General for National Security john carlin and google Vice President vince serf. This is an hour and 15 minutes. All right, well, good afternoon, everybody. I want to welcome you to our cybersecurity summit that were having. My initiative is meet the threat to deal with the cybersecurity issues we have. Im always excited. But im really excited, really excited today to host this conversation and highlight all the great work that the nga has been doing. But before we do that, i do want to mention a resolution that we have that we talked about it at lunch today with all the governors. We have a resolution honoring the memory of justin stevens. Justin stevens, as you know served the National Governors association as the legislative director for the ngas Public Safety and Homeland Security committee. He worked very closely with me as well as governor hutchison here. Justin was also the point person for us on the council of governors. Those interest five democrats, five republicans appointed by the president to work with our intelligence and defense agency. Justin did an absolutely magnificent job, even during his very difficult times with his illness, he remained always positive and continued to respond to the needs of all of the governors. Justin was a National Voice and expert for our governors on issues ranging from cybersecurity to veterans to disaster relief. We cannot thank justin and his family enough for allowing us to be a small part of his life. He was an incredible young man. And the contributions that he made will never be forgotten by the folks at the nga. We express our sincere condolences to justin stevensons family and we honor his memory. At this moment i would ask can we have a moment of silence for justin. Thank you. As you know, this past july i kicked off my initiative meet the threat states confront the cyberchallenges to provide states the resources they need to enhance cybersecurity. For far too long cybersecurity has been an Information Technology issue that required technical solution. Through our initiative have and will continue to highlight that cybersecurity is critical to each and every governor. As you know the governors of our nation actually have more data than the federal government. When you think of all the data we have through our tax returns through, medicaid and Health Care Programs that we have, department of motor vehicles, we have a wealth of information that every single day people are trying to get in and get our information through cyberthreats and cybercriminals. In the commonwealth of virginia alone last year, we had 86 million cyberattacks of the commonwealth of virginia. Just recently a foreign actor attempted to get my personal email from my state account. This goes on each and every day. As a state with 27 military installations, the Largest Naval base in the world, the pentagon, the cia, we have a responsibility when we have all of those assets to make sure we are leaning in to provide that front line of defense to not allow anyone to get into our system and take our valuable data. As i said in july, if virginia is in great shape and does a great shape with cybersecurity, it is absolutely meaningless if some other state doesnt do anything about cybersecurity. We have the same Health Care Provider. They will use that smaller state and go through that Health Care Provider to get a back door into the commonwealth of virginia. So our initiative, and Governor Snyder and i worked very hard on it, that initiative is to make sure that all 50 states meet the basic protocols to make sure we have the basic levels of support so that we are all protecting one another and protecting one anothers data. It is critical to protect our Critical Infrastructure, our electrical grids, our water system. Theyre trying to attack our 9 11 dispatch centers. All constantly being targeted. Also, for our businesses, its important that we send a message to companies as we recruit them to our states that they know we at the state level are doing everything we can to help provide the protections for their own data. In addition, as ive talked about a lot, this is a tremendous source of economic opportunity. The jobs of the 21st century, number one is going to be cybersecurity. In the commonwealth of virginia today, we have 582 cybercompanies. Right now today in the commonwealth of virginia, i have 36,000 cyberjobs open. So i would say to all the young parents who are here with us today, youre all too young. There used to be a movie called the graduate. And the key phrase, governor dayton, was what . Plastics. I would say see . Youre too young. [ laughter ] but cyberis the key. And as i say, for parents, the starting pay in virginia is 88,000 for these 36,000 jobs. As the governor of the commonwealth of virginia, im forfeiting 3. 5 billion of payroll pages, about 120 million of state wages. Thats why we have transformed our Education System to do what we needed to do. These jobs are not going away and theyre going to continue to grow. What we have done at the nga, and i want to thank tim and jeff, where are they . Who have done a magnificent job. Are they with us today . Stand up. Here are the guys who run our cybercenter at the nga. [ applause ] they are the governors cyberwarriors. And they and their team have done a great job to make sure were protect all the assets. Since the launch of our initiative in iowa, the nga has held several events around the country and provided valuable resources to our fellow governors. A week after the summer meeting we have held round tables throughout the United States of america on Health Care Issues and what they need to do in health care, workforce development, and infrastructure. We have brought in cyberexperts, businesses both large and small. These discussions have culminate in to memos that discuss the recommendations that each one of you and the other state policymakers can implement to assist you in your states. In october, we held our first regional summit in boston. It was sold out within four hours. We had 26 states come. Every state was allowed to bring four people. It was a great, great working session. We will now have our next one, the final one for the other remaining 24 states that will be coming up in california in march. So we now have the cybercenter set up. Well would ask that all the governors continue to work with it. We have in front of every governor will be given a card. You will see that card. Nobody else has seen your card. That is for you. That is weve gone through your state, and you have different color codes to determine how your state is doing on cybersecurity. I will tell you even as chair, i have not shown your card. Governor hickenlooper is showing his card to governor romando over there, i see that. That is your choice if colorado wants to share with rhode island. Governor dugard is not. Hes put it in his pocket. Hes not going to let anyone see. He is going to keep it. But its important that you look at this checklist. Well went out in july. Let us all meet the basic protocols and put our checklist together. You can see they are actually color coded. Im very proud. Ill show my card up. You obviously have red, yellow, blue and green. Not to brag, but the commonwealth of virginia all green, governor hutchison. I want you to know that. Yours might be too. Honestly, these metrics are for you to use. If you have red and yellow, you need to do something about it. If you have red, you really need to get in the game and do it. And thats what our cyberteam is here to work with you on as we continue to do it. By the time we finish up next july, we need to make sure that everybody has those basic protocol, and we have filled out and done the checklist we have needed to take to it the next level. You see in front of you a slide. As you can see from the results, states are doing very well in some areas and not so well in others. The good news is that the states are placing a tremendous emphasis on establishing the governing bodies to identify and implement cybersecurity policies mandating cybersecurity training for state employees, and have established a Solid Foundation for cybercrime investigations. On slide two, on the other hand, there are some areas that