And that they might have actually changed the outcome of the election. That would be a regretful conclusion to reach in many months so it would be good
C-SPAN3 is live with the acting director of cybersecurity, Brandon Wales.
And I want to thank Intel and Proofpoint for making this week's summit possible and helping organize these conversations and let us talk with a great and diverse set of speakers today, along with acknowledging Blue Vector, Cigma and the American Gas Association for their additional support. I'm here for the next 30 minutes with Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, for what I hope is going to be a fascinating conversation about the election, about the COVID pandemic, about the state of cybersecurity and infrastructure security and critical infrastructure across the country. Brandon, thanks so much for joining us today.
Garrett, thank you so much for the invitation. I am very happy to be here and talk about the important work that our agency is doing.
So let me, today is December 3rd. It is hard to believe that exactly a month ago, on November 3rd, we were sitting down as a country to watch the first election results roll in. It feels like we have, as a country, lived about 25 years in the last month. And I would imagine for you sitting at CISA it has actually felt somehow even longer than that. I wanted to start today by taking you back, actually, three weeks ago, on Thursday after the election, CISA put out a statement that I want to quote three lines from. "The November 3rd election was the most secure in American history. There's no evidence that any system deleted votes, lost votes, changed votes or was otherwise compromised. We know there were claims about the process of the election but we can assure you we have the utmost confidence in the security and integrity of our elections and you should too."
My question, Brandon, is we have seen a lot of claims, a lot of arguments, a lot of court cases over the three weeks since that statement came out. Is there any reason, in your mind, anything that you have seen, anything that you have read, anything that you have heard, that would cause you to change that statement today?
So I think the agency stands by the statement that was issued at the beginning of November. I want to add a little bit of context to that. So first of all, it was not a statement that CISA issued alone. It was a statement that was issued by the entire election security community. The people who have been working over the past three and a half years to improve the security of our election infrastructure, folks from the Election Assistance Commission, federal Election Assistance Commission, people who represent in a bipartisan way the secretaries of state, the state election directors, the private companies that provide the equipment for most of the elections. Secondly, a lot of claims out there have to do with election fraud, which is beyond the scope of the work we do here in CISA and the work we have been focused on building. Election fraud is the purview of the Department of Justice and state and local authorities that have the responsibility for investigating and prosecuting that. And the attorney general has been on record talking about his views on the scale of election fraud during the election while recognizing they're continuing to investigate potential claims of fraud. So as of right now we do not have any specific evidence of systems being compromised. But we continue to work with our state and local officials. If they have concerns we are one phone call away from helping them and assisting them, but I think there were times that our statement was misconstrued to say there were no problems with the election, it was fraud free, and that's just not the case.
We do believe that it was secure from external interference, which is our mandate, and we're proud of the work we did to get to that point.
So I want to stay with the election for a minute longer to talk a little bit about the Rumor Control website that CISA launched in the run-up to the election. Tell us a little bit about what the agency's goals and hopes were for that website and what lessons you feel like you have learned out of how that website has been used and the mission that it has fulfilled over the last couple of weeks.
Sure. So we originally put that website up in the weeks before the election. Partially in response to activity that we were seeing from the Iranian government associated with fraudulent, with spoofed voter intimidation emails. And we thought it was an important way for us to put out accurate information about the security of voting infrastructure that foreign adversaries were attempting to reduce, to undermine people's confidence in that voting infrastructure. And since that time we have continued to highlight key parts of the process and talk about the security and resilience measures that were either always in place within those systems or were put in place over the past three and a half years to give us greater confidence that these systems perform as expected. Now again, I think there is, we're putting out very broad information about how these systems normally operate, the safeguards in place, the laws that govern it, and providing information on where people can get more detailed information. Notice our Rumor Control website is not the same as fact checking done by media organizations, which tend to be extremely specific to claims made in specific locations and around that have unique circumstances. We're talking more broadly about the overall processes in place. The overall safeguards that are in place.
