Good morning, good afternoon. One bit of housekeeping information. Tom is doing calls. He is responding to the devastating effects in Puerto Rico, and since his job is to be head of homeland security, cyber, counterterrorism, he is kind of running in a million directions, but we are truly fortunate to have Rob in his place. For those of you who don't know Rob, Rob is the cyber lead at the National Security Council. He's the so-called cyber czar, the coordinator for all things cyber. He comes to the White House from the National Security Agency where, among other roles, he ran TAO, which I think has gotten a little more notice in recent years. There is a time we can even mention that, but Rob comes to this job with true professionalism. He has worked these issues from a collector's and operator's perspective and he has a natural ability to translate those ideas into policy and the like. Thank you for doing this, especially at the last minute. I thought we would start with a general question, the executive order that was promulgated in May. I know a lot of homework items were due early September, late August. Can you give us a sense of where we stand? I don't expect you to break all news in exactly what was provided, but tell me where things have been and in particular, just because it's been a common theme overall event, the cyber deterrent language in particular. Thanks for the opportunity to be here. Tom did send his deep regrets. He is in the middle of the White House response to the hurricane, both as the devastation hit Texas, Florida and Puerto Rico and sister islands. He asked me to step in and I appreciate the opportunity to talk in the space. Let me give a brief thumbnail to those not familiar with what it covers and then we'll talk about the reports that come in under it. For big areas, the first is protection of our government network. Those networks are the ones that transact government business but also hold the information of the American people.
When you look back at things like the OPM breach, it's not hard to understand why we had to put effort into making sure those are secure and modern. I think anybody who has acted with government IT or is currently in the government knows that not every place in the government is at the same level of protection and security. Probably not the case that everybody needs to be, but we need to make sure the most important information and national security information and privacy-implicating information is protected. The EO was tasking the modernization of the federal networks and thinking about how we do cybersecurity to scale, and looking ahead, the recommendations were things like shared services, the idea of moving to modern cloud-based services, the concepts of getting connected. When you've got the Bureau of Land Management overseeing important things like hydroelectric power production, they are probably not going to compete with DHS, NSA and DoD in recruiting cybersecurity specialists, but you want those networks just as secure as the other places we have in the federal government. Thinking about how we can do some shared services, even in security operations, that's area one, federal network. Area two is critical infrastructure. In that area we are talking about the 17 critical infrastructure structures, things like power, energy, communications, water, transportation. All of those sectors, often those are run and operated by the commercial industry partners but have implications for the safety and national security of our country. That is a collaboration between those sectors and the U.S. government as to how we improve security. This year the trendline continues that advantage is going to offense, and that's a scary thing when you think of critical infrastructure. We can have our power grid being held at risk. We can have questions as to whether the financial sector can stay free from intrusion. What that means is we have to have both security as well as resiliency.
Do you see a day where it can be with the defender, or will it always be with the attacker? I think people have to flow through, the phrase I use with others is that it takes a thief to catch a thief. In both of those jobs I thought differently about the way we needed to move forward because of the experience of the other. Which job did you think trumped the other, not in terms of more fun? I would say my TAO job was easier and the information assurance kept me up at night. Critical infrastructure, resiliency is important. We can't assume offense won't get through the defense that we put up. At that point you've got to have capabilities to uncover intrusions as fast as you can and minimize and localize the impacts from those intrusions and, three, when you do have an impact, how do you recover and recover quickly? It only takes the devastation that we are seeing from some of these hurricane impacts to know that when these services are down, it has tremendous implications for health and safety and welfare. Part of it is the ability to bounce back, which minimizes the reason they might turn to those. Absolutely. You asked about our deterrence strategy. One piece of that will be demonstrating resiliency. If you have a . Whether they can hold someone at risk. [inaudible] [inaudible] The base of that pyramid is the power sector. If you look at when the power goes down, things cascade from there. It can only run so long on generators. The communication sector goes down, the banking and finance sector isn't going to be able to transact, so there is this cascading effect. We are working on the exercise that will come up. We're trying to make the banking and communication sector look at some of those effects and make it realistic as to how society would react. Even from a defensive, clearly the financial services sector is very far along. I don't remember if it was nyack but they did a report calling out the four critical infrastructures.