states can improve on. Governors need to ensure that their Critical Infrastructures vulnerabilities are assessed and identified and put the appropriate priorities on it. You need to make sure that you are receiving timely and useful information on a consistent basis to make informed policy decisions and to assure yourself that your state is doing the basics that are needed to align your state with the nist cybersecurity framework. And lastly, it is imperative that you have a Strategic Plan that outlines your states vision for the next three to five years and a Response Plan that is based on your own individual Risk Assessments. Implementing these four basic practices will help guide you on the path to securing your state from malicious cyberactors. And nga stands ready to assist you with your needs. Now i would like to turn it over to the great governor of the great state of arkansas, governor asa hutchison, who is chair of the Homeland Security and Public Safety committee. The greatest chair ever of the Homeland Security and Public Safety commission. He succeeded me. So that is a great compliment. Thank you, governor ruch chis son for your tremendous leadership. Ladies and gentlemen, governor hutchinson. [ applause ] thank you, governor mcauliffe. Great leadership on your part. He advised me since he had a perfect score that he will be grading on the curve all the states. And that is good news for us. But really, a perfect example of leadership in a critical area that we all face. And i just wanted to emphasize a couple of points based upon my experience as a governor, but also going back to my time frame as undersecretary at Homeland Security when we looked at threats from a variety of arena. And just in the last two weeks, obviously, we have the tens of thousands of attacks that commonly come with the state databases. But we had a specific denial of Service Attack that was effective in terms of shutting down our state website for a period of time. That happened within the last two weeks. It was quickly up. There was not any damage done or not any loss of data. But then we had a small agency of State Government that did have a loss of databased upon an attack. The good news is there was not any personal identifiable information for any citizens on there. So it was not a loss that cost. But that leads me to the concern that we should have in terms of governors. One is the potential loss and cost to the state. If youre in the private sector, you talk about in terms of liability. But the data notification requirements for loss of citizens data does apply to the states. And most jurisdictions, and it would to us. It would be a significant cost if we had a loss of Consumer Information based upon a cyberattack. And so we have to concentrate on that side of it. In arkansas, we have done our cybersecurity Risk Assessment that was just conducted by an outside group that made recommendations. Were going through an effort in data center consolidation, Enterprise Architecture that we unify under one agency our department of information services, setting up a cybersecurity office. So were making these steps. But i just and i see some of my good friends with the Southern States energy board and the interstate commerce, the oil and Gas Compact Commission that we met with an energy summit. And one of the points of conversation was the protection of our energy grid. And all of that is based upon the private sector and their protection of their networks from cyberattacks. But there is significant worry on the governors part if the energy grid goes down. Because that our response, our cost to the state. So there is a regulatory challenge to us to make sure that our private sector that is regulated, that they are investing as they need in cyberprotection and security as well. I just raise that as an interesting point because of the liability and risk potential to the state, not just for our own systems but also the private sector. Should it be a nonregulatory environment. We should certainly encourage them to protect their own data as they are motivated to do. I just want to make those introductory comments. Im delighted to hear from the panelists. Before we go that direction, i wanted to recognize the vice chair of the Homeland SecurityPublic Safety committee, Governor Brown who is doing an outstanding job in partnership with us. Governor brown . Thank you very much, governor hutchinson. Its truly an honor and delight to work with you. And governor mcauliffe, thanks for your extraordinary leadership on these issues. I was secretary of state before becoming governor. And while i was secretary of state, i received the news, unfortunately, that our state Campaign Finance and our business registry websites had been hacked. Oh, thank you. My mother always tells me they can hear me anyway without the microphone. The sites were hacked while i was secretary of state. The websites were fairly new at time and they were developed to make reporting easier and accessing services for Small Businesses much more accessible. We were able to react immediately, shut the websites down, and began a full investigation with Law Enforcement. In the end, we were able to rebuild our programs. We built stronger walls. And made the system stronger. But not without a lot of expense to taxpayers and a lot of time and energy from state employees. Since that cyberattack in 2014, my state has taken a number of steps to address system deficiencies and increase our i. T. Security posture. I initiated an audit that uncovered numerous structural security gaps. And then as governor, i issued an executive order to unify responsibility and upgrade oregons capabilities. And this legislative session, which were currently in, im supporting legislation to establish a Cybersecurity Center of excellence. It will develop a statewide cybersecurity strategy, share information between the public and the private sectors, coordinate incidents response, identify best practices and encourage development of a cybersecurity workforce. And governor mcauliffe, were really excited about getting some of those good paying jobs you got in virginia to oregon as well. I think we can do this by bringing together companies in oregon like intel and hewlettpackard with state, working with state and federal agencies. And of course one of our local universities, oregon state university. To do more than just upgrade our state systems. I believe that we have to build tools that the public can put their confidence in, even when doing something as simple as buying a fishing license. And we like to buy fishing licenses in oregon. Weve also been really fortunate to be one of the five states selected to participate in the nga policy academy on enhancing state cybersecurity. The academy has been a great benefit to my team on the ground. And i certainly look forward to sharing Lessons Learned with my colleagues and the states. So thank you so much for the opportunity to participate. I look forward to hearing the rest of the conversation. Thank you, governor. And to help kick things off today, weve assembled quite a panel. Were honored to be joined by john carlin who is the former assistant attorney general for the United States for National Security at the United States department of justice. John will be providing us an overview of the National Security contacts around cybersecurity. John, the floor is yours, sir. Thank you, governor. So i thought id start with imagine this. You get home from this conference and youre briefed that somewhere in your state there has been a breach there has been a breach and it looks unsophisticated. It came in through using an unsophisticated tool, and it looks like a low level hacker. And your i. T. Folks say this is no big deal. It was a relatively obscure part of our system, and all they stole was around 500 names and addresses, personally identifiable information. Small loss. And they say we got it. Dont worry. The system is back. So its one of, what, a thousand things that youre briefed on the day. Actually probably wouldnt even reach you as governor. It would be someone else in your state getting this news. Several weeks later, they go back to that someone five rungs down from you somewhere in