
Transcripts For CSPAN3 Federal Cybersecurity Policy Priorities Forum 20240714


We have a very special ... going to ... award today. This next panel, the chief information security officers. We're fortunate to have some great people with us today. Our moderator, president ... Joining ... Nicholas Ward, chief security officer from the Department of Justice; Shane Barney, ... security division ... Homeland Security ... he's the deputy ... security and the D.O.D. chief information security officer; and Stacey Dawn, chief information security officer, Export Import Bank. Please ... with us today. I know this panel is between lunch and happy hour ... panel we've ... We are also ... and we'd ... about that. If we could just go down the ... maybe for ... agency's security environment and some of ... you're dealing with in cyber. Sure. ... the chief security officer for the Department of ... We have 25 different ... we have to protect. A lot of ... enforcement, incarceration, the whole life cycle of criminal ... really what the Department of Justice does. I try ... Some of th... is looking at ... and support missions. ... rapidly ... but keep up ... enable those ... they want to ... and address those kinds of ... something ... my career. I'm trying ... so we can do that. ... everybody ... all the time. ... helping them complete their missions. Shane? I'm Shane Barney. We are a component ... security.
We are responsible for the administration of the immigration system, the administration of the benefits, citizenship, permits, ... other components within the agency on immigration related issues. It's a very ... complex mission. There's ... Once ... something about it ... we're very spread out. We have ... around ... end points. We are cloud heavy. We've been in ... ten years, about 85 point, maybe even more. There's a lot of challenges. As a ... constantly developing, securing cloud, which ... against all ... we don't even ... the challenge. So it's ... Excellent. Thank you. For D.O.D. ... We have ... 4 million end points, some kind of ... If you look ... 2 million end points. ... pretty big challenge, when you have an attack surface that large, it's difficult to find ... them. Right now ... It's really ... try and keep pace. It seems like ... stop that part ... have ... what we ... D.O.D. defense a little bit ... continue to ... capabilities. That's kind of ... view. Hearing your environment ... a little bit of anxiety. I'm ... states. How many ... states? Fair number. But there are some ... they providing credit and insurance and guarantees ... companies ... products to other countries ... agency, we have the challenge of being able ... that you have ... the same standards ... the largest agencies. So we have ... so ... modernization today. You're all ... systems, ... objectives. We cast it modernization.
There's four key ... I'm hoping I don't have ... holiday in ... The first one, that is ... that we have ... implement our D.O.D. cloud strategy, trying to drive ... department ... commercial cloud. The real intent ... bring new capability ... field faster. How we ... country. So that's the ... between cloud and artificial intelligence, machine ... computing ... A.I. algorithms. I believe General Shanahan yesterday walked through a little bit of what ... is and how ... department. The third ... control and communication, basically how ... support modernization. You can have ... cloud in the world. That's kind of ... from ... a ... ties to our, you know, both your level and ... level. My understanding of the ... is because we've ... as long as ... of these issues. I was reinforced ... the point that ... together is that if infrastructure ... security is code. So from ... agency level, if ... and my SOC ... lost the ... aware of it. We've had some ... interesting experiences, learned a lot. ... you can possibly ... it. Having those ... as part of your ... critical. We started ... about ... and ... is ... I'm having pure data sets. If only there was a company that could help with that. I'll move ... Shane ... The security executive order and the I.T. ... have been encouraging agencies ... increasing the use ... services as well as common security frameworks. How will shared ... as you ... to cyber ... across the federal ... I'm a shared services thing. Shared services ... really unique opportunities ... framework.
At DHS, the entire SOC on the ... we adopted ... a model of how to assess ... elements are involved. It's going ... to compare ... to see where ... excellence in certain ... leverage that for ... don't have that center of excellence. That is a good ... that framework. ... are required based on our ... We hit all 17 points. We're rock stars. We're not even like kind of green. We're 100% green. That's where the danger starts to creep in and it makes an assumption that you've checked a box and you're now secure. It involves far more than making sure that you've checked all those boxes. That you're actively engaged in doing bug bounties, that you're always assessing all your risks and understanding what is critical and what is not critical so you can assess it appropriately. There's those elements. I don't think the frameworks always capture that. The shared services offer us the ability to save cost so long as it becomes the standard by which we define ourselves. Makes sense. You know, for me shared services, I think, is a critical component of even attempting to win this fight in cyber. How many federal agencies are there out there? There's just not the talent to be able to actually fight this war. There's no way every single agency can possibly recruit all the best people and be successful here. That's one area that we saw. We did well in security operations so we built a security operations as a service. We offer that out to other federal agencies because we just think it's really important to have good strong capabilities that can be leveraged across any agency and we shouldn't be trying to hoard those things and keep them for ourselves. We need to share them with everybody else. The cost savings is definitely a piece of that, but I think it has more to do with how do we share the best capabilities we have within the federal government.
Leveraging pockets of expertise. Absolutely. From my perspective it becomes, I'd almost love to talk about an A.P.I. framework. I always get back to the data because a lot of these conversations that I would have at the department at my level, it always comes down to that data element. API models within that framework would actually really extend our capabilities and allow us to know where we have our gaps. In terms of shared resources, absolutely. I don't need digital forensics in my SOC ever really. I'm happy to push that off to somebody else. But there are things I do need that are unique to me that a shared service model doesn't always permit. There's got to be a good balance, is my view. Using the defense industrial base as an example, you've got the big guys pretty well situated. They understand how to operate a SOC on down the line in terms of cyber capabilities. But you have very small suppliers that are not going to be able to handle the nation state attacks directed their way depending on what they're supplying to us. If we can target the guys that are not going to be able to attract that cybersecurity talent to kind of build it all themselves but at a price point where they can afford it, I think that's kind of the optimal use of a shared service. How we apply that to the larger organizations I think has to be done with a lot more care just because they do have a lot of expertise. We rely heavily on the shared services and the economies of scale to get the prices down for some of those tools that we wouldn't be able to negotiate on our own with only 500 users. It's really important to have those shared services and the staff to test those tools and to give us feedback on them because we don't, we have large agencies to small little ones. You brought up something I think is really important for this audience about the human resource issue. One of the biggest challenges I've heard from other government leaders is the skills gap in the shortage of cyber personnel.
This is impacting everyone but more acutely government. These are my opinions and not those of my agency. Splunk did not pay me to say this, but it's really hurting the small agencies to attract that cyber talent and the federal government is seen as a place, if you come out of school, they're old, they're backwards, they don't have the latest tools and it takes so long to get something done. So the federal government as a whole has to look into modern technologies, keep modernizing and bring in the workforce and have them get challenging assignments. So we need the career progression path clearly defined for them. And we need to use other agencies. Mine's so small, we need somebody that's at an advanced level and we need tools like Splunk so we don't need as many humans, that technology helps us to fight the bad guys. It's really important to stay on top of what's modern, use those tools, train the workforce. The way I look at it is if we're in the government and one of the agencies trains somebody and they get a promotion to go to another agency, that's better for the government as a whole. If we train them and they go into industry, it's still better for our country. So we shouldn't not train somebody because we're afraid that we're going to lose them. But giving them that training might actually keep them happy and retain them more. It's interesting from a larger organization's perspective. We have a lot of the same challenges in terms of cybersecurity talent. So my organization is the functional community manager lead for the cyber workforce. We're in charge of figuring out what are the standards and then also of standing up what's called the Cyber Excepted Service, which is a tool Congress gave us to be able to help better attract, hire, retain, train our cyber workforce. As we look at building that out, we have a huge advantage in terms of our mission. We give people an opportunity to go toe to toe with some of the best cyber warriors of other countries.
