now in phase two. Have 2,500 people in it. Not a lot of data points, except one. That's Cyber Command can make an offer for a civilian 60% faster than in the past, as opposed to 111 days, down to about 60 days, 80 days. I'm sorry. That's a substantial proven benefit of the Cyber Excepted workforce, direct hire and other enticements to bring people into the workforce.

I think we're in the same department, we have a lot of the same issues. The second is the ability to bring in commercial influx. You look at Mr. Deasy, he comes in from the commercial sector. I am an HQE, highly qualified expert. Not a long-term government employee. For a certain amount of time, five years is the maximum I can serve; bringing an influx of industry into the DoD is imperative that we're excited about and working hard on. Understanding that we don't always do things the best way and need another lens to see that. And when we talk about the workforce, I see there's a great deal of people that want to come in and work for the government. I think the best thing that we can do is reduce the bureaucracy for them to come in and make working in a collaborative manner much better. I think under Ms. Lord we made great strides, the Cyber Excepted workforce is making great strides in that, we did the professional exchange program the past two years, we bring commercial entity people in, cross train them in government, put them back, and vice versa. I think we're doing a lot. Biggest thing, the salary isn't the biggest draw. I think it is the lack of the people coming in and not empowering them to make the changes they think need to be done. That's reduction in bureaucracy and I think we're moving in that direction.
I think it is important that a few years ago we recognized that we had this problem. Not only recognized that, but had a shortfall. What we were doing was not going to help. Even doing it faster was probably putting us behind. I applaud OPM for the Cybersecurity Workforce initiative and the work done by all federal agencies, VA being one, to develop not only what the positions are, which DHS did through NICE, a great start, but now leveraging it as a holistic career track, where we realize that a senior subject matter expert in cybersecurity does not just appear; it has to be cultivated. We have to bring the brightest in and make sure they have the environment to excel; that includes looking at the barrier that we've always had in cybersecurity with women in the workforce and other minority groups, to be able to say look, what is it we need to do to help us bring you in, to get you in. We're not going to solve this, not one person is going to solve this, it is a group effort. So the workforce work under OMB has been incredible in that we've divvied it up amongst federal spaces, the CIO Council supports this, we're taking work paths, work streams, putting people in work groups to develop how we develop a data analyst the same, whether Department of Energy, VA, Treasury, and what's important about that is when they get categorized, their level and coding is done correctly, we can move them across the federal space and we know where they're at and what we're getting, and they also know what they need to move to the next branch. That's really important. It is important to have the historical side of cybersecurity in a federal organization; it's also beneficial when you can leverage what's done in other federal elements. We want a mix of stability, that they can stay, but also the opportunity that they can advance inside our organization or another federal one, knowing that they may come back. I have to applaud OMB, DHS, the Cybersecurity Council for recognizing the problem and taking definitive action to address it.
Each of you stressed partnership and collaboration with other organizations. I want to take a minute, ask you to talk about one or two areas that you are actively working on. Katie and Tom, you have your own, but Paul, talk about how that works, where it is at, what lessons you got out of that.

Certainly. So for some of you, the electronic health care effort between VA and DoD provides an opportunity, as you get to final operational capability, where an active duty member can leave the Department of Defense and be immediately picked up by VA, something that we think automatically happens. But there's so much paperwork, hard paperwork, that happens today when someone retires or transfers off military service and has to be reprocessed. Usually it leads to errors and mistakes that go with it. The electronic health care record, we're using civilian solutions, and DoD and VA as equal partners, working together. That way as an active duty member is closer to retirement, VA can start picking them up, looking at that person's history, making sure they're ready to engage them and benefits are already in place prior to the release. So with that, that means DoD and VA have to be in sync. And there are a lot of similarities. It is the same clientele; when they leave active duty, they become VA; we have the same lexicon, those same goals we leverage heavily. But it becomes kind of a challenge, the things we have to discover along the way, where we understand while this person makes this transition and they're kind of the same person, they're at different stages in their lives and medical history and have to be handled slightly differently. For instance, as an active duty member, I was told where to show up, what time my appointment was, my doctor was selected for me. That's not how that works as a veteran. As a matter of fact, we can't tell veterans where they're going to live or who they have to see in a lot of cases; a lot of them, some of them, are migratory.
Might get services in Chicago and show up in L.A. How do we make sure that we're getting the best care, that you can look at the complete, total record? So we're in discovery mode with DoD; it is about a partnership, you want to mention, where they recognize the weakness in our environment, we recognize the uniqueness of theirs, and try to solve it in a way that meets both needs. Certainly we made great strides; some things we have done to help that is find common standards, for instance, using national security standards for accrediting systems, so we open the feed and people can look and see. Our partner can see what we're doing, we can see what they're doing and see the risk in a common measurement. There's a lot more good things to follow as we go forward.