the state and they say you know what . We got a request through gmail. And a request from this guy says theyre going release the fact that they took this information to embarrass us, and they want us to pay them 500. A form of sometimes ransom ware when it actually encrypts your system. Its a form of ransom that takes place with cyber attacks. They say i dont think this guy can do anything. Its a relatively small amount. Im not even going to brief this up. Weve got it. We handled it. Or they say theyre going to pay them 500. This is a real case that happened to a trusted Retail Company with a trusted brand. And in that case what they did was work with the federal government. And what they found out was it wasnt what it looked like. Yes, it was a low level crook who wanted to make 500 through bitcoin. But that crook was an extremist from kosovo who had moved from kosovo to malaysia, from malaysia was in a coconspiracy with other people outside of the United States to hack into this company. And on the back end, this extremist was in touch with one of the most notorious cyberterrorists in the world, a man named genade hussein who moved london to iraq, syria where he was in the heart of the state of levine. What he was doing was culling through them to see hey, did any of these people look like they worked in government . Do they have a dot mail address. And if they do, im going to put them on a list, a kill list. And using this new method of crowd sourcing terrorism that weve seen the Islamic State in the levant adopt that resulted in us bringing more terrorism cases when i was head of the division than weve ever prowl brout in history by using social media to recruit young people that. Took that kill list based off this u. S. Companys information and pushed it back to the United States through twitter that said kill these people by name where they live. Thats the current state of the cyberthreat. It was the first case we brought that involved charges of both terrorism and criminal charges. So we were able to take effective action, but it wasnt easy. And the reason we were able to take effective action is the victim woshlrked quickly and efficiently to share the information. What type of action was taken . First that individual in malaysia was arrested pursuant to u. S. Charges. And thanks to cooperation from the malaysians that had been obtained through state department, he was arrested on those charges and brought to virginia this just goes show the russians can reach us even here. I knew that was coming. Well get to that threat. But so he was arrested, convicted, and plead guilty and is serving 20 years. And jenade hussein who was in syria outside the reach of Law Enforcement was killed in a publicly acknowledged military strike by central command. But think about that threat. Its crossing five different countries. Its reaching into the states where you have the responsibility, even though much of it is occurring outside of your borders. And at the end of the day, as you know far better than i, the person responsible if something goes wrong will be you. No matter who else was involved in that occurring, no matter where else in the world it came from, if its your state and your system, theyre going to say the governor of the state was responsible. The fact is the one thing you all agreed on an you hear across the panel today and ill go through a couple of cases that will show you why is were not where we need to be. There is no internet connected system. There is no internetconnected system that is safe from a dedicated nation state adversary or even a sophisticated criminal group if theyre determined to get in right now. Thats the persistent threat. And there is no technology that builds that wall that is high enough or deep enough to keep them out. What have we seen . Youve seen in the federal government a change in approach. When i was prosecuting these cases criminally, there was a squad i worked with on the criminal side. And we were plenty busy. But there was another squad at the fbi who worked on the intelligence side. And the whole time i was working those cases, they were behind a secure door. I never went on to the other side of that door. And its not like i was banging to get in because, again, there was plenty to do. When i went over to fbi to serve as chief of staff to mueller, that door opened. We were focused on the cyberthreat. Well developed a new capacity to share intelligence just like we had post9 11 when it came to the terrorism threat, to share intelligence very well within the federal government. From nsa and cia, secret service, fbi, department of Homeland Security, including information coming from your states. And what you could see, there was a jumbotron screen larger than the screens behind me. And we could watch in realtime. And what we were watching was incredible feat to be able to watch it, but what we were watching is nation state adversaries hopping into things like state universities and then hopping into a company. And we were watching day in and day out billions of dollars of trade secrets and intellectual property exfiltrate out, flow out of the United States to the benefit of foreign countries. And it became clear that our approach of treating this like a secret Intelligence Program wasnt working. And we had to make public what we were seeing and start to disrupt it. Because it was causing real harm, real loss to real victims now. And that was a change of approach. This is an area that involves sensitive sources and methods. And all through the cold war the usual approach when you had a spy was not to talk about it, but to try to follow what they were doing. But this was on a scale that we simply hadnt seen before. Its that change in approach that has led to every one of your state news in the u. S. Attorneys offices that are specially trained National Security cyberprosecutors or units who are getting access for the first time to what had formal i will only been on the secret side of the house. Theyre called the National Security cyberspecialists. And theyre folks that should be integrated in sharing that information as appropriate with your National Guard, with state authorities. That change in approach led to the first indictment of its kind, the indictment of five members of the Peoples Liberation army unit 63918. They werent stealing state secrets. They were stealing things like a company was to be do a joint venture with a chinese company. Right before they were about to lease a lead pipe, you would watch the people uniformed members of the second Largest Military in the world go into the u. S. Based companies and steal the technical design specify indications for the pipe. Or to use another company, Solar Company that. Went in, stole the pricing information. They then price dumped their product to force the Solar Company out of business. And when the Solar Company had the audacity to sue, to add insult to injury, they went in and stole the litigation strategy. So people asked why did you bring the case in the criminal system . Thats why. Its theft. What we showed is there is an attachment in that case that activity started from 9 00 a. M. Beijing time. It went from nine to noon. It decreased from noon to one and went up from one to six. So unfortunately, i guess fortunately, unlike many of you that didnt do the working lunch otherwise the loss would have been greater. But they were working eighthour day, getting up in the morning, putting on their uniform, going in as military officers and stealing from u. S. Companies. So the idea of this, if were going to change the behavior, the norms in this space, weve got to start bringing deterrents. Its just like if you let someone walk across your lawn long enough, under u. S. Common law and british common law, they get an aeasement, the right to walk across your lawn. Thats why we all put up no trespassing signs. This in a way was a giant no trespassing sign, get off our lawn. And International Law works a lot like u. S. Common law. Its a law of customary law. This is the beginning of saying this is not acceptable. So fast forward a little bit to the north korean attacks on sony. And many, including some in this room we were game for years, whats