Test test test test test test test. This is a test. This is a captioning test. Test test test test test test test test test test test test test test test test test test test test test test test test test test they do break down a little bit in cyber in terms of going out and labeling objects for full motion video, there are no objects on the ground. We have it and we have people, buildings, we work our way down from there. Cyber a little bit difficult problem to deal with. What is the baseline . If we take the baseline behavior, i have to know what baseline is, its a appreciative maintenance or humanitarian assistance astro relief case. So if i go back to starting with a data problem on cyber, its the most basic problems that everybody begins with, data access, data quality, data content, data classification and data standards. What we have to do is reset a little bit. Our challenge without getting into the Technical Details is we have 24 Cyber Security providers all of whom are collecting data in different ways. The starting spoipt come you po come up with a cyber frame to come one a starting point for data curation and content, sharing and storage, just on that agreement, i think well have much more success down the road as we bring in commercial vendors to do product evaluation. Were challenged right now they didnt quite know what data they are going to be seeing. There is not an image net ekwip quiff lent. We quiff lent. Our first of three lines of effort is what we are calling event detection, currently basic, something bad has happened and monitoring and the third is network mapping. All of those have the same basis of a data problem. So by going back to the beginning and working on a cyber data framework, which is nothing more than could we agree on a common set of procedures from now on of data coming in. If thats not the starting point, we dont have the decades worth of really nice clean kurated data thswami would say. Its not true for the department of defense as the intelligence community. You made the point earlier that every Cyber Security company is now a kieber ai cyber ai company and i would mike i make the point in the last decade, Many Companies started branding themselves as cyber and Cyber Security companies and that gets into the definition of what problem are we trying to solve, right . So a decade ago, we talked about Cyber Security. We were probably talking about antivirus definitions. Right . Now were talking about a living breathing ecosystem of the world and as general shanahan said is define normal. How do i even know the difference between whats normal and abnormal so i can detect anomalies. And we simply dont know. We dont know the answer to those questions right now. That makes it very challenging to develop solutions. So this community here this Cyber Security Community Needs to be thinking deeply about how do we know its normal . How do we detect variants in the system, how do we know our systems are appropriately secured against Cyber Attacks we cant yet define, that fundament amly is a challenge. Ai can help with it. Ai is not a magic bullet. Its not jacks magic beans. Right. It can solve some problems really really well and other problems its you know particularly the kind of ai we are talking about now, the machine classifiers and so on. You request solve those problems really well. Not everybody problem boils down to that thing very well. One of the pitfalls i see many commerce fall into the high expectation trap. Azy not a Silver Bullet by any means and when you set out actually saying like the best way to go about it is you smart small and actually it rate and check to see how well, it solves the problem. Its almost like the journey that you will be on for actually fought just months, even years to come and earic is completely right, i will fund a project, its going to be big, its going to be massive. I will see how you will be doing in six months or aer 82. If not, by definition, your chance of success will be low and you are absolutely spot on, that this is something, its almost like a journey of discipline, how you have to progress. And if i can add as well on the data piece, you know the challenge today is not just trying to wrangle it into a good form, its also determining whether or not you can trust it. And that gets into some of the challenges with the that poisoning attacks for instance, where you may have perfectly good looking data, but,llen on quall of the data we have from a formatting or occur it aing perspective is has someone actually tampered with it. So that gets into some r d challenges how do you make sure the data is pristine, its the way you intended for it to be. Its not included within that perhaps some examples of where are you learning maybe unwillingly that a particular data set is not, is either is or is not indicative of an attack of some sort. So thats an extra challenge on top of either not having the data or having good quality data as you might have that, can you trust that you have good data . And this idea that trustworthiness, the data is critical. You can imagine our job is to see over the horizon enough time to impact the difference. Well, in an era of adversarial networks, producing deep fake videos and fake images of people and fake audio and you know being able to substitute anybodys face in anybodys video, yet there are parlor tricks right now, but they have you know if you look enough down the road, it has the implication of it being very difficult for us to separate truth from fiction and that makes the job of intelligent really really