Welcome back from the break. Thank you to Amazon Web Services, the sponsor hosting our break. Thank you. Now we're going to be talking about zero trust, a topic near and dear to some of our hearts. For those of you that haven't been to the DreamPort, you should go over there and talk to them about their zero trust efforts as well. First of all, I'd like to introduce our moderator, Mr. Tom Temin. He is the anchor of the Federal Drive from Federal News Network. Thank you, Tom, for moderating the panels. His panelists are Rick Howard, the Chief Security Officer from Palo Alto Networks; Sylvia Burns, the Deputy Chief Information Officer for Enterprise Strategy, FDIC; and Michael Friedrick. Over to you, Tom.

If you have a streaming device you can hear my voice on the radio now through the magic of streaming technology. Our topic today, and it's really great to be in such a nice intimate setting here with listeners that are close by, we are going to talk about something that in many ways is like Frisbee, Coke and Skunk Works: words you have to almost be careful using in speech and in texts and in discussions and white papers, because the idea of zero trust is an area where some companies have staked a claim to exactly what it is. But we're not going to buy that today. We are going to talk about zero trust as something that is of value to the entire community. We have three really good experts to talk about it. So that's where we're going to begin, with a definition of zero trust. I'm going to just start with you.

All right. We could talk about that thing for the next 12 hours. We will try to be brief here. Zero trust, from my perspective, is you absolutely have to know that bad guys are in your network. Okay? You assume that they are in your network, and if you do that, how do you rearchitect it so you can reduce the risk of material impact to your organization?
That's completely different from the way we used to do it back in the '90s, where we would put this electronic perimeter around all of our stuff and assume that the bad guys were on the outside. So it's a different way to think. Okay.

Actually, Sylvia, I'm going to come to you third. Okay, sure. Because you have a lot of follow-up. You have the best answer. She gets the government answer. Mike, we will go to you.

I would agree, zero trust is an abused word. It is a process, a methodology, a way of thinking about how to attack your network. I know that sounds like a strange statement, but you need to attack the concepts of identity and mobile and the workforce and assume the adversaries are inside your network, and you need to decide how you're going to define what your assets are, who needs access to them, and you need to go through the process as an agency, as a user, as a piece of software that you're leveraging: who owns that system? And you need to define that. So zero trust just means what it says: I have to assume you only should have access if you need to. This idea that is going on and the technology being leveraged is opening up holes all over our networks as the government, and we need to stop that.

Okay. And, Sylvia, you are doing work at the FDIC itself but also as an interagency person for the CIO or CISO Council. So tell us about that.

Sure. I used to be the CISO at the Department of the Interior, and I was one of the co-chairs of the CIO Council's Strategy, Services and Infrastructure Committee, and, you know, in my experience at Interior I was involved in the OPM breach. So that was a really, like, impactful experience, if you can imagine, right? I haven't heard of that. Please, tell me what happened there. You know, that wasn't a big problem at all. I testified twice in front of Congress. It is like, if you have to tell your mother, one day I'm going to testify in front of Congress, right? So basically I was familiar with the concepts about zero trust.
Actually, a small team of people working with me, before I was in that job in 2010, we were talking about what we need to do to significantly change our IT environment. We had this notion of protect the data and the network. That's what zero trust is. I agree with everything that Rick and Mike are saying. It is a philosophy that for us has become like a way of thinking to drive an architecture for protecting data. That's really what it's about. The adversary is in your network because they want to take your data. That's the most sensitive thing.

So, the interagency committee: we started with an industry-government collaboration where we were trying to understand what technologies exist today that fit the mindset of what we're trying to do with zero trust. And last spring I published a paper on it. We have progressed since last year, and we actually converged all activities in working with NIST. The interagency steering group that I'm part of is actually working with NIST on two things: a subteam working on architecture, and another team working on technologies to come to the lab, kick the tires, look at what exists, all of this informing publications that come out for the federal government. So that's what we have been working on. NIST put a draft together, a special publication, an 800-series document around zero trust architectures, that the interagency team just reviewed. NIST is working through comments to release it publicly for comment. Very serious.

I would like to emphasize the point that we talked about backstage: zero trust is a philosophy, it is not a definition. You're never going to get there and be 100% complete. The argument I want to tell the government people is, don't make it too complicated. You already have technology in your networks that can get you 80% of the way there. You're going to spend the next five years doing the next 20%, but you have the technology in your networks right now.
If you have a next-gen firewall, it can do 80% of the work by making simple rules that say the guest network can't connect to the internal network. Just do that; you're halfway down the path. You want to get to a point where developers can't get to the secret database we don't want anybody to see. A simple rule in the firewall will get you almost there. It doesn't have to be as complicated as we're talking about.

We still have 20 minutes. We're going to make it complicated. I heard the words: state, zero trust is a state of being, a mindset, it is a philosophy, an architecture, it is an approach and a journey. But I think, as Rick pointed out, it is not a technology necessarily. Nevertheless, it exists in a technological system. How do you, besides buying a firewall and setting up rules, maybe that's all you have to do, what are the steps? How do we get to making the federal networks with that data protection idea at the center of it? How do we go about getting to zero trust?

Let me jump in, with observations from talking to folks like Sylvia as we talk about the process. Start with classifying data: what your data is, who should have access to this. One of the biggest weaknesses when we talk to agencies: identity management is pretty poor. Getting to a sense of who is on my network, what devices are on my network, who should have access to my network and what data within my network, and where does this data live? That's really important to understand, because the boundaries are broken when I can read email on my phone, approve invoices for an agency on my phone or on my watch. The boundaries are gone. Now I need to look at where do I protect what, who should have access? That's the beginning of the conversation. Classify, clarify, and understand. You have to know where it is and who's touching it to start with, who should touch it.
Isn't that complicated by the fact that in the cloud era, we hear already this morning that agencies are pursuing a multi-commercial-cloud strategy, that there could be many instantiations of data and associated applications? How do you know at a given point exactly where it is?

