Transcripts For CSPAN3 Fmr. Homeland Security Secretary Others On Cyber Attacks 20240708

commendable, and unified cyber defense. to discuss these issues today, we have a remarkable set of panelists as well as a keynote from former secretary of homeland security jeh johnson. before we jump in, i have a few reminders for the audience. you can follow us on twitter and use #acenergy. we are currently livestreaming on youtube, twitter, facebook, and c-span1. we encourage you to share and post what you hear today. members of the virtual audience can submit questions via zoom and we will try to get to as many of them as we can. i would like to give the floor to secretary jeh johnson, former secretary of homeland security, for his keynote remarks. jeh: this is jeh johnson. i thank the atlantic council for the opportunity to speak to you today on the topic of cybersecurity and energy infrastructure. on may 6 of this year, colonial pipeline was hit with a ransomware attack by the russian-based group darkside. reportedly darkside attacked the billing system, not the operational technology, but as a precaution, for the first time in history, colonial shut down its entire pipeline, which supplies 45% of all of the gasoline and jet fuel consumed on the east coast of the united states. this shutdown had an immediate, direct, and far-reaching impact on the day-to-day lives of the american people. shortages at gas stations popped up across alabama, florida, georgia, north and south carolina, and virginia. on may 11 of this year, 71% of gas stations in charlotte, north carolina, had run out of fuel. on may 14, 87% of gas stations in washington, d.c., went dry. gas prices shot up, and panic buying and hoarding occurred. airports and airlines were affected. colonial pipeline paid a $5 million ransom. the pipeline was turned back on. but one ransomware attack directed at one company had far-reaching consequences for our nation, its people, and its national security.
it was as if one water main break in downtown houston, texas, caused kitchen faucets to run dry in arlington, virginia, or if a single pothole on the runway in the atlanta airport delayed every single commercial flight in the southeastern united states. this wasn't the first cyberattack on energy infrastructure, and it won't be the last. in 2015, russian hackers attacked the power grid in ukraine, leaving 225,000 people in the dark. in 2012, saudi aramco was hit by a cyberattack by the government of iran, which forced the world's largest oil company to shut down 35,000 computers and go back to operating with typewriters and fax machines. in february 2021, a hacker infiltrated a water treatment plant in florida, attempting to increase the water supply's sodium hydroxide to alarmingly dangerous levels. in august 2021, a nation-state attempted a cyberattack on the port of houston, the largest container port on the gulf coast. the cyber threat to our energy infrastructure is real and growing. indeed, it is not just a threat. it is our current reality. for three years i served as secretary. as a new yorker who was present in manhattan on 9/11, and after four years as the senior legal official for the department of defense, i came to the job at dhs as secretary with a counterterrorism bent. i told my staff that counterterrorism needs to be the cornerstone of our mission. i soon learned that the building can have more than one cornerstone, and that cybersecurity needs to be another cornerstone mission for dhs. cyberspace is the new 21st-century war zone. as reported by "the new york times" a few days ago, the governments of iran and israel are engaged in covert cyber warfare right now. cyberattacks are replacing kinetic attacks. covert actors are replacing conventional state actors. u.s. cyber command exists alongside the combatant commands of our nation's military.
a cyberattack on our nation's energy sector or any other sector of critical infrastructure must be viewed as an attack on the nation itself, warranting a national response. under u.s. law, critical infrastructure is defined as "systems and assets, whether physical or virtual, so vital to the united states that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." as declared by the department of homeland security, there are 18 critical infrastructure sectors in this country, including the defense industrial base, financial services, transportation, energy, water, and nuclear reactors. just before leaving office in january 2017, i added election infrastructure to the list as a subsector of the government facilities sector. our government goes to the trouble of declaring these assets critical infrastructure for a reason. in the energy sector in particular, assets of critical infrastructure are becoming increasingly interconnected and increasingly vulnerable to a cyberattack of widespread consequences. and just as every organ of the human body depends on a healthy heart, all the other sectors of critical infrastructure depend on the energy sector. to be sure, there are compelling reasons for the increasing interconnectivity of our energy sector. with climate change comes the need for renewable energy. with renewable energy, wind and solar power, efficient uses of fossil fuels, and smarter uses of electric grids, comes the need for digitization and interconnectivity. the u.s. electricity grid is now referred to as "the largest interconnected machine in the world." all this leads to cleaner uses of energy, but it need not mean trade-offs for our cybersecurity.
with the recent passage of the new bipartisan infrastructure law, nearly $2 billion will be devoted to making our infrastructure more resilient against the impacts of cyberattacks. but there are other things we must do to strengthen the cybersecurity of the energy sector and other sectors of critical infrastructure in this country. first, and perhaps the easiest, least expensive, and most obtainable solution, a quick fix: continue to raise awareness about the threat of spear phishing. many of us know what spear phishing is, but many still fall prey to it. spear phishing occurs when a user of a system is lured into responding to an email from a bad actor posing as a benign and familiar caller. once the user answers and opens the door, and lets the bad actor into the secure zone, the bad actor can pose as almost anyone for any purpose. to this day many of the most devastating cyberattacks on our nation began with a simple act of spear phishing. this is preventable. raising awareness about spear phishing among those who use a system can go a long way toward dramatically reducing the success rate of this form of attack. more broadly, simply raising awareness about weak passwords or the value of two-factor authentication can prevent a large number of attacks that originate due to the lack of what we refer to as cyber hygiene. second, achieve and ensure redundancy. whether it is the ability to count ballots or control a pipeline, redundancy is key. this is not a new concept. like the retention of paper ballots after an election, some call for backup manual control of power grids and pipelines. this may not be doable in all circumstances. the point is to have redundant systems that exist off the internet in the event the primary system is corrupted, or at the least, a contingency plan for how services are to be delivered if redundancy is not possible.
