OK. That is the sign. Good morning and welcome to CSIS. A year ago roughly we had Chris Inglis and Anne Neuberger here. But if you talk recently about the National Security Strategy, we will talk about a lot of the opportunities in front of us so I appreciate you both taking the time to do this. Thank you. We will have the ability in the final 10 or 15 minutes to ask questions. There is a button somewhere on the screen online where you can submit a question. We'll see what you can do. What usually happens is in the last 90 seconds we have questions. Do not wait. Do it first. But let me start by asking you both where you think we are. It has been a year of some progress but where do you think we are on cybersecurity? Anne: I'm happy to start. Hopefully we are on the same page so we will finish each other's sentences here. The threat in cyberspace continues to rapidly advance. We live in such a digitized society and the more connected it becomes in our personal data, from a national perspective and critical services. The more opportunity there is from countries to criminals, delivered state connection. We used to be concerned about collecting intelligence. Our concerns have evolved and we are most concerned about degradation or disruption of critical services. Over the last year we took that on in three moves or more. We are happy to talk about more and to focus on security as a critical thing in this country. But Texas Services that could bring hazards to justice from providers of support for chemicals, to hospitals, and focusing on putting in place security requirements to have confidence of what security is in this sector. So that focus on critical infrastructure has been one. And a shout out to the agencies who have led that before now. The second recognition that cybersecurity is a global fight and we want to be arm in arm with partners and allies around the world.
There are coalitions to tackle things like ransomware, working with countries who we see compromises of setting standards for critical infrastructure for examples of the countries around the world get one voice from various governments. And finally, emerging technology saying it wouldn't it be wonderful to be secure by design? We are looking at areas from digital assets to photography, doing that from the ground up so that we give our successors potentially an easier fica the one we are in. Chris: I would say ditto. There is a focus on telecom. How we live are not just critical functions but the confidence that those critical functions will deliver for our that has been our limitless focus. Relentless focus. There are two things that have driven the focus on the means by which we do that. The first is resilience by design. Today or a year ago the focus oftentimes was on operational some -- operational response. We responded well about a year ago, but we responded that we time after time, we just lose more slowly. You need to push responsibility for building resilience by design to the technology, the roles and responsibilities. And hopefully we avoid those events or we are in a place where we can fix it at the earliest moment to focus on how we have the responsibility is not just within the government federal government but in state and local levels and across the private sector. Want to make sure that people are up to speed. Hosted a conference at the White House in July this year where we could focus on those people and make sure that every person who uses cyberspace has enough information and knowledge and that intuitive and convenience that they can exercise their operations in cyberspace without worrying about that. We don't want them to obsess about threats, we want them to obsess about their aspirations.
If we do those things, we get the roles and responsibilities right and we get the people in the right place, what are the attributes of technology and leadership? In 2021, delivered in May, it was a watershed moment to make the commitment to get the technology architecture rights. But on top of that, the other architecture is four years old. But how do we make it safe and our expectations of it? Last I would say is to get the resilience by design rights, happens on top of that, they have to walk away from the idea that we can do that by division sectors. We have to have collaboration, discuss things together, mitigate and deal with situations that they have to be old beat all of us to be one of us. That has been in many examples over the last year, like the Ukrainian crisis. The underpinning architecture, resilience by design has a high leverage effect in their ability to protect it. There is a defense between the private sector and governments, plural, will hold its own against numerically and sometimes technologically superior threats. We need to focus on that to hold our own and achieve this. One of the things that impressed me in not necessarily a good rant was the willingness of you guys to take on one of the biggest problems. That is that we build infrastructure and internet based on touch regulation, voluntary efforts. Do people in your audience know what the shrinkwrap is, you remove the shrinkwrap and all liability transfers to you. This is a sector that is very different from others. You have been more than middling at the attitude. I say interest because it is a big bet. You intend to change the market. It is an open question but we can look at specifics. Talked about the regulatory, security and IoT, I want to go back to the standards. A pet project of mine. What are you thinking in terms of shifting us away from the 1990s approach to how we govern cyberspace? What are the tools and policies he will pursue?
