Are across the street. We believe this program to go to our live coverage of the intelligence and National Security conference taking place at the National Harbor today. Coming up a discussion on defending cyberspace. Live coverage here on cspan2. It is crucial to collaborate to address Cyber Threats for our national and economic security. To moderate this discussion it is my privilege to introduce david sanger. David is a National Security correspondent and a Senior Writer at the New York Times. In his 36 year reporting career for the times, very impressive, david, he has been on three teams that have won Pulitzer Prizes most recently in 2017 for international reporting. His latest book, and its a good one, the perfect weapon, war, sabotage, and fear in cyber age examine the emergence of cyber conflict, and how it is changing the nature of global power. Please join me in welcoming david sanger. [applause] well, thank you, william. Thank you all for coming here. We are acutely aware where the first session after you come back from lunch, so we will try to keep you awake and widely as well as we can. We have a terrific group for this discussion today. To my immediate left, youre right, general stephen fogarty, commanding general of the United States army Cyber Command. Rick howard, old friend, chief Security Officer at palo alto networks. Jeanette, assistant director for cybersecurity at the department of homeland security, and, of course, still relatively new agency, cisa. And sonia, assistant Deputy Director for cy brad fbi. This should be a great discussion. Tonya, let me start with you and ask you to just described, uganda, the fbis role in cyberspace and the threat environment, particularlythink it has changed over the past year. Sure, thank you, david a thank you to insa for hosting us today. So as we have the fbi at the threat environment from a macro level, its not necessarily the best news story in the world but it is certainly complex. We are looking at an environment where theres no shortage of vulnerabilities and opportunities for malicious actors to exploit those vulnerabilities. And we see that landscape only growing in complexity as we consider the number of devices that are going to become connected in the billions over the next few years, many of which dont have security built in. We live in a world where we see nation state actors conduct wholesale theft of personally identifiable information. So targeting not just our Government Networks but our citizens as well as Healthcare Information and intellectual property and then we have growing university of actors who are growing in their capabilities universe tools that are available to them to use and at the fbi would look at both the National Security and the criminal space. So we increasingly see kind of crime and cyber crime as an economy, crying is a service. The growth of organizations and individuals who are marketing different elements that are necessary to conduct cybercrime at scale, that only kind of embolden and enable more actors. And apart from this you have the complexity that apart from federal federal networks, much of what we care about in the u. S. Is in private hands, whether thats Critical Infrastructure also as we see, for example, with ransomware, targeting of other potential victims such as municipalities, et cetera. And then the wildcard in all of this is adversary intentions, which is where we rely on Intelligence Community to help us prioritize and make sense of this complex space. Who is it that we really need to worry about . Who is most intent and most capable of causing the most harm to us . So thats the big picture for us so as i mentioned, thats a complex picture. And we feel that often, especially in government but throughout our society, we reflexively look for a simple answer, even to address as complex a system and problem as i just described. But how we see at the fbi is that its only through a woven fabric of the authorities and capabilities of all the entities i just mentioned, whether its u. S. Government, foreign partners, the private sector who have to come together with their authorities and capabilities in an agile way to be able to counter that environment. So thats a longwinded windup to where do i see the fbi in that we see it squarely in the middle. I wont speak for other agencies, i will just say generally we look to partners like fisma who are in the lead in assessing risks to our networks and helping to support through medication and defense. We look to our right and we see our partners in the Intelligence Community and dod who are taking the fight to our adversaries overseas in ways both seen and unseen. And then we really see the fbi squarely in the middle, enabling the activities of that whole range of partners, plus the private sector with our unique authorities and presence. And briefly, that comes from a long history 100 plus years now we now were building on in cyber of having presence in argument is throughout the countries, and globally, where we are engaging in our communities before something happens so that we are ready after something happens to engage victims with the response that they need to conduct investigations and operations focused on two things, attribution come find out who was responsible, and accountability, whether thats through our own tools in the criminal Justice System or providing those nuggets of attribution two other partners who can use their tools to hold our adversaries accountable. Tonya, will come back a little bit later on to the ransomware issue which you just alluded to, but just one question coming out of your scene setting there. The four big state actors would often talk about, china, russia, iran and north korea. Are you seeing a significant difference in the level of activity among roles over the past year or so . Obviously geopolitically a