Proceedings in impeachment trial of ken paxton. In our cspan now app, you can see the impeachment managers and attorney generals defens team. An hour for rebuttal and an hour for closing remarks. It is possible the trial could take a couple of weeks. Now to a summit on cybersecurity, including the head of the u. S. Cyber command. Youre watching cspan. Heres the part i dont think is often talked about. Think about how the nation has responded since 2018. New authorities, National Cyber director. Fantastic work with jay cdc, fbi, Cyber Command. An outpouring of what we need to do to make sure that cybersecurity is part of our National Security. And a little closer to home, i would say what we do has not changed that much. We still do cybersecurity, Cyber Command and Cyberspace Operations. But how we do it has changed dramatically. 50 different operations, 23 different countries, 77 Different Networks to 2018. The Cybersecurity Collaboration Center and unclassified facility, zero members of the Defense Industrial base in 2019, now moving toward 2000. Cybersecurity advisories with an unclassified level. And the return to the fall of 2021. Our most sensitive intelligence, declassified to build a coalition, disrupt an adversary. That is a little about the last five years i think. Strong organizations. Lots of chatter everywhere. Can you explain what it is and what it is not and how does it work . Great question. 702. An authority in u. S. Government uses to collect mitigation of nonus persons operating outside of the United States. The utilized capabilities such as email and phone service. It is an authority as a president ial intelligence Advisory Board described most recently, the most transparent Surveillance Authority in the world. Transparent surveillance. Normally words we dont put together. It is an authority that ensures our National Security and the protection of our Civil Liberties and privacy. Not or but and. It is an authority that is focused against a series of categories. It is an authority that is saving lives and ensures the protection of our homeland. It is an authority that is overseen by all three branches of government. So how does it work . You are an analyst. You say i have a target that is a nonus person outside of the United States and i would like to see if we can get the Communications Information on what theyre saying. The u. S. Government compels a u. S. Company to provide that information to us. We determined that perhaps this nonus person perhaps a ransomware attack. We take that and then we can do a couple of things. We can look and previously legally collected intelligence information, see if this person has said this before. Are they a known actor . A u. S. Company that has been targeted, have they been targeted before . This is a piece of the teamwork that goes on. Then victim notification is done. A key player of what goes on here. And then we write a report to make sure that we can provide Early Warning or victim notification. An important piece, at the end of the day, i said National Security and production of Civil Liberties and privacy. What are the metrics . Lets start quantitatively. 100 of the intelligence requirements the president requires are wrapped up in some kind of one. Second, 59 of the president ial Daily Briefing is sourced from some type of 702. 20 of all of the National Security agencys collection is based on some form of 702 and 85 of that 20 is single sourced to 702. Coming back to what the president ial intelligence Advisory Board says, and incredibly important authority, it would be disastrous to lose. What does it mean . Last year our nation lost over 100,000 people to fentanyl. 702 was able to identify chinese precursors utilizing that drug. 702 was utilized to prevent shipments of that drug to the United States. It has provided us an ability to recover the ransom of the Colonial Pipeline attack in 2021. It has prided provided the ability to thwart iranian cyber actors conducting attacks on u. S. Government institutions or Public Sector entities. Finally, it is part again of the ability for us to conduct a campaign and eventually successfully takedown the last leader of al qaeda. So again, sorry for the long discourse. But of the things that we look at today, 702 is among the most important National Security issues i think our nation faces today. It is good to hear those results and how things are getting done and how it has evolved. Geopolitical challenges often receive a lot of attention in National Security discourse, particularly around nation state actors and you mentioned a few of those. One of the geopolitical security challenges you think deserve the most attention . As we take a look at the security situation as i indicated, lets begin with the nationstate actors we look at and the National Security strategist that identifies if the Defense Strategy has indicated it begins as china begins with china. The nationstate that has the military and economic capabilities to impact our nation and our lives. It is an autocracy, its own agenda for the future. It is not interested in the rulesbased order we have lived under peacefully since the end of world war ii. We have seen across a number of different instances, the east china sea, whether it is china conducting Violent Attacks within hong kong or the imposition and a number of different places where they have had a different agenda for the future. The other piece is russia. Russia and ukraine today, the illegal invasion of ukraine that we have witnessed since 2022, again, our concern with regards to being able to understand the purpose and remaining vigilant against both is critical. But looking at regional powers, it is taking a look at border challenges. I mentioned fentanyl and the challenge of drugs. It is something we look at very closely. The challenge of the pandemic disease we all certainly saw over the past three years. There is a rich tapestry of things out there that are ongoing. As we look at it, one of things that we tend to say is what are the competitive advantages that we have as an agency, as a nation . It begins with this idea of partnerships. The next four days we are going to talk about public and private partners. Nowhere has it been better seen than the Russia Ukraine conflict, with his power of partnerships has meant so much. I think that is something our competitive advantage from it we at the agency have. Artificial intelligence. It has been around for a while. Those of us in the Technology Business are familiar. But it feels like the ai revolution is here. These are exciting times. It is shaping the future of humanity across every imaginable industry and dominated the news cycle. What do you see as the challenges