Chris: With all respect, we have done this before. We addressed the safety of transportation systems, whether it was the devices, automobiles and airplanes, or the systems to convey themselves one place to another. The manufacturers and their suppliers, there was discussion about safety precautions and safety features built-in. You might remember the day we started scratching into the walls and competing with those factors. You get to a point that what remains in terms of the features that must exist in order to guarantee the confidence and safe use of the systems has to be specified. I don't think it is not as much is the inevitable truth. We need to provide the lightest possible touch to provide those discretionary features. The good news is there is a huge degree of collaborative effort not just across federal bureaucracy and the states but across the private sector. When you talk to leaders, the technologists individuals in the board rooms, acknowledge that resilience has to be built within the systems. There are discussions about the degree to which we assign responsibility everyone agrees I think that the first and last line of defense cannot be the user at the end of the chain. We have to push that. Anne: Building on his comments, I think there are three areas that are really guiding our approach to this. The three key areas that I think are at the root of the failure in cybersecurity he was describing. First, visibility. When someone is making purchase decisions for tech, other consumers buying a PC or the power demand on a center, they have no way of knowing what is the security of this device? The second is what makes a difference? What kinds of security features actually drive down risk? I will talk more about that. And the third, it is not correct to treat everybody and everything as the same, there is a spectrum of risk and we need to ensure that the security requirements match the risk in that area. First, visibility.
At the root, the internet efforts in the spring, where we hosted an event at the White House a couple weeks ago, it is saying the data shows that consumers are willing to pay more for security. They value security but they can't make a decision when they are buying. Kind of like I am a New Yorker. Think about the restaurants in New York, having to do the ABCD rating in the front window. That helps the customer rapidly decide where am I going? A lot of this has a C rating. Great work has been done across the tech industry. I want to shout out to the director and her team who has been thinking through how to make this real. That is the first. On the second, what makes a difference? The National Security Memorandum a year ago task does to create performance controls. That was under the great leadership, that will not just last week. That mold out what will impact security. And finally, what is the spectrum of risk? Clearly, and here I'm going to highlight the administrative TSA and the tremendous leadership he has done. He uses security directives to improve the security, oil and gas pipelines and more. They started by saying who are the critical providers in this sector? The 57 entity is. And start with them who are highest risk because they transport hazardous materials, the largest in the country, and those three things, giving visibility so people can make the choices they want to make but don't have the data for, they can get easier by saying here are the standard controls we are bringing for you and finally the leadership of key lead agencies for the sector, saying not everybody in the sector is even equal. We will start with the highest risk. Chris: I think we agree on one thing more, there are distinguished, differentiated attributes in the sectors. But it will be well realized there are some entities in this ecosystem that operate in many of them.
We need to make sure that we harmonize these galatians and expectations even within some sectors, multiple state and international organizations that weigh in and the expectations in the form of reporting requirements or regulations about the attributes and the architecture they've built and we need to make sure that we rationalize that so again we specify what is necessary with the lightest possible touch so that innovation and capacity generation can continue. So it is great for the last 40 and 50 years. You talk about regulation and there needs to be a third rail. Let's talk a little about that. Later I will tease you about voluntary digital entities. But what are you envisioning when you say regulation? Is it the sector specific approach we have been taking? How are we going to do this? Anne: Rule number one, use what you have got because you can move fast is in that way. Number two is one size does not fit all. In each sector, it is different. If you have a large system, the operational system, we are concerned about the larger risk. In his defense from those materials. Principle number one is to approach this by saying, what are the requirements? The standard is in place. And sector by sector, what is the additional we feel that. Energy, chemicals. They have the best understanding of their sector to design this, where there is a commonality, they learn from each other and the distinct differences to address the core risk there. The word regulation or the report has a sense of burden. Someone is about to require a burden, bear some penalty or cost. We seldom think about what is the more important feature, which is who are the beneficiaries? I think Congress has been saying in the reporting law, they were careful about spending and the beneficiaries and left some liability in the report. The two will not be held accountable under compliance. But if she areas in all of these are intended to be the ultimate users in this ecosystem.
So they can have confidence that the critical functions that they used to conduct their daily lives will work as advertised. They have every confidence in the world and when we that's when we flip the switch it will come on. That benefit is often looked at as not in the conversation we talk about how best we can deliver that confidence. There needs to be expectations across their. Users participate in his or her focus and we hold our citizens accountable to not drink and drive, to not text while they drive. There is an equivalent in cyberspace. But they alone seem to be bearing the entire burden. So the beneficiaries, they can process profit. The light switch analogy made me think about cloud computing and third-party services. Which is sort of how you began your tenure with a welcome presence from our Russian friends. They have been doing it for a while. There's actually some retro session. They are moving away from using the cloud which is a mistake. It is a contentious issue. What do you think about securing the cloud and how do you think about where this fits into a larger federal IT ecosystem? The cloud it's an important commodity going forward. It is. We have to make sure it is resilient by design. Let me use a rough analogy. When you have this, you have an expectation you don't have to go to a separate showroom to argue what security features you will be paying for. We don't do that with cars. When you buy a car, it comes with a seatbelt and brakes built-in. We need to cleat the -- treat the cloud the same way. There is a willingness that exists within the space where that is happening naturally. The need to make sure that those critical services, that the commodity can deliver the goods. So we will ensure that the specifications about what is not discretionary, what must be in there is in there.
