Transcripts For CSPAN3 Fmr. Homeland Security Secretary Others On Cyber Attacks 20240708



director and richard morningstar chair for global security at the atlantic council global energy center. our discussion today will focus on cyber security and energy infrastructure. digital technology is spreading across the energy sector and will continue to do so as load delivery and storage increases. these technologies are crucial to realizing our key decarbonization goals. increased digitization creates more opportunities for cyber attacks. we saw that with the colonial pipeline issue in may. the clean energy transition will be much smoother and safer. this cooperation will be critical to ensuring a strong, nimble, and unified cyber defense. to discuss these issues today, we have a remarkable set of panelists as well as a keynote from former secretary of homeland security jeh johnson. but before we jump in i have a few reminders for our audience. first, you can follow us on twitter @acglobalenergy. we are on the record, currently live streaming on facebook, twitter, instagram, and c-span 1. those in the virtual audience can submit q and a questions through the virtual function on zoom. we will try to get through as many of these questions as we can. without further ado, jeh johnson for his keynote remarks. >> this is jeh johnson. i thank the atlantic council for the opportunity to speak to you today. the topic is the cyber security of our nation's energy infrastructure. on may 6th of this year, colonial pipeline was hit with a ransomware attack by the russian based group dark side. reportedly, dark side attacked colonial pipeline's billing system, not its operational technology. but as a precaution, for the first time in history, colonial shut down its entire pipeline which supplies 45% of all of the gasoline and jet fuel consumed on the east coast of the united states. this shutdown had an immediate, direct, and far-reaching impact on the day-to-day lives of the american people. 
shortages at gas stations popped up across alabama, florida, georgia, north and south carolina, and virginia. on may 11th of this year 71% of gas stations in charlotte, north carolina, ran out of fuel. on may 14th, 87% of gas stations in washington, d.c. went dry. gas prices shot up. panic buying and hoarding occurred. airports and airlines were affected. colonial pipeline paid the $5 million ransom. the pipeline was turned back on. but one ransomware attack at one company can have far-reaching effects across our nation and its people. it was as though one faucet leak in downtown caused faucets to run dry all the way to virginia. this wasn't the first cyber attack on energy infrastructure. and it won't be the last. in 2015, russian hackers attacked the power grid in ukraine, leaving 225,000 people in the dark. in 2012, saudi aramco was hit by a cyber attack, likely by the government of iran, which forced the then world's largest oil company to shut down 35,000 computers and go back to operating with typewriters and fax machines. in february 2021 a hacker infiltrated a water treatment plant in florida attempting to increase the water supply's sodium hydroxide to alarmingly dangerous levels. in 2021, a nation attempted a cyber attack on the port of houston, the largest container port on the gulf coast. the cyber threat to our energy infrastructure is real and growing. indeed, it's not just a threat. it's our current reality. for three years, i served as secretary of homeland security. as a new yorker who was present in manhattan on 9/11, and after four years as the senior legal official for the department of defense, i came to the job at dhs as secretary with a counter-terrorism bent. i told my staff at dhs that counter-terrorism needs to be the cornerstone of our mission. i soon learned that a building can have more than one cornerstone. and that cyber security needs to be another cornerstone mission for dhs. cyberspace is the new 21st century war zone. 
as reported by the "new york times" just a few days ago, the governments of iran and israel are actively engaged in covert cyber warfare right now. cyber attacks are replacing kinetic attacks. covert actors are replacing conventional state actors. u.s. cyber command now exists alongside the combatant commands of our nation's military. a cyber attack on our nation's energy sector or any other sector of critical infrastructure must be viewed as an attack on the nation itself warranting a national response. under u.s. law, critical infrastructure is defined as, quote, systems and assets, whether physical or virtual, so vital to the united states that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters, end quote. as declared by the department of homeland security, there are 18 critical infrastructure sectors in this country, including the defense industrial base, financial services, transportation, energy, water, and nuclear reactors. just before leaving office in january, 2017, i added election infrastructure to the list as a subsector of the government facilities sector. our government goes to the trouble of declaring these assets critical infrastructure for a reason. in the energy sector in particular assets of critical infrastructure are becoming increasingly interconnected and increasingly vulnerable to a cyber attack of widespread consequences. and just as every organ of the human body depends on a healthy heart all of the other sectors of critical infrastructure depend on the energy sector. to be sure, there are compelling reasons for the increasing interconnectivity of our energy sector. with climate change comes the need for renewable energy. with renewable energy, wind and solar power, efficient uses of fossil fuels, and smarter uses of electric grids comes the need for digitization and interconnectivity. 
as a result, the u.s. electricity grid is now referred to as, quote, the largest interconnected machine in the world, end quote. all this leads to cleaner uses of energy. but it need not mean trade-offs for our cyber security. with the recent passage of the new bipartisan infrastructure law, nearly $2 billion will be devoted to making our infrastructure more resilient against the impacts of cyber attacks. but there are other things we must do to strengthen the cyber security of the energy sector and other sectors of critical infrastructure in this country. first, and perhaps the easiest, least expensive, and most obtainable solution, a quick fix. continue to raise awareness about the threat of spear phishing. many of us know what spear phishing is, but many still fall prey to it. spear phishing occurs when a system user is lured into responding to an email from a bad cyber actor posing as a benign and familiar caller. and once the user answers the knock, opens the door, and lets the bad actor into the secure zone, the bad actor can pose as almost anyone for any purpose. to this day, many of the most devastating cyber attacks on our nation began by a simple act of spear phishing. this is preventable. raising the awareness about spear phishing among those who use a system can go a long way to dramatically reducing the success rate of this form of attack. more broadly, simply raising awareness about weak passwords or the value of two-factor authentication can prevent a large number of attacks that originate due to the lack of what we call cyber hygiene. second, achieve and ensure redundancy. whether it is the ability to count ballots or control a pipeline, redundancy is key. this is not a new concept. like the retention of paper ballots after an election some call for a backup manual control of power grids and pipelines. this may not be doable in all circumstances. 