and opportunities of ari, and how do you think it is going to change the world daca change the world . Changing our agency and command, perhaps. If you were to say lets consider Artificial IntelligenceMachine Learning eight months ago, we would have a lot of interest in this crowd and my agency in command, but broadly, not as much. But we have seen over the past eight months, chatgpt, bing, a number of different instances where it has captured the attention of the public. We have seen all of the folks in a rush to query different ai functions. One of the things we did at the National Security agency is said i would like to take it 60 date stent them a lets do a roadmap for ai and ml Going Forward. It was recently completed and let me talk about that. In the sense that the private sector has been doing Artificial Intelligence for a while, we have been doing it for a long time as well. It is something we are familiar with. One of the first things we said was how does generative Artificial Intelligence or Machine Learning fit in and how does it perhaps change our future so differently . We begin with what we do. We use Artificial Intelligence primarily within our intelligence mission. How do we look at it for our Cybersecurity Mission, or how do we look at it differently for our Cybersecurity Mission . Heres the third part. How about all the business functions were going to take a look at. One thing that was very interesting from that roadmap and the subject matter experts, they think the third of the uses, have a tremendous impact on the business functions of our agency in terms of how we do our business, our accounting, even compliance. How does it impact us and Human Capital management, many things i am sure you have seen as well as the private sector. That was piece one. The second was we have a responsibility at the National Security agency. Since i am the National Manager for National Security systems, to engage with u. S. Companies that have this intellectual property. They understand that they are the targets of foreign entities. Weve had the opportunity to talk to some of the leading experts among the leading corporations in america, to save this is what we are seeing. This is the tradecraft, the techniques, what they are normally targeting in terms of what you should be aware of as you think about the future. The third piece came back and said we have a tremendous responsibility. One of the things we have is a culture of compliance. We understand the surveillance authorities want to give to us and we understand the responsibility to maintain our Fourth Amendment rights. From that, how do we build up the right . It is going to be different. What do we need to do Going Forward . We have to look at policy, governance. We had to look at our infrastructure. We have to look at security. No doubt, security. We have to look at, where do we need to be bigger players at International Forums on Artificial Intelligence . We have interdutch intellectual capital, the knowhow. How do we assist the government in a number of different forms Going Forward . Perhaps among the most important, what does our workforce have to look like . How do we train our workforce differently in the future . How do we recruit, train, and focus the attention that will be powerful in an ai future . As we look at the future, we see tremendous changes. The speed coupled with the security, the safeguards that we will ensure a being put in place. I would add that the agency and congress has asked a Cyber Command. There has been a briefing on that as well. How do we use ai in the realm of Cyberspace OperationsGoing Forward . As we look at ai, 2023, we have this much knowledge. In terms of what we need to do. This is growing quickly. We also know it is growing quickly for our of her series. This is something we will continue to work at very hard. Dimension Human Capital and how fast these things are going growing. To make any of this happen, it is going to be all about the talent. You are challenged with are you challenged with finding the right skill set, especially in these areas . And an area where we are coming off of covid and somewhat of an anthemic, where there are motions of work from home, work remotely and virtual work, a lot of names for it. Are you challenged with workforce and skill sets . I cant imagine any speaker that would get appear insane they are not get up here and say they are not. It is the talent the drives the u. S. Government, nsa and u. S. Cyber command. In terms of that, one thing we have come to the realization is as we go forward, i would speak from both of our agency and our command. We are hiring 3000 people this year. In the next five years, half of our workforce will be hired. A tremendous opportunity. The same time, nearly 400 people will be hired this summer. How do you do that . The way that we have found that we have to do it is to think differently about recruiting. We have to think differently about training. We have to think differently about retaining and about our workforce. Let me talk about that. One of the things i am very focused on, one of the two things i would say im very focused on, i think every day how do we get better people, enjoy the best people are working in the most Important Missions . Weve always said it is about the mission and people say at our agency because it is the mission. Yes, to a degree. But at the same time, what we found is that coming out of covid as you mentioned, weve got to think differently. Particularly at our agency about our workforce. I established an Organization Called the future ready workforce. We are focused on how to be how to onboard people better. When you come to our agency, you should learn 70 years of history of the things that we have done that have made the impossible possible. Second, we have to think about wellbeing. How do we treat our people once they come into our agency . How do we offer them the services that are necessary. Third, hybrid work. We have centers outside of it. We do cybersecuritys. There are other parts of our mission that dont necessarily require us always being in the skids. We are exploring that now. And leadership. I have found at the end of the day that good leaders matter. You have bad leaders and have a bad organization. You can have an ok mission and have great leaders and have a great organization. How do we lead people that lead themselves all the way to leading an institution . How do we ensure that this development is built into the lifecycle of their work deco that is really what we are doing in terms of thinking about our agency differently. How do we think differently about bringing on people, getting them on mission . How do we think about keeping them in