The economy to scale, I think we will make it economically viable and at the end of the day, for all of the users and not just the federal government, something that is well worth it. Anne: This move to the cloud is far easier. Large enterprises, private or government, have thousands of devices they have to manage, maintain. So moving to the cloud first from a security perspective and also use of tech, there is a sense of paying for what you use versus what is in every desktop. Moving to the cloud does make it easier. But as he mentioned, the move itself, unless the cloud is properly administered for security, one does not get the full security benefit. For too long, cloud providers said it is up to the customer. The argument we have been making is to say that works in that environment. A chip has one company, operations and another, cloud providers, that is the place to draw the accountability we are talking about. If you are a provider in tech, you are responsible for providing a baseline of security in that tech. You may have some customers who have higher security requirements and they will use encryption because they don't want to use commercial encryption. That is a baseline. But it is on the customer. We think it is fundamentally false. This is the place to shift the responsibility. You talked about it in your example a moment ago, to the provider. Delivering a service and a secure service. I agree with that. One thing we have not spoken to is the high degree of conversation required to get this right. I remember an earlier engagement I had in my tenure talking to a major manufacturer of software that we were talking to. They said I love this newfound ability to collaborate with you, to answer your questions. He said what will be better is if you let me nominate some of the questions. He was right. We need to make sure this consultation helps us identify it through the lens they enjoy, when the innovation and generation takes place, it is the same.
How do we understand the right goals, degree of consultation is taking place, where a government that will act on behalf of the citizens and consultation with those folks who have 90% of the work before them will be necessary to understand a request and get those questions out. I think we are in a process of evolution from the old high-risk space to a more mature one where it is treated more like other industries. That is a good thing but also challenging. So I give you credit for tackling it. I agree we will probably be there. But a couple of issues have come up. If everyone in the room has been following cybersecurity for a while, we see remakes of ideas, let me go over a couple. You talked about using insurance. The very first event I did on cybersecurity 20 years ago moves about was about how sick -- insurance would drive us to secure networks. I'm still waiting. [laughter] Chris it was not a good idea then and it is not a good idea now. So hard on me. [laughter] But maybe we will ensure there are couple of things. The first is the moral hazard and the second is the tendency of some companies to declare it as an act of war. It is often a state actor who is responsible and therefore they are excused. And we would only insure for catastrophic events. I'm not quite sure what a catastrophe in cyberspace would look like. Maybe you could just touch on where do you think the insurance avenue will lead us if we pursue it? Let's step back for a minute and be agnostic of what we would imply, the insurance let's think about what insurance typically does. It is not just transfer risk from party to party B. It differentiates between risk and addresses that risk by imposing expectations about how it becomes a good risk so they can in fact have rates that are preferable, technology that drives those rates. It is upon the practice that essentially gets everyone to a better place. So they can raise most if not all. Now how does that work in the cyber market place?
There is no expectation people are going to buy it so there is no diversified risk. There's not enough information to do the actuarial analysis because of sector one. And they can assess and address that risk. Three, a high degree of hazard in that space that often goes to the darkest possible corner of the road and risk. Four, it is not in the tort industries that you can for yourself into that and say I can help you apply that risk down by doing the equivalent of smoke alarms or fire detectors, or fire retardant materials. All those are within the realm of possibility for cyber, weaved is not organized it. And achieved the beneficial effects. It could be viable but we have not taken care of the underpinnings to make it such. The government in the private sector together can consider how to create a viable insurance marketplace. Not to transfer risk, but to achieve the proposition. Anne: To add to that, why you are right 20 years ago. Why we are still thinking about insurance at the top. One is my husband and I bought a 100-year-old home. We could not get home insurance without putting in place a smoke alarm. Because of the idea that you can't detect a threat, it will lead to this. Second, when our teenage son joined our family car insurance, you will know what the impact of that was. Because the data shows what teenage boys do. Or potentially could do. Insurance has the opportunity to incentivize good and punish negligence. Incentivize the good. So we now have a good understanding of which practices drive down security risk. Insurance can say put those practices in place, your premium price will change. Or have a look and say, were you the entity during those best practices, and if you were, we will treat you differently. So that opportunity to incentivize the good and punish the negligence, punish too strong a word, but making it clear that negligence can play a factor. I think that is important.