third, congress should not give up on efforts to legislate certain minimal standards for cybersecurity in critical infrastructure. most of our nation's critical infrastructure is in the hands of the private sector. working with the private sector, the government ought to be able to develop practical and implementable standards. many large and sophisticated companies with critical infrastructure are far along in the cybersecurity of their own assets. others are not, including many new entrants to sectors of critical infrastructure. in 2012, congress tried but failed to legislate national minimum cybersecurity standards, and even offered immunity from civil liability as a carrot. that effort failed. it provided further proof of the need for this, however. there is no one-size-fits-all when it comes to cybersecurity standards for the different actors of critical infrastructure. certain standards for certain sectors exist by virtue of regulatory action. congress should empower regulators of each sector of critical infrastructure to do more. successive administrations, including the current one, have undertaken to regulate cybersecurity by executive action. this is no substitute for laws passed by congress. it is also common sense. by federal law, we regulate aviation security, maritime security, nuclear and chemical facilities. why not cybersecurity? the need is no less compelling. fourth, we must bolster mandatory reporting to the federal government by certain categories of critical infrastructure. i am pleased to see there are bipartisan efforts now to insert such a requirement in this year's national defense authorization act. tom fanning, chairman and ceo of southern company and a leader in the cause for greater cybersecurity in the utility industry, has gone so far as to argue that the country needs "a real-time view of the battlefield" that allows u.s.
cyber command to monitor critical systems at the same moment and at the same time as the operators of the systems do. fifth, we must recognize that a cyberattack on a pipeline or a power grid can now cause as much physical damage and suffering as a natural disaster. the good news here is that the bipartisan infrastructure investment and jobs act, signed into law by president biden in november, creates a cyber response and recovery fund to be administered by the department of homeland security for this purpose. sixth, i join many calls for the education, recruitment, and retention of a cyber workforce to meet the urgency of the current cyber threats. exchange programs between the public and private sectors should be encouraged. given the current threats we face, why not a national cybersecurity college or university for both civilians and military, funded by the departments of defense and homeland security, to exist alongside the military academies, the national defense university, and the national war college? seventh, and finally, we must make it clear to the world that in the eyes of the united states, a cyberattack from overseas on our nation's critical infrastructure may rise to the level of an armed attack on the nation itself, warranting a military response, as the term "military" is now understood in the 21st century. in reaction to the terrorist attacks of 9/11, our government reshaped itself to go to war against terrorist organizations. we reshaped how we think of war. we recognized that warfare can be conducted against unconventional nonstate actors and that the conflict against nonstate actors may not be limited to the boundaries of a particular nation. as i said before, cyberspace is the new 21st-century war zone.
covert state and nonstate actors launch cyberattacks from overseas on our critical infrastructure that have the potential to cause death and destruction to the same extent and in the same manner as an airstrike or terrorist attack. in testimony before the house armed services committee in 2018, i said that a cyberattack which causes large-scale death or physical destruction can be considered an armed attack on the united states, warranting a military response. the president has the constitutional authority to take military action to defend the nation so long as the action does not rise to the level of a war in scope and duration, which only congress can declare. under international law, the united states is authorized to act in self-defense if the host nation is unwilling or unable to address the threat itself. and under established principles of the international laws of war, a military response to an attack should be proportionate, but it need not be in-kind. the united states has offensive cyber capabilities that are second to none. they should serve as both a defense and a deterrent. i am a recipient of the ronald reagan peace through strength award. like president reagan, i believe that peace and security are achieved through strength. in 2018, when i accepted the reagan award, i said this -- peace is not the default. you have to work for it. peace is the goal towards which the human race must continually strive. it is not the natural state of affairs across the globe. peace must be guarded and protected against the belligerent impulses of far too many on this planet. strength forges peace, and perceived weakness tempts aggression. thank you very much for listening. >> thank you so much, secretary johnson, for your remarks, for your time here today, your insight, and your service. you will be able to find a transcript of sec.
johnson's remarks as delivered on the atlantic council website on our energysource blog at about 4:30, in 10 minutes. we will put the link in the chat so you will find that later. right now i will hand it over to our moderator today for our panel, a senior grid strategist at idaho national labs, also a senior fellow at the atlantic council global energy center -- the floor is all yours. >> thanks, randy. i appreciate everyone in the audience for diverting attention to this most essential topic. it is so great to be with you all today. i want to thank secretary johnson for his remarks. he has been right at the forefront of the government response to the ever-emerging cyber threat and his thinking certainly shapes all of ours as we do this critical work. let me begin by introducing our phenomenal panelists. we are joined by andrea brackett, vice president and chief information security officer at tennessee valley authority; megan samford, vice president and chief product security officer in the energy management part of schneider electric; leo simonovich, vice president and global head of industrial cyber and digital strategy at siemens energy; and thomas warrick, former deputy assistant secretary for counterterrorism policy at the u.s. department of homeland security and nonresident senior fellow at the atlantic council. i want to say a couple of words and then ask each of the panelists to say a few words, and then i will dive into some interactive q&a with each other and potentially with the audience, too. i want to remark that we are in an era of transition where we are pivoting, both in the cyber realm and the climate realm, from periods of low-frequency, high-impact events to high-frequency, high-impact events. this year was one hit after another. we don't have to go back very far.
just before going into the weekend, we learned that hellmann worldwide, a giant german logistics company with a footprint in 173 countries, was found battling a cyberattack that was limiting its capabilities, so to speak. they are still working on that. we have seen news over the weekend, if you are following cyber affairs, of an attack on java elements in servers that has gotten everyone's attention, especially cloud providers. people are scrambling to contain the effects of that. at the atlantic council we have been holding forth on ports and maritime security, trying to think of another sector that intersects with energy that is completely vital. we mentioned hellmann and logistics and the effects in our ports from a variety of influences. two things secretary johnson said stand out for me as a pivot point into the discussions. one is his comment, his metaphor -- every other organ in the human body requires a healthy heart, so too all other sectors depend on the energy sector. sometimes we say that it is the critical of critical infrastructure. the second was his comment that the energy change we are going through, the energy transition, climate change is one of the factors, becoming the main factor driving it. that is why we have increased amounts of wind, solar, storage, and the digitization and interconnectivity that enable it; you can't have that level of energy transition into new technology without it. there's the rub, isn't it? the more software we use, the more networking we use, the more we must be cyber secure, more cybersecure than we ever have been in the past. i would like to ask each of the panelists -- i will call you out by name to keep it simple -- give us one minute of what you are working hardest on and what you care most about now, and then we will get into the more semi-structured q&a. please take it, andrea brackett. andrea: thank you, andy. hello, everyone. i am andrea brackett. andy introduced me.