one spot for a longer time . One of the nice things is you get to have a conversation. It has been rotated for three years. How about 10 years, never . And wasnt going to say anything. But i think this is a time, and if you are thinking about talent, we have to think differently. We must do something different. Im going to switch gears and talk a little about the ukraine invasion. The release of intelligence proved to be successful in the ukraine invasion. How do you balance the declassification of information with protecting National Security . I know the director will be there the end. Great credit to her in the National Security advice of the president for making this observation in 20 31. As many of us know, we classify things for many reasons. We classify it most prominently for how we collect the information. Not necessarily what the information is. If there some way where you can balance protecting your sources and being able to release powerful information, we have seen the impact. Since the release of information , i have never seen the effect that it had on the russian information operation, it is so impactful. They have never been able to get their feet. Fig about what we are releasing in terms of what we are saying think about what we were releasing in terms of what they are saying. We have the truth, the first on the spot, it mattered. It mattered to the point of being able to convince a coalition to come together, disrupt president putin and empower partners such as ukraine. I think the interesting thing is that if you were a fly on the wall at our agency, we have interesting conversations. People have worked their lives collecting our most sensitive information. It is a conversation we have had many different times. But i think the important piece was hey, this is not our agency or any agencys collection. It is the nations collection. If you can protect that and have an impact that is positive to our national interest, why would you not . That is where we are at. Power to the folks that have made that determination. It has had a tremendous impact. He had some very prescient words five years ago. I dont want to put you on the spot too much. What are the next five years going to look like . I think the next five years are a series of three piece. The peoples republic of china. We are going to be obviously in a period of intense competition with china for a long time. This is the challenge of our time. This is what we must do in terms of being able to advance our values, defend our nation and defend our lives. The second piece, when i talked five years ago about persistent engagement and the idea of being able to enable and enact a series of different partners, the key piece is and partnership. Think about what we have learned. In the past three years, with regards to publicprivate partners. Publicprivate partnerships. Things like the fbi the National Security agency. Cyber command. They have all done this to reach out, have a number of different partners, interagency partners, international partners, private sector partners, academic partners. I think the power of our nation will be continuing to advance those partnerships to think differently about how we partner and to think about the outcomes, and we cant even imagine today the last one is people. I heard Stan Mcchrystal talk about Public Service. Let me talk about Public Service. Having been in military service for three decades and seen the ability to have an impact, i would continue to encourage Public Service. I see it in government, the peace, a number of places. I think our people are going to be the competitive advantage. Whether it is Public Service or develop in a pool of young people that can operate in this digital age, we are going to need them. I am very excited about how we can do that. Finally, as we continue to transition into the future, there are different models that people will serve. Some of it has been in Government Service over three decades. That might not be the model of the future. In might be quickly coming and going, being able to have an impact and then coming out. That is different, but that model may work in the future. As we think about the future, i am very encouraged and i am optimistic and i look to the future and i think our nation, obviously the people who work here will be the beneficiaries. Thank you. You talked about people and it is all the people you lead and other people lead across government. Thank you for your leadership. Thank you for the time today. Gen. Nakasone thank you. [applause] our next speaker acting cyber director kemba walden has been at the center of cybersecurity strategy. It focuses on collectively protecting cyber infrastructure, a counteroffer against adversaries and stronger Cyber Resilience in response readiness. These areas speak to the very essence of billington cybersecurity summit goal of hosting this summit every year. Please join me in welcoming our moderator brian bear. And our featured speaker, kemba walden, acting National Cyber director, executive office of the president. Brian that is a tough act to follow. We can all tell from the pace of things that are coming out that you do not have a lot of time, yet you have spent it here this afternoon. Thank you for your service. [applause] lets start maybe with the what this discussion is about. The strategy from the white house. Tell the audience how we should be reading this document. Kemba thank you for having me here. Thank you to tom for inviting me to participate. I am going to lean forward a little bit. How should you be reading the National Cybersecurity strategy . Carefully and thoughtfully. It is intended to be durable. It is there to inform this decisive decade. I want to give you a step back and reframing. The first thing i want to say is that when the white house called me to be the cyber director it was on the eve of russias aggression to ukraine. The thing that i saw that was very different at the time was what the general was talking about, which was a type of collaboration that did not exist before. When chris and i set out to build the National CyberDirectors Office it was created to do a few things, provide advice to the president. But it was also to offer advice to the National Security council , to the agencies and it was also to coordinate of an implementation of the National Cybersecurity strategy. Clearly, we needed to do a few things. We had to first set up an office, which we did. We had to hire great people, which we did. We had to craft a National Cybersecurity strategy, which we did. But then we had to make the strategy go. We will get to the second part of the movement. To make the National Cybersecurity strategy go, we had to consider