The second aspect is the gathering of data across incidents that happen or that don't happen to give the best insight on what matters with regards to security investment. Security costs money. People want the highest investment on what they spend. That is communal data about what they practice with regard to compromise and lack thereof. We will continue to evolve. It is always new and creative techniques, whether information or criminal. What we really want to do is say what makes a difference in tracking down that risk? There is opportunity for insurance to help us get there. Chris: In the middle of thought is this notion that the insurer looks at the insured party and says I have expectations of you that read you require the service. In cyberspace they are people that sam want to take risk what I want someone that will relieve me of that risk. Or save me from that risk. They need to purchase paid in the defense of this space. They need to push some responsibility or strain in ways that they have not before so it is a defensible proposition when it gets a user in that space. But it does not absolve me from dissipating in my own advance events. I need to make some changes in my behavior to be worthy of being insured. That happens about every other insurance marketplace. That contract or compact between the insured and the insurer is important in this space and will modify behavior as much it will ring this. To make it make sure it is working, I don't want to spend the whole session on this, you need actuarial data and more. There are some effort to change that picture with the notification requirements that Congress has created and with efforts to update the cybersecurity framework. Ahead of the curve. Where do you think it will lead? Most people can feel when they have been hacked so it makes it hard to touch risk. Chris: I think we have been careful and we give credit to Congress for this.
We hold harmless those who faithfully execute the reporting requirements that they are not going to be held liable. That should be something that drives those to have a greater understanding of what is happening across this space. We have what is described as the actuarial data. I want to know more about the practices that can bend and the needle down. It is to judge risk, bad risk and say I can help you participate in your own defense and bear that risk. All of those are predicates for ultimately a viable insurance marketplace. It is early days, it is not something that we have a script to say we will be there. But I think it has been tried and true in other domains of interest. I have a guest from the daily central bank recently who said they were shocked at the lack of a common digital identifier in the United States. That it was more convenient in Denmark. Other countries have been successful in creating digital data but it tends to be small. Estonia, Denmark and others. What are you thinking in terms of fixing this? Voluntary approach, this will be my fourth try at a voluntary approach if you do it so perhaps there are some pitfalls. On the other hand, America is so uniquely driven by individual privacy that government identifier is not possible. What are you thinking on digital identifiers? This has been a problem from the start. Anne: Chris is probably smiling. We have an amazing team who have been together. So here are the thoughts. Overall what I'm thinking generally is the absence of a trusted ID. And I mean some type of controlling identity. Billions of dollars in fraud, identity theft and tremendous harm to Americans every day. Harm, wasted time. I think that is a major issue. It typically hurts the most vulnerable populations. We start to have the conversation, we cannot allow it to become a privacy versus security conversation. Instead or one or the other. We need to put both on the scale and look at this.
Because the cost of the current ecosystem and the population, in terms of government programs that are necessary to the right people at the right time, identity theft down the line, and we can do it in a secure way that protects privacy and can provide this. One of the most helpful developments in this space has been what individual states have done. We have taken details, specifically a shout out to Maryland and Arizona, scope different states. Which is different states and we were impressed with their security features and privacy features, civil liberty features. Those were thoughtful progress. This is the thing, licenses are our IDs. There is already significant data. Let's just make it one that can be used online. When you are logging into your medical records or your bank account, that is in your pocket and in a digital way it can validate who you are. Before we go, we give out the license information. Let's take it to the next step to make it useful to address the significance. That is where we are watching state-by-state. We are currently thinking through how that could be used to address what you talked about. It is certainly a challenging issue. It is an issue a number of countries around the world have. There are digital IDs for individuals to use voluntarily when they want to. If an individual wants to be safe online they have a digital ID that can be recognized. There is a lot we can learn from countries that have gone before us to address this issue. It is important to take it step-by-step in a way that people can understand and a way that means putting in place the right steps for the long haul. Chris: I agree with all of that and I will double down on one point, which is that oftentimes cybersecurity is something described that as something that contends with this. I would argue we should put it in its proper place by supporting it into our societal and individual interests.
