Good afternoon and welcome to the 10th annual Cyber Security Summit. My name is Tom Billington. It's an honor and privilege to convene this forum for a tenth year to address our high purpose and theme, a call to action for the cybersecurity community. As you look around, in the audience here and throughout the exhibit hall are some of the most innovative companies and organizations in the world, facing some of the toughest adversaries. We thank you for your dedication to the mission. My wonderful wife and I founded Cyber Security ten years ago. Besides this annual summit, we host the leadership council, a member service and aim for dialogue about cybersecurity in our nation's capital. That's filming the event today, this conference is on the record unless specified and unclassified. And we welcome those members of the media today. You can follow us on Twitter at billingtoncyber. As you'll see from the conference program in your conference materials, we have a packed day and a half ahead. It has been expanded by a half day this year. Q&A will be available for some, but not all sessions, either by live microphone or note card. Now I'd like to thank our sponsors and exhibitors who make the event possible today. They really do. Without them, we could not host this program. So I'd like to thank them, beginning with our lead underwriter. Our knowledge partner. Our diamond sponsor, Google Cloud. At platinum, and gold the. I also want to mention that we also have three country zones this year, which we're very excited about as well. So to my left, we have the UK cyber zone, which is in the fifth year. To my right, we have the Israel cyber innovation zone, which is in its first year this year, which we're excited about, and the Canada zone to my right, which is in its third year. We appreciate all the partners and continuing education partners. So please let's give them all a round of applause. One quick logistics note.
If you're an (ISC)² member, we have continued education for the first year. Please go to the registration desk and give them your member number. They will be able to send you a digital certificate. So now it's my great honor to introduce for the first year a master of ceremonies for our program. Known to most in this room, Captain Ed, recently retired after 34 years of service and most recently as the director.

Hello, everyone, good afternoon. Thank you very much for the very kind introduction and the opportunity. We have been friends a long time and I'm honored to serve as your master of ceremonies here today. You and Susan have built a great company that provides a much-needed venue to discuss the most pressing cyber challenge facing corporations and our government. I'm excited about the great lineup of speakers today and the agenda ahead of us. Enough for me, let's get our day started. It's my honor to introduce our welcoming keynote speaker, the federal chief information security officer at OMB. Thank you for opening the conference and the floor is now yours.

It's a shorter walk than the sound. So good afternoon. First of all, I want to thank everyone for being here today. Someone beforehand told me I'm the first speaker, so I need to bring a lot of energy and rile up the crowd. But I'm a policy guy, so I'm not sure that's in my mantra. You might want a more operational person, I think, later on this afternoon. I want to thank Tom for having me here today and the ability to talk to you a little bit about the roles and responsibilities of what we do within the Office of Management and Budget. And I think it's really well connected to the theme for this tenth annual Cyber Security Summit, the theme being a call to action to address tomorrow's top cyber challenges. This is republican at the core we do.
We're trying to help agencies address their top future cyber challenges as well as the cyber challenges, quite frankly, from yesterday that they haven't finalized yet. And we do that in a number of ways. If you look at the guiding document for our organization, it is the Federal Information Security Modernization Act of 2014. In that, it assigns a number of responsibilities to the OMB director around cybersecurity, and we carry those out on his behalf. If you look at it, there's six or seven items that boil down to really three main functions. First and foremost is developing and overseeing the implementation of government-wide cybersecurity policies. Number two, and I'm going to touch on each of these in a moment, number two is ensuring the agencies that are protecting federal information systems and data, with the potential risk of harm of a compromise. Think risk management, not all those other words I used. And third, ensuring that federal agencies are complying with government-wide cybersecurity standards, be those things from the National Institute of Standards and Technology, OMB guidance, laws, binding operational directives from the Department of Homeland Security, working with agencies and holding them accountable to deliver on those. And so I want to talk about a few things that we have done in the last year around each of those. Around overseeing the implementation of new cybersecurity policies, we have updated, we are about to update the Trusted Internet Connection policy. This is really about the three things I listed that we do to help agencies. That's really the what they need to do. We also need to provide them tools and capabilities from a broader government standpoint for their ability to actually deliver on those requirements. And so we're putting out a new policy around Trusted Internet Connection. That's been out for public comment. So you have seen versions of it.
This is really about how do we evolve our policies to adapt to technology changes and really the movement to cloud environment, which is absolutely critical as we look to modernize federal information technology. Secondly, last year, the very end of the Congress, the president signed into law the Federal Acquisition Supply Chain Security Act. And that created a mechanism inside the federal government by which we can have a Federal Acquisition Security Council and really look at the security of the equipment that we're bringing into the federal space. There's a lot of work ongoing with that. But this really is a tool for federal agencies to be able to have a bit of a vetting of the equipment that's coming into their enterprise, and be able to leverage both classified and unclassified information for making determinations they don't want to bring something into their environment. When we talk about protecting information commensurate with the risk of potential compromise or risk management, it really is all about risk management. We can't protect everything. We have to understand what is the most critical, and in order to best understand what's most critical, we updated our high value asset policy at the beginning of this year. And in addition to updating the high value policy, the Department of Homeland Security updated guidance on high value assets. So we really tried to partner with DHS to be able to provide a more tactical level of input and details for agencies to be married with or combined with the policy that we're putting out from an OMB standpoint. In addition to our HVA update and really understanding what's most important to protect it, when it comes down to protecting our systems and our information, it's really a people challenge. And so our ability to have, and your ability to have, a capable workforce is absolutely critical. This year the president signed America's Cybersecurity Workforce executive order.
Which has a number of tasks, things we're really looking forward to for the federal enterprise around some cyber competitions that you'll hear more about in the coming months, and rotational programs for how can we rotate more and move some of our cyber workforce from agencies to agencies to grow skills, the skills of those individuals, but also to enhance the abilities of other agencies and bring in some outside talent. And in addition to that, on the workforce, this year we launched our cybersecurity reskilling academy. We have had one cohort go through. We have a second one in. This is a pilot. So altogether they are 50 or 60 people. But this is about how can we take federal employees who are looking to move into another type of skill and move into a new career, how can we leverage their dedication to the government, their understanding of what it takes to get stuff done in the federal enterprise, and teach them and train them in cybersecurity. And they are not going to become, after a six or eight-week class, they are not going to become hands-on cyber experts, but have enough to what they apply and what they are working on and start to transition into a new career path. So really how do we leverage those individuals. And then on the third one, which is ensuring federal agencies comply with all the variety of standards that we have out there, we talk about compliance. It's used as a dirty word. I actually think compliance is necessary, but not sufficient. We have to have certain things out there that agencies need to comply with. We need to have some checklists. They need to be sure that agencies are taking advantage of the various tools and capabilities and resources that are available to them.
So as I mentioned, come in the form of laws, come in the form of OMB memos, binding operational directives, or as we move more into risk management, they will come in potentially in the form of removal and exclusion orders, when we talk about equipment that can't be in the enterprise. And then obviously, a big area are our special pubs and guidance that we have and they put out. So today an update was released for public comment to 800-160. What this is about is about cyber resiliency. We're never going to prevent attacks. We're never going to stop bad guys from getting into our systems. So how do we ensure that we have resiliency of mission within cyberspace. So right now, I'd like to ask Ron Ross from the National Institute of Standards and Technology to come out, and he's going to give you some of the highlights of this. And I'm going to be back for a panel here in a few minutes. So thank you.