That continues to be, I think, important to educate the American public about how the systems work and why they should have confidence and why there should be a high bar for proving that the systems have been compromised.
Do you intend to keep the Rumor Control website going through the Georgia Senate election or is this something where this was a website targeted at the presidential, federal races and you see it now winding down?
So I, you know, what I've told our staff is that our election security mission, particularly associated with the Protect 2020 effort, will continue until all the elections are complete. We will keep issuing Rumor Control entries as we think the situation warrants it and where we can have an impact.
I'd be curious if you could talk with us about, this is the first election, presidential election that CISA has existed for. The agency turned two years old last month. I think it was on November 16th. Happy birthday. And I wonder, you know, as you look ahead now, what lessons do you take away from going through this presidential election? Both in terms of looking ahead to future elections and the election security mission, but then also what have you learned from the security efforts of this election that you can apply to the critical infrastructure role that CISA plays?
Sure. So I'm going to hit four areas and I'll try to do them quickly to get on to other topics for you. First is the degree of partnership that we were able to build in the election infrastructure community and the election administration community was incredible. Extremely broad relationships, extremely deep into counties and election vendors, and those relationships were essential in allowing us to execute a broad range of activities.
Second, we were able to dive into that sector, understand how it operated, decomposing it into critical functions, look inside of those functions and understood what system is more critical to the operation of those functions, and then that fed into our operational work to understand the vulnerabilities and apply enhanced application around those. I would say in the government we had information sharing that was second to none in my 15 years of working at the department. Information shared between intelligence, cybersecurity, the FBI with us. Early awareness allowed us to take quick action, get information, pass it back to our colleagues in the intelligence community for them to get additional information where they had insights and access. And that cycle allowed us to get ahead of threats. It allowed us to hunt for activity more quickly and allowed this to be intelligence driven, which it should have always been. Those are key lessons we are applying to our broader cybersecurity work and understanding how do we, in an area we may not have the amount of leadership, focus and attention like we did across the entire U.S. government, how do we continue to get as much progress made on our mission? And then the fourth is, and this is frankly an area we have to continue to work, and this has to do more broadly with disinformation. What is the appropriate role for the federal government in countering disinformation? Where can we be that trusted voice and where might we not be able to make a real difference, and how do we rely on other voices, empower the right people who can counter disinformation and misinformation that's being pushed out there?
I want to stay with that last point for a second. Because I think it's such an interesting question. One of the things that was, you know, unique and somewhat unexpected was the way that was a bit off this countering disinformation role. It was not something the U.S. government traditionally did in past elections.
Four years ago when we saw the Russian attack on the presidential election and the Internet Research Agency, there was no capability inside the federal government at all to combat disinformation. And I wonder, particularly around the question of, we are, you know, about to go from the, this very heated and fraught election information environment into, over the next couple of months, presumably a very heated and fraught information environment around the COVID vaccine and the efficacy and the effectiveness of the vaccine. Do you see CISA continuing to play a role in combatting disinformation and misinformation around the vaccine? And do you think the federal government should have something like a disinformation czar who has an interagency cross-cutting role to take on things like this in the public sphere?
So Garrett, I'd say a couple of points. First is, we, I think we rolled this out based upon things we were seeing out there. Like I said, partially in response to Iranian government activity. But we were taking some lessons from work that's done by others. For example, FEMA often has rumor control op during major disasters to dispel misinformation out there. They had fact versus myth, I think, related on to COVID early in the pandemic. That being said, broadly I think this is an issue for future leadership to look at. I don't think the U.S. government has yet cracked the code on the best way of countering disinformation, and I pointed out the federal government may, the federal government may not always be the best option, the right trusted voice on these kinds of challenging divisive issues. And certainly for CISA, I'm not sure that the cybersecurity agency is going to be a trusted voice when it comes to things like vaccine safety, and there are other people in the government who are better positioned to provide accurate information to the American public so that they have confidence in the decisions that are made to approve, for example, vaccines for public use.