That's the critical part in understanding the contracting process. What vendors have been selected, what technologies you're using to take the Cloud Smart policy and apply it so that you're not having a VPN here that's weak or a problem, or technologies that don't address users coming off the network. Microsegmentation is the beginning. In order to microsegment, you have to do the first step I was talking about. You need to understand who, what, where, when, why. That's why zero trust initiatives fail. I've talked to many in the last couple of years about trying to do it. It doesn't fail because they don't have the right technology in place; it fails because they don't have the policy and leadership in place to make decisions, that the general doesn't get access to the really cool data he shouldn't have access to. Right? It fails politically. It can't be done by the infosec team based in the Pentagon; these have to be policies at the high level to implement this policy.

Sylvia, for FDIC, there's data and data. Some is critical commercial data. Yeah. That's true for everybody, right? Regulated institutions, and there's administrative data. Absolutely. Isn't there a need to apply a hierarchy to how you do protections such that tools can be applied efficiently?

Absolutely. Everybody has to take a risk-based approach, right? You're not putting all your energy in the least important things, right? You want to know what the crown jewels are, and put energy around that, because that's what you're most at risk for. It is always a risk-based approach. So absolutely. You're going to focus on high-value assets, high-value data.

I want to get back to users. Zero trust implies zero trust of what?
And as we mentioned earlier, it is everybody. How does that work in the age of contractors being on your network, you being on their network to some extent, and the mobility question?

This is where you need to select technologies to enable a zero trust platform. And agencies need to cite the use case and solve it, and what the right technology for them is. The first thing I'm going to say is, more technology is not always the right answer. Less technology that's better integrated and fits the use case is the right answer. You shouldn't select a technology that doesn't integrate with ITSM systems or SIEM systems, IDS, or that DLP can't talk to, or AI as it is evolving, giving trust scores more and getting smarter. You need systems that make themselves smarter, better, faster, more agile. If they don't work together, you bought the wrong tool.

Yeah. Simple works better. Can we say that, too? It is easy to try to boil the ocean for these kinds of things, who gets access to what. You can get it down to the individual user. Okay. Start with four big groups: contractors, government employees, military; who do those groups of people get to attach to on the network? When you get that done, get more granular. Start simple, get things done down the journey.

Earlier, I think, Rick, you said protect data but open the network. So what does that... you said that, I'm sorry.

So this notion, I think everybody had this false sense of security about the perimeter. And that is false, because a simple phish event can compromise the network. The concept of zero trust, in conversations I had with people in my circles, has been really shrinking the perimeter around our most valuable assets. So we're not putting the perimeter around the whole organization with all users, for instance, which is what we do today. You're actually saying, where are the most sensitive pieces of information and the systems that house it, and put the perimeter around that. You create micro-perimeters, right?
When you get to that point, if you think about it, the implications for large organizations, especially in the federal government: you can open the network up. So at the Department of the Interior we had over 2,400 locations. Some locations were in very remote places. I know the same for many of my sister agencies in the federal government: they have large, sprawling organizations that are located in the middle of nowhere, quite honestly, so you're trying to drive them into... it is like you're trying to create one solution for a diverse set of circumstances in the physical environment, and if you shrink the perimeter and open the network, you can let your local offices use whatever best-quality broadband services instead of trying to shove them into the corporate network, because they don't need to be in the corporate network.

I love the shrink-the-perimeter idea. I have a different word or phrase for this. I think of it in terms of data islands. We do still have a perimeter in headquarters, data centers we run and operate; we have mobile employees now with phones and laptops and other things. Government is using SaaS services. And as the government moves to the cloud, that's another place your data could go. What we don't want to get into is a situation where you buy different technologies to protect the data islands. You want to unify the system with one policy. They have different use cases. If you can simplify it, you have a chance to get it right.

For many years we had the regime of the idea of multilayer security. At the conferences, people used to say networks were like porcupines, I think the phrase went. They were difficult on the outside but soft on the inside. Sounds like you're saying make the smallest part of the inside, the data, the hardened part, and who cares if somebody bites the porcupine in the neck. Kind of. Move up the tech chain.
The technologies that are out there now, regardless of the number of vendors, are doing a good job of cloaking network access at the initial point of sign-on. The integration points that are happening are important. You need to leverage different things: single packet authorization; you need to leverage mutual TLS encryption. Why? You stop man-in-the-middle. Get people off the network, but leverage that philosophy and technology across multiple places. The thing I want to challenge agencies and leaders to ask questions about is, are the tools compliant? A lot of people claim zero trust, if you go to the trade shows. Start by asking: are you FedRAMP? Common Criteria? Show scans of data. Where do you do your development? Ask the important questions before you get down this road and realize this could be kind of interesting but I have no idea whether this is safe to use in the network.

Yes, it gets less crunchy on the outside, but not really. You're putting new technologies in place to be sure the people that do get in are appropriate, along with their devices, so you start to establish a greater sense of trust, but you develop automation with that. Once I establish that the device belongs to the user, I can control what they see, when they see it, how they see it better. You reinforce the boundary but make it more open.

I would like to push back on that a little bit. I agree, you might need new technologies to do the journey, but I am telling you, you have technology in place that can do 80% of it. Think of how to use that first before you spend money on other things. That's practical. Totally agree with that. I think there's also look to the future, where we want to be longer term. I think that's all true. The thing that frustrates me, you mention the ads, Mike, it frustrates me to hear, when I drive, I was saying I am driving my car, have WTOP on, and there's an ad about zero trust, somebody selling zero trust.
It has become a big marketing thing, because I think industry realizes it is a hot topic, right? The federal government is keenly interested in it. But in all the work I've done with NIST and talking with various agencies, quite honestly in the federal sector but also some in the private sector, everybody is still trying to figure out how to crack the nut. Nobody has actually... yes, we are using whatever tools we have. To get us to where the vision is, nobody has the lockdown on that. Part of it is, I think we need a dialogue between the government and industry, so that we, not just the government, but other big sectors like the banking sector, like the health care sector, that have sensitive data and want to protect that data, so we have an exchange and understand what the two sides are saying, right, and what we need from industry. The government is not building this by ourselves. We need industry, but you have to understand what we need.

