Now more from the Cybersecurity Conference hosted by billington cybersecurity in washington, d. C. This Panel Discusses the importance of public and private collaboration as well as enhassing cloud security. This is an hour and 45 minutes. Okay, good afternoon, everybody, again. Welcome to the second part of our program. Id like to invite you back and well bring our next panelist here. Thank you again for keeping your conversations a little bit more quiet on the outside by the booths so we can listen to our panelists. So this next panel is very interesting called new models of public, private cyber collaboration. The moderator is mr. Will ash. He is a senior director of Security Sales used Public Sector global Security Sales for cisco. Joining him on the panel is Major General ed wilson, United States air force retired, secretary of defense, assistant secretary of defense for cyber policy in the office of the undersecretary of defense. Also joining us is claire caroma from the Defense Digital Service. Also Lieutenant General steven fogarty, commanding general, United States army cyber command. Also ms. Tonya ugeretz, a Deputy Assistant director cyber readiness, outreach and Intelligence Branch for the fbi. And last, miss Jennifer Walsmith, sector Vice President and general manager Cyber Solutions division, Northrop Grumman systems. Over to you, will. Thank you, ed. Hello and good afternoon, everyone. Welcome back. Before we get rolling i thought it would be appropriate to give billington a round of applause for the guests weve had so far. So lets get that going. Thats probably going to draw some of the exhibitors back into the hall. Welcome to what some would argue as the Signature Panel of the summit. As grant mentioned, we have the operators in the afternoon so indeed we have the operators here on stage. At least six would argue this is the Signature Panel. All kidding aside, if you look around the room and exhibit halls, there are public officials, private representatives and this is top of mind for all of us in the cybersecurity business and industry, public and private partnership. In this case new models of public and private collaboration. For the next 35 minutes or so, were going to explore some relevant topics in this area with this exciting panel. The format is going to be were going to have a quick introduction right now and have each of our panelists not only go a little deeper on what their role is beyond the title that ed mentioned, but we also wanted them to share a use case in this case, the publicprivate collaboration. It means a lot of Different Things to a lot of different people. Its a very broad topic. So thats how the introduction will flow. Major general wilson, if you wouldnt mind starting us off. Absolutely. Ed wilson. In that role were responsible for the strategy, different policies for the department as well as the authorities for all of our Cyber Operations across the department on a global stage. I thought what id do is just maybe share given the content of the panel, i dont want to steal any thunder from the Defense Digital Service or general fogarty from a component perspective but maybe something were partnering with industry on with an interagency context. And so last spring as we were crafting our cyber strategy, one of the key aspects was a realization that we had not defined and clarified the role of the department and defense of the homeland. I think we all understand that the homeland has a role in defending it. As we begin that journey, weve articulated that and worked with interagency partners. So really the use case that i want to put on the table just briefly is a thing we call path finders. In the defense of the homeland we have begun to partner with the department of Homeland Security and the requisite critical segment owners. The first one we started on was the Financial Sector so we have a financial path finder. As part of that what we do is work with dhs, the different isacs as well as fs arc which is a industry representation of the key banking industry, the Financial Sector representatives. Weve begun an informationsharing process associated with u. S. Cyber command and some of the Intelligence Community representatives in being able to share sgi indicators of compromise and Systemic Risk. We also have a path finder associated with the electric sector, the energy sector, really focused on the electrical space with the department of energy. Karen evans who was on stage earlier. As part of these path finders the reason we termed it path finder, this is New Territory for the department so were not trying to overarchitect or overthink the problem. Were trying to get started and begin the process, begin the collaboration with Industry Partners, with our interagency partners, understands roles and responsibilities, and the unique attributes scale scope directives that the department of defense can bring in Critical Infrastructure. So its a unique use case. A lot of wind in that sail now, were making good progress. I would say that really it could be gamechanging in some ways. Not that were the prime player but the duty, the weight, the scale, the scope that we can bring to the problems can be brought to bear in this particular use case. Excellent. Great use case. Thanks for sharing. Despite starting with ed, were going to keep you guessing, were not going to go down the line and also keep the panelists guessing, a bit of a game. With that well swing to jennifer. Jennifer, would you mind . Absolutely. Im Jennifer WalsmithNorthrop Grumman. Its by no mistake that we put intelligence and cyber in the same organization because i really see it as two sides of a coin. Im career government for the majority of my career spending the last ten years as nsas accession and procurement representative. I joined Northrop Grumman three years ago and have been having a grand time working Cyber Intelligence from a different vantage point. My use case is about creating a global ecosystem for the workforce of the future. It starts with what were partnering with the air force association and the Cyber Patriots. Long standing started in 2009, certainly long before i was involved with many of my predecessors and many partners across the country, but what started as a small effort in 2009, in 2019, ten years later, we had over 6,000 teams competing middle school and high school. Our Cyber Warriors of the future. We didnt stop there. This year we opened up our cyber centurion in the uk and cyber sypan in the australian cyber wealth. So its about creating that workforce of the future starting very early in middle school and high school and thats whats really exciting. If i take one example and then pulling that thread all the way through is really with the universities and creating not only the students but then the interns that are so excited to work on our customers hardest problems all the way through to research. And what excited me this summer was watching 30 young interns doing a codeathon against one small aspect of nsas hard problems and creating that environment as a partnership because they certainly had to create the environment that we could do that. But thats an example for me of Publicprivate Partnership for the future workforce. Thank you for sharing, terrific. We will go a little deeper on the workforce topic later as well. Thanks for sharing. Tonya, would you mind going next. Sure. Im tonya ugeretz, the Deputy Assistant director in the fbi Cyber Division. Our Cyber Division is the investigative and operational arm of the fbi that works to deter and attribute cyber intrusion activity to hold actors accountable. So within that division we have two deputies, one who is responsible for operations and our National Joint task force and then i have the Everything Else branch. So that includes things like our intelligence workforce who focus on both National Security and criminal cyber threats, our elite Rapid Response team, our Cyber Action Team who responds on site to our most significant cyber threat activity. The people who make the place run in terms of workforce and logistics and finance and budget, and our policy team as well as what we term Mission Critical engagement. And thats where in my branch we have the nexus of the fbis Cyber Program to the privatepublic partnership. So for the fbi, that sense of Publicprivate Partnership is really core to everything we do, in every program we have, whether its crime or counterterrorism or cyber. And its manifested in our presence with 56 field offices around the country plus dozens of other offices as well as a global presence. Its really about how in each of our offices in our area of responsibility, we are out engaging with companies, individuals, communities ideally before something bad happens but also there with those relationships ideally already built to respond after, unfortunately, something does happen. So when we look at privatepublic partnership, on the one hand we see it as not necessarily something new and unique. Its foundational to what we do. But in the Cyber Program, weve had to look at what aspects of it are unique when we look at cyber. And i think theres two key ways we look at that. One, its by virtue of the fact that apart perhaps from maybe federal networks, the majority of what we care about and the majority of what our adversaries are targeting are in private hands, whether thats individuals or municipalities or companies. And so we need to have those relationships there to both protect and respond across the federal government. But also, whats also in private hands are the companies who form the backbone of that Network Infrastructure as well as commercial Cybersecurity Companies who have unique information about malicious activity thats traversing or targeting u. S. Networks that the u. S. Government doesnt have and that u. S. Citizens dont want us to have because you dont want for some reason the fbi sitting on your network. So we have to have those good partnerships, and i think thats where it is unique in cyber. So weve been looking at this issue for quite a while and the case example i would point to is something we call the National Cyber forensics training alicense or the ncfta. It was begun in 2003. Its actually a 501 c 3 located in pittsburgh, but its a physical location where representatives of government, academia and industry sit together and share information about primarily cyber criminal threats to u. S. Targets. And in one case example recently, we had a global botnet that was involved in malicious ad fraud. It was operating from 2015 to 2018 and it infected about 1. 