Transcripts For CSPAN3 Key Capitol Hill Hearings 20171023




going to be hyper brief because you'll get more than you want of me throughout the day but i'm going to quickly introduce my partner in crime or maybe better partner in countering crime lenny hanesworth who's a vice president at northrop grumman. northrop has been a wonderful partner of gw and our center in particular. not only today's event but multiple reports we've done together and i think play a critical role in advancing our national security and our national interest so i'll leave it at that. lenny, please? >> thank you. thanks for the introduction. good morning everyone. on behalf of northrop grumman, we are pleased and honored to co-host today's event in partnership with george washington university. frank and gwu in general have an exceptional reputation in leading rich and deep conversations about policies that will contribute to our collective abilities to enhance the national security of the united states. as we commit cyber security awareness month starting next week, i can't think of a better platform or time for all of us to get together and discuss and pursue solutions that will enable the policy objectives for robust cyber security. as a company and a mission partner we are committed to delivering innovative cyber defense and full-spectrum cyber and intelligence solutions to our customers across the department of defense, the interagency and intelligence community and the federal space. from our work we see firsthand how the threat is growing exponentially both here and abroad. to combat the growing threat we believe that a multitiered approach is necessary to protect our national and economic security interest in the cyber domain. this approach integrates enhanced cyber capabilities, built in cyber resiliency and execution of a unified cyber mission with our closest domestic and international partners. 
in the spirit of partnership, today's event is a true collaboration between government, private industry and academia to exchange ideas and pursue mutually beneficial solutions to advance policy objectives for the u.s. and our allies. today's panels are going to be exciting. they will focus on issues surrounding cyber deterrence and the importance of public/private partnership in spurring innovation on both the technological and workforce front. later this morning we'll hear from the white house's homeland security adviser mr. tom bossert and the deputy director of the nsa. i'm sure you can't wait for us to get started so let me move on to introduce our first keynote speaker, congressman will hurd. congressman hurd serves on the committee of oversight and government reform and chairs the information technology subcommittee. he also sits on the committee on homeland security and is the vice chair of the border and maritime security subcommittee. in 2017, congressman hurd was appointed by speaker ryan to serve on the house permanent select intelligence committee where he sits on the d.o.d., intelligence and overhead architecture as well as the emerging threats subcommittees. i'm sure everyone here is following the progress of the federal i.t. modernization bill that he authored and is helping to push through and usher through congressional approvals now. congressman hurd is one of the most knowledgeable voices regarding cyber security in congress. prior to being elected he served as a clandestine service officer in the cia. the only current member of congress with this background -- >> that we know of. [ laughter ] >> that we know of. and in industry he was a senior adviser for a cyber security firm. congressman hurd, we thank you for your strong leadership on cyber and the intelligence committee and we look forward to hearing your perspectives today and your insights. everyone please join me in welcoming congressman hurd. 
>> thank you and let me just underscore the purpose of this sector is to try to shed more light than heat on what issues are facing our country when i think about leaders in the executive and legislative branch i sleep better with you fighting the good fight on capitol hill so as a bit of a backdrop let me say we're glad to have you here. >> your bar is really low. >> no, my bar is very high and you worked for a good friend of mine at one point hank crumpton. if you're providing a menu for people to eat from you better understand what it looks like and that's important. and i might also know your committee, the homeland security committee, you've been incredibly active as a legislator as well. so you have a lot of members of congress who can speak to the issues but not necessarily follow through with legislative prescription so thank you. let's start with a general question. you can't pick up a newspaper, you can't click on a link, and be careful which link you do click on, on the net without reading and hearing about the hack du jour. whether it's equifax or you name it everyday it seems to be another one. but let's put into perspective, not all hacks are the same, not all hackers are the same, intentions vary, capabilities vary so before we jump into your legislative and congressional initiative can you help us rack and stack the threat as you see it? what keeps you up at night and what should we pay less attention to, if anything? >> so thanks for the invitation and thanks for helping to facilitate this conversation. we still have to be worried about the nation states. they're still at the top of the food chain and a.p.t.s are what we have to ultimately defend against and that is where the federal government should be spending the bulk of their time and so the theft of information is going to continue to go on and we have to be able to start thinking about authentification and what does that mean. 