Want to talk about partnerships that come to mind?

The CMMC, we talked about that; FASCSA, that was signed in December of 2018. That's where all of the federal agencies have come together. I am on the council. DHS, OMB, NSA, we're coming together, creating unified standards, which is something that we talk about: NIST and ISO, there are a multitude of standards that we burden our industry partners with, trying to achieve each standard, versus going to a unified standard for cybersecurity or software development, so that we can actually give one ask, and that strengthens the nation and also puts more money into what we need to get done, versus trying to get this solution to this. That collaboration has been going on. We did the first report to Congress. You'll see some do outs coming to the public on what the requirements are looking like, creating standards for all federal agencies. It is huge.

Tom?

So one that Congress gave us authority for was support to civil agencies, a partnership between DoD and DHS. Looking at the concern about joint power projection. We have a power projection platform in the United States; we rely on all civil agencies and industry partners.
They're looking at critical infrastructures like finance, transportation, food supply, energy. Trading information on threat intelligence with those sectors, they're providing information to look at to help advise them. If we don't have a stable base to project power, we can't fight the fight we need to fight.

Thank you. So we have time for one question. I think we have two minutes left. I don't know if there are microphones out there; if somebody is loud. I see one in back.

No, reciprocity. September 22nd, since they're coming in before September 22nd, the email said September 13th; what's on the website?

I want to hear from everybody. September 22nd is my dead date to incorporate all the comments. Thank you.

[ inaudible ]

Both, yes. I don't mean to bogart the moment. CMMC is supposed to be, the controls are out there. I need to know which ones are not useful, how you would take that control and make it a requirement, right? We talked about two-factor authentication. These are things you're doing every day. We need to hear the best value, best processes from you, the actual users. All right. No problem. Thank you.

That concludes the panel this morning. Big round of applause for the panelists. [ applause ] Hi mom. Thank you very much to the last panelists. I'd like to introduce you to one of our keynote speakers, Dan Prieto, executive of the public sector of cloud at Google. He leads strategy and thought leadership for Google Cloud public sector. Served as a senior policy maker at the White House, Pentagon and Capitol Hill. Over to you, Dan.

Thank you. Thanks very much. I want to thank Billington for having me here. It is an interesting time to ask questions about where we are in cybersecurity from a broader historic sweep. I'll start with a story. Four years ago this summer, the morning of July 8th, 2015, I was sitting at my desk at the White House, and my phone rang. My wife typically doesn't call at work; I picked up.
Without saying hello, she said, what is going on over there? Our phones have been ringing off the hook all morning, email had been exploding. All United Airlines flights were grounded. The New York Stock Exchange halted trading, and by this point the Wall Street Journal home page went down. The chief of staff at the White House, the Homeland Security adviser, everyone was asking questions. I got home, talked to my wife about it. I said, when did we fall asleep and wake up in the future, where we presumed the computer outages were the result of some nefarious James Bond-like bad actor behind the scenes? The same question is worth asking today: the internet turned 30, the World Wide Web turned 30 in 2019. I think what I want to talk about in the context of a call to action is going into the fourth decade of the internet. Can we turn the tide on security issues? Can we digitally transform and transform how we do security? How do you do that, what is the opportunity, what role does cloud play, specifically cloud and security capabilities?

Let's look back over 30 years. The 90s was a decade of promise and potential, a hopeful, exciting time, the creation of a global community. The internet is a force for good. Netscape, Amazon, Yahoo, Google were created. The 2000s, a boom cycle from a commercial perspective. Facebook, YouTube, Twitter, all created. The 2010s are a period of insecurity. Rising cyber vulnerability, breaches growing year after year, growing privacy concerns, insider threats, disinformation; think Snowden in 2013. North Korea hacks in 2014. The OPM breach in 2015, and 2016 election meddling. For the first time, people started questioning the internet: strategic asset or strategic liability? According to the World Economic Forum in 2018, cyber attacks and cyber war are the top cause of disruption in the next five years, only after natural disasters and extreme weather.
The fourth decade of the internet, in my mind, will be a decade of reckoning, a decade of potential transformation when it comes to security, and the opportunity is there, but it is not certain that we will succeed in that decade. And it is not for lack of technology capability. The challenges are mostly around people, the complexities of culture that come with adoption of cloud. As we think about that fourth decade, let's do a vector check of where we are on the cusp between the third and fourth decade in 2019. From a cybersecurity perspective, finance, health care, manufacturing, retail and government remain top targets. There are certainly improvements. How long adversaries stay on the network is down 23% last year, down 66% since 2013. Federal agencies saw a 12% decrease in cybersecurity incidents between '17 and '18, no major incidents on government networks in 2018. There are challenges, shifts: supply chain attacks up 78%. Increased interest in operational technology and control systems, with real interest in creating disruptive effects with physical consequences. Increase in counter incident response, where the top technique is log destruction, and interest in retargeting, up 14%; 64% of incidents evaluated are retargeting even after you cleared them off the network already.