all of the prior strategies that had been done. Make sure that we adopt those things that were working well. May be modified things that were not and upgrade. So there are two things. We have to make sure we shift responsibility to capable actors so that we are shifting cyber risk away from Small Businesses and small towns to those that are more capable. We also had to invest in making sure we had a resilient ecosystem. What we are after is a resilient Digital Ecosystem that is aligned with our values. We published the National Cybersecurity strategy Implementation Plan. I released cyber priorities memo so that agencies can understand how to align their budgets. We have been engaging often with the stakeholder community, with the private sector, academia, Civil Society, towns and cities to lean into the diverse perspectives we need to execute this thing. When you read the National Cybersecurity strategy, read it with that in mind. We are seeking an affirmative vision of a resilient Digital Ecosystem aligned with our values. You have to read the entire strategy. It is one whole strategy. It is not effective to take the piece parts. Read the entire strategy. Brian that is awesome. You said your figure part of the strategy document is in its last pages, the Implementation Plan. You kicked off the implementation early this year. What are three or four parts of the implementation that you want to highlight . Kemba the implementation is the most exciting part of the strategy. I am a policy wonk. The strategy is wonderful from my point of view. It is not necessarily perfect, but it is near perfect. It is meant to be durable. It is technology agnostic. It is the implementation that makes it go. There are two things. First, is that we publish it, which is novel. We are driving federal cohesion in executing this Implementation Plan. There are lots of agencies that are responsible for cybersecurity in some way on the federal landscape. We all have to be driving in the same direction we all have to be playing music from the same sheet. Federal cohesion is how we do that. It is how we provide advice to the president , it is how we provide advice to National Security staff. We have identified roles for 19 different departments and agencies across 69 initiatives that account for the 27 objectives in the strategy. We develop that with other agencies. Another agency has 14 that we are leading. The agency, the initiative and a deadline. That is new and novel. That is one thing that is important. The second is that we have an in addition to roles and responsibilities, we have taken our authorities to be able to crack open budgets and help agencies prioritize how they will ask for money, aligned with their responsibilities so that we do not have unfunded mandates. The nittygritty things. Some of my favorite things. We recently released two requests for information because we have to have participation outside the federal government to make this go. That is part of our collaborative culture. The first is regulatory harmonization. We recognize that all of these departments and agencies, including independent agencies and state and local authorities, all want to raise the cybersecurity baseline. But we have impose requirements, sometimes not in perfect concert to those stakeholders that are responsible for cybersecurity. What we have to do then in order to raise the cybersecurity baseline for all of society is to make sure we have harmonized requirements and we find reciprocity where we can. The only way to do that is to create space for you to be able to participate in that policy process. Another one is open source secure software. We have issued an rfi for that one too. That is due october 9. The third one is finding a way to shift what we have been using as Market Forces to lean in more on that. Make sure we have a Software Reliability regime so that we hold those liable for making sure our software is secure, at the same time finding opportunities for safe havens when there is success in that space. Those are three of my favorite initiatives. There are plenty. Brian i am going to ask about the next ones and just a minute. In the strategy pages, he says the National Security council has oversight of implementation while the director would be in charge of working with the internet agencies. Help us understand the distinction between those roles inside the white house. Kemba like i said, we were stood up for our proud mary prices primary purpose was to provide advice for the president. We are also there to provide advice to the National Security council and we are there to lead implementation. To achieve that, we work with the National Security council and with our other partners in order to execute the president s vision. That includes omb, ost p, etc. But we have to be able to work hand in glove. The reason for that is because cybersecurity is a National Security concern. We also work with omb. We are all in this boat together. We are all here to drive to the same vision. Cybersecurity is clearly a National Security concern, but it is also one of Tech Innovation and economic opportunity. We have to be cohesive when we drive so we have to work handinhand with the National Security council. That is what that means. Brian something that is near and dear to my heart, i love measuring things. Security outcomes are probably one of the hardest things to measure. I love in the plan that it talks about taking a datadriven approach to evaluate investments and progress. Drill down on that little bit. How you thinking about those measures of success for the strategy . Kemba this is an ever evolving process. How do you measure success in this space . One he told we have used is articulate and cyber priorities alongside the office of management and budget. We sent a letter to agencies identifying how to request funding along our objectives and initiatives. This is the second year we have done it. We did it for fiscal year 24. And we have done it now for fiscal year 25 and we will continue to do it. That is one measure. How are you spending your dollars and what is your spend. That is one measure. The other is we have listed all of the initiatives so that as we complete them, we are able to update the Implementation Plan. As we achieve what our stated goals are, that is another way to measure how well we are doing. There is going to be a feedback loop in that way. So spend and just accomplishing the nittygritty of the implementation are two ways to measure progress. I have been thinking about this quite a bit. As part of our mission, we talk to industry all the time. This is an important piece of what we do. When we talk to industry, i will give you an example. I talked to a