when we look at equifax, we won't see the effects of that right away. we have to look at authentication. people did not opt in in order for their information to be at equifax or any other credit agency so now we've used the credit agency so much for authentication, how do we change that. but the growing area that i'm getting concerned with is disinformation and while it is not cyber security in practice because it's not -- it's not technical. we have to defend against it and there are technical ways we can inculcate ourselves from disinformation, track disinformation and that's why i think these issues should be talked about closely but the broader problem is ourselves. what is a digital act of war? everybody asks that question, everybody thinks of it differently. we don't have an overriding policy. if north korea launched a missile into equifax headquarters, we know what the response would have been so nobody knows what the response should be now and that requires industry, government, legislators to finally work those issues out. and working with that with our allies, you have to manual which i've spent time in estonia recently and yes they're only 1.3 million people but the fact that they -- people have trust in their abilities to defend their infrastructure everything on line is a big deal and we can learn from that. >> you have a lot of experience given their neighbor so i think that the man may be pretty good at his job. >> i'm not one to look to the u.n. to help solve a lot of problems but if you look at the u.n. defining acts of war the manipulation of a utility grid or impact on a country's electricity is identified as an act of war so when the russians did this to the ukrainians, what was the international response? >> exactly. >> crickets. and not only defining what is an act of war, we should be defining our responses. some we should say "we're not going to tell you." strategic ambiguity is valuable. is general attribution enough? 
we have to continue to work with our -- many countries to make sure that hacking and things of that nature. that's why i think the work that mr. painter was doing at the state department that the coordinator for cyber security is an important tool in our diplomatic tool kit and i hope we see changes at the state department to reinstate that. >> thank you. nation states engage in network attacks and exploit. peer nations that are fighting their strategy, russia, china, countries that may not be yet at the capability of those but what they lack in capability they make up for with intent, north korea, iran. given all your terrific work, does it warrant concern? >> it does. but for me can a terrorist organization take down our grid? can a terrorist organization manipulate markets? i don't think they have the capabilities to do something like that but when it comes to the digital space and i say looking at -- i think part of cyber security is broader of how do you engage in the cyber domain. cyberspace is a domain like air, land, sea and space so when it comes to -- i'll use isis specifically their ability to leverage social media to put out a message, countermessage is important as well. and when you have people using social media, you're increasing your surface area of attack for good guys to get information. i left the cia in 2009. social media is not as much as it is. the info that i could gather from that is significant. it's an opportunity for us. and i think it's fair to say we'll never firewall our way out of this problem alone. at the end of the day you touched on themes we're going to pick up in greater depth throughout the entire day such as deterrence but when we think about our own capabilities, what good is having a doomsday machine if nobody knows you have it. so there's a lot of mixed signaling going on. it has benefits on occasion but not all. >> this is an age-old question and it's an age-old intelligence question. 
if you have access to intelligence, do you use it to do something and if you use it to do something, you're going to reveal the intelligence and possibly lose the intelligence stream and that is why i think it's important for policymakers to be making those decisions not the practitioners so this is a decision if, you know -- and i think the future of cyber command and nsa, you're going to see nsa providing a perspective and saying, hey, we need to preserve long-term intelligence value and then you're going to have cyber command say we need to use this to put the equivalent of lead on the target and they're going to be in friction which is good, you want that tension but the policymaker makes the decision on we are going -- the ability to act is worth the loss of the capability in the future and this is even more germane and important in cyberspace because as soon as you reveal a tool or a tactic everybody knows it and guess what? it's probably going to get turned around and used against you. >> exactly. and that means pulling in the defensive community into any of the offensive discussions becomes more important today than in the past. >> and one thing that i might underscore, and it's not to get a drift and we'll move to other topics in a second but when you look at the greatest, i would argue, breakthrough since member on the counterterrorism front it was the synchronization of title 10 and title 50 where you saw the joint special operations command really know when do you string them up, when do you string them along and when do you take them out? and i think that there is some history there that we can rather than relearn the hard way we can apply and i wrote a piece on this with a few friends of mine so i think there is something there that can actually get the two entities -- there's always going to be conflict but they have to come together to have concerted impact. >> and we should be perfecting that right now today in eastern ukraine. >> thank you. 