it going to look like if a Rogue Nuclear armed nation decides to attack the United States through cybermeans. And not once did we get it right because we never predicted it would be over a movie about a bunch of pot smokers. And i dont know how many you have seen that movie. But those in the National Security community had to see it over christmas, which i blamed north korea. It was because that was the triggering event. We took it seriously as a National Security event because its attacking our values and the right to speak freely. We couldnt have responded to it same theme without the immediate cooperation of the victim who passed information quickly and had the infrastructure in place to do it. Thats what allowed the naming of north korea in 28 days. As governors, i think you have the same concern that that company did, which is until we named north korea, all the media reporting was about what did sony do wrong. It was all blame the victim reporting. As soon as we were able to say who did it, the narrative changed, and rightly so and said hey, you in federal government, what are you doing to protect us against north korea attacking one of our companies . And it be that change to the conversation. I know it was help to feel the business sony, helpful for businesses in your state and to you. From there you saw us put in an executive order on the books that now allows the sanctioning of those who commit bad action against your state through cybermeans. We had that with terrorists and those who proliferate weapons of mass destruction. But we didnt used to have that tool available. In some ways we were lucky it was north korea. They had done so many other bad things that we had a legal tool available against them to sanction them. Until april we didnt have one when it came to cyberactors. Since then youve seen us apply the same type of approach figure out who did it, make it public and impose a consequence against the iranaffiliated actors who attacked our whole financial system, 46 different financial institution, including most of your start, affecting hundreds of thousands of customers and costing 10s of millions of dollars and made public as well that they hacked into the Critical Infrastructure of the bowman dam in orion, new york. What they had been able to do is they got into the control systems of the dam and they were able to lift up the sluice control systems. So they could have caused flooding as they so desired. As it turned out that dam was down for maintenance at the time. So it wouldnt have worked as intended. But i hope youre not going to let your bridges and dams crumble as your cyberdefense should be keeping them out in the first place. That, there were four main actors that had been talked about as National Security threats outside of the terrorist groups who all have the intent to be able to cause cyberharm you. Saw zawahiri back in 2012 declare on behalf of al qaeda, he called on jihadists across the world, cause as much damage, including financial damage as you can against western institutions in the name of terror. They have the intent, but not the capability. The four Major Players with the named capability were iran, north korea and china. And youd seen us take public action against all three heading into the summer before this election. You have now seen us take action against all four in terms of the russian attempts to undermine confidence in the integrity of our electoral system. What youve seen, though, in many of these instances is that the harm wasnt necessarily directly against the Critical Infrastructure. It wasnt necessarily the most sophisticated attack. What does everyone remember about sony . What they remember are the stolen emails and the embarrassment it caused to the company. What did people remember in undermining the confidence and the integrity of the election . Again, it was stolen emails from a server not connected directly necessarily to one of the campaigns along with other activity. These are vulnerable spots that will be there somewhere in your state system. And as we get more sophisticated, and as youre thinking about resilience plans, we need to start assuming that they can get in, because they can. Youre not going to be sold a product that keeps them out. And figuring out in terms of your corporate governance, if they get in, what are they going to do that will cause the most harm, what do we value the most, and how quickly could we get back up and running to deliver to citizens of your states what matters to them most . Thats true when it comes to states. Its true when its come to federal government breach. An its very true when it comes to the private sector. And what we found is that were just at the beginning of this conversation where people are really treating it like the risk that it is. If you think about it, and ill stop here, but over a relatively short period from 20 to 25 years, we put everything that we value and moved it from analog space to Digital Space and connected it through the internet. And we did so systematically across the board, making those decisions without adequately thinking through what the risks were. And so now as a country and really much of the world is playing catchup, knowing that the ability to cause harm way outweighs our ability to protect ourselves. And were at a critical moment right now. Because were in the midst of another transformation. That was data. The next transformation is the internet of things. And its already begun. So whether its pacemakers in our hearts that are internetconnected, were first rolled out without encryption so, a 12yearold could hack and kill, to drones in the skies. Again, were originally rolled out not because there were bad people designing them. Its because they were designing them to see whether they worked. But they werent focusing on would they work if a bad person tried to take advantage of vulnerabilities. And lastly, weve already seen the recall of 1. 4 million cars from the road because it was shown that you could hack into them and turn off the steering system because you could get in through an internetconnected estimate system. By 2020, im not talk about selfdriving cars, and thats on the horizon as well. But by 2020, 17 of cars on the road are going to be internet connected vehicle, essentially computers on wheels. So whether its the pacemakers in our heart, the drones in the skies or the cars on the street, were this the midst of a massive transformation, much of which will be good towards the internet of things. But we cant make the same mistake again of not building in security by design on the front end. Wow, lets hear it for john. Thank you, john. [ applause ] i thought i was excited about cybersecurity. Glad we got you on our side, john. Let me turn it over to Adam Clayton Powell iii to kick things off and introduce our panelists today. Adam is with the university of Southern California and he heads up their Communications Leadership policy institute. And in that capacity, adam directs the centers internet of things emergency spond response initiative. Thank you, governor. Governors, ladies and gentlemen we have two distinguished panelists this afternoon. Governors, you have their full bios in front of you. Mary culligan is specializing in Crisis Management before joining deloitte, she spent 25 years with the fbi where she was special agent in charge of cyberand special operation for the new york office. Well also have vince serf, highly respected engineer who really did invent the internet. Now he is at google, or he has a unique title in corporate america. He is the Vice President and chief internet evangelist. And hell tell whats that means. So first, mary. Thank you very much, adam. And thank you very much, governors, to have me here today. Its a privilege to be with such an honored group. I worked with john and the fbi. And yes, he is that passionate about cybersecurity and Everything Else that he does. Vince and i talked briefly before the panel, and we decided what i would do is set up where we are right now in the states, what the governors challenges are. And vince would talk about solutions. If there is one thing ive learned in working in cyber, if the father of the internet suggests