comparemela.com

Around, both in the audience here and throughout the exhibit hall, are some of the most Innovative Cybersecurity Companies and organizations in the world facing some of the toughest adversaries. We thank you for your dedication to this mission. My wonderful wife, susan, founded billington cybersecurity nearly ten years ago. Besides this annual summit we host the leadership council, a membership council. We aim to be top experts in the serious and deep dialogue about cybersecurity in our nations capital. I deeply thank the superb speakers who will share their insights. Please lets give them a round of applause. [ applause ] for the media, including cspan thats filming the event today, this conference is on the record unless specified and unclassified. And we welcome those members of the media today. You can follow us on twitter at billington cyber. And use billingtonsum. We have a packed day and a half ahead. It has been expanded by a half day this year. Q a will be available for some but not all sessions. Either by live mic or nobilitec. Id like to thank our partners and exhibitors who make the event possible today. And they really do. Without them, we could not host this program. Id like to thank them beginning with our lead underwriter, northrop grumman. Allen hamilton, our diamond sponsors, google cloud, aws, cisco, hp federal. At platinum, mcafee, bit site and blt. And at bronze, ativo networks. I also want to mention that we also have three country zones this year, which were very excited about as well. To my left we have the uks cyber Innovation Zone which is in its fifth year. To my right, we have the israel Innovation Zone and the canada zone to my right which is in its third year. With that said, we again appreciate all our exhibitors and partners, including our continuing education partners. Please lets give them all a round of applause. [ applause ] one Quick Logistics note.
If youre an isc squared member, we do have continuing education for the first year. So please do go to the Registration Desk and give them your member number. And theyll be able to send you a digital certificate. So now its my great honor to introduce for the first year a master of ceremonies for our program. Known to most in this room, captain ed diviny, recently retired after 34 years of service and most recently as the director for Corporate Partnerships and Technology Outreach at u. S. Cybercommand. Thanks to each of you for being here, have a great one and a half days. Ill be popping back on stage from time to time throughout the day and a half. But youre in extremely capable hands with captain ed diviny, my great friend and who im very honored to introduce to you now as our master of ceremonies. [ applause ] hello, everyone and good afternoon. Thank you very much for the very kind introduction and for the opportunity. Weve been friends a long time and im honored to serve as your master of ceremonies here today. You and susan have built a Great Company that provides a much needed venue to discuss the most pressing cyberchallenges facing both corporations and our government. Im excited about the great lineup of speakers today and the robust agenda ahead of us. Enough for me, lets get our day started. Its my honor to introduce our welcoming keynote speaker, grant schneider. Thank you grant for opening the conference and the floor is now yours. Its a shorter walk than it is for the sound. Good afternoon. First of all, i want to thank you everyone for being here today. Someone beforehand told me that im the first speaker, so i need to bring a lot of energy and rile up the crowd. But im a policy guy, so im not sure thats sort of in my mantra. You might want a more operational person and i think theyre later on this afternoon. I want to thank tom for having me here today.
And the ability to talk to you a little bit about the roles and responsibilities of what we do within Office Management and budget. And i think its really well connected to the theme for this tenth annual cybersecurity summit. The theme being a call to action to address tomorrows top cyber challenges. This is at the core of what we do within omb. Were trying to help agencies address their top future challenges and their challenges from yesterday that they havent finalized yet. We do that in a number of ways. If you go and look at the guiding document for our organization, is the federal Information Security modernization act of 2014. In that, it assigned a number of responsibilities to the omb director around cybersecurity and we carry those out on his behalf. And if you look at it, theres six or seven items that were assigned to three main functions. First and foremost is developing and overseeing the implementation of government wide cybersecurity policies. Number two, is ensuring that agencies are protecting federal Information Systems and data, commensurate with the potential risk of harm of a compromise. Think Risk Management, not all those other words i used. Third is assuring that federal agencies are complying with government wide cybersecurity standards, be those things from the National Institute of standards and technology, omb guidance, laws, binding operational directives from the department of Homeland Security. Were working with agencies and holding them accountable to be able to deliver on those. I want to talk about a few things weve done in the last year around each of those. Around developing and overseeing the implementation of new cybersecurity policies, we have updated excuse me, were about to update our trusted Internet Connection policy. This is about while those three things i listed that we do to help agencies, thats the what they need to do.
We also need to provide them tools and capabilities from a broader government standpoint for their ability to actually deliver on those requirements. And so were putting out a new policy. Hopefully in a couple weeks around trusted Internet Connection. That has been out for public comment. So youve seen versions of it. But this is about how do we evolve our policies to adapt to Technology Changes and really the movement to cloud environments, which is absolutely critical as we look to modernize federal Information Technology. Secondly, last year the very end of the last congress, the president signed into law the federal acquisition security act. We can have a federal Acquisition Security Council and really look at the security of the equipment that were bringing into the federal space. Theres a lot of work ongoing with that. But this really is a tool for federal agencies to be able to have a bit of a vetting of the equipment thats coming into their enterprise and be able to leverage both classified and unclassified information from making determinations they dont want to bring something into their environment. When we talk about protecting information, commensurate with the risk of potential compromise or Risk Management, its all about Risk Management. We cant protect everything. We have to understand what is most critical. We updated our policy at the beginning of this year. In addition, the department of Homeland Security updated guidance on high value assets. Weve tried to partner with dhs to be able to provide a more tactical level of input and details for agencies to be married with or combined with the policy that were putting out from an omb standpoint. In addition to our hva update and really understanding whats most important to protect it, when it comes down to protecting our systems and our information, its really a people challenge.
And so our ability to have and your ability to have the right workforce, a capable Cybersecurity Workforce is absolutely critical. The president signed an executive order, which has a number of tasks, things were really looking forward to for the federal enterprise around some cyber competitions. Youll hear more about hopefully in the coming months. Also rotational programs. How can we rotate more and more of our Cyber Workforce from agencies to agencies to grow the skills of those individuals, but also to enhance the abilities of other agencies and bring in outside talent. And then in addition to that is this year we launched our cybersecurity reskilling academy. Weve had one cohort go through. Weve got a second one going. This is a pilot. The two cohorts are 50 or 60 people. This is about how can we take federal employees who are looking to move into another type of learn a new skill, learn cybersecurity and move into a new career, how can we leverage their dedication to the government, their understanding of what it takes to get stuff done in the federal enterprise and then teach them and train them in cybersecurity. Theyre going to have enough they can apply on what theyre working on and start to transition into a new career path. How do we leverage those individuals. On the third one, which is ensuring federal agencies comply with the variety of standards we have out there, we talk about compliance, its used as a dirty word. I actually think though compliance is necessary but not sufficient. We have to have certain things out there that agencies need to comply with. We need to have some checklists. We need to be sure that agencies are taking advantage of the various tools and capabilities and resources that are available to them. And so, you know, as i mentioned, those come in the form of laws, memos, binding operational directives.