>> the russians -- look, this is where electronic warfare and disinformation come together. the russians have been able to convince some people there is a separatist movement in eastern ukraine. it's not a separatist movement. it's a russian invasion of a sovereign nation. they annexed crimea in the southern part of ukraine. they invaded eastern ukraine in that region and they are using the latest and greatest electronic warfare and we should be testing our latest and greatest counterelectronic warfare activities to support our ally ukraine so this is a real opportunity where we should be testing some of our capabilities and we're not doing it to the level of where we should and one of the questions i've been asking is who is the cyber jsoc? i don't know, maybe that was russian tv over there. >> they're here. >> they're looking for me. >> they are. >> yeah, trust me, i'm aware. and so that is where -- that should be the pointy end of the spear. let me go back to something before we move on. when we talk about what are the biggest issues and what keeps me up at night, what keeps me up at night is quantum computing. quantum computing is going to be -- >> i knew i loved you. >> it's going to be here sooner than we expect and vladimir putin said whoever gets ai first, hegemony is going to be decided by who gets to quantum computing first and in real broad applications and that is going to change how we do things and we -- us and our allies should be focused on this, canada has some really interesting things going on of course here in the u.s. and this is something that the only way we're going to achieve being the first here is industry and government working together. >> and academia. >> working together as well. >> and we did a major report last year on active defense looking at proactive steps companies can take because we can't simply blame the victim and what makes cyber different is they're on the front lines of this war. 
i mean, how many companies went into business thinking they had to defend themselves against foreign intelligence services who, by the way, are not only bringing cyber to the fight but all source intelligence. >> but also don't be a victim. most of the major attacks we've seen are not zero-day attacks, they are -- if you're watching your network, if you're doing proper credentialing you would solve these problems and so utilizing good and digital system hygiene is where we should go and the government is some of the biggest violators of these principles and that's why i've spent so much time trying to shine a light on that problem is to make sure that prevent the opm from happening again, that we're following some of the most basic of activities and a lot of my work is focused on the dot-gov space but the intelligence community is just as bad. the cloud is not new technology and the cloud is secure, you can secure the cloud. we should be transitioning to this as quickly as possible and by dragging our feet and we have folks that don't understand this, guess what? get up to speed on it. that's why i.t. procurement is so important because i want to make sure our chief information officers across the federal government have the tools they need in order to modernize and make sure they're defending and not only defending our digital infrastructure but providing the service they're supposed to be providing to the american people. >> well said. hygiene is still two-thirds of all attacks are due to phishing expeditions. i might note the phishers are getting more and more sophisticated, doing intelligence they get one credential to move to another but you're spot on. thank you for raising that. 
let's go to legislative activities and when i quickly introduced you in the very beginning, you've been legislatively incredibly active and, again i think in both hats you're wearing but also the homeland committee, your foreign fighter task force and terror finance work that's rich with legislative prescription which is i'm not sure have been followed up by your bicameral colleagues on the other side of capitol hill but tell me in particular about your united states modernization bill. where is it? where does it stand and what are the guts that we need? >> two things, thanks for those comments but it's also the homeland security committee, it's chairman mccaul. >> brendan shields is right there. >> yes, they're intimately involved and focused on this, when john katko was the chairman of the task force that looked at foreign fighters which produced a lot of interesting pieces of legislation, so this is -- there's a lot of folks that are intimately involved in this then you have to talk about oversight and government reform, ogr where i'm the chairman of the subcommittee on i.t. where we've done our mgt work, our modernizing government technology, or smart government as i like to call it. so the bill passed the house on the senate so we're going to go to conference on the ndaa and make sure we keep that language in the ndaa and hopefully we'll get a conversation version passed before the middle of december and then one more tool for cios to use and the omb and office of american innovation have been really intimately involved in this process. they have ideas on how they want to implement and my biggest fear is that our cios are not prepared as soon as this goes into law to take advantage of it so that is where many of the folks watching here today can be helpful in helping some of these federal cios be put in a position to take advantage of mgt. 