Thank you very much. And thanks to Tom Billington for giving us this opportunity to announce a very important document. We finished this about a week ago. It's been in development for about 18 months. And it really addresses some of the very difficult and challenging problems that we're all having today with regard to cybersecurity. If you recall the past several decades, our strategy for protecting our critical systems and our critical assets has been really a one-dimensional strategy. It's relied on penetration resistance. Stopping the bad guys at the front door before they get in and do damage. We know after many decades of evidence of the cyber attacks and things we have experienced, even when we do everything right, sometimes those high-end adversaries find a way to get into the systems and compromise our critical assets. So this addresses something called cyber resiliency. How can we make our systems less brittle, to take that punch and still keep on operating, even if it's in a degraded or debilitating status.
So it's our first attempt to extend that one-dimensional cybersecurity protection to three dimensions. The second dimension is damage limitation. How do we limit the damage they can do once they breached our systems. We assume the adversaries are either in your system now or getting in there at some point. And then the third dimension is going to be how do we make the systems cyber resilient, where they can continue to operate and are survivable. This document has got a lot of very practical guidance in it for all of our customers out there who want to make not only systems that are going through the life cycle, but also the 95% of your systems that are legacy, the installed base. How do you apply some of the techniques and approaches for cyber resiliency to increase that level of protection for your critical assets and systems. This is really a national imperative now because we have seen over the last couple years the adversaries are very capable, they are targeting our critical resources, and in many cases, they are doing great damage. So for things like critical infrastructure, for critical federal systems, things from voting systems to weapons systems, to power plants, cyber resiliency is the wave of the future. In some sense, we're trying to make these finite computing machines operate more like the human body with an immune system, where you can get a cold or virus and then your immune system kicks in and doesn't take you down completely. So for the next 45 days this draft will be on the website. We encourage all of you to take a look at the guidance. We have some great use cases now to deal with microgrids, enterprise information technology systems, and there's a host of other things. There's some things on the cyber attack where we show how applying these principles of cyber resiliency to your systems could stop some of these high-end attacks by adversaries. So thank you to Tom Billington for letting us have the time this morning.
Thanks to Grant Schneider and the folks at OMB who have been very supportive. And one last shoutout to my team members who worked on this document nonstop for the last 18 months. And also to Glen from the office of the Vice President, to have been very supportive on helping move this guidance forward, because we have a lot of critical space and defense systems that can take advantage of this. So thank you very much and have a great conference, folks. Appreciate it.

Thank you very much for the remarks. One programming note. For those who have been to our events in the past, we had an exhibition hall with a lot of the vendors in a separate area. To be more inclusive and allow a greater flow of communication, we chose to do everything all in one venue. Because of that, if you keep the conversations on the side down to a minimum to allow the speakers and those in the audience here to hear them. So now, please, it's my honor to welcome the former deputy undersecretary for cybersecurity and communications at the Department of Homeland Security. She will be leading a fireside chat with the only two people who have held the position of federal systems, whom you just heard from and retired general Greg, the first U.S. In the president of the secretary federal.

Thank you. Gompb, and thank you all for being here and spending time with us on these important topics. I want to thank the Billington conference and our sponsors. I have 30 minutes to bring out, this is almost unfair, only 30 minutes with the first federal chief information security officer and our current federal chief information security officer doing great work. So Greg, I'll start with you. It was a pleasure to work with you then. What are some of the highest impact areas you generated? Some of the shifts you were working on?

I think as we take a look at cybersecurity in the federal government, it's really a learning continuum. We try to get better and build upon the lessons learned from the past.
And we certainly tried doing that when I was in office. Some of the more impactful things that we did, I think Grant is continuing with, is first, changing the narrative and looking at cybersecurity as a risk management issue. Previously, not only in the public sector, but also in the private sector, we saw a lot of emphasis solely on just compliance, and not necessarily taking a look at cybersecurity as a holistic risk management issue that involves people, process and technology. So that's the first thing that leaps off the page for me, is that was the narrative we were trying to move forward on. And I'm pleased to see that continuing. Secondly, we were trying to make sure that we were trying to implement best practices and sharing that. So information sharing is critically important. Ways we were doing that was through public-private partnerships and getting two-way communications between industry and the federal government. Still a lot of work that needs to be done on that, but I think we really had an impact watching those programs and trying to get those best practices in place. I believe that compliance doesn't always bring you best practices, but best practices will always bring you compliance. And the third thing I think that was impactful was taking a look and making sure that we were best aligning technology with the mission needs. And we launched the Continuous Diagnostics and Mitigation program during our tenure to try to raise the bar across the federal government. We had a lot of agencies that are large and well funded, but then we had some smaller agencies that weren't as well funded and weren't as large, but still had the same mission tasking to protect sensitive information. So having the Continuous Diagnostics and Mitigation program launched to help answer the questions of what's on my network, who is on my network and what's going on in my network across the federal government was a critical factor in success during our tenure.
And then further, making sure that that program was available to state and local governments as well as to the domain. It was something that I thought was a job well done by our team.

Thank you. If you look at the recent statistics, the work done by both of you shows that the Continuous Diagnostics and Mitigation program, but that program actually has improved the security of many of the federal agencies. So Grant, you're in the driver's seat. And in that important position, how do you go forward, because the adversaries have made a lot of progress, as you talked about partnering with OMB, how do you take it?

I really view it that we needed to get a bunch of baseline policies in place and establish the ground floor of expectations for federal agencies. And that includes both the larger ones as well as the smaller ones that Greg alluded to. And really where we're trying to focus on is how are we the maximum amount of assistance to agencies as they try to implement their programs. Every agency will be able to protect their information to the same degree. We expect the Department of Defense and the Department of Homeland Security and the Small Business Administration all to be able to do essentially the same job. They are not resourced similarly to do that. We are trying to, through partnerships of Homeland Security, yes, we have an oversight role and we do an amount of measurement and holding agencies accountable, but we want to be able to be there as a support structure. So a time where we come in and sit down with agencies, we work on particular problems and work on particular problems to also bring solutions to those. Whether those are solutions from another agency that's had a similar challenge or a solution or a technical team from DHS. So it's as well as the implementation and the leveraging of those to enhance cybersecurity.
With the cyber strategy, wrapping all this forward, it's important we have this started to take this again past our adversaries. So on that note, I want to talk about compliance that Greg mentioned. Compliance is the baseline. The adversary knows where we have to be. It reads the same literature and knows where we're going to invest. They go above and beyond. How do you both see what we need to do to get the investment or to use that risk ratio to get beyond compliance. It's a baseline. It's never enough.

I'll start and then, compliance is certainly not enough. We're not there, though. The vast majority I have been associated and every single one of them was through a known vulnerability that had a known technical fix. Every single one of them. So if everyone had gotten to compliance, at least the methodology would have been used. They would have had to be more sophisticated. So part of the getting to compliance and doing the basic stuff right and doing it every single day over and over again is to drive up that cost. Make them move further ahead. Make them be more creative and more expensive. And that will get us where we can challenge their abilities instead of coming through the doors we leave unlocked.