7 million users. It would use hidden browsers to download fabricated web pages and then load ads onto those web pages. These generated fabricated ad clicks and what happened was that businesses ended up paying about 29 million for ads that no human user ever actually clicked on. So working with Industry Partners as we identified this activity, we were able to sequence a number of actions to eliminate it. It started with an arrest of one of the perpetrators and that arrest was enabled by our attribution, which is the cyber fancy term for identifying whos responsible for activity. And then sequencing events with foreign partners to take down servers and infrastructure as well as industry to reroute the malicious traffic or sinkhole it. And what happened is that in a matter of hours, we were able to take down that Global Infrastructure in such a way that the malicious activity stopped. Lest you think that Law Enforcement action never leads to consequences against actors located overseas, we were able to arrest two of the three persons responsible overseas, have them extradited and theyre currently pending action in u. S. Courts. The third one is in russia, so im not so optimistic about that. But thats just an example of how working with industry side by side, we can achieve consequences and were looking to expand that to activity against nation state actors as well. Thank you, tonya. Youre not going to see it coming. Were going to go to Lieutenant General fogarty next, please. Thank you. Good afternoon. Im Steve Fogarty and i represent almost 16,000 soldiers, civilians and contractors that represent army cyber command, a force thats dispersed globally. We have three principal missions for the army. Full spectrum cyberspace operations, so thats operate, defend and attack. The second big mission we have is Electronic Warfare and the third is information operations. And as we pull all of those together and integrate those effects, we think that really spells Information Warfare for us. So thats the direction that weve headed. If you look at two things that were required to do on behalf of two generals is enable partners and then act. We very rarely act without a consortium of partners. So it might be academia, it could be commercial industry, it could be interagency, it could be foreign partners, but the bottom line is i cant think of a single operation that weve conducted since ive been in command that actually didnt include multiple partners. So for us that is the key to success. We exercise it in a variety of ways, so it might be a simple contract, it could be a memorandum of understanding, it could be a very specific document for a very precise purpose. But what woe we generally find is that the young people who work for us reach out to their own peers, they have built their own networks, and what we find is theyre generally very, very successful at building these ad hoc relationships, ad hoc organizations, and they get after the mission. Thank you, sir. And, claire. Will you bring us home on this one please, thank you. My name is claire, i work for the Defense Digital Service which is a startup in the department of defense. We sit in the office of the secretary of defense. And my team is comprised of a s. W. A. T. Team of nerds that have been asked to come in to do a tour of duty for a minimum of six months, maximum of two years, to lend our talents to help the Department Force technological change that have a magnitude and order of impact on the department. We are comprised of a fairly set group of folks that work on our team. We have bureaucracy hackers, which is my role, so those are folks who have a really good understanding of government procurement, acquisition, policy, best practices and have some way in their past life a Technology Focus on their background. I started out as a developer and coder and then moved into management, acquisition and procurement and budget. We also have product owners on our team and those are the folks who know how to take a product, build it, start it from scratch and get it to mvp status and take it to a scaleable model. We have designers on our team, so User Research designers and visual designers. And last but not least we have engineers of all sorts and flavors, back end and front end engineers. The way that our team works is we partner with the secretary of defense and the different services. We have strong portfolios with army and air force. And we take a look at problems that they present to us and we go out and investigate if those problem sets fit squarely with the talent pool that we have in our organization. One major requirement for the problem sets that we take on is that we can have quick wins so we dont take on projects that take two, three or four years. There are many, many other great partnerships in the department that have those types of problem sets. Because our team members are asked to do short tours of duty, we want to make sure that we can do quick, fast and efficient wins for the department and problem sets they ask us to take a look at. So two good examples of the type of Publicprivate Partnerships that we have been fostering in the department. The first one and you probably heard of it is the hack the pentagon program. We come from an environment where many of us are accustomed to taking close looks at the vulnerabilities that exist in our networks, our systems and hardware. We want to know where the problems are so we can solve them before the enemy does. And so about a year ago our former director proposed to the then secretary of defense that we should do a hack the pentagon program. There was a lot of fear about it. But once we joined in on the effort to start this program, it has been an incredible success. We have inked contracts with some of the best private industry vendors to help us to identify systems that have critical vulnerabilities and patch them before they become an issue for the department. To date we have found over 10,000 vulnerabilities in a series of public and private bounties. We just finished a bounty that was sort of unique. We didnt just look at a software system, we actually looked at hardware for the air force. It was incredibly successful and were moving forward with building that portfolio out. Another good example of some of the Publicprivate Partnerships that we have brought to the department are some of the work that were doing with army cyber. We have a really robust portfolio with army cyber. One of the unique things we did with army cyber, we asked them to let us take their talent and have them partner with our engineers and our team. So any project that we embark on with army cyber, we get them to give us soldiers who are active duty who have various types of talent sets that are very specific to the problem sets that were looking at. One of those problem sets that we just finished tackling and are working to transition on right now is an effort to rethink and reimagine the way that army cyber trains its enlisted soldiers. 80 of their army Cyber Workforce are going to be the workforce that help the army to finish its mission in the offensive and defensive technologies and environment. And so we spent about seven months just rebuilding that training and helping them to think through how they train the soldiers, what is the curriculum the soldiers should be learning while they are going through the training, and what sorts of exposure they should have to the Operational Force and to other folks who are in private industry who are actually working in the areas of the technology that they are learning so that they can have a good, solid understanding of how that relates to their work rules so we are actively working now having wrapped up that course in june of this year with Army Cyber School to transition that over to them so they can continue to train soldiers with this new methodology that we have brought onboard. Terrific. Not nerds you want to mess with. Yeah. Thank you for sharing. Well, we met our intent through the introductions and thats really posing some rich, deep, diverse use cases of publicprivate collaboration and some new models at that and giving us all exposure as to some of the context within which these organizations are sitting. I wanted to pivot a bit for our next topic. Grant schneider this morning or this afternoon mentioned the may 9th executive order around americas Cybersecurity Workforce so i wanted to explore this particular topic area with several of our panelists now and given your rich story, tonya, with fbi and your distributed model and the nice use case you shared, would you mind turning to your viewpoint on the Cybersecurity Workforce in particular and how that relates to your publicprivate work . Sure, thank you. So just pulling up a second from that question, i think we all share talent challenges that we wont be able to hire our way out of. While theres always competition for a talent and resources, no matter what the issue is, in cyber in particular, we feel like its important to look at this really as a very interconnected ecosystem, so cyber is a very complex challenge in terms of combatting the threats. I think oftentimes what we collectively fall into is, you know, which agency is dominant or which element in the private sector needs the most resources, et cetera. But the way we look at it, we as general fogarty described, are so intertwined with each other in terms of how we support each other, enable each others operations, share intelligence, that we really are looking kind of ecosystemwide on how we can make sure that we have parity in our partnerships. Were not all going to be the same size or have the same level of workforce and other resour s resources, but we need to make sure that as a whole were strong where we need to be. So thats just kind of the general lens that the fbi is looking at workforce challenges in. So more specifically if, for example, the fbi or any other Single Agency were to be the predominant collector of intelligence domestically or overseas on a particular threat activity or threat actor, its not going to do the rest of the partners either in the government or in the private sector any good if we dont also have the capacity to manage, maintain, exploit and share that information. So we all have a vested interest in each others strength and workforce and resources. So more specifically, the way the bureau is looking at it first is that weve diversified our job roles. Ive been in the fbi since 2001. When i came in, it was very much a special agent dominated organization, as you may have read. We love our special agents. But im an Intelligence Analyst by trade and for much of the post9 11 era we talked a lot about agents and analysts. Now fast forward almost 20 years and on the Cyber Operations and investigations i helped support, were talking about agents, analysts, data analysts, digital operations specialists, computer scientists, Information Technology specialists, the diversity in the job roles really reflects the complexity of the threats were facing and also how weve had to evolve and how we think about our workfo e workforce, what workforce we need to address those threats. Were also pursuing some innovative partnerships with the private sector in academia. The fbi is investing heavily in a new and expanding presence in huntsville, alabama, which i believe has the highest concentration of ph. D. S anywhere in the country. A lot of defense support and Technical Support capability there. And were pursuing some innovative partnerships, for example, through the university of alabama at huntsville in terms of working with students there and Capability Development, but also, believe it or not, with space camp, which we all know from popular imagination really kind of captures students