But at the same time there's a lot of jobs that have to be filled when you're an organization as large as ours. We have a massive number of opportunities and it's really difficult to find the good talent. Our team is heavily focused on trying to find ways to incentivize people, make sure that we raise awareness and try and help connect people to the opportunities. We're running short on time so I'm going to go to one last question. Nick, I'll start with you here. The investment community has been rapidly funding cyber related startups for years, if not decades now. And we just have to attend any industry event and see more vendors popping up and new startups showing up at all of these cyber events. Have we reached peak cyber yet or is there still room for technologies and where would you like to see the investment world spend time on innovation? I sure hope it hasn't because we've still got a lot of ways to go in trying to fight this war. We've got attackers building A.I. into their malware to attack us and things like that. We're still playing cat and mouse. I sure hope it has not hit peak. I don't think we have. Some of the areas where I think we need to do better from an industry perspective is we have to be better methods and better ways to get that stuff rapidly built in inherently rather than trying to catch up. It just needs to be there by default going into it in the front end. There needs to be more ways to easily get those legacy systems into those kinds of models too. I think those are some big challenges. It's not easy to move a 20-year-old system into a modern architecture. I think we need to see industry come up with better ways to allow these old systems to become more agile. Shane, any thoughts? We definitely haven't reached peak. There's a lot of room for growth. A.I. ops, those sorts of technologies are really in their infancy. Supply chain is huge in different ways and different methods. Supply chain is traditionally thought of as hardware.
You know, I'm mostly cloud, code is my problem. Code becomes commodity and it becomes a supply chain problem. We rely heavily on open source. So supply chain, definitely a lot of growth there needs to be done and a lot more advancements. There's room to grow. Fortunately, I have lots of thoughts on that but I'm looking at the time ticking down. It's optional. Excellent. The one I'd lead with is complexity. We have a tremendous amount of complexity in our environment and we need to find a way to drive some of that complexity out. I'm much less interested in the new tool to solve the latest and greatest problem, much more interested in what is that holistic picture that allows me to cover a broad swath of threats in an agile manner. I don't think we're close to being done with this. We are hitting new technologies like I talked about before with quantum computing, with 5G and we don't know what we don't know yet and we don't know what the adversaries know. So we have to keep creating new tools and there's a lot of room for growth in this industry. Excellent. Well, I want to thank you all for your time and for your expertise today. Thank you for the service to our country and I hope this is valuable for anyone. Thank you so much. Thank you. Thank you very much to our last panelists. The next panel is called the next frontier, aerospace and cybersecurity panel. I'd like to thank our moderator Mr. Casey Ellis, he's the chairman and technology officer of Bugcrowd. Joining Casey on the stage are Mr. Brian Connolly, vice president, senior chief engineer cyber systems at Boeing. Mr. Layuper. Thank you very much. Good afternoon, everyone. Thank you for joining us for this panel. Very excited to be talking on this subject this afternoon. Just as a point of order, we do have Q&A cards being handed out by ushers at the moment. We'll do our best to get to them at the end of the panel. If you'd like to ask questions as we go, have those in mind and hand them to the ushers.
Aircraft safety, airport security and civil aviation regulation, the whole idea of making aerospace security for users is a concept that's commonly understood and it's been around for quite a long time. The idea of aviation and aerospace cybersecurity on the other hand is comparatively novel, it's comparatively new. There are a lot of people who have been working on it for a very long time but as a socialized concept it's comparatively new. That's why I'm really excited to have this group of people up on stage with me today. Representation from aircraft manufacturing, representation from the airports and representation from the regulators that define civil aviation regulation and so forth. So we'll kick that off with introductions. Brian, do you want to lead that off? Sure. Brian Connolly. I'm the security officer for the Boeing company, responsible for security and resiliency of our end item products on the commercial aviation side, defense, space and our global services. Thank you. Good afternoon. I'm the head of the cyber division for the Israel Airports Authority under the ministry of transportation. It controls and manages the international airports, domestic airports, land border crossings. One thing that's kind of unique is that we also control the air space itself, meaning the air traffic control towers and the ACCs. This is kind of unique in the aviation landscape. The cyber division is in charge of the entire operations. Hi, everyone. I lead the aviation program for the directorate. Very good. Kicking off the discussion around the subject, where are we up to with aviation cybersecurity? This is something we were discussing before just around the difference, you know, innovations, improvements, innovations that have been completed successfully, things that are ongoing and gaps and improvement for the future. The civil aviation is undergoing tremendous changes these days. The numbers of global passengers is increasing exponentially.
According to a recent study, it's predicted to double in the next 20 years from around 7 billion today to almost 14 billion in 20 years from now. This has tremendous impact on the way that airports operate and are doing their business. In order for airports to cope with tremendous growth, we see the utilization of coprocesses. We have the latest and greatest, face recognition, IoT and so on and so forth. So we have this clash and we see it in the way that the passenger does screening, the way it interacts with the airport, the way the aircraft interact with the airport. Whenever we have I.T., it equals an increased attack surface for cyber attacks, for cyber incidents. This is happening as we speak. Just to add to that, I think from a manufacturer perspective we look as an industry around cyber resiliency of the ecosystem. We can't just look at the airplane or the UAV. We need to look at the totality of the ecosystem. We look at the airplanes, we look at airports, we're looking at air to ground communications, air to air communication, satellite communications, supply chain, maintenance interfaces into the aircraft. You look at the complexity of the actual vehicles, the exponential increase in lines of code on our aircraft, things that are moving to IP based communication brings a lot of capability but also brings up a lot of cyber concerns that were never there before in commercial, I'm increasing that digital thread from our manufacturers and supply chain all the way up through the development and operations of our aircraft. It's really stepping back and taking a hard look at the ecosystem and what do we need to do as partners across that ecosystem to drive resiliency into the way that we define requirements, drive engineering, design, develop and deploy our platforms within that ecosystem. How do you go about wrapping your arms around that? So regulators and aviation is a sector that is very much regulated safety wise.
Now they're starting to develop the new standards for cybersecurity and integrate them with the startups for this industry. This will take a few years. Meanwhile I take this time to develop those standards and promote taking action before, like before active and do what you can do, use best practices that are already out there and implement them now even before regulation will be effective. Yeah. So talking about some of the things that are being done well, you know, some of the success stories that we talked about with your unit and the work being done on airports there, like how are you seeing that model of being explicitly focused on the areas that you are, roll out world wide? I've got to say that from an airport perspective, I can't really say that it's a success story. It's quite the other way around. We like to call the key stakeholders within the civil aviation industry as AAA, the airports, the airlines and the aircraft manufacturers. Today the current posture is such that each key stakeholder is actually acting from a cyber perspective as a silo rather than acting as an ecosystem, echoing what Brian said. It even goes deeper than that, because if we look within each stakeholder, for example the airports, you'll see that not a lot of airports have cyber programs at all. The ones that do have cyber programs are underresourced, not enough man power and not enough resources, not enough knowledge. If you compare that to physical security, the proportions are really ridiculous. And there's no communication between the airports themselves. Each airport actually acts as they see fit. The ones that actually have cyber programs, they do what they understand as far as they understand the need, the challenges and the way to go about them. So it's not really an ecosystem from a cyber perspective currently. I think that's one of the main gaps and challenges moving forward. Just to add, I think that has been identified.
So 100%, that need for a cyber trust framework across the ecosystem has been identified. Working at multiple levels all the way up to ICAO, which is a U.N. level, working with the FAA and others to drive what are technical standards around operating in that ecosystem, what does a trust framework look like. So when we start to introduce thousands of unmanned vehicles for both passenger and cargo in our US air space, what does it look like to ensure the resilience of that platform and we're not going to have unwanted interactions between commercial transport, military aircraft, everything that's co-occupying that space. Right. On the regulatory side of that, what's the role of regulators in achieving that shared vision? I think we're just writing the book of cybersecurity for aviation, developing that doctrine, what does it mean, creating the skilled professionals to be working on airports and airlines, et cetera. From our point of view, what we try to do is to push forward the skill development that will have those doctrines, will have those cybersecurity procedures put in place. The sooner the better. What we need for this to happen is mostly collaboration between these entities. It's part of my work to create in order to build this knowledge. Sure. So changing into what the future looks like in terms of the different aspects of this issue that you all interact with, what are the solutions or what are the things we see potential for success, like the levers, the trends that you're observing? What does the future look like over the medium term, so to speak, without throwing it too far into the future, thinking about what's going to happen next? I'll start. Like I talked about before, that framework and tech standard driving the industry and regulators together is key both for Boeing and for the broader industry. Driving cyber methodologies, resiliency, systems security engineering deep into our engineering cycles is critical for us.