i lead a team of highly skilled cybersecurity professionals that are tasked with protecting and defending the tennessee valley authority, which is an energy company, and the crux of that is our ability to ensure that we have reliable power for the 10 million people within our territory. the things i'm working on and care most about at the moment are increasing capability for our critical infrastructure, partnering with our industry and federal partners to make sure we get the right focus on cybersecurity, as well as ensuring that that translates into operational technology environments. that has been an area that lagged somewhat, especially when you look at the age of infrastructure and the different generating and transmitting capabilities. we are focused on making sure we do the right things in all of those environments. andy: thanks very much. on the general theme of operational technology, synonymously called industrial controls, the cyber awareness and capabilities have been lagging what we have seen in IT up to this point. things are starting to pick up. megan samford from schneider, you are up. megan: thanks so much, andy, and thank you to the atlantic council for inviting me today with this group of panelists. as andy mentioned, i am megan samford, vice president and chief product security officer at schneider electric. i am obsessed with producing secure products and secure systems, and that is where schneider electric plays a unique role in terms of cybersecurity as well as the intersection of decarbonization efforts. i also have a few different roles outside of schneider electric. i am the cochair of the department of homeland security control systems working group. i am also the chair of the international society of automation global cybersecurity alliance, of which many of our viewers, i'm sure, are members.
in my spare time i lead an effort called incident command system for industrial control systems, which seeks to apply the internationally recognized incident command system framework for use in organizing cybersecurity responses in the private sector and public sector, and being able to work in a common and consistent framework together. thank you again for having me today. andy: thanks, megan. if you are at all involved in industrial controls and cybersecurity, megan is everywhere all the time, without exception. thanks, megan, for your contributions. next up is going to be leo simonovich of siemens energy. leo: thanks, andy, and thanks to the atlantic council for having me. siemens energy is at the heart of the energy transition, helping to move the system to a cleaner and more reliable one, hopefully to help solve the climate change challenge that we have underway. at the core of that, of course, is digitalization and software. i in particular am focused on helping enable digitalization through solutions that help our customers detect and monitor their environment, cybersecurity, and the understanding of that exposure, and we work on technologies and solutions to help customers get faster at detecting threats and hopefully stopping them along the way. andy: thanks, leo. leo has been on several interesting panels for months and you will hear good stuff from him. last but not least, thomas warrick. tom: my name is tom warrick and i worked with secretary johnson at the department of homeland security on counterterrorism and other issues. all of the threats that secretary johnson spoke to are certainly very real in my professional experience.
i now head up the future of dhs project, where we are looking at how the department of homeland security can respond to these challenges, which are among some of the most serious our country is currently facing. so i'm very much looking forward to today's discussion. >> tom, we are lucky to have you. without further ado, as pledged, we will dive into the interactive q&a portion. it will be somewhat structured. i'm going to pose a question or an issue, and then point it to one of the four panelists. after they have had their way with it, i invite the other panelists to dive in as they see fit. when we feel like we have taken one to its fullest conclusion we will hit the next one. tom, don't go away. the first question is coming right at you. here we go. secretary johnson, your former colleague, began by pointing out the $2 billion allocated in the passed infrastructure law to better secure and increase the cyber resilience of energy and other critical infrastructures. in your opinion, how important are infusions of more funds, be they from external sources, external to, say, a utility, like the usg, or from increased allowances from corporate budgets themselves, the company deciding that it wants to allocate a higher percentage of its budget to combating cyber threats? >> aligning policy and resources is one of our government's greatest resources. the private sector has the same problem in terms of how it aligns resources against threats. this is especially challenging in the area of security, where in theory, every dollar in excess of what it takes to secure your systems could be thought of as money wasted. but in reality, the minute a company or business falls short, as secretary johnson described, there is a nightmare of consequences that follow that not only damage systems, they damage reputations and, indeed, put the country's security at risk.
one of the things that i learned in my experience of working on national strategies is there are a lot of well-written strategies. the key to success is often whether those strategies are adequately resourced. we're at one of those moments when it comes to cybersecurity of the energy sector. we are looking to try to understand, how much will it take to provide security? we're not just talking about small-scale hackers or, indeed, criminal gangs. we have to worry about what it would be like if, in the course of china hypothetically trying to invade the island of taiwan and striking out through cyber means at the united states to knock our military offline for a critical period, the kinds of things they would attack are no longer only naval bases in the pacific. they also include our cybersecurity systems. to defend against a nation-state adversary like china or russia isn't hypothetical. the example secretary johnson told us about, israel and iran going at each other through cyber means, is not fiction. it's today's security reality. so the problem is that simply because we can see there are cyber threats, we know more resources are necessary. but it's hard to know exactly how much more. the cybersecurity and infrastructure security agency is currently about a $2 billion a year organization. that money gets divided up between cybersecurity and the other major mission of critical infrastructure protection. some of the democrats in the congress have talked about raising that by a small amount. at the other end, you have people like representative katko saying it needs to be a $5 billion organization within five years. the question comes down to not just that more is necessary but how much more? the final point i wanted to make, andy, is homeland security is an enterprise. it's not just one department alone that's responsible. secretary mayorkas and other secretaries thought of homeland security as something that has to be done through partners.