As we move more into supply chain Risk Management, theyll come potentially in the form of removal and Exclusion Orders when we talk about equipment that cant be in the enterprise. Obviously, a big yaer from National Institute of standards and technologies, special pubs and guidance we have and that they put out. And so today nist has released an update, and what this is about is about cyber resiliency. Were never going to prevent attacks, were never going to stop bad guys from getting into our systems. How do we ensure that we have resiliency of mission within cyberspace . Id like to ask ron ross to come out and hes going to give you some of the highlights of this 800-160 rev 2 and im going to be back for a panel here in a few minutes, so thank you. Thank you very much, grant. Thanks to Tom Billington for giving us this opportunity to announce a very important document. Weve just finished this document about a week ago. Its been in development for about 18 months. And it really addresses some of the very difficult and challenging problems that were all having today with regard to cybersecurity. If you recall the past several decades our strategy for protecting our critical assets has been a one dimensional strategy. Stopping the bad guys at the front door before they get in and do damage. We know after many decades of empirical evidence of the cyberattacks and things weve experienced, even when we do everything right, sometimes those high end adversaries find a way to get into the systems and compromise our critical assets. This addresses something called cyberresiliency. How can they take that punch and keep on operating even if its in a debilitated status. Its our first attempt to extend that one dimensional cybersecurity protection to three dimensions. Where the second dimension is called damage limitation. How do we limit the damage the adversaries can do once theyve breached our systems .
We assume that the adversaries are either in your system now or are getting in there at some point. The third dimension is going to be how do we make those systems cyberresilient . Where they can continue to operate and are survivable. This document has a lot of practical guidance for all of our customers out there who want to take not only new development systems, systems that are going through that life cycle, but also the 95% of your systems that are legacy. How do you apply the techniques and approaches for cyber resiliency to increase the level of protection for your critical assets and systems. This is a national imperative. Weve seen over the last couple years, the adversaries are very capable, theyre targeting our Critical Resources and doing great damage. For critical federal systems, voting systems to weapons systems, to power plant, cyberresiliency is the wave of the future. Were trying to make these finite machines operate more like the human body with an immune system where you can get a cold or virus and then your immune system kicks in and it doesnt take you down completely. For the next 45 days, this final public draft will be on our website. We encourage you to take a look at our guidance. We have great use cases that deal with microgrids, enterprise, Information Technology systems, and theres a host of other things. We even have a couple of real world rotations on the cyberattack of 2015 and 2016 where we show how applying these constructs to your systems could stop some of these high end attacks by adversaries. Thank you to Tom Billington for letting us have the time this morning. Thanks to grant and all the folks at omb who have been very supportive. One last shoutout to all my team members who worked on this document nonstop, and also to the office of the Vice President who have been very very supportive on helping move this guidance forward. We have a lot of critical defense systems.
Thank you very much and have a great conference, folks. Appreciate it. Thank you very much, grant and ron for the remarks. One programming note. For those of you who have been to our events in the past, we have an exhibition hall with a lot of vendors in a separate area. To be more inclusive and to allow a greater flow of communication, we chose to do everything all in one venue. If you would, please, because of that if youd keep the conversations on the side down to a minimum to allow the speakers and those in the audience here to hear. So now, please let me, its my honor to welcome the former deputy undersecretary for cybersecurity and communications at the department of Homeland Security. Shell be leading a fireside chat with the only two people who have held the position of federal ciso. Grant schneider and the retired general hill. Thank you very much. Good afternoon. And thank you all for being here, spending time with us on these important topics. I want to definitely thank the billington conference and the sponsors of course. I have 30 minutes to bring out its almost unfair. Only 30 minutes with the First Federal chief Security Officer and our current federal chief Information Security officer doing great work. General, ill start with you. It was a pleasure to work with you then. What was the highest impact areas you are working on . We take a look at the cybersecurity in the federal government, its a learning continuum. We try to get better and build upon the Lessons Learned from the past. We certainly tried doing that when i was in office. Some of the more impactful things that we did, and i think grant is continuing with is first is changing the narrative and looking at cybersecurity as a Risk Management issue. Previously not only in the Public Sector but the private sector we saw emphasis solely on just compliance. Not necessarily taking a look at cybersecurity as a holistic Risk Management issue that involves people process and technology.
So thats the first thing weve talked to paige for me. That was the narrative that we were trying to move forward on. Im pleased to see that continuing. Secondly, we were trying to make sure that we were in fact trying to implement best practices and identify them and sharing that. Information sharing was critically important. The ways we were doing that was through Public Private partnerships and getting twoway communication between industry and the federal government. A lot of work that needs to be done on that. I think we really had an impact watching those programs and trying to get those best practices in place. I believe that compliance doesnt always bring you best practices, but best practices will always bring you compliance. The third thing i think was impactful was taking a look and making sure that we were best aligning technology with the mission needs. We launched the continuous Diagnostics Program to try to raise the bar across the federal government. We had a lot of agencies that were large and wellfunded then we had smaller agencies that werent as wellfunded and werent as large but they still had the same Mission Tasking to protect sensitive information. Having the continuous diagnostic and Mitigation Program launched to help answer the questions of whats on my network, who is on my network and whats going on on my Network Across the federal government was a critical factor and success during our tenure. Further making sure that that cdm program was available to state and local governments as well as to the dot domain was something i thought was a Job Well Done by our team. Thank you. If we look at the recent statistics, the work done by both of you shows the cdm, that Program Actually has improved the security of many of the federal agencies. So grant, youre now in the drivers seat. In that important position, how do you go forward because theres been a lot of progress made. You talked about partnering with omb.
I view it that we needed to get a whole bunch of kind of base line policies in place and establish the ground floor of expectations for federal agencies. And that includes both the larger ones as well as the smaller ones that greg alluded to. Really, though, where were trying to focus on is how are we the maximum amount of assistance to agencies as they try to implement their cyber programs. The expectation is that every agency will be able to protect their information to the same degree. We expect the department of defense and the department of Homeland Security and the Small Business administration all to be able to do essentially the same job. Theyre clearly not resourced similarly in order to do that. So were trying to through partnerships with Homeland Security, yes, we have an oversight role and we do an amount of measures and measurement and holding accountability or Holding Agencies accountable. But we want to be able to be there as a support structure. Doing cyber staff reviews. We come in, sit down with agencies. We work on particular problems to also Bring Solutions to those. Whether its solutions from another agency thats had a similar change or a solution or Technical Team for dhs. Its how do we ensure the adoption and the leveraging of those. With the cyber strategy, wrapping this forward, its important we have a position. To take this again past our adversaries. So on that note i want to talk about compliance that you mentioned. Compliance is the basis line. The adversary knows where we have to be. They read the same a little bli. They go above and beyond. How do you see what we need to do to get the investment or to use that risk ratio or in the strategy forward to get beyond compliance. Compliance is a base line. Its never enough. Ill start and push to greg. Compliance is certainly not enough. Were not there, though. The vast majority ive been associated with a lot of Cyber Incidents over the years.
Every single one of them was through a known vulnerability that had a known technical fix. Every single one of them. If everyone had gotten to compliance, those at least the methodology that was used for the compromise, maybe our adversaries would have still gotten in. Doing it every single day over and over again is to drive up the costs for the adversaries. Make them move further ahead. Make them be more creative and more expensive. And that will start to at least get us on a Playing Field where we can actually challenge their abilities as opposed to having them come into the doors we leave unlocked. Ill add on that. When i was the director of the National Cybersecurity and Communications Integration center, about 95% of the incidents they were dealing with, i characterized as the root cause was careless negligent or indifferent people. Made a mistake. The technology was there, but it wasnt necessarily properly configured. It wasnt properly installed, et cetera. But upon reflection, im finding that i was wrong by just saying careless negligence or indifferent. I would have appended overtasked to that. When you drill down to it what a lot of the root causes are, is we go out there and we chase the latest fad. We put out the technology that we dont properly leverage to its full extent. We dont necessarily invest as much intellectual capital into the people and process aspect of properly came back and operating the technology thats out there. So i think as we take a look at the where we stand today, as well as into the future, making sure we have a good balance between the people process and technology. Its going to be the key as some of the new and Innovative Technologies roll out as well. Leveraging well the technology we already have. And if i can add, when we talk about the people, its not just those of you here who are cyber professionals or those of you who are in the basement of your organizations doing cyber work.
