Transcripts For CSPAN3 George Washington University Cybersecurity Policy - Nat 20171120

...directions, but we are truly fortunate to have Rob Joyce in his place. For those that don't know Rob, Rob is the cyber lead at the National Security Council. He's the so-called cyber czar, the coordinator for all things cyber. He comes to the White House from the National Security Agency where, among other roles, he ran TAO, which I think has gotten a little more noticed in recent years, and there was a time we couldn't even mention that, but Rob comes to this job with true professionalism. And he has a natural ability to translate sort of those ideas into policy and the like. So Rob, thank you for doing this, especially at the last minute. I thought we'd start with a general question. The executive order promulgated in May. I know a lot of homework items were due early September, late August. Can you sort of give us a sense of where we stand? And I don't expect you to break all news in terms of what exactly was provided, but tell me where things stand and in particular, just because it's been a common theme of our overall event today, the cyber deterrence language in particular.

Certainly. The first question is, is this on? Sounds like it. So thanks for the opportunity to be here, and Tom Bossert did send his deep regrets. He's in the middle of, you know, the White House response to the hurricanes, both as the devastation hit Texas, Florida and Puerto Rico and sister islands, so working that hard, he asked me to step in, and I appreciate the opportunity to talk in this space. So the executive order, let me give a brief thumbnail for those not familiar with what it covers, and then we'll talk about the reports that come in under it. Four big areas in the executive order. The first is protection of our government networks. Those networks are the ones that transact government business but also hold the business of the American people.
When you look at the OPM breach, it's not hard to understand why we've got to put effort into making sure those are secure and modern, and I think anybody who's either interacted with government IT or is currently in the government knows that not every place in the government is at the same level of protection and security. Probably not the case that everybody needs to be, but we do need to make sure the most important information, the most important both national security information but also privacy information, is protected. So the EO was tasking the modernization of those networks and thinking about how we do cybersecurity at scale, and a lot of that, you know, looking ahead, the recommendations coming in there with things like shared services. The idea of moving to modern cloud-based services. The concepts of getting connected to the experts in cybersecurity. When you've got the Bureau of Land Management overseeing hydroelectric power production, they're not going to compete with DHS and DoD in recruiting cybersecurity specialists, but you want those networks just as secure as the other places we have in the federal government. So thinking about how we can do some shared services even in security operations. So that's area one, federal networks. Area two is critical infrastructure. In that area we're talking about the 17 critical infrastructure sectors, things like power, energy, communications, health, water, transportation, maritime. All of those sectors where often those are run and operated by the commercial industry partners, but have implications to the safety and even national security of our country. So that is a collaboration between those sectors and the U.S. government as to how we improve security. This year the trend line continues that advantage is going to offense, and that's a scary thing when you think about critical infrastructure. We can't have our power grid being held at risk.
We can't have questions as to whether the financial sector can stay free from intrusion. So what that means is, we have to have both security as well as resiliency in those critical infrastructure networks.

It will always be with the attacker? Red will always be ahead of blue, given what you previously did. Just one comment.

I did TAO, but I also was assurance, there you go.

I really encourage. People have to flow across that membrane for offense and defense. The phrase I use with others is it takes a thief to catch a thief.

Absolutely. Both of those jobs, I thought differently about the way we needed to move forward because of the experience of the other, but what job trumped the other, not in terms of more fun, but my TAO job was easier. So critical infrastructure resiliency is important. We can't assume that offense won't get through the defenses we put up, so at that point you've got to have capabilities: one, to find and uncover intrusions as fast as you can; two, minimize the impacts from those intrusions; and three, when you do have an impact, how do you recover, and recover quickly? And it only takes the devastation that we're seeing from some of these hurricane impacts to know that, you know, when these services are down, it has tremendous implications to health and safety and welfare.

Which is part of the deterrent, the ability to bounce back minimizes the reason a perpetrator may turn to those, if you can demonstrate the ability to bounce back.

Absolutely. You asked about our deterrent strategy. One piece of that will certainly be demonstrating resiliency. So if you have a question as to whether an effect can hold someone at risk, whether an effect will succeed or whether it will have the impact you're seeking, it may change the calculus of your willingness to go ahead with that.
And on the critical infrastructure side, I mean, no one will disagree that the 17 critical infrastructure areas are all important, but some are arguably more critical than others, the lifeline sectors: energy, electric, telecommunications, financial services, water, transportation. How do you, we can't have the peanut butter approach where we treat everything evenly and equally, or can we?