hard, right . If you dont know the difference between truth and fiction, you got a big problem on your hands. So the finkind of things we are focused on is what is real and what is not valley really really huge. Its applicable to the cyber domain as every other domain in which we look at these problems. So based upon the previous conversation, you know, were starting to address some fairly bake use cases and were starting to move towards adoption. You have a captive audience here. In terms of research and development and where you are looking, id like to kind of work, hone in on where you are looking for new ideas, where should this community be investing for the future . Do you want to start us off there . Sure when you think about ai and Cyber Security together, there is ai for Cyber Security and there is also the Cyber Security of ai and both of those have important r d challenges to them. You could imagine using ai for Cyber Security and doing things like being able to understand your adversary and how theyre attacking and maybe look at past behavior, past history and use that to perhaps predict what future attacks might look like, for instance, and thats certainly an interesting r d challenge from the ai for Cyber Security. In the other direction, Cyber Security for ai, looking at challenges like how do you make sure that a model that an ai system learns is not reverse engineered to somehow detect Sensitive Data or information that you dont want your adversary to learn about, i already mentioned data poisoning attacks and there are a number of other of these kind of challenges that you want to have your a. S. System trustworthy to ensure when you use it, it will do exactly what you planned for it to do. That in and of itself has a lot of r d challenges as well. The National Science Technology Council every three years puts out a national or a federal Cyber Security r d strategic plan. So theyre preparing that Digital Foundation and compute. It says as government we need to be fast followers. We are in the interesting position probably for the first time we are not the leading investor in a technology area. We are not a minority investor. The World Economy is the investor. In 2016, mckenzie estimated that there were 50 billion in Global Investment in ai and Machine Learning and they estimated that there was about a billion dollars in u. S. Investment at that time. So 50 on the end is billions. Yes, were spending more since 2016, dod, darpa has announced their strategies. We dont publish our investment. But you can imagine the private Sector Investment has accelerated and investment has far exceeded governments expectations. We have to be fast followers of the world. Next we have to invest in the gaps. As a government we have to invest in things the private sector has not invested in, or is not as invested as we are. Think about a bell curve. Where is most of the private sector, the middle of the bell curve, where your shoppers are, dollars, collision, add, eyeballs. Darragh shannon has ab pro. Whats my problem . Into the low bell curve. High probability, things happen out there. Thats not where the Machine Learning has been invested in the last decade. Thats where we need invest. Were the intelligence communities our job is to see over the outcome. We need to be investing in long range semantics and meaning and only in. Because ultimately its good but its fought good if you have. I need to know why there were airplanes on the runway yesterday and theyre not today. I want to below they are, what their intentions are. Ultimately the job of intelligence is to understand that. Yeah. How quickly things from the private spectre. In amazon we tend to use the phrase, its day one in the age of internet, even tow now we are more than 20yearsold so that shows like how we tend to think. But in the Machine Learning world, its so early that i joke around saying like, yes, its day one but we have just woken up and havent had a cup of coffee yet. Its that early in terms of how much early we are in this game. So there is so much r d that is still yet to be done in terms of kind of feels like develop the internet like in early 90s and so forth. So in terms of what we need to see in r d, its not just about making machine models, development accessible and getting data aknowtation done. Annotation done. Like when it produces a result, what we see when we worked with the healthcare customers, that the consumers of this Machine Learning model, hey, are you scheduled for surgery, you might want to pay, which is more optimized. They were not willing to trust that result unless you explain saying like historically if you had done this, you will be 40 efficient and so forth. There is even these elements of explaining these results, so that people will trust it more. Its going to be a lot more important and these are some of these areas that are still under research to me. And we are to invest a lot more and fought just in the private sector, but also in academia and assets. We partner with nsf on these topics as well and Fund Programs and we look to do more. An idea just to cut to the chase, without trying to bridge a gap a little bit from the r d side, a more practical fielding element comes down to trust. If we look to future of war fighting or defense of which we no longer are measuring action, counteraction in minutes or seconds even but millie seconds and microseconds, trust becomes t what we are trying to achieve, how do i get there . If are you doing research or developing a pro you cant that is a 98 performance in a pristine Lab