Its throughout the organization. We need to be able to have a collaboration about the technology and about the processes and about the people with the Senior Leadership of organizations. You know, that focus is somewhat about management attention. A Senior Leader who is asking really good questions is going to help to focus the team and theyre the ones that can help with the overtasking. They can add resources or reduce tasking in some way, shape or form. If youre using a phone, if youre using a computer youre a cyber operator, period. And youre a target. Youre a target. We see the same thing in the private sector. The attention has to come from the board. The board has to assess the Risk Appetite and that has to direct the entire strategy where the investment is made. Its not about how much you spend its about how its allocated and you accept a certain amount of risk as in any other technology and practice. So on that i would ask, grant, youve talked about technology and modernization in other venues as well. One of the issues weve had is we have very large complex systems in the government. From our experience some years ago, you cant rip and replace just because its old and it looks bad you have some product from 2002. However, it does take a process. At some point that products not going to work anymore. We have to start working now. Thats what you have to do. We definitely recognize, we cant continue to maintain the stuff we have forever. Its just we cant maintain it both from an operational and a Customer Service standpoint, but we also cant support it from a security standpoint. We have a really big focus, this administration has come in with a significant focus on i. T. Modernization. How do we enhance and raise up and modernize the i. T. We have. How do we do it in a way were not building the next decades legacy systems tomorrow. Weve got to do it smartly. The good news i think is technology is there now.
There are ways and as we move towards more shared services, as we moved towards cloud services. As we make smart decisions to how we dont have the government trying to update an infrastructure stack. I think we can get there at the same time and i talked about this earlier. You know, our ability to update policies to facilitate the agencies to leverage those technologies is absolutely critical. We have to get ahead of this curve and stay ahead of the curve. Today we spend i think about 90 billion a year on Information Technology. Somewhere north of 70% of it is on sustainment. A lot of it probably is sustainment of legacy items. Weve got to be able to tap into those dollars to fund the modernization efforts going forward. Anything . Well, i think the cheese has moved for everybody. You continue to use legacy models of dealing with i. T. And recapitalization. Frankly, having been in the private sector now for the last couple of years, you know, theres some really radical ideas in the private sector including recapitalization and depreciation on your Balance Sheet. Id like to see the government leveraging those common Business Practices we see. Making sure that you plan for the obsolescence of the people and processes that work in tandem with the technology. Making sure that we have that as part of our construct is going to really help as we move forward. I agree. I want to shift to the content that we talked about briefly about the binding operational directive. That was started a few years ago. If you could comment on how important those are. I always tell people this is not an easy its an authority that gives dhs a chance to say all the agencies are going to do this. The authorities from omb to yeah. Working in partnership with omb. Its important to know thats not easily done and its thoughtfully done.
When these things come out and tell people to read the advice and think about the advice because its what the governments doing and it came from a lot of thought. If you want to comment on that . Ill start out by saying thank you to the Homeland Security Committee Staffers who listen to me talking about in the military a commander would issue a fragmentary order, tasking order and the like. When an order was given it was expected to be done. They brought in the legislation, the creation of the binding operational directive where dhs would gather the information, do a quick interagency coordination. When something positively had to be done across the federal government from a cyberperspective. It could be issued through dhs. It was a step in the right direction. I think that we need to be faster and agile on that. In the military, you can make a decision quick and it gets done. But with the current binding operational directive process weve seen a lot of maturation since the act was originally put out in december of 15. Its important to have unity of effort. And having been in dhs, i was welltrained to say if you see something you should say something. And thats really been one of the successes of the binding operational directive. To assess the risk, decide a course of action and get it out across the entire u. S. Government. Yeah, i would add that i think the binding operational directive has filled an important void we had before. We had laws and policies and guidance and then every agency was sort of told to figure out what all that means and what to do about it and how to do it and apply it to their infrastructure. And all those things have to be lowest common denominator. They have to be the same for everyone in every enterprise. They can be more tailored, more focused and more specific. Also i think really the value thats come out of the binding operational directives is the management attention that they get.
Because they go to the Senior Leaders of agencies. The compliance, again, are you done yet is checked and followed up on is recurring depending on the operational directive. A recurring conversation. I think as much as i would say some agencies go another oh, my god another bod i have to comply with. Once they really start looking at it, they go wow that made my deputy secretary have conversations with me they probably never would have. It created that attention that they may have been screaming about from the basement for quite some time and really helps us push that forward. And were seeing now the private sector is looking at them as well. That subsidiary benefit is really paying off to better protect Critical Infrastructure across the country. Its also a good example of leveraging authorities at omb to help the right skill for the right job. To help the agency that has the information to put it together. In this case, cyber too, ask the other agencies, mandate the other agencies to do that and level the Playing Field. When some have come out, many in the private sector have said does this mean anything for us. And my answer has been, again, those are thoughtfully written and necessary. Look at the words the governments saying they dont mandate anything for private sector but its very good information as those come out. As you sort of the ghost of ciso past and present, what advice would you have for the private sector or those running programs in the military or government . What advice do you have from this chair on how to work with you, and, b, help to change that model to a risk driven model, if not already, to get the needed investment. I would say probably two things. First of all, is really a Risk Management approach. Talk about risk. Talk about risk with your Senior Leadership. You know, we want Senior Leaders that are asking questions about, you know, how are you looking at the risk of your organization.
Where are you applying your mitigations, what are your mitigations, where are you accepting risk, which is an appropriate approach in some cases. But really take that Risk Management approach going forward. And then i would so for the second one, a focus on fundamentals. There arent and many of you have perhaps the secret sauce or secret product thats going to solve all the woes. I havent found it yet. But i think theres a lot of just doing our due diligence, patching our systems, using strong authentication. All the things we can do to have as resilient of an enterprise as absolutely possible. I would say focus on those two things predominately. Ill throw in another, too. It goes back with some of the fundamentals. First, as a war College Graduate im required to quote a dead prussian in every public appearance. Ill remind everybody that frederick the great said he who defends everything defends nothing. We need to make sure that were protecting the crown jewels. So i think its critically important to understand the value of your information and dont necessarily spend a gazillion dollars protecting a piece of information that perhaps is not worth that squeeze. So making sure that youre implementing proportionate defense with a Firm Understanding as to the value of your information. Both classification and sensitivity of the information is critically important. So what keeps you up at night . In the cyber perspective. Are there other realms . I think the thing that bothers me the most is still the risk exposure that we have with our Critical Systems that are out there. The advent of the internet of things continues to expand the risk exposure and the price of entry for somebody to engage in malicious mischief and criminal activity, the price for them is pretty low. I see the Threat Landscape continuing to expand and risk exposure continues to be high. I think id say china.