I'll add on that. When I was the director of the kick, the search would go out. And 95% of incidents that they were dealing with, I characterized as the root cause was careless, negligent or indifferent people. The technology was there, but it wasn't necessarily properly configured, it wasn't properly installed, et cetera. But upon reflection, I'm finding that I was wrong by just saying careless, negligent or indifferent. I would append to that. When you drill down to the root causes, we go out there and we chase the latest fad. We put out the technology that we don't properly leverage to its full extent because we don't necessarily invest as much capital into the people and process aspect of properly deploying and operating the technology that's out there.
So making sure we have a good balance is really going to be the key as some of the new and innovative technologies roll out. But it's leveraging well the technology that we already have. It's not just those that are here. But it's throughout the organization. We need to be able to have a collaboration about the technology and about the processes and about the people with the senior leadership of the organization. And a senior leader who is asking really good questions is going to help to focus the team, and they are the ones that can help with the overtasking. They can either add resources or reduce task in some way, shape or form. If you're using a phone, if you're using a computer, you are a cyber operator. Period. And you're a target. And you are a target.

We see the same thing in the private sector. The attention has to come from the board. The board has to assess the risk appetite and that has to direct the strategy. You accept a certain amount of risk as in any other practice. So on that, I would ask, you have talked a lot about technology. We have large systems in the government. And they often run on older systems. From our experience, you can't rip and replace because it's old and looks bad that you have some product from 2002. However, it does take a process. Because at some point, that's not going to work anymore. We have to start looking now. That's what you're doing, if you want to elaborate that.

We can't maintain. We can't maintain it both from an operational and a customer service standpoint, but we also can't support it from a security standpoint. And so we have a really big focus. This administration has come in with IT modernization. How do we enhance and modernize the IT that we have, and how do we do it in a way that we're not building the next decade's legacy system tomorrow. We have to do it smartly. The good news, I think, is technology is there now.
There are ways, and as we move towards more shared services, towards cloud services, as we make smart decisions to where we don't always have to have the government trying to update an infrastructure stack, I think we can get there. At the same time, and I talked about this earlier, our ability to update policies to facilitate the agencies to leverage those technologies is absolutely critical. We have to get ahead of the curve and stay ahead of the curve. Today we spend about 90 billion a year on information technology. And somewhere north of 70% of it is on sustainment. A lot of it is sustainment of legacy items. We have to be able to tap into those dollars to fund the modernization efforts going forward.

Any opinion?

I think it's moved for everybody. And if we continue to use legacy models of dealing with IT and recapitalization in the federal government, we're going to fall behind in some areas. I'm really heartened to hear the discussion on recapitalization of such. Frankly, having been in the private sector now the last couple years, there's some really radical ideas in the private sector, including putting recapitalization and depreciation on your balance sheet. I would like to see the government have a greater hand in leveraging some of those business practices that we see on the private sector. Because technology insertion and making sure that you plan for the obsolescence, not only of the technology, but also the obsolescence of the people and the processes that work in tandem with the technology. Making sure we have that as part of our construct is going to really help as we move forward.

I agree. I want to shift a little bit to the concept we have talked about, about the binding operational directive. It was started a few years ago in our time, but if you could comment on how impactful this is and how important those are. I always tell people this is not an easy, it's an authority that gives DHS a chance to say the agencies are going to do this.
So I tell people to think about the advice. It's what the government is doing and it came from a lot of thought. I'm wondering if they want to comment on that.

I'll start by saying thank you to the Homeland Security Committee staffers who listened to me talk about a commander issuing a tasking order. It was expected to be done. They brought into the legislation the creation of the binding operational directive. DHS would gather the information, do a quick coordination. When something had to be done across the federal government from a cyber perspective, it could be issued through DHS. It was a step in the right direction. I think we need to be a little faster and agile on that, because in the military, you can make a decision quick and it gets done. But with the current binding operational directive process, we have seen a lot of maturation since the act was put out in December of '15. But it's important to have unity of command and unity of effort. And having been in DHS, I was well trained to say if you see something, say something. That's been one of successes of the operational directive, to assess the risk, decide a course of action and get it out for action across the entire U.S. government.

I would add that I think the binding operational directives fill a really important void that we had before. We had laws and policies and NIST guidance. And every agency was sort of told to figure out what all that means and what to do about it and how to do it and apply it to their infrastructure. And all those things have to be lowest common denominator. They have to be the same for everyone and every enterprise. And they can be more tailored, more focused and more specific. Also I think really the value that's come out of the binding operational directives is the management attention that they get.
Because they go to the senior leaders of agencies, the compliance, are you done yet, is checked and followed up on and recurring depending on the nature of the binding operational directive. Recurring conversation. I think that as much as I would say some agencies go, another BOD I have to comply with. But once they start looking at it, they go, wow, that made my deputy secretary have conversations with me they probably never would have. It created that attention that they may have been screaming about from the basement for quite some time and really helps us push that forward. We're seeing the private sectors looking at them as well. And that subsidiary benefit is really paying off to better protect critical infrastructure across the country. It's also a good example of leveraging authorities of OMB to help right skill for the right job, to help the agency that has the information to put it together. To ask the other mandates for the agencies to do that and level the playing field. To the point when some have come out, many in the private sector said, does this mean anything for us. The answer has been those are thoughtfully written and necessary. They don't mandate anything, but it's very good information as those come out. As you sort of the ghost of past and present, what advice would you have for private sector or those running programs and the government. What advice do you have from this on how to work with you and help to change that model to a risk-driven model, if not already.

I would say probably two things. First of all, really a management approach. Talk about risk, talk about risk with your senior leadership. We want senior leaders asking questions about how are you looking at the risk of your organization, where are you applying your mitigations, what are your mitigations, where are you accepting risk, which is certainly an appropriate approach in some cases. But really take that risk management approach going forward.
And then I would also say for the second one, a focus on fundamentals. Many of you have perhaps a secret sauce or a secret product that's going to solve all our woes. I haven't found it yet. I think there's a lot of just doing our due diligence, patching our systems, using strong authentication, all the things we can do to have as resilient of an enterprise as possible. So I would say focus on those two things predominantly.

It goes back to some of the fundamentals. As a war college graduate, I'll remind everybody that Frederick the Great said he who defends everything defends nothing. We need to make sure we are protecting the crown jewels. So I think it's critically important to understand the value of your information. And don't necessarily spend a gazillion dollars protecting information that's not worth that squeeze. So making sure you're implementing proportionate defense with a firm understanding as to the value of your information. Both classification and sensitivity of the information is critically important.

So what keeps you up at night? I'll let you start. Are there other realms?

I think the thing that bothers me the most is still the risk exposure that we have with our critical infrastructure and our industrial control systems that are out there. The advent of internet continues to expand the risk exposure. And the price of entry for somebody to engage in malicious mischief and criminal activity is the produce for them is pretty low. I see the threat landscape continuing to expand and risk exposure continues to be high.

I think I would say China. I could say nation state actors, but as far as an adversary that has displayed their intent, has clear means to get into an attack, our critical infrastructure systems, our government systems, you name it, both from an intellectual property theft point of view and as well as espionage point of view. To me, that as a nation, this isn't a government problem. It's not a federal problem.
It's how do we protect, we have become so dependent on our IT. Many of you are dependent on it now as we're speaking. And yet it also has the potential for just catastrophic impacts when it's compromised, so our ability to protect against sort of your rogue criminal or kid in the garage that used to be a threat probably isn't anymore, but the nation state actor tort and the one particular nation state with the capacity and capability and intent is really the one that concerns me the most.

