Transcripts For CSPAN3 Govt Corporate Officials Discuss Federal Cybersecurity Priorities 20240714

This morning we heard where we are today with cybersecurity. So, you know, my career in cybersecurity started when I joined the National Security Agency and the offensive mission set, and that gives you a perspective of how to defend against very advanced actors. So the point of this panel this morning is to talk about the priorities, but with a focus of how we resist attack. Okay. So on our panel today, we have a mix of commercial sector companies working with the government and a mix of government folks that are really focused on important missions and are critical to the national security. In my opinion, given my experience, I think offense always wins. And with that mindset, I want to take a look at what we're doing today and how we can give you all lessons learned and some front-line knowledge about things to take back to your organization and implement. This gets to the heart of the issue, though. Scaling. We all have lots of systems. We are certainly dealing with a scale attack surface and adversaries that are more advanced and capable over the past five years. We certainly are scaling our budgets, as well. You can see here we're focused on IT modernization, spending 95 billion. We have cyber spending going up, close to 10 billion. Is it actually working? And we also have a growing talent gap. So with all these things, I want to put the panelists on the spot early this morning and kick it off. Everybody, in two to five sentences or less, what is one way you're scaling your security programs to address the growing threats in light of the cybersecurity talent problem?

Okay. I'll go first. There's two aspects to this and I'll try to be within two to five sentences. Thanks. The first is how can we better leverage AI and ML to deal with them, the growth in data coming at us. The second part is how can I actually get on board the right technical skills that can help me with the mission?
Being in government, I cannot match the salaries of industry, so I have to work some unique ways. I have to appeal to their sense of mission; our mission is interesting. I have to appeal to their patriotism. But we also have to look at other means to increase their pay, so we're doing cyber retention pay to bump up the salaries a little bit. We are looking at cyber talent basis. They're putting that in place to help us create automation. We have a robust cyber internship program which we ran this summer for ten individuals. We kept them away from data entry. We gave them cyber kind of problems. So there's a couple ways you do it. One, you have to look at helping the team deal with the growth in data, but you also have to make sure you have a team there and face up to the unique problem government has in hiring.

Rach snell.

Yeah, I would say it's much the same. Right? I think part of that is also coupled with automation. What are the things to do to take some of the tedious tasks off the incident response teams, the annual igss to focus on the bigger problems. So I think that's a big one. The other thing I would say is really trying to better couple our IT modernization with security efforts. We talk about how security isn't built in from the beginning. I would say the flip side is true, too. When our security engineers are building something, they aren't thinking about user experience either. That is not something they've been tasked to do. Coupling them, we have stronger solutions.

Absolutely.

Yeah. How do we qualify the risk and value the investment? Rather than looking at a particular AI tool or product or a specific supply chain solution or a crowdsourced penetration model, it was like, how can we better do the hard question of what was the value, the risk reduction?
A lot of our focus right now is, let's have those hard conversations to put a number, a value on it, so I can really look at the thousands of unsolicited emails I get every month from vendors to say which ones are giving us a return on investment. How do I look at replacing an infrastructure that's aging? Have the tools and the cloud necessary for monitoring? Really kind of revalidating the discussions to a qualitative approach and making better decisions regardless of the tool, the technology, the AI, the supply chain, for thought-out answers other than it's red and it's now less than red.

It was counterintuitive at first with a big technical focus and a technical career with what we had to do was scaling meant reaching out beyond the IT experts and cyber experts to people that it affected the mission, so we had to devote resources to upscaling them on the threats, and it's a vital part of getting the mission done even though they were not the IT team or not the cyber team. We had to devote ourselves to the legacy systems and that patience was such a weakness. It was a security problem that we could not tolerate. We want patience to understand the importance of cyber and IT, but full-on devotion of annihilation to the legacy systems was key.

Good morning. I would focus on two specific areas. One from a people perspective and sourcing new people into our business and provide them back to our customers and source them from a perspective of diversity of skills, build on Sean's point. Not just engineers and computer scientists but an analyst and an operator perspective, skill sets to leverage into that part of the business. The second part is leveraging diversity of geographic reach. So major on work centers where we have clusters of customers, but we have the ability to reach out both throughout the United States and globally as a provider, and we are finding better ways to utilize that talent back into the business.
The flip side is application of advanced technologies to take that diverse skill set and allow them to do more than just whatever their primary career field was. If they were an intel analyst, for example, that had nothing to do with cyber, how do you reapply them in the cyber field to give them the tools to convert their mind, the way they think, into usable capabilities to better the cyber posture defense of an organization?