You know, and i could say nation state actors, but as far as an adversary that has, you know, displayed their intent, has clear means to get into and to attack, our Critical Systems, our government systems, you name it. Both from an intellectual property theft point of view as well as an espionage point of view. To me. That is as a nation, this isnt a government problem. Its not a federal cybersecurity problem. Its how do we protect, we become so dependent on our i. T. , many of you are very dependent on it right now as were speaking. Yet it also has the potential for just catastrophic impacts when its compromised. So our ability to protect against your rogue criminal or kid in the garage that used to be a threat probably isnt anymore. Its the nation state actor and the particular nation state with the capacity and capability and intent is the one that concerns me the most. Double clicking on that. In the job of federal ciso, how are you helping all of us to fix that . So i would say what were trying to do is we want the federal government to be an example. We should be setting the example for how organizations should look at cybersecurity. So to your point, you know, private entities should look at the requirements that we put upon federal agencies. Theyre for a reason. Theyre all there for a reason. Maybe too many of you to ever get to but the ability to understand the risk of your environment. So, you know, were trying to put tools out there for the country to leverage and then want to set an example and implement them with directives, policies, through special pubs, you know, through all the mechanisms and levers we have to protect your information when were holding it in the government. But also to serve as an example of how to best you can best protect your information as a citizen or as a corporation. Okay. Yeah, i agree with everything that grant said. Were running out of time. So i wont beat that horse anymore. Were all in this together.
And I think that it's the former federal CISO, we were trying to get things done right and set the good example for industry and academia and everything else, all citizens. We're all stakeholders in this process. I personally want to thank Grant and the team that's still on the watch for trying to make things better for all of us. Many thanks to Greg and to Grant for the work you've done. The work you do and many thanks to all. Thank you. [applause] Thank you. Thank you very much. Our last panelists, thank you for that interesting conversation. This fireside chat coming up now is a great segue to the last panel. This one is about harnessing artificial intelligence and machine learning and cybersecurity. The moderator is Brad Metarie. Thank you very much for moderating this panel. Please allow me to briefly introduce your panelists. As a programming note, on all the introductions I'll be giving, I'll keep them brief because you can see it up on the board and the full bios are available in your program. So those are the panelists. General Jack Shanahan, United States Air Force. He's the director, Joint Artificial Intelligence Center, JAIC, at the Pentagon. The vice president of Amazon Web Services. Chief technology advisor to the Principal Deputy Director of National Intelligence. And Lynn Parker, assistant director of artificial intelligence from the White House. Brad, over to you. All right. Thank you very much. And good afternoon. Today we're going to be talking about harnessing artificial intelligence and machine learning and cybersecurity. Today, there's probably no bigger business word in the industry than artificial intelligence. We had the Black Hat cybersecurity conference a few weeks ago. Everyone should be rest assured there's at least 3,000 AI cybersecurity companies as of last count. Our objective for this panel is to talk about real world applications and really demystify AI. So just kind of diving in, I wanted to talk about AI.
Has gone from a very technical term over the last few years, into something that's prevalent now in our program. In our programs. And, you know, AI is more than just building an algorithm. What are elements to developing a successful AI program? Dean, you want to get started? So building a successful AI program. AI is technology, but it's technology informed by people and process. I guess number one is you have to have the people with the skills in order to do the job you're asking them to do. And that means that we need, you know, from where I sit in the intelligence community, we need to invest in the workforce. One of the examples I use from time to time, if you ask an average imagery analyst what they need and their job is to look at images that are collected by satellites and classify them by what's in them, they want a bigger monitor or faster computer under their desk. What I generally mean, what is going to fundamentally change the way you're doing business tomorrow so you don't have to count airplanes on runways. The same issue is true with cyber at large. We need people who understand the promise of the technologies we're building. That know how to apply them to our particular problem and know how to know whether they work or whether they don't work. One of the fundamental challenges we all have in AI and machine learning today is the idea of assurance. How do we know when it works and when it doesn't work? That knowledge is really, really important. The cloud computing technology has produced, but we also need access to the technologies of AI. So GPUs are the most orve. But not only GPUs, but GPUs more for processors, data rays and whatever else the brilliant hardware engineers of the world are creating to accelerate these technologies. You need access to the digital foundation. Third, you need data. You have to have data. It's the curated data that is tagged properly and formatted properly so it can feed machine learning.
We need processes to create and collect that data and lastly you need mission. You need the consumers and the mission to be telling us what their problems are so we actually can go after. Technologists can build solutions for anything. We need to know what the problems are. Stated in a way we can apply the technologies. You're standing up the joint AI center. I know you're working a lot of initiatives. As you're looking at stretching your programs, what are some key things you're considering? Everything Dean just said and then a lot more on top of that. If you were to break down in any AI program, machine learning, typically our focus area right now, the three common threads whether it was an industry or in the Defense Department or the intelligence community would not surprise you. Talent, culture and data. And I can reverse the three words in any order. Those are what I deal with every day. And the data challenge is a particularly hard one for the cyber piece. Let's pull the thread on that. I was at an event a few months ago talking about other nation states, and our adversaries have the gift of data. I thus one of the things we have been struggling with is how do we bridge the gap between the government and the developer, Silicon Valley and the community to provide the data they need to build and tune algorithms. How are you seeing us start to bridge that gap? A couple different thoughts on that one. First of all, the conversation we're just having in the green room before coming in here is the difference of an Amazon or Google or Microsoft, the companies build their data in a certain way from the very beginning. The challenge is whether it's in the intel community or Department of Defense, we didn't build our data expecting a future of artificial intelligence. We have to look at what that world looks like to train against the data, integrate the models into the systems that were just never meant to have AI build them. So it's a range of problems.
To your other point. I was talking about this last week. The fact that China has access to data, which is a very common talking point of China is leading the way in adoption of AI and also in just data. Data for what? It goes back to what Dean was saying earlier. Data for what purposes. What do they intend to do? If I'm collecting social media data for the purposes of a social cred score, does that help me field a full motion video model for detecting, tracking, classifying objects on a battlefield in the Pacific or Middle East. The answer to that is no. Are they learning lessons, yes. But just data by itself is a starting point. And we can go into a lot more detail on the challenges we have of just getting to the data part of it before we bring in a model to try to assist the utility. So talking about good discussion around programs and what it means for success. When I think of Amazon, I think you guys have a lot of data and you're working to optimize and lean out a lot of your om and other functions. I want to spend time talking about some successful use cases and applications of AI in the cybersecurity world. You want to get us started and share some of the initiatives and programs that you're working on? Sure. So first, I want to echo what both of them said about what it takes to build a successful program and making AI adoption. If you look at actually what changed. Deep learning is spurring the AI revolution. It was written more than two decades ago. It's basically always been hungry for specialized computers and it's a huge amount of data storage and access and actually making it easy for everyday developer to use it. This is where things like cloud has come in to change and that's why AI is experiencing a renaissance in the cloud where an everyday developer can have access to where they can get computers on a permanent basis and get a huge amount of storage on a monthly basis. Now with this, we are seeing not just AI
being adopted in high-tech industries all of the way from let's start like cybersecurity and the example of customers like new data with the machine learning services and they're able to, not only have the machine learning deployment and development time with more than 60%, and they were nearly able to stop up to 100 of their credit card transactions with a bank. They were able to use computer techniques to actually address like phishing attacks and now not just in cybersecurity and now it is the pharma and also in financial industries like Intuit and the transaction risk, but the common thread on what it takes and not just in Amazon, but in other companies that are first. You need to buy in. To a large extent, if you're a CIO in a private sector they're a major stakeholder in the public sector, there is an element that I tend to obstruct AI like a black box that you're not comfortable trusting, but tell the personal story of Amazon, in more than five to ten years and Amazon with the leadership team realized that the machine would transfer not just the tech part of the company, but every line of business and they're in sales or marketing or pricing. So they mandated something that every team has to answer and this was more than five years ago that they actually had in their annual planning session and what is your machine learning strategy? Within parenthesis, they said no, that's not a good answer. Try again. So this forced every executor to think about what does machine learning do? What should be my machine learning strategy, and what are they going to do? So that's when we created a machine learning, and so they'll get trained on various gardens and techniques and then finally we actually had a strategy for collaborating on data sets and held customers and ourselves with annotation and data cleanup because the dirty secret about AI and machine learning is while we hire the scientists to build machine learning algorithms. More than 50% of the time they do data wrangling.