The paradigm of the cyber folks getting to look at engineered products toward the end of a life cycle has changed and we can't keep up with the adversary when doing that. Back into our needs analysis, requirements engineering and pulling that thread all the way through our development and production life cycle. That's really the only way we're going to be successful in building resilient products. So changing that culture takes a lot of effort. At times there was an adversarial relationship between the cyber folks and the development folks, here they come again, they're going to tell me what I did wrong. Now it's getting those folks back and showing value, showing the ability to build resilient and sometimes more efficient ways to code, ways to develop hardware and make a more resilient product in the end. It's interesting, because you've partially answered and preempted a question that's come in from the audience. How do you envision being agile in a highly regulated industry? There's obviously the development feedback loop processes and the different things that I think we all struggle with in terms of feedback loops and security people not calling engineers silly and so forth. Beyond that, the regulation component, how does it fit there, do you think? There have been a lot of good conversations specifically with the FAA on how do we become more agile and if we find issues, the process is long for a reason. There's rigor in the process. So when we find critical vulnerabilities, if there are any, how do we have a DevOps pipeline that can quickly make changes in a software, but how do you take that through a thorough enough testing regime and get the regulator in there to validate that it's good to go before you deploy it to a commercial airplane? It's not an easy discussion. It's not the 90-day paradigm that researchers have with a typical I.T. industry. I would say discussions are underway and there's good communications going back and forth.
Do you want to comment on that, like the idea of the role of regulatory responsibility? Moving into learning the aviation field, I just realized I think two years into it how slowly things develop. We work closely with the civil aviation authorities in Israel and the FAA and try to push forward best practices and development and security development life cycle into this domain. I think it will take a while. Yeah. Really it does come back to the shared vision piece and the collaboration, viewing this all as an ecosystem. I think it's important to understand that this domain is very complex and systems are very complicated. If I do an R&D on a communication issue, I'm going to ask an airline pilot to join this research and a civil aviation authority regulator to join the research, because a cybersecurity expert cannot do this alone and surely not produce good results, good enough results. The question around what do you see the future looking like, what's your thoughts on that? Two things that need to happen and need to happen now, yesterday. One, our airports need to act. They need to think local and act global. Sorry. Act local and think global, meaning, they need to come up with a cyber program. Even though there are no governance frameworks yet, they have to act local. They have to have a cyber program resilient enough. There are best practices out there even though they are not specifically for the aviation sector. You might find some practices suitable for your line of business and the way you're conducting your operations. And this needs to happen now. What needs to happen on a government level is governments and the civil aviation authorities need to join forces and start to figure out the governance framework of this very complex and interconnected type of sector. And this needs to happen. We can't really wait until that happens.
That's why we need to act local and think global afterwards about data sharing, intelligence sharing, information sharing and stepping up to the practices as the best practices as they come along. It does sound like a bit of a chicken and egg thing going on there. It is. It is. We have adversaries and we try to be vigilant and faster than they are. What do you think in terms of the catalysts for the airports to step up into this? Like what are the things that you feel could help them, in the absence of regulation which is being developed in parallel, actually encourage them to do that? I think we need to understand that cyber incidents within the civil aviation industry are evident. They are happening. Now, these are supposedly a very security aware environment, security and safety. The thing is that actually the one thing that makes adopting new technology and facing up the more dynamic and changing type of attacks is the safety issue. Introducing new technology into a very well certified orchestrated environment is difficult. So this actually is, again, the type of egg and the chicken. This environment is complex. It's really about starting the journey. It's about starting the journey, exactly. And what else except understanding that incidents are everything, they are happening and we need to tackle them now. That's good input. So we've got a couple questions that I'll go through and then we'll wrap up with a minute or so to go and land on your call to action. That is the theme. So I think you get a pass on that one. Let's go with these. So what is the challenge with modernizing legacy technology and how do you help modernize legacy business strategies to yield success? So I think I mentioned it in my previous answer. The fact that tampering with a very certified, strict environment that might potentially impact safety is very, very hard. Introducing new technology into that environment is a complex and might be a very long process.
Until you get that done, there are already new types of attacks and new types of technologies out there. So this is a race that is very, very complex. Yeah, absolutely. I think from a legacy perspective we look at defense in depth. We look at the entire platform also. So a lot of times updating legacy is an option but it may not be the fastest option. We do a lot of work understanding the system and understanding what the true attack vectors are across that platform to have effects on the mission that that system's supposed to take. And so the biggest part is understanding what our legacy capabilities are. So a good baseline from a cyber platform perspective. What does the attack surface look like, what do the access points look like and being able to manage that across a very complex platform. I would add just a thought on the focus. So if all of the systems, most of them are, again, old and not always built with security in mind but now in place, so I think the focus for us is to add visibility capabilities to these systems, to add monitoring capabilities to these systems and develop from it the concept of defense. Start from the monitoring and you'll see more and more SOCs in airports. You'll see more and more online and offline analysis of security logs and data. And this is I think what we'll see in close years. I'm going to paraphrase this one slightly because it's a bit of an essay as a question. Can you speak to how you're dealing with the lessons learned and whether you have liaisons who can translate between these technical issues of what needs to be changed? I'm not sure I heard the question. The question is really how do you articulate the technical nature of the issues we're trying to solve to people who aren't necessarily technical natives. I know at Boeing that's kind of my role. Part of it is being an engineering company helps, so most of our executives are engineers at heart. Not a lot of translation is needed.
But a lot of bringing it up to what is the impact, what is the impact of a cyber event on one of our platforms, both from the actual asset but the brand too, understanding and quantifying why you should invest in things like model based security engineering, why you should invest in the skill sets and the people to be within those teams building those components and aircraft and integrating all of that from a business perspective and making that translation. So I've gotten, from my perspective, our leaders get it. Everyone understands we have to go do it. It's ensuring that we make the right investments for the right security pieces throughout our life cycle. Sure. I think this question is true cross sector. It's a CSO's challenge to talk to management that might not really be aware of the challenges. One of the first projects that we initiated at the Airports Authority was building a SOC. Unfortunately it's one of a kind. I'm not familiar with any other large international airport that has a SOC security to one premise. In talking to management, you show it in real life. You can show the attempts. You have the ability to prioritize your projects because you understand what vector is being used against you the most and you should invest there. And there's nothing like seeing it with your own eyes. This visibility brings a lot more into the consideration with management rather than it having to be like a very fluid, very unstructured type of conversation. So demonstrating proof. Demonstrating proof, showing the real life, real time attempts against your organization. I think it's strong when you approach management. That's speaking my language. So we are out of time. Did you want to finish up with your call to action, your rally cry? So again we discussed collaboration. It's not just a phrase, it's a real issue. Especially I think the aviation, there are so many stakeholders and regulators.
Actually, when you're asking about the threats, our concern as a government, and of course the airline has their financial motivation concerns, et cetera, but our concern is that critical infrastructure is being more and more targeted around the world. So it's true for the aviation sector. It's true for the electricity infrastructure. So we see these threats and this is what we are focusing on. But of course the airport has other stuff that is at risk, and airlines have their own risk, manufacturers as well.

Brian, did you want to...

No. I think just continue the collaboration and accelerate the collaboration sharing between industry and government.

Let's thank our panelists. [ applause ] Thank you.

Our next keynote will focus on Israel's cyber challenges in 2019. The head director general, Israeli National Cyber Directorate. He previously served as chief executive director in the technology unit. He has three decades of experience in the Israeli security apparatus in SIGINT and cyber positions, combining intelligence and partner building. Without any further ado.

Thank you. So, let's get the atmosphere. Yes. So, we have big competition in this conference today. We're competing with a natural phenomenon that doesn't rales, it's Dorian that's climbing its way from Florida to the becomes. I hope far enough from here. Natural phenomena are a disruption. Another thing that many look like things we need to take care of, more relevant than a hurricane, is the measles. We came to talk about cyber, and why am I talking about measles? It is highly contagious and very infectious. We thought not just the population but two kinds, those not immune and those with immunity in the system. It sounds like measles, like the pronunciation is not funny, and it kills a lot and breaks out in these days, as we can see more and more in the news. We thought we eradicated this in the 60s. Why is it still here? Because of those with a weak immune system and those not immune. This brings us to cyber.