In the job of federal, how are you helping all of us to fix that?

So I would say what we're trying to do is we want the federal government to be an example. We should be setting the example for how organizations should look at cybersecurity. So to your point, private entities, look at the requirements that we put upon federal agencies, they are for a reason. They are all there for a reason, and maybe too many of them to get to, but the ability to understand the risk of your environment. So we're trying to put tools out for the country to leverage, and then we want to set an example of how to leverage those tools and implement them within an infrastructure through binding directives, policies, through special pubs, through all the levers that we have to protect your information when we're holding it in the government but serve how to you can best protect your information as a citizen or as a corporation.

I agree with everything that Grant said. I know we're running out of time. So I won't beat that horse anymore. We're all in this together. The former federal. We're all stakeholders in this process. We're trying to make things better for all of us.

Many thanks to Greg and to Grant for the work you have done. Thank you. I have to get my phone.

Our last panelist, thank you for that interesting conversation. This fireside chat is a great segue to the last panel. It's about harnessing artificial intelligence and machine learning in cybersecurity.
The moderator is the executive vice president who a commercial and solutions practice. Please allow me to briefly introduce your panelists. As a programming note, on all the introductions we'll be giving, I keep them brief because you can see it on the board and the full bios are available in the program. So those are the panel: Jack Shanahan, the director of Joint Artificial Intelligence Center. Director of national intelligence. And assistant director of artificial intelligence of science and technology policy.

Thank you very much. Good afternoon. Today we're going to be talking about harnessing artificial intelligence and machine learning in cyber security. And today there's probably no bigger buzzword in the industry than artificial intelligence. We just had the Black Hat cyber security conference a few weeks ago and everyone should be rest assured there should be 3,000 AI security companies as of last count. We're going to talk about real world applications and demystify AI. Just diving in, wanted to talk about AI has gone from a very technical term over the last few years into something that's prevalent now in our program. And AI is more than just building an algorithm. We wanted to start by talking about what are some core elements to developing a successful AI program. Dean, you want to get us started?

So building a successful AI program. AI is technology, but it's technology informed by people in the process. I guess number one is you have to have people with the skills in order to do the job that you're asking them to do. And this means that we need, from where I sit in the intelligence community, we need to invest in the educational or technological literacy of the workforce.
One of the examples I use from time to time is if you ask an average imagery analyst what they need, and their job is to look at images that are collected by satellites and classify them as to what's in them, they want a bigger monitor or faster computer under their desk. And what I generally mean is, what do you need that's going to change the way you're doing business tomorrow so that you no longer have to count airplanes on runways. I think the same issue is true that we need people who understand the promise of the technologies that we're building, that know how to apply to their particular problem domain and know how to know whether they work or don't work. One of the challenges we have in machine learning today is this idea of assurance. How do we know when it works and doesn't work? That knowledge of people is really important.

Second, you have to have the digital foundation in order to execute this stuff. The technology of the world. The cloud computing technology has produced, but we also need access to the technologies of AI. So GPUs are the most orve. But not only GPUs, but GPUs more for processors, data rays and whatever else the brilliant hardware engineers of the world are creating to accelerate these technologies. You need access to the digital foundation.

Third, you need data. You have to have data. It's the curated data that is tagged properly and formatted properly so it can feed machine learning. We need processes to create and collect that data. And lastly you need mission. You need the consumers and the mission to be telling us what their problems are so we actually can go after. Technologists can build solutions for anything. We need to know what the problems are. Stated in a way we can apply the technologies.

You're standing up the joint AI center. I know you're working a lot of initiatives. As you're looking at stretching your programs, what are some key things you're considering?
Everything Dean just said and then a lot more on top of that. If you were to break down in any AI program, machine learning, typically our focus area right now, the three common threads whether it was an industry or in the Defense Department or the intelligence community would not surprise you. Talent, culture and data. And I can reverse the three words in any order. Those are what I deal with every day. And the data challenge is a particularly hard one for the cyber piece.

Let's pull the thread on that. I was at an event a few months ago talking about other nation states, and our adversary have the gift of data. I think one of the things we have been struggling with is how do we bridge the gap between the government and the developer, Silicon Valley and the community to provide the data they need to build and tune algorithms. How are you seeing us start to bridge that gap?

A couple different thoughts on that one. First of all, the conversation we're just having in the green room before coming in here is the difference of an Amazon or Google or Microsoft, the companies build their data in a certain way from the very beginning. The challenge is whether it's in the intel community or Department of Defense, we didn't build our data expecting a future of artificial intelligence. We have to look at what that world looks like to train against the data, integrate the models into the systems that were just never meant to have AI build them. So it's a range of problems. To your other point. I was talking about this last week. The fact that China has access to data, which is a very common talking point of China is leading the way in adoption of AI and also in just data. Data for what? It goes back to what Dean was saying earlier. Data for what purposes. What do they intend to do?
If I'm collecting social media data for the purposes of a social cred score, does that help me field a full motion video model for detecting, tracking, classifying objects on a battlefield in the Pacific or Middle East? The answer to that is no. Are they learning lessons? Yes. But just data by itself is a starting point. And we can go into a lot more detail on the challenges we have of just getting to the data part of it before we bring in a model to try to assist the utility.

So talking about good discussion around programs and what it means for success. When I think of Amazon, I think you guys have a lot of data and you're working to optimize and lean out a lot of your om and other functions. I want to spend time talking about some successful cases and applications of AI in the cybersecurity world, and you want to get us started and share some of the initiatives and programs that you're working on?

Sure. So first I want to echo what both of them said about what it takes to build a successful program and making AI an option, and if you look at the machine learning and deep learning which is a brand new classified program and that is spurring the AI revolution. The first was written two decades ago so it's not brand new by any means, but what changed? It's basically always been hungry for specialized computers and it's a huge amount of data storage and access and actually making it easy for everyday developer to use it. This is where things like cloud has come in to change and that's why AI is experiencing a renaissance in the cloud where an everyday developer can have access to where they can get computers on a permanent basis and get a huge amount of storage on a monthly basis. Now with this, we are seeing not just AI
being adopted in high-tech industries all of the way from, let's start like cybersecurity and the example of customers like new data with the machine learning services and they're able to, not only have the machine learning deployment and development time with more than 60, and they were nearly able to stop up to 100 of their credit card transactions with a bank. They were able to use computer techniques to actually address like phishing attacks, and now not just in cybersecurity and now it is the pharma and also in financial industries like Intuit and the transaction risk, but the common thread on what it takes and not just in Amazon, but in other companies that are first. You need to buy in. To a large extent, if you're a CIO in a private sector they're a major stakeholder in the public sector, there is an element that I tend to obstruct AI like a black box that you're not comfortable trusting, but tell the personal story of Amazon, in more than five to ten years and Amazon with the leadership team realized that the machine would transfer not just the tech part of the company, but every line of business and they're in sales or marketing or pricing. So they mandated something that every team has to answer, and this was more than five years ago, that they actually had in their annual planning session: what is your machine learning strategy? Within parenthesis, they said no, that's not a good answer. Try again. So this forced every executor to think about what does machine learning do? What should be my machine learning strategy, and what are they going to do? So that's when we created a machine learning, and so they'll get trained on various gardens and techniques, and then finally we actually had a strategy for collaborating on data sets and held customers and ourselves with annotation and data cleanup because the dirty secret about AI and machine learning is while we hire the scientists to build machine learning algorithms.
More than 50 of the time they do data wrangling. You'll probably agree, which is kind of weird when you think about it because you expect them to work on the latest and greatest models and they spend so much time on data. This is why when I talk to CIOs and the stakeholders and public sector, they have the buy-in and get the strategy working well, and then the third one is a talent and they're skilled in machine learning and that's why we have Amazon, and now we make it available for free so that they can get trained. This is what we see across a wide variety of industries altogether.