Environment and doesnt work in the cases that dean mentioned in a dirty dod environment, its not help. For me, proving it can work under those conditions, its a partnership, us two a vendor giving them the data they need to show or perform in those instances, i would go along in saying we also need to be thinking much more about ai and counter ai or adversarial ai, a red teaming approach which has a program of automateing some of the red teaminging as to give the humans, the people more time to think about the contextual things that are going on behind the scenes, counter ai is a future we will be dealing with, its analogous to warfare, counter and counter action on down the road. That is something upon us now. We need more thought put into that across a commercial enterprise. I think thats a really interesting observation. The sector last year identified two new war demands, soober and space. If you imagine the future of combat, you know its adversarial ai against our ai and you know how are we going to adapt in that new war fighting demand . So certainly exciting times. We have about a minute left. Lets go around, each person has about 20 second for any parting thoughts. Dr. Parker. Well, certainly, if you look at the president s American Ai Initiative that was assigned in the executive order that was, happened in february. There are a lot of these issues that priority in the initiative in the national strong. You look hat work force issues and trying to make sure we have the people we need in the ai spice, which includes the ai applied security space so that we can be in these areas. You look at data, there are actions in the executive order about making data more available for ai r d that can help in Cyber Security. There are a number of key areas that we have touched on that the federal government is taking a number of actions and to try to help the nation move forward to ensure and maintain American Leadership in ai going forward. Well, actually, i think we are just about out of time, so to the panelists, thank you, and a good discussion today. I appreciate everyones time, so, thank you. [ applause ] meers of the panel for a great discussion. The next panel is on preventing a cyber 9 11 and is moderated by bill loomis program hacker one. Joining bill on stage is jeff brown, chief Security Officer for an Intercontinental Exchange in New York Stock Exchange. The hon rablg karen evans assistant secretary for Cyber Security Energy Security and Emergency Response under the department of energy and kerry wright, Vice President of Product Management at end ace. Bill over to you. Thanks, everybody, for joining us. To start off id like to let our panelists we got a brief introduction there talk about their current relate and what they are doing in the area of critic infrastructure. Jeff, if you want to start us off. Thank you for having me. Just a quick correction in the intro, jeff brown. Im the head of something called new york city Cyber Command and the chief information Security Officer for the City Government of fork. We have the mission to defend all of those technologies that deliver Via Technology services to new yorkers each and every day and we also have admission to bring Cyber Security to new yorkers through solutions and awareness in ways that helps them navigate away from the threats they might encounter on the internet. Your question. Okay. To your question about how we think about Critical Infrastructure, we certainly as a large City Government have parts of the portfolio agencies like the department of Environmental Protection that has you know ics, ot, Water Service that new yorkers rely on then we also think about the criticality of things that are deemed Critical Services that new yorkers have to you know rely on the time of need, Something Like our 911 environment, Public Safety arms, et cetera, thats how we think about it. Karen. I am karen evans and i am the assistant secretary for Cyber Security Energy Security and Emergency Response, otherwise known as csesacseser. We deal with Sector Agency requirements as it relates to all hazards both natural and man made, so the Emergency Response function is really high right now on our efforts of our team due to the hurricane so i have hurricane responses, i have cyber responses, i have the Energy Security piece. I have dnd, dmd. We are responsible if you are familiar with the National Response framework, we are the esf12 coordinators under that with our sectors specific roles and we also have specific authorities that are designated to department of energy under the fast act of 2015. So i think ill stop there and pass it on. Sure. Thank you, karen. So, kerry roth, im from endice. Endice is one of the sponsors here. Vice president Product Management. I am fortunate enough to get around the world and talk to a lot of subsecurity teams and help them with their analytical tools to analyze things deeply and roll out different tools to defend the network very interesting insights i hope i can share with the subpractices in the subsecurity teams as of today. Cool. Im jerry perlow. Im the real chief Information Officer of the New York Stock Exchange a little mixup there. Specifically i work for a firm Intercontinental Exchange and infrastructure in five Different Cases over three different nation, were designated critical economic infrastructure specifically. That happens here via the department of treasury in particular. So i look forward to speaking about what its like to secure that side of the house. Awesome. So lets Start Talking briefly about what the Threat