at a young age with the possibilities of space exploration. So we are pursuing the creation of a cyber camp on that same campus there in huntsville to try to entice the Younger Generation into the s. T. E. M. And cyber fields. And lastly i mentioned we cant recruit and hire our way out of this challenge. Were also looking at how do we develop the rest of our workforce. So were currently piloting some Aptitude Testing for our new hires in terms of special agents and Intelligence Analysts. You may come onboard to the fbi to be an agent or analyst with your accounting degree or your Foreign Language degree and think youre headed down one path, but if you take an Aptitude Test and you find you have a hidden talent, an aptitude for a more technical or cyberrelated field that you didnt know about, then were going to have a conversation with you and were going to talk about investing some of our training and Development Resources to see if youre going to be a member of our Cyber Workforce in the future. Great. And the list goes on, i imagine. I knew youd be a good one to start with. Ed, would you layer on some perspectives from the dod side of things. Absolutely. The dod makes up a large percentage of the federal Cybersecurity Workforce or Cyber Workforce. It really falls into several categories, but a little bit different for us is we have the military members. So we recruit and then have a challenge of retention on the military members. And so what is unique about that model, i think all of the service would stand up and say we do not have a recruiting problem when it comes to cybersecurity. We have people lined up out the door that are ready to come onboard and do the mission, whether its Cyber Operations or traditional cybersecurity. So recruiting is a pretty easy turf. The training model to bring qualified candidates onboard, each of the services has stepped up to the plate and is generating a lot of talent, a lot of capability in terms of Human Capital for the nation. Where we do find chal epgz sometimes is on the retention side. Clearly we dont compete well on salary in the military but weve begun to handle that with bonuses, like we do with other critical skill sets and that seems to be working for us fairly well with a few exemptions in some niche capability areas. Theres a good news story there. We also have an advantage and take a hard look at it, i can speak from being a former commander like general fogarty is that when an active duty member, military member, goes to depart a service, especially the army and air force base has a bit of an advantage with the guard, whether its Air National Guard or army National Guard but also reserve components. And so the active duty members we recruit heavily to be able to join and stay with us if you will maybe not in a fulltime capacity but that gives us a reserve component, if you will, across the nation. On the civilian side, weve made a pretty dramatic shift with the help of congress. What we term as the cyber accepted service. So its given us unique authorities inside the department of defense under title x u. S. Code to be able to hire on the talent and to be able to tune and tailor the pay packages, the bonuses, et cetera, associated with that. So thats been a real big win for us. Weve just begun to get that in motion, if you will, over the last 18 to 24 months. Were able to bring onboard people much kwquicker than we could in the previous regime. I would just do you belieuble d comment with regards to the Cyber Patriot program and the unique attributes of a Publicprivate Partnership in this case with the air force association. To my experience thats probably one of the best malodels that ie seen. Its really in my mind thinking about how do you expand or grow the denominator of talent coming into the workforce not arguing or competing with the limited pool of resources that do come out. Its getting ahold of those young men and women in middle school, high school, and getting them excited about potential Career Opportunities in cybersecurity. I would argue that the secret sauce in that is Publicprivate Partnership that allows us to scale those types of problems. Theres a bit of training and Knowledge Transfer with mentorships, but you add competition in the middle of that and it becomes fun and exciting and gets that young workforce, if you will, thats the future workforce. Were seeing very high Interest Rates out of programs like that. So i think we cant forget that, so its the whole ecosystem from our perspective. I love the positive progress piece that you reinforce there. With just a few minutes remaining, were going to allow general fogarty to talk on one topic. Jennifer, you mentioned workforce in your opening comments. Anything else oouyoud like to . Im going to add very briefly something i have a passion about and that is capability delivery and the Technology Aspects of the Cyber Workforce and how critical it is to our new workforce to have speed in so many aspects that they dont want to do things manually, they want the automation, they want the modern environments, and thats one that i think we can all contribute to and is a very important ingredient to our future today. Wonderful, thank you. Sir, i hate to do this to you in true speed round format. Were going to shift topics in the seven minutes we have remaining and talk about the opportunity of accelerated Capability Development that the publicprivate cybersecurity collaboration offers us. And if you could take us home. I know you and claires organization are very collaborative in this space so feel free to ham and egg as you will. Absolutely. So we have 3,000 cyber professionals in the cyber branch in the army. And so some people say thats actually quite a few people, right . Some people say thats just a drop in the bucket. But 3,000 is what i start with. And its the combination of enlisted, warrant officers, our Commission Officers and our department of the army as civilians. Its principally a military workforce, but we do have positions for government civilians also. Then of course we cant do it by ourselves, so we have a large contract workforce that works for us. And so if you start to look at where they come from, the dna is principally either from the signal force or from the intel force. And so you have a group of individuals that has kind of grown up either operating and defending a network or they have been intelligence collectors. They create accesses. You get very deep into a network and then generally generate foreign intelligence, but that access for foreign intel collection can be flipped immediately for effects generation. What were seeing right now is the requirement, the need for speed is so great that weve built within that small branch an even smaller cohort of developers. And so theyre the ones that are helping us build out our operational infrastructure, theyre the ones that are helping us build the tools, the apps, that are required to get after the mission. And so im in the same place everyone else is. Anything i can automate, anything that i can use to take routine tasks that, frankly, i dont need a human being to touch, thats incredibly beneficial for me. As a matter of fact, today we sat down and had the semiannual training brief for our Cyber Operations brigade, the 780th Cyber Operations brigade. One of the people we recognized was a warrant officer, cw2 so relatively Junior Warrant Officer who had developed a script, so a simple script that the brigade estimates will save about 12,000 manhours this year. And what that allows me to do is free up that manpower that would otherwise be conducting that activity and apply them against higher order tasks. So thats one individual and thats the difference that they can make. What i will tell you is any operation that we conduct, our tool developers, we found, our malware analysts, those are the ones that are absolutely critical to success in getting after it in the speed we want it. When we built the Mission Force initially, it was this idea that we would pool the developers in a very central location. If youre on a team conducting an operation, you would send the problem up, they would work it and send it down. In practice that just doesnt work. What happens is you spend a lot of time trying to describe the problem, trying to interpret the solution that a developer in that environment has provided for you. So what we found, at least in the army, is putting the developers as integral members of the team is essential because they see the problem, they understand the sense of urgency for a particular problem. They can develop a solution. You can test it in line. And what thats allowed us to do is tremendously expedite that development cycle. Now, that takes, we believe, a dedicated developer workforce. So the training that we provide, we actually have established a separate mos for that workforce and our developers are enlisted warrant officers, officers and civilians. So if you have the skills, thats a really special capability and for us its an absolute key to success. Now, does that mean we dont partner with commercial vendors . Absolutely not. We have great relationships. Many of the tools that our commercial partners provide are very, very useful for us. But in some cases that flash bang in just as tight as we need it to be. So having that core group of our own developers who are very highly skilled, again, integrated on the team, and what ill tell you in a couple of operations that weve conducted over the last 45 days, weve watched a developer come into a problem, break it down very, very rapidly, develop a script, fix a tool, modify a tool to meet that exact situation. And within minutes to hours, not days or weeks, were able to create that solution. Now, one of the things that we always have to judge is the risk. If youre developing a tool that you dont take a very rigorous ela process, what risk to i accept for both the operation and for the force that were employing. And so we have to be involved really alongside of the developers. You know, the team leaders, the commanders of the mission will come back to me and tell me we have a tool, we have a capability that weve been able to test. We want approval on it because weve got to get this thing, you know, on target immediately. And then based on frankly our confidence and the level, the maturity of the technology or the capability, if its a simple modification its pretty easy. Its a completely new technique, then sometimes we may not employ it right then. The other thing that has allowed us, though, to reduce some of that risk is a Development Network that weve built where i can mock up targets that im operating against. I have a very high level of confidence on a very realistic rendition of an actual target that were going to operate against. I can throw that tool or that exploit. I can determine what the utility of that capability is and then generally go to the general with very high confidence that the capability will work. Its within an acceptable level of risk for employment and then we can get on with the operation. Excellent examples. Thank you. In closing, id like to thank all of you for your attention and id like to panic