So in decade four, what's at stake? Where are we in the calculus of attacker advantage versus defender advantage? In general, attackers have always tended to have the advantage. According to CrowdStrike, the time to break out, from the time an adversary is in your networks to other systems, the Russian average breakout time is 18 minutes. North Koreans are down to two hours, 20 minutes; Chinese, four hours. Iranians at five hours. And a run-of-the-mill criminal or terrorist group is around 9 hours. So that's where the adversaries are; where is the average enterprise? Average enterprises continue to struggle with too many things on their plate. Too many things in their job jar.
Small organizations typically have 15 to 20 cyber tools installed. Large organizations have up to 150 to 200 tools installed on average. According to some surveys, nearly half the security risk organizations face stems from the proliferation of security vendors and security products, because that proliferation of things in the job jar makes it hard to have comprehensive and strategic visibility. There's an excess of alerts, generated by an excess of technologies, and it makes it a challenge for analysts to identify genuine threats from false alerts. They suffer from alert fatigue and burnout while genuine threats slip through the cracks. There's a flood of data with poor visibility, and that lack of visibility is the greatest impediment to incident response. The average cyber analyst takes 45 minutes to evaluate a single alert. Spends one to two hours a day countering real intrusions. 0 to 90% of the time is wasted on manual investigation of data from multiple systems and wading through false alerts. All of this, this complexity for the cyber defenders, is challenged by an explosion of devices and data. IoT devices will triple to 75 billion by 2025. Data holdings are growing by around 40 to 50 percent per year. There will be 175 zettabytes of data by 2025.

In the fourth decade, what do we do? I have a couple of observations of what I don't think will work. We will not be able to hire our way out of the problem. There is a secular global shortage of cyber talent, AI talent, big data analytics talent, in the hundreds of thousands to millions. There is no way for government organizations or private sector organizations to simply hire enough people to solve the problem. We will also not spend our way out of the problem. Adding more tools is too often a one-way ratchet. What's the new cyber technique? Let's buy a new tool, add it to the tool kit. Remember, big organizations, 150 to 200 cyber tools installed.
The big question is, can you get to the point where you have the confidence to take tools away, to create more clarity and less fog, less complexity? I also know that layering on more compliance and standards will also not solve the problem. Compliance is too often used as a proxy for security, as a proxy for risk management, and as Grant Schneider said, it is critical, but compliance tends to lag technology; it doesn't make the organizations and our cyber defenders more nimble. Controls are rarely evaluated and prioritized, which would allow you to triage compliance controls, say look, I don't have enough time to do all 200, 300, 400 of them. But you know what? If I do this subset, that is the most efficacious thing to do.

So my call to action is to change the operating model of cyber over a decade with cloud, to drive transformation and productivity for the cyber defender workforce. Take things off their plate. Rethink private-public partnerships and turn over core security capabilities to the right partner. For example, too many organizations spend too much time trying to roll their own multifactor authentication. Can you turn that over to the cloud provider? Nearly 60% of companies lack an enterprise-wide encryption strategy, and 16% of agencies achieved government-wide targets for encrypting data at rest. In Google Cloud that is by default. On the identity side, by default with the enterprise customers, to have hard-token multifactor authentication. The prerequisite of taking stuff off the plate: respondents say the biggest barrier is security concerns. And it's not because the cloud is less secure, but it is because it is such a large cultural shift from the way that we have done IT and the way we have traditionally done IT security. Second, in addition to taking stuff off your plate, use the cloud to get to a place in terms of scale and agility that organizations are not able to get to on their own.
Data warehouse projects for big data analytics on prem are 60 to 70% more likely to fail and run 60 to 70% higher on the cost side. With many of our big data analytics customers, the increase in efficiency and productivity is staggering. We have customers in the Fortune 50 using our capabilities on their supply chain, for global liquidity in large banks, and what on average we have seen is an increased ability to use more data: 30 times, a 30-fold increase in the data that they can ingest, and reducing processing times and analytics times over 98%. That is across industries and across multiple use cases. In addition, use the cloud, machine learning, AI to strengthen your ability to find signal from noise, correlate multiple signals across the complex data that's coming in to cyber analysts. Automate so you have lateral visibility and better predictability across the kill chain, to see a compromise takeover, lateral movement, and it is not looking for needles in haystacks. It is looking for correlation. There's never a silver bullet, but you get better at having insight and foresight of what's happening in your environment.