Landscape looks like right now. Like what are you currently tracking in terms of threats against Critical Infrastructure for your organization . Karen, do you want to oh, sure, mines really ease e easy, you know we can take a poll here in the audience. Anybody who has read the dni world threat assessment, not that i have this memorized at the bottom of page 5 it talks about what is happening with china and how china is dealing and the capabilities that they have in the Energy Sector as it relates to oil and natural gas and at the top of page 6, it talks very specifically about russias capabilities into our Critical Energy infrastructure. And what theyre capable of doing so were very focused on what the nation states could do. I dont own the infrastructure. Its all owned by private industry. So it will be good for us to talk about the trisector work that were doing and how it relates to the National Cyber strategy that was released by the administration. And when you talk about a nation state attack, whats the what does that look like . Whats the nightmare scenario in your mind there . What do you spend thinking about if terms of that landscape . So im thinking about it right now. We have a Natural Disaster that is happening coming up the coast. Were worried about making sure that we can keep the power on. We are pre positioning. We are working with our industry partners. It is all reliant on our industry partners. Thats probably when we are the most vulnerable. Okay. Interesting. Same question to you. Certainly, so i can build on your answer. When it comes down it to, though as i noted before, there are things that falls into the traditional Critical Infrastructure category, operated by the City Government of new york. When it comes down it to, new yorkers rely on a whole ecosystem of providers. There are energy companies. There are each and every piece of that Critical Infrastructure portfolio that makes the city run. I think when i think about the Threat Landscape, what im looking at is greater connectivity, smart metering, Smart Services that Everybody Needs to have guidance over but may not maybe perhaps not ownership over. The way we have guidance is we build better partnerships. We get to be involved with those providers. Everyone has the best interests of new yorkers at heart. Thats how we think about the threat and approaching the future. Yes, so, its challenging in all these roles with ve is finding the tax on my so when you taxonomy. On the one hand we can ask about anything, on the other hand we dont get specific. We mention threat actors, threat vectors. You think about Insider Threat versus a specific nation threat an objective. Its a big soup. So wave done is created a taxonomy we called threat objective, we found to have this unique buckets. That is what are they trying to do regardless of who they are and how they do it. When you do that, in our case we have ten of them. We find there are three that have to do with data. I think the most unique thing about the threat when it comes to Critical Infrastructure is its not all the that like it is in the news and most of the consumer facing cyber threats. So the ones that are data are intellectual property or pii or nonpublic material information. But the rest of them that are really important to infrastructure is sabotage. Its important not because there may be different threat actors, there are certain techniques effective adversarial or as a defender as well. So sabotage and assets app, which is like wholesale payments app, where you see the Bangladesh Bank heist and that sort of thing and data manipulation is the one kind of in the middle we worry about. Sure. You Start Talking about tactics, tools and procedures of the adversaries. So you track them on the objectives they are trying to secure and that sort of informs how you work backwards from there essentially. Is that how you purchase that . Thats right. So the threat objective is really, you know, its a really good construct. They give us a chance to talk at the board level about the whole ecosystem. Were worried about sabotage. It looks like you can take out saudi aramco, sony, different companies, different threat actors, everything else. We are having the same conversation about how it manifests and the ransom attacks about destruction not about distortion in there as well. That is helpful at the board level, its helpful to take the pii attacks and say, yes, we know what that is about and weve discussed this and where does that fall . So to set that priority at the board level is very helpful. Then the stepping back level you mentioned for us, that means lets go straight to red teaming. So what did it look like elsewhere . Thats how we gauge our residual risk of those. Gotcha. Terry, you have a different perspective. You who, with different security teams. Are there trends with customers you work with, with the kind of threats they are sob everyboobs the critical space . Yeah, the trends are more with how they deal with the threats and the thought process is changing. We see some advance teams we work with going from a purely defensetype strategy to more of a, okay i know that there is a high risk of being breached, let me put the processes and procedures in place to make sure i can deal with that quickly. I can deal with the downsupreme impacts before they actually take effect and i can understand the full extent of whats actually happened, so im seeing them puting in recording infrastructure to record absolutely everything about their environment. So thats the first thing, being able to see what