so in the case of cybersecurity of the energy sector, it's dhs, the department of energy, the department of defense, state and local governments have a role, and especially the private sector. everyone needs to work together. it can't just be a slogan, "whole of society," that falls off the list. what this means is strategies and resource decisions have to align. they have to mesh with each other. systems -- private security systems have to work closely with the government, which has access to classified information that's absolutely vital in order to shape how money is spent and how actions can be taken in decisive moments. this is actually a very new and very significant kind of challenge that we really have to see whether the united states, both publicly in the government and in the private sector, can rise to meet. but the idea that an adversary could try to strike us through cyber means and find themselves defeated is actually one of those things that shapes the future of nations and democracies like the united states. those moments are coming on an almost daily basis. at some point, they may rise to the level of something that will be decisive in the history of our country. so i think it's one of those issues where determining the right level of resources will come down to being one of the most important security -- >> if i may add, i know there's debate about the number. is the number $2 billion, $5 billion? those are big numbers either way. as tom said, it's ultimately about creating the multiplier effect. that comes down to partnership between public/private, state and local. the system needs to work together. this cannot be a one-time investment. we need -- this country is known for its innovation and for getting the private sector activated to drive change, cascading that change to its smallest elements. this is the task at hand. how do we enable and protect the weakest link? you do that continuously as a measured risk.
the energy system is in this transition. we don't quite know what the destination is going to look like. what we do know is we need to protect ourselves along the way to enable that larger promise. our take is that the investment needs to be continuous and it needs to cascade itself down in public/private enterprise cooperation. >> thanks, leo. thanks very much. other panelists, you want to weigh in? >> i will jump in real quick. i think from the private sector side, we would love to see tax incentives for the private sector that enable those owners and operators to update their fleets. if we talk about critical infrastructure basically being at the front and center of our way of life, we have to consider industrial control systems to be the heart and lungs that power those critical infrastructures. with that, when you talk about industrial control systems products, many of these products were built 20 or 30 years ago without security built in. we call this secure by design. if we are able to essentially provide tax incentives to upgrade the fleet, we will achieve two things. we will achieve better use of the data that's coming off of these systems to get to decarbonization, and we will also have more cyber secure solutions out there. when you see companies reporting and being transparent about vulnerabilities in equipment, this is really a trailing metric, because it gives us a good indication of the state of security five or ten years ago, but the newer products and systems are being built intentionally following standards with security built in, and that's really -- that's going to make an impact today as well as an impact five years down the road. i often say in cybersecurity, we're trying to save the world ten years from now. >> the reference -- we can get into standards, but we won't do that too much.
the reference to this one, a suite of security standards for many different types of entities, but products themselves, too, represents a change in the industry. before we switch, you had something to say on this? >> i wanted to add just a little bit there. tax incentives are a wonderful thing for that product to get into the systems that we use. but we need to look out for the smaller entities. where those funds come from for them is from rate payers. so incentivizing in multiple ways could be beneficial, because otherwise we may be looking at certain parts in certain regions that have a different impact because of how they are funded and how that regulatory body allows that rate payer change to be translated. multiple incentives would be a plus for us to address these across a spectrum of different kinds of entities. >> thanks. money definitely is not the answer to all problems, but in this particular domain, following the money is one way of understanding who really understands the nature of the risk and who understands the most effective ways to start to tamp down on that risk. before i switch to the next question, i just want to pick up on tom using the term speculative fiction, as in, this is just not speculative fiction. but coming back to speculative fiction, for those folks that are lay people in cybersecurity or for whom white papers and powerpoints don't hit home, there's a book called "ghost fleet." you can have people read something with a nice narrative and nice characters, and it will get the centrality of our cyber risk home, in weapon systems and in energy infrastructure. i hope that wasn't too much. it's a decent read for getting up to speed on this if you are a newcomer. >> i will endorse that. it does get you thinking about some of the problems and threats. then you have to realize that that actually is out of date. >> right. >> let's look forward to the next book for the next turn of the screw on this.
this is going to get worse unless we start taking this much more seriously. >> absolutely, tom. right on. question number two, as time is fleeting, time is money. access controls, these are all things that were referenced by secretary johnson, as we have said. we're not just going off in our own direction. we are talking -- he is recommending access control improvements and other technology improvements. he referenced multi-factor authentication and more. megan, kick us off on this. >> sure. the secretary was absolutely correct in mentioning spear phishing. in something like over 90% of attacks, the initial entry point is that an employee will receive an email and they will click the link. the threat actors and these various groups, they have gotten intelligent. even to trained cybersecurity people at times, these emails are very tricky. if your company has a feature that shows it's an external email coming in, awareness campaigns from the top down, from the ceo to hr, this continual reminder to employees to be mindful of external emails, to look at links within the emails and not to click on anything unless they are 100% sure of the source, that's a great first step. that takes a ton of risk directly off the table. secure remote access is another great tool. multi-factor authentication, these are all tools at our disposal that i would greatly encourage owners and operators to use. it's going to greatly chomp away at the risk. i would also say that there are still what we would call table stakes problems where we are seeing devices, hmi, human machine interfaces, devices that tell you a ton of information about what's going on in that environment, including other devices that these products are directly connected to. if they are exposed to the internet, you can use a tool like shodan, you can go online and find thousands of devices directly connected to the internet. i have been urging the u.s.
department of homeland security and others to crank up the gear on the awareness campaign when it comes to beachhead devices or products that have direct exposure, because if you can access it that easily, you can bet the attacker can as well.
>> that's excellent. quick comment on shodan for those who have never heard of it or don't have a conception of what it is. the simplest way to put it is it's like google, except it's not indexing web pages. it's indexing things that are directly connected to the internet. they are visible. they are not hidden behind a firewall or vpn. you can see them. one other characteristic of things that aren't hidden behind those protections is they often have no security built in. insecure by design. even worse, i'm not trying to alarm anybody, but some of the products do have passwords, but many of those passwords are visible online. you can find them. you can put in the product name. it will tell you what the default password is. they often haven't been changed. shodan is the center of the universe you can use to help your company or the organization you care about become better. if you don't use it and aren't aware of it, the only people using it are the adversary. other panelists on this topic?