Funny you mention health care. The industry that affects government with DHA and VA, health care is one of the biggest problems in zero trust. We're now building machines that are remotely managed and monitored, that have personal health information going through big networks. These machines have no sense of themselves. IoT devices generally have no installable operating system that's common, that you can install agents into or monitor in any effective way. As a zero trust philosophy, you have to figure out, how do I stop devices being rogue, or someone plugging in, masquerading as that and stealing information out of the network? That's another big government issue where I think they need to work with the technology vendors out there to define what our goal is. There is not a right answer. But it needs to come.

Come back to the definition. This is where I get in trouble; it is not the standard definition, this is how I view zero trust. There's two big security philosophies out there. The dominating one is zero trust; the other is intrusion kill chains.
You need both to keep bad guys out. But in my mind, zero trust isn't passive; it is reducing the attack surface. So any military people, it's like digging the foxhole, putting sandbags around it, overhead cover and wire in front of it. That's the journey we talked about: passive, not based on how the adversary attacks you, but absolutely needed.

A couple of recent famous breaches that happened, not so much in government but in the commercial sector, involved people that were trusted, at one point trusted by the organization. Can a zero trust philosophy result in an architecture and technical setup such that people that you trust are not exfiltrating against rules the organization has to have in place? Let's talk about the most famous one that happened recently. We're probably both headed to the same one, Capital One. How did this woman succeed? She had access to the network, had privileges to get to that, understood the architecture. Then you come back to the point I made earlier: identity management. If identity management was done properly, she wouldn't have had credentials. Systems that talk to each other and understand the HR system terminated the employee; Active Directory needs to terminate the employee. Guess what, the zero trust boundary side says you don't exist. Even if you had the right tool loaded on your machine, it is not going to acknowledge you, because you don't exist. That integration is really important. Identity management. That does not succeed if zero trust is integrated appropriately.

Sounds like a case for robotic process automation, when somebody is... APIs. There's an orchestration of elimination of their existence, cyber-wise.

Capital One, there's a technical piece to it, another classic case for zero trust: the virtual server has to communicate with the hypervisor in the network. The firewall, they allowed somebody from the outside to talk to the hypervisor. That's a classic zero trust problem. Anyway, don't get me started. We all have to do the basic blocking and tackling.
You can't not do that and have anything good. You were mentioning data before. Actually, I'm the interim chief data officer for FDIC now as well. In terms of data, you can't manage what you don't know. That's a fundamental 101 concept, right? I think agencies struggle to understand where all their data are, and their data, honestly, because of the way people work, it is sprawling all over the place. Getting your arms around that is key to zero trust. And understanding the devices they're using.

BYOD is coming to the government. OMB is looking at this; they started a draft release for zero trust, and one of the feedbacks from industry was, you didn't draft in the policies, you probably saw this on the CIO Council, you didn't draft in the policies beyond BYOD. You need to take the bring-your-own-device policy and bring it into zero trust, because you have to define a standard to know what's signing on. What's my minimal acceptable device that I know belongs to you, by the way? And that's not happening right now. And that's another exploit that will lead to another U.S. version of Capital One, because that device now has rogue access. You keep using VPNs as the way to connect, you enable SSL technology to back door, and guess what, cookie crumbs are there. You can follow that VPN in; now you have massive policies trying to enforce access as opposed to zero trust as a philosophy and microsegmentation. Classify, clarify; who, what, where, when, why. You have to start somewhere, then cut access and technology decisions of how it works.

Three easy steps to get started. First, what you were saying before: identify the applications on your network, using existing technology. You don't have to pay for this or have consultants come in; turn it on, get a list of applications running on your network. Second, tie user IDs to who is using the application. Just turn it on, see what you have.
Third, the most difficult step: start making difficult decisions about which group of users gets to have access to which applications. If you can do those three things, you're 80% of the way there. You're like plus one, not quite to zero. One trust. We should copyright that. Better hurry up. Don't get him started.

We have a couple of minutes left. I wonder if we have questions from the floor. I don't think there's a roving mic, so just shout it and I'll repeat the question. This looks like the chapel on a cruise ship. Nobody there. I didn't think we were that boring. Chapel on a cruise ship. I have a question. The topic of DevOps, this is something the government is doing a lot of, taking shape, the idea of continuous development, fast releases, sprints and all that. What do you do in those operations to make sure, when that's inserted into your authoritative system, you still maintain zero trust?

It's growing fastest with those who moved to the cloud, because you can enable tags and APIs as a relationship. The same rules apply from my point of view in technology, which is: if I can clarify the user should have access, tag them to the group and their device, then as the definition changes in the cloud, it should API-trigger the technology that you're using to enable the zero trust strategy to change their access. Being Amazon's tags: you tag a server as preproduction, and the user is tagged as being preproduction in the Active Directory; if that server suddenly changes role and you're not in that group, your access should go away immediately. Enabling that technology helps. There are some hypervisors not in the cloud starting to tag, making it easier with APIs. But it's forming faster and faster. The security tools are starting to inform the ability of API with zero trust tools. That's where I'm seeing a lot of customers; where I see the biggest movement is in the security operations center, using SOAR technology to automate all the events.

Let me brag about the internal SOC.
We get 100 million events; with SOAR technology we can automate all of that so they only look at 500 every 90 days. 100 billion every 90 days, reduced to 500 things. So they can look at, now, rules being violated by our zero trust philosophy, right? You can actually do something about it and automate the things we know about. That's where everybody should be heading.