Large Company in the last few weeks. They said their ceo wanted to know where this breach occurred and where it appears on its stock ticker. When you start thinking about measuring cybersecurity when it comes to industry, how do i project what is important to the nations cybersecurity and what is important to industry as it relates to their goals . One of the things that makes sense to me is we need to start thinking about cybersecurity as an investment. So how do we think about investing in Cyber Resilience . How do we think about it Capital Expenditure investment . So that our profits are better, so that we have less downtime, so we are able to be easily against cyber attack when it happens. How do we measure that . We have to collect data. We created the cyber counsel to find out how to require cyber incident reporting. How do we harmonize that information and use that data . Is there to be used for measuring what an impact of a cyber attack is. So we can start to think about this in terms of investment rather than how do we respond. Brian that is great. So the plan you have started rolling out these implementation steps. Where have you hate obstacles hit obstacles . What kind of pushback and feedback are you getting . Or has it all been smooth sailing . I wish everything was smooth sailing. The feedback we have gotten so far is actually from my perspective, quite positive. Where are we in this National Cybersecurity strategy . The best i can do out of the white house is encouraged departments and agencies to have responsibility for certain activities. I cannot necessarily assign responsibilities to academic institutions and Civil Society and all the stakeholders from whom we need perspective. The biggest challenge we have had, the most feedback we have had this how do we get to play, how do we engage . One of the ways to do that is to identify where we have rfis throughout the federal government, but to reach out to the department that is identified as leading that activity. That will lead to an iteration of the cyber incident Implementation Plan so that we have a feedback loop that we welcome in order to improve the implementation of the National Cybersecurity strategy. That is one. The other feedback i have gotten is the opposite. With all of these rfis, with all of this data collection, we have a person that is responsible for reacting to all of these rfis. Treachery publishes them. Treasury publishes them. That is a people challenge. One of the focuses we have is how do we help our stakeholders solve the people challenge, right . That is in my office too. But how do we solve the people challenge. We published a different strategy about that and now we are focused in implementation. We are focused on removing unnecessary barriers to the workforce. Unnecessary barriers could be for your college degrees, could be mandatory in person work, could be a location barrier that does not enable us to lean into the diverse perspectives that exist outside the belt while beltway. So we need to start thinking through some of the challenges and what are we going to do to help ourselves really cover cybersecurity across all stakeholder communities. How are we going to raise Digital Literacy . So there is a people peace to this. Brian i love it when i ask you about pushback and the challenges that agencies are lean and in. That is a good problem to have. As we look out over the next quarter or two, what are some of the things you are excited about that at the next part of implementation . Kemba i talked about a symphony and a symphony has movements. In my mind, we completed the first symphony. We executed the ai National Cybersecurity strategy. As we move forward, we are leaning heavily into getting those objectives done. I do not know if you have ever heard a Government Official said this, but gao has been very helpful to us. [laughter] when we set out to craft this National Cybersecurity strategy, we looked at the lessons that gao published about what could be effective. The next step is to make sure we are held accountable for all of it. So we are looking forward to publishing a posture report, what is the state of cybersecurity now . That is what we mean partly by datadriven. That we are operationalizing it, but then we are going to be held accountable for the effect so that we can advise the president in advance. It is agnostic to technology, but some of the things outside of the strategy that is not clearly placed in the middle of strategy is cybersecurity systems. We are leaning in with the National Security councils i am answering that question. We have set openly that we are after a Digital Ecosystem that is aligned with our values. When you start thinking about cyber spaces, what does that mean . Aligned with our values . You will see something coming out of our office. So implementation workforce, implementation of the National Cybersecurity strategy, and what does it mean to be aligned with our values. That is the second symphony. Those are the movements we hope to accomplish. Brian that is a lot. Tom mentioned something coming early next year with state and local governments. When we go to these cybersecurity conferences, it is a lot of expert companies. What are your recommendations for a small state and local government or a Small Company for how they action that strategy, where can they go to for help . Kemba that is a fantastic question. Cybersecurity is as much local as it is international. Cyber attacks happen in somebodys backyard on a regular basis. So we have to engage at the local level. The Implementation Plan was not written just for us at the federal level. It was written so that state and local entities can plug in as well. So you can go to the lead agency for those things that are helpful to you. There is an opportunity to shift from those that are least capable to those who are more capable. That is also looking to your Cloud Services provider, asking them questions my having them use contracting processes to take certain measures that would be beneficial to state and local entities. Our Education System is distributed at a local level. Our workforce is dependent upon our Education System. We work with state and local entities on cybersecurity concerns, it is the Club Services provider, moving to cloud on the technology level. There is a people peace we all need to share the burden on. And the doctrinal peace. Harmonization is not just focus on federal regulations, it is also focused on standards and assessments, but also say and that state and local. How do we find opportunities to make sense about the state and their parties . We need to fold those perspectives in. I encourage them to weigh in. Reaching out to our office on