It should be expected to deliver policy and all of the aspirations and individuals that we have. If we get that right, cybersecurity can enhance privacy and it makes all the difference. We have talked about data stewardship. That relates. It is now part of cybersecurity. What would you want to see change in our national approach to data stewardship? Anne: When we look at the data, there are some data that we know is needs to be protected. National level health data. National database or national formation regarding health in the country, reactions to particular sicknesses, spread of a disease. When you think about data later to banking or financial systems, when you think about opportunities to information sharing. For example, one of the reasons social media platforms and their role in countering disinformation is such a priority for us. It is because the health of the society is also a big issue and the weight comes together in democracy is part of the issue. So we know there is data important to us on a national level in addition to the individual data for people that we want to protect. Need to have standards and processes in place to ensure that data does not fall into the wrong hands. There is the innovation that makes our economy unique. We know that the AI and the data aggregation that enables that additional service so we don't waste it in traffic is something we value. But there is also the information there that is useful from a national perspective. How do you prevent those accidents, but how do you protect sensitive information? We are thinking through the innovated aspects of that but also protect where obligated data has national risk. For too long, technology has been the organizing principle of cyberspace. It is understandable. With the pacing of technology turns over month by month.
The organizing principle should be returned to people, their aspirations and the data in the environment that they store that space, the choices, decision and coordination they would exercise throughout space. I talked to someone who directs the efforts who makes an argument that we should not talk about data care the same way we talk about health care. It is a worthy consideration to say should we reorient ourselves to think about the core issue here which is driven by technology? The yes or no question, do you think we need to beat the drum on multifactor authentication, or have people gotten the message? We are seeing improvement. Until we are at 100%, why not beat the drum? For those watching, if you are not using dual factor authentication, now would be the time. Anne: Please do so you will stop hearing more about it. On that note. First, if we have questions, please get them to her and we will go through them. Second, you both came at a good time for cybersecurity because there is a lot of action. One of the big issues was ransomware. There is an initiative, is it next week? With 30 countries, 37. How well are we doing on ransomware? Some is media tight. But I'm hearing it has not gone down in some ways. What is the take on ransomware? Anne: I will start on that one. Ransomware is a tough problem because fundamentally it is hard when many of the criminal actors are sitting in countries where we don't have a relationship with them. Fundamentally a deterrence problem. What we have done, tremendous work across the agency and is specifically shout out the Treasury and Justice who has done the bulk of the work there, his approach this as fiscally driven problem. In that way, we have done sentencing within the U.S. and internationally. I will highlight the international aspect first because the core example of transactional crime. You have infrastructure in countries, and after in this country and a movement across the cryptocurrency ecosystem.
We stood up a year ago on our initiative to say America is going to weed out the problem that is disrupting hospitals, banks and schools around the world. We will lead by both providing capacity and guiding an international partnership and being off and on with our partners. We have 5 billion groups, let us by other countries. And tremendous work has happened throughout the year. One day and Tuesday, those countries are coming together in person for two days of work, focus on how we can disrupt actors and infrastructure, how we effectively get cryptocurrency exchanges implement it in the customer rules to pursue money. We've worked in international diplomatic menus. We are excited in this space deeply appreciative of the partnership around the world. I have colleagues like David in Singapore, one in India. Our colleagues in Lithuania and our cholla lead a lot of that work. In the U.S., we have focused on disrupting that ecosystem by designating entities that lock your funds across the blockchain. We designated the largest with cash. After a series using it to launder the funds and convert it to currency. We have done extensive exchanges with cryptocurrency exchanges, customer implementation and of course somewhere after. But something we have been talking about is something called responsibility and hospitals, schools and other entities put in place the resilient practices that we know make them harder targets against criminals. And finally, not to pay the ransom. Every time the ransom is paid, it might make it easier for that entity, it incentivizes the activity. So you need someone to volunteer to be victim number one. Good work. Chris: I think the point she was making at the end there is we should address the hazard which continues to be real in the world. It is a prodigious set of capabilities that allows folks in these sanctuaries around the world to operate up to this point in time with some degree of impunity.