the point is to have redundant systems that exist off the internet in the event the primary system is corrupted. or, at least, a contingency plan for how services are to be delivered if redundancy is not possible. third, congress should not give up on efforts to legislate certain minimum standards for cyber security in critical infrastructure. most of our nation's critical infrastructure is in the hands of the private sector. working with the private sector, the government ought to be able to develop basic, practical and implementable standards. the good news is that many large and sophisticated companies within critical infrastructure are far along in the cyber security of their own assets. others are not, including many new entrants to sectors of critical infrastructure. in 2012, congress tried but failed to legislate national minimum cyber security standards and even offered immunity from civil liability as a carrot. that effort failed. events since then provide further proof of the need for this, however. no one size fits all when it comes to cyber security standards for the different sectors of critical infrastructure. certain standards for certain sectors already exist by virtue of regulatory action. congress should empower regulators of each sector of critical infrastructure to do more. successive administrations, including the current one, have undertaken to regulate cyber security by executive action. this is no substitute for laws passed by congress. it is also common sense. by federal law we regulate aviation security, road safety, maritime, nuclear and chemical facilities. why not cyber security? the need is no less compelling. fourth, we must bolster mandatory reporting to the federal government of certain categories of cyber incidents within critical infrastructure. i am pleased to see that there are bipartisan efforts now to insert such a requirement in this year's national defense authorization act. 
tom fanning, chairman and ceo of southern company and a leader in calls for greater cyber security of the utility industry, has gone so far as to argue that the country needs, quote, a real-time view of the battlefields, end quote, that allows u.s. cyber command to monitor critical systems at the same moment and same time as the operators of those systems do. fifth, we must recognize that a cyber attack on a pipeline or a power grid can now cause as much physical damage and suffering as a natural disaster. the good news here is that the bipartisan infrastructure investment and jobs act signed into law by president biden in november creates a cyber response and recovery fund to be administered by the department of homeland security for this purpose. sixth, i join the many calls for the education, recruitment and retention of a cyber work force to meet the urgency of the current cyber threats. exchange programs between the public and private sectors should be encouraged. given the current threats we face, why not a national cyber security college or university for both civilians and military funded by the departments of defense and homeland security to exist alongside military academies, the national defense university, and the national war college? seventh, and finally, we must make it clear to the world that in the eyes of the united states, a cyber attack from overseas on our nation's critical infrastructure may rise to the level of an armed attack on the nation itself warranting a military response as the term military is now understood in the 21st century. in reaction to the terrorist attacks on 9/11, our government reshaped itself to go to war against terrorist organizations. we reshaped how we think of war. we recognized that warfare can be conducted against unconventional, non-state actors, and that conflict against non-state actors may not be limited to the boundaries of a particular nation. 
as i said before, cyberspace is the new 21st century war zone. covert state and non-state actors launch cyber attacks from overseas on our critical infrastructure that have the potential to cause death and destruction to the same extent and in the same manner as an air strike or a terrorist attack. in testimony before the house armed services committee in 2018, i said that a cyber attack which causes large-scale death or physical destruction can be considered an armed attack on the united states warranting a military response. the president has the constitutional authority to take military action to defend the nation so long as the action does not rise to the level of a war in scope and duration, which only congress can declare. under international law, the united states is authorized to act in self-defense if the host nation is unwilling or unable to address the threat itself. and under established principles of international laws of war, a military response to an attack should be proportionate. but it need not be in kind. the united states has offensive cyber capabilities that are second to none. they should serve as both a defense and a deterrent. i'm a recipient of the ronald reagan peace through strength award. like president reagan, i believe that peace and security is achieved through strength. in 2018, when i accepted the reagan award, i said this. peace is not the default. you have to work for it. peace is the goal toward which the human race must continually strive. but it is not the natural state of affairs across the globe. peace must be guarded and protected against the belligerent impulses of far too many on this planet. strength forges peace. and perceived weakness tempts aggression. thank you very much for listening. >> thank you so much, secretary johnson, for your remarks, for your time here today, your insight, and your service. 
you will be able to find a transcript of secretary johnson's remarks as delivered on the atlantic council website on our energy source blog at about 4:30. so in about ten minutes. we will put this in the chat, the link in the chat so you will be able to find that later. and right now, i will hand it over to your moderator today for our panel, andy bochman, who is a senior grid strategist in the national and homeland security directory in international labs and a senior fellow at the international council center. the floor is yours. >> thanks, i appreciate everyone in the audience for lending time and attention to this essential topic. it is great to be with you today. i want to thank secretary johnson for his remarks. he has been right at the forefront of the government response to the ever emerging cyber threat and his thinking certainly shapes all of ours as we do this critical work. let me begin by introducing our four phenomenal panelists. we are joined today by andrea brackett, vice president and chief information security officer at the tennessee valley authority. megan samford, vice president and chief product officer in the energy management of schneider electric. leo simonovich, vice president and global head of industrial, cyber and digital strategy at siemens energy. and thomas warrick, former deputy assistant secretary for counter-terrorism policy at the u.s. department of homeland security and non-resident senior fellow at the atlantic council. i just want to say a couple of words -- i am going to ask each of the panelists to say a few words, then we will dive into interactive q and a with each other, and then potentially what gets shipped in from the audience, too. i want to remark that we are in an area where we are pivoting both in the cyber realm and the climate realm from low frequency low impact events to high frequency high impact events. this year was just one hit after another. we don't have to go back very far. 
just before going into this weekend we learned that hellmann, hellmann worldwide, a giant german logistics company with a footprint in 173 companies was battling a cyber attack that was limiting its capabilities, so to speak. they are still working on that. we've seen news over the weekend if you are following cyber affairs at all of an attack called log4j on java elements and servers that has got everyone's attention, especially cloud providers. people are scrambling to contain the effects of that. with the atlantic council, we have been holding forth on ports and maritime security through papers and talks trying to think of another sector that intersects with energy that's just completely vital. and we mentioned hellmann being in logistics and the effects we are seeing in our ports these days from a variety of influences. two things secretary johnson said i think stand out for me at least as a pivot point into the discussions. one is his comment, his metaphor, every other organ in the human body requires a healthy heart. and so do all other sectors depend on the energy sector. sometimes we say the most critical of critical infrastructures. the second thing is his comment that says, this energy change that we are going through, energy transition, climate change is one of the factors, maybe becoming the main factor driving it. so that's why we have increased amounts of der, wind, solar, storage, and the digitization and interconnectivity that attends it, that enables it. you can't have that level of energy transition and new technology without it. there is the rub, isn't it? the more software we use, the more networking we use, the more we become dependent on these systems, the more we must be cyber secure, more cyber secure than we ever have been in the past. so at this juncture i would like to ask each of the panelists -- i will call you out by name just to keep it simple. 