athank alr panelists for your insights and more importantly in defending this great nation of ours. Thank you. [ applause ] thank you very much. Id like to introduce our next panel. Tom, did you have a okay. Id like to introduce our next panel about enhancing cloud security. Also, if youll note theres some index cards on your seats and also the ushers all have them. If youd like to pose a question to the panel, you can write that on the card, just hold it up. The usher will take it, bring it up here and theyll do their best to address your question. So again, no cards on your seat or just find one of the ushers and theyll have them. The moderator of this panel is mr. Rob potter. Hes the chief revenue officer at veroden. The other speakers are miss ashley mahan, acting director from ghs of the fed ramp and secure cloud portfolio. Steve grobman, senior Vice President and worldwide chief technology officer, mcafee. And scott fleming, head of professional services, Public Sector and security from google cloud. Thank you very much. Rob, its all yours. Yeah, thank you. Thank you so much. So first off, thank you all for being here and thanks to the Wonderful Team up here. Im glad we were able to fill out all the seats down there. So today we want to just talk about some aspects of cloud. Weve got some great experts up here to talk about that. I thought maybe a good way to kick this off was to really think about the differences and the comparisons between kind of traditional computing and Cloud Computing. I thought a good way to open it up is to get some viewpoints on what youre seeing out there as what organizations are doing, the new risks that are being applied, some of the compliances around that, and just some thoughts. Ashley, ill start off with you. Really Cloud Computing really presents that change in the way that i. T. Services are now being delivered. In my role at fed ramp, were seeing cloud and were seeing the government really look to cloud to innovate and to modernize their traditionally legacy i. T. Capabilities. So cloud presents that paradigm shift in the way an organization and one would leverage these technologies but a mind shift in the way we have to think about security. Absolutely. So theres a big shared security responsibility model with cloud. And its something that each organization really needs to have a customer approach, whether theyre going to be using a ias, a pas, a sas. Theres different responsibilities that a customer or end organization has to understand and be deliberate va vigilant in providing those but this is their craft, this is their trade but theres a lot of good security that is available to them and thats being done on their behalf. So its really kind of that partnership, which is very different than that traditional onprem model. And partnership with the vendors. Steve, what are your thoughts from mcafees perspective . What are you seeing out there . Absolutely. So cloud has really given us the opportunity to redefine how we build a Security Architecture given the fact that weve been able to create the Cloud Computing technology in the 2000s versus taking all that technical debt of the 90s forward has let us create new paradigms that give us inherently better security. But we also need to recognize that the scale that cloud operates means that when there are issues, the impact of those issues can be much bigger. Its almost like if you think about the comparison of automobiles and airplanes, clearly airplanes are incredibly safe, triple redundancy, lots of safety systems. So in aggregate its a more safe way to travel. But when there are issues, catastrophic things occur. I think thinking about cloud in very much the same way that although we can secure our environments using a lot of new capabilities, we do have multiple tenants worth of data. We are using things such as elastic computing which can make troubleshooting more difficult. If you think about the underlying technologies that cloud is hosting, its really a pr superset of what weve done in traditional computing. While you can still run traditional workloads in a lift and shift sort of mindset with public cloud or other clouds, you have all the cloud native technologies that we need to think through and make sure that were securing very much in the same way that weve thought about traditional capabilities. Thats great. Scott, what are you seeing out there from a Google Perspective . Yeah. I think one of the big things is a lot of the fundamentals at a high level havent really changed, right . Confidentiality, integrity, availability, its all the same but really the details of how you implement that and how you meet those controls is really where it started to shift. So understanding the detailed technical level of that. Also understanding some of the different tradeoffs that you have that cloud provides. For instance, historically maybe you would have deployed a hardware security module in your data Center Versus now you can leverage the cloudprovided Key Management systems. Historically you may have dealt with Virtual Machines on prem where you had a patch management structure, versus now you can think about moving to a managed service and shift some of that responsibility for patch management to the provider and now spend some of the time that you get back, right, to focus on other portions of maybe the data life cycle, other components relative to the broader security. So really the fundamentals havent changed, but understanding the details of how you really implement them is really, i think, the change that cloud has provided. Thats awesome. Simon, before i get some input from you, first i want to welcome you to the stage. We missed you a little bit on the intro there. I believe managing director at nominet here visiting us from the uk. I am indeed. So youre giving us the global perspective of whats going on in the cloud. Yes. Im actually giving you the global perspective. We recently commissioned a Research Paper specifically looking at cybersecurity in the cloud. There is definitely a huge wave of organizations and different segments and verticals in organizations that are actually moving to the cloud. And we took a Research Poll of about 300 companies through various verticals including some Government Agencies. Out of that we found that 88 to 90 of Global Enterprises are moving to the cloud at a rate that drops down significantly when youre talking about Critical National infrastructure or more highly regulated organizations, down to about 64 . And then about some 50 for Government Agencies. Obviously we work very closely with the uk government. We provide some of their services around their protected dns security, keeping the uk name space safe and available. And weve been working very closely with them to try and understand what that dynamic is and why governments and not just governments here in the u. S. Or in the uk but why the adoption is so slow. I think some of it comes down to theres data privacy issues certainly when youre talking to enterprises. Theyre very keen to understand when theyre pushing their infrastructure as a service, their platform as a service or business process as a service, where is that data being kept . Is it being kept locally . I think for Government Agencies, especially when you have embassies and you have youre out in theater, et cetera, you want to make sure that that data is secure and you have some control around it. I think thats one of the big challenges we see out there. Yeah, i think that its interesting you bring up the concept of the government participation. I mean the cloud has definitely lowered the barrier of entry for Many Organizations to participate, even in the startup world as much as the major enterprise world of the and i think thats where the importance of having some kind of conformity or compliance there is important. Are you seeing organizations embrace that concept with fed ramp or whats been your experience with that so far . Yes, certainly. So just within the last year alone weve had over 40 new Cloud Service providers achieve a fed ramp authorization for their products so were continuing to see an uptick. But from a government standpoint, we want to make sure when were using these Cloud Technologies that theyre secure. For any of the folks in the room that are aware of fed ramp and the program, there are quite a few security requirements that we have in place for our vendors to meet. And so thats one of the things is that theres a little bit of a cultural move. As agencies are getting out of the habit of kind of having it in with their own data centers, these onprem environments and maintaining those, getting them into the mind frame of moving things to the cloud, not having the control like simon mentioned, you know, theres definitely a lot of things there that theyre looking at. Theyre looking at contracts, theyre looking at slas, theyre looking at the monitoring they need to do. Its a different role and it tends to be a little bit of a slower movement. But what i advise a lot of agencies is make the move deliberate, well thought out crafted plan to move to the cloud. Its not going to be something that can be done overnight. You really need to make sure your organization is mature and enabling to start using the cloud. It seems like also there is definitely a shared responsibility. You talk about the role of government, but i think also as you guys have indicated, both steve and scott, theres a responsibility coming on from the Vendor Community as well. Can you talk a little bit about how youre seeing that partnership and that shared responsibility . Absolutely. If you think about what cloud really is as its core, its about delegation. So for the core public cloud infrastructures, were delegating to a set of providers to run the physical environment, network power, all of those things, built on top of that were now having sas capabilities that is being delivered by a multitude by cloud vend yors but recognizing that even when youre using all of these services that others are providing, its still ultimately the responsibility of the customer, of the agency to look at things like data loss prevention. Is your data going where you expect it to go, recognizing that youll have Security Policies that need to span different types of cloud environments and different functions within the cloud. If we look at some of the cloud breaches that have happened recently, theyre generally not one type of exploit that has ended up in a breach, its been a cascade or sequence of events, very similar to what weve seen in other cyber intrusions. So theft of credentials, misuse of those credentials, using those to get access to a system and then exfill traiting data and even though youre providing on a cloud provider or application provider, its still ultimately putting all of those pieces together for the organization to have a Strong Security framework and foundation. Yeah. And, scott, as youre seeing the expansion globally of different cloud infrastructures in that race to scale obviously is a challenge for many companies. What are you seeing as the new vulnerabilities as to how these infrastructures are being attacked or