We can kick the legs out from under to remain remove the hazard. But there is more than needs to be done to make it such that they cannot prevail. For every ransomware attack that shows off above the fold chemotherapy been several avoided because organizations made a choice about what information they would open risk in their systems. About whether they would have backups, encrypt data that is useful useless to somebody. There is a website put out a year ago, stop ransomware, stopransomware.gov. You don't need money, you just need time and to you don't need money. The hazards are still there. We might be looking in the wrong direction if something comes our way. We are at both ends of that problem. But we are not going to shoot our way out of this. We practice those things so that we are not a viable target. Anne: I appreciate that he mentioned the stopransomware.gov site. Thank you. There are some topics that governments remain nervous about addressing. Others like ransomware they want to engage. Anne: That is exactly it. We talked about the Iranian and Russian activity online, there are some fallout or they are not ready to do so publicly. Talk about criminal behavior disrupting criminal services in country after country, everybody jumps in and says thank you America for leading and partnering, want to be in. That is why what is core about this ransomware initiative is this first set of countries is not the traditional ones we usually partner with. It includes Brazil, the Dominican Republic, Kenya, South Africa. A broader set of countries and we are hopeful by taking on a target that we all agree is harmful, builds the processes and sharing and relationships that we then can build on. To your points, the agreement right away that we can do this on and on. Chris: Your question, there is much of the world that we don't agree on, at cybersecurity we agree on a profound amount.
Many nations should about the White House the summer to sign a declaration about the internet. It talked about the common attributes and values of our various societies which don't have the same forms of government across the spectrum, but we can agree these are the things our citizens think, there is a two-day conference next week to put our money where our mouth is and address those spaces and support the practices that will avoid those if we can't remove them entirely. That is a good news story. There is work to be done but there is a coalition formed to do it. And we are making real this premise that many of us could be pointless. We stopped defending alone in a way that the risk to the adversary is much higher. There will be evicted before they can do their dirty work. I should know that we hope at some point to get a cyber ambassador here from the State Department. The state has reorganized itself to be on the job. I don't know where he is but I'm sure he's doing the Lord's work. And trying to get them to come to this event. I got responses for two times so he is taking the bull by the horns. The larger premise here, it is not a friendly remark. We regret that this team has been raised we have many regrets but this team is sean merritt. And to get to serve alongside that team, private and public, is simply a privilege and a pleasure. On a daily basis, the collaboration is unlike anything else I have experienced in times past or the complementary nest of these responsibilities because of the culture they have directed the main play. Clerks are agreed. Some of this maturation process, you guys have been in the business for a long time and we do not have that before. You have people who know the field. We do not have that before. The final thing I will say is if you can figure out a way to get four or five people on stage at the same time, let me know. We did try. Anne: To his point, it is not for five. It is probably 12 or 13. Agencies like commerce and others.
The intelligence community, the FBI. That is the team across government. As the private sector partners in everything, the industry Monday and Tuesday, we have a session where we have companies coming in from around the world, not just American companies, asking them three questions. What can you do to help in this fight? What can they do better in this fight in government? And what can we do Work Together? Please come with hard-hitting ideas so don't be embarrassed to say guide your family to do better. We have those superb events this week. Chris had one [laughter] in the electric vehicle marketplace. They're committing to the innovation they were undertaking. And government officials from the requisite agencies across innovation and the various support activities that sector specific entities take. The question was about the American People in agencies setting an expectation that electric vehicles will perform reliably and safely when they're dependent on Digital Infrastructure which they already are, what is the role and responsibility of every person in this room to look at innovation and standards? It was a wonderful discussion. They might have said in that room you walk away from that committed for that particular initiative, to undertake the work necessary to deliver to the American People what they expect. My sense is that the politics of cybersecurity have changed in a good way. Perhaps in 2012, it was much more confrontational. Now there is greater interest in collaboration. Something else has changed as well. It has always been true that cyber has been horizontal. Meaning you can't support them to the market. But we have acknowledged we are taking that as a feature. We can apply concurrently in a complement to refashion all of these capabilities. We can do it in a way where we are coherent. We can overwhelm any adversary, any opposition we might have and stop obsessing about those threats and start obsessing about our aspirations in that space.