that, you say yes, sir, that sounds like a great idea. So where are we right now . When we look at governors, and as john just talked about, the threats that were facing, they seem insurmountable. But we have to break them down. And how can we deal with the technology that we have that connects us that our constituencies want from us in order to access our information as fast as possible to get our fishing licenses as fast as possible, our drivers licenses, whatever it may be. At the same time balancing the risks that come with that. So as governors, you face a very unique challenge. John alluded to it, as did the governors in that you not only have to worry about protecting Information Technology data, you also have to worry about protecting operational technology, ot. Thats controls that run our Critical Infrastructure. So you have a bigger challenge than some ceos of the largest corporations in the world do that may only have to protect and i put only in quotes the Information Technology. So you have both of those challenges as youre dealing with the cyberrisk within your states. So one of the things that we did is deloitte along with the National Association of states cios did a survey. And 49 of the states and territorys sisos responded to the survey. Where are we right now . The first thing the very good news is that across the states, governance in cybersecurity is in place. It is part of the fabric of states. It is discussed frequently at all states. Onethird of you are getting monthly cyberbriefings from your sisos or cios. That is a very important statistic to look at because as we increase those communications between our sisos and our cios and our governors and the executive committees, we can start to come up with what are the risks and how do i prioritize them, because i cant deal with all of them at the same time. The second thing that we see right now is there is a confidence gap between the governors and the sisos. And what do i mean by that . What the survey found is that 66 of the governors, elected officials, and appointed officials feel confident that their state is poised to deal with external threats. Only 22 of your sisos believe that. Now the important thing about that is weve also seen in those states where the governors have made cyberrisk a strategy. They are involved in reviewing the progress towards that strategy. That communication gap, that confidence gap closes. So its something to take away with when youre talking about cyberrisk in your state, whats that conversation that you have with the siso or the appropriately titled person in your state . How frequently are you looking at the reviewing that of strategy and those kinds of briefings that youre getting. Right now also when we look at it, the conversation is about what is coming next. And what im going to set up is two key points. And vince is going to continue the talk about those. The two things that we see that are extremely important to you as governors of our 50 states and territories is resiliency and access management. So what do we mean by that . John gave us a couple of examples of resiliency. But youre going to hear more and more conversations about resiliency in the next few years around the cyberrisk. And the good thing about this topic is states are already used to being resilient. So resiliency is how quickly can i identify the problem. How quickly can i mitigate it, and how quickly can i recover. So if you think about that from your position as a governor, you do that. You do that with Natural Disasters. You do that with terrorist attacks. You do that with a train derailment. You are used to responding. You have tools and skill sets within your State Government that do this on a daily basis. The same thing with cyber. Whether its the private sector, the state or federal, as john mentioned before, those that can identify the problem as quick as possible can mitigate it and recover from it, will do better in the marketplace, if youre a private sector, will do better with our constituency if were in the State Government. Very, very important, as governor hutchinson said in the beginning when he showed that very slide is what is our Response Plan. Have we practiced that Response Plan . And i will tell you what youre going the hear. Youre going the hear yep, weve got a Response Plan instate, whatever. Oh, yeah, weve practiced it. Where its been practiced is on the technical side of the house, the technical folks have practiced that cyberrisk is a business risk. So you need to do those simulations or from my days in the fbi, we would call it war gaming, working with our military brothers and sisters of simulating who is going to respond. What are the roles and responsibilities. Just like you do with the Natural Disaster or a manmade disaster, you know the roles of responsibilities. Here is a difference between a Natural Disaster and a cyberincident. And we mean when we talk about cyberincidents, something we all talked about up here beforehand is were talking about a breach. Were talking about someone getting into your system, as opposed to something we call cyberfraud, which is when someone uses the internet to commit fraud. Hey, by the way, vince, i met you yesterday at the panel. You seemed like a great guy. Do you think you can send me a couple hundred dollars for my trip next week. Thats cyberfraud. Thats when someone uses the computer to commit fraud. What were talking about is the cyberincidents, the technical incidents that have an impact on your operations as a state, whether its theft of information, disruption of service, or corruption of data. So when those occur, the differences between those types of events and things that youre used to dealing with as crises as governors is speed. They happen faster than anything youve ever dealt with before. The second thing is there will be incomplete and inaccurate information coming to you. And the reason for that is it takes a while to figure out what this technical issue. Is it nefarious . Is it nonnefarious . Where has it occurred . What is it affecting . And youre still going to be required to make the Business Decisions do, the press conferences. So the more that you can prepare and practice those types of Business Decisions, or even simply discuss those type of Business Decisions before a cyberincident is something that were seeing becoming more and more effective when we deal with cyb cyber risk. The two things we said is resiliencely and access management. Ill turn this thing over to vince. Here is the thing about access management. You should only have access to what you should have access to. It sounds really simple. I made a joke before this panel that since he invented the internet, because he have access to everything at google. And he said no. He has access to only that which he can gain access to, that he is allowed to have access to inside google. How is that done . Twofactor identification. Have i some type of encryption key. I have some type of token that i can say this is me coming in from this place. Thats very in the states, we cant implement that across the board and give that to all of our citizens. So we need to think about how can i authenticate that you are really who you are in my state, and that youre not coming in from somewhere else, as john said, whether youre a nation state actor or criminal actor. So thats pretty much where we are right now. We have the governance across all states, which is a good sign. We have a confidence gap between our governs and our sisos. And as we move forward, were looking at the topics of resiliency. Now its about the impact and access management. So vince, tell us how to solve it all. Wow. Thats a tough act to follow. Marys summary is wonderful. Does anybody have a change of underwear . Let me start out by thanking everyone for allowing me to part today. This is a topic of real concern to a lot of us, including me. Let me start out by making a simple observation. The root of all of this problem, its the software, stupid. Thats the root of the problems. We dont know how to write software that doesnt have bugs. Weve been trying for 70 years since computers have been available. And weve not succeeded in figuring out or in Building