give me -- give us about one minute about what you are working hardest on, what you care most about now, and then we will get into more semistructured q and a. please take it, andrea brackett. >> thank you, andy. hello, everyone, i'm andrea brackett. as andy introduced me. i lead a team of highly skilled cyber security professionals that are tasked with protecting and defending tennessee valley authority, which is an energy company. the crux of that is our ability to ensure that we have reliable power for the approximately 10 million people within our service territory. the things that i am working on and care most about at the moment is that increasing capability for our critical infrastructure, partnering with our industry and federal partners to make sure that we get the right focus on cyber security, as well as ensuring that that translates into our operational technology environments. that's been an area that lagged somewhat, especially when you look at the age of infrastructure and the on theation of a lack of different generating and transmission capabilities. so we are focused on making sure that we are doing the right things in all those environments. >> yeah, thanks very much. yeah, that general theme of o.t., operational technology, synonymously called industrial control system or cyber physical, that cyber awareness and capabilities have been lagging what we have seen in i.t. up to this point. that continues to be the case although things are starting to pick up. i think we can say that, too. an, andrea from tva. megan samford, from schneider, you are up. >> great, thanks so much, andy. thank you again to the atlantic council for inviting me here today with this group of panelists. as andy mentioned i'm megan samford for the energy management business of schneider electric. i am tasked with producing secure products and secure systems. 
that's where schneider electric plays a unique role in terms of cyber security as well as in terms of decarbonization efforts. i also have a few different roles outside of schneider electric. i am the co-chair of the department of homeland security control systems working group and also the chair of the international society of automation global cyber security alliance of which many of our viewers i am sure are members there. in my spare time i founded an effort called incident command system for industrial control systems which seeks to apply the initially recognized fema command system framework for use in organizing cyber security responses both in the private sector and the public sector in the hopes of getting the two to be able to work in a common and consistent framework together. and thank you again for having me today. >> if you can't tell, thanks, megan -- if you are at all involved in industrial control systems, cyber security, megan is everywhere, all the time, without exception. so thanks, megan, for our contributions. next up is going to be leo simonovich of siemens energy. >> thanks, andy, and thanks to the atlantic council for having me. hello, everyone. so, siemens energy is at the heart of the energy transition to help move the system towards a cleaner and more reliable, hopefully sort of to push and help solve -- in solving the climate change challenge that we have under way. at the core of that, of course, is digitization and software. we at se -- siemens energy are devoted to helping our customers detect and monitor their environment. cyber security begins with risk. that's step one, and understanding that exposure. so we work on technologies and solutions to help our customers get faster at detecting threats and hopefully stopping them along the way. >> thanks, leo. leo and i have been on several interesting panels and conversations over the last few months. i am sure you are about to hear more good stuff from him. 
last, and not least, thomas warrick. please. let's hear from you. >> yes, thanks, andy. i am tom warrick, i worked with secretary johnson at the department of homeland security as a senior official working on counter-terrorism and other threat issues. all of the threats that secretary johnson spoke to are certainly very real in my professional experience. i now head up here at the atlantic council the future of dhs project where we are looking at how the department of homeland security can respond to these challenges which are among some of the most serious that our country is currently facing. i am very much looking forward to today's discussion. >> tom, we are lucky to have you. and without further ado, as pledged, we will now dive into the interactive q and a portion here. it will be somewhat structured. i mean, i am going to pose a question or an issue, and then point it to one of the four panelists. after they have had their way with it, then invite the other panelists to dive in as they see fit. when we feel we have taken one to its fullest conclusion we will then hit the next one. we will see what we get to before we open it up to the audience. tom, don't go away. the first question is coming right at you. here we go, secretary johnson, your former colleague, began by pointing out $2 billion has been allocated in recently passed infrastructure laws to better secure and increase the cyber resilience of energy and other critical infrastructures. in your opinion, how important are infusions of more funds, be they from external sources external to, say, a utility, external sources like the usg, or from increased allowances from corporate budgets themselves, thus the company deciding that it wants to allocate a higher percentage of budget to combatting cyber threats? >> aligning policy and resources is one of our government's greatest challenges. the private sector has the same problem in terms of how it aligns resources against threats. 
and this is especially challenging in the area of security, where, in theory, every dollar in excess of what it takes to secure your systems could be thought of as money wasted. but in reality, the minute a company or a business falls short, as secretary johnson described, there is a nightmare of consequences that follow that not only damage systems. they damage reputations and indeed put the country's security at risk. one of the things that i learned in my experience working on national strategies is there are a lot of well written strategies. but key to success is often whether those strategies are adequately resourced. we are at one of those moments when it comes to cyber security in the infrastructure sector. we are really looking to try to understand how much will it take to provide security? and we are not just talking about small-scale hackers or, indeed, criminal gangs. we have to worry about what it would be like if, in the course of china trying to hypothetically invade the island of taiwan and strike out through cyber means at the united states to knock our military off line for a critical period. the kinds of things they would attack are no longer naval bases in the pacific only. they also include our cyber security systems. and to defend against a nation state adversary like china or russia isn't hypothetical. the example secretary johnson told us about israel and iran going at each other through cyber means is not speculative fiction. it's actually today's security reality. so the problem is that simply because we concede there are cyber threats, we know more resources are necessary. but it's hard to know exactly how much more. cisa, for example, the cyber security and energy security agency is currently about a $2 billion a year organization. and that money gets divided up between cyber security and cisa's other major mission of critical infrastructure protection. some of the democrats in the congress have talked about raising that by a small amount. 
at the other end, you have people like representative john katko saying cisa needs to be a $5 billion organization within five years. the situation comes down to not just that more is necessary, but how much more. then the final point i wanted to make, andy, is homeland security is an enterprise. it's not just one department alone that's responsible. secretary mayorkas and secretary johnson before him and other secretaries always thought of homeland security as something that has to be done through partners. in the case of cyber security of the energy sector it is dhs, the department of energy, the department of defense, state and local governments have a role, and especially the private sector. everyone needs to work together. and that can't just be a slogan. it can just be a phrase, whole of government, or whole of society that falls easily off the lips. what this really means is that strategies and resource decisions have to align. they have to mesh with each other. systems -- private security systems have to work closely with the government, which has access to classified information. it's absolutely vital in order to shape how money is spent and how actions can be taken at decisive moments. this is actually -- as secretary johnson said, this is actually a very new and very significant kind of challenge that we really have to see whether the united states, both publicly in the government and in the private sector, can rise in order to meet. but the idea that an adversary could try to strike us in cyber means and find themselves defeated is actually one of those things that shapes the future of nations and democracies like the united states. those moments are coming on an almost daily basis. at some point, they may rise to the level of something that will be decisive in the history of our country. 