For other panelists, what are the other use cases that we're starting to embrace from the federal government? Where are we seeing some success stories? [inaudible question] I know there are a couple of cybersecurity use cases that you're starting to explore. Can you talk about what you're seeing from a trend perspective there?

It wouldn't surprise you to have the starting point of that be data. You could make some analogies to Project Maven as a pathfinder project where we spend a lot of our time on the front end, object labelling and preparing the data. 80, which matches pretty much every project that I've seen, is you spend 80 of your time working on the enablers, and they do break down a little bit in cyber instead of going out in labeled objects for full-motion video and there are known objects on the ground and we have an ontology where people, buildings and vehicles and we work down from there, and cyber is a little bit different problem to begin. What does normal look like? What is the baseline of normal? I have to know what baseline is, and much more challenging on cyber than it is in a full-motion video and our humanitarian assistance to relief case, so if I go back to starting with the data problem on cyber.
It's the most basic problems that everybody begins with, and data access and data quality, and data content and data classification and data format standards, and you can go in different directions on that. So what we had to do was reset a bit, and our challenge is, without getting the technical details of this, and we have 24 cybersecurity providers and all of whom are collecting data in slightly different ways. So our starting point is coming up with the cyber data framework, coming up with the cyber, and to come up with a starting point with data curation and content and sharing and storage. Just on that agreement, I think we'll have much more success down the road as we bring in commercial vendors to bring product evaluation. They didn't quite know what data they were going to be seeing and there is not an ImageNet equivalent for a number of different reasons and we'll talk about that separately, and we'll have to come back to ground zero on this, and our first of three lines of effort is what we're calling event detection and the third one is network mapping. All of those have the same basis of a data problem. So by going back to the beginning on a cyber data framework, which is nothing more than could we agree on a common set of procedures from now on on data coming in. If that's not the starting point, we don't have the decades worth of really nice, clean, curated data, which even Swami was saying that's not entirely true of any of the companies and it is much more true than it is for the Department of Defense than I would say for the intelligence community.

And he made the point earlier that every cybersecurity company is now a cyber AI company, and I would make the point that within the last decade many companies started branding themselves as cybersecurity companies, and that gets into the definition of what problem are we trying to solve, right? A decade ago we talked about cybersecurity, we were talking about antivirus definition, right?
Now we're talking about a living, breathing ecosystem of the world and, as General Shanahan said, define normal? How do I even know the difference between what's normal and what's abnormal so I can detect anomalies, and we simply don't know. We actually don't know the answers to those questions right now and that makes it challenging to develop solutions. So this community here, this cybersecurity community, needs to be thinking about how do we know what's normal? How do we detect a variance in the system? How do we make sure that our systems are appropriately secured against cyber attacks that we can't get defined, and that fundamentally is the challenge. AI can help with it, but AI is not a magic bullet. It's not Jack's magic bean, right? We, it can solve some problems really, really well and other problems, and particularly the kinds of AI that we're talking about now, the machine classifiers and so on. You can solve those problems and not every problem boils down to that problem.

One of the pitfalls I see many customers fall into, the hype or the expectation trap. AI is not a silver bullet by any means, and you set out, and the best way to go is you start small and actually you reiterate and check to see how well it's a problem and continue to trade. It's almost like a journey that you're going to be on and actually not just months and years to come, and you're absolutely right, and you're going to find a project and it's going to be big and it's going to be massive and how we're doing in six months to a year, and if not, it's by definition your chance of success will be low, and you're absolutely spot on, and this is something, it's almost like a journey of discipline how you had to progress.

If I can add this as well on the data piece.
It's not just trying to wrangle it into a good form, and it's also determining whether or not you can trust it, and that gets into some of the challenges with data poisoning attacks, for instance, where you may have perfectly good-looking data, but in fact it may have been tampered with in some way, and so that's another challenge on top of just the quality of the data that we have from a formatting or curating perspective, and has someone actually tampered with it, and so that gets into R&D challenges on how to make sure that the data is pristine and the way you intended for it to be, and it's not included within that, perhaps some examples of how you're learning unwillingly that a particular data set is not, either is or is not indicative of some sort, and that's an extra challenge of not having the data or not having good quality data. If you have that, can you trust that you have good data?

And this idea of a trustworthiness, the data is really critical, and you can imagine in the business of intelligence, our job is to see over the horizon with enough time to impact the difference. Well, in an era of adversarial networks producing deepfake videos and fake text and fake audio and being able to substitute anybody's case on anybody's video, yeah. There are power tricks right now, but they have, you know, if you look down the road, it has the implication of it being very difficult for us to separate truth from fiction, and that makes the job of intelligence really, really hard, right? Because if you don't know the difference between truth and fiction, you've got a big problem on your hands, so the kinds of things you're focused on in the intelligence community, what's real and not real, really, really huge. It's as applicable to the cyber domain in which we look at these problems.

So based upon the previous conversation, we're starting to address some fairly basic use cases and we're starting to move towards adoption. You have a captive audience here.
In terms of research and development, I would like to hone in on new ideas and where this community should be investing for the future. Dr. Parker, do you want to start us off there?

Sure. When you think about AI and cybersecurity together, there's AI for cyber security and there's also the cybersecurity of AI, and both have important challenges to them. You can imagine using AI for cyber security and doing things like being able to understand your adversary and trying to understand how they're attacking and have behavior and past history and use that to predict what future attacks might look like, for instance, and that's an interesting challenge for the AI and cybersecurity. The other direction, for cybersecurity for AI, looking at challenges like how do you make sure that a model that an AI system learns is not reverse engineered to somehow detect sensitive data or information that you don't want your adversary to learn about. I mentioned data poisoning attacks, and there are a number of other of these kinds of challenges that you want to have your assistant to be trustworthy, so that you can ensure that when you use it it will do exactly what you planned for it to do, and that is in and of itself has a lot of R&D challenges as well. The National Science and Technology Council every three years put out a national or a federal cybersecurity R&D strategic plan. So they're preparing that plan now to be coming out this year and it will outline a number of the federal government will be investing in.

So for the intelligence community, I encourage you to go to the website and download the strategy, augmenting intelligence machine, AIM, and it's not to augment the intelligence and it's to augment their activities. That strategy says we need to do four things. It says we need to invest in the digital foundation, the data and the compute.
It says we need as government to be fast followers because we're in the interesting position as a federal government, for probably the first time since the Second World War, we are not the leading investor in the technology area. In fact, we're not even the minority investor. The economy is the investor. In 2016 McKinsey estimated that there were 50 billion in global investment in AI and machine learning and they estimated that there was a billion dollars in U.S. investment at that time, and 50 is in the billions, and yes, we're spending more since 2016. The DoD has announced their strategies and we don't publish our investment, but you can imagine that the private sector investment has accelerated it and it's far exceeded government expectations, and we have to be fast followers and adopt the technology of the world. Next, we have to invest in the gaps and we have to invest in the things that the private sector hasn't been invested in as we are. So think about a bell curve. Where is most of the private sector? The middle of the bell curve where your shoppers are, dollars, click, ads, eyeballs. What's the general's problem? What's my problem? Low probability, high-cost things happen out there and that's not where the majority of the investment has been made and that's from I need to invest. Our, we need to be investing in long range and understanding and semantics and meaning and knowledge, because ultimately counting airplanes faster is good, but it's not good enough. I want to know why the planes ran yesterday and why not today? Because ultimately the job of intelligence is to understand that.