Tools that keep us from making stupid mistakes. Those mistakes get exploited. To make matters worse, the Buggy Software doesnt always get updated even when we know there is a problem, even when we release new pieces of software. Sometimes the updates dont get to where they need to be. People dont bother updating their laptops or their mobile phones and the likes. This is a very pernicious problem. And its a very hard one to solve. So as a former academic, one of the things that i would urge is the pursuit of better tools for writing software. We want the programmers to have a Software Ecosystem that helps them detect when they are making bad mistakes, logic mistakes, for example, referencing a variable which has never been set, which gets you a random number, which you then do a computation on and branch off in some cyberspace where you dont belong. There are all kinds of cases like that. What i want is a piece of software that this is a metaphor, this is sitting on my shoulder here while im typing my code and it says you just did a buffer overflow. What do you mean . Look at line 27. You just screwed up. I need a piece of software that will do that for me. We dont have one of those. And its going to take some Serious Research to get there. By good fortunate, governor mcauliffe, ive been a citizen of the state of virginia since 1976. And we have some places here that can be helpful. How about the Defense Advance Research agency . How about the National Science foundation . How about george mason university, the university of virginia, Virginia Tech . So we have some horsepower in this state that can tackle some of those problems. And by the way, i will bet that every single governor at this table has similar stories to tell that there are Academic Institution we should challenge them to work on that problem. Now if im going to speak in general terms about how to solve this problem, there is a generic formula for dealing with this kind of situation. First nostrum, if you can find a technical solution that prevents the problem from happening, use it. The trouble of course is there are not always Technical Solutions to these problems. So whats the next thing you do . Well, im going to call it post hoc enforcement. Basically it says if we catch you doing this stuff, there will be consequences. Were not going catch everybody, but the at the very least we need for Law Enforcement and the judicial system to be able to say that confidently, that if we catch you, there will be consequences. And then there is the third mechanism. Ill call it moral suasion. Its just wrong. Tell people its wrong. Now, that sounds wimpy, doesnt it . But i want to remind you that the weakest force in the universe is gravity. But when you a big mass, its powerful. When there is social agreement that certain behaves are unacceptable, then you have a certain amount of mass that you can use. So moral suasion shouldnt be ignored as a potential solution to the problem. So those are the only three mechanisms that i can think of that will work. Now, i have one other not so wonderful piece of news, and that is that i believe not everyone agrees with me. But i believe there is a kind of irreducible inconvenience with good security. That we are going to have to ask people who are looking for protection to cooperate with us. The users, you and me, we have responsibilities just as much as the programmers and the companies and the institutions that use computing. We have a responsibility too. Mary already mentioned one of them. If its available to you, twofactor identification is really powerful stuff. In 2010, my company was attacked by what we believe was a Chinese State level attack. And they got into some of our software. We did not like that very much. We instantly responded with several things. We encrypt all traffic across our data centers. We encrypt traffic from peoples laptops to our servers. We also issued twofactor aught indication tokens. Nobody in the company can get into the companys resources without the second factor. And even when im inside the company, inside the firewall, i still have to use that twofactor aught indicatio the second factor inhibits me from getting there. Im a huge fan. We make that available to the public, but it has been very hard to get people to accept additional responsibility and inconvenience for exercising twofactor authentication. There is Something Else some of you may l have seen. Maybe you dont pay much attention to it. But sometimes when you go to a website it will say htps. Thats hyper text transport protocol secure mode. What happen theres is an encryption key gets generated that is shared by your computer or your tablet or your mobile and the serving site. And so there is an exchange which is inadvisable to you, but it generates a crypto variable which nobody else has and that secures the communication. Thats invisible and you dont see it. The problem with that is it doesnt strongly authenticate you. All we know is we have an encrypted tunnel for communication between the two parties. But the two parties may still not know who is talking to whom. And there is another thing you can do. If you get a piece of phishing email, that is spelled with a ph, not an f, dont click on it. How do you know its a phishing email . Any time you receive something from somebody that you dont know and it has an attachment or a hyper link and it says click here, this is really fun, dont. If it comes from somebody that you know, but youre not sure what the conditions are, there isnt enough context in the message, this is from the ceo, this is important. Its about next years salary, and there is an attachment or a hyper link, dont click on it. Forward the message to the party that appeared to have sent it and say did you send this . Ps, dont click on anything. The whole point is to expose the fact that youre getting fake email coming from someone, and let them know that they may have been compromised, that their mail system may have been compromised. Those are just examples of things that you can do to improve the situation. Now there is another thing which has been pointed out several times, and that is that the attacker and the victim could be in quite different jurisdictions. It could be across state boundaries. It could be across national boundaries. Which means this is everybodys problem. Its not confined to where the attacker is or confined to where the victim is. Which means we have to have agreements about what to do when we discover there is an attacker out of our jurisdiction. We need international agreements, and we need National Level federal agreement, interstate agreements so we can cooperate with each other. And i dont know how to overemphasize that. Because in the absence of that cooperation, this is going to be really hard. And so we may need extradition kinds of rules and also information sharing. Adam, i have a long list of questions and answers, but i have the feeling that the better thing to do would be to let other people ask the questions. So im going to stop there and thank you very much for your attention. [ applause ]. Thank you, vint and mary. Ive also been asked by the governors to just spend a minute to explain what the university of Southern Californias initiative is about. First, its multidisciplinary. Its not just engineering. It certainly includes engineering. But this problem is far broader. So it includes the usc school of communications which i run Washington Research programs. It includes usc school of public policy, leading research into cyberpolicy, implications and recommendations. And last but not least, the school of business which is bringing in Corporate Partners and introducing return on investment and other valuation metrics in cybersecurity. Other schools, law, medicine, and even social work are also involved. Our premise is that things are going wrong. We all know that. Our focus is what happens next. What happens in the field of Emergency Response and recovery after things have gone wrong, whether on a large scale or on a small scale. As we move in relatively few years from a world in which we have an order of magnitude of maybe 10 billion devices connected to the internet to one that has more than 