You'll probably agree which is kind of weird when you think about it because you expect them to work on the latest and greatest models and they spend so much time on data. This is why when I talk to CIOs and the stakeholders and public sector, they have the buy-in and get the strategy working well and then the third one is a talent and they're skilled in machine learning and that's why we have Amazon, and now we make it available for free so that they can get trained. This is what we see across a wide variety of industries altogether. For other panelists, what are the other use cases that we're starting to embrace from the federal government? Where are we seeing some success stories? [inaudible question] [inaudible question] [inaudible question] I know there are a couple of cybersecurity use cases that you're starting to explore. Can you talk about what you're seeing from a trend perspective there? It wouldn't surprise you to have the starting point of that be data. You could make some analogies to Project Maven as a pathfinder project where we spend a lot of our time on the front end, object labelling and preparing the data. 80%, which matches pretty much every project that I've seen is you spend 80% of your time working on the enablers and they do break down a little bit in cyber instead of going out in labeled objects for full-motion video and there are known objects on the ground and we have an ontology where people, buildings and vehicles and we work down from there and cyber is a little bit different problem to begin. What does normal look like? What is the baseline of normal? I have to know what baseline is and much more challenging on cyber than it is in a full-motion video and our humanitarian assistance to relief case, so if I go back to starting with the data problem on cyber.
It's the most basic problems that everybody begins with and data access and data quality, and data content and data classification and data format standards and you can go in different directions on that. So what we had to do was reset a bit and our challenge is without getting the technical details of this and we have 24 cybersecurity providers and all of whom are collecting data in slightly different ways. So our starting point is coming up with the cyber data framework coming up with the cyber, and to come up with a starting point with data curation and content and sharing and storage. Just on that agreement, I think we'll have much more success down the road as we bring in commercial vendors to bring product evaluation. They didn't quite know what data they were going to be seeing and there is not an ImageNet equivalent for a number of different reasons and we'll talk about that separately and we'll have to come back to ground zero on this and our first of three lines of effort is what we're calling event detection and the third one is network mapping. All of those have the same basis of a data problem. So by going back to the beginning on a cyber data framework which is nothing more than could we agree on a common set of procedures from now on on data coming in. If that's not the starting point we don't have the decades worth of really nice, clean, curated data which even Swami was saying that's not entirely true of any of the companies and it is much more true than it is for the Department of Defense than I would say for the intelligence community. And he made the point earlier that every cybersecurity company is now a cyber AI company, and I would make the point that within the last decade many companies started branding themselves as cybersecurity companies and that gets into the definition of what problem are we trying to solve, right? A decade ago we talked about cybersecurity we were talking about antivirus definition, right?
Now we're talking about a living, breathing ecosystem of the world and as General Shanahan said define normal? How do I even know the difference between what's normal and what's abnormal so I can detect anomalies and we simply don't know. We actually don't know the answers to those questions right now and that makes it challenging to develop solutions. So this community here, this cybersecurity community needs to be thinking about how do we know what's normal? How do we detect a variance in the system? How do we make sure that our systems are appropriately secured against cyber attacks that we can't get defined, and that fundamentally is the challenge. AI can help with it, but AI is not a magic bullet. It's not Jack's magic bean, right? We, it can solve some problems really, really well and other problems and particularly the kinds of AI that we're talking about now, the machine classifiers and so on. You can solve those problems and not every problem boils down to that problem. One of the pitfalls I see many customers fall into the hype or the expectation trap. AI is not a silver bullet by any means and you set out, and the best way to go is you start small and actually you reiterate and check to see how well it's a problem and continue to trade. It's almost like a journey that you're going to be on and actually not just months and years to come and you're absolutely right and you're going to find a project and it's going to be big and it's going to be massive and how we're doing in six months to a year and if not it's by definition your chance of success will be low and you're absolutely spot on, and this is something, it's almost like a journey of discipline how you had to progress. If I can add this as well on the data piece.
It's not just trying to wrangle it into a good form and it's also determining whether or not you can trust it and that gets into some of the challenges with data poisoning attacks, for instance where you may have perfectly good-looking data, but in fact it may have been tampered with in some way and so that's another challenge on top of just the quality of the data that we have from a formatting or curating perspective and has someone actually tampered with it and so that gets into R&D challenges on how to make sure that the data is pristine and the way you intended for it to be and it's not included within that, perhaps some examples of how you're learning unwillingly that a particular data set is not either is or is not indicative of some sort and that's an extra challenge of not having the data or not having good quality data. If you have that, can you trust that you have good data. And this idea of a trustworthiness, the data is really critical and you can imagine in the business of intelligence, our job is to see over the horizon with enough time to impact the difference. Well, in an era of adversarial networks producing deep, fake videos and fake text and fake audio and being able to substitute anybody's case on anybody's video, yeah. There are power tricks right now, but they have, you know, if you look down the road, it has the implication of it being very difficult for us to separate truth from fiction, and that makes the job of intelligence really, really hard, right? Because if you don't know the difference between truth and fiction, you've got a big problem on your hands so the kinds of things you're focused on in the intelligence community what's real and not real, really, really huge. It's as applicable to the cyber domain in which we look at these problems. So based upon the previous conversation, we're starting to address some fairly basic use cases and we're starting to move towards adoption. You have a captive audience here.
In terms of research and development, I would like to hone in on new ideas and where this community should be investing for the future. Dr. Parker, do you want to start us off there? Sure. When you think about AI and cybersecurity together, there's AI for cyber security and there's also the cyber security of AI and both have important challenges to them. You can imagine using AI for cyber security and doing things like being able to understand your adversary and trying to understand how they're attacking and have behavior and past history and use that to predict what future attacks might look like, for instance and that's an interesting challenge for the AI and cybersecurity. The other direction for cybersecurity for AI looking at challenges like how do you make sure that a model that an AI system learns is not reverse engineered to somehow detect sensitive data or information that you don't want your adversary to learn about. I mentioned data poisoning attacks and there are a number of other of these kinds of challenges that you want to have your assistant to be trustworthy, so that you can ensure that when you use it it will do exactly what you planned for it to do, and that is in and of itself has a lot of R&D challenge as well. The National Science and Technology Council every three years put out a national or a federal cybersecurity R&D strategic plan. So they're preparing that plan now to be coming out this year and it will outline a number of the federal government will be investing in. So for the intelligence community, I encourage you to go to the website and download the strategy and augmenting intelligence machine, AIM, and it's not to augment the intelligence and it's to augment their activities. That strategy says we need to do four things. It says we need to invest in the digital foundation, the data and the compute.