workforce and education issues so we can collaborate on a local level. Those are all opportunities to be able to engage in this process. Brian excellent. We are unfortunately out of time. I have more questions i would love to ask you, but thank you to the billington summit for having us here. Thank you for taking time out of your schedule. [applause] we will now have our first general session which will look at the big picture and the cyber landscape and what a distinguished panel to do so. The first general session is on the state of the evolving Cyber Threats. Wrote moderating this panel will be robin nolan, chief technologist for dod amazon web services. Dave mcewen, dod. Anthony greco, Senior Vice President , chief Information Security officer. Daniel richard, chief cyber policy advisor, cia. Please join me in applause in welcoming them. [applause] thank you, everybody for your time today. We have all sat in a slightly different order than we were introduced. We will get right into it. I am going to ask a question to everyone on the panel. Want to get your take on some world events. China is edging toward taiwan and emerging as a worthy economic competitor in terms of how they are doing business and innovation. Can you talk about some of their recent Cyber Operations targeting some of our economic and policy leaders. Thank you. First of all, i want to challenge the idea that they are innovative. I think what we have is a lot of espionage and stealing. [applause] our partners are constantly losing data to them. I am messing theyre not sophisticated in their Cyber Attacks i am not saying they are not sophisticated in their Cyber Attacks. I think one of the lessons we have to learn is they have a lot of people so we will have to automate a lot more, taking advantage of ai and ml and some of the true innovations our Industry Partners have developed in the u. S. To combat these things. We have to have the automation and we depend on Industry Partners to deliver that for us and they do it every day. We are very thankful for that. We need to take advantage of our technology and our ai and zero trust technologies. Maybe we can shift over to ukraine for a second. What are some of the lessons we are learning from a Cyber Threats perspective . Thank you very much and thank you everybody. There are two lessons we have seen in the ukrainerussia war in terms of russias disruptive cyber activity. On the military side, while it is true there cyber forces did contribute to the initial invasion, the impact they had was not nominal from the bigger sure. Analysts will spend time trying to decipher why it was the case current it was because russians wanted to preserve ukrainian infrastructure because they thought the invasion would be rapid and successful. Whether the ukrainians were just very adept at being able to adapt to what those actions are. What was clear however was once the war got started, the pace of military activity made it difficult for cyber actors to keep up with the military pace, especially when you have kinetic options available. More importantly however, was the impact private industry had in helping ukraine in the resilience efforts. I think as we look to possible conflicts we may be involved in, that partnership is invaluable. That is really what we need to build to make sure we are able to respond to something that possibly finds the United States. Do you want to weigh in . Sure. Just general observations at the unclassified level. Everybody was a collector. It is not just russia and ukraine. On the ukrainian side, they are using google. There are at least 30 countries involved. If you extrapolate that with how a crisis with china would look like, how do we know build and design resilient and redundant networks . If you have multiple countries, how do i setup my infrastructure that i can share data in a secure and meaningful manner . How do i know my data is protected . How do i do that . When i use infrastructure come i do be careful that i do not use, even though in the u. S. We are moving from one commercial provider to five, you have to be careful i do not use native services that are unique to that one cloud provider, because i have to share data across the dod, nato and nontraditional and traditional partners. The totality of the list are Lessons Learned that we see in russia that we can extrapolate to the potential china crisis. Anthony, one aspect i would like to ask you about, private industry is a big part of this. Can you talk about what private industry should be doing . If you take ukraine as a specific example, there are a couple of observations that are important. We think about the traditional kinetic married with cyber as a part of the russian invasion, but there was also criminal activity that came alongside it. If you are on the other side of it, it is hard to tell which is the nationstate just versus an opportunistic criminal. When you look at the intermix of the why behind the attack, it is difficult for defenders in the moment of an attack. Stepping back though with ukraine, especially with private sector organizations, it takes years to build the level of trust that is necessary to deal with advanced actors coming at you in a war setting, period. When you look at what we did with many other private sector companies, we were there for years before the invasion, partnering and building relationships, helping both sides understand what does good look like. That was an important fundamental thing that most people do not think about because it was happening behind the scenes. The second thing is the bias toward action. You look at a lot of the cyber defenses, particularly in ukraine, and there is an efficiency that is nice. Very listed very little wasted motion from a cybersecurity perspective. Using those lessons and thinking about how do we prioritize the most important things Going Forward for future potential conflicts is an important lesson as well. I would like to add a little bit. I think it is very important what the Intel Community data in putting out intelligence on the russians procedures prior to the were kicking off. Many of you were probably involved. We even had calls with u. S. Companies that had a presence in countries across that region warning them of the tactics. With the chinese recently also sharing they are living off the land tactics, it is important to Work Together to share all of this intelligence so we can react and no what adversary we are up against and what their techniques are. The trust thing is important. We cannot build these coalitions immediately. They have to be in place. What are some of the things you have seen in the Cyber Threats world this year that you are thinking about . You have