>> great point. most definitely. i think the other added benefit of that user awareness and training folks how to use security controls within your businesses is, take that home. we have got to defend on many fronts. ensuring that folks are protecting their private lives, their social presence, all of those things, that they can translate the same actions that they take at work to home, that's going to be another layer of defense across another part of our critical infrastructure and protection of people's identities and personal finances.
>> thanks, andrea.
>> just to add, why are we talking about table stakes when we established the threat environment is changing, that it is becoming ever present, that it has high consequences?
there's a vast brownfield environment. legacy assets that are decades old that need to be protected. yet there's not a clear funding model to encourage the adoption of those, especially around small and medium operators. there's something like 3,000 utilities in the united states. most of them fall into the small and medium category, not large authorities. it's our task to figure out how to lift that middle and provide some concrete action to encourage adoption of those so we can get to the next level of maturity and can close the gap between us and the adversaries.
>> right on. tom, are you okay with me moving on?
>> yeah. let's go on to the next subject.
>> fine. just before i say that next subject, leo referenced the approximately 3,000 or 3,500 electric utilities in the united states. some very large. some really small. it probably is good for folks to know, since we are talking not just about energy but critical energy, that there are approximately 50,000 water utilities. some are microscopic. and yet, due to the highly interdependent nature of energy and water, those things need to be secure, too. that goes to the heightened national awareness recently with the incident at the oldsmar water facility in florida. a place no one heard of before. improperly configured. you rattled off different types of technologies that are helpful, including secure remote access. they are only helpful if they are maintained correctly. that's my word on that. the secretary mentioned redundancy. this is the whole idea of, if your systems that you count on, that you become dependent on, if for some reason you lose confidence in them, you think maybe you are not the only one using them for some reason, or they stop operating completely, have you prepared for that in advance? have you put in a plan "b" in your policy and procedures? have you practiced it, not in some file in some directory, but you have practiced for the black sky day?
backups that are inconveniently stored so that not only do you have to work hard to reach them but so would a ransomware group? they could be there if you need them. switching to manual operation. it was smart what secretary johnson said: it's not possible in every circumstance. certainly, in electric it's often not possible. but to the extent it's somewhat possible, it's definitely worth pursuing. are those who provide the most essential services to the nation exploring these strategies as vigorously as you or we would hope? in the energy sector, are these things possible? i point this question first to you, andrea.
>> as you said, in some cases it may not be possible. but this is something that is of importance. one of the things that helped with our planning and being able to be resilient and have that redundancy is the fact that we have lots of natural disasters. as we talked about, cyber having physical effect, we look at those plans as interchangeable. how do we translate what would happen in a physical natural disaster, how do we take some of those same sorts of circumstances and translate it over to the cyber world? as evidenced this weekend with the natural disaster that went through part of our territory, we had to enact some of our technologies to assist with this. exactly as you are saying, practicing and exercising our ability to take action and have a backup capability so that we can restore power as quickly as possible and maintain it on other parts of the grid in a reliable way, that's something we do practice.
i think that's going to be even more important, that we factor in that multi-faceted attack or natural disaster event, things can happen at the same time, as we saw this weekend with the zero day that was of critical importance at the same time that we were making sure the power is staying on and that we are descending upon environments to make sure our local power companies have what they need to continue to provide to their local territories.
>> zero day, thank you. that was the log4j thing we mentioned earlier. that has people in certain positions really on the move right now. we heard southern company ceo tom fanning referenced earlier. along the lines of andrea's comments on practicing and redundancy, i recall florida power and light's ceo saying, when he testified before congress, he said -- it's related to weather. he's in florida. he said, i can handle disruption. we handle disruption because of hurricanes down in that area. what i can't handle is destruction. destruction of long lead time to replace equipment. right? he is talking not just about cyberattacks, cybercrime, cyber espionage, but cyber sabotage. that's one thing we're all on guard against, especially when secretary johnson's referencing nation state implications and warfare and things like that. we may get to a question on that before we are done. any of the other three panelists want to weigh in on the comments in the field of redundancy and plan "b"?
>> happy to. resiliency is the name of the game. the definition is changing as we become more connected. cyber and physical worlds are converging. commands that are sent in the digital world have real world consequences. multiple factors, whether it's natural disasters plus a cyberattack, can converge at the same time. the question is, what do operators do about that? we established first and foremost that partnerships are important. why? because of information sharing and the ability to get to detection faster.
the second reason it's important is because of mutual aid, an ability to come together and respond. if you are an operator out there and you don't have a phone number for your supplier, you don't know who to call, that's a problem, because it's not a question of if, it's a question of when there's a cyberattack. as we look at all that, and we think about building resiliency, it's all about practicing scenarios, simulating attacks against operational technology. attacks like colonial unfortunately are going to become more frequent. we need to figure out how to isolate, how to detect, how to isolate and how to recover.
>> i liked that about having your most important suppliers' numbers and contacts on speed dial and having developed rapport with folks so that when the day comes, as you said it will come, you are not saying, who are those people and who do we call? i advise folks to be in touch with, in terms of public/private partnership, their local fbi office. i have been talking to the folks here in milwaukee and getting a feel for to what extent they are already in good communication with folks who one day may need to lean on them. it seems like it's happening here. it varies depending on which part of the country you are in. having the numbers ready and the relationships built is the general direction. anyone else on resilience and redundancy?