Yeah. I'll quickly add a thing from the private sector respect. And we tend to use day one even though we're 20 years old and that shows how we tend to think.
In the machine learning world it is so early and yes, it's day one and we've just woken up and we haven't had a cup of coffee yet, and it's that early in terms of how much early we are in this game, and there's so much R&D that there's still more to be done, and we have the internet and the early 90s and so forth. So in terms of what we need to see in R&D, and it's not accessible and getting data done, and there is in the machine learning models, and so when it produces a result, what we see even with a health care customer is the consumers of these machine learning models, hey, you're scheduled for surgery and you may want to take and it is optimized and you may not trust the result, and historically, if you had done this you will be 40 efficient and so forth. So there is even these elements of explaining these results so that people will trust it more, and it's going to be a lot more important, and these are some of these areas that are still in research to me, and we have to invest a lot more, not just in the private sector and also with academia, and there are aspects, as well, and be a partner on NSF on many of these topics, as well, and fund specific program sfs well continue to do more.

Just to cut to the chase, it comes to this element of trust. If we look to a future of more fighting or defense of which where we're no longer measuring actions, counteractions or seconds, but milliseconds and microseconds, and trust becomes the sine qua non, and it's a pristine lab environment and doesn't work in the cases that Dean mentioned in a very dirty DoD environment, and the idea of proving that it can work under those conditions, and that's a pip and that partnership being able to perform in those instances, and I would just go along with that and say we to be thinking about AI and a red teaming approach and automating the teaming actions to think about the contextual things behind the scenes, and counter AI
is what we're dealing with, and it's analogous and counteraction, and that is something that is upon us now and we need more thought in the commercial enterprise.

That's a very interesting observation and it identified two new and, if you imagine the future of combat and the adversarial AI and how we'll adapt in the war fighting demand, and certainly exciting times. We have about a minute left and let's go around. Each person has 20 seconds for any parting thoughts. Dr. Parker?

Certainly, if you look at the President's American AI Initiative that was signed in the executive order that happened in February, there were a lot of these issues that are front and center, and the R&D issues and trying to make sure that we have the people that we need in the AI space, which includes the AI applied for cybersecurity space, so that we can be the lead in these areas. You look at data, about making data more available in R&D with cybersecurity, and there are a number of these key areas that we touched on that the federal government is taking a number of actions to try to help the nation move forward to ensure and maintain American leadership in AI going forward.

Actually, we're just about at time, so to the panelists, thank you, and good discussion today and I appreciate everyone's time. Thank you. [applause]

Thank you very much, Brad and the members of the panel, for a great discussion. The next panel is preventing a cyber 9/11, and joining Bill on stage is Jeff Brown, chief information security officer for the Intercontinental Exchange in the New York Stock Exchange, and the honorable Karen Evans, assistant secretary for cybersecurity and emergency response at the Department of Energy. To her right, the vice president and the product management. So Bill, over to you.

Thanks, everybody, for joining us. To start off I would like to let each of our panelists, and I know we got a brief introduction, and talk about the current role and what they're doing in the area of critical infrastructure.
So, Jeff, if you want to start us off.

Thank you for having me. Just a quick correction when it comes to intro, Jack Brown, head of something called Cyber Command and chief security officer for the city government of New York. We have the mission to defend all of those technologies that deliver via technology services to New Yorkers each and every day, and we also have a mission to bring cybersecurity to New Yorkers through solutions and awareness in ways that helps them navigate away from the threats that they might encounter on the internet. To your question, to your question about how we think about critical infrastructure, and we as a large city government have parts of the portfolio, agencies like the Department of Environmental Protection that has ICS, OT, water services that New Yorkers rely on, and we also think about the criticality of things that are deemed critical services and New Yorkers have to rely on with the 911 environment, and that's how we think about it.

Hi. I'm Karen Evans, and I am the assistant secretary for cybersecurity, energy security and emergency response, otherwise known as CESER, and it relates to all hazards, both natural and man made. So the emergency response function is really high right now on our efforts of our team due to the hurricane, so I have hurricane responses. I have cyber responses, I have the energy security piece. I have gmd, emd, and we are responsible, if you're familiar with the National Response Framework, we are the ESF-12 coordinators under that for our sector-specific roles, and we also have specific authorities that are designated to the Department of Energy under the FAST Act of 2015. So I think I'll stop there, and take it from there.

I'm Carey Rahm, vice president of product management.
So I am fortunate enough to get around the world and talk to a lot of different cybersecurity teams and help them with their incident response and the deployment of different analytics tools, and we provide a platform that allows incident responders to investigate things differently and roll out different tools to defend the network, and very interesting insights that I hope I can share in the panel as to what we're seeing and what we see some of the best practices in the cybersecurity teams as of today.

I'm the real information security officer of the New York Stock Exchange. A little mixup early on. I work for Intercontinental Exchange and we're a global provider of financial market infrastructure, and in five different cases over three different nations, we designate critical infrastructure, and that happens here via Department of Treasury in particular, and I like to secure that side of the house.

Awesome. So let's start talking briefly about what the threat landscape looks like right now and what are you tracking in terms of threats for your infrastructure to your organization. Karen, do you want to?

Sure. Mine's really easy. We can take a poll here of the audience, but anybody who has read the DNI worldwide threat assessment, not that I have this memorized, but at the bottom of page 5 it talks about what is happening with China and how China is dealing and the capabilities that they have in the energy sector as it relates to oil and natural gas, and at the top of page 6 it talks very specifically about Russia's capabilities into our critical energy infrastructure and what they're capable of doing. So we're very focused on what the nation states could do. I don't own the infrastructure and it is all owned by private industry. So it would be good for us to talk about the tri-sector work that we're doing and how it relates to the National Cyber Strategy that was released by the administration.

When you talk about a nation state attack, what does that look like?
What's the nightmare scenario in your mind? What do you spend the most time thinking about in that landscape?

I'm thinking about it right now. We have a natural disaster happening, coming up the coast. We're worried about making sure that we can keep the power on and prepositioning and working with our industry partners, and it is all reliant on our industry partners, and that's probably when we're the most vulnerable.

Interesting. Same question to you.

I can build on your answer. When it comes down to it, though, as I noted before, there are things that fall into the traditional critical infrastructure category operated by the city government of New York. When it comes down to it, New Yorkers rely on a whole ecosystem of providers. There are energy companies and there are each and every piece of that critical infrastructure portfolio that makes the city run. I think when I think about the threat landscape, what I'm looking at is greater connectivity and smart metering and smart services that a city needs to have guidance over, but perhaps not ownership over, and the way we have guidance over is we build better private-public partnerships and we get to be in conversations with providers because everyone has the best for New Yorkers at heart, and that's how we think about approaching the future.