very changing environment with all four of them. I always hesitate to write because i think its a pretty fluid situation, and different adversaries are focused on different things. And have different capabilities as well. For example, i think we continue to see china quite active in terms of economic espionage, which our director has been very forthright speaking about alongside other agencies. Russia certainly continues its malicious cyber activity, and its no surprise that theres been a fair amount of attention to the potential for geopolitical tensions in the middle east, particularly with iran, to perhaps manifest themselves in the cyber arena. Are you seeing any evidence of the iranians are doing that right now . I do want to speak to particulars here. Very good. Youve heard from tonya where the fbi in the spirit my guess is that cisa which is just about a year old now, right, is probably a little less wellknown in the role just because it is a newly created agency. So tell us a little bit about that, and also tell us how your responsibilities differ from the fbis. Sure. I think tonya set things up very nicely. In where we sit is theres a lot of people in the government and in the private sector increasingly that are very focused on how to understand the threat. And for us we believe that threat is just one component of what we need to understand, and you talk a bit about geopolitical dynamics. And oftentimes i think we have cyber conversations in a bit of a silo and not thinking about the broader geopolitical dynamics, which is been that over the last few decades, weve created technologies and ecosystems that allowed the United States to be at least the potential to be held at risk in the homeland. And oftentimes that manifests itself through cyber means, not completely. And so my organization, well, cisa, the Cybersecurity Infrastructure to get agency, created last year by legislation, last november, is nearly a year old. We do have a legacy actually going all the way back to the founding of the department with many authorities that were given to actually do with the characters an issue. And in thinking about what happen with 9 11, and that there wasnt anybody this picks up on the point about coordination, is we didnt have somebody who was focus on engagement with the private sector exclusively, not in the Law Enforcement, not in intelligence, not from a defense perspective but somebody who could think about risk, bring government partners together, not be the one to execute because anybody come as tonya minchin, everybody has a lot of different tools would be the one bringing people together, letting the Intelligence Community sort of understand what would be useful for the private sector to take action and being in a in a position te able to alert and worn when we do learn things. So theres a lot of Lessons Learned from counterterrorism, and, about two years ago now we started to think about well, how has cyber, and, frankly, even if the terrorism, physical security responses as well, how has that dynamic and the threats to the homeland really changed . And what we realize is that we ourselves were missing the Bigger Picture a little bit by focusing on what im waiting for the financial sector, what is i. T. Doing . And really adversaries what they want to do is, is hold functions of our society at risk. And we learned this through elections. We have learned this through energy engagement. Its not in the interconnectedness makes it even sometimes easier. So if they want to have a situation where we have a loss Public Confidence in our financial markets, theres ways you can effect the outcome potentially if they want to take out our ability to generate electricity, theres ways you could contemplate going about that. But he cant just be a conversation with the utility owners or the Global Capital market bank. You have to have the Service Providers in the conversation. You have to have the broader internet ecosystem, on an average in the conversation. We have switched to a functional approach, and we released our National Critical functions, the first time weve ever done this in april i believe it was. And what we are looking there is, thats really the foundatn of what we believe are, is understanding what is the risk to the country, help inform the threat with information were able to gather, help drive questions of those who click on the threat to better understand the risk. But also to understand vulnerabilities and was important to understand the consequence. If you have a capable actor who has an intent and theres a full ability of the consequence is in a big deal, well then we have a way to mitigate this. If you have a very significant consequence but nobody is looking to see if theres any actor who can effect the consequence they we should probably be pivoting resources to be looking at is that a potential. Its forcing not just us but all of government to thank very, very differently whether in intelligence immunity for those of us here on the stage about the role of the government and the private sector and the federal government and state and locals, the u. S. And a partners in having much more open conversations about what do we know, what do you know and how do we share that information and not just heres some ioc these, good luck. Its really getting into much more contextual conversations, is i think we think russia might be doing this action i dont know if its rush but we think somebody is trying to do this to your system. You and private sector willing to share what could be happening there back with us, back with nsa, fbi, dod come all the different components coming together. So thats where we see we are setting is we are not the ones that are going to have every single tool to solve all these problems, but we are position to be that kind of risk advisor to understand how is the