CISA, though, does have, and you have been playing throughout this year, an active role in the security and insurance program of Operation Warp Speed. We've seen reporting just in the last 24 hours about foreign actors, North Korea and otherwise, attacking the intellectual property, the companies involved in vaccine development. What can you tell us about the threat that you are seeing online to the companies involved in the supply chains involved in the development of?
Sure. So it should be no surprise to people within the cybersecurity community that from the very beginning of the pandemic, foreign nations were targeting vaccine research and development efforts across this country using a variety of mechanisms to gather information. We are seeing that continue to this very day and it's one of the reasons why there is a close partnership between CISA, the NSA, the FBI with the Department of Defense and HHS leading Operation Warp Speed to provide as much support to the entities involved in that effort, and I think in part based upon what was released this morning by IBM that there is more that we need to do to push deeper and further into these supply chains, not just the big companies behind the vaccine, but the companies that are going to be essential to get this vaccine from manufacturing, through distribution, that last mile to the American people. So we're doing everything we can to raise awareness within that community, provide additional cybersecurity services deeper in that supply chain, and ultimately our goal is to secure that supply chain so that no effort by any foreign nation or other criminal organization has the possibility of disrupting this critical health care delivery.
How have the partnerships that you've been trying to develop through Operation Warp Speed changed your way of thinking about CISA's role in interfacing with critical infrastructure sectors?
I don't think it's changed how we think about our role.
I think it has certainly shown us that we need to have deeper relationships with inside critical sectors before the major incident happened. I think my, I think our biggest challenge early on during the COVID pandemic is that we were not able to as quickly as we wanted get the companies that we saw as highest risks, the facilities, hospitals, up on our cybersecurity services because we didn't have enough relationships in the right places. One of the things I've asked is we need to do a lot more stock taking about where our relationships are across all the critical infrastructure sectors because we don't know where the next issue is going to be that is going to require us to surge our efforts into that area, and do we have the right relationships at the right time for us to get our services being fully utilized. That's really been one of the key lessons that we've taken out of this process.
And that, by the way, is some of the same lesson effectively that CISA's predecessor learned out of the 2016 election, was that starting to try to push back against the Russian attack, DHS at that point didn't have the election-level relationships that it needed. So I wonder, this is obviously a hard thing to predict. But if you look at the failure of imagination that led DHS to relationship I didn't have the election relationship it needed, now the failure of imagination of realizing I didn't have the relationship from the health care sector that it needed. What are you thinking about in terms of where we might see something that we're not prepared for right now threat-wise? If you look across the nation at cyberthreats, infrastructure threats, what is the thing we're not prepared for next?
I don't know that I could give that answer. If I could predict the future major incident, then maybe we wouldn't have it. That being said, I think partly the challenge is that there was a big difference between elections and health care.
In elections, we had no relationship with the election community because it wasn't really on our sector framework and hadn't invested time and energy. Health care is a little bit different. It's been a sector since the beginning. We had relationships, but they weren't at the right level. We didn't have the right executive-level relationships to actually make a difference during one of those critical times. And so it's less about do we have no relationship in some of these critical areas, whether it's in the electric power space or critical manufacturing or elsewhere. It's, do we have the right relationships? Can we talk to the right decisionmaker if there's an issue like a pandemic and get them to authorize some action, to get them to authorize some partnership with the U.S. government quickly when we see a social problem. It's more thinking about, is the relationship that we have maybe to their SOC at a particular company, is that sufficient for what we may need to do and engage with that company in the future. We're seeing from COVID, when we're in a bad day, that one relationship is not sufficient and we need to have multiple levels and we need to do a lot more to engage with those companies and to build the depth and strength of those relationships so we can take action more quickly.
CISA is, I'm going to oversimplify a complex debate that's been playing out over the last couple of years. CISA is primarily what I would describe as a carrot agency. You don't have a lot of sticks that you're able to batter critical infrastructure sectors to do the things that you want them to be doing