Jerry?

One thing that's really challenging in all of these roles that we have is defining the taxonomy. So when you ask about a threat it's kind of a double-edged sword. On one hand we can answer with almost anything, but on the other hand we don't get very specific. We mention threat actors and we mention threat vectors in that, and when you think about insider threat versus a specific nation state and an objective, it's just a big soup.
So what we've done is we create tax objectives, which is what we found to have the unique buckets, and what are trying to do, who they are, and there are only three in there that have to do with data, and I think the most unique thing about the threat when it comes to critical infrastructure is that it's not all data like it is in the news and most of the consumer facing cyber threats, and the ones that are data are intellectual property or PII or even nonpublic material information, and the rest of them that are important to critical infrastructure, number one, sabotage, and it's important to track it differently and not maybe because there are different threat actors and there are certainly different techniques that are effective asser have s adversarially, and data manipulation is the one we worried about.

You were talking about tactic, tools and procedures of the adversary and you work backwards from there essentially? Is that how you approach that?

That's right. The threat objective, and it's a good construct because it gives us a chance to talk at the board level about the whole ecosystem, and it looks like you can take out Saudi Aramco and Sony and very different companies and threat actors and everything else and we're having the same conversation about how it manifests, and some of the ransom attacks were about destruction and not about extortion, that would fit there as well, and that's helpful at the board level and it's helpful to take the PII attacks and say, we know what that's about and we've discussed this before and where does that fall? So to set that priority at the board level is helpful and the stepping back, for us that means let's go straight to red teaming and what did it look like when it happened elsewhere, and that's where we gauge the residual risk of those.

Gotcha. You have a different perspective because you work with different security teams.
Are there any trends you observe across the customers you work with in terms of the threats they spend observing in the critical structure space?

Yeah, yeah. Thank you. I would say the trends are more on how they're dealing with the threats and how the thought process is changing. So we're seeing some of the advanced teams that we work with going from truly defense top strategy to more of a, okay, I know that there is a high risk of being breached. Let me put the processes and procedures in place to make sure I can deal with that quickly and I can work with the downstream impacts before they can take effect and I can understand the full extent of what actually happened, and I'm seeing them putting recording infrastructure to record everything about their environment, and that's the first thing, and being able to see what actually was impacted and what was touched and right down to the network data, and being able to respond quickly with different tools and techniques by being able to have an approach if there was an impending attack and they need some sort of new tool or a new innovation that they can apply, and we're seeing that as a general trend, and seeing it as having a lot of good effect.

Gotcha. I want to drill into something, Karen, that you worry about the threats to infrastructure that you don't technically own, and that's interesting as a model, sort of it's not your fault, but it could be your problem kind of approach, and what administrative constructs do you have to put in place to handle those things? What if x behavior or x set of infrastructure, there's going to be a problem and there will be attack against that, and how do you handle that organizationally?

Part of the, I'm glad you asked that because you'll want to build off of this, as well. Yeah.
We talk often about public-private partnerships and I have a deeper appreciation, especially in the role of what private-public partnerships mean, because the only way I'm going to be successful, to your point, is if the public-private partnership is there so I can convey from the approach that this is what is envisioned so that SSA does so they see value with what we're doing. The only way I can do that kind of analysis is they're contributing to the analysis capability so that we can say this is contributing to it, this is what's happening, so that we can bring what you need to the government to bear, so we have a whole government approach and we're only one critical infrastructure, right? Under the DHS umbrella. So we have the whole of government, but I have to convince them that this is within the risk models that they have, the risk registries that they have, and the way they are doing things, and our models are so different, but I would say that there is a huge trust model and a huge partnership between what is happening with the Department of Energy and the entire energy sector that if we were... when we share that information they really listen, and so it's incentivized that we need to do this to keep the lights on because we're such a critical need for the nation and the community all of the way down to the individual customer.

Gotcha. Yeah, if you want to build on that. I know you were talking about similar themes?

Certainly. I think what it comes down to is addressing the domino impact that can happen based on the types of cyber attacks that we've observed over the global landscape in recent years.
When you think about 9 million people over five boroughs within the geographic confines in no, the reality is when you bring together public-private partnerships and you have the right people sitting at the table with the right interest line, everyone recognizes that if one person in that diagram fails, the dominos start to fall, and then from a business context, even though I represent a city government, I think it does resonate with the private sector partners because you say unless we together pool resources, et cetera. When you are carrying my failure on your balance sheet as a risk because of that shared risk and you have cybersecurity and effort and you start to look at ways that we can address these problems and practice together, and we've run a number of exercises and our hope is that it will help us to not only prevent, but then, of course, respond together.

And you generally find that they're receptive? Awesome. And then, Jeremy, do you have thoughts on that? I know yours is slightly different.

Well, you know, one of the things that would help for the sake of the audience is you start with the title about cyber 911 and when you are close to home and you can make the pivot over to things like power and transit and all of the implications it could have. On the economic side, I think it's worth just throwing in the scenarios that we're thinking of from a critical infrastructure standpoint, and there are a lot to do with undermining confidence in the global markets, and it's important to add that context and what does sabotage mean? I think it's important for private companies that are responsible for critical infrastructure to remember that that is not about the balance sheet and it's not about the quarterly performance anymore. We have regulators that have different specific agenda that they're trying to protect, but when it comes to things like the Department of Treasury and the domino effect that that would have all of the way through every sector immediately.
So it's not different in many ways, but in many ways it could be like splitting hairs.

Sure. So we're sort of talking here about the importance of developing close partnerships with people in related to the threat model and infrastructure, and that goes to the broader theme of how are you gathering intelligence with these threats and who are you partnering with efficiently. Is there anything that you guys do in your area and how are you getting that around the critical infrastructure?

The threat intelligence is... anyone who has lived through this saw it ten years ago, threat intelligence was so hot, so to speak, and it was almost a buzz thing. If you've been around for a while you might think let me wait a little bit and see if that ends up being a fad before we invest in it, and so, you know, in our organization we consumed external sources early on including some commercial sources and later, we added the formal capacities that are handling going through that, but one thing that helped us get ahead of all of that is the ISAC and the Information Sharing Analysis Center and the FSI for financial services in particular, it really started and that is the embodiment of private-public partnership and it's a conduit between public intelligence and the private sector, and more times than not it's actually peer-to-peer sharing among the members there that bears the most fruit, and that did evolve into some automated and mechanical shares so we have protocols for the sharing of threat intelligence, and now we have systems that actually manifest some protections around that when they consume the intelligence, and even what I call the narrative intelligence and the different banks and utilities and they reported a service attack and is anyone else seeing it, and they're so helpful because intel feeds so many pieces of the life cycle and we think of the warning system and what's coming next and it arms our red team so the intel somewhere else is what we'll use to emulate the threat and the
more detail we have the more accurate it will be, and it informs our controls and it informs our vulnerability assessment so we can prioritize if something is actually targeted.

Interesting. So sort of forward looking. So we have a good picture of the threats you're seeing, where are you spending most of your time? I know we talked about public-private partnerships, are there others that you are trying to have for a defense apparatus for critical infrastructure?