Sounds like a growth and efficiency, but how do we measure that effectiveness? How do you know if you're more resistant to attack?

I think for us personally we are really focusing on how do we change our risk methodologies to capture that value literally in dollars and cents in terms of activity. So for example, crowdsourced pen testing. What is the value of those, what did we defer by finding the critical and high vulnerabilities that could be exploited on the internet? How can we bring that to a value statement versus 100,000 or 1 million on the next new tool versus subject matter experts to the table? The methodologies are there. We are very cautious because people worry that you have to have a perfect answer. People forget we are making decisions today. They're not always the most informed decision today, but we can make a slightly better decision today and we'll make a slightly better decision the next day, and if we are at least trying to, you know, have a meaningful conversation, change the way we are talking about risk and valuing these tools and options. You know, another example would be, you know, how are we valuing the return on investment for authorizing official training? Like, there are, there's a long history of measuring education outcomes. People in cyber, you know, suffer from the same problem that we other IT do. IT is like, we don't need to involve security. We'll do it at the end. We suffer the same thing. We decide to have authorizing official or end-user training.
Do we bring in the educators to come up with learning outcomes and objectives and how to measure it? There's a long history of that. So we suffer the same thing and it is really just thinking outside the box and saying, you know, we shouldn't fall into the same trap others do when they're talking about cyber. We need to bring the partners in now so when I train an authorizing official, we can actually measure: did they learn it? Could they apply it? And activities like that.

But things are much more dynamic now, too. Something you said I want to highlight is continuous. Right? It has to be continuous. I know John at DHS, we have the CDM program and they'll talk about that later in a panel this morning, but how, Rachel, I think you would be great to bring into this, too. How are we leveraging CDM for continuous monitoring and evolution of our risk analysis and what data's feeding that?

There is no equation for risk. I wish there was, that gave you a very clean answer. Some day. I'm going to wrap CDM into my answer. We have spent a lot of time over the last two years looking at our SOCs. We have 17 SOCs in DHS. Security operation centers. We started a long road here, crawl, walk, run strategy, and getting into the walk phase. And this involves three aspects. Looking at the tools or CDM. Looking at policies and procedures, and then the contract aspect. On the contract aspect, I gave it to the Secret Services to work out how we would move to a single contract for manning of our SOCs. Knock on wood we will have an RFP this fall. They have the job to figure out the DoD csc pmanual, squeeze out the DoD-centric things, and the objective to develop a program to inspect the SOC to bring them up to a standard, and did the first one this June. The Chandler SOC was passed. That's a big deal. We'll do TSA probably in December, jn. We are raising the bar.
To get to the last piece on tools, the CBP had the lead on tools and the plan is to leverage as much CDM as we can to bring into the SOCs, and the idea is not the same tools in DHS because some started on different paths. How do we integrate things and roll it up to a dashboard to give us the insight of what's happening? Further downstream we look at how do we consolidate. My objective is to take the enterprise SOC and move it into the CBP SOC and looking at alternatives to shrink the footprint.

As a major provider of CDM services, internally we try to drink our own champagne as best we can. On a continuous basis. The piece I would add to that on top of some of the metrics that Emery mentioned is the success of simulated intrusions on a regular basis. So when you're looking at how am I measuring the success of the things implemented, I'm monitoring, looking at trying to make best guesses around the metrics of risk. We should be evaluating what's the success of something coming in and making regular simulations a part of that strategy.

Right. Chris, you know, when you have this SOC training going on, how do you recommend we emulate the adversary?

So the best approach is to train as you fight. Fight as you train. Emulating from a threat emulation perspective, it needs to be laid into the SOC operations. Not an external outboard capability, so integrating the types of training exercises, similar to other military command and control systems. If you want to teach someone how to defend against a missile, you simulate the missiles in the system. You don't pull them out of the system and put them in a closed room and a synthetic environment and teach them how to defend themselves against missiles. So laying that training in and then emulation is correct.

And Sean, you know, as CIA I imagine you guys are like NSA, putting a lot of systems into denied areas.
How do you simulate that type of environment that's super malicious and make sure that your systems are remaining secure in such a threatening environment?