and so i think it is one of those issues where determining the right level of resources will come down to being one of the most important considerations we are going to have as we look at cyber security of the energy sector. >> andy, if i may add -- >> sure. >> -- to what tom said. >> go ahead. >> look, i know there is debate about the number. is the number $2 billion? is it $5 billion? those are big numbers either way. but as tom said, what it's ultimately about is creating a multiplier effect. and that comes down to partnership between public and private, state and local. the team needs to work together. and this cannot be a one-time investment. we need -- this country is known for its innovation and for getting the private sector active to drive change, cascading that change to its smallest elements. and this is the task at hand. how do we enable and protect the weakest link and do that continuously as a measure of risk? we are -- the energy system is in transition. and we don't quite know what the destination is going to look like. but what we do know is we need to protect ourselves along the way to enable that larger promise. and so our take is that the investment needs to be continuous. and it needs to cascade itself down to all of its elements. and public/private enterprise cooperation is really key to that. >> thanks, leo. thanks very much. other panelists who want to weigh in? >> sure. i will jump in real quick. i think from the private sector side, we would love to see tax incentives for the private sector that enable those owners and operators to upgrade their fleets. if we talk about really critical infrastructures, you know, basically being at the front and center of our way of life, we have to consider industrial control systems to be the heart and lungs that power those critical infrastructure. and with that, when you talk about industrial control systems products, many of these products were built 20 or 30 years ago without security built in. 
we call this secure by design. so if we are able to essentially provide tax incentives to upgrade the fleet, we will achieve two things. we will achieve better use of the data that's coming off of these systems to get to decarbonization. and we will also have more cyber secure solutions out there. when you see companies reporting and being transparent about vulnerabilities and equipment, this is really a trailing metric because it gives us a good indication of the state of industrial control system security five or ten years ago. but newer products and systems are being built very intentionally following standards like iec 62443 with security built in. and that's really -- that's really going to make an impact today as well as an impact five years down the road. i often say in cyber security, we are trying to save the world ten years from now. >> the reference to the -- we can get into standards, but we won't do that too much. but the reference to this one, iec or isa 62443, a suite of security standards for many different types of sebastian, but products themselves, too, represents a sea change, we think, in the industry. ed, before we -- andrea before we switch you have something to say i see. >> i have something to add. tax incentives are wonderful things to add to that product to get into the systems that we use. also, we need to look out for the smaller entities. where those funds come for them are from rate payers. so incentivizing in multiple ways could be beneficial because, you know -- otherwise, we may be looking at certain parts and certain regions that have a different impact because of how they are funded and how their regulatory body allows that rate payer change to be translated. so multiple incentives would definitely be a plus for us to address this across the spectrum of different kinds of entities. >> thanks. money definitely is not the answer to all problems. 
but in this particular domain, following the money is one way of understanding who really understands the nature of the risk and who understands the most effective ways to start to tamp down on that risk. before i switch to the next question, i just want to pick up on tom using the term speculative fiction as if this is not just speculative fiction. but come back to speculative fiction for those folks who are, say, lay people in cyber security or for whom let's say white papers and power points don't quite hit home there is a book that i used effectively called ghost fleet written by peter singer and august cole. you can have people read something with a narrative could to it, nice characters and it will really get the centrality of our cyber risk home, both in weapon systems and in energy infrastructure. i hope that wasn't too much, but ghost fleet is a good read for getting up to speed if you are a newcomer. >> i endorse that because it gets you thinking about some of the problems and threats. then you have to realize that that actually is out of date. >> right. >> and let's look forward to august's next book for the next turn the screw on this. this is going to get worse unless we start taking this much more seriously. >> absolutely, tom. right on. question number two as time is fleeting, time is money. access controls. these are all things that are referenced by secretary johnson as we have said. so we are not just going off on our own direction. he's recommending access controls and other technology improvements. he references spear phishing, passwords, multifactor authentication, and more. megan, the microphone is yours to kick us off on this. >> sure. the secretary was absolutely correct in mentioning spear phishing. 
if we look at what the data tells us -- i am probably going to be off on the statistic but it is something like over 90% of attacks, the initial entry point is that spear phishing where an employee will receive an email and inevitably click the link. these threat actors in the various groups have gotten very intelligent. even to trained cyber security people at times these emails are very tricky. if your company has a feature that shows it is an external email coming in. awareness campaigns are the top down, from the ceo to hr, continue of this continual reminder to employees to be mindful of external emails, to look at the links within the emails and not to click on anything unless they are 100% sure of the source, that is a great first step. it takes a ton of risk directly off the table. secure backdrop, multifactor authentication, are all tools at our disposal that i encourage owners and operators should use. because it is going to chomp away at that risk. i would also say there are still what we would call table stakes items in product cyber security or operational technology security where we are seeing devices, hmis, human machine interfaces, devices that i refer to as beachhead products. they tell you a ton of information of what's going on in that environment, to include other devices that these products are directly connected to. if they are directly exposed to the internet, you can use a tool like shodan, you can go on line right now and find thousands of devices directly connected to the internet. i have been urging the u.s. department of homeland security and others to really crank up the gear on the awareness campaign when it comes to beachhead devices or products that that easily, you can bet the attacker can as well. >> that's excellent. a quick comment on shodan for those of you either who have never heard of it or you've heard of it but you can't really have a conception what it is. the simplest way to describe it to people, it's like google. 
you search for things except for it's not indexing web pages. it's indexing things, things that are directly, as megan says, connected to the internet, and they're visible which means they're not hidden behind a firewall or a vpn. you can see them. one other characteristic of things that aren't hidden behind those types of protections is they often have almost no security built in, as megan said insecure by design, and even worse, i'm not trying to alarm anybody, but some of these products do have passwords, but many of those passwords are visible online meaning you can find them. you can put in the product name. it will tell you what the default password is, and they often haven't been changed. so shodan is the center of a universe that you could use to help your company or your organizations you care about become better. if you don't use it and aren't even aware of it then the only people who are using it are adversaries. other panelists on this topic? >> please go ahead. >> so great point, most definitely. i think the other added benefit of that user awareness in training folks how to use security controls within your businesses, they take that home. that's -- you know, we've got to defend on many fronts and ensuring that folks are protecting their private lives, their social presence, all of those things that they can translate the same actions that they take at work to home, that's going to be another layer of defense across another part of our critical infrastructure and protection of people's identities and personal finances. >> thanks, andrea. >> and just to add to what megan and andrea said, why are we talking about table stakes when we just established that the threat environment is changing, that it's becoming ever present. 