You have to think about the expanse of what a city government means with D.C. or whatever it may be. We have emergency management programs and so we're learning very much is the more connected we are into the whole apparatus of government capabilities and all of the teams that the emergency management can bring together to be proactive and exercise, there is a need to respond. A lot of times with the cybersecurity professionals and at times we may feel alone in the fight, and I think it's useful to bring back to organizations whether public or private the simple fact that if you talked to the people that are the enterprise risk managers, but have portfolios encompassing continuity of operations, et cetera. There's more capability to make sure that those services that the entity provide are resilient, reliable and can recover with peace. That's where we're seeing the tradecraft now building from the state intelligence backgrounds and it's very heartening.

Gotcha.

So I'm... I'm going to... you guys would be disappointed if I wasn't a little controversial here, and so we're looking at it a little bit differently, again, because I have a research and development piece associated with my office and of course, we have the National Labs within the Department of Energy. So we're really looking to shift the paradigm, and really look at the framework, right? It has the circle and it talks about detect and protect and a lot of the stuff we're talking about today is in respond and the resiliency of how to recover.
So I'm trying to change the paradigm and what the secretary has envisioned and what we believe will provide value out to the industry as a whole is we have efforts called the Grid Modernization Initiative, which is modernizing the infrastructure to build the resiliency up front and to have self-healing capabilities to go forward and to change the dynamics instead of us spending research on response, and we're spending a lot of research on how do you use smart technology and defined networks so you can then deploy these in a way that the system is detecting so that we can protect and then respond when we need to. So the other part is that we're not, especially in our area, as focused on information technology. So a lot of the stuff that you talk about today is very IT focused. We were focused on operational technology and you mentioned industrial control systems and it's the nexus of where people are trying to gain efficiencies by using cloud to maximize that capability that comes from, okay, if we can gather this data and analyze it, like, that's what gets exploited. The more interconnections that happen, that's where we become vulnerable. So we're focused on that and then how do we secure and how do we have self-healing operational technology environments because that's, like, the IT world and you can look around this room and you guys are focused on operational technology. That it works and you can detect who is in there and is it running the way it's supposed to and is that supposed to be turn off and on and is that an adversarial testing and can we detect it? We're focused on changing the dynamic.

Sure. Carey, are there capabilities that you see that they're trying to build out in response to these kinds of threats or...

Definitely.
I see swings in both directions, you know, some organizations are heavily focused on the defense side, trying to prevent, and other organizations on the response side trying to scramble and respond to the incidents that occur, and it's about getting that balance right and it's about being able to roll out new tools very quickly to defend the networks and it's also about having the historical data about what's been happening in your infrastructure so that when you do see something strange, you can go back and track what's actually occurred over time, and having that balance right is important because it allows you to then say I'm going to defend the network as best I can, but I'm going to have the infrastructure in place for the stuff that I can't defend against, and I think we all know the key issue is you cannot build a perfect infrastructure that is, you know, completely robust. At some point the state actor is going to have the resources and the know-how and the time and the skill to get into your network. You need to defend and keep those doors closed as tightly as you can and you need the information and the systems there for when someone does get in and starts to wreak havoc. As you saw with the Ukraine attack, these threats, they hang around for a long time before they actually do any damage and that's a period of time of which we've got to actually find this behavior and find these strange occurrences and neutralize them before they actually do any damage, and getting that balance right I think really helps us achieve a much more robust infrastructure.

Gotcha. Jerry, you had talked about the importance of red teaming and a proactive control where you can sort of test your infrastructure based on the terms of attacks. To what degree is the objective of the red team informed by other attacks you're seeing and what are things you might be seeing in the future. Can you tell us how you guide them?
On... it's directly informed by the intel that we receive about the type of threat objectives that we're concerned with. In that regard we're lacking, right? We have an attack or something like that and pull out the TTP as you mentioned earlier and begin there, but the whole point of that is that it's meant to be predictive and when we talk about... so my organization is, I like to define it within the first line of defense and the second, and they're both on the reactive side and everything on the second line, I'd like to start thinking of as predictive, and the threat modelling and scanning and all of that is really meant to predict, otherwise there is no point to doing it at all and we wouldn't bother. Sorry, I'm combining two questions in one and what are we focused on and going back to that at the same time, and it's equally both sides of the house taking that intelligence and flowing it to the second line and then from the results of that, going back to the first line of controls that we need to put in place tomorrow without a doubt, but the one pervasive theme on both sides is automation, without a doubt, and I, I always say I want everyone that reports to me to take my job, right? I want to work myself out of a job because there will be new tasks that come out and that aren't on my plate and likewise, everyone in my group really needs to be working through automation and there are other things coming down the pipe and they can't do what they were doing yesterday and what they have to do tomorrow. So when we wrestle with technology on both sides because automation is about technology in many cases, it's build versus buy and like any company, we struggle with that, and my approach to that to date is successful and it's called builders buying, and we do a lot of prototyping in-house and then we go to the market once we figured out the challenges and can see through the oh, yeah, anyone can do that.

How long is that build and buy cycle typically go for?
I know it varies and depends on what it is. At some point in a project we either say this is a great and noble cause. We're not scaling and it doesn't have resiliency and let's go to the market, and by then someone's created it, has done a better job or is eager to do so, but there's a niche and a small gap of things where it's not very marketable. A product that would only be useful to us and those are actually the most valuable things that we have, and they're based somewhat on the basis and on our culture, and one of the things I talked to the board about before is the title was things the board has done for cybersecurity, but not on purpose. We don't unwind them by accident. That could be whether you're B to B versus B to C and it has to do with the head count and your employee turnover and all of these things have knock-on effects with cybersecurity, and when it comes to something like that, and that's great, Jerry, and we're not going to make any money off of this, then we can make it in house.

Running down to the last couple of minutes and looking forward, how do you see, of the threat landscape, and is there anything that you don't see now that you anticipate to start seeing over the next one, two, five, ten years?

To combat more connectivity that New Yorkers rely on, we'll see more across municipalities across the notion of cybersecurity for the public, perhaps. We launched NYC Secure, which is our commitment to New Yorkers that we would bring cybersecurity to them of the choosing, and we released an app and all of the places that we provide free public Wi-Fi. And you'll see municipalities go towards the people that walk their streets and say let's help you make better decisions as you navigate away from threats and let's respect your privacy at the same time.

Cool.

So what we see across the board is the mix of energy and we are energy independent as a nation and with that means there are other vulnerabilities that come into that.
So the department has announced an advanced manufacturing initiative jointly with our office of efficiency and renewable energies and it's dealing with trying to manufacture and foresee, how do we continue to stimulate innovation so the wind turbines and the solar panels and the EV cars and the changing the battery, because all of those devices connect into the grid, and so we are really looking to see how can we engineer those so we have a mechanism in place dealing with private industry so we can continue to be energy independent and take advantage of industries, knowledge and then advance it through manufacturing.

I'm not going to continue to talk about the threats because they'll continue to evolve. In five years' time, I think there will be a much more coordinated approach to defending the networks and more platform-centric approaches where it makes it a much easier task for you to roll out new technologies. If you go to RSA or any of these big trade shows you will see thousands of innovations, but can you take advantage of those? Probably not, very difficult, so we'll see new ways to roll out technologies and roll out defenses rapidly in an agile fashion and trying to catch up to where the bad guys are at. I think we'll see advances in the identification phase and that will be critical in not just authentication now and just about every packet on the internet.

Awesome. I think we're about out of time and thank you, everybody, for participating in the panel.

Yeah. Okay. Thank you. [ applause ]