We need a vaccine, and the need is for biology and contagions like measles and all kinds of things. At the World Economic Forum, known threats, their annual report they issue generally, and you can zoom in. The biggest and most dangerous risks are here. Cyber is number 5, but number 1 man-made. We talk about measles, we talk about hurricanes. I looked this morning at the World Economic Forum, ask me for the next year's survey, I fear it's from the fifth place to higher. We have cybercrime, and the numbers are fantastic. 2 trillion this year. I think already for six years the amount of money stolen by cyber is larger than all the rest, physical measures, et cetera, and it keeps rising. Why? Because money is actually data that we attribute value to. 10 years later we have structures. After me, you will hear from someone else. We all deal with this. 10 years ago, black-and-white, use cyber terms, really. We still deal with traditional critical infrastructure. We have trains, energy, oil, transportation, healthcare and others. That's today. In one volume. Dealing with much more critical infrastructure, people's trust. The problem, people's trust is much more vulnerable and easier to undermine. It's about a political democratic system, I don't need to mention here in Washington, D.C. what happened three years ago and would have happened unless the US government had prepared for the midterm elections in the Contractor Party, and we have elections in a couple of weeks, all democracies will face the same threats. It's also in the financial system, as I mentioned, cybercrime. It's not just about money, about our trust in the system and government and everything, and the problem is we're getting more vulnerable, dependent on the web and people's trust. The problem is cybercrime, with terrorist groups to rogue states, we talk about Iran and others, they all understand we're getting more vulnerable and they don't.
They are less dependent on digital and less dependent on people's trust and realize we are. This asymmetry is one of the biggest problems. It's not everything. The Middle East unfortunately is kind of a magnet for many troubles. In our case, a magnet for cyber attacks. I can state it here, not stupid no longer at all, Iran. It's not me saying, a clear sign other companies say that. In fact, if you watch some leakages coming out from the. It is a big operation, not only for Israel or Arab states but the U.S. This is one of two problems but not all. Another threat is attack surfaces. 10 years ago we had emails and even had Gmail. That was 10 years ago. Today, too many attack surfaces. If we take a look, we don't have the time, but interesting to all of them, we talk about cyber, no longer computers, about space, we just heard about the aviation things. Much more difficult because of GPS focusing. It's about AI and new passwords. The use of technology is as ancient as mankind. We develop the country to help ourselves, and the same goes with computers, cyber, and the same goes with AI. In this sketch, you can see, probably you landed on this example for AI, of kids' play, and algorithms and turning it from the panda bear to a school bus, whatever they want, because it's easy to fool them if you understand the reverse-engineered algorithms. If you understand autonomous vehicles all over the place in very short years, they use the same algorithm to determine whether it's a road, pedestrians and other cars. Much more serious, and remember the measles. In Israel, basically icity versus icity. We deal with all of that and we have no privilege to ignore one attack surface or the other. And cyber weapons, they get wrinkled and they take the warhead and send it back to the good guys. In cyber it's code, and they do that. It leaks all the time, and only in Hollywood movies do they develop to crazy terror groups. Why is it important?
Important to remember in intelligence assessments in the decision-making process we usually say about this big rogue state or whatever, they have missiles but are more deterred, more responsible, with more constraints. The terror groups launch missiles. They don't have an air force or strategic weapons, but they have strategic cyber weapons because they have leaks outside the weapon. They don't develop it. Don't have ASA but they get their hands on it because this is the nature of it, and that's the difference between traditional weapons we know. I can talk for hours. We don't have things we discussed here in the first two days. It's a very lovely day in Washington, D.C., we need to remember and be vigilant. All these vectors and others bring us to the conclusion winter is still coming. We haven't seen the worst yet. What should we do about it? These are led by the Israel National Cyber Directorate. You see this, and that is what you see on my right. The left is the innovation arena of Israeli companies. We will get to that. This, too, goes together. Until two years ago we converged all the different entities into one strong fist we call the National Cyber Directorate and have one agency to supervise everyone. We have military, police, Mossad and other agencies. Unfortunately I don't see enough equivalency around the globe, although the U.S., we met here, got the idea and has the same solutions. This is critical. Something more critical is strategy. This is our strategy, very simple. Three-layer strategy. The first one we call robustness, meaning hygiene, preventive medicine like washing hands. The second one is understanding. This is important, and realize there are no hermetic solutions to cyber. Whoever tries to sell you that, kick him out of your office. Eventually we will all get sick. How early you detect the disease and how fast we move it and how strong we stay on our feet. At the end is resilience. Last but not least, national police, not computers.
People against people, bad people against good people. We need to treat them as light. In this case, the last example a couple of months ago, after Hamas launched missiles and tried to use cyber techniques against Israel, you see how accurate and how surgical it is, only the two floors above it are intact, and no one was harmed because that's how we still act in Gaza. The hackers managed to run away after they got the call from us to warn them, and a couple of rocks, enough to see their computers blast into a thousand pieces. This is something that works for terrorists. I strongly recommend not to be afraid of using whatever is needed against attackers, whether cyber or others. We don't do it directly. We have military and other forces but are involved in putting out targets. As time is running, we have some national-level solutions, I will give one or two short examples, called the Cybernet, 1,300 trusted members of the Israeli private sector and public sector, the major players, they're all connected, it's an unclassified network, very heavily secured, they can interact and share information, and it is 90% of cybersecurity. It is so successful we got alerts and solutions and directed them to the systems. I had a stomach ache before I decided to do that, but we do that and send it directly to their systems. Another example is national defacement. Every year we get an attack on Israeli settlements around the globe, and cyber can do that everywhere, to deface Israeli websites. Such a volume, it has a bad impact. I got tired of that and we developed in a couple of weeks a national solution. It detects defacement of major websites, with a couple of hundred thousand of them, and detects defacement the moment it happens. Basic AI, to see something change in this manner. You see the rate of success. Last year, before we had that, we had these numbers of the attack. This year, 2019, you see a 19% drop.
No impact, no success to the bad guys, just using basic technique, because most of the victims didn't even know they were victims, because we managed to identify it in the middle of the night, to see it and correct it. Ecosystem, a couple of words about the ecosystem. We have a great example in the corner but have funding of 4 billion. 20% of global investment goes to cybersecurity and the numbers are rising, based on academic research in this industry, and focus it on the south of the city of the capitol. This is how the cyber park looked about eight years ago. When the first building was opened six years ago, it looked like this, you see the desert; now three buildings all operational and the fourth about to be opened in the coming months. Whoever hasn't been there yet, please come see it. Even you see the buildings, they weren't there a couple of years ago. Don't forget to visit, or it's already ripped down. I hope you visit the Israeli innovation center. If not, you can find them all around the U.S., mostly on the East Coast. With the ecosystem I deal with different things, I will skip that. We're opening a test lab. Two words about the operational side. Two simple examples of what we do. First, we opened a national CERT. One of the first countries to put in a direct line. In Israel, emergency lines begin with one. So police is 100. We took 911 on the opposite. Hebrew is right to left. So it's 119. Every civilian in Israel can call and ask for support and we send a response team. We assist with whatever we can do. It's not just good taxpayer service. We're kind of a CDC, center for disease control. Remember the measles, it behaves like an epidemic. This element gives us a sense of the first signal of an outbreak of an epidemic, a cyber epidemic about to break out, and identify patient zero and contain it and get a cure. So, this is the first one. The second is proactive, meaning scanning the web, dark web, all the time, to find new CVEs, new exploits. Immediately, they went out there to go and fix them.