actually was impacted. What was affected, what was touched, the recording system logs and actually down to the network data and then also being able to respond quickly with different tools and tech nation by using a platform approach, being able rom things out quickly if there is an impending attack and they need some sort of new tool, a few innovation that they can apply so we are seeing that as a general trend and seeing it as having a lot of good effect. Gotcha. I want to drill into something, karen, that you had said a little bit in talking about sort of how you worry about all these threats to infrastructure you dont technically own. Thats interesting as a threat model, sort of its not your fault, but it can be your problem approach. What administrative constructs do you have to put in place to handle those types of things . Say you were convinced x behavior of set of infrastructure will be a problem. There will be an attack against it. How do you handle that organizationally . So, part of the and im glad you asked that, i know you want to build off it as well. We talk often about public partnerships. I have a deeper appreciation especially in this role what Public Private partnerships mean. Because the only way theyll going to be successful is to your point is that if that Public Private partnership that trust relationship is there, so they can convey what is unique from the whole government approach this is what is envisioned that ssa does so they see value from what were doing. The only way i will be able to do that kind of analogy sis is they are contributing to the analysis capability, so that we can say, this is contributing to it. This is whats happening so we can bring whats unique to the government to bear so we have a whole government approach so were only one Critical Infrastructure. Right . Under the dhs umbrella. So we have the whole government approach. But i have to convince them that this is within the rick models that they have, the risk registries that they have, the way that they are doing things and our modems have owe m mo different. There is a huge trust model, partnership between what is happening with the department of energy and the entire Energy Sector that if we were when we share that information, they really listen. And so its incentivized to we need to do this in order to keep the lights on, because were such a critical need for the nation, for the community all the way down to the individual customer. If you want to build on that i know you were thank youing about some similar themes. Certainly. I think when it comes down to it, its addressing the domino effect that can happen based on the things we have observed on the global landscape, when you think 9 Million People five boroughs and gentleman geographic confines of the great city of new york, the reality is when you bring public partnerships, the right people at the stable with the right interests aligned, everyone recognizes if one person in that diagram fails, the dominos start to fall. Then from a business contact, even though i represent a City Government, i think it does resonate with the private sector partners because you say in that, we together do better jobs together maybe pull resources, et cetera, and you are caring my failure on your Balance Sheet as a risk. Because of that life shared risk. How we have been addressing it in the city of new york, we did set up something we call Cyber Services and infrastructure, which is our effort to bring these people together. Start to look at ways we can address these problems, practice together. Weve done a number of exercises and our hope is that it will help us to not only prevent but then, of course, respond together. And you generally find theyre receptive, . Yes, i have. Excellent. Awesome. And then. Do you have any thoughts on that . I know yours is slightly different, but well, i think one of the things that would help for the sake of the audience, too, so you start back at the title about cyber 9 11, for you its close to home. Everybody can imagine and make the pivot over to things like power and transit and all the implication, it can have. So on the economic side, i think its worth throwing in there the scenarios that we are thinking of from a critical standpoint are a lot to do with undermining confidence in the global markets. So i think its important sometimes to idea that context. What does sabotage mean . I think its important for private companies that are responsible for Critical Infrastructure to remember that that net isnt about the Balance Sheet. Its not about the quarterly performance anymore. We have regulators that have different spec agenda that theyre trying to protect. When it comes to the department of treasury, theyre worried about undermining confident in the market and the domino effect again that would have all the way through every sector immediately. So, you know, its not different in many ways, but in other ways, it can be a little bit like splitting hairs. Sure. So were sort of talking about the importance of developing close partnerships with people in related to the threat model of Critical Infrastructure. That sort of goes to the broader theme of how are you gathering intelligence around these threats, right . Who are you partnering with . How are you making sure the data on these threats is propagated efficiently . Is there anything you are doing . How are you getting most of your intelligent around these sort of threats to your Critical Infrastructure . To the Threat Intelligence anyone who lived through this, saw ten years ago, Threat