compromised inside of those infrastructures. Thats a great question. When weve looked over the last several years its been consistent. Credential theft, hijacking, phishing, right, and misconfiguration. Including patch management and misconfiguration. So theres a couple of consistencies there. One thats generally whether youre talking about ias, sas, pas, generally a customer responsibility component, partially assumed in some cases to have been the provider doing it or doing more. And so with that its really the expansion of how do we take these known kind of fundamentals, right, your account security, identity and access management, configuration control, and how do we apply those kind of fundamental principles now to cloud, right . How can we apply good account security, good phishing protection, phishingresistant multi factor awe authentication which has been around for some time but is not widely deployed. So how can we apply those fundamentals and get to that baseline is still an important part of cloud deployment as well as onpremise deployment. One thing id add to that is one of the things that cloud has brought us is a multitude of finegrain technologies so were able to do things at a much more granular level, which in many ways is tremendously empowering, but it also makes the Access Control and the control model much more complex. So an i. T. Organization that is used to typically thinking about network controls or file share controls, the types of controls youd have in a classic organization that all of a sudden now needs to understand serverless functions, manage services, manage databases, a whole multitude of services that also innovate at a much different rate and pace than weve seen in traditional computing is something that we just inherently need to be prepared for. Yeah. I think one of the key things commonly that i hear out there in the market today is that complexity is constantly challenging organizations to understand how do they actually measure the effectiveness of those controls both in that hybrid environment, on prem and in the cloud, which i think simon really rolls into how do you make sure youve got assurances in place that are protecting the identities and some of the things that you had addressed and talked about. How are you seeing that be a challenge in terms of where youre seeing the attacks and where youre seeing the compromise of those identities internationally . Yeah. So i dont think it changes internationally from domestically. Yeah, i dont either. Moving on, the threats are the threats. Yep. The approach that most companies and organizations take, you still need to have a layered approach. Youre just adding some more complexity to your environment potentially. When you think about half of the organizations that are going up into the cloud probably have multiple cloud providers. Some have single cloud and some have a hybrid model. But the principles are the same. And i think putting mechanisms in place mitigates some of that and are key to multi factual authentication but its also about education. Education of your staff around this isnt an internal thing necessarily, you know. Youre putting all of these applications up into the cloud. It stimulates a different type of behavior, because they are im sure well talk about shadow i. T. In a minute, but the flexibility and the ability for the staff to start to use maybe nonpolicydriven applications that are based up in the cloud is much broader now. And actually you want to encourage that but there needs to be some policy around it to ensure that theyre educated in both the ramifications or the risks involved in using some of those nonpolicydriven cloudbased applications. Okay, great. Were going to augment a little bit here because the audience doesnt like my questions because theyre loading me up with a ton of questions. The first one i think is a little directed towards you. People are asking where do we see fed ramp expanding to, and then i think it expands to the rest of the panel in that a lot of companies and governments outside of the u. S. Are starting to look at this. How much of this are you seeing embraced outside of the u. S. And maybe some perspective from some of the Global Companies here as well. Sure. Let me address that in two a threatbased approach to continuous monitoring. Right now were working with various Government Agencies and obtaining that Threat Intelligence information, what is posed to our federal i. T. And were mapping that to the security requirements that our Cloud Service providers need. Well help empower agencies to have a risk based approach to this authorization where they say, okay. Maybe these 50 security requirements, if these are implemented on day one, youre going to address about 80 of the threats out there. And then in time start to incorporate the other ones into the boundary. But it gives the agency the ability to start using the product faster. As well as with those benefits. And not only that, were going to take that information an also apply it to continuous monitoring. So right now our Cloud Service providers, they go through annual rechecks, audits of all the requirements. Many of them. And what were going to look is make that much more smarter. This real world threat information will also dictate what we need to audit on an annual periodic basis as well. Just in terms of the second part of that question then ill turn it over to my industry colleagues here is that weve gotten a lot of feedback from state locals, tribal governments along with other sectors in the United States that are outside of government that have recognized the rigor and security our Cloud Service providers afford for. And we are in conversation, right . To talk and to provide that understanding. But we have seen and ive heard time and time again from my industry colleagues that they do mention that. Its great were moving in this direction. If you think about our traditional environment, its very much were protecting them but also comprehending we might have to detect through thes and then have plans to get back very quickly. In cloud, it feels like in the early days weve overrotate d o the controls. And to expand more on detection, monitoring. Ensuring if there is a threat within this environment, that were prepared to detect it and work through how do we actually recover. So not making the assumption that because we have this wellset controls framework that we wont have any issues and then just have to deal with them as they come. I think its great that well be moving in that direction. Yeah. Im going to jump to another question here as we move down to simon and scott. And im going to blend two questions here together. So theres a lot of questions. About three of them talking specifically about how is cloud addressing, you know, protecting the supply chain as it moves out to the cloud. And then more importantly how are you also seeing iot organizations move out of that cloud. What are some of the aspects you see there related to security . Definitely. I think on the supply chain, one of the things you see is really especially with the hyperscalers, right . I mean, being able to manage that supply chain is critical. But also then being able to have additional come poeponents to i. And at a hardware level even that werent able to manage that supply chain is something that weve done. Weve built out relative to that. Certainly very important there. Also just to touch back a little bit on the broader demand. I think that goes across the board, right . From a fed ramp prpt i have, its not just for having fed ramp or a certain compliance standard. But what does that bring relative to supply chain . Having those checked. Understanding theres an overlay there. I think theres a critical part to that. I dont know if you want to expand on that. Yeah. I think supply chain is a massive challenge. Especially with some of the Large Organizations probably in this room. And when you talk about third party, fourth party, youre getting into thousands of supplies. And its almost impossible to manage that volume and make sure that theres little risk or reduced risk or understandable risk in the uk. We brought in some cyber essentials which is basically designed for smaller organizations that wanted to deal with the ministry of defense to give them an opportunity to still bid for a larger contract. It had some success, but its very much selfcertification. Its sort of a trust basis. Because thats really the only way we can do it today. Unless you use some technology on their environment. Youre starting to really sort of understand, you know, their own internal security posture. So its a huge challenge. Theres not an easy solution for that. You made a reference before to shadow i. T. Ill go right back to you on that one. But theres a lot of seems like theres a lot of people interested in the whole leveraging the cloud for shadow i. T. How do you recommend people looking at that and making that move . Is it a stepbystep practice . Are there other better practices that youve seen . Best practices, probably the worse person to ask for that. Probably about 40 of i. T. Spend doesnt even go through the i. T. Group. It gets spent on things they dont even have visibility of. Which i think is a huge challenge. Its about identifying certainly the cloud applications that you can see. Understanding the risk and the efficiencies of those whether they should be blocked or not. But then the second challenge is once you block them, you tend to find that employees will find another technology that theyll spin up which is probably less mature. And actually probably more risky for the organization. So its really difficult to manage. Certainly on a large scale. Different departments and actually how they embrace shadow i. T. Yeah. I think shadow i. T. Is really evolved in a way we think about it when cloud first came out, shadow i. T. Was very much of a binary either groups were doing things sanctioned or unsanctioned. And having visibility to that was critical. The maturity has gotten to where organizations understand that there are some functions that having some level of autonomy is a good thing. If you have an Engineering Organization and it wants to take advantage of the rapid cadence of new cloud capabilities, having that team being able to use them is a good thing as long as theyre operating with accounts that can be managed, if theres things such as individuals that are leaving the organization, all of the controls around those sorts of processes are comprehended. And if we recognize theres a wide range of functions, everything from i. T. Defining very precisely exactly how a Cloud Service will be used, all the way to a monitored and managed semiautonomous environment for a highly technical team. I think we do need to be more embraceful of that but ensure we can at least monitor it. I think to that point, you know, its important to recognize that a lot of times shadow i. T. Is not because people are trying to do something malicious. Thats where cloud can be an enabler, right . When you have con figuation as code. Even to the level of compliances code. Right . Where you can deploy these environments in a rapid manner, right . You can really make the right choice per se also the easy choice for those users. Right . And thats where cloud can be an enabler. Some of the research weve done as a program is we created basically a whole new baseline catered towards the use case that we saw in government for using shadow i. T. It was low risk situations where the data going into these environments was relatively low risk to the agency. And we wanted to make sure we had a manageable framework for that type of use. A lot of these products we found were easily available in terms of maybe 19. 