>> i want to tie together what you just said and what our topic was at the outset on resources. you also need to have your rep on speed dial to deal with emergency situations, and you need to know how much of the company you have to take down, and you are right, this is one of the hallmarks of the future of dhs report, where we said homeland security needs to get itself resourced to the level that people know who to reach out to and they are not exchanging business cards for the first time when the crisis has started.
you have to know and trust who your rep is, who your law enforcement reps are, have an idea of who you need to call in those first few minutes of a cyber crisis, precisely because that can shape the response and save companies untold amounts of money and reputation. they have to have people who can answer the phone when that call comes in. they have to be regional. they have to be in touch with the customers they serve, meaning the public. it really is going to be necessary for the government to ramp up the number of personnel that are necessary. we think of fire protection as almost a right that every citizen of a city or even a small town ought to have access to. and yet we don't quite think of cybersecurity in that way. it's time, as secretary johnson said, we should start thinking about this as something that is an important part of what government should be doing, and that we resource it and make sure that it is accountable to us, we the people, for doing the things that government actually could be good at doing if it has the resources to do the job. we need to do the same thing with private businesses, and with corporate boards and local officials, and hold them accountable. whether they succeed or fail is something the public can help influence.
>> greatly appreciate you weighing in that way, tom. tom referenced, for the studio audience, the representative. they go by protective security advisors, psa, in your local area. all psas are not equal. some are getting learned up now. some have hit the ground running with significant experience already. some are more i.t. oriented. some are more o.t. oriented. we could use more of the latter. that's the three-letter acronym you are looking for in your region, your city. without further delay -- we have good questions coming in. the united states imposed standards, let's touch on that next. i want to say this part first.
for a long time now, at least a decade, we have had a thing called the critical infrastructure protection standards. several things led to the origins of this. they owe their origin partly to 9/11, to a blackout that happened in 2003, and to our own understanding in the wake of 9/11 that if you want to mess with the united states, one fantastic way would be by attacking the electric grid, the people that run it. cybersecurity was not super strong at the time they were investigating that. it has since become much stronger. the question of how much longer and how secure is secure enough will always be an open question. the critical infrastructure protection standards, mandatory and with fines attached to them, create a floor; fall below it and you are penalized. there's another subsector that's regulated with mandatory security guidelines, rules, and that is the nuclear energy sector, the nuclear regulatory commission. if you get too far away from those, things start to get a lot fuzzier. i testified a couple of years ago to the senate energy -- i'm going to forget the name of the panel. energy and natural resources. to my side was the head of the american gas association and to his side was the head of nerc. they were asked questions about pipelines. do we need to do anything like we do with the electric grid? both of them changed the subject and said everything is fine. well, it has come to pass, colonial, thank you, and others, that it looks like things are in motion now and that before too long, define that as you will, we may see things more mandatory, whether through tsa or other parts of government, on other sectors. we are looking at pipeline and water, i would say, next. we will see what happens. that's enough of an intro for sure. leo, you seem like you have agreed to take this on. let me read this out loud. we have minimum mandatory performance items. there has been movement in pipeline and water. the wheels are in motion for more.
what's your take on the efficacy and the efficiency of this approach for securing our most critical infrastructures?
>> yeah, thanks, andy. the hard question. can i say, i love standards. jokes aside, i think the cycle that we are in is that when a major attack happens, there's focus from the executive branch to do something. that's a knee-jerk reaction. it tends to be prescriptive. it tends to be rapid. it tends to address the byproduct of the attack. we need to get more proactive. regulation is always going to lag. doesn't mean it doesn't have a place. in fact, the standard -- the power utility standard that you referenced had a lot of benefit for a lot of different operators because it's given them a road map and helped them deal with this.
>> it also helps you get a budget. it helps you make the budget case and win it with your cfo or ceo.
>> yes. in a very bounded sort of way. the question is, are we really funding and standing up cybersecurity programs based on risk? we gotta figure out how to put cybersecurity as the core competitive advantage for a lot of these utilities that are becoming digital companies. we need to take risk-based approaches. i talked about the private sector innovation and uptick. the government has an important role to play. we will see more for sure because attacks are happening. many of the infrastructure sectors are not regulated. what we need to see more of is the platforms that enable public and private to come together. that's the theme of the day. funding models that are transparent, that use risk-based approaches and that enable flexibility for operators in how they invest. everybody is at a different maturity. i love standards. but there's so much more to do.
>> support for a standards approach to cybersecurity from leo. andrea, tom, megan?
>> i will jump in. i would say that i wouldn't necessarily be opposed to prescription.
prescription can be good, especially for the smaller and medium size owners and operators that you were referencing, andy. however, i always get a little leery of standards that may just address one segment or one industry. i will tell you why. because supply chains are so interdependent and the companies that make the products are international companies. i can't think of a company that just operates within the united states. if you look at it from the supplier standpoint, the owner/operator standpoint and the integrator standpoint, the people that in many cases are hopefully securely deploying the equipment -- you brought that up early. we can make secure systems and products. but if the products and systems are not deployed and configured securely, that kind of thwarts our efforts altogether. you want to have a standard like iec 62443 that is horizontal. i mention that. everyone is probably like, there's megan on her 62443 rant. it's a horizontal standard. it's good because it creates a common understanding and expectation between the supplier, the integrator and the asset owner. you are securing the entire ecosystem and supply chain all the way through to supply chain requirements, using the same baseline of standards that folks have been working on for the past 10 or 15 years. i think we have some good standards. 62443 and nerc map well together. in many cases, i think it's a mapping exercise of probably 50 to 70 what i call common controls that these standards are trying to address. when we get at the heart of addressing these common controls through those three layers that i talked about in the ecosystem, i think that's where we could see some real productivity.
>> we are talking about government standards or standards that originate with the government. organically, they are not mandatory.
it comes to pass, thanks to the groundwork of folks like megan and others, that people see the mutual benefits. folks in the product companies can build a product to that specification, market it according to that, have it kicked on by people to verify it does what it says it was going to do, and then folks like andrea can say, well, next time we modernize a substation, for example, we're going to require products -- only products that conform to whatever the appropriate subset of 62443 is. everybody can do a handshake and speak the same language. it's to the benefit of everybody, economically and security-wise. how do you like that? let's do that. let's have standards, some government standards where appropriate and some industry standards as much as possible.