Intelligence was so hot, so to speak. It was almost a buzz thing, if you have been around you might think let me wait and see if that end up being a fad before we go and invest in it. So in our organization, we consumed external sources pretty early on, including some commercial source and later we added the formal capacities to have analysts hailing going through that. But one thing that really helped us get ahead of all of that is the isat, the information sharing analysis center. The ss isat services in particular. It started the embodiment of private partnership. Its often the conduit between public spellgents and the private sector. But more times than not its peertopeer sharing among the members in there that bears the most fruit. And that did evolve into some automated and mechanical sharing. Sow know we actually have protocols of sharing of Threat Intelligence. We have systems that actually manifest protections when they consume the intelligence. Even what i call the narrative intelligence, even the emails book and forth from different banks and different utilities that say, hey, were seeing this, does anyone else see that . Or a Member Institution reported a Service Attack at these times, is anyone seeing it are so help. Intel feeds so many pieces of the whole life cycle. We think immediately of the warning system, whats coming next . It also arms our red team so the intel about an incident somewhere else is what we will use to emulate the threat. The more detail we have the more accurate it will be. It informs our controls and things like our vulnerability assessment, so we request prioritize based on the someone is ac rattly targeted. Interesting. Okay. So sort of forward looking, so we have a good picture of sort of the threats you are seeing. Where are you spending most of your time right now . What are you trying to build out the most . I know we talked about private public partnerships, are there other capabilities as a part of a defense apparatus for Critical Infrastructure . Sure. Im happy to take that first. So again, you have to think about the expanse of what a City Government means, whether its in new york city, d. C. Or wherever it may be. We have Emergency Management programs. So what we are learning very much is the more checked with reinto that whole apparatus of government capabilities that is represented within new york city. All of the themes that new york city Emergency Management can bring together either to be proactive and exercise or there is a need to respond. You are not alone in the fight so to speak. I think a lot of times Cyber Security professionals in our technology and security dispalestinians, at times we may feel alone in the fight. I think its useful to bring back to organization, whether public or private the simple fact that if you talk to the people that are the enterprise risk managers that have portfolios encompassing continuity, et cetera, there is a lot more to make sure the services your entity provides are resilient and can recover with pace. I think thats where i am seeing a lot of sort of trade traps now, building intelligence backgrounds, its very heartening. Gotcha. So im going to, you guys will be disappointed if i wasnt a little controversial here. And so, were looking at it a little differently. Again, because i have a research and development piece associated with my office and, of course, we have the National Labs within the department of energy. So were really looking to shift the paradigm and really look at the missed framework. Right . It has the circle. It talks about detect and protect. A lot of this stuff we are talking about today is in respond. Right . And the resiliency of how to recover. So im trying to change the paradigm and what the secretary has envisioned and what we believe will provide value out to the industry as a whole is, we have efforts called the great mod enization initiative. Right . Which is like modernizing the infrastructure to build that resiliency up front. To have self healing capabilities as you go forward, to change the dynamics instead of us spending a lot of research and response, were spending a lot of research on how you use smart technology, Software Define Networks so that you can then deploy these in a way that the system is detecting so that we can protect and then respond when we need to. So the other part is, is that we are not as in our area focused on technology, a lot of this stuff is it it focus. We are focused on Operational Technology. You briefly mentioned escape systems and industrial control systems. Its the nexus of where people are trying to gain efficiencys by using cloud to maximize that capability that comes from, okay, if we can gather this data and analyze it, like thats what gets it exploited. The more intersegs connections that interconnection, thats where we are vulnerable. We focus on that and we are self healing, how do we have environments, like to it it world, you can look around this world, right, you guys are all focused on information technology. So were focused on making sure that Operational Technology works, that you can detect who is in there. Is it running the way its supposed to. Is that valve supposed to be turning offed on on or is that an adversary can we detect it . We are focused on changing the dynamic. Sure. Are there any capabilities that you see across a lot of the organizations you work with, they are building out in response to these kind of threats or . Definitely, i see, both swings in both directions. You know, some organizations are heavily focused on the defense side, trying