one thing i'm going to be doing on the subcommittee, we do a score card and the score card i score card and we'll start keeping track of the working capital fund for modernization so if you're taking advantage of that, there's a culture of modernization in your organization so i think that is one more metric we should be looking at for our various agencies so some agencies will take advantage of this. others will not and that was the reason for having working capital funds at each agency as well as the centralized fund because there should be 26 different experiments going on in how you modernize based on your infrastructure and so we -- i'm excited about this, i always joke i've been in almost 50 parades in my two and a half years in congress, i've never seen a sign on a parade that says "i.t. procurement". >> there wouldn't be parades without it. >> exactly. so it's really exciting to be able to hopefully see this come to fruition pretty soon. >> it genuinely is exciting and i think legacy systems bring about vulnerabilities that are -- no one worth their salt is patching them either because they're on to the next and the greatest. >> and people understand that. i represent 29 counties in south and west texas. san antonio on one end, cyber security city usa, el paso on the other one of the safest largest cities of its kind. in the middle probably more cows than people but when you tell people the federal government spends $90 billion on purchasing i.t. goods and services and 75% of that is on maintaining legacy systems, they're outraged. 
>> and two other legislative initiatives of yours, the smart wall which i'm very curious and also the specific cyber implications of what that could be from an exploit and from a defend -- from a red and blue perspective and also i was broke intoed with your proposal to initiate a stronger role for the national guard which i think the men and women serving in the guard is an incredible resource that is tapped when bad things happen but they could be so much more and especially with respect to cyber it's a way you can have men and women who want to serve their country but maybe want a salary or life-style with their families that's different to be able to do a little bit of both and you mentioned estonia earlier and they have what's called the cyber defense league where they have a national guard on steroids where they can support the ministry of interior so they've expanded the way we think of the guard under title 32 tach commutes and the like but i would be curious about both those bills, first the smart wall and any insight you may have on the current proposal on the wall and then specifically on the guard. >> so i represent 820 miles of the border between the u.s. and mexico. >> that's a lot of miles. >> more than any member of congress and i chased al qaeda and russian intelligence officers and proliferators all over the world, so i know a little something about chasing bad guys and the premise is, building a 30 foot high concrete structure from sea to shining sea is the most expensive and least effective way to do border security. we should be using the latest technology in order to understand the difference between a bunny rabbit and a person coming across the border, and we can but look the border is broken up into sector. el paso has 300 miles, only 60 miles of persistent technology and the technology is 20 years old. we don't need the hubble telescope on the border. 
we need a camera that can see at night which is basically any camera. we can use radar, lidar, uhm, lay a fiber optic cable, use the analytics off of that. the reality is sensor technology has come so far and so cheap it's basically disposable and we should be thinking of it that way. all that information that we're gathering from those sensors and we should take a mile by mile perspective because a one size fits all solution doesn't work and figure out what is the best tool for that location, have the information and beam it to the man or woman in border patrol for them to do their job. now the cyber security implications of that is basically cyber security of the internet of things and so making sure that and this is i think going to be one of the biggest debates that we have to make sure as we're building things we do not make the same mistake we make with the internet, don't hard code passwords and user names into your systems. make sure your systems are able to update remotely. these are some of the basic things we should be using and ultimately, being able to secure a sensor network along the border is not an unbelievable challenge, but we also do have to remember that the narco trafficane and smugglers don't have jurisdictional debates in congress. they don't have to worry about congressional approval for their operations, so the bad guys are well financed, well equipped, and that they will be using counter techniques in order to counter what we're doing. >> before getting to the guard, one question. with the intent, if you see real momentum there, will you also have cyber security requirements because we did a couple of major reports with northrop grumman in the past with their cio and it was on baking security into the design of infrastructure and it played a significant role in the defense acquisition process. would that be a stipulation? 