But if we operate independently, using more capability than we have, we will be as we have been, ticked off one of the time. Clerks speaking of authorities, one question we got was what do you need from Congress? I immediately thought of the mtaa which has provisions are important infrastructure and accountability on topics they have raised here. What is it you need from Congress without getting in trouble? This is a nonpartisan bipartisan approach to this. It is hard question to expect solid answers. And they can't tell whether a Republican, Democrat or independent is asking those questions that it is a feature. A byproduct of some of the recommendations, there was a watershed delivery of legislative reform or positions that we have been executing on the executive branch side. This year there will be a few more provisions but essentially they will add to the property. Through the Congress of the American People about more should be done. That is what we ask for. But we hope to have them accountable in a way that is bipartisan and a focus on the benefits of the American People as opposed to a political exercise which I've not experienced. We have a couple of questions going through the stack here. I apologize if we do not answer your question. Just start of the initiatives on the workforce. My one contribution was do they do it at scale or don't bother? Chris: Let me start and I'm sure she will add. Most people know, I'm sure some don't, we are successful. The denominator is flying away from us. At the moment one third of the jobs are not. That means we need to lead with them and everything about the proposition and we specify those jobs properly. Have we appealed to the broadest population that we fill those jobs and how we manage the transition to those jobs? We need to take that on by reexamining every piece of that. But there are adjacent disciplines and fields, lawyers and CEOs who learned their craft that was developed by millennia over millennia.
It implicates cyber futures as well. They need to know more about how it works and the consequences and the choices than they do. Need to get into that kind of curricula. Then there is everyone. The all population. Within the United States, upwards of 350, 60 Million People who are not digital natives, and we teach them about managing hot stoves and the city street then cyberspace in the moment. We need to address that as well. We need to get technology that is inherently resilient and robust and is intuitive to use. We have convened in the White House. In the White House there is a summit of leaders from the private sector who employ this and often generate skills, academics, traditional and nontraditional and federal leaders. So we can understand what is the nature of the challenge? What is a framework we can address that? What are those practices we can at scale connect, leverage and resources that we can actually solve those problems, get the adjacent in the right place, get everyone aware as is necessary. We will ultimately write a National Strategy for cyber education. Maybe upscaling the American People to take full advantage of cyberspace. It is a more accurate description of what it is. There is a script of enumerated responsibilities and someone with a bullhorn is directing those. It will be a framework in which we say this is what we can do to at scale reverse the trend and get this ready. The private sector as well, academia is all in and other countries are all in. Any conversation I have had about the topics we have that today where the face is bright and this is the return to the people, everyone is in the same place. Everyone has the same desire to turn that around. That is upsetting because I got you a bullhorn for Christmas. Anne: I know we are short on time, what is so cool about fed security is our open jobs. The traditional path of a College Education is not needed to start out or grow your career to become an expert.
That is so cool because it offers opportunity for folks of all different backgrounds in a growing field where there can be hands-on technical experts, compliance or policy experts or one can be a figure picture risk seeking expert. When you look at for example online services, uplifting the lycee here are some certificates, you will show you have those hands-on skills. In this it brings in a workforce that may have thought that is not something for me. And some folks who college may not be the right path for. That offers an alternative path that there are open jobs and thinking through what are the ways to ensure that those folks, the average American knows how to stay safe online, absolutely. But people who would not have thought of themselves as taking advantage of this open job opportunity now see a path to do so, and is exciting. We have multiple good questions. What I'm going to do is gather those here. Great. Let me ask one final one for me. What did you learn from Ukraine? We have talked to an Israeli general and said Ukraine made them wonder about the utility of attacks. That is interesting from an Israeli. It is an emerging technology, a different type of war. Cyber is a big part of it but it is only in the inability of the Russians to execute. What did you learn from Ukraine? What are you going to do differently after Ukraine? Anne: That is a good question. I would say three pieces. Preparation, partnership and private sector. What do I mean by that? Ukraine was a rallying call for Cyber Security experts. Sometimes they say oh my god, to recognize with the hard work and one can be in a place Ukraine took a lesson from 2014, 2015 and the attacks on their electricity infrastructure. They got hard to work with international partners, the national labs, and worked to secure their grid. They cut ties to the Russian grid before the war and reconnected to the European grid.