to prevent and other organizations are on the response side trying to scramble and respond to all of the incidents that occur. Its about getting that balance right, about rolling out new tools quickly to defend the networks. Its also about having the Historical Data of whats being happening in your infrastructure so that when you do see something strange, you can go back and track whats actually occurred over time. And having that balance throughout is important. Because it allows to you then say im going to defend the network as best i can, but im going to have the infrastructure in place for the stuff that i cant defend against and i think we all know the key issue is, you cannot build a perfect infrastructure that is completely robust. At some point a state actor is going to have the resources, the know how, the time and the ask ill to get into your network so you feed both. You need to defend. You need to keep those doors closed tightly as you can, engineer the information and the system there is for when someone does get in and start to well be right back havoc. As we saw with the ukraine attack. These threats actually, they hang around for a long time before they actually do any damage. And thats a period of time of which weve got to actually find this anomalous behavior, find these strange occurrences and neutralize them before they actually do any damage and getting that balance right i think really helps us achieve a much more robust infrastructure. Dpoch cha. Jerry, you had talked about sort of the importance of red teaming, sort of like a proactive control where you can sort of test your infrastructure of what you are seeing in terms of attacks otherwise. To what degree is sort of the red team informed by the other attacks you are seeing and to to what degree you see other objectives you think you might be seeing in the future . Can you talk sort of how you go id your red team i go es . Yeah, its really bloet in one go. Its certainly both in one go. Its certainly intel about the types of objectives we are concerned with. So in that regard its a bit lagging, we are go into an attack or something and pull out the ptp as you mentioned earlier and begin there, but the whom point of that is its meant to be predictive. When we talk about my organization is, i like to define it between the first line of defense and second. The preventative and detective side are both actually on that the first line of defense on the reactive side. Everything on the second line i like to start thinking of as predictive. Really rick assessment and threat modeling and vulnerability scanning, testing all of that is meant to predict. Otherwise there would be no pointed doing it at all we won bother, sorry, im combining two questions in one. What are we focused on, going to that se same time, its equally both sides of the house, taking that intelligence and flowing it 32 you the second line to figure out what we will prioritize and from the results of that, going back to the first line of controls we need to put in place tomorrow without a doubt. But the one pervasive theme on both sides is automation, without a doubt. And you know i always say i want everyone that reports to me to take my job. I want to work myself out of ab jo. There will be new tasks that come out that arent on my plate. Likewise, everyone in my group needs to be working towards automation, not to work themselves out of a job, there are other things coming out of the pike. They cant do everything today and what they have to do tomorrow so when we wrestle with technology on both side, automation is about technology in many cases, its bills versus buy, like any company we struggle with that. My approach today i think has been successful is what i call builders buying. So we do a lot of prototypeing inhouse and then we go to the market once we figure out the challenges around can think oh, thats interesting if you do that or anyone can do that. So thats really interesting. How long does the build and buy cycle usually go for . I know probably it varies depending on what it is. You know, there is a lot of paths that can come out of that. So at some point in a project we say this is a great and noble cause, we arent scaling, resiliency, lets go to market. By then somebody has created and done a better job or eager to do so. But there is a niche, a small gap, a broukt only useful to us. Those a product only useful to us. Those are based on our Business Organization but heavily on our culture. So i call it things we can get away with. Say one of the things i talked to the board about before is the title of things the board has done for Cyber Security but not on purpose. So we dont unwind them by accident. That can be whether are you b2b or b2c or head counts or employee turnover. All these things have knock on effects, mna strategy as well. So when it comes to Something Like that we say were not going to go to, ma. Thats great, jerry, were not going to make money off this then we invest more to bring it to a mature state inhouse. I guess i will close by asking sort of looking forward, like where do you see like five years, how dif does the Threat Landscape look, there anything you dont see know you anticipate seeing in the next two, one, five, ten years . So, think to combat more connectivity throughout cities that new yorkers rely on. I think what we will see more across the municipalities is this notion of Cyber Security nor the public perhaps. In new york city we launched nyc secure, which is our commitment to new yorkers, we will bring Cyber Security to them for their