No. There has to be priorities, because we don't have unlimited resources, and when you're faced with scarcity of resources you have to prioritize. For me the base of that pyramid is the power sector. If you look at when the power goes down, things cascade from there.

The sugar daddy of all.

It can only run so long on generators. The communications sector goes down, the banking and finance sector isn't going to be able to transact. So there's this cascading effect. We're working on the GridEx exercise that will be coming up. We always do an energy sector cyber exercise. This year we're trying to make this joint with power and the communication sector, I'm sorry, the banking and communication sector, to look at some of those knockout effects and make it more realistic as to how society would react.

And even the old Willie Sutton principle, clearly the financial services sector is very far along, and quite bluntly, there are only a few sectors that can genuinely absorb some of the high-end threat indicator information, intelligence, whatever we want to call it. I don't remember if there's NIAC or NSTAC, they did a report calling out the four critical infrastructures and creating a super sector. Is that something you think worth looking at? Or does that unfairly put four ahead of others?

I don't think we're creating a super sector, but we are going to spend more time looking at the interactions between sectors and making sure that, you know, all of the dependencies in one are teased through and the threads are pulled.
That gets to the concept, I mean, we have unlimited vulnerability, limited resources and a thinking enemy that bases their actions on our actions, so it's not like security is an end state. It's a continuous process. So the question there becomes, sort of in that prioritization, anything new coming out of the executive orders that you think... we've all heard public-private partnership. Everyone agrees with that, I think. I've been known to say long on nouns, short on verbs. We've talked about it. We've admired the problem. And it's not to suggest that there aren't solutions, because the defense industrial base, we just heard from Scott at EI. We do tons of work with the FSI and they're doing phenomenal work, but it still comes to: policy without resources is rhetoric. So where do we kind of see that coming down?

Sure. So I think it's a joint activity for both of us. Private industry has invested. Government has invested. I don't know that the gears on the teeth are meshing yet, so we've, one of the calls we often get from the ISACs is we need more sharing of the government knowledge and information that you have.

Mm-hmm.

In the classified arena, that's hard, to push everything the government has; sources and methods are, you know, implicated in some of that. So what we've been talking about, instead of the push model, send us everything you've got, is find ways to get analysts with sector knowledge into the government areas where they can then look for their equities, identify information that then needs to be pushed out for action.

How about the vice versa, when you see that going, where government can spend more time in some of these more critical infrastructure areas?

We think it's important not only for the connection but also for the development of the government and expertise and the relationship.

Awesome.
I think the most impactful step we'll have is bringing more into the analytic sectors from the commercial side so they can have expansive access, but in a controlled way where the data isn't as at risk and we can keep track of what is pushed out and shared with industry.

Coming to your role as sort of a primary producer of information and customer of other bits of information, but largely a provider of information, I mean, what did you find coming into a White House kind of role? This is more of a personal question, sort of, what did you think made sense? What didn't? All these executive orders that we, we've all put a lot of blood, sweat and tears in, in this room and of course you guys, but what really works? Do we have the ability to know in the event of an incident what would trigger an escalation, what a significant incident is? When are you going to get your war room together to be able to manage the consequences of an incident? Are all those still, we'll know it when we see it? What are your thoughts on that?

We've got a process. In the end it's going to come down to expertise. We have...

That's why it's really good you're there, by the way.

We have a wide array of really smart folks distributed across the community, so when you look at what DHS has, what ODNI has...

CTIIC, has that taken flight?

It is. That's where I started. CTIIC, the Cyber Threat Intelligence Center. That is an organization that takes the reporting from across the intel community, to include open source and commercial and partner information, and then tries to summarize up, you know, what we need to know. So they are, they're at the front lines of sensing and warning, as well as the intel community and commercial entities, so every day across that wide array of participants we all drink from these fire hoses of information streams, but what we rely on is the expertise and judgment of a bunch of different people, and things get elevated quickly.
We have routine interaction where I host the interagency once a week, and in that we talk about the threat landscape and other things, but with those daily information flows, we've got a process when something's breaking to pop and call an ad hoc session, and there's a presidential policy on when we turn to a very formal coordination group that kicks off and is led at the DHS level, that triggers some very formal processes, communications, interactions with the commercial entities, and even has a lessons-learned process at the end so that every incident we get a little better.