>> let's not forget --
>> always start with risk. for some things like the bowling league scheduling application, it's not the place to start. sorry, people who are deeply invested in bowling. there are other things that must be protected first before that. i tell you what, we are at a point -- i'm pausing for a second. okay. we're at a point where i'm going to read out loud to our panelists a couple of good questions so far. let's see how they take them. this may exhaust the rest of the time to the bottom of the hour. i have some things up my sleeve in case they don't. i have been speaking with folks at the atlantic council the last few months, will loomis, too, on this call, on what is related to the field of cyber insurance. cyber insurance seems like a good idea. what do we call it, transfer the risk. then you don't have to worry. just worry about the other parts. however, cyber insurance has never really become what i think people thought it could. it has been around for 20 years. of the global insurance market, which is around $5 trillion, cyber insurance, the market is about $5 billion. for you and me, i assume $5 billion is a lot of money in our household budget. in a global insurance market, it's nothing.
there's a lot of folks on both sides of the table that wish it was a healthier product, that it did more, almost like the 62443 standards, it would make more people happy. ransomware has called out the achilles heel of the way it works. automatic payouts have further motivated the ransomware attackers. things are in flux. insurers are starting to cut policies or cap them. what little coverage they had before, with the exclusions they had before, it's all in motion right now. we will see it play out. maybe you will see a talk on it to try to further educate folks on what's possible in that space. the question though, without me massacring it, goes like this. the insurance industry is carrying growing risk in cyber, property, casualty and d&o. can we use this to incentivize good decision making and investment in cyber protection on the front end for critical infrastructure owners? can we use this risk to incentivize good behavior, basically, for critical infrastructure owners? who feels like it's a topic they must weigh in on immediately? who of the four panelists feels like this is one they want to weigh in on?
>> the point that occurs to me is, this is one where if i were an executive at an insurance company, i would base it on how well the company is managing risk. insurance is about understanding risk. indeed, certainly in areas like maritime and casualty insurance, they have a better sense of the risks of things like climate change than the general public does. similarly, health insurance companies know how valuable it is when their policyholders are vaccinated against covid-19 and have other vaccinations. what we need here is going to be for the insurance companies, in order to stay in business and make a profit for their shareholders, to understand how to analyze risk critically. when you have experts like richard clarke and rob knake saying cybersecurity needs to be at least 8% of your budget or you are at greater risk, that's a good data point to start with.
companies that don't spend enough or don't do things in the right way, that don't have the kind of employee education programs that secretary johnson was alluding to, they need to have their cybersecurity insurance premiums jacked up considerably, simply because they are bearing risks that more prudent, well-managed companies don't have to share. i think the key is going to be the kind of business-enforced investigations that insurance companies are actually getting pretty good at over the past 300 years. i think we need to see that in cybersecurity as well. i think the day of open-ended policies where insurers bear cyber risk, i would imagine those are in the past. i think it's going to take some informed decision making by insurance companies to make sure that their products are priced fairly and that, just as smokers bear higher insurance rates for health insurance, people -- companies who do the equivalent in cybersecurity of smoking are going to need to pay more in order to be protected.
>> sure. right on. insurance companies, they are in the business of predicting the future. to the extent they predict it accurately and set their products accordingly, they can make a reasonable or even a greater than reasonable amount of money with a finite, measurable amount of risk. to the extent they can't predict the future accurately, by understanding, quantifying the risk to their customers, they put themselves in peril, the business in peril. that's the game that's playing out in that space right now. other panelists?
>> sure. i think -- i echo everything and agree with what tom just said. i think at the heart of that is that we are seeing this play out where insurance companies, their business model is based on finely calibrated risk. we have centuries of historical data on -- to calculate the likelihood of a hurricane striking a building at a particular time. we have the risk models. cybersecurity is not treated nor studied yet as a formal disaster discipline.
i actually started my career out initially as an emergency manager. so i have a different perspective i bring to the table. to the extent that we can -- i will bring this up as well. incident reporting and studying when cyber incidents happen, why they happen, who was behind it, the cause of it, just like we study natural disasters, just like the university of chicago has the index, there are disaster sciences that have been able to be studied by the best minds with free data across the world. we don't have that benefit in cyber. that's why no one feels confident in the calibration of the risk models.
>> do you think we're getting it? do you think -- you are calling out we don't have it, as others have. are we actively building tables that will inform these better policies?
>> no. this goes to the point that secretary johnson made. this is why mandatory reporting is important. megan gave good examples. in my mind, the better example is airplane crashes. you are required to cooperate with the government, the national transportation safety board. it needs to be mandated. the time is now to make this mandatory and an expected part of any cybersecurity incident. while it may be painful and frankly embarrassing for the companies who get caught with their pants down, i think we need to take the societal view that this is what it will take to defend the united states against attacks by criminal organizations and by hostile nation states that are intent on doing us harm. if being embarrassed is something that it takes, then pretty much you have to sort of accept that for the good of the country. then vow to never let it happen again.
>> i like the way you tied one of secretary johnson's top recommendations, mandatory reporting, into the conversation in a way that would behoove the cybersecurity insurance.
you can see how that could play out, if you could have some confidence that most of the successful -- there's attacks where somebody is trying to do something and then there's successful attacks where damage is done. capturing that information could help build the historical knowledge from which better products -- risks could be better understood and better products could be derived. when that happens, it could be a bigger business on the insurance side and the folks transferring their risk would do so with more confidence there wouldn't be exclusions that would turn it just into a feeding frenzy for attorneys when a breach is reported. that's mainly what's happening now because of the way the language works. i have another audience question. it goes like this. on planning/exercises, how can real world exercises, for example dod's black star exercises, a grid comment, assist with increasing awareness of cyber threats and the need for practicing response plans? i think of gridex, run recently and run in its sixth or seventh iteration. how do real world exercises assist with increasing awareness of cyber threats and preparation in response? andrea, your face flashed in front of the screen. does that mean it's you?