Cyberspace, we find exposed channels this year. It took us 14 days to locate all the channels and alert them, and 90% complete. Last but not least, international cooperation and partnership. Important message to sum it up: no one, not a single agency, can do it by itself. We need to partner up because this is the nature of the web. We work with 85 countries, some don't have diplomatic relations with Israel. As you see here, we just met yesterday with the president of the IDB, we have a great program with them, so we have six partnerships, and we have someone from Washington, you can approach her and the embassy, and we're more than willing to partner. Remember, we need to get immunized and work together, and then we can eradicate the epidemic. Thank you very much. [ applause ]

Thank you very much for that wonderful keynote and for coming from Israel to share your insights. We're honored. Ladies and gentlemen, General Hayden, it's a great honor to have you back. A great honor to introduce to you our final two speakers. Chris Krebs, known to all in the room as a great friend, is the director of the Cybersecurity and Infrastructure Security Agency, CISA, at the Department of Homeland Security. We're delighted to have Chris speak. It's now my honor and privilege to introduce to you Chris Krebs. Chris.

Good afternoon. I'm in that unenviable position between Ciaran Martin and the end of the day. Before I do that, I want to thank Tom for having me here again. This truly is a great event. I have a bit of history with Tom. This is a couple of times I've spoken at one of his events. I was speaking for a request for the Billington cybersecurity conference. I remember looking, I'm not sure what this is, I need to do research before making a recommendation to my principal whether to say yes or no. I researched the event, the founder, Tom Billington, who's Tom Billington, wait a second, are we talking about Dynamite Kid, anchor of the British Bulldogs, winner of WrestleMania 2? No, we're not.
Who the hell is Tom Billington? Turns out Tom Billington has a special talent in pulling off really meaningful cybersecurity events that bring together a truly impressive array and variety of people. Today's event, last year's event, the prior nine years really demonstrate he plays a key role in driving the conversation in Washington, D.C., really across the globe if you look at between Yigal and Ciaran. Thank you for what you're doing and being part of the important cybersecurity situation in Washington, D.C., but really globally. As I was thinking about, yeah. Tom, that's for you. [ applause ] When I was thinking about what I wanted to say, I had a couple of options. A couple weeks ago at Auburn University I released the Cybersecurity and Infrastructure Security Agency strategic intent, and I'd been making tweaks to it the last couple of months, and frankly it was burning a hole in my pocket. Do I wait for Tom's event or get it out of the way so I can more meaningfully talk about what this intent means? That's what I decided to do. I rolled it out at Auburn. Frank hosted me at the Plains and I had a chance to talk about what the Cybersecurity and Infrastructure Security Agency means, and for the out years. The most important part for me boils down to three different buckets. The first are five principles for how, as an agency, we will execute our mission. Then, the two goals we will attempt to achieve. Finally, the five operational priorities driving the majority of our efforts. Going back to the top, the five principles. First and foremost, we have the statutory authority to lead our country's infrastructure efforts, but not lead alone; lead in a collaborative manner, working with NSA and working with the Department of Energy. Working together. Alone we will fail, and together we succeed. That is really the ethos of the agency. The second piece is we have to be results-driven. We have to focus on a demand signal and identify the requirements we're seeking to achieve. We don't do that alone.
This goes back to the collaborative piece. We have to identify our stakeholders, assess what they need to manage, and work together and build coalitions to execute. We also have to do it in a way that's scalable. I'll talk about elections today and election security. That is probably one of the most challenging engagements or disciplines I ever had to engage in because it's such a vast risk landscape. 8,800 jurisdictions, voting jurisdictions, in the United States. How do we scale? We're not going to be able to reach out and touch every one on a daily basis. We have to have capabilities that hit risk management outcomes at scale. That's results-driven. Identifying where the risk is and engaging in ways that help everybody, in almost a train-the-trainer concept. The third principle, we already talked about risk. We have to be risk-focused. We have to understand where the things that matter are, because if everything is critical, nothing is critical. I know that's cliche but it's true. Think about the critical infrastructure community in the United States. 16 sectors. That's not criticality. We put a lot of effort into narrowing down what the critical functions, systemic and strategic functions, are. The fourth piece, however we execute, we will be consistent with American values, privacy, civil liberties and civil rights. We cannot compromise our most basic concepts of the Constitution in executing this mission. We are not going to go out there and monitor NASA and the internet. We have to figure out what our risks are and make the solutions. Fifth and finally, as a new agency going through a transition phase, we have to be able to execute and engage in an agency one team, one fight approach. It's merging capabilities that have historically been disparate across the physical infrastructure space, emergency communications and cybersecurity. We're a risk management organization, fundamentally. Not a cybersecurity agency, not a physical security agency, we're a risk management agency.
The way I describe our role across the government and the United States, the global community, we're the nation's risk advisor, not the nation's risk manager. Ultimately we don't push the buttons or turn the dials. We're an enabling organization, a facilitating organization, and provide capabilities and help provide capacity moving forward, and advise risk managers on how to do their jobs more effectively. With those five principles in mind, we identified a set of goals. Two goals: defend today, secure tomorrow. Pretty basic and simple. We have to address the risks we know of today, close out the vulnerabilities, manage consequences today. But, if we know anything, it's that technology continues to evolve. 5G is a great example. 5G's not here really yet. Are we going to be ready for it when it's here? Are we going to be ready for industrial IoT riding on higher bandwidth, lower latency? Are the safety and security frameworks in place needed for autonomous vehicles? That's what secure tomorrow is about. It's ensuring we are looking out at risk as it is emerging, pulling the frameworks together, pulling the partnerships and coalitions together. A couple weeks ago, we issued, we were quoted in an article talking about looking forward to the 2020 election, thinking forward, not today, but thinking forward on ransomware threats to voter registration databases. I'm thinking, what's the worst-case scenario two weeks in advance of an election? It's a bad guy that's identified a real moment of weakness and would seek to lock up a voter registration database. I figure I have about 12 to 13 months to get a job done. That's to work with every state and help secure their voter registration database to ensure it is not vulnerable to a ransomware attack. That's about secure tomorrow.
The operational priorities are really a manifestation of the principles and the defend today, secure tomorrow concept; the five operational priorities are where we see the most opportunity for us to be effective today and tomorrow. At the top, it's government networks. We have a unique role in helping the 99 civilian federal agencies secure their enterprise. It's not just about how things are architected today, but using some tools and capabilities like continuous diagnostics and mitigation to have a more centralized approach to security, so every agency is not doing it themselves, so we're leading in a collaborative way. How do we deploy more tools that roll up to a centralized dashboard to see emergencies across the board? Once we have the capabilities, you know who else can probably use them? State and local governments. On the GSA schedule. Let's get more folks on these capabilities. Second piece, second operational priority: elections, elections, elections. That is where we're putting a significant amount of effort, where I'm personally putting a lot of effort. Third, soft targets, crowded places, more on the physical side of the shop: school safety, places of worship, crowded places, domestic terrorism. We have a role on the physical side as well as the cyber side, so we have to provide capabilities, training, resources and advice to the thousands and tens of thousands of organizations out there that need help, that need the federal government to provide recommendations. That's our role. The last two operational priorities are more of a pathfinding space: industrial control systems. I'm not looking to deploy a bunch of sensors out there. There's a private sector that does that. I want to extract the insight from the manufacturers, security researchers.
I want to help companies that manage operational environments with what good basic practices are essential for operational technology, based on our insights, the things we learned from incident response, from our partners in the intelligence community. We have a role working with NIST and others to provide that advice. Lastly, this is probably the smallest of the five, actually, it's not: China, supply chain and 5G. This is that space where we've got to put whole-of-government, whole-of-nation strategy thinking and execution against, I can't call it an emerging problem set, because it's been here. How do we turn or shift the risk pendulum to address risk posed by a nation that has demonstrated aggression against us? Cloud Hopper, APT10, just one example of how intellectual property theft alone has been one of the greatest risks and really replacements of American innovation across the country or across the world. Supply chain, do we know what we're doing? Do we know what we're putting into our networks in 5G? We're pushing out a new concept for the next generation of telecommunications. Do we have the frameworks in place? Do we understand what's happening in 3GPP and the standards community? Now, to wrap this all up, to go back to my opening principles, I don't know how many of you have picked up General Mattis's book yet. As I was skimming it, he makes a point that really resonated with me, almost to the point of the hair standing up on the back of my neck. He was citing some of the leadership qualities of President Washington: listen, learn, help, lead. That is the same ethos of CISA, the same ethos of my organization. I will never go out and do anything alone. I have to understand what my community and stakeholders need. I have to learn what those capabilities might be and develop them. We can help and will lead. That's what we did in 2008 and where we're going. In 2016 we were listening and learning how security happens at the state and local level.