Fundamentally, that preparation and International Partnership put them in a place to defend Critical Infrastructure. Next, International Partnership. Every country was on alert to see where destructive use of anything going on in Ukraine and let's share that information rapidly so we do not have a repeat. We have seen we continue to remain vigilant. Learn from Ukraine, continuously watching none of us have stopped. That is a continuous concern. Finally, private sector partnership. Moving away from cyber, the role of commercial space in providing capabilities that heretofore were National Capabilities is a huge opportunity and risk to think about those. Whether it is surveillance, medication in the hands of malicious actors. How we ensure we leverage the opportunity and consider the risks. Thinking about the advances that have happened in an emerging technology is really key. I know we are short on time and I want Chris to answer. Chris: I agree and I would go back to what your Israeli friend told you but I would generalize. It is not about tanks, technology, it is about expertise and the way we apply that expertise in a collaborative fashion. Expertise dominated the battlefield which is the Ukrainians are good at cyber defense. It was not about the perfect architecture. The partnerships made a discernible difference and has them prevailing. In my own case I underestimated the interior defense. When you're back to back with the defender you can hold your own. That may not be an endearing proposition or something that is sufficiently overwhelming, but so far, they have shown that expertise and collaboration matters. We have a lot of work to do. A company gave me a drone and what is cool about it is it is in my office. It fits in a briefcase and it turns your phone into a targeting device. It uses Artificial Intelligence and you tap on the thing you want the drone to follow and it follows it until the battery runs out. That is pretty cool.
Chris: I think I've changed my mind. I have four questions and then you have day jobs, so you can pick. Someone said can you discuss let me do them all and then pick the one you have time for. Can you discuss the mandates included in the Cyber Strategy? What about improving accountability for negligent in cybercrime? We have touched on all these issues. Question about legislation and recent legislation does not mention Cyber Security. How does that happen? The Inflation Reduction Act. I cannot read your writing. Why was it in the bill? Good question. You can search for the word. Can you discuss partnership to enhance the chemical sector cybersecurity? Finally, we can do post quantum later. We can talk about that later. Were any of those that piqued your interest? Chris: The middle when you talk about legislation whether you did the word search and it did not have enough of cyber or cybersecurity. Cyber is not an end in and of itself. Cybersecurity is not an end in and of itself. It is a means by which we deliver the things we care about. We are spending 1.2 trillion on infrastructure across the nation. 1 billion of that has been allocated for cybersecurity deployed to the states and local governments. 1.2 trillion will be spent on things fundamentally dependent on Digital Infrastructure. If we get that right and build resilience into that infrastructure, we will make a massive uplift in our resilience not for its own sake, but so we have confident assumptions that we care about. 52 billion being spent to improve the ability to have confidence in the supply chain. You can use it for good purposes as much as other purposes. The CHIPS Act is all about resilience and robustness of the supply chain. Cyber, whether the word exists, is in there. It is trying to talk about resilience in the society we have confidence in the things delivered to us. I look at everything and see cyber. That is because cyber is in my job title but it is the means, not the end.
You can use every activity and dollar you spend to achieve the resilience we need and we want in society. One change is we have money in the equation which is a tribute to Congress and bipartisanship. Anne: In IIJA, they represent Biden's focus on addressing domestic resilience, physical or digital, and we are plugged into the teams to ensure that as, for example, including sensors for weight management. It is the cool opportunities to think about instead of sending a Maintenance Team having the sensors say, this needs maintenance, this doesn't. This topic may not be in the words, execution was an understanding. The president talks about resilience and he means physical and digital. Post quantum, it is the finest example of securing by design today and a decade or more off the line. We want to roll out new encryption that can defend against a potential quantum computer and is not a one year effort, it is a lengthy effort. Build the algorithm and standardize them, deploy them in new devices, deploy them at scale so the elements of infrastructure encryption gives us, like the padlock on a browser, will continue to exist in a way that is transparent and invisible. And the partnership between the public and private sectors in doing that is foundational he building new Digital Infrastructure we can trust and rely on. It is a great opportunity. There is a lot of technical problems, hard making it happen problems, but the fact that we got started in this way gives us a sense we can do this. Solve the hard problems by thinking about it in advance. When you study history things appear to be bumpy and scratchy and difficult. That would apply to cybersecurity. But when you take the longer perspective it looks like a steady upward path. Many of the successes in American history, when you look at the implementation, when you read the people's notes, there were tough cycles. You guys are doing great.
Taking a step back, the path has been upward. Thank you for that. Thank you for taking the time. Thank you for coming out this morning. Chris: I think our truest regret being here today is that Rob Joyce is not here, Brian is not here. We represent their story and the private sector's story. This is a team site and a team endeavor. We reached out to some of those people. If you could figure out a way to get them scheduled. Chris: Somebody has to be doing the real work. [laughter] Maybe I should start planning a year from now. Anne: Thank you for having us and the questions. Being somebody we always talk to when we face hard problems. Thank you for coming today and thank you, everyone. [applause]