>> i think i would be more than happy to talk about this one. i think that the more realistic that we can conduct our practices and exercises, whether it's internally to our companies or in forums with our energy partners, our suppliers, the better capability we build. but then that muscle, that muscle memory around how we respond to events, that's something that we take into consideration. we're definitely participants in gridex and have participated in other energy sector-related events, but internally we take a look at what happened with colonial, what happened with the things we see, either that's publicly known or shared within the federal space or industry, and then translate that to something that we try out ourselves.
so most definitely i feel like that that is, for us, a best practice, to translate what we're seeing to make sure we've thought through and are learning from the lessons of others.
>> and you said, i think one of the first words you used, if i heard correctly, was "realistic." you try to practice, practice an exercise in as close to a realistic environment as you can without causing trouble for your customers.
>> correct. i think another part of that is the use of folks that come in and test your capabilities. so not only exercising in a controlled format but having folks do things like penetration testing on your environment: do your incident responders detect that, is your capability such that you can see what would be happening to you and how you would respond? those types of exercises are highly beneficial to ensure you have the right types of technical and process controls in place to respond to actual, realistic events.
>> okay, great, thank you very much. other panelists?
>> to pick up, you know, it's really about involving an organization in an exercise. in a real incident, especially around operational technologies, you're going to have folks that run plants. you're going to have executives around, ceos, to make the calls whether to pay a ransom or not, a recent example. and also a security team in the middle in various forms. and so when doing these types of tabletop exercises, you know, getting executives to not only understand the risks but also their role is important. making it as real as it gets is also important. but sometimes it's really about looking at a cascading set of effects. so it starts as something that's unknown, somewhere out there, maybe it's a malfunction of our operational system. could be a cyber/physical attack that starts in the physical world and then quickly, especially if it's an insider threat, cascades out to the digital world.
so it's really important to start with variables that sometimes we consider to be black swan or unusual. and lastly i would say, do it in a way that's based on your ability to monitor and detect, which is the tip of the spear around exercising that muscle memory that andrea talked about.
>> that's great. i just want to make a quick comment on gridex, again, for those of you unfamiliar or semi-familiar. i was involved with the first few of them. it's partially an exercise played out by electric utilities across the country, across the continent, in a two-day exercise that simulates a threat actor's attacks, with various effects. and you get to practice, like leo and andrea are saying. i notice there's a second part on the second day called the executive tabletop. the ones i was at recently, as a fly on the wall, mainly, the people who were there were seniors from dhs and d.o.e. and fema, in response. sometimes there would be a dod representative. utilities were represented by trade groups like eei and appa, sorry for those letters. tom fanning would always be there as the fearless, charismatic leader on that side of the table. and i just remember them -- over the years they tried to broaden. they would bring in folks at the state level and the national guard. they would recognize that there were cross-sector interdependencies, so maybe they'll bring in somebody from ong. i was always thinking, to leo's point, really the attacks are on the ot systems. i mean, there's going to probably be significant damage, disruption, deception practiced on the operational technology systems. who built them, who knows them best? the users of them, andrea and her folks, they know them from the user perspective and they know them pretty freaking well, but nobody knows them better than the people who built them, and they can't be at the table. i think the reason, correct me if i'm wrong, megan and leo, or anybody, tom too, is that, as you said, they're all international companies.
they all have offices and executives and -- all over the map, and the products, actually, it's impossible to build any product in anything these days that doesn't have some software from different countries, et cetera. so i think that's why the suppliers were excluded. but man, i wish there was a way to do it. and maybe i'm out of date, maybe there are seats at the table for suppliers now. because that would be the essential voice, in my opinion.
>> i think in the past, i am aware, if i am remembering the correct tabletop exercise, that they're invited in as observers to the exercise. but i don't think that the point of the exercise is to exercise specific objectives tied to the restoration of the grid. and so i believe they're really focusing on the asset owner's direct relationship with the government and that communication channel. but i believe that suppliers have been invited in as observers. but they were not the intent of the exercise. but rounding off on the exercise topic, because i love tabletop exercises, because i love incident response, i don't see tabletop exercises used in, like, their purest form. i see them used in many cases to educate participants on the response plan, to educate the executives on their response plan, rather than actually testing the response plan, right? because you want to run the tabletop to fail the tabletop, because you want to run such a hard exercise that you identify the key gaps in your response plan that you want to go back and fix in after-action. to all of you out there, don't be afraid to run a hard tabletop exercise, don't be afraid of failing in front of your leadership. that's actually the goal, is to fail.
>> so you're saying if someone was crying during the exercise, that would be a positive indicator, not a negative indicator, in terms of the efficacy of the exercise.
>> as long as it tied back to the response plan.
>> right. it wasn't their personal life intruding on them in a time of stress.
>> yes.
>> completely agree with that. i think we're close enough. any final comments, wonderful panelists, before i bring it down the final home stretch here? it was fantastic from my point of view. how did it strike you?

>> great conversation, really appreciate the opportunity to be part of this conversation with this panel today.

>> and good luck with everything in your region, andrea, following those incredible waves of tornadoes. i will take that silence as affirmation that you got your points across, you felt like you had fair airtime, and that you pretty much are ready to move on to the next thing in your lives. so here we go. unfortunately our time together today is coming to a close. does it seem like i'm reading from a script? thank you everyone for tuning in today and thank you to secretary johnson and all of our panelists for their time and insight. i would also like to thank everyone who helped put this event together, including my friend will loomis, randy bell, olga kolkova, laura macedo, and jackson styron. if you would like to rewatch this event, a cached replay will be available on our youtube and twitter accounts. share with your colleagues and friends. thanks for joining us, have a great rest of the weekend. if we don't talk again until then, have great holidays too. thanks again.