it has high consequences because there's a vast environment, legacy assets that are decades old that need to be protected, and yet, there's not a clear funding model to encourage the adoption of those table stakes especially around small and medium operators. and you know, there's something like 3,000 utilities in the united states. most of them fall into that small and medium category. they're not large utilities like tennessee authority, which is leading the way on security. it's our task to figure out how to lift that middle and provide some very concrete action to encourage adoption of those table stakes so we can get to that next level of maturity, and can close the gap between us and the others. >> right on. are you okay with me moving on? >> yeah, let's go on to the next subject. >> fine. just before i say that next subject, leo referenced the 3,500 electric utilities in the united states, some very large, some really small. it probably is good for folks to also know, since we're talking not just about energy but critical infrastructure, that there are approximately 50,000 water utilities, and some of them are microscopic, and yet, due to the highly interdependent nature of energy and water, those things need to be secure too, and that rose not national -- or heightened national awareness recently with the incident at the oldsmar water facility in florida, a place almost no one had ever heard of before, but improperly configured. you rattled off a list of different types of technologies that are helpful, including secure remote access, but they're only helpful if they're configured and maintained properly. lots of people know how to buy products and feel like they've checked the box, but if they're not installed and configured and maintained, it's almost a false sense of security, isn't it? so that's my word on this. 
the secretary mentioned redundancy, and this is the whole idea if your systems that you count on, that you become dependent on, if for some reason you lose confidence in them, you think maybe you're not the only one using them for some reason or they stop operating completely, have you prepared for that in advance? have you put in a plan b and in your policy and procedures? have you practiced it, not just in some dusty notebook somewhere or some file in some directory, but have you practiced for the black cloud, black sky day backups, backups that are inconveniently stored so that not only do you have to work hard to reach them but so would a ransomware group, that way they could be there for you in case you needed them. switching to manual operation, i thought it was smart that secretary johnson said it's not possible in every circumstance and certainly in electric it's often not possible, but to the extent it's somewhat possible, it's definitely worth pursuing. are those who provide the most essential services to the nation exploring these strategies as vigorously as you or we would hope? and in the energy sector, are these things even possible? i point this question first to you, andrea. >> and as you said in some cases it may not be possible, but this is something that is of importance. one of the things that helps with our planning and being able to be resilient and have that redundancy is the fact that we have lots of natural disasters. and as we talked about cyber have physical effect, we look at those plans as interchangeable. how do we translate what would happen in a physical, natural disaster, how do we take some of those same sort of circumstances and translate it over to the cyberworld, and as evidenced this weekend with the natural disaster that went through part of our territory, you know, we had to enact some of our technologies to asocial security with this. 
and exactly as you're saying, that practicing and exercising our ability to take action in those circumstances and have a backup capability so that we can restore power as quickly as possible and maintain it on other parts of the grid in a reliable way. that's something that we do practice and i think that that's going to become even more important that we factor in that multifaceted type of whether it's attack, natural disaster event, things can happen all at the same time as we saw this weekend with a zero day that was of critical importance at the same time that we're making sure that the power is staying on and that we're descending upon environments to make sure that our local power companies have what they need to continue to provide to their local territories. >> thank you. that zero day you're referencing was the log4j thing that we mentioned earlier. yes, that has people -- people in certain positions really on the move right now. we heard southern companies ceo, tom fanning reference earlier along the lines of andrea's comments around practicing and redundancy, florida power and light's ceo saying once when he testified before congress, he said -- and it's related to weather, right? he's in florida, so that can handle disruption. we handle disruption all the time because of the never ending flow of hurricanes down in that area, right? but what i can't handle is destruction. destruction of long lead time to replace capital equipment, right? and so he's talking not just about cyber attacks, cyber crimes, cyber espionage, but cyber sabotage. that's one thing we're all on guard against, especially when secretary johnson is referencing nation state implications and warfare. any of the other three panelists want to weigh in on the comments in this field of redundancies and plan b's and things like that. >> happy to. look, i think resiliency is the name of the game. the definition of resiliency is changing as we become more connected. 
cyber and physical worlds are converging, and commands that are sent in the digital world have real world consequences and multiple factors, whether it's natural disasters, flood, cyberattacks converge all at the same time. the question is what do operators do about that? we established first and foremost that public, private partnerships are important. why? because of information sharing and the ability to get to detection faster. the second reason it's important is because of mutual aid, an ability to come together and respond. if you are an operator out there and you don't have a phone number for your major oem supplier, you don't know how to call, that's a problem because it's not a question of if. it's a question of when there's going to be a cyber attack in your environment. so as we sort of look at all of that and we think about building resiliency, that's all about practicing scenarios including attacks against operational technology, attacks like colonial unfortunately are going to become more frequent, and so we need to figure out how to isolate, how to detect, how to isolate, and how to recover faster, and that's the name of the game. >> i liked your comment about having your supplier, your most important suppliers' phone numbers and contacts on speed dial and having already developed a rapport with folks so that when the day comes, as you said it will come, you're not -- you're not saying who are those people again, and who do we call? i advise folks to also be in touch with in terms of public private partnership, their local fbi office. i've been talking to the folks here in milwaukee and getting a feel for to what extent they are already in good communication with folks who one day may need to lean or lean hard on them. it seems like that's happening here. i don't know, it probably varies depending on which part of the country you're in. have those numbers ready and having those relationships already built is the general direction. 