It says we need as government to be fast followers because we're in the interesting position as a federal government for probably the first time since the Second World War, we are not the leading investor in the technology area. In fact, we're not even the minority investor. The economy is the investor. In 2016 McKinsey estimated that there were 50 billion in global investment in AI and machine learning and they estimated that there was a billion dollars in U.S. investment at that time and 50 is in the billions and yes, we're spending more since 2016. The DoD has announced their strategies and we don't publish our investment, but you can imagine that the private sector investment has accelerated it and it's far exceeded government expectations and we have to be fast followers and adopt the technology of the world. Next, we have to invest in the gaps and we have to invest in the things that the private sector hasn't been invested in as we are. So think about a bell curve. Where is most of the private sector? The middle of the bell curve where your shoppers are, dollars, click, ads, eyeballs. What's the general's problem? What's my problem? Low probability, high-cost things happen out there and that's not where the majority of the investment has been made and that's from I need to invest. Our we need to be investing in long range and understanding and semantics and meaning and knowledge because ultimately counting air points faster is good, but it's not good enough I want to know why the planes ran yesterday and why not today? Because ultimately the job of intelligence is to understand that. Yeah. I'll quickly add a thing from the private sector respect. And we tend to use day one even though we're 20 years old and that shows how we tend to think.
In the machine learning world it is so early and yes, it's day one and we've just woken up and we haven't had a cup of coffee yet and it's that early in terms of how much early we are in this game and there's so much R&D that there's still more to be done and we have the internet and the early 90s and so forth. So in terms of what we need to see in R&D and it's not accessible and getting data done and there is in the machine learning models and so when it produces a result, what we see even with a health care customer is the consumers of these machine learning models, hey, you're scheduled for surgery and you may want to take and it is optimized and you may not trust the result and historically, if you had done this you will be 40% efficient and so forth. So there is even these elements of explaining these results so that people will trust it more and it's going to be a lot more important and these are some of these areas that are still in research to me and we have to invest a lot more, not just in the private sector and also with academia and there are aspects, as well and be a partner on NSF on many of these topics, as well and fund specific programs. We'll continue to do more. Just to cut to the chase, it comes to this element of trust. If we look to a future of more fighting or defense of which where we're no longer measuring actions, counteractions or seconds, but milliseconds and microseconds and trust becomes the sine qua non, and it's a pristine lab environment and doesn't work in the cases that Dean mentioned in a very dirty DoD environment and the idea of proving that it can work under those conditions and that's a partnership and give being able to perform in those instances and I would just go along with that and say we need to be thinking about AI and a red teaming approach and automating the teaming actions to think about the contextual things behind the scenes and counter AI
is what we're dealing with and it's analogous and counteraction and that is something that is upon us now and we need more thought in the commercial enterprise. That's a very interesting observation and it identified two new and if you imagine the future of combat and the adversarial AI and how we'll adapt in the war fighting demand and certainly exciting times. We have about a minute left and let's go around. Each person has 20 seconds for any parting thoughts. Dr. Parker? Certainly, if you look at the president's American AI Initiative that was signed in the executive order that happened in February, there were a lot of these issues that are front and center and the R&D issues and trying to make sure that we have the people that we need in the AI space which includes the AI applied for cybersecurity space so that we can be the lead in these areas. You look at data about making data more available in R&D with cybersecurity and there are a number of these key areas that we touched on that the federal government is taking a number of actions to try to help the nation move forward to ensure and maintain American leadership in AI going forward. Actually, we're just about at time, so to the panelists, thank you, and good discussion today and I appreciate everyone's time. Thank you. [applause] Thank you very much, Brad and the members of the panel for a great discussion. The next panel is preventing a cyber 9/11 and joining Bill on stage is Jeff Brown, chief information security officer for the Intercontinental Exchange in the New York Stock Exchange and the honorable Karen Evans and assistant secretary for cybersecurity and emergency response at the Department of Energy. So Bill, over to you. Thanks, everybody, for joining us. To start off I would like to let each of our panelists and I know we got a brief introduction and talk about the current role and what they're doing in the area of critical infrastructure. So, Jeff, if you want to start us off.
Thank you for having me. Just a quick correction when it comes to intro, Jeff Brown, head of something called Cyber Command and chief security officer for the city government of New York. We have the mission to defend all of those technologies that deliver via technology services to New Yorkers each and every day and we also have a mission to bring cybersecurity to New Yorkers and through solutions and awareness in ways that helps them navigate away from the threats that they might encounter on the internet. To your question about how we think about critical infrastructure and we as a large city government have parts of the portfolio agencies like the Department of Environmental Protection that has ICS, OT, water services and New Yorkers rely on and we also think about the criticality of things that are deemed critical services and New Yorkers have to rely on with the 911 environment and that's how we think about it. Hi. I'm Karen Evans, and I am the assistant secretary for cybersecurity, energy security and emergency response, otherwise known as CESER, and it relates to all hazards both natural and man made. So the emergency response function is really high right now on our efforts of our team due to the hurricane so I have hurricane responses. I have cyber responses, I have the energy security piece. I have GMD, EMD and we are responsible, if you're familiar with the National Response Framework, we are the ESF12 coordinators under that with for our sector-specific roles and we also have specific authorities that are designated to the Department of Energy under the FAST Act of 2015. So I think I'll stop there, and take it from there. I'm Carey Rahm, vice president of product management.
So I am fortunate enough to get around the world and talk to a lot of different cybersecurity teams and help them with their incident response and the deployment of different analytics tools and we provide a platform that allows incident responders to investigate things differently and roll out different tools to defend the network and very interesting insights that I hope I can share in the panel as to what we're seeing and what we see some of the best practices in the cybersecurity teams as of today. I'm the real information security officer of the New York Stock Exchange. A little mixup early on. I work for Intercontinental Exchange and we're a global provider of financial market infrastructure and in five different cases over three different nations, we designate critical infrastructure and that happens here via Department of Treasury in particular and I like to secure that side of the house. Awesome. So let's start talking briefly about what the threat landscape looks like right now and what are you tracking in terms of threats for your infrastructure to your organization. Karen, do you want to, sure. Mine's really easy. We can take a poll here of the audience, but anybody who has read the DNI worldwide threat assessment, not that I have this memorized, but at the bottom of page 5 it talks about what is happening with China and how China is dealing and the capabilities that they have in the energy sector as it relates to oil and natural gas and at the top of page 6 it talks very specifically about Russia's capabilities into our critical energy infrastructure and what they're capable of doing. So we're very focused on what the nation states could do. I don't own the infrastructure and it is all owned by private industry. So it would be good for us to talk about the tri-sector work that we're doing and how it relates to the National Cyber Strategy that was released by the administration. When you talk about a nation state attack, what does that look like?
What's the nightmare scenario in your mind? What do you spend the most time thinking about in that landscape? I'm thinking about it right now. We have a natural disaster happening coming up the coast. We're worried about making sure that we can keep the power on and prepositioning and working with our industry partners and it is all reliant on our industry partners and that's probably when we're the most vulnerable. Interesting. Same question to you. I can build on your answer. When it comes down to it, though as I noted before, there are things that fall into the traditional critical infrastructure category operated by the city government of New York. When it comes down to it, New Yorkers rely on a whole ecosystem of providers. There are energy companies and there are each and every piece of that critical infrastructure portfolio that makes the city run. I think when I think about the threat landscape what I'm looking at is greater connectivity and smart metering and smart services that a city needs to have guidance over, but perhaps not ownership over, and the way we have guidance over is we build better private-public partnerships and we get to be in conversations with providers because everyone has the best for New Yorkers at heart and that's how we think about approaching the future. Jerry? One thing that's really challenging in all of these roles that we have is defining the taxonomy. So when you ask about a threat it's kind of a double-edged sword. On one hand we can answer with almost anything, but on the other hand we don't get very specific. We mention threat actors and we mention threat vectors in that, and when you think about insider threat versus a specific nation state and an objective, it's just a big soup.