And Sylvia, last question for you. Do you get complaints from users about access and the difficulty of getting to the assets they need, or can we do all this high-level security, zero trust, and not make life miserable for the people that have to do the work at the agencies day in and day out?

We have to be mindful of that. There could be those consequences, which for me is the reason why, let me say that while we could do 80% of what we need to do with what we have today, I think what we're trying to do in the interagency steering group, and others that are involved, is take it further. And when you take it further, yes, you can disrupt, could potentially disrupt business. So I think doing robust testing, incorporating users in pilot modes as you go along, so you understand what problems you're encountering from that perspective, needs to happen. If you create a system where you make it too difficult for people to do their work, they'll go around, and then we have a different kind of problem, right? Agreed.

That brings us right to the end. Mike, Rick, Sylvia, thank you so much. Let's give a round of applause for the panel. Thank you, everybody. Thanks, everyone.

Thank you very much, Tom, and your panelists. Our next panel is on top military cyber priorities and strategies. The moderator is Ralph Kahn. Ralph is the Vice President, Federal, at Tanium. Joining him up on the stage today is Mr. Thomas Miceli, command, control, communications and computers, and also cyber, and Deputy Chief Information Officer for the Joint Chiefs of Staff, J6.
Paul Cunningham, Chief Information Security Officer for the Department of Veterans Affairs, and Katie Arrington, Chief Information Security Officer for the Under Secretary of Defense for Acquisition. Ralph, over to you.

Thanks, Ed. So, we are fortunate this morning to have a very distinguished panel to talk about security in the DoD and kind of what's top of mind. I would like to start with understanding more about what the top priorities are. Tom, do you want to start and talk a little about what the top priorities are in your organization and how you're addressing them, and we'll move through the panel?

Yes. The top priority, as always, is to support the President, the Secretary of Defense and the Chairman of the Joint Chiefs of Staff in how they provide national security. We take direction from the National Defense Strategy, the National Military Strategy and the Chairman's priorities. The Chairman is responsible for providing the best military advice to the Secretary and the President, and does that through his role as the global integrator. He looks at all the forces the United States has and partners and allies have, and what it takes to provide assured power projection anywhere in the globe, not just in a regional conflict, which is basically the last fight, to the next fight, which talks about global competition with two particular peer competitors, Russia and China: how do we stay ahead of them, how do we fight a war with them so we're not fighting the last war? China and Russia spend money on informationized warfare. They're big on attacking us in all domains, particularly cyber. How do we prepare against that enemy? One thing is we go back to basics. The priority is culture. Warfighters are used to picking up a radio, pushing a button, having capability wherever we need to be. We're not going to have that. How do we enhance the confidentiality, integrity, availability of information, synthesize it so you can have any shooter, any decision maker able to make a decision and take out the enemy? The number one priority is how we enable that.
And we're doing it through joint command and control. I think that's enough. I talked a good bit. Katie.

Good morning, thank you for having me. Katie Arrington with Acquisition and Sustainment. I am going to pile on what Tom said. Where we differ slightly: our role is worrying about the DIB, getting services, acquisition strategies that can meet the needs of the warfighter. Big priorities for us: we're in the process of rewriting the DoD 5000. The keyword, everybody should hear it loud and clear: we're changing our culture. Our culture is security. Cost, schedule, performance have no value if it is unsecure. If we can't deliver at the right price because our adversaries have taken it, it's useless. Performance doesn't matter if the adversary has it before we get it to the battlefield and it is outnumbered. And schedule? When does it matter if it shows up if it's irrelevant? And schedule, we're working hard to change the way we're doing things. We don't like the word reform; we like innovation. Rewriting is one of the top priorities, retraining PMs on building cyber resiliency into weapon systems, critical infrastructure and our products. One of the big things I spearheaded that hit the press yesterday was the Cybersecurity Maturity Model Certification. We in the DoD are going to institutionalize cybersecurity standards throughout the DoD. It will roll out in draft form; right now we're looking for everyone's comments. It is on the website. It is a bunch of controls now. We've taken ISO 27001, NIST 800-171, NIST 800-171B, AIA, a multitude of different standards and controls. We mapped it out. What we're looking at now is for industry, because it is a collaboration: 70% of my data is living on your networks; it is no longer a me or a you thing. It's a we thing. The only way we solve this problem is together. I ask you to go to the website. We're looking for feedback before September 22nd. All feedback is good. We're going to take controls and make them into requirements.
And then in June of next year you're going to see RFIs rolling out of DoD with CMMC levels. Companies need to get maturity-level certified. It will be a go/no-go decision. We're not looking to make security a source selection. It is go/no-go. Those are the big initiatives we're working on. Thank you for having us.

An opportunity to come talk to you today, and thank you for being here. VA, everybody is familiar with VA. You start looking at it, deconstructing it, it becomes larger than it is at first glance. Obviously we're there for the veteran. That's the primary customer. It's our only customer. We are focused on providing better benefits and services to them. With that, we have three major pillars, around health services, which everybody is quick to realize. We also have a big financial sector as well that provides benefits, over $120 billion a year. And then memorial: we make sure that veterans receive the honors and privileges in memorial as well. You look at the three things, and normally they don't tie together in business practice. In VA, they do. We have to work with the veteran from the time they leave service through memorial, and where they are in their lives from a health, financial, and memorial perspective. In doing so, we have to make sure the confidentiality, availability and integrity is there in how we provide those services. Some of the biggest successes, recently, was the MISSION Act that opened up or removed some barriers for veterans to get the critical care they need, even going outside into the public sector, which was a huge win for the department and for the veterans.