anyone else on resilience redundancy plans b, et cetera. >> i'm going to tie together what you just said and what our topic was at the outset about resources because you also need to have your cisa rep on speed dial as well to be able to deal with emergency situations, something crazy is going on in your network, and you need to know right away how much of the company do you have to take down, and you're absolutely right. this is one of the hallmarks of the future of dhs report where we said homeland security needs to get itself resourced to the level that people know whom to reach out to, and they're not exchanging business cards for the first time when the crisis started. you have to know and trust who your cisa rep is, who your law enforcement reps are, have an idea of who you need to call in those first few minutes of a cyber crisis, precisely because that can shape the response and thereby save companies untold amounts of money and damage to public reputation. on the other hand, that also means that cisa has to have the people who can answer the phone when that call comes in, and they have to be regional. they have to be in touch with the customers they serve, meaning the public, and it really is going to be necessary for cisa and other parts of the government to ramp up the number of personnel that are necessary. we think of fire protection as almost a right that every citizen of a city or even a small town ought to have access to. and yet, we don't quite think of cybersecurity in that way. it's time -- as secretary johnson said, it's time we should start thinking about this as something that is an important part of what government should be doing and that we resource it and make sure that it is accountable to us, we the people for doing the things that government actually could be very good at doing if it has the resources to do the job. 
and then we need to do the same thing with private businesses and with corporate boards and with our local officials and hold them accountable if they succeed or if they fail is something that the public can help influence. >> greatly appreciate you weighing in that way, tom. tom referenced for the studio audience that cisa representatives, i think they often go by the designation protective security agents, psas in your local area. all psas are not created equal. some have hit the ground running with significant experience already. some are more i.t. oriented. some are more o.t. oriented. we could use more of the latter going forward, but that's the three letter acronym among many that you're fishing for looking for your local person in your region, et cetera. without further delay, i'm going to move to -- we do have some good questions coming in. i'm going to try to save good time for that. let's do the united states government imposed standards question from our pre-existing list. let's touch on that next. i just want to say this part first, for a long time now, at least a decade, we've had a thing called the critical infrastructure protection standards. these -- there's several things that led to the origin of these. these are for the bulk electric system. you could also call that the higher voltage part of the north american grid. they owe their origin partly to 9/11, partly to a great blackout that happened, great as in very bad blackout that happened in 2003. and our own understanding with some work done by my colleague mike asante in the wake of 9/11 that if you wanted to really mess with the united states, one fantastic way to do it would be by attacking the electric grid, the people who run it because cybersecurity was not super strong at the time they were investigating that. while it's become much stronger, the question of how much money and how secure is secure enough will always be an open question. 
but the critical infrastructure and protection standards, which are mandatory and have fines attached to them, have created a floor below which you are penalized if you fall below and your utility provides important services to the grid. there is another subsector that is regulated with mandatory security guidelines, rules. that's the nuclear energy sector and they run the regulatory commission at nrc. if you get too far away from those, things start to get a lot fuzzier. i testified a couple of years ago to the senate energy -- i'm going to forget what the name of the panel is -- enr, energy and natural resources. and to my side was the head of the american gas association, and also to his side was the head of nerc. they were both being asked about pipelines, how secure are pipelines? do we need to do anything with you guys like we do with the electric grid? and both of them kind of changed the subject quickly, and said everything's fine. it's come to pass that it looks like things are in motion now, and before too long, define that as you will, we may see things that are more mandatory, whether it's through tsa or other parts of government on other sectors, and we're looking at pipeline and water i'd say next. we'll see what happens. anyway, that's enough of an intro for sure. leo, you seem like you have agreed to take this on. let me read this aloud. we have mandatory pipeline requirements in the nuclear. beyond that, things are pretty loose. there has been movement in pipelines and water of late. the wheels are in motion for more it seems. what's your take on the -- these are the two words i wanted to hit -- on the efficacy and the efficiency of this approach for securing our most critical infrastructures? >> thanks, andy, the hard question. can i just say i love standards? but jokes aside, the cycle that we're in is that when a major attack happens, there's focus from the legislative branch and the executive branch to do something. 
but fundamentally, that's a knee jerk reaction. it also tends to be prescriptive. tends to be rapid and it tends to address the by-product at the time. but we need to get more proactive. it doesn't mean it doesn't have a place, and in fact, the standard, the power utility standard that you referenced, has had a lot of benefit for a lot of different operators because it's given them a road map. >> by the way, it also helps you get a budget -- it helps you make the budget case and win it to your cfo or ceo. >> yes. in a very bounded sort of way, right? then the question is, are we really funding and standing up cybersecurity programs based on risk? so we've got to figure out how to put cybersecurity as the core competitive advantage for a lot of these utilities and digital companies. to do that we need to take risk-based approaches. so i talked about the private sector innovation and uptick. the government has an important role to play, but regulation is not the only role. we'll see more of it, for sure, because attacks are happening, and many of the critical infrastructure sectors are not regulated. but what we need to see even more of is the platforms that enable public and private to come together. that is the theme of the day, and the funding models that are transparent, that has user-based approaches, and that enable flexibility for operators and how they invest in their programs. because everybody is in a different maturity code. yes, i love standards. they're important. there's so much more to do. >> a standard approach to cybersecurity from leo. andrea, tom, megan, your take. >> i will jump in. i would say i wouldn't necessarily be opposed to prescription. prescription can be good, especially for the smaller and medium-sized owners and operators that you were referencing, andy. however, i always get a little bit leery of standards that may just address one segment or one industry, and i'll tell you why. 
because supply chains are so interdependent and the companies that make the products are international companies. i can't think of a company that, you know, just operates within the united states. and so if you look at it from the supplier standpoint, the owner/operator standpoint, and oh, let's not forget the integrator standpoint that people in many cases are hopefully securely deploys the equipment, we can make secure systems and products, but if the products and systems are not deployed and configured securely, that thwarts our efforts altogether. you have to want a standard that is truly horizontal. horizontal, and i mentioned that, and everybody is probably like, there's megan again on her 62443 rant, but it's been announced as a standard. it's been endorsed by the united nations, i think we'll see it referenced in more places, but it's good because it creates a common understanding and expectation between a supplier, the integrator, and the asset owner. you're securing the entire ecosystem and supply chain all the way through to supply chain requirements using the same baseline of standards that, you know, folks have been working on for the past 10 or 15 years. so i think we have some good standards. they map very well together, and in many cases, i think it's a mapping exercise of probably 50 to 70 what i call common controls that these standards are trying to address. when we get to the heart of addressing these common controls through those three layers i talked about in the ecosystem, i think that's where we could see some real productivity. >> just to disambiguate, we're talking about the power standards for the power system, and then industry standards that sort of go up organically. i was almost saying magically, let's just say at least organically, they're not mandatory. 