>> so i think fisma kind of already covers some of those requirements, and that is something that would ultimately get pushed down to dhs procurement, but it's something that needs to be -- >> you're overlooking? >> absolutely. i want to just, i want to get this done, and because look, it is 2017 and we don't have operational control of the border and it's because we haven't looked at the entire border at the exact same time and you can't look at the entire border at the exact same time if you're not utilizing technology and manpower and on the guard, it's real simple. the notion is now that we are close to the finish line with mgt we're going to focus on what i call the cyber national guard is simple. kid in high school with aness to get a degree in cyber security we'll find some federal dollars and then if you go to school on a scholarship you go and work in the federal government for that same amount of time, call it four years. you come to gw or texas a&m university for four years and then you go work at not nsa or dod, but the u.s. census bureau, the social security administration, the department of interior, because we need people there, and then after you've worked there and you work in the private sector, that company, you know, like northrop, are going to loan you back into the federal government for the proverbial one week in a month, two weeks a year. the loan back will probably be something like ten days a quarter or ten days every other quarter so it doesn't disrupt business processes in the company but enough time where you can sink your teeth into something, and so that's the process. now, some of the challenges. the 15,000 holes in i.t. jobs in the federal government we don't have common job descriptions for that. 
so if we have something coming out of school we have to make sure that they have the credentials in order to come into one of these jobs, so the first step is we got to make sure that there's common job descriptions across the i.t., across i.t. positions in the entire federal government. i think this is something that can be solved in 60, 90 days, let's just go ahead and take somebody who already has job descriptions, take the top 300, tell the federal cios map each position to one of the 300, boom. you put it in a database, we're ready to go. so that's one of the preconditions that we have to do. i think we have some ideas on how to sort out the money, but the other question is, loaning people back into the federal government, how would businesses be comfortable with that and we'll also have to start talking and streamlining the process of getting security clearances as well. but that will allow cross-pollination of ideas and we accept the fact the federal government will never be able to compete with the private sector on salary, but mission and there is not too many other entities out there where, that has a scale of any agency within the federal government, so that is a skill set and perspective that you can't get in many places in the private sector, but you can get it in the government, and it's a skill set that is absolutely valuable in the private sector. >> well said. i'm glad you touched on the workforce issue, and building career paths and professionalizing the processes is really important. we've got ten minutes about for questions, seven minutes actually so please identify yourself before you ask the question. we'll do two here and then go to the back and we have a mike coming. >> hi, is it on? yes. hi, rick weber, insight cyber security. on other legislative issues, can you talk a little bit about the nppd reorganization bill passed the homeland security committee government oversight is looking at it. 
can you tell us when it's going to come to the floor and what changes there might be? he's the cyber reporter. >> this is a good piece of legislation. chairman mccaul is exactly right in the need for that reorganization and this is one of those issues where the term, the issue jurisdiction gets in the way. i've heard that term more in the last two and a half years of my life than in the previous 38 years combined, and so the answer, the real answer is i don't know. but it's something that i think that we need to move forward and i think that nppd and dhs is so important. they are the belly button in sharing between the federal government and the private sector. they are the only entity that can transition from need to know to need to share, and they are, and that is why i think dhs is so important when it comes to coordinating, and i always use an example of you know, why need to share is so important. we knew that came out of the 9/11 commission report, about intelligence sharing within the intelligence community but that translates into the cyber world as well. i've been out of the cia for, since 2009. i've never, have ever said the true name of the farm. super secret -- >> don't start it now. >> i'm not going to start it now but even though it's in every book and every movie, i just can't do it, and so that's why culture matters and i think that's why dhs is so important. but i want to see that bill move. >> awesome. >> nothing that i know of. >> i think there's a hearing coming up next week on that. >> brendan is in the back of the room. >> you can hammer him. >> mike nelson with cloudflare, technologist working for a technology firm so i always look for technology solutions but i'm going to ask about economics. 
seems like there's very little research done on both how we can make spamming, ddos attacks, malware, ransomware less profitable for the criminals, and we have even less good research on how we can change the economics so we can get people to fix the problem. one very good example is in the federal government, where we have hundreds of servers that are used in almost every ddos attack because they amplify the attack. somehow we have to get the economics right so the people who run those servers are punished. >> that's helpful perspective, and austin our legislative director is here and that's an interesting thing to follow up on. thank you. >> it does play into some of the perception management of psychological operation we're also seeing, what's the cost, if russia gets it wrong on twitter. the cost is nothing. >> yep. >> and if they get it right, it's at low cost and we all know that they started the hiv cia rumor, which was all false and now they're just doing it old intent, new tactics. the cost is an issue. >> absolutely. >> we had a question back here and if we can do quick questions, so please. >> you got it. mike klein, university of wisconsin. i think you're being a little tough on state cios and federal cios. aren't many of them appointees, and i think at thete