100 billion devices connected to the internet, things are going to go wrong in very unexpected and very startling ways. If a hurricane comes, you know there will be high winds and floods. But when the internet of things fails, you have no idea whats going to happen, and thats if you know whats happened. So how to prepare for Emergency Response and recovery in such a field of uncertainty . First, First Responders. In an emergency, most people dial 911. Okay. The police arrive. Then what do they do . In los angeles and new york, theyre very large Police Departments that have experts in these areas. But this thousands of medium and small jurisdictions around the United States, there are no experts. So working to help design resources and programs for the 99 of Police Departments, firefighters and other First Responders who are not experts. And in fact were looking to the states in arkansas. Governor, we understand that you are starting a Cybersecurity Center of excellence. Maybe thats a model which can be spread to other states. But every home and business in america is not only at risk of being attacked, every home and business in america is also at risk of being an unwitting enabler of cyberattacks. At our usc round table vint said he told the joke for years that he never wanted to pick up a newspaper and read the Headline Bank of america taken down by thousands of refrigerators. He said he cant do it anymore because now theyre using Baby Monitors and weapon comes. Vint said in thousands of homes around america who know how to respond and recover, and as he pointed out, in the home its the kids who almost certainly have more knowledge than the adults. So at vints suggestion, were working on cybersecurity merit badges for boy scouts and girl scouts. People laughed when he first suggested it. Then they stopped laughing. Thank you. But sherman mcauliffe, last night you said you were taking vints suggestion to the next level to achieve universal cybersecurity education in virginia. Perhaps you can share more on that in just a second. This is why usc wants to partner with you governors, with all of you. Because yes, we partner with federal agencies and with private industry, and they are truly valued partners. But in the 50 states and territories, you run the laboratories of democracy. And it will be at the state and local level where youll be testing and experimenting with response and recovery as you always do, and it will be at the state and local level where best practices will emerge that can be identified and replicated. So my colleagues and i thank you for this invitation, and we look forward to working with you. Thank you very much. Lets give our panel a great round of applause, if we could. [ applause ] id like to have a couple of brief comments if i could from the 28th chief, the head of the National Guard who was with us here today, i want to thank him. But i notice we have a lot of tag here is in the office. The head of our National Guards all over the United States of america, if they could all stand. And lets give our tags a great round of applause. [ applause ] i think i speak for every governor. We could not do our jobs were it not for our National Guard. And i want to thank all the tags and all the guard folks for what you do to help us be successful. General . Thank you, governor. And we love that you love the guard. And that is good for us. So if i could just say this domain, the cyber domain has obviously taken up a lot of bandwidths. And i want to thank is that the word you use . Bandwidth . Thank you for starting and this emphasis on cybersecurity. And with the council yesterday with secretary kelly is a huge thing. I think it is our role as National Guard members is we fight wars and we protect the homeland and build partnerships. Those are the three fundamental things we do. In the cyberworld there is really no difference whether its flying airplanes or fighting this the cyberdomain. What were seeing in the pentagon and around the world, the four countries you mentioned, the russia, the iran, the nork, they donth korea, the fight news this gray zone. They want to keep doing these kinds of things and compete with news an area in between war. So were going to see more of that. And you governors in the 50 states territories and the district of columbia all have some cyber capability that is in the military. Some of those 36,000 jobs, governor mcauliffe, will be filled by men will be filled by men and women who have been trained in the military that admiral rogers and the Services Simply cannot pay enough to stay and do that in. Its my hope and the adjutant generals hope we can let those experts continue to serve and use their expertise across the way. One point i want to make and i talked to admiral rogers about that just yesterday, is i think its important that we have so many people that are sort of responsible for these things that we have to think about this as a country through dhs and through Cyber Command and the military piece and through all of your states cybersecurity apparatuss to figure out so that as mary said down the road when the event happens we exactly know how it is that were going to respond. And frankly the military folks that you have in your National Guard are really the only folks that under your authority can work off the department of Defense Network and help respond in some of these cases. Thank you, gentlemen. Appreciate that. All the states and some of the things weve led on virginia youve got to start our children early. Youve got to start doing this k through 12. Weve redesigned all our high schools in virginia. We now have Computer Science code writing in core curriculum courses now. We offer for free cyber ranges in the summer for High School Students to come to one of our camps and spend time learning how to be a cyber warrior. We will pay especially for our veterans if youre willing to come in. We will give you a scholarship. We will pay for you to get your cyber degree so you come and work for the state. We have 14 centers of excellence now. We will tell every governor. I think need to ask every one of your Community College president s are you work to become a warrior of excellence . I would ask every one of your institutions of Higher Education fouryear and twoyear hopefully theyre leaning in on that. Weve only got a couple minutes left. I dont know if anybody has a question. I would let you choose how to manage this. One of the things weve been working on on setting up this National CyberSecurity Center down in Colorado Springs is the vacuum in terms of educational capacity. Not just we governors are on a steep curve. We recognize that. But mayor, county commissioners, elected officials all over the country. Not that they need to learn how to write code but that they can allocate resources and have priorities. Again, the Large Companies mostly have at least a board member if not a Senior Executive whos a cyber expert. But the smaller companies, and by Small Companies i mean up to 50 million, even larger than that, dont have that capacity. And so what are you guys whats your analysis of how we can most efficiently and the w lowest coast affect that void of education and knowledge. I cant look at you and talk into the microphone for the first time. This is very annoying. Watch this. You can stand over here. It still projects. Oh, that works. Thank you very much. I feel much better about it. I hate these conversations where youre looking in the other direction. In addition to having a welleducated Cyber Workforce it occurs to me that we ought to have a cyber Fire Department. I want you to think about this for a minute. Imagine your house is on fire and youre standing in front of the house with a garden hose and you realize i need somebody with a bigger hose and more water. You dont call the police department. You call the Fire Department. And they come out with a big hose. Think about what they do. I want you to be careful because this is a metaphor that has some brokenness in it. Ill get to that momentarily. The Fire Department comes out and they break the roof in, they pour water in, they do all kinds of damage but they put the fire o out. The rest of the neighbor neighborhoods in