but it comes to pass, thanks to the hard ground work of folks like megan and others that people see the mutual benefits, the folks in the product companies can build a product to that specification, market it according to that specification, have it checked on by people like at the idaho national lab to verify that it really does what it says it was going to do, and then folks like andrea can say next time we modernize a substation, for example, we're going to require only products that conform to whatever the appropriate subset of 62443 so everybody can do a handshake and speak the same language. and nobody is holding a gun to their head. it's to the mutual benefit of everybody, economically and security-wise. how do you like that? okay. let's do that. let's have some government standards that are appropriate and certainly some industry standards as much as possible. >> and let's not forget risk-based approaches, andy. >> and always start with risk. there is something like the bowling league scheduling calendar, i always pick on that application. that's not the place to start. sorry all people who are deeply invested in bowling. there are other things that must be protected first before that. i tell you what, we're at a point -- i'm pausing for a second -- okay. we're at a point where i'm going to read out loud to our panelists a couple good questions so far. and let's see how they take them. this may end up exhausting the rest of the time to the bottom of the hour, or i have some things up my sleeve in case they don't. i've been speaking with folks at atlantic council in the last few months is related to the field of cyber insurance. cyber insurance. seems like a good idea. we can't protect everything so insure what you can't protect. what do we call it? transfer the risk. then you don't have to worry about that part, you can just worry about the other parts. however, cyber insurance has never really become what i think people thought it could. 
it's been around in some form or fashion for 20 years. of the global insurance market, which is around $5 trillion, cyber insurance these days, the market is about $5 billion. for you and me, i assume $5 billion is a lot of money in our household budget, but in the global insurance market, it's nothing. and there's a lot of folks on both sides of the table that wish it was a healthier product, that it did more. almost like i'm thinking. 62443 standards. would make more people happy. so ransomware has sort of called out an achilles heel of the way cyber insurance has worked these days. the automatic payments seems to have only emboldened the ransomware attackers, and it means that the end users have to figure something else out because whatever little coverage they had before with whatever exclusions they had before, it's all in motion right now. and we'll see it play out, and maybe you'll see a talk on the atlantic council to try to further educate folks on what's possible in that space. the question, though, and i'll be massacring it, goes like this. the insurance company is carrying a growing risk in cyber, policy and d and o, director and office policies. can we use this risk to incentivize good decision-making in investments in cyber protections on the front end for critical infrastructure owners? again, can we use this risk to incentivize good behavior basically for critical infrastructure owners? who feels like that topic is one they just must weigh in on immediately? who of the four panelists feels like this is one they want to weigh in? >> want to go first, tom? >> the point that occurs to me, andy, this is one where if i were an executive in an insurance company, i would want to price my product based on my scrutiny of how well the company was doing at managing risk. 
insurance is all about understanding risk and, indeed, certainly in areas like maritime and casualty insurance, they have a much better sense of the risks of things like climate change than the general public does. similarly, health insurance companies know enormously, well, how valuable it is when their policyholders are vaccinated against covid-19 and other diseases for which vaccines are extremely effective. what we're going to need here is for these insurance companies, frankly, in order to stay in business and make a profit to their shareholders, to really understand how to analyze risk critically. and so when you have experts like richard clark and rob penache saying it needs to be at least 8% of your i.t. budget or you're at greater risk, that's a great place to start. companies that don't spend enough and don't do things the right way, that don't have the kind of employee education programs that secretary johnson was alluding to, they need to have their cybersecurity insurance premiums jacked up considerably simply because they are bearing risks that more prudent, well-managed companies simply don't have to share. so i think the key is going to be the kind of business-enforced investigations that insurance companies are actually getting pretty good at over the past 300 years, and i think we need to see that in cybersecurity as well. i think the day of open ended policies where insurers bear cyber risk, i would imagine those are now long in the past. and i think it's going to take some informed decision making by insurance companies to make sure their products are priced fairly and that just as smokers bear higher insurance rates for health insurance, people -- companies who do the equivalent in cybersecurity of, you know, smoking are going to end up needing to pay a lot more in order to be protected. >> sure. sure. right on, insurance companies, reinsurers, they're in the business of predicting the future. 
and to the extent that they predict it accurately and set their products accordingly, they can make a reasonable or even a greater than reasonable amount of money with a finite measurable amount of risk. it's the extent they can't predict the future accurately by understanding, modifying the risks to their customers, they put themselves in peril. they put the business in peril, anyway. and so that's the game that's playing out in that space right now. other panelists? >> sure. i think -- and i echo everything and agree with what tom just said. and i think at the heart of it is that we're seeing this play out where insurance companies, their business model is based on finely calibrated models of risk, okay? when you have traditional natural disasters like andrea was referencing earlier, we have centuries of historic data to calculate the likelihood of a hurricane striking a building at a particular time. we have those risk models. cybersecurity is not treated nor studied yet as a formal disaster discipline. i actually started my career out initially as an emergency manager, so i have a different perspective i bring to the table, but to the extent that we can especially -- and i'll bring this up as well -- incident reporting and studying when cyber incidents happen, why they happen, who was behind it, the cause of it, just like we study natural disasters, just like university of chicago has the war inedition, -- index, there are scientists that are able to study with the best minds with free data across the world. we don't have that benefit in cyber, and that's why no one feels really confident on the calibration of the risk models. >> do you think we're getting it? you're calling out that we don't have it, as others have. are we, therefore, actively building tables that will then inform these better policies? >> i mean, no. this goes to the point that secretary johnson made. this is why mandatory reporting is going to be important. 
megan gave some good examples, but in my mind the better example is airplane crashes. you are required to cooperate with the government national transportation safety board in a major airplane crash. the same thing needs to be mandated, and congress has started to make some steps in this direction, but the time now is to make this mandatory, and to make this an expected part of any cybersecurity incident. while it may be painful, and frankly, embarrassing for the companies that, in effect, were caught with their pants down, i think we need to take the societal view that this is actually what it's going to take to defend the united states from attacks by criminal organizations and by hospital -- hostile nation states that are intent on doing us harm. if being embarrassed, you know, is something that it takes, then pretty much you have to sort of accept that for the good of the country. and then value yourself and your shareholders and never let it happen again. >> i like the way you tied one of secretary johnson's, you know, top recommendations and mandatory reporting into the conversation in a way that really would behoove the cyber insurance industry. i'm not sure if those things are linked in everybody's minds, but you can see how that could play out, if you could have some confidence that most of the successful -- you know, there is attacks where somebody is trying to do something, and then there is successful attacks where damage is caused in some form. and capturing that information really could help build the types of historical knowledge from which better products -- risk could be better understood and better products could be derived. and i think when that happens, people as we said on both sides of the table will be happier. it could be a much bigger business on the insurance side, and folks that transfer the risk could do it with more confidence. it wouldn't be exclusions that would ultimately turn it into a feeding frenzy for attorneys. 