people from the federal government here or State Government here. I would say to them, technical debt is additive. We manage large budgets so the i. T. Budget is usually an area that people tend to take risk on. If you take risk on things like tech refresh, networks, infrastructure, what you will see is you cannot skip steps. The vendors will not let you skip steps. By view taken the risk today, it just means you have to do all that work whenever you decide not to take that risk. Risk is seen by few. Exploit is seen by all. For the people in positions of authority in the control budgets, technical debt is additive. For vendor partners who the federal partner have dependency on, secure your supply chain. That includes hardware and software. We have seen it where fraudulent hardware had showed up. We have seen those kinds of tactics and playbooks. That is not limited to just hardware. Even in software, especially open source, you adopt components of open Source Software where you are not confident on where those things are coming from. You could be adapting a capability that could be developed by a foreign adversary that could be embedded as part of your larger software enterprise, only to be exploited at a later point. The third thing is as mentioned earlier, in totality, for both the Academic Community and the Vendor Community and the government in general, is information sharing. What has changed so much today is that the speed of which vulnerabilities are able to be exploited. The ability of mel verse to be created as a result of ai is exponential. Think back to years ago when you got a email from a Family Member in nigeria, if you send me your credit card or 1000, we will have 50 million for you. I am sure most people in this room have gotten it. It would have broken english and sent to a mass email. Today, you can now create customized emails that are sent at mass scales based on your pattern of life that look authentic. I think these three things. Generative ai is changing how we will function in the future, but also the threat landscape. Dave, can you weigh in on cloud . He touched upon the different clouds in use today. I think the Cyber Threats model has to adjust itself a little bit when you are talking about clout. Cloud. We have been heavily adapting cloud. We had a contract earlier this year and we are driving people to adopt the cloud. We have found several instances on the unclassified side where mistakes have led to ip addresses being exposed to the public for a period of time. Of course, the bad guys do not wait. They are constantly scanning the networks looking for a door they can go in. And we lost some data as a result. We had to look at our governance process there, along with the Cloud Service providers. How can we hope you defend your cloud that you have built for us . In all cases, they are custombuilt clouds so they are not the traditional commercial clouds, but they are still visible from the internet, so we have partner with them to understand better how we can help defend. We looked at maybe we can use our tools to scan the ip space where your Management Network resides. We are starting to do that. We will get a full report of all the protocols that are open and vulnerable and work directly with the Cloud Service provider to get them rectified. Another thing we are doing is we are trying to get to zero trust by 2027. We have developed a strategy and Implementation Plan for that. And 91 characteristics to get to a target of zero trust. We have been working with them to build us an a grade of zero trust solutions we can readily consume. We are not good at integrating the products we have today. We have a lot of products that do one thing or another, but getting them all to work well together has not been our forte. We are challenging them to provide zero trust environments. Those are some of the good news stories. Can i add one think . Integration does not take place. Think in terms of a country like china and think about some of the countries that will be involved if a crisis takes place. If those countries do not have the same cloud providers, the ability to share data becomes challenging. Cloud for us may not be a panacea depending on the situation. A few years ago, and was to get everything to the cloud. When you are fighting versus iraq and infest and afghanistan, you can do things in a centralized manner. I. T. Can be centralized and costefficient. Against russia and china, it is better to be decentralized. Moving from a costefficient manner to a Mission Effective manner. Two different outcomes and design. I think there is no move everything to the cloud. Everybody is in this hybrid world, usually with multiple clouds and multiple infrastructures. That put stress on administrators because now they have to learn the nuances of each of the different cloud providers and how do they provide security. I think hybrid is here and is forever. I think focusing on how we simplify those paradigms such that defense is easier is important. The other thing we do not often talk about is we have to teach Application Developers to live in this cloud world. Few were people to protect you when you are out in that public cloud, whereas many grew up in the worlds where they are operating in private data centers. There is a mentality shift that needs to happen. I think that is one of the biggest shifts we see from a threat perspective. The newness is still working its way through the system. And education on the differences, making sure people understand the benefits they will get from it. Dan, i want to jump over to you. We talked a lot about publicprivate hardship. Partnership. Can you help us understand the public side of the Publicprivate Partnership . At the agency, our focus is identifying and trying to collect on possible threats to both public and private infrastructure. We bring that information in and our analysts will take the information to try to provide the best picture of the threat environment and get it out to the people who can actually use it. Historically, that has been other government agencies, but today, because 80 of our Critical Infrastructure is in private hands, it is those people who are the ones who could use the information to mitigate the threat. We do have mechanisms to share the information, but we need to be faster. We talked about automation. We need to build those pathways where the information goes. He may be sanitized, but it gets out there quickly. It may be sanitized, but it gets out there quickly. Behind the scenes, there are agencies like the cia that are helping build the picture to make it as accurate as possible. But it is not a oneway street either. We very much need the information that the