95 a month or year to go through this. And so we created fed ramp tailor in the spirit of addressing a lot of the shadow i. T. We have seen out there. Thats great. I find it interesting, all of you kind of mentioned through the talk the concept of data. I think ive seen at least three of these questions talk about, you know, just the challenges in the cloud of really establishing a multitenhenet environment. Theres been huge breaches over the last several months where really it had to do with the controls that were in place not creating that multitendency and protecting the bleeding of that data. How do you see that changing and becoming more of a focus both from a regulatory perspective but also from a Development Perspective and implementation perspective . I think it becomes the responsibility at every level of the stack to really understand how the data is controlled. If youre a vendor building a multitenet architecture, understanding what is providing that separation of data. Similarly if youre an organization using Cloud Services, understanding where your data is going is critical. Ann just talked a little bit about shadow i. T. And theres a lot of these low risk capabilities. Theres also a lot of very high ri risk. One thing weve seen is people using services that convert documents to pdf. One of the most common and the fact its run by some chinese company, you know, with no name. That would be a good example of you definitely want to block those and then make sure that data that is low risk data can freely go to places that youre okay with. I think one of the other things from kind of a cloud provider perspective that we can help with is understanding the implications of the controls that you put in place. Right . Or of the settings youre changing, of the actions youre taking, right . Helping customers understand if i do this with this data here, i set this firewall rule or control, what are the downstream implications . Right . One of the nice things that cloud does provide is that hierarchical control set. So its more of a rule set, an evaluation of if you do this, here are the ten downstream implications you may not have thought of. Thats something where we can bring that information to the forefront. So you understand the implications to them. I would imagine youre seeing the same challenges internationally especially with things like gdpr. That is becoming an important factor in the protections. Absolutely. We have just been through that exact process to make sure because of the nature of government business is absolutely critical to make sure that we can prove that that data is segmented and is safe. But it needs to be taken into the context at the start of process. Not at the end of a process. So what were seeing, a lot of the rfps and itts that are coming out, thats something that theyre stipulating and you want to understand to make sure that there is that safe segregation of data. Even within their own organizations. Well, i want to thank all of you for participating today and thank you to the audience for the great questions. And we look forward to interacting with you through the rest of the day. Thanks a lot. [ applause ] well, thank you very much for a great panel. Now it is my great privilege to introduce to you the last concluding session for our first half day here. So our fireside chat will conclude with ann nu burger who was named the new cybersecurity and he launched a new cybersecurity directorate which he will lead. On october 1st the new director will become operational. So this is a very timely fireside chat that will be delivered and run. Known to you as an investor and executive. Of those of you who are on the sides could come in, we look forward to a great fireside chat and we will now begin. So ill turn it over. Thank you so much. Ann, this is a thrill to be having this conversation with you. I want to talk about you for a second. Youve been at the agency for awhile now and held some interesting rolls from being in the operational directorate, being the first tech officer, working in the center all of which sets you up to be the Perfect Choice to run the cybersecurity directorate. Whats even more interesting and unusual is that you didnt start your career at the nsa. As an agency thats known for having a lot of people there, you came in as an outsider from the Financial Services sector. Id love to understand first what led you to make that decision and maybe what were the Lessons Learned from the private sector that you brought to the to your work at the agency . Great. Thank you so much, niloo. Its great to be here and have this conversation with you. I was raised in new york and my father came to america as a refugee after the hondurian revolution. We were raised to be grateful to have the opportunity to be americans. My father would talk about the freedom of possibility. To pursue whatever one wished in a country that didnt have historic sense of class or where one belonged. As a new yorker, i lived through 9 11. I had this sense driving home one day that the u. S. Government was struggling with our war in iraq. There were civilians dying. And i heard my fathers voice saying sometimes for freedom its to time give of one selfs time. I quickly called and came in as a white house fellow. I worked for secretary gates for a year and then later after a stint in the navy moved over to nsa. So you asked a question about how those private sector experienc experiences shape the way youre seeking to approach cybersecurity. There are a few different ways. First, i started my career as a computer programmer. Built some of the companys first efforts to allow people to buy stock shares online. And i recall the pressure to get code out versus get secure code out. And thats certainly something. The how we drive toward more secure code, thats something as an industry. We need to address it today. We were something called a back office. It sounds really boring, uninteresting. But that back office is what drives hundreds of millions, billions of transactions every single day. And theres a cross sector of vulnerabilities that no one company can address alone. So seeing that, understanding the weakest link could bring Systemic Risk to the entire Financial Sector was something i lived working in a back office. Certainly the Financial Sector made a lot of progress in the last several years. But that brings something in the way we approach risk. I think then finally as i mentioned i was a computer prafter. The s. E. C. Had a rule that companies had to retain stock certificates for seven years. And we had floors and floors of stock certificates to retain. And at the time we wanted to scan those and make them available quickly. Any time something called into a call center with the question. We made the case that retention could mean retaining a virtual copy. The challenge was scanning and ocring would throw off the machines with embossing. We had to do interesting things. Coding with ancient chaining serial printers to generate bar codes. Bottom line, policy has to keep up with advances in technology for us to make the most of technology. Thats certainly something that we see in the cybersecurity industry today and we certainly see in the Intelligence Community as well. Thats a fantastic segue to talking about the cybersecurity directorate. Because theres no question that we really have the to reimagine cybersecurity. Its phenomenal to see the agency taking a lead by setting up this directorate. What led to this . It happened within the first year of general nakasoni becoming the director of the nsa and the command. Is this simply reorganization or is there a strategy behind it . So after a year, the director of nsa talked about a sense that the National Security landscape of the country had changed. Where our adversaries could achieve impact by tactical actions. To shake confidence in a democracy, stealing intellectual property to gain potential military parity with the United States as the most advanced in the world. And you had a sense that as those in the cybersecurity world changed, that nsa really had to up its game. Thats what drove this desire to set up a directorate and aggressive mission which is to prevent and eradicate cyberactors. I just want to pause on that for a second. That is an incredible articulation of the cybersecurity directorate. Its i think appropriately aggressive. Can we get there . We must. The nation needs it of us. We see the threats that we face. We see the sfix kags and the scope and scale. And we believe and clearly when we say we, thats nsa and all of our partners. And certainly the private sector plays a role. But the threat demands it and the nation deserves that we achieve it. So as you work to achieve that Mission Statement, the initial standup date is october 1st. As someone who comes from the private sector, anyone who says the government doesnt work fast enough, i hope people appreciate how incredibly fast a directorate is being created within the Intelligence Community. Its months from announcement to initial operating capabilitieca. So october 1st is the stand up day. What are the priorities of the new directorate . First ill take a moment to thank my team for the rapid stand up. Are you getting sleep . So what are our priorities . Three things. I would characterize them as unify, focus on the heart of cybersecurity problems, and enhanced collaboration. What do i mean by unify . We want to deepen the collaboration between our threat analysis community, Vulnerability Assessment community, and our mitigation community. And importantly the people in the communities. So the people who really understand threat, various adversaries, the techniques they use, the infrastructure they use. And combine that with people who do defense, who understand vulnerabilities, the scale. In a given stake what are the most vulnerable. Deepen that and focus them on cybersecurity outcomes. Ill give an example. Nsa generates hundreds of threat and intelligence reports on cybersecurity. In those we detailed adversaria capabilities, threats. We want to generate one product ideally classified and quickly toic ma it really usable. Then as i noted the final priority is enhancing collaboration, deepening it in the unclassified space to bring together all the elements that are needed to quickly identify a threat. One of the unique attributes is that it both has a signal to the intelligence mission. That can be a virtue if one informs the other. It sounds like the goal is to get to a place where offense is informing defense. Is that right . It is. Theres also a