Does that unfairly put forth, I don't think we will create a super sector but will create time between sectors and making sure all the dependencies in one art piece through and the threads are pulled. Then that gets at sort of the concept, we have unlimited vulnerability and resources, it's not like security is an end state, it's a continuous process. The process there begins in that prioritization. Anything new coming out of the executive orders that you think? We've all heard public-private partners. I've been known to say long on nouns and short on verbs. It's not to suggest there aren't solutions because the industrial ace, the industry sector, we've just heard from them in the financial services sector, they are doing phenomenal work. It still comes to the policy without resources rhetoric, so where do we kind of see that coming down? I think it's a joint activity for both of us. Private industry has invested, government has invested, I don't know that the gears are meshing. One of the calls we often get is that we need more sharing of the government knowledge and information that you have. In the classified arena, that's hard. To push everything the government has, there implicated in some of that. What we've been talking about is, instead of the push model, send us everything you've got, find ways to integrate a few of the key analysts with sector knowledge into the areas where they can then look for their equity, identify information that then needs to be pushed out for action. And vice versa, where government can spend more time in some of these critical infrastructure areas. We think it's important not only for the connection but also for the development of the government expertise in the relationship. Awesome. I think the most impactful step we will have is bringing more into the analytic sectors from the commercial side so they can have expansive access but in a controlled way where the data isn't as at risk and we can keep track of what is pushed out and shared.
Coming to your role as sort of a primary producer of information and customer of other bits of information, but largely a provider, what did you find coming into a White House kind of role? This is more of a personal question. What did you think made sense, what did it? All these executive orders that we have all put a lot of blood, sweat and tears into in this room, and of course you guys, but what really works? Do we have the ability to know in the event of an incident what would trigger an escalation, what a significant incident is, when you will be able to get your war room together to manage the consequences of an incident? Are all of those sort of we will know it when we see it? We've got a process. In the end it will come down to expertise. It's really good to there, by the way. We have a wide array of folks distributed across the community. [inaudible] It takes the reporting from across the intel community to include open source and partner information and tries to summarize. They are at the front line of sensing and warning in the intel community and commercial entities. We all drink from these fire hoses of information streams, but what we rely on is the expertise and judgment of a bunch of different people, and things get elevated quickly. We have routine interactions where I host the interagency once a week. In that we talk about threat landscape and other things, but with the daily information flows, we have a process when information is breaking to call an ad hoc session, and then there's a policy on when we turn to a very formal coordination group, and that is led at the DHS level. They can trigger some very formal processes, communications, interactions with the commercial entities, and it even has a lessons learned process at the end, so every incident we get a little better. Can you give us a sense of what sort of incident would potentially trigger that? If there were an attack on the grid, as you mentioned, like we saw in the Ukraine, that would probably trigger it.
Absolutely would. A great example is something that hit the health sector. Was it hitting in the U.S., but we watched the impact it was having in the UK and that kicked off significant interagency processes. What about IoT? How big, you've got a vast universe when we talk about prioritization that I'm sure keeps you up at night. I used to say I get up, I sleep like a baby, wake up every few hours crying. In all sincerity, where is IoT? The fact that our attacks are growing exponentially, the real time to get a solution is at the design phase. [inaudible] IoT, at the same time, is a huge opportunity and a huge threat. They want to make lives easier. The train is moving and we are going in that direction. We are not going to slow down and stop it. We saw poorly designed IoT and that's a real threat to infrastructure and capability and national security. There have been various calls, everything from the Underwriters Lab and certifies security all the way down to let market forces drive. We are in the middle. We would like to see great articulation of standards. What is best practices. We would like to encourage the industry groups to follow those standards. There's some really simple things that every IoT device ought to have. It starts with, it needs to be updatable. The idea that when vulnerabilities are found that it can be updated. You would like to have the ability to make sure it doesn't have default credentials and passwords, and beyond that, the curve starts going out. Ideally, its update process is cryptographically secure, they thought about doing an update underneath encryption so it can't be spoofed.