danger. Heres where the analogy starts to get a little weak. Lets imagine adam is Running Company a and mary is Running Company b. And there exists a cyber Fire Department, thats you, governor, and so adam would never do this of course but he noticed that he can call the cyber Fire Department and tell them that marys company is on cyber fire. And so you come roaring out with all horns blazing and disrupt her business for the next three days while adam is making all kinds of money. Its clear that that isnt quite right. So well probably have to have a rule that says if you want to call the cyber Fire Department it should be mary that calls the Fire Department and not adam. So as i say, the analogy may not be very good. But we really need to invest in people who are skilled in the art of response and also attribution. And here i want to raise all kinds of red flags. Its easy in this space to pretend to be somebody else. The last thing in the world you want to do is generate a Cyber Response or response to a cyber attack against the wrong party. This could be really bad news, especially in an international setting. So think about the people that we train and pay to be part of our First Responder teams. Maybe we need a cyber Fire Department too. And so thats one thought that comes to mind. And governor, to add to what was said, when were looking at enlting small to medium whether its businesses or agencies within governments, without a doubt what were doing right now in the United States and what we should be suggesting is we need to look at the framework. To all of us and the governors we get it. The nist framework. But truly when Companies Say small to medium size companies, whether its in the fbi or deloitte, where do i start, thats why the nist framework was written. Its 42 pages long. Anyone can read that, whether theyre a mayor, a town official. And the thing about the nist framework is you can selfassess. It is not the beall and endall. It is not a robust cyber assessment as governor mcauliffe said he just did in virginia. But if people were to understand just that, we start with the nist framework, i think what they can do as executives and what we say is ask intelligent questions. 85 of the issues on the rnt internet are about cyber hygiene. Changing our passwords, as vin talked about. We have state universities in the United States that a student comes in as a freshman and gets an email sxkt they never change their password for four years. Those kinds of things i agree with you, you dont need to be a technical expert. You dont need to know a lot about this topic. But if we take in this framework and we were to say password discipline, patch management, now, when you go back to your technical folks and talk about patch management theyre going to roll their eyes. But what patch management is the vulnerabilities in the software that he was talking about, were patching them. So if your front door was not locked and you knew that, you would lock it. That would be someplace that we could start and bring everybody to the same level of understanding with cybersecurity. Thank you, mary. Those are very good prescriptions. I want to add two other points about this. There we are. So the first one has to do with better measurement of security implementation. I used to be the chairman of visiting technology at nist and i still report to chuck remine when runs the Information Technology lab at nist which has the Cyber Security lab in. So im still engaged. The one thing which is missing from our toolkit is our ability to measure how well you implemented that framework. And because as mary points out its a relatively general document, sometimes you could implement what it says and still not be secure or you can implement what it says and dont enter work with Everything Else. So theres still work to be done. But even Getting Started is important. Theres one other thing, im going to scare some people with this. I am so proud of google because of what we do with regard to backup. And resilience. Once a year for an entire week we do a Disaster Response exercise. In that exercise we shut off the primary systems and run on the backup. Were serious about backup. This is not a desktop exercise. This is live operations with the backup systems. And you have to be pretty damn brave and pretty confident to do that. And we make ourselves do that because thats the real test. When things go south, and they will, if your backup systems cant be trusted to run because you never really depended on them, then you dont have much. So i lay that at the feet of the people who are responsible for designing and building these systems to show you governors that you have real resilient backup. Let me move to the last question. I remind everybody, this is between the 55 tags and their cocktail hour. So you determine how long you want to answer this. Were having a party at the usaa and involving all our tags. I just lay that out there. Thank you for the nice setup, mr. Chairman. I appreciate that. Two quick questions. One is you talked about the unavoidable inconvenience. Ive walked around state offices, and ill see the computer monitor and below it the password because people, you know, its so many characters i cant remember, it i have to write it down. So the first question, then ill ask the second one quickly is what about biometrics, retinal scans . Is Technology Going to catch one this . Thats question one. Question two, general, for you, are you comfortable that we have a system in place . Because weve seen a couple incidents where state one was attacked in such a way and then you learn the next day state twos attacked. Day three, state three. Are we sharing information with one another from the military, from Law Enforcement to prevent would hate to see 50 states in 50 days get attacked in the same way. Maybe first question, technology, is there good news on the way . So there are indeed examples of biometrics. Some of you may have already signed up for a system called clear. Even if youre a tsa subscriber, you can cut into the front of the tsa line if you have a clear account. And they use two fingers to fingerprints to identify you. If your picture pops up on the screen, youre in. Now, this sounds pretty good except for one problem. If somebody is able to penetrate the system and get the digital summary of your fingerprints and then inject that information at the right place in the system, they become you. Its one thing to change your password. Its Something Else to change your fingerprints. Thats harder. Or your eye scan. So i favor a mixture of biometric and Something Else. The twofactor authentication would be absolutely cool for me. Two fingerprints and a token that generates a onetime crypto variable, for example. Thats actually pretty powerful. And im going to talk fast because i dont want to be between these tasks and their beer. But honestly, sir, its a great point. And to be honest with you, no, i am not confident that theres a good system that relays every cyber incident in every state with every other state. There probably should be. And ill look into it and see what we do from the National Guard piece. Admiral rogers may have a better answer for that tomorrow when he sees you but i cant tell you that we do. I agree its not fast enough or on scale right now. What happens sometimes is the technical indicators will get shared. So that will be the bits and bites of an intrusion. But what went goat shared and wont get discussed will be how they got into your system and what they were looking for inside the system. It might be very valuable to hear in wyoming that someone next door, someones targeting their Health System and theyre doing it for ransomware. And that type of color is not getting shared at scale right now. Lets give our panel a great round of applause. [ applause ] looking forward to getting all 50 states up to where we need to be. I thank everybody for being with us today. And tags, lets go. That was great. Thank you. [ room noise ] [ room noise ] [ room noise ] more now from nga. This next panel included transportation secretary elaine chao. Who talked about Infrastructure Investment and innovation on the state and federal level. This is an hour