So what we've done is we create tax objectives which is what we found to have the unique buckets and what are try to do who they are and there are only three in there that have to do with data, and I think the most unique thing about the threat when it comes to critical infrastructure is that it's not all data like it is in the news and most of the consumer facing cyber threats and the ones that are data are intellectual property or PII or even nonpublic material information and the rest of them that are important to critical infrastructure, number one, sabotage and it's important to track it differently and not maybe because there are different threat actors and there are certainly different techniques that are effective asser have adversarially, and data manipulation is the one we worried about. You were talking about tactic, tools and procedures of the adversary and you work backwards from there essentially? Is that how you approach that? That's right. The threat objective and it's a good construct because it gives us a chance to talk at the board level about the whole ecosystem and it looks like you can take out Saudi Aramco and Sony and very different companies and threat actors and everything else and we're having the same conversation about how it manifests and some of the ransom attacks were about destruction and not about extortion that would fit there as well and that's helpful at the board level and it's helpful to take the PII attacks and say, we know what that's about and we've discussed this before and where does that fall? So to set that priority at the board level is helpful and the stepping back, for us that means let's go straight to red teaming and what did it look like when it happened elsewhere and that's where we gauge the residual risk of those. Gotcha. You have a different perspective because you work with different security teams.
Are there any trends you observe across the customers you work with in terms of the threats they spend observing in the critical structure space? Yeah, yeah. Thank you. I would say the trends are more on how they're dealing with the threats and how the thought process is changing. So we're seeing some of the advanced teams that we work with going from truly defense top strategy to more of a, okay, I know that there is a high risk of being breached. Let me put the processes and procedures in place to make sure I can deal with that quickly and I can work with the downstream impacts before they can take effect and I can understand the full extent of what actually happened, and I'm seeing them putting recording infrastructure to record everything about their environment, and that's the first thing, and being able to see what actually was impacted and what was touched and right down to the network data, and being able to respond quickly with different tools and techniques by being able to have an approach if there was an impending attack and they need some sort of new tool or a new innovation that they can apply, and we're seeing that as a general trend, and seeing it as having a lot of good effect. Gotcha. I want to drill into something, Karen, that you worry about the threats to infrastructure that you don't technically own, and that's interesting as a model, sort of it's not your fault, but it could be your problem kind of approach, and what administrative constructs do you have to put in place to handle those things. What if x behavior or x set of infrastructure, there's going to be a problem and there will be attack against that, and how do you handle that organizationally? Part of the, I'm glad you asked that because you'll want to build off of this, as well. Yeah.
We talk often about public-private partnerships and I have a deeper appreciation, especially in the role of what private-public partnerships mean, because the only way I'm going to be successful, to your point, is if the public-private partnership is there so I can convey from the approach that this is what is envisioned so that ssa does so they see value with what we're doing. The only way I can do that kind of analysis is they're contributing to the analysis capability so that we can say this is contributing to it, this is what's happening, so that we can bring what you need to the government to bear, so we have a whole government approach and we're only one critical infrastructure, right? Under the DHS umbrella. So we have the whole of government, but I have to convince them that this is within the risk models that they have, the risk registries that they have, and the way they are doing things, and our models are so different, but I would say that there is a huge trust model and a huge partnership between what is happening with the Department of Energy and the entire energy sector that if we were, when we share that information they really listen, and so it's incentivized that we need to do this to keep the lights on because we're such a critical need for the nation and the community all of the way down to the individual customer. Gotcha. Yeah, if you want to build on that. I know you were talking about similar themes? Certainly. I think what it comes down to is addressing the domino impact that can happen based on the types of cyber attacks that we've observed over the global landscape in recent years.
When you think about 9 million people over five boroughs within the geographic confines in no, the reality is when you bring together public-private partnerships and you have the right people sitting at the table with the right interest line, everyone recognizes that if one person in that diagram fails, the dominoes start to fall, and then from a business context, even though I represent a city government, I think it does resonate with the private sector partners because you say unless we together pool resources, et cetera. When you are carrying my failure on your balance sheet as a risk because of that shared risk and you have cybersecurity and effort and you start to look at ways that we can address these problems and practice together, and we've run a number of exercises, and our hope is that it will help us to not only prevent, but then, of course, respond together. And you generally find that they're receptive? Awesome. And then, Jeremy, do you have thoughts on that? I know yours is slightly different. Well, you know, one of the things that would help for the sake of the audience is you start with the title about cyber 911 and when you are close to home and you can make the pivot over to things like power and transit and all of the implications it could have. On the economic side, I think it's worth just throwing in the scenarios that we're thinking of from a critical infrastructure standpoint, and there are a lot to do with undermining confidence in the global markets, and it's important to add that context, and what does sabotage mean? I think it's important for private companies that are responsible for critical infrastructure to remember that that is not about the balance sheet and it's not about the quarterly performance anymore. We have regulators that have different specific agenda that they're trying to protect, but when it comes to things like the Department of Treasury and the domino effect that that would have all of the way through every sector immediately.
So it's not different in many ways, but in many ways it could be like splitting hairs. Sure. So we're sort of talking here about the importance of developing close partnerships with people in related to the threat model and infrastructure, and that goes to the broader theme of how are you gathering intelligence with these threats and who are you partnering with efficiently. Is there anything that you guys do in your area and how are you getting that around the critical infrastructure? The threat intelligence is, anyone who has lived through this saw it ten years ago, threat intelligence was so hot, so to speak, and it was almost a buzz thing. If you've been around for a while you might think let me wait a little bit and see if that ends up being a fad before we invest in it, and so, you know, in our organization we consumed external sources early on including some commercial sources, and later we added the formal capacities that are handling going through that, but one thing that helped us get ahead of all of that is the ISAC, and the Information Sharing Analysis Center and the fsi for financial services in particular, it really started and that is the embodiment of private-public partnership and it's a conduit between public intelligence and the private sector, and more times than not it's actually peer-to-peer sharing among the members there that bears the most fruit, and that did evolve into some automated and mechanical shares, so we have protocols for the sharing of threat intelligence and now we have systems that actually manifest some protections around that when they consume the intelligence, and even what I call the narrative intelligence, and the different banks and utilities and they reported a service attack and is anyone else seeing it, and they're so helpful because intel feeds so many pieces of the life cycle, and we think of the warning system and what's coming next, and it arms our red team so the intel somewhere else is what we'll use to emulate the threat and the
more detail we have the more accurate it will be, and it informs our controls and it informs our vulnerability assessment so we can prioritize if something is actually targeted. Interesting. So sort of forward looking. So we have a good picture of the threats you're seeing, where are you spending most of your time? I know we talked about public-private partnerships, are there others that you are trying to have for a defense apparatus for critical infrastructure? You have to think about the expanse of what a city government means with D.C. or whatever it may be. We have emergency management programs and so we're learning very much is the more connected we are into the whole apparatus of government capabilities and all of the teams that the emergency management can bring together to be proactive and exercise, there is a need to respond. A lot of times with the cybersecurity professionals and at times we may feel alone in the fight, and I think it's useful to bring back to organizations whether public or private the simple fact that if you talked to the people that are the enterprise risk managers, but have portfolios encompassing continuity of operations, et cetera. There's more capability to make sure that those services that the entity provide are resilient, reliable and can recover with peace. That's where we're seeing the trade craft now building from the state intelligence backgrounds and it's very heartening. Gotcha. So I'm, I'm going to, you guys would be disappointed if I wasn't a little controversial here, and so we're looking at it a little bit differently, again, because I have a research and development piece associated with my office and of course, we have the National Labs within the Department of Energy. So we're really looking to shift the paradigm, and really look at the framework, right? It has the circle and it talks about detect and protect, and a lot of the stuff we're talking about today is in respond and the resiliency of how to recover.