homeland at risk and what can we do about it, what are the levers we can poll, who has of those levers and how do we take action . So thats where we would focus at these National Critical functions are the core of whats going to drive us and prioritize and without a Great Partnership across all of government, frankly in thinking a little bit differently about the u. S. As a target, how do we orient ourselves to drive down that risk. Im glad you mentioned that. When you said before that its different than just having people v iscs, the indications of compromise and say good luck, there was a bit of going on for a number of years and usually companies would say to me when i got those warnings that came out of dhs rfpa, this is great, we saw this four four mitsuko andt with it. Which takes me to rick. Because one of the big changes it strikes me has been the creation of the Cyber Threat Alliance. So that this sharing is much more of a twoway thing. Youre going to see things that jeanette or tonya may not see first, or youll see them from a different angle. Tell us all a bit about how that works and a little bit about how its got to speed up. Its still a pretty manual process it strikes me. Definitely from the government side, but before answer that let me plug your book for a second. Before i read davids will come if you ask you what is the single book i would want to read if youre starting from scratch or need to have under your belt, i wouldve said cuckoos egg book. The rest of you have homework to do. You should still read that book. After i read davids book its davids book, perfect weapon. We know most of things he talked about the we dont really understand and to you read his book. The dictate what i have from it is weve been in a continuous lowlevel, lowlevel cyber conflict since 2010, and we are just the starting to get her hands around it. I did not pay rick for any of this. I didnt know were supposed to suck up to the moderator. I also want to plug the book. Ill give you a cat from a commercial perspective, david is right. The thing the commercial world relies is the adversaries have automated their attacks. What most of us have done in the commercial space and in the government space were still kind of deal with that manually. If you have an Information Sharing Program they are sending that around in spreadsheets and an email. If your organization has the time to even consume those things, you may get around to it in weeks to months to never. What we decided to do in the cybersecurity Vendor Community is to automate the threat information sharing, right . Between security minister cures the reason, right, every security vendor out there worth its salt is a giant intelligence collection engine. Palo alto said 70,000 customers all with ten200 devices deployed in a networks. We can deliver controls automatically to those devices because they are our customers. The Threat Intelligence to hold out the Networks Works for unit 42. Marketing sucks for us. Totally free intelligence if you want it. But when you discover something new we can convert that into multiple prevention controls for our public set down the intrusion kewell chain and deliver to the 70,000 customers in the about five minutes. Five minutes. That is amazing capability. All the memos of the cyber satellites and others were six of us, theyll have similar capability, ours is better, but thats the best you can have. You guys are not laughing now. This will be an long panel. They all have similar capabilities. When we share some new thing with the cyber satellites we putting controls around the planet in minutes to hours. What is happening for the government side is trusting that system. If with information from lots of government around the world that say hey, we solve this thing and it is very damaging, if you just got it into the cyber threat of lines, im looking your way, we could get the prevention controls the protect almost anyone on the planet very quickly. We have to fix that going forward. We will let you guys defend yourselves. I understand the reasons why we cant. Well get to that in a second. General, of course before you in your current role when you succeeded the general who we would be hearing from later this afternoon, you were at Cyber Command as well. You come at this from a bit of a different perspective. And the phrase we have heard since the concept of operations changed, just as admiral rodgers was leaving office with persistent engagement, which is perceived by most people as being largely overseas, and the networks of adversaries so that you can see a threat gathering before its delivered, before rick sees it show up in the Cyber Threat Alliances networks. Presumably before jeanette and tonya see them as well. Tell us how this works day today. Whats this look like . And in a world where people are concerned about sovereignty, how to explain to the rest of the world why we can be in their networks and yet we get so upset as, as jeanette points out, weve got four operators city and our electric power grid. So first of all, persistent engagement, i think the big idea there is were going to start using the entire operational depth of the cyber domain as we would frame what information environment. And so youre not going to see threat space or threat actors or planning or preparing, testing, rehearsing. Theyre trying to defend themselves if we are not going to see gray space so that im allowing it to maneuver out of their sanctuary, get into an attack position and just start to pummel us. Even think about where we were just a couple of years ago, thats what it was. It was shields up. We were principally focused in blue space, and he were trying to shoot the arrows or block the arrows from penetrating us. And i think tonya said it well, the volume, the velocity, the variety of threat, it just continues to improve. As ri