Over the last couple of years there's been increased focus across government on things like compliance and asset management. I wonder if you can discuss your role of compliance and asset management in terms of your missions and what the advent of continuous monitoring might mean in that context. Katie, do you want to start?
One of our big initiatives besides CMMC is supply chain risk management and how we're going to take those tools and look at the commercial products that are available to us right now, that the government can ingest and integrate with our threat intel, NSS, to create tools to help get that visibility. The problem we have now is asset management is a challenge, because if we have an event, an 806 event where we have somebody we need to get out of our network, where do they lie, how do we get access to that? That's one of the big focal points: get the right tools in the right hands at the right time to use to make decisions based on data. That's one of our bigger challenges, making sure that it is not an emotional decision, that when we make the decision on where we are in a supply chain and the risk and assets to it, that it is based on data, that we can understand what the risk to the mission is, and sometimes selective neglect is a good thing: things might be bad, but to remove them would be worse. How do we get those metrics right? That's one of the big focuses on that: asset management and controls, compliance.

Paul? We're seeing a change from a more heavily compliance method into a risk management approach, understanding that you can't gold-plate everything. One, it is not cost effective. Two, it doesn't provide the security that you really do need, and it's the risk that you're ignoring that you really can't afford to ignore or take. In doing so, I see, with the advent of OT and IoT and those wider computer assets being introduced into networks, it is a very dynamic field. That's where continuous monitoring will really pay dividends for us. It's no longer going to be a huge wave hitting us. It will now be something we will manage as we ride on top of all that volume of information, and whether it be machine learning or artificial intelligence to help us focus our energies on those things that matter the most.

Tom? So I'm going to rip off Kate a little bit.
One of the things that's important about the warfighter, we talked about any sensor, any shooter. Is the right sensor from air, sea, space, cyber, correct? Transmitting with confidentiality and integrity once it gets to the decider, if we aren't using artificial intelligence, if we push that button, does it send the right signal to the right target? It's very important that we know what those endpoints are and if they're secure. Another piece is partners. We can't fight anywhere globally without partners, right? How can we quickly add partners, NATO-type partners where we have agreements already with them, or some other country we don't have an agreement with but are friendly for this particular fight; how can we bring them on with confidentiality and integrity and availability? It is important to us to be able to fight at the speed of relevance, to have asset management visibility all the way from the tactical edge, where bandwidth isn't as good and tools still work. Looking at everything from weapon systems to the shooter to what they're pushing to make it happen.

So one of the other areas getting a lot of investigation these days, you hear a lot about our need to speed up cycle times, right? And we have done cyber accreditation at the speed of weapons systems. There's a lot of conversation about the role of accreditation, how it is changing, should it be changing, different accreditation for different systems, is there a role for more active accreditation controls. Paul, tell us about your point of view on accreditation, where it is going and its role in helping us defend better.

I think we're at that point of critical mass, I mean, how many more controls can we put on, and how many are we trying to complete just to get the accreditation mark and move on? It is a lot of time, and it is a snapshot in time. Everybody talks about that. In reality, two or three years later, are we looking at the same system we did when we first accredited? What is the AO signing?
As we move forward, we have to talk about what the controls are: which ones in some cases we want to follow a standard on and should reach to fulfill, but which ones can we meet by the spirit of intent, taking the appropriate risk documentation to show that we understand what the risk is, what the control is trying to accomplish, and whether we are meeting it through some other means, whether it is physical or even managerial. Then of course there are some controls that you're not getting done. It shouldn't be a show stopper. This is a time to pull together, have an honest discussion on the true risk of the control not being complete, and are we willing to take that, what's the benefit from a cybersecurity perspective, but also tie it back to the mission. Over the years, I have seen one-of-a-kind equipment; take multifactor authentication, for instance. It was built 10, 15 years ago, it's not designed for multifactor authentication, and it's going to cost a national lab or a hospital or the warfighter millions of dollars to replace it.

Tom?

So I want to go back to the partnership thing. It's important to us, at the speed of the warfight, that we have accreditation that's automated, not only between us but interoperable with our partners. We've passed out a process that if you want to connect to our multi-mission environment networks, you go through, and the next step is automating. We'll have to fight at the speed of our enemy. It's fast. This is the way they've prepared to fight.

Building on what they're saying, the challenge we have is that in our accreditation process we go through the rigors. The adversary varies: if they create something and they don't like it, or we found it, they burn it down and bring it back up. I think within the DoD, that's become a highlight point. How are we doing it? We look at how we look at the DIB and supply chain and how we get the right controls that equal real requirements and make it, I don't want to use the word agile, but being at the real-time threat.
Are we thinking in the future? That's one of the, I think we're at the tipping point with that. And I think there's a lot of work to be done with that. On the weapons systems side, I think what we're really doing is creating, really, the three Ps. You know, we've got to make sure that we have the processes in place at the right time at the right security level to make sure that the control that we're creating actually works. And we're working through that.

Very good. So none of these panels is really complete unless we talk about the demands for the cyber workforce. I've been either sitting on or moderating panels for most of my career in cyber, and it's been a challenge we've continuously faced. I'm wondering if you could talk about some of the new things you're doing, or how you view it, in the ways you're managing the cyber workforce issue. Tom, you want to start?

One of the things that Congress has given us authorization for is a cyber excepted workforce. It enables us to hire folks in at higher grades than we would normally hire, direct hire. We're able to bring in military folks at different grades than we would normally bring or assess people into the military. Once they're in, we have the ability to provide additional education and training and a higher pay scale on the civilian side, and bonuses on the military side. We're finishing phase one, about 400 folks. That was 2017, 2018. We're now in phase two. We have about 2,500 people in it. Not a lot of data points, except one I can pass across as hard data: CYBERCOM is able to make an offer to a civilian 60% faster than in the past. As opposed to 111 days, down to about 60 days. 80 days, I'm sorry. 80 days. That's a substantial, proven benefit, the direct hire and other enticements we can have to bring people into the workforce.