We helped, correction, in 2018 we provided training, exercises, capabilities. 2020, we're leading, and we won't let the Russians come back, or China or the Iranians. We're going to be ready and working hard on this problem set. As you heard from Anne Neuberger and every other person up here today, a top priority for us is to make sure when you vote your vote counts and is counted as cast. Thank you, looking forward to the fireside chat a little bit later. Talk to you in a little bit.

Thank you very much, Chris. Our last speaker is Mr. Martin, the chief of the National Cyber Security Centre for the United Kingdom. We're delighted to have him today with us to deliver this keynote. He introduced the NCSC to a U.S. audience first at a summit we held just about three years ago. We are absolutely delighted to have him back here to speak from his important perspective as the special relationship partner with the U.S., so important to all of us. It's my great pleasure to introduce to you Ciaran Martin. [ applause ]

Thank you very much, Tom. Afternoon, evening, thank you for your patience. It's an honor and privilege to address this conference for the second time, one of the best cybersecurity events in the world; I'll try not to put that at risk. And outstanding cybersecurity service leaders I have the privilege of calling personal friends. We share the dubious distinction of leading government security in their infancy. They're world leaders trying to make the internet automatically safer, and feeding the best of national security capabilities with technical know-how. Events like this are great for catching up with colleagues and friends and talking about how to plan for securing elections perhaps you weren't expecting. Staying with elections, I want to pay tribute to Chris's leadership in establishing CISA. I will quote him wildly out of context. One sentence from his presentation, I quote, what's the worst-case scenario two weeks out from an election.
That's just not a question you ask in London anymore. I want to pay tribute to Chris's leadership in establishing CISA and welcome his partnership with allies like us. When I appeared here previously I said so much of what the UK achieves in cybersecurity depends on the willingness and enduring American allies to share data on everything from technology innovation to punishing proven bad behavior by our adversaries. CISA's establishment, reaching out to government, industry, wider society, will help us build the partnership further. CISA, together with the establishment of the new cybersecurity directorate in the NSA Anne spoke about yesterday, provides an opportunity to take the transatlantic partnership on cybersecurity to a new level. Chris, thank you. From the bottom of my heart, United States, thank you. This is a reflective moment for me personally. As Tom said, three years ago I stood on this podium optimistic but nervous. It was my first designated speech as head of the National Cyber Security Centre, United Kingdom, due to come into existence legally within a month. I was optimistic because we had been given a clear mandate and a healthy dollop of cash from Her Majesty's government to tackle cybersecurity questions. I was worried, and like any other government, feared I would fall short in cybersecurity. I said, if we managed to achieve what we set out to do we would have done something special. Three years on, I want to reflect briefly on what we've learned about three things. First, what we're defending. Second, what we're defending it from, and third, how we should defend it now and into the future. First, what we're defending. This isn't a talk that tells the audience how important the internet is to our way of life. I take it you all get that by now. What I say is the existential importance to protect our digital way of life has become more apparent. We learned truths: countries like the UK and U.S.
and open democracies are also open digital societies, so comfort and security in our digital lives is more and more important. If our empowered free citizens think their digital environment is unsafe, our cohesion is in trouble. Cyber securities and critical infrastructure, if left untreated, are serious national risks to our societies, and critical national infrastructure is broader than we thought a few years ago. Maybe back then we thought it was about power grids and bank systems and intra-grids, and it is, but about soft power and value of speech and electoral security. Putting it all together, cybersecurity is about defending our way of life. The internet didn't invent our values of freedom and entrepreneurship; cybersecurity is about defending the values we cherish and about defending our free, open societies. Maybe back in 2016 that assertion would have seemed slightly over the top, but not anymore. Look how our shared precious digital freedoms are under attack. We know so much more about the threat than in 2016 and are prepared to share more about it. Here's how it looks from the perspective of the UK's NCSC. We benefit from the NSA's equivalent. We find an aggressive Russia seeking political advantage by new high-tech means. We live in a business and corporate environment where Chinese cyber attacks on our commercial interests are now something our companies treat as business as usual. While we can welcome some mutually beneficial investment of China's burgeoning tech sector, we have become increasingly aware we and our allies need our own trusted capabilities. We face intrusions from Iran and trying to steal weapons from North Korea in a way they do digitally and never would do physically. These have been a constant over the past four years. We know more about them now than we did then, and that helps us fight back. We also know more about the grave threat posed by high-volume, low, ubiquitous cybercrime. That, for me, is a threat we risk underestimating.
These are people who attack wherever they think there is money to be made. People who rarely attack anything of strategic national significance, but cumulatively their attacks affect confidence. Because if your cache data is attacked constantly, you won't be a digital cheerleader for new economies. Two of the biggest crises the UK faced were, frankly, unintentional. One in 2017 was a North Korean attack, an attempt to extort money, but it ended up affecting our National Health Service. We know it wasn't intentional because the British Health Service is the stupidest place on earth to try to extort money from. A month later, a Russian attack on Ukraine infected countries across Europe, including the UK. We assume some of this happened by mistake. That doesn't matter to the companies who lost the equivalent of tens or hundreds of millions of dollars as the attack found its way country after country; they aren't called viruses for nothing. They're increasingly for sale, and whether friendly or not, a stateless group might be able to equip themselves with a cyberattack capability fairly easily. Not a lethal one but a menacing one. We're acutely aware of the risk that terrorist groups we judge do not have cyberattack capabilities can buy them in the future. We need coordinated action with partners to manage this risk, and together we need to maintain constant vigilance. Constant vigilance is a perennial message in national security, so I won't dwell on what it means in our cybersecurity. I'd like to conclude with some headline thoughts about what we in the UK think we've learned about how we defend the internet and our digital freedoms. I must express this is designed to stimulate debate. The U.S. is our closest ally but a very different country. Please take these thoughts in that spirit. I'm not here to lecture you. One lesson is government matters. The internet is a creation of free society and open businesses, but now also an essential public good.
It doesn't protect itself. Even in open societies, government needs to do something. How the government matters, matters. When I first started leading UK government cybersecurity back at the end of 2013, I found a temptation to fall into lazy and why it benefits for GCHQ and another making it resilient as possible to cyber attacks. That's not easy. The digital world means some companies that didn't exist 5 or 10 years ago are now crucial, and we have to make the best of an imperfect picture. We have smart systems, bank clearing systems, new payment systems and 5G security. These are important for the government to identify and, with private sector partners, to manage. Then, crucially, we need to make technology safer. The free market sadly doesn't always do this. We know this because time and again we have seen major security incidents blowing up because of the exploitation of basic structural flaws in the technological ecosystem, flaws no one has the commercial incentive to fix. The UK tried to be the first to call out this problem and do something about it, and three years ago we launched automated cyber defense at scale to take away most of the harm from most of the people most of the time. It's about unleashing brilliant technologists on security problems, about world-leading interventions like our takedown initiative that led to a reduction in UK global phishing from 5% three years ago to just over 1% now. Or the spoofing measures I spoke about two years ago that have seen our tax authority move from being the 16th most spoofed brand in the world, yes, there is such a chart, to the 226th most spoofed brand. It's not just about making the internet automatically safer, but about making the internet easier to use safely. For too long we suffered from producer capture online. You want to use my network, use it on my terms, use my complex password and onerous security procedures. That's fine on its own. The average person uses many networks.