Well, one tremendous advantage in the new organization four years ago was that we had the teams that conduct the cyber mission and are monitoring and doing cyber intelligence reporting in the same team with the folks who are providing these remote systems, and so the first thing is to build an integrated team and really spend a lot of time on the way they exchange data. And we had red team and blue team, but got to be purple teaming. We measured how fast to go in identifying for any potential weakness in a very wide sea of systems, what it took to identify where it was and how we could get to it remotely, and changed what happened before we went to the field, and it changed also what happened in the field, and we deployed more of these folks overseas and very, very quickly the demand was send more, send more. So a big part of it was people and giving them the tools to integrate the data together. One thing that's not there yet is, despite all the progress on the monitoring tools, on the back end advanced analytics with an AI component that gives you more of a time advantage is an investment that we are trying to make and trying to find the best vendors for.

Our approach for artificial intelligence is close to Sean's need around the concept of providing decision aids. So if you're trying to make a decision about an action to take or trying to inform the development of a playbook, for instance, to automate a process, you need that artificial intelligence running underneath in the background to help prompt those users and/or upscale them from people not cyber experts to draw upon those skill bases. You reach a point where you need a human decision and feed supervised learning models can help evolve things.

Are you building that into your plan?
We are, but more broadly looking at AI and how to use different parts of it across the DHS organization. We have an interim information chief officer who works for me and the task is to develop a federated data strategy, how we implement some of this stuff, and it will touch the cyber side of the house and figure out what does a CDO office look like in DHS. What are the authorities and resources? We are working through the practical things of it as he had his first CDO council meeting, which is really important bringing together the pieces, and it is important and we spend time thinking about how we can bring better tools into the process that leverage the capabilities of AI to it. You raise a very good point about the human in the loop. Some point the human has to come in the loop because right now data is overwhelming the human.

Of course, of course. We're not able to fully automate everything. We can't ever take the human out of the loop, but one other thing to talk about is supply security, and this is a daunting task in defense systems with systems of systems. Think of the number of things in a fighter jet, for example. Emery, is this a solvable problem? Are we grasping at straws here?

I can't speak to fighter jets but I can talk about energy sector. I think there are answers that are evolving. For example, we just issued a supply chain as a service contract for the entire department to be looking at a lot of those vendors who are providing unique technologies in the energy sector, from power distribution, things like that. And there are solutions that are out there now to look and aggregate that information, look at the results in terms of something that's meaningful to the mission delivery. I think there is stuff out there. I don't think it's fully flushed out.
I think if you start looking at supply chain as only testing products you will never catch up and get done, but you can look at the reliability of the vendors, manufacturing processes, the risks that they introduce into the process. Their history and security over time to help influence and at least get a better understanding of what the risk posture is. Even though there might not be a definitive answer that this person is safe and that person is not.

Right. It would be nice if there's a definitive answer to the problem because there is and it's not possible for an organization to literally boil the ocean and get to that answer. What you put into the contracts, all those pieces that come to play so you can at least begin to comprehend what you're dealing with. What is your take? How are you making sure to deliver cyber hardened systems to federal customers?

My perspective is, in a world to strive for perfection for everything, everything becomes equally as important, and that's a dangerous place to be because you don't understand what's important. So from my perspective, it goes back to engineering 101. Engineering basics, and we have lost a lot of that along the way of shutting out as much capability. It's okay. It is in the container. Don't worry that that's exploitable. And so, we lose that. Right? You lose that essence of what pieces and parts of the system are more important than others and then where do I apply varying levels of security and risk management against the components. How do we make it scalable? It is identifying the things, the crown jewels to care 100 about and the things to accept more risk with, and then I think as part of the supply chain, our responsibility to look at the own supply chain and as rapid way as possible and offer up the solutions identified for leverage outsource services, evaluations and then bring it back to government.

A major part is typically cloud migration, too. Rebecca, what is your take?
What's a lesson learned on a secure cloud migration?

We went cloud first some time ago now and we were early adopters of Office 365 and a number of applications in addition to stuff in AWS and Azure. I would say in the same way we talked of earlier of security think about the experience of the user or the developer, in addition to the developer thinking about building in security, cloud became the same thing. A lot of early mistakes lifting and shifting what you had in on-prem data centers to the cloud, and that didn't work. We needed to be building to achieve the security benefits. So that's a big part of it. The other part of it was around governance. Folks wanted to be the ability to be aon the mouse and very rapidly build in the cloud. And so we needed to put measures in very quickly to say when you stand up an account, we now will automatically require these sets of things. From web application firewall to whatever it might be, and we'll automate putting those in place and then give you access to that account, but we had to take some time to dedicate around how we do build that so folks have the flexibility and the speed they needed to build what they needed for clients.

Super important, that governance. You mentioned ruthlessly, you know, shutting down legacy systems, but I imagine a lot of those things are in production and used every day, and so how do you do this migration while keeping the