shift. Weve heard a lot of feedback that some of the information we would share, for example, ip address domain names are temporary. And by the time theyre shared, theyre no longer useful. So its a shift to say yes. And when we share threat information. At the unclassified level, it needs to be more context. What are the overall goals of the actor . How do they pull together those goals using particular infrastructure to launch against a specific set of targets . We want to change from those more tactical elements being shared to some to pictures that help cybersecurity individuals. So what are the biggest threats were facing in cyberspace and are we set up to face them, prevent, and eradicate them . First clearly ransomware is the focus. But in the Intelligence Community, weve put a tremendous focus on countries. What their plans are and how they use cyber to achieve their strategic objectives. Each one does things a bit different. Because the objectives are different. And below the level of armed conflict, they also use entities who arent necessarily tied to the government. Whether the Internet Research agency for potential elections influence or mercenaries to fight military conflicts in ukraine or syria, for example. Certainly a sophisticated actor. And always thinking creatively about how cyber helps. Suppose they are best characterized with three examples of the kinds of operations. Of how they use cyber to achieve their National Security objectives and military. Three examples. The opm attack, the cloud hopper set of activities and ip theft. So opm essentially stealing information about every american who holds a clearance. Once can think pretty easily how that can be useful seeking to identify potential spies. Certainly a set of activities targeting manage security advisers. Of course thats of interest because by accessing one, one can gain credentials and move across those trusted connections between different targets. And then finally ip theft. China has done ip theft, a recent fbi indictment is a great example where they had a businessman essentially directing military hackers towards specific air quality that would be useful to china to gain to accelerate their military development. Ill quickly sum up two other major actors. Clearly iran. Very volatile. And north korea who always fascinates us as a nation of state criminals. A country under sanctions using creative ways of cyber whether its cryptocurrency, cryptomining to gain hard currency and keep the regime afloat. So as we gain information about the various adversaries out there, do we have the mechanism in place to communicate this information to the folks who own the classified networks, who control the Defense Industrial base, the National Security systems, and ultimately Critical Infrastructure . Its interesting. I think the mechanism is off the easy part. Yes, they exist. I bet that any number of the people in this room have been involved in an effort to create a mechanism over the last number of years. Whats more challenging is creating the urgency, the operationalization of intelligence to rapidly share while something is relevant. Ideally we are sharing the threat information to prevent an attack, to prevent exploitation rather than being part of a team that helps with incident response. So bottom line, its recognizing the power we have to prevent an attack through rapid sharing. And at the unclassified level so it can be easily used to defend a network. So a great example of this might be the Russia Small Group. That was a special task force that was created to protect the 2018 midterm elections. And you led that task force. What were the legislatissons le and how do you broaden them . First i coled that with Major General tim hawk of u. S. Cybercommand. It was a good example of bringing both organizations together. Each bringing their capability for a better effect. And it was stood up out of a realization that something had dramatically changed and we have to reboot our approach as a u. S. Government. Influence operations have been around since the days of adam and eve, but what changed was the age of social media. A country could do broad messaging. Very specific to particular ethnic groups to particular geographic elements in a pretty cheap way. And second, cryptocurrency which essentially allow also doing it anonymously. Looking as if one is an american. If youre aiming to influence americans. So we realize that that took a more creative approach to address, protect our democracy. So in the Russia Small Group as we noted we work to ensure, to work with dhs and fbi. From a cyberperspective had all the threat information we had in a way that could be quickly actionable. Fbi from an influence perspective had information about how social media was being used. How individuals were seeking to be anonymous or appear to be americans. So that could be rapidly shared with social media providers and hopefully those accounts shut down under their own terms of use. And at the end of the day, we recognize its an alliance of democracy. So we often work to share with other countries and ask them when they have their own elections, they should share what they learned with us so we were defending our populations and democratic processes to the best we could. How successful were we with Russia Small Group and protecting the elections . Were tremendously proud of the work we did to defend the integrity of our elections and ensure every american know that their vote counted and their vote mattered. So how do we take this forward to 2020 and what are the biggest threats we should be concerned about with respect to the 2020 election . Were taking the same approach. Gain those insights, share that intelligence, and be prepared to impose costs on an adversary. Im sure you saw chris krebs state it as one of his key priorities as well. So you mentioned ransomware earlier. How concerned should we be about that . According to malware bites, i think theyve talked about how theyve seen a shift from targeting individuals to targeting entities this best protection is the same advice we give. Teach them. Many Ransomware Attacks start with clicking on the wrong thing. They have a larger role in this process. When we talk about election security, what were really talking about is protecting the root of trust which our democracy is based on. Its foundational to us. It seems that a foundational principle for any cybersecurity directorate would be to help protect that root of trust. Does nsa play a role. So this is something im passionate about. I often see until the day, that trust in government is shaped by growing up as a child in a country where the average citizen does not have trust in government. At its root its a question of talking about democracys i d dilem dilemma. The ability for individuals to communicate to talk, to influence. In that people can be influenced and their opinions change with false information. So the best defense is each of us is americans. Understanding that there are malicious entities who seem to influence us online, who seek to be americans and influence online and really learn to question what we see online. You know, the role of anonymous accounts and how we communicate with those. But yes. We will do the same work we did in 2018 looking to see who are actors seeking to shake confidence in the integrity of our elections, the root of our trust, and share that with the fbi so they can work closely with social Media Companies and other providers to shut down that activity. We often talk about having a whole of government response. But youre talking about a whole of Society Response to whats going on. It goes beyond what the governments can do. Absolutely. So lets shift for a second to the Defense Industrial base. A place where nsa has very Clear Authority to protect. 20 or 30 years ago its pretty clear what constituted the Defense Industrial base. But as we move to off the shelf softwares, we move to cloud providers and operating systems that are commercially available. It seems to me that how we think about the Defense Industrial base has shifted. How should we think about it today . And how will nsa engage with this increasingly broad set of organizations to protect . It certainly has shifted. And we start with what our nation states goals with the industrial base. We see three things. First theres a great deal of risk. Because it allows countries who seek specific technologies to gain those technologies and put our, the United States investments at risk. Similarly from a military capability perspective, it allows Foreign Countries to jump start their advancements by leveraging the United States. And we see that as well across our economic sector. Were steal iing intellectual property to put our future economic strength at risk. So essentially we look at it in two parts. One, we cant expect every Defense Company to fully defend itself against a nation state actor who will put investment and effort, time and people to gain what it seeks. But neither can the government be completely responsible to do that work. So theres a balance between the two. Were looking for certainly creative approaches to share Threat Intelligence. But also ways to allow Smaller Companies to quickly jump their cyber capabilities. One of the things we used to 100 rely on the nsa for was really setting the building codes and standards for what good software, what secure software and hardware look like. Nsa seems to have retreated a little bit from that role with the stand up of this. Will they take that over and set the standards for good hardware and software . And is that a way to address this issue of security . You know, absolutely. We talked earlier about the Mission Statement of the director. The first word as you recall is prevent. At the end of the day, if we bake security in, we make our cybersecurity risk far less. Nsa has a mission thats not well known which is essentially our mission in support of National Security systems. We build the keys and codes. They are the root of trust for secure communications, secure command and control for the armed forces, various Government Agencies, and allies around the world. In that mission, we build standards and cryptography. In areas where we have unique expertise and operational experience, sharing that to achieve broader effect. Because its in all of our interests to have products built strong. And just to pull on that threat for a second, you know, as we look at next generation of technologies. 