Can you give us a sense of what sort of an incident would potentially trigger that? I mean, obviously I don't think the Equifax breach, but if there were an attack on the grid, as you mentioned, as we saw in Ukraine, that probably would trigger it?

It absolutely would. A great example is WannaCry hit the health sector. That triggered it. It wasn't hitting in the U.S., but we watched the impact it was having in the UK, and that kicked off, you know, significant interagency processes.

What about IoT? You've got a vast universe when we talk about prioritization that I'm sure keeps you up at night. I used to say I sleep like a baby, wake up every few hours crying. So in all sincerity, where does IoT and the fact that our attack surface is generally growing exponentially, and the real time to get solutions is probably design phase? Systems are systems. For all the engineers that are here, I believe you, I believe in what you're trying to do, but at what point, where does IoT sort of come into your thinking, and specifically the physical-cyber convergence vulnerability, in terms of how we should be thinking about that?

IoT is at the same time both a huge opportunity and a huge threat. The things it's going to enable in our society, making lives easier, you know, the train is moving and we are going in that direction. We're not going to slow that down and stop it.
But as we saw, poorly designed IoT is a real threat to infrastructure, to capabilities, to financial and even national security. At this point there have been various calls, everything from do you do the Underwriters Lab to certify the cybersecurity of IoT, all the way down to let market forces drive. We're in the middle. We'd like to see great articulation of standards, what is best practices. We'd like to encourage the industry groups to follow those standards. There are some really simple things every IoT device ought to have, and it starts with it needs to be updatable. The idea that when vulnerabilities are found, it can be updated. You'd like to have the ability to make sure that it doesn't have default credentials and passwords, and then beyond that the curve starts going up. Ideally its update process is cryptographically secure. They thought about doing an update underneath encryption so it can't be spoofed, and those are easy and simple things; they're well understood, how to do. Market pressures aren't always driving the companies to do the right stuff from the beginning, and that's where I think the government and industry groups can push and help. You know, it's our desire not to see that pendulum swing all the way to regulation, which is why we in the executive order kicked off some botnet studies and other things that really go back to IoT roots and some of the same root causes.

One other thought, since you brought up crypto, the going-dark dilemma obviously stymies law enforcement, intelligence. The flip side is, without strong encryption, the Chinese, the Russians, the North Koreans, whoever, whoever the perpetrator is, are potentially going to exploit that information. How should we think about that? And then we've got very key provisions to advise sunsetting. Reporter is the? What's the call there, if there is a call to action? And help me think through the going-dark phenomenon?
Let me start with the 702 statute. It's just a critical tool in the terrorism and even cyber defense realm.

Happy you said that.

It is a tool that helps us understand threats, and it's a lawful tool under close court supervision. It's even, based on some of the reporting out there, you can see it's well monitored. And so it's really important that we get a reauthorization. The administration's called for a clean reauthorization, so since you didn't get Tom Bossert here today, you can get a little of Tom's information. He did an op-ed piece in the New York Times a couple months ago. I'd encourage you to look at it. It's a tool we can't afford, for our safety, to let sunset. I think Congress is well focused on it, and we're looking to keep that capability.

Awesome.

When you ask about going dark, I think the first message I'd want everybody to understand is strong encryption is good for the nation. There's no black and white about that. We need it for business, we need it for our personal privacy, we need it for, you know, our protections on the national security side, as well as the way we interact just as a society. That being said, there's also a really important part for rule of law, and so what we'd like to see is, you know, responsible corporations consider how they can be responsive to a judicial order. The government shouldn't have a place in saying how that's done, but the design considerations upfront should consider that, you know, we as a society need to do investigations. There's a reason, you know, that all of us look to law enforcement and the government to provide some basic components for society, and that includes the ability for a judge to say I need access to some information. So that's what we'd like to see. Very strong proponents of encryption.
There's no doubt that strong encryption needs to be a capability, and then we've got smart and amazing tech companies in here, many of them are able to both provide that encryption and security, but then when there's a need for warranted access, they can provide it.

So, and I'm going to ask an unfair questio