If you pursue this problem to its conclusion you find the average Briton being asked to remember a new 600-digit number every month. The government needs to call out this sort of stuff and nudge things in the right direction. That's what we're doing. We need to give people and businesses better help. For example, we have built a popular board toolkit. A summary gives corporate leaders five slightly technical questions about their cybersecurity and how to use them. We have a small business guide, a guide to cybersecurity for voluntary organizations, and an exercise-in-a-box tool any organization can use to practice their response to a cybersecurity incident. In the next months we will be setting out in detail how to help schools and agencies protect themselves better. Let me leave you with two final thoughts. First, as friends and allies with shared values of openness and decency, let's think carefully about the balance of security and digital footprint. We must lawfully execute it in the cyber domain. We need to acknowledge, as the Secretary General said, cybersecurity is now a domain of operations and somewhere we must operate, but cyberspace also is primarily a peaceful domain. It's where we and our family and friends talk, shop, work, communicate and express ourselves freely. Let our words and deeds support that free and open internet. Let's not militarize cyberspace, but let it remain a largely peaceful activity. It's not just a moral point but a practical one, too. We need the best capabilities, we need the best people to deploy them when we need them. We will always have more to gain than our adversaries by keeping the internet safe. They have more to gain by toxifying the digital environment. Finally, let us look to the future. We've delivered on the commitment to begin the process of making technology safer. Now, we must seize the technologies of the future. Take the internet of things. Easy to say there will be X times more devices and X times more risks. 
That doesn't have to be the case. Maybe because people are paying for products and services, we can move to a model where people have a choice and prioritize security. Let's look at opportunities in future technologies, let's look across the U.S. alliance and the UK and Israel and look to make ourselves a harder target. Free, robust societies with free capabilities of defending ourselves against those who would attack us, because our special cherished freedoms depend on us doing that. I stood at this conference three years ago believing we can achieve something really special. I think we're on course, so let's keep going, and thank you for the privilege of sharing this vision with you today. [ applause ] Thank you very much to Kieran and to Chris for wrapping up our day so well. I just wanted to end with a fireside chat here, and ask a couple of questions to wrap up our conference. I appreciate the opportunity to be here with you for what has been a great day and a half. If I could first take stock, the NCSC is nearing its third anniversary and CISA nearing its first anniversary. The U.S.-UK relationship is just about 75 years old. What lessons learned have you gleaned from your time leading your two vital organizations for the U.S. and the UK? Kieran, do you want to start? I've just been speaking here for 20 minutes. In terms of the partnership, never take things for granted. I think we're standing on the shoulders of those who built a partnership, and on behalf of the organizations it's important Chris and I build the strongest possible one for future organizations; I think we're doing it. For the lessons from setting up organizations, you don't take anything for granted. We had an offsite recently in London and one of our U.S.-based security partners, Bank of America, gave us the premises to do it. As we were walking in I was thinking it was Bank of America with the Merrill Lynch logo 20 years ago. I was saying, you don't take things for granted. 
We had a wonderful first three years, but who knows where we will be in the next five years. We need to constantly earn the trust of our partners. We're trying with the early first-year sprint, but we need constant renewal. That's the first thing. The second is to be pragmatically ambitious. It's only worth doing if you're transformational, setting really clear goals. They need to be realistic. You need good technologists to deliver that. The NCSC needs it, but it is nothing if it's not a national cybersecurity company. We need people to apply the expertise, to apply themselves to the things the government has the freedom to develop, and temperament. The third thing is attention to detail really matters. The skills picture in the workforce changes, and one lesson I've talked about, a very boring one but a very real one, was setting up an open-facing organization with a secret parent organization. It's really hard, harder than it sounds: IT, corporate services and so on. Having people who can make the organization work and empower those tech visions is really crucial. Great. Thank you. Great three points. Chris. When you look at the relative differences between the two countries, the NCSC model works brilliantly for the UK. I think from a U.S. perspective, given the geography, the sheer number of critical infrastructure players that we have to get our arms around, the model that CISA embodies I think is the right tool for the job, right now at least. I talked about elections, 8,800 election jurisdictions, the tens of thousands of critical infrastructure stakeholders. We just have to have a fundamentally different approach, based on the same core competencies, but truly develop these capabilities that are scalable, train-the-trainer type approaches, get as many one-to-many touches as possible, but also recognizing that within the federal government everybody's got a role to play, and, you know, interagency competition doesn't help. 
And Neuberger was here yesterday talking about what the new Cybersecurity Directorate will look like. I embrace this because it gives me a new set of allies to work with me, and I can say to Anne, here are the things we understand about risk within the domestic United States and critical infrastructure. Help us protect this infrastructure. NSA and the CSD don't necessarily understand what the elements of the U.S. banking system look like. That's not their historical mission set. We can help, working with Treasury and others, to help define that capability for them. Going back to that set of core competencies, ultimately we have the same outcomes in mind, the same philosophical approach. It's just the execution that's a little bit different. That's a critical point to make, because when I look at Kieran as a partner and the NCSC as a partner, I have shamelessly copied many of Kieran's efforts. I think the NCSC is one of the most effective communicators in the government cybersecurity agency space. They have a no-nonsense, easy approach. A transparent model. I challenge my team with this every day, saying be more like them. Talk more like the NCSC. Be more approachable and consumable. Ultimately that's a good thing if we are all following the same model, if we all have a similar approach. Same thing with legal. I work closely with them: how can we talk about the same things together in a consistent way? Right. Thank you very much. So in light of critical infrastructure, which both of you discussed, and given that over 90% of it is in the private sector, could you cite a use case between your two countries of ways you have partnered in helping secure the critical infrastructure that all of us rely on, whether the grid that Karen Evans spoke about, or the financial system that Jerry, the CISO, spoke about at the New York Stock Exchange yesterday. If you could share a use case, that would be helpful. I would make it more of a cross-cutting example. 
That would be the alert we sent out a year or so ago on Russian targeting of network infrastructure. That was a joint project, the first of its kind, the first time we did a public alert on, hey, the Russians are doing this. CISOs and network defenders, you need to look out for these indicators and reset the devices. It was a really good example of how we are not focused necessarily on any one infrastructure, but on the cross-cutting infrastructure in general. Right, great, thank you. I took the easy one, sorry. That's a great example. I remember the thing that made it special and useful was, I remember talking to a long-serving cyber defender at the top end of the threat about the publication. He said ten years ago, possibly five, this information would be classified top secret and some. And now we put it on the internet to make it useful. I paused and said, a good thing or a bad thing? He paused and eventually said a good thing. But it shows the cultural challenges of moving from a top secret environment to making things useful. In terms of the other aspects of the question, I think the private sector deserves a lot of credit for this. I think that if you look at the transatlantic financial sector, two gigantic financial centers in New York and London, and the way the regulatory models are baked into environments for good cybersecurity, the fact that frankly most major institutions will operate in both jurisdictions and have a holistic approach to cybersecurity, we're very much trying to copy the London sector, which is trying to copy the FSSCC initiative on Wall Street. I think there are good examples of good practice there. It's no coincidence we are talking about some of the most lucrative sectors in the world. We need to find ways to make sure other sectors, where some of the economics are harder to incentivize good cybersecurity, we need to look at those cleverly and at what's good for those sectors. Thank you. 
If we could move to the future now, this is our tenth year that we have hosted this summit. And I founded the company with my wonderful wife here, Susan, I'll give a shout-out to. So looking forward, we have a lot of innovators, some of the greatest innovators in cybersecurity, in the room, if you look around the room here. As the leader of CISA and the leader of the NCSC, looking forward over the next year, what would you say the top three priorities are? So earlier I talked about my five operational priorities, but really it boils down for me to three things. First is continuing to transform the agency. I went from a DHS headquarters component that couldn't stand on its own two feet to really pushing it forward as an operational agency on par with other DHS components like TSA, but ultimately I see the challenge as achieving an FBI level of capability. It's pushing the agency forward to stand on its own two feet. The second is focusing on the things we need to do. Stop duplicating what other agencies are doing. Really focus on the unique value add. And the third priority is listening, understanding what our partners really need. What do our partners in infrastructure need us to do for them? And yes, there is an excellent point that Kieran made earlier: it's not about committees and task forces. We have to be able to strike that balance of supporting and assisting and being willing and able to call out a lack of performance. Mm-hmm. As we see it. I agree with all that. My three priorities I set up for the organization in the year and more ahead are, firstly, let's get out there into the public consciousness with proper practical cybersecurity advice: small businesses, charitable organizations, corporate boards, but just people in everyday lives. We are looking at things, how to get the message out there. We are trying to do things in the education system. 