private sector has, the threats that they are seeing, to feed into that picture about what our adversaries are trying to achieve. Anthony, maybe you can give us the private sector view. Thinking about faster dissemination, getting information out. The intelligence sharing conversation is super important. We have seen the effects in ukraine and it is an essential component to refine. If you have been in this game for a while, 10 years ago, it is important to recognize the progress that is happening. I think on both sides of the transaction. Certainly from eight private sector perspective, we are making sure we are focused on Customer Trust ultimately. But this notion of sharing in real time information which would allow us to better protect Global Customers is a very important component. Beyond intelligence sharing, there is a broader topic around the public and private partnerships, which is cyber is getting the attention we want it to. With that level of focus, there is risk of destruction. We have to come together as public and private and make sure we are prioritizing efforts that will have no impact on reason resilience. Raising resilience. I think when it comes to where we need to go on private and public, really rich dialogue about effective securities going to be essential Going Forward. And making sure we are doing the threat modeling together. The zero trust is a great example of that. As we wrap it up, i want to give everybody a chance to leave one last thought with the audience. We are going to think about the one thing we are going to do either as a publicsector private sector person to start growing the partnership. What is one of your Top Priorities are things you think this Publicprivate Partnership should focus on . Asking ourselves are the things that we are prioritizing, the influence of government, is it the most effective thing we need to be doing to prepare ourselves for the threats that we have talked about . There is an opportunity cost and we have to be pragmatic about the things we are pursuing. It starts with information sharing. You talked about public ip addresses that were exposed. I get now briefed on a weekly basis on the intel Cyber Threats. That was unheard of 10 years ago. Because of being aware, we can now design and choose countermeasures against that. From up Publicprivate Partnership, we on the public side have to work with our vendor partners to let you know threats you need to be aware of. Here are some of the things foreign adversaries are doing. For our vendor partners, understanding that, you can now design tools around that. Treating our people training our people to leverage the tools to defend ourselves. Want to build off that last point. The investment in people is one of the most critical things we have to do. We are all, the four of us on the stage here, in a fierce competition for talent. It is a zerosum game in terms of how many people actually have the skills needed to build and defend the networks. To find out threats about the networks. While it will take time for our investment to expand that pool of people to the size that we need it, the ability to cross fertilize between those in the private sector, spending time on the public side and vice versa will pay dividends to allow us to address these threats, which the government cannot do by itself, nor can private companies do by itself. Only by working together can we address these threats moving forward. We have seen a lot of great learning on both sides when we do the Exchange Programs at amazon. I think that is a great way to understand. Exactly. We have been engaging with industry for years now. On a lot of fronts. We have engagement with a lot of cloud companies, understanding what they have to offer and how we can utilize that, letting them know our requirements as we go forward with the zero trust, red teaming to prove if they can satisfy what we need or not. It is vital to partner with industry. We will not be successful if we do not. In terms of cloud computing, ai, the United States is in the lead and we need to be able to help them out as well as we go forward. Those facetoface engagements are very important. Additionally, we are trying to work with partners to make sure that they have some minimal level of cybersecurity. The big vendors have no problem doing this. But there are a lot of Smaller Companies we deal with that dont have that. So we are establishing the Cybersecurity Maturity Model Certification Program and we are also offering a wide variety of Free Cybersecurity Services that a company can adopt including Threat Intelligence sharing. And we want to bring more and more companies into the fold there and try to help them out as we go forward. I want to thank everybody for joining us today. Appreciate it. Some really interesting thoughts here. Partnership, training, building trust, working together like we have been. You hit on an interesting point at the end, also thinking about our partners. Extending that trust where we can to help our partners. With that, thanks everybody. I am releasing you for reception. Appreciate it. [applause] [captions Copyright National cable satellite corp. 2023] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap. Org] next that we have our Second Annual award presented by raytheon. It will be presented by executive director of Technology Solutions at raytheon. Lets welcome john to the stage. Announcer cspan is your unfiltered view of government we are funded by these Television Companies and more, including wow. The world has changed. Today, a fast and reliable Internet Connection is something no one can live without. So wow is there for our customers. Now more than ever, it all starts with great internet. Wow. Announcer wow supports cspan as a Public Service along with these other television providers, giving you a front row seat to democracy. Announcer join us thursday for a preview of books that shaped america with librarian of congress carla hayden, and bestselling author Douglas Brinkley, live. Carla hayden is the 14th librarian of congress and Douglas Brinkley teaches at bryce university and has thed books on several prts and many other topics. Tch the preview of our new series, books that shape america, thursday live at 7 p. M. Eastern on cspan, cspan now, or online acan. Org. A healthy democracy does not just look like this. It looks like this. Where americans can see democracy at work. Where citizens are truly informed. A republic thrives. Get informed straight from the source on cspan. Unfiltered, unbiased, word for word. From the nations capital, to wherever you are. Because the opinion that matters the most is your own. This is what democracy looks like. Cspan, powered by cable