choosing and ways to respect their privacy. We released an app public available and free and put a Security Solution in all the places we provide. I think we will see greater expanding along that Technology Foot print. I think you will see municipalities go toward the people that walk their streets and say, lets help you make better decision as you and a half guite away from threats and respect your privacy at the same time. Cool. So, what we see across the board is the mix of energy, right . So we are now Energy Independent as a nation. And with that means that there are other vulnerabilities that have come into that. So the department has announced an advanced initiative jointly with our office of Energy Efficiency and renewable energies. Its dealing with trying to manufacture and foresee how do we continue to stimulate innovation that that the Wind Turbines and the solar panels and the eb cars and you know changing the battery and the modernization is great, because each, all of those devices connect into the grid and so we are really looking to say, how can we engineer this . So that we have a mechanism in place dealing with private industry so that we can continue to be Energy Independent, take advantage of industries, knowledge, and then advance it through manufacturing. So im not going to really talk about the threats, i think theyll continue to evolve. What i think ill talk about is in five years time i think there will be much more coordinated approach to defending the networks. More platform centric approaches, where it makes it a much easier task for you to roll out new technologies. If you go to isa or any of the big trade shows, will you see thousands of innovations. Can you take advantage of those . Probably not. Very difficult. We will see new ways to roll out technologies, roll out defenses rapidly in an agile fashion trying to catch up to where the bad guys are at. Okay. I think we will see some advances in theificati identifi phase, that will be critical not for authentication but to have accountability for every packet on the internet. Awesome. I think we are about at time so thank you, everybody, for participating on the panel. Yeah. Okay. [ applause ] [ music playing ] tonight california representative cochair of the intelligence caucus on the future of artificial intelligence, Election Security and whether Big Tech Companies need more regulation. Google is a californiabased company and i think if we want to look at how its doing its business practices, its important to do it in a very thoughtful way. I know that the department of justice and the federal trade commission are also talking a about doing investigations into competitive practices of these companies. And its good to look at this and investigate it and make sure that the companies are behaving. Im not sure that breaking companies up is a good idea. These are Big Companies with a lot of tentacles. A lot of employees and if you break a company up like that, if you manage to do it. There will be unintended consequences. Tonight at 8 30 eastern on cspan2. Our cspan company 2020 bus team is traveling across the country visiting key battleground states in the 2020 president ial race. Asking voters they want president ial candidates to address during the campaign. I think a pressing issue id like to see candidates talk about is heckic. Because there is a lack of healthcare in the country right now. I think affordable healthcare at the veryleast. And some people arent going as far as i would like to go into the details of how they plan to handle that. I hear a lot of general ideas, but i like policy a lot so i like to see where that goes. I would really like for the candidates to discuss how were going to renormalize ourselves as a leader if not the leader in what we used to call the free world, in the rest of the world, as a leader in democracy and a leader in Democratic Values around the world, also a cooperating force with the rest of the world. I would like to know from each candidate their ideas on Nuclear Energy and the reinvestment of the technology in every state in the country. And i would like to know if they believe it is a sustainable, reliable use and worth the investment to our nation. Im really concerned about the Climate Crisis and about gun safety legislation. Those are two essential things that have to be addressed by the election next year. I wish theyd be addressed by congress before that, but it doesnt appear that the senate will move on that. Also we need to try to get back to enforcing the constitution that whoever becomes president should obey the emoluments clause, should conduct business with integrity, should not ridicule minorities or handicapped people or aged or anyone else. We need to restore integrity and we need to restore a sense of service to all of the people. Voices from the campaign trail, part of cspans battleground states tour. Now more from the Cybersecurity Conference hosted by billington cybersecurity in washington, d. C. This Panel Discusses the importance of public and private collaboration as well as enhassing cloud security. This is an hour and 45 minutes. Okay, good afternoon, everybody, again. Welcome to the second part of our program. Id like to invite you back and well bring our next panelist here. Thank you again for keeping your conversations a little bit more quiet on the outside by the booths so we can listen to our panelists. So this next panel is very interesting called new models of public, private cyber collaboration. The moderator is mr. Will
comparemela.com © 2020. All Rights Reserved.