I think we're in the same department, so a lot of the same issues. The second one is the ability to bring in the commercial influx. We look at DoD CIO; it comes in. I'm a highly qualified expert.
I'm not a full-time, long-term government employee. For a certain amount of time; five years is the maximum I can serve. Bringing that influx of industry into the DoD is an imperative that we are really excited about and we're working hard on. Understanding that we don't always do things the best way and we need another lens sometimes to see that, that's a huge thing. And we talk about the workforce; as I see it, there's a great deal of people that want to come in and work for the government. I think that the best thing that we can do is reduce the bureaucracy for them to come in and make working in a collaborative manner better. And I think that under Ms. Lord we have made great strides. We did the professional exchange program. We bring commercial people in and cross-train them in government and put them back. I think we're doing a lot, but I think the biggest thing, the salary isn't the biggest draw. I think it's the lack of the people coming in, and not empowering them to make the changes they think need to be done. That's reduction in bureaucracy, and I think we're moving in that direction.

I think it's important that a few years ago we recognized we had this problem. Not only did we recognize it where we had a shortfall, but what we were doing was not going to help. Even doing it faster was probably going to put us behind. OPM, for coming up with the cybersecurity workforce initiative and the work being done by all the federal agencies, VA being one of them, to help develop not only what the positions are, which DHS did through NICE, which was a great start. Now we're leveraging it as a holistic career track, in which we realize that a senior subject matter expert in cybersecurity does not just appear. It has to be cultivated. And we need to bring the best and brightest people in and make sure they have the environment to really excel.
And that includes looking at that barrier that we've always had in cybersecurity with women in the workforce and other minority groups, to be able to say, look, what is it that we need to do to help us bring you in, to get you in, because we're not going to solve this, not one person is going to solve this. It's going to be a group effort, and so the workforce work under OMB has been incredible in that we've actually divvied it among the federal spaces; the CIO Council and other councils are supporting this. We're now taking work streams and putting people in work groups to develop how we develop a data analyst, which is the same whether it's the Department of Energy or VA or Treasury. What's really important about that is when they get categorized and the levels and coding are done correctly, we can move them across the federal space. We know where they are, and they know what they need to move to the next branch. It's very important to have the historical side of cybersecurity in a federal organization. It's beneficial when we can research what's being done in other federal elements. We want the mix of the stability to stay but also the opportunity to advance inside the organization or another federal one, knowing that that may come right back to us in some form or another. So I have to applaud OMB and DHS and the other cybersecurity councils for recognizing the problem and taking definitive action to address it.

Each of you has stressed partnership, collaboration with other organizations. I want to take a minute and ask you to talk about one or two areas that you're actively working on today. Paul, we discussed earlier the EHRM initiative. Katie and Tom, you have your own. Let's talk about where it's at and what lessons you've got out of that.

Certainly. So for some of you, just to kind of, the electronic health care record modernization effort between VA
and DoD now provides an opportunity, or as we're trying to get to final operational capability, where an active duty member can leave the Department of Defense and be immediately picked up by VA. It's something that we kind of think automatically happens, but there's so much paperwork, hard paperwork, that happens today when someone retires or transfers off military service. And then it has to be reprocessed, usually by humans, and that usually leads to errors, mistakes that go along with it. So for the electronic health care record, we're now using civilian solutions. It was the one that was picked, and VA and DoD as equal partners are working together. As an active duty member gets closer to retirement, VA can start picking them up, looking at that person's history, making sure that they're ready to engage them and their benefits are already in place prior to their release. With that, that means DoD and VA have to be in sync. There's a lot of similarities. It's the same clientele when they leave active duty and become VA. It's the same idea that it's about the veteran and active duty member. The same goals we leverage heavily. What becomes a challenge is the things that we had to discover along the way, where we understand that while this person makes this transition and they're kind of the same person, they're at different stages in their lives and their medical history, and they have to be handled slightly differently. For instance, as an active duty member, I was told where I need to show up; my doctor was selected for me. That's not how that works as a veteran. As a matter of fact, we can't tell veterans where they're going to live or who they have to see in a lot of cases. And a lot of them are, some of them, a small subgroup, are migratory. They might get services in Chicago and then show up in L.A., and how do we make sure that we're, they're getting the best care? We can look at their complete, total record.
So in that, we're discovering with DoD, and it's about that partnership, again, that you mentioned, where they're recognizing that uniqueness in our environment and we recognize the uniqueness of theirs, and we're trying to solve that problem in a way that meets both of our needs. You know, and certainly we've made great strides. Some of the things we've done to help it is find common standards, for instance. We're using national security standards for accrediting our systems. We're using some of the same tools and opening up the feeds so people can look and see. Our partner can see what we're doing and we can see what they're doing and understand the risk in a common measurement. And there's a lot more good things to follow as we go forward.

Very good. Katie, you want to talk a little bit about any partnerships that come to mind?

Absolutely. The first one, the CMMC, we talked about that, but the federal acquisition supply chain. That was created out of the Secure Technologies Act signed in December of 2018. That's where all the federal agencies have come together. I'm on the council: DHS, OMB, NSA, it goes on. We're coming together and creating unified standards. It's something that, we talk about NIST and ISO; there's a multitude of different standards that we burden our industry partners with in trying to achieve each different standard, versus going to a unified standard, whether it be cybersecurity or software development, so we can actually give one ask, and that strengthens the nation, and it also puts more money into what we need to be getting done versus trying to get this solution to this. So that collaboration has been actively going on. We did our first report to Congress, and you'll see some of the outputs coming out to the public on what the requirements look like and creating the standards for all federal agencies. It's huge.

Tom?

Yes. One that Congress gave us authorities for was support to civil agencies and a partnership between DoD and DHS.
This is looking at, the chairman is concerned about joint power projection. We have a power projection plan in the United States, and we rely on all civil industries as well as industry partners. DHS and DoD are looking at critical infrastructures like finance, food supply, energy, and we're trading information on threat intelligence with the sectors, and they're providing information for us to look at to help advise them, because if we don't have a stable base to project power, we can't fight the fight we need to fight.