Those are easy and simple things, they're well understood how to do. Market pressures aren't always driving the companies to do that right stuff from the beginning, and that's where I think the government and industry groups can push and help. It's our desire not to see that pendulum swing all the way to regulation, which is why in the executive order we kicked off some studies and other things that really go back to IoT roots and some of the same root causes. One other thought, since he brought up crypto, the going dark dilemma and challenge. Obviously it stymied law enforcement intelligence, the flipside is without throwing strong encryption, whoever the perpetrator is will potentially exploit that information. How can we think about that, and then we've got very key provisions at the end of December. Is there a call for Congress, what's the call there if there is a call to action, and help me think through the going dark phenomena. Let me start with the 702. FISA 702 statute, it is just a critical tool in the terrorism, and even in the cyber defense realm. It is a tool that helps us understand threats. It is a lawful tool under close supervision. It's even based on some of the reporting out there, you can see as well monitor cap there's oversight from multiple levels both inside those agencies and with independent verification. It's really important that we get a reauthorization. You can get a little of Tom's information. It's a tool we can't afford for our organization to let sunset. I think Congress is well focused on it. When you ask about going dark, I think the first message I want everyone to understand is strong encryption is good for the nation. There's no black and white about that. We need it for our protections. That being said, there's an important part of our rule of law. What we would like to see is responsible corporations consider how they can be responsive to judicial order. The government shouldn't have a place in saying how that's done.
The design considerations upfront should consider that we as a society need to do investigations. There's a reason that all of us look to law enforcement and the government to provide basic components for society. That includes the ability for a judge to say I need access to information. We're strong proponents of encryption. Strong encryption needs to be a capability. We have smart and amazing tech companies. Many of them are able to provide that encryption and security, but when there's a need for warranted access, they can provide it. I'm in as sort of an unfair question. I mean, quantum computing and a Chinese satellite being launched, a head of state from Russia talking about the importance of artificial intelligence to dominate the world, what does that mean? Are we in the midst, do we know there's even a race going on, and what does it mean for our tail? We need to make sure we have the capability to ensure our dominance in the space. These are big news stories that kind of get buried. They're really big from a policy standpoint. What are our thoughts on that? Does that cause you to take notice? Other policymakers? Certainly, when you look at technology, there is a history in this country that technical innovation has underpinned our society and it's also really given rise to the amazing lifestyles that we have here in the U.S. The good news is, we have such a healthy set of industries, research labs, academia, there is nobody that doubts we are the leader in technology. But we can't take it for granted. We cannot. That's why we continue to invest in that. The White House kicking off STEM educational programs, we've got to continue investing in that next generation both for the people in the technology, and I would argue in the end, if we do the people right, the technology will follow. The people are the secret and the key to our innovation. Even from a threat perspective, technology always changes but human nature is pretty consistent.
Good, bad or indifferent, that has to be factored in. That gets into the whole human collection versus technical means. I'm really glad you raised that. What can you share in terms of what the agency has put forward and what you're trying to articulate? By the way, in fairness, I don't mean to lead with these questions, I don't think you articulate, I think you articulate actors from crossing lines, but what are we thinking about that? Do you see a day where we will have a genuine cyber deterrence strategy? I do think we will have a genuine deterrence strategy. So I tipped you to a couple things better in there. One is demonstrating resilience will be a cornerstone to deterrence. We've got to have the assurances that we've done the right things to plan for eventualities that sometimes are heinous to consider. We've got to do that planning. Then we've got to exercise. We have to practice like we play, and so that element is really important for resilience. The second element is kind of what I hear you alluding to, which is the imposition of cost. We can have norms. Norms are great, but without an imposition of cost for the people who are outside those norms, the norms don't mean anything. And the bad guys have to know that we mean business when certain things are crossed. Right now they don't know. At times. I would say one of the things we've used is law enforcement. Even at times we can bring people to justice. We know after a public indictment that they are going to stay put and the government is not going to give them up, but it's a powerful diplomatic message, it's a powerful signal to send to others who are considering it. The retired and can't travel, so that has a cost too. We are also using sealed indictments. In the back of the mind of people who participate in these activities, that should make them wonder, as they travel internationally, it doesn't need to be to the U.S., but other places. That's one element. Another element is the art of diplomacy.
The ability to shape other countries' actions. Sanctions, the ability to do primary and even secondary sanctions. We've used that time first cyber topic spread we will use that again and more. Then there's other elements. We will respond to cyber with cyber. Most of the time you can't solve cyber with cyber, that is one of the arrows in the