Finally, we need to continue to push to get cyber out of the shadows of being something relegated to IT. We have done a good job improving on this front, particularly since the Target breach in 2013 and 2015 when executives lost their jobs after major breaches. But awareness and recognition is not the same as, to borrow a phrase from General Nakasone, it is not the same as nontechnical expertise, and there is still a problem. I think it's the problem of the disconnect of the IT side of the house and the business and mission side of the house. If any of you have read the book The First Digital War by Mark Bowden, there's a paragraph that captures this disconnect. IT professionals know this look. He calls the look the glaze. The unmistakable look of profound confusion and uninterest that descends when a conversation turns to the inner workings of a computer.
Even people who spend hours every day with their fingers on keyboards, whose livelihoods and leisure time increasingly depend on fluency with a variety of software, remain utterly clueless about how any of it works. Worse, the innards of mainframes are considered not just unfathomable but somehow unknowable, or not even worth knowing, in the way that people are content to regard electricity as voodoo. So you really need to find a focal point to get nontechnical executives engaged in the business of cybersecurity. And the exercise to look at the crown value assets. It was a focal point for CxO interaction, not just CIOs but both technical and nontechnical. Between the National Security Council and OMB we drove a process that included nontechnical executives as well. It included press shops, lawyers, folks on the business side, really bringing cyber in, and what was interesting about it is that in the first couple of months of this exercise a lot of CIOs, you could tell, were not comfortable with the exercise. A lot of them were, I don't want the White House looking over my shoulder at my systems, but after another couple of months two federal department CIOs came up to me and pulled me aside and said, I wanted nothing to do with this exercise, but I'm happy to go through the process, because for the first time, for the first time, the secretary of my department stops me in the hall, he knows what our high value assets are, he knows the impact on their business and he asks me if I have everything that I need. And that was a transformation in the ability to communicate out of what is traditionally the black box of technology to the mission and secretary level and have them care about cyber and IT.

In the fourth decade of the net, of the internet, though, as we look forward to this challenge of transformation, this is not assured. We are ten years into the cloud journey. The cloud first strategy came out almost ten years ago, and U.S.
government cloud penetration as a percentage is still less than 7%. If it's a baseball game, we aren't even out of the first inning. How do we accelerate that? Particularly when up to 70% still see security as the biggest barrier to cloud adoption. What's interesting, as well, is Gartner indicated through 2022, 75% of failures is the customer's fault. I also believe that, given how much hype and promise there is around cloud with a lot of modernization strategies, there's a risk of cloud backlash if the cloud doesn't achieve out of the gate the things that people are expecting, the big promises. So the technology is there. The challenge is there for organizations and cultures to change, to adopt the cloud, to change and transform their operating model of security, to rethink what a partnership looks like with the hyperscale cloud providers. But again, it's not certain that we are going to get there. With that, I'll close on a quote from Bill Gates: we always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. I think that's the moment that we're at. We're at a moment to make critical decisions, to get agreement across the C-suite and make bold moves to leverage the cloud to transform our cyber operating models, and if we succeed, I think the fourth decade of the internet can be called the transformational era, in response to the third decade of the internet, which I characterized as an era of extreme insecurity. Thank you very much. [ applause ]

Okay. So now's the interactive part of the conference. This is where you get up to walk around and stretch your legs and go to the breakout sessions. So if you would go to page 15 in your program, it lists 5 different breakout sessions. I'll go over them right now. But just basically go out to the escalators. They've got both of them going down. We'll take you down to the next level below, and down there will be folks with signs telling you how to get to each one of those.
Following the breakouts, you'll come up and have lunch, and we'll meet for the follow-on discussions post-lunch. Let me go through very quickly the five breakouts. The first breakout is a deeper dive on CDM. So that's breakout room number 1. Breakout room number 2 is on minimizing the cyber threats of federal contractors and the supply chain. So that's breakout room number 2. Breakout 3 is addressing the looming threat to encryption. That's breakout room number 3. Breakout 4 is operationalizing artificial intelligence and machine learning. Breakout 4. And breakout 5 will focus on cybersecurity crisis management, to simulate a ransomware attack and then how to move forward after that. We'll look forward to seeing you after the breakout. If you could proceed out and head down to the breakout sessions, we'll see you soon. Thank you.

Our coverage of the Cybersecurity Forum will continue at 1:30 Eastern with the lunch keynote address by Major General Dennis Crall, the senior military adviser for cyber policy at the Defense Department. Later this afternoon, we'll bring you panels on supply chain cybersecurity and the CIOs of the Justice Department, Defense Department, Homeland Security and the Export-Import Bank. Live coverage again starting at 1:30 p.m.

Today we are bringing you coverage of a cybersecurity policy conference focusing on the government and private ct