5g is one piece of it. But quantum. How involved will this directorate be really thinking ahead of the curve in terms of the Technology Trends that are happening and how we can make sure we dont fall behind . Absolutely. Quantum is a great example where the potential development of a computer puts a particular type of cryptography at risk. So we are already playing a role in working to build quantum resistant cryptography. I noted the mission we talked about will be to employ a million keys plus another set for Nuclear Command and control. Its an area and clearly of interest to National Security systems and the Defense Industrial base and on surfaces. So as we think about those issues, the question of partnerships comes to mind. And you had mentioned the importance of the partners for the new cybersecurity directive. Whether there are companies, service providers, what whatever they may be. And what role will nsa play . Partners are key that was across our partnership. Across within dod, the cio, the acquisition community. Across government working in partnership with dhs supporting their mission of supporting Critical Infrastructure. Our allies around the world. Nsa has long participanted in something called common criteria. That will accept that product and then sell to multiple countries. Then clearly the private sector 37 theres unique incite. Like control systems. The private sector is often the first indicator of a significant threat or a significant compromise. So clearly working closely with the private sector and the unclassified mission is the big focus we speak to achieve. So the theme of the Conference Today is a call to action. When it comes to protecting our country, the nation. Protecting our enterprises, protecting people, its clearly one of the reasons were all here. Its one of the driving forces behind the new cybersecurity directorate. If you would wave a manlic wand as we think about a call to action, what is one immediate thing that you would want to see done . Whats one midterm thing and as much as i dont like the term moon shoot to be a call to action that you would ask for . Im afraid moon shots probably hard because of the diversity. But i would say this. First cybersecurity is fundamentally a leadership question across the private and Public Sector. And reaching agreement to do the things that are difficult that need to be done, what do i mean . When we look at, for example, internet of things, we know that represents significant risk. Whether its for data collection, connection to control systems. Standards exist, but we havent chosen as a community to actually implement them. That would be certainly one thing. That leadership across the public and private sector. But ill go to more specific i cant resist the question here. First i would say from a media perspective. One thing then ill add a 1b, if i could. One thing, we see rampant abuse of internet infrastructure. Lt in that case implementing certain things which some have started that make that abusive infrastructure more difficult, demark, bgp, dns. Those elements that make that broad access to protected dns. Dns is a key way that adversaries use for command and control, for exploitation. And making broadly available they exist. And we in government could help by adding or contributing our threat information to make those Services Even more effective. I think from a certainly from a medium and then longer term, it would be identity. There is a hodgepodge of identity and Authorization Services available. But think about what we could do if we could interconnect them and they could communicate. When you go back to your questions about root of trust, had because anonymity is available online. Or false identities are available online. If we could achieve that, it would have broader impact. I want to sort of wrap the talk up with this. The enduring Security Framework is something you were deeply involved with. And its a really interesting model on how to operationalize Public Private partnership and outcomes. Can you spend just the minute talking about es sf and what it is what was achieved with the esf and how that can serve as a model. So Public Private partnership is just foundational to what needs to happen. That was a really good example of a Public Private partnership. There was Sensitive Information about a set of exploits. So foundational to the first part of the computer that boots up. And through the enduring Security Framework that had key companies, we shared this information and then worked together to build the Technology Standard for signed and updated bias. When the effort and then we link that to using the power of procurement across government. Once that standard was issued to where saying in 2012 they would only purchase clients and servers, pcs and servers that met that standard. And that drove the industry. The industry was ready because of the advance work they participated many and the key piece was to actually do that required since they were ready. So bottom line, from 2008 were 10 of pcs and servers had secure bios. That jumped to 2016 to where near 80 of routine servers and client now had bios, firmware that met that security standard. Technical experts working across private and Public Sectors. So the computers we all use were more secure as a result i look at that as a great example of bringing the best of the governments insights and Technical Expertise with private sectors Technical Expertise, willingness to partner quickly and roll out improvements to address a key threat. I wanted to bring this up because es sf are such a great example to drive a particular outcome successfully much like russias small group is another example of that in a different context. Thats how we need to operate. It wnt cant be about silos, private sector here, individuals here. It cant be about silos between Government Agencies. Everyones got to Work Together to drive to an outcome. Are we there . And how confident are you were going to get there in a broader sense and not just with specific set of activities . Ive seen tremendous progress. In government working together, everybody playing the unique role towards improved cybersecurity outcomes. The threats significant. And certainly have seen other advances. And a lot of work done between government and the private sector. Bottom line is the solution is private and Public Sectors working together, figuring out what right looks like. And i think we know as weve talked about together what that is. And then committing to doing that rapidly together to achieve a world where weve prevented and eradicated cyber actors from the systems we most rely on and care about. Fantastic. You actually finished on the dot as the count down went to zero. Thats just how precise ann always is. I want to thank you for coming out for the leadership of the nsa and recognizing how much the Threat Landscape has changed and the need to organize to address that threat. Really appreciate you being here and just a huge round of applause for everything you guys are doing. Thank you. Thank you so much. Im going to invite tom to come back on stage and give us closing remarks. Thank you. Lets please give them another round of applause, please. [ applause ] we couldnt end on a higher note. We thank you all for being with us today. We look forward to a great day tomorrow. And lets give a round of applause, please, to all those who have supported us as sponsored today and all who have come as speakers. If we could give them a round of applause, please. [ applause ] so we have a phenomenal day starting tomorrow bright and early. Starting this exhibit haul will open at 7 00 a. M. And the sessions themselves will begin at 8 00 a. M. And i just want to remind you that the first session that mark kerr will moderate will feature the cio for dhs, the cio for bozallen, the cia, a. So we will have a full day after that as well kicked off by final keynotes from the head of cybersecurity for dhs chris krebs. From the head of the ncsc. And from the head of the israel National Cyberdirectorate. So we have a great day tomorrow. Thank you, all, very much for coming. Have a safe drive back and we look forward to seeing you back here. Thanks so much. [ applause ] the student cam experience has been valuable to me. Student cam had a huge effect on our life. Its really helped us grow and learn as people. Going into our college years. For past winners of cspans student cam documentary competition, it sparked their interest in documentary production. I currently attend Drake University in des moines, iowa. The fun part of that is i get to be in the middle of the caucus season and ive got to meet so many different candidates. Because of cspan, ive had the experience and the equipment and knowledge to be able to actually film some of them. And this year were asking middle school and High School Students to create a Short Documentary video saying what issue do you most want president ial candidates to address during the campaign . Include cspan video and reflect differing points of view. Were rewarding 100,000 in total cash prizes including a 5,000 grand prize. Be passionate about what youre discussing to express your view no matter how large or small you think the audience will receive it to be. And know that in the greatest country and the history of the earth, your view does matter. For more information to help you get started, go to our website. Studentcam. Org. Cspans campaign 2020 coverage continues later today. Live at 7 00 p. M. Eastern, democratic president ial candidate senator Elizabeth Warren will give a speech in new york citys Washington Square park. And at 9 00 p. M. Eastern, President Trump speaks at a Campaign Rally in rio rancho, new mexico. Both live onlienl or on the radio app. Campaign 2020. Watch our live coverage of the president ial candidates on the campaign trail and make up your own mind. Espns campaign 2020. Your unfiltered view of politics. Our cspan campaign 2020 bus team is traveling across the country visiting key Battle Ground states in the 2020 president ial race asking voters what issues they want president ial candidates to address during the campaign. I think a really pressing issue id like to see candidates talk about is health care. Because theres a lack of health care in the country right now. I think Affordable Health care at the very least. And some people arent going as far as i would like to talk about how they plan to handle that. I hear a lot of general ideas, policy a lot. I like to see where that goes. I would really like for the candidates to discuss how were going to renormalize ourselves as a leader if not the leader in the what we used to call the free world. In the rest of the world as a leader in democracy. And a leader in Democratic Values around the world. Also a cooperating force with the rest of the world. I would like to know from each candidate their ideas on Nuclear Energy and the reinvestment of the technology in every state in the country. And i would like to know if they believe it is sustainable, reliable use and worth the investment to our nation. Im really concerned about the Climate Crisis and about gun safety legislation. Those are two essential things that have been to be addressed before the election. Also we need to try to get back to enforcing the constitution that our whoever becomes president should o base the emoluments clause. They should conduct business with integrity. Should not ridicule minorities or handicapped people or aged or anything else. We need to restore a sense of service to all the people zplp voices from the campaign trail. Part of cspans Battle Ground states tour. The Woodrow Wilson center held this discussion on the release of the 2019 Chicago Council survey which gives a detailed look at the views americans have regarding Foreign Policy and international relations. This is an hour