that's mainly what's happening now because of the way the language works. i have another audience question. okay. it goes like this. on planning exercises, planning flash exercises, how can real world exercises, for example, d.o.d.'s black start exercises, that's a grid comment, assist with increasing awareness of cyberthreats and the need for practicing response plans? i think of grid x, run recently and run i think it is sixth or seventh iteration, but just generally speaking. you can point to the actual concrete one, how do real world exercises assist with increasing awareness of cyber threats and preparation in response? andrea, your face flashed in front of the screen. does that mean that it's you? >> i would be more than happy to talk about this one. i think that the more realistic that we can conduct our practices and exercises, whether it's internally to our companies or in forums with our energy partners, our suppliers, the better capability we build. but then that muscle, that muscle memory around how we respond to events, but something that we take in consideration, we're definitely participants in grid x and we've participated in other energy-sector-related events, but internally we take a look at what happened with colonial? what happened with -- the things we see, either that's publicly known or shared within federal space or industry, and then translate that to something that we try out ourselves. so most definitely feel like that is, for us, a best practice to translate what we're seeing to make sure that we thought through and are learning from the lessons of others. >> you said i think one of the first words you used if i heard correctly was realistic? you try to practice and exercise in as close to a realistic environment as you can without causing trouble for your customers? >> correct. i think another part of that is the use of folks that come in and test your capabilities. 
so not only exercising in a controlled format but having folks do things like penetration testing to your environment. do your incident responders detect that? is your capability such that you can see what would be happening to you and how you would respond? those types of exercises are highly beneficial to ensure you have the right types of technical and process controls in place to respond to actual realistic events. >> okay, great. thank you very much. other panelists? >> to pick up on his point, it's really about involving an organization in the exercise. in the real incident, especially around operational technologies, you're going to have folks that run the plants. you're going to have executives involved, ceos who are going to have to make the calls, right, on whether to pay ransom or not. recent example, right? and also the security team in the know in various forms. so when do these type of tabletop exercises -- getting executives to not only understand the risk but also their role is important. making it as real as it gets is also important. but sometimes it's really about looking at the set of effects. so it starts with something that is unknown, something out there. maybe it's a malfunction. it could be a cyberattack that starts in the physical world, and then quickly, especially if it's an insider threat, cascades out to the digital world. it's really important to start with variables that are sometimes we would consider to be black swan or unusual. and lastly, i would say, doing it in a way that's based on your ability to monitor and detect, which is the tip of the spear around exercising that muscle memory that andrea talked about. >> that's great. i just want to make a quick comment on gridex again for those of you unfamiliar or semifamiliar with it. i was involved in the first few of them, and it's a partial exercise. 
it's played out by facilities throughout the continent and it's a two-day exercise that simulates a threat actor, attacks with various effects and you get to practice like leo and andrea are saying. i noticed that there's a second part which happens on the second day called the executive tabletop. the ones that i was at recently as a fly on the wall was the people that were there were seniors from dhs and d.o.e. and fema for a response. sometimes there would be a dod rep. the utilities were represented by trade groups like eni and nca, sorry for those letters. tom fanning would always be there as the fearless charismatic leader on that side of the table, and i just remember them over the years they tried to broaden. they'd bring in folks at the state level and the national guard. they'd recognize that there are cross sector interdependencies so maybe they'll bring in somebody. i was always thinking to leo's point, really the attacks are on the o.t. systems. there's probably going to be significant damage and disruption, deception on the operational technology systems. who built them? who knows them best? well, the users of them, andrea and her folks may know it from the user perspective, and they know them pretty freaking well, but nobody knows them better than the people who build them. and they can't be at the table. i think the reason, correct me if i'm wrong, megan and leo or anybody, tom too, is that as you said, they're all international companies. they all have offices and executives all over the map and the products actually -- it's impossible to build any product in anything these days that doesn't have some software from it from different countries, et cetera. i think that's why suppliers were excluded, but man, i wish there was a way to do it. and maybe i'm out of date. maybe there are seats at the table for suppliers now, because that would just be an essential voice, from my opinion. 
>> i think in the past i am aware, if i am remembering the correct tabletop exercise, that they're invited in as observers to the exercise. but i don't think that the point of the exercise is to exercise specific objectives tied to the restoration of the grid. and so i believe that they're really focusing on the asset owner's direct relationship with the government and that communication channel. but i believe suppliers have been invited in as observers, but they were not the intent of the exercise. but rounding off on the exercise topic, because i love tabletop exercises because i love incident responses, i don't see tabletop exercises used in like their purest form. i see them used in many cases to educate participants on the response plan, to educate the executives on the response plan rather than actually testing the response plan, right, because you want to run the tabletop to fail the tabletop because you want to run such a hard exercise that you identify the key gaps in your response plan that you want to go back and fix after action. to all of you out there, don't be afraid to run a hard tabletop exercise. don't be afraid of failing in front of your leadership. that's actually the goal, is to fail. >> so you're saying if someone was crying during the exercise, that would be a positive indicator, not a negative indicator, in terms of the efficacy of the exercise? >> as long as it tied back to the response plan. >> right. it wasn't their personal life intruding on them in a time of stress. yeah, completely agree with that. i think we're close enough -- any final comments? wonderful panelists, before i bring it down the final home stretch here. it was fantastic from my point of view. how did it strike you? >> great conversation. i really appreciate the opportunity to be part of this conversation with this panel today. >> good luck with everything in your region, andrea. following that incredible wave of tornados. 
all right, i will take that silence as affirmation that you got your points across, you felt like you had fair air time and that you pretty much are ready to move on to the next thing in your life, so here we go. unfortunately our time together today is coming to a close. does it seem like i'm reading from a script? thank you, everyone, for tuning in today, and thank you to secretary johnson and all of our panelists for their time and insight. i would also like to thank everyone who helped put this event together including my friend will loomis, will loomis, andy governor, aman coughlin and jacqueline starman. if you'd like to rewatch this event, a replay will be available on the atlantic council facebook, youtube, and twitter accounts. we encourage you to share with colleagues and friends all of those things. thanks for now. thanks for joining us. have a great rest of the week, and if we don't talk again till then, have great holidays, too. thanks again.