Because we are doing research saying a lot of older people get information on cybersecurity and technology from teenagers. How do we influence that? Yes. How do we get at people when they are opening businesses? We are trying to use the banks to promulgate our cybersecurity advice. So making our impact with the general citizen and smaller organizations a reality. And a paradigm shift in how we defend what we care about most is the second priority. So as all the legacy systems start to get decommissioned and we build new systems, whether social security, water, whatever it is, how do we build cyber resilience into that? And the third thing is we fix a lot of the problems, anti-spoofing and so forth. But there's a 100 billion industry here. There are some innovative people here. How do we establish an ecosystem, a virtuous circle? And as a general message to the whole community, three messages to the cyber community of like-minded people in like-minded countries: one is stop scaring people. It doesn't work. Secondly, fix stuff where you can, and thirdly, make it easier for people to be safe, because we've made it overcomplicated. Thank you. That's a great answer. So finally, our summit theme this year is a call to action for the cybersecurity community. We have had over 75 speakers, and we have had them address various areas of cybersecurity challenges, whether AI, machine learning, cloud security, supply chain. What would your call to action be for the audience today? If they leave, go back to their office, what would you like them to do? Obviously this has come through the Moon Shot Initiative, which has been explored wonderfully as well. What would your call to action or actions be? So I will be slightly targeted here, because what I find is that big things come from small things. When I say small things I don't mean small objectives; I mean focused engagements and efforts. Earlier this year at another conference on the other side of the country, won't mention it. 
But I launched a Twitter hashtag, more than anything really a brand for a bigger, broader effort, Protect 2020. The concept here is we have an election coming up in 2020 that we know is going to be on the target list of any number of adversaries. Right. And every single person in this room can do something to protect 2020. And I boil it down to three Ps: it's preach, plan, participate. Preach, get out there, and rather than scaring people about vulnerabilities in election equipment, rather engage the community, help them get better, right. So that's the preach part. Talk about the significance and importance of security. The plan piece is understanding what your role as a voter is. What are the things that you are going to do for yourself to ensure you don't fall prey to the next disinformation campaign? We released a product called the War on Pineapple. It walks you through the steps of how the Russians in 2016 weaponized social media, but used a very non-confrontational, engaging medium of pineapple on Hawaiian pizza. Apparently people either love it or hate it. But it's the same concept of a divisive issue, and we were able to walk people through it. But the idea is understand how you are being manipulated, your brain is being hacked effectively. But also, when it comes to voting, do you know where to go, what happens if you get there and there is a problem with the voter registration system, can you ask for a provisional ballot? And the third piece, the participate, is when you talk to your election officials, why don't you volunteer at a poll and be part of the election process. You know, everybody in here owns a part of this process, and it's in the participation part and it's supporting it. And this is something that everybody has an ultimate objective of, defending democracy, whether in the day job as a technologist or cybersecurity professional or as an American voter. Absolutely. General Nakasone stood up and said that was his top priority. 
We are 431 days from the u. S. Election last i counted. Sounds right. You keep that as a top priority. Absolutely. Critical to our our countrys security and democracy as we talked about kieran. What would your call to action be . Well youre not allowed to ask me how many days to the next uk general election because if anybody is following uk british politics thats not something easy to answer. So ive so chris was targeted so ill be vague. Ive already said stop scaring people. Fix stuff and make things he is easier. Like chris ill tell a story that sums up for me everything that used to be wrong with the way we did cybersecurity. I was once at a conference speaking alongside a senior politician, a former attorney general, talking about the period around the turn of the daerkd o decade where we started getting worried about state cyberespionage and government i. T. Systems weak and unsupported. Those with mobile devices and in particular, and he was talking about he said yes cybersecurity is extremely difficult challenge for governments. He said when he came became are tame became attorney general i was given a device we were briefed on the people but people like me dont get technology couldnt follow the security procedures and so forth. So, you know, it didnt work. And he said in a selfdeprecating way he said im too stupid to do this. This person, politician is one of the most distinguished lawyers in the he country. Has the highest rank a british lawyer can have. He once argued a what most thought was a completely unwinnable case in french. This is not a stupid man. If we give a device on behalf of the government and he cant use it safely because its too complicated thats everything thats wrong with the way to do cybersecurity. 
My call to action is take that story, think about it, think about the talent, the talented people, the people who matter here who do important things, whether that's commercial transactions, whether it's government strategy, whether it's journalism, academia, whatever they do, they are doing important work that adversaries are interested in, but they're not thinking about cybersecurity because that's not their goal in life. How do we make it easier for them and the organizations they work in to be sensible and appropriately safe? Make the adversaries work harder. And then when the adversaries do work hard, as they will, then bring in the capability of the National Security Agency, the Department of Homeland Security, ourselves, to look after the really, really bad stuff. Let's raise the bar. Great, thank you. So that's a terrific positive way to end the conference. We want to say that the UK-U.S. relationship is alive and well and vibrant. Thank you both for leading your organizations. This is not an easy problem we are addressing. This is the 10th year, and in the ten years I've covered this, it's moved from an issue in the IT room way up to the board room and above. So thank you for your dedication. Thank you for your service. Thank you for concluding the conference so well. So with that said, we do have several announcements to make, and I'd like to make them now. If you could remain seated, please. Thank you. Let's give them a warm round of applause, please. [ applause ] So I'd like to give a couple of awards to conclude the event. Thank you to each of you for being here today. It's been a true honor. And I want to thank Gao Una, thank you for coming from Israel to be with us to keynote and bring your Israeli delegation. It's been terrific to have your dozen companies. Thank you to Kieran Martin for being here from the UK and bringing 20 or 30 organizations from the UK to be here with us. Thanks to Canada, which has brought a number of their companies. 
And thanks to everybody here. So with that said, every year we give a Cybersecurity Leadership Award. And if you look at the slide, hopefully it will come up, it will list some of the prior winners of the award. We were very honored that President Ilves, when he was president of Estonia, was awarded the first award. And you can see General Alexander, General Hayden, Michael Daniel, General Touhill and last year General Nakasone. It's my honor to award this award to my great friend and a great patriot, Chris Krebs. If I could have you come up, please. Thank you, Chris. Appreciate it. Thank you. Thanks. [ applause ] Last year also we gave our International Cybersecurity Leadership Award to a person I know Chris and Kieran both know well, David Koh, the cybersecurity commissioner for Singapore. It was a very snowy day, and we were delighted folks were able to come out on that snowy day to be there and to honor David. So this year we are very honored to give our International Cybersecurity Leadership Award to Kieran Martin. So Kieran, if you could please stand. [ applause ] Really, thanks so much for being here. Appreciate it very much. Thank you. And finally, it's my honor to recognize a great patriot with our first Lifetime Achievement Award, General Michael Hayden, the former director of the CIA and NSA, as all of you know, who has served our country with great distinction. So General Hayden, we're going to be honoring you with our first Lifetime Achievement Award. And it's my great pleasure to introduce to you General Hayden, whom all of you know and all of us respect. General Hayden, it's our honor to have you, sir, and thank you for serving so valiantly and wonderfully for all of us. Thank you, sir. It's great to see you. [ applause ] This is the award. And thank you. This will only be a minute. It's delightful for me to be back. It's been a long time, and I still have lots of problems to do things. But it's going all right. So thank you very much. 
Thank you, thank you for everything you do. And thank you, again. Thank you. Thank you. Thank you, sir. [ applause ] And let me also recognize and thank Jeanine, his wonderful wife. Thank you so much for being here with us. And again, great honor to have you, sir. That concludes our summit. And I want to thank each of you for staying and being here for this conference over the last day and a half. I want to thank all our sponsors who made this event possible. I recognized them, I think, over the last day and a half; it's really their support that's allowed this to happen, and we thank them very much. We thank all our speakers who have come, as you see, from across the world to be with us. And if you want continuing education credit, you can go to our back registration desk for ISC2 credit or register on ISACA's website. With that said, again, I want to thank everybody for coming. And particularly give a shout-out to one of my oldest long-term mentors, Ted Eagles, who was my high school teacher and a great friend. And my wife Susan. With that said, thank you very much for coming, and Godspeed, and we look forward to seeing you next year. Thank you. [ applause ]