Thank you. So we have time probably for one question. I think we've got about two minutes left. I don't know if there are microphones out there or if somebody is really loud and has a question and wants to raise their hand. I see one in the back there. Hello.

[Inaudible question]

Nope. It's going to be reciprocity. Perfect. Thank you.

[Inaudible comment]

September 22nd, but since they're all coming in before September 22nd, I think the email said September 13th. That's what's on the website. But I want to hear from everybody, so September 22nd is my dead date to incorporate all the comments. Thank you.

[Inaudible question]

Both. Yes. I don't mean to bogart the moment. The CMMC is supposed to be, right now the controls are out there. I need to know which ones are not useful, and how you would take that control and make it a requirement. Right? We've talked about two-factor authentication. These are the things you're doing every day. We need to hear the best value, the best processes from you, the actual users. Thank you.

I think that concludes our panel this morning. A big round of applause for our panelists. Thank you to our last panelists. I'd like to introduce one of our keynote speakers, Mr. Dan Prieto; he's an executive at Google. He leads strategy and thought leadership for Google Cloud public sector. He has served as a senior policy maker at the White House, the Pentagon and on Capitol Hill. Over to you, Dan.

Thank you very much.
I want to thank Billington for having me here. It's an interesting time to ask questions about where we are in cybersecurity from a broader sweep. Four years ago this summer, the morning of July 8th, 2015, actually, I was sitting at my desk at the White House inside the SCIF for the National Security Council, as cybersecurity director. My wife called. She typically doesn't call me at work, so I picked up. Without even saying hello, she goes, what is going on over there? Our phones had been ringing off the hook all morning. Email had been exploding. If people remember, all United Airlines flights in the U.S. had been grounded since that morning. The U.S. stock exchange halted trading and the Wall Street Journal home page went down. We were taking phones. The chief of staff at the White House, the Homeland Security adviser, everyone was asking questions. I talked to my wife about it that night and I said to her, when did we fall asleep and wake up in the future, where we presumed the computer outages were a result of a James Bond-like bad actor behind the scenes? The same question is worth asking today as the internet turned 30 in 2019. And I think what I want to talk about, in the context of a call to action, is going into the fourth decade of the internet, can we turn the tide on security issues? Can we digitally transform and also transform how we do security? How do you do that? What is the opportunity? What role will cloud play, specifically cloud-native security analytics? The 90s, I think, was a decade of promise and potential. A hopeful and exciting time, the creation of a global community. The internet is a force for good. The 2000s, a decade characterized by the rise of social and mobile, a boom cycle. The 2010s, a period of insecurity. Rising cyber vulnerability, breaches year after year, growing privacy concerns, insider threats. Autocrats, surveillance, disinformation, the rise of bold and aggressive states. Think Snowden, the OPM breach and 2016 election meddling.
For the first time people started questioning the internet: strategic asset or liability? According to the World Economic Forum in 2018, cyber attacks and cyber war are a top cause of disruption in the next five years, only after natural disasters and extreme weather. The fourth decade of the internet in my mind will be our decade of reckoning. A decade of potential transformation when it comes to security. And the opportunity is there. But it is not certain that we will succeed in that decade. It's not for a lack of technology capability. The challenges are mostly around people, the complexities of culture and organizational change that come with the adoption of cloud. So as we think about that fourth decade, let's do a little vector check on where we are on the cusp between the third and fourth decade in 2019. Finance, health care, manufacturing, retail and government remain the top targets. There have been some improvements. The global mean dwell time, how long adversaries stay on your network, is down 23% on average. Down 66% since 2016. Federal agencies saw a 12% decrease in cybersecurity incidents, and no major incidents occurred on government in 2018. Supply chain attacks are up 78%. There's an increased interest in operating technology and control systems with real interest in creating disruptive effects. There's an increase where the top technique is log destruction. There's an increase in retargeting. Up 14% to 64% of all incidents evaluated are often now retargeting, even after you've cleared adversaries off your network already. In decade four, what's at stake? Where are we in the calculus of attacker advantage versus defender advantage? In general, attackers have always tended to have an advantage. According to CrowdStrike, the time to breakout is 18 minutes. 18 minutes. The North Koreans are down to two hours and 20 minutes. Iranians are at five hours. Your run-of-the-mill terrorist or criminal is at around nine hours.
If that's where the adversaries are, where is the average enterprise? Average enterprises continue to struggle with too many things on their plate, too many things in their job jar. Small organizations typically have 15 to 20 cyber tools installed. Large organizations have up to 150 to 200 tools installed on average. And according to some surveys, nearly half of the security risks that organizations face stem from a proliferation of security vendors and products, because that proliferation of things in the job jar makes it hard to have comprehensive and strategic visibility. There's an excess of alerts generated by an excess of technologies, and it makes it a challenge for analysts to distinguish genuine threats from false alerts. They suffer from alert fatigue and burnout while genuine threats slip through the cracks. There's a flood of data with poor visibility, and the lack of visibility is the greatest impediment to incident response. The average cyber analyst takes 45 minutes to evaluate a single alert. The average analyst spends only one or two hours a day identifying and countering real intrusions. 70% to 90% of their time is wasted on manual integration of data from across multiple systems and wading through false alerts. All of this complexity for the cyber defenders is compounded by an explosion of devices and data. IoT devices will triple to 75 billion by the year 2025. Data holdings are growing by around 40% to 50% per year. In the fourth decade, what do we do? I have a couple of observations about what I don't think will work. We will not be able to hire our way out of the problem. There is a secular global shortage of cyber talent, AI talent, big data analytics talent, and that shortage is in the hundreds of thousands to millions. There is no way for government organizations or private sector organizations to simply hire enough people to solve the problem. We will also not spend our way out of the problem. Adding more tools is too often a one-way ratchet.