So I'm trying to change the paradigm, and what the secretary has envisioned and what we believe will provide value out to the industry as a whole is we have efforts called the Grid Modernization Initiative, which is modernizing the infrastructure to build the resiliency up front and to have self-healing capabilities to go forward and to change the dynamics, instead of us spending research on response, and we're spending a lot of research on how do you use smart technology and defined networks so you can then deploy these in a way that the system is detecting so that we can protect and then respond when we need to. So the other part is that we're not, especially in our area, as focused on information technology. So a lot of the stuff that you talk about today is very I.T. focused. We were focused on operational technology and you mentioned industrial control systems, and it's the nexus of where people are trying to gain efficiencies by using cloud to maximize that capability that comes from, okay, if we can gather this data and analyze it, like, that's what gets exploited. The more interconnections that happen, that's where we become vulnerable. So we're focused on that and then how do we secure and how do we have self-healing operational technology environments because that's, like, the I.T. world and you can look around this room and you guys are focused on operational technology. That it works and you can detect who is in there and is it running the way it's supposed to and is that supposed to be turned off and on and is that an adversarial testing and can we detect it? We're focused on changing the dynamic. Sure. Carey, are there capabilities that you see that they're trying to build out in response to these kinds of threats or, definitely.
I see swings in both directions, you know, some organizations are heavily focused on the defense side, trying to prevent, and other organizations on the response side trying to scramble and respond to the incidents that occur, and it's about getting that balance right and it's about being able to roll out new tools very quickly to defend the networks and it's also about having the historical data about what's been happening in your infrastructure so that when you do see something strange, you can go back and track what's actually occurred over time, and having that balance right is important because it allows you to then say I'm going to defend the network as best I can, but I'm going to have the infrastructure in place for the stuff that I can't defend against, and I think we all know the key issue is you cannot build a perfect infrastructure that is, you know, completely robust. At some point the state actor is going to have the resources and the know-how and the time and the skill to get into your network. You need to defend and keep those doors closed as tightly as you can and you need the information and the systems there for when someone does get in and starts to wreak havoc. As you saw with the Ukraine attack, these threats, they hang around for a long time before they actually do any damage, and that's a period of time of which we've got to actually find this behavior and find these strange occurrences and neutralize them before they actually do any damage, and getting that balance right I think really helps us achieve a much more robust infrastructure. Gotcha. Jerry, you had talked about the importance of red teaming and a proactive control where you can sort of test your infrastructure based on the terms of attacks. To what degree is the objective of the red team informed by other attacks you're seeing and what are things you might be seeing in the future. Can you tell us how you guide them?
On, it's directly informed by the intel that we receive about the type of threat objectives that we're concerned with. In that regard we're lacking, right? We have an attack or something like that and pull out the TTP as you mentioned earlier and begin there, but the whole point of that is that it's meant to be predictive, and when we talk about, so my organization is, I like to define it within the first line of defense and the second, and they're both on the reactive side and everything on the second line, I'd like to start thinking of as predictive, and the threat modelling and scanning and all of that is really meant to predict, otherwise there is no point to doing it at all and we wouldn't bother. Sorry, I'm combining two questions in one and what are we focused on and going back to that at the same time, and it's equally both sides of the house taking that intelligence and flowing it to the second line and then from the results of that, going back to the first line of controls that we need to put in place tomorrow without a doubt, but the one pervasive theme on both sides is automation, without a doubt, and I, I always say I want everyone that reports to me to take my job, right? I want to work myself out of a job because there will be new tasks that come out and that aren't on my plate, and likewise, everyone in my group really needs to be working through automation and there are other things coming down the pipe and they can't do what they were doing yesterday and what they have to do tomorrow. So when we wrestle with technology on both sides, because automation is about technology in many cases, it's build versus buy, and like any company, we struggle with that, and my approach to that to date is successful and it's called builders buying, and we do a lot of prototyping in-house and then we go to the market once we figured out the challenges and can see through the, oh, yeah, anyone can do that. How long is that build and buy cycle typically go for?
I know it varies and depends on what it is. At some point in a project we either say this is a great and noble cause. We're not scaling and it doesn't have resiliency and let's go to the market, and by then someone's created it, has done a better job or is eager to do so, but there's a niche and a small gap of things where it's not very marketable. A product that would only be useful to us, and those are actually the most valuable things that we have, and they're based somewhat on the basis and on our culture, and one of the things I talked to the board about before is, the title was things the board has done for cybersecurity, but not on purpose. We don't unwind them by accident. That could be whether you're B to B versus B to C and it has to do with the head count and your employee turnover, and all of these things have knock-on effects with cybersecurity, and when it comes to something like that, and that's great, Jerry, and we're not going to make any money off of this, then we can make it in house. Running down to the last couple of minutes and looking forward, how do you see, of the threat landscape, and is there anything that you don't see now that you anticipate to start seeing over the next one, two, five, ten years? To combat more connectivity that New Yorkers rely on, we'll see more across municipalities across the notion of cybersecurity for the public, perhaps. We launched NYC Secure, which is our commitment to New Yorkers that we would bring cybersecurity to them of choosing, and we released an app and all of the places that we provide free public wifi. And you'll see municipalities go towards the people that walk their streets and say let's help you make better decisions as you navigate away from threats and let's respect your privacy at the same time. Cool. So what we see across the board is the mix of energy, and we are energy independent as a nation, and with that means there are other vulnerabilities that come into that.
So the department has announced an advanced manufacturing initiative jointly with our Office of Efficiency and Renewable Energies, and it's dealing with trying to manufacture and foresee, how do we continue to stimulate innovation so the wind turbines and the solar panels and the EV cars and the changing the battery, because all of those devices connect into the grid, and so we are really looking to see how can we engineer those so we have a mechanism in place dealing with private industry so we can continue to be energy independent and take advantage of industry's knowledge and then advance it through manufacturing. I'm not going to continue to talk about the threats because they'll continue to evolve. In five years' time, I think there will be a much more coordinated approach to defending the networks and more platform-centric approaches where it makes it a much easier task for you to roll out new technologies. If you go to RSA or any of these big trade shows you will see thousands of innovations, but can you take advantage of those? Probably not, very difficult, so we'll see new ways to roll out technologies and roll out defenses rapidly in an agile fashion and trying to catch up to where the bad guys are at. I think we'll see advances in the identification phase and that will be critical in not just authentication now and just about every packet on the internet. I think we're about out of time and thank you, everybody, for participating in the panel. Yeah. Okay. Thank you. [ applause ]
More now from a recent cyber security conference. In this next part the discussion focuses on models for public and private collaboration as well as enhancing cloud security. Participants include the director of the NSA's new cyber security branch, who gave an overview of the new department. This is just over an hour and 45 minutes. Okay, good afternoon, everybody, again. Welcome to the second part of our program. I'd like to invite you back and