What's the new cyber technique? Let's add to the toolkit. Big organizations: 150 to 200 cyber tools installed. The big question is, can you ever get to the point where you have the confidence to take tools away? To simplify, to streamline, to create more clarity for the analyst and less fog, less complexity. I also know that layering on more compliance and standards will not solve the problem. Compliance is too often used as a proxy for security, as a proxy for risk management. It's critical, but at the same time compliance tends to lag technology. It does not make our organizations and our cyber defenders more nimble. Controls are rarely evaluated and prioritized for efficacy. That allows you to say, I don't have time to do all 300, 400 of them, but if I do this subset, that is the most efficacious thing to do. So my call to action is to change the operating model of cyber over the next decade. Use cloud to drive radical transformation and productivity for the cyber defender workforce. Take things off their plate. Rethink public-private partnerships with the hyperscale cloud providers and turn over core capabilities to the right partner. Too many organizations spend too much time trying to roll their own multifactor authentication. Can you turn it over to the cloud provider? Default encryption. Only 16% of agencies have achieved government-wide targets for encrypting data at rest. In Google Cloud that encryption at rest is by default. On the identity side, it is by default with our enterprise customers to have multifactor authentication, context-aware access. So the prerequisite of taking stuff off your plate is a challenge, because this would be a massive culture shift, where 60% to 70% of respondents say I have security concerns because it's such a large cultural shift from the way we've traditionally done IT and IT security.
Second, in addition to taking stuff off your plate, use the cloud to get to a place in terms of scale and agility that organizations are not able to get to on their own. Data warehouse projects done on premise are 60% to 70% more likely to fail and tend to run 60% to 70% higher on the cost side. With many of our big data analytics customers, the increase in efficiency and productivity is staggering. We have customers in the Fortune 50 using our capabilities on their supply chain, for global liquidity settlement; large banks and large customers are using it for large-scale data analytics on the cyber side. We've seen an increased ability to use more data: a 30-fold increase in the data they can ingest, while at the same time reducing processing times, analytics times, by over 98%. That is across industries and across multiple use cases. In addition, use the cloud, machine learning, AI to strengthen your ability to find signal in the noise. Correlate multiple signals across the complex data that is coming at cyber analysts. Automate. Lateral visibility and better predictability to see exfiltration. It's not looking for needles in haystacks. It's looking for correlation. You get better at having foresight into what's happening in your environment. Finally, we need to continue to push to get cyber out of the shadows of being something relegated to IT. We've done a good job improving since the Target breach in 2013 and the OPM breach in 2015, when non-technical lead executives lost their jobs after major breaches. Awareness and recognition is not the same as, to borrow a phrase, it's not the same as persistent engagement on cybersecurity from non-technical executives. There's still a problem. I think it's the problem of the disconnect between the IT side of the house and the business and mission side of the house. If any of you have read the book The First Digital War by Mark Bowden, within the first chapter there's a paragraph that really captures this disconnect. IT
professionals, he said, know this look. He calls the look the glaze. The unmistakable look of profound confusion and disinterest that descends whenever a conversation turns to the inner workings of a computer. Even people who spend hours every day with their fingers on keyboards, whose livelihood and leisure time depend on fluency with a variety of software, are clueless about how it works. And mainframes are unknowable, or not even worth knowing, in the way many people are content to regard electricity as voodoo. So you really need to find a focal point to get non-technical executives engaged in the business of cybersecurity. And one example I can think of is, post the OPM breach, the government-wide exercise we did to identify and prioritize crown jewels, high value IT assets. It was a focal point for CIO interaction. Not just CIOs, but technical and non-technical. Between the National Security Council and OMB, we drove a process that included non-technical executives as well, that included press shops. It included lawyers. It included folks on the business side. CFO shops, bringing cyber into the fold of overall enterprise risk. And what was interesting about it is, in the first couple of months of the exercise, a lot of the CIOs were not comfortable. A lot of them were like, I don't want the White House looking over my shoulder about my systems. But after another couple of months, two federal department CIOs pulled me aside and said, I wanted nothing to do with this exercise, but I'm actually happy that we've gone through this process. For the first time the secretary of my department stops me in the hall. He knows what our high value assets are. He knows the impact on their business. And he asks me if I have everything that I need. And that was transformational in the ability to communicate out of what is traditionally the black box of technology up to the mission. The board level, if you're not in government.
To the secretary level, and to have business executives care about cyber and care about IT. In the fourth decade of the net, of the internet, though, as we look forward to this challenge of transformation, this is not assured. We are ten years into the cloud journey. The cloud first strategy came out ten years ago. And U.S. government cloud penetration as a percent of total IT spend is less than 7%. How do we accelerate when up to 70% see security as the biggest problem of cloud adoption? Gartner indicated through 2022 at least 95% of cloud problems, with the, I believe, given how much hype and promise there has been around cloud with the modernization strategies, there's a risk of cloud backlash, if the cloud doesn't achieve out of the gate the things that people are expecting. The big promises. So the technology is there. The challenge is there for organizations and cultures to change, to adopt the cloud, to change and transform their operating model of security. To rethink what a public-private partnership looks like. But again, it's not certain that we're going to get there. With that, I'll close on a quote from Bill Gates. We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. I think that's the moment that we're at. We're at a moment to make critical decisions, to get agreement across the C-suite and make bold moves to challenge the cloud. And if we succeed, I think the fourth decade of the internet can be called the transformation era. Thank you very much.

So my career in cybersecurity started when I joined the National Security Agency and joined the offensive mission set. That gives you a unique perspective for what the adversaries are doing and how we can defend against advanced actors. The point of this whole panel this morning is to talk about our priorities but with a focus on how we resist
