Voting portal, you know, syndication that can be popped, and in you go as a customer to view or manipulate data. You know, all the different sites that can be popped as well. This is different from the web side of it. It's, you know, it doesn't take an actor of sophistication to run simple tools to manipulate the sites or try to force their way into the site to maintain access.

I think that's a really important point you just made as well. It doesn't take a nation state to be successful doing this. Think about the resources a nation state that wants to manipulate it can bring to bear. It is not a high level of sophistication to compromise these systems. It goes down to getting into the website, brute force, SQL injection, getting into the network, stealing credentials, mapping the network, gaining intelligence.

Yeah, I think this is Arizona, so this has already happened. Some learn from what's already worked, so they will mimic this breach. Next we move on to breaching state servers.

Yeah, um, statewide, steal credentials, elevate privileges, move laterally throughout the network, try to find treasure troves of data, voter registration databases that you can exfiltrate, and exfiltrate in sizes that don't get detected or go undetected. Again, these websites, these servers don't have properly layered security, so, you know, if you get admin credentials, they don't have user behavior analytics to detect the abnormality with that user's behavior. They are going to get the credentials the same way they have for years now. The number one method of achieving that first stage of access has been spear phishing attacks. It's been that way for years. They are going to use what works. Identify key individuals in the state that are associated with the running of elections, but then that state, which is very easy to do through, you know, available OSINT, and, you know, phishing emails to them and see what you get in return.
Generally, you will be able to, you know, you get at least one hit out of however many you try. At that point, you can start to collect credentials and laterally move from there. Job offers always work in that one. Crafted PDFs, great jobs. For a better job, take a look at this and we would love to talk to you about this. Take a look at the job announcement. They always open that announcement. LinkedIn is a starting point. LinkedIn always.

Moving on to insider threat. We know there's malicious insiders, unintentional insiders. Talk a little bit about this vulnerability.

It's a huge vulnerability. The unintentional is one we could fix. Most security people today will state the users are the problem and why we have a job. It's important for us to remember that. What we need is a large campaign for anybody that is part of an enterprise to be involved in and understand the dos and don'ts of cyber security. There's a lot of challenges in that space today. People don't know when that weaponized attachment comes in. It looks like a normal email they weren't expecting. They don't check on it. They don't know what they should and shouldn't do. Instead, they open it. It leads to compromise. Now you have a set of credentials to go out and utilize, to compromise an election database. They are a huge problem and one that's fixable. For some reason, we don't focus on bringing the users in, understanding what they should and shouldn't do, all the way down to our kids before they actually grow up to be part of a large enterprise. We simply don't do it and we should.

The insider threat, the malicious insider, is very difficult to identify at this level because it's so inexpensive to hire somebody. In my county, $145 a day for Loudoun County, Virginia. $145 bucks a day you get paid for the election. Most counties have little background checks. They do little on that side at all. Most requirements were a high school diploma or GED to actually be an election official.
Think about that. No background checks. That's it. They just want to know you can take simple steps in the IT realm and have simple interpersonal communication skills to interact with others there. So, very, very easy, probably, for some nation state to come in and actually implant somebody inside that environment, getting more than $145 a day, I'm sure, to go in and try to compromise the systems and impact our elections.

James, you and I were talking about infected state PCs. You want to kick off that?

Yeah. So, state PCs can be infected any number of ways. It can be the contractor who comes in at night for janitorial services. Mostly these state level PCs have totally exposed towers to inject any type of malicious payload using a USB drive. Social engineering always works with spear phishing attacks at the state level. They lack cyber hygiene training. They will click on dancing kittens playing with baby puppies and toddlers. It's cute, you have to click. They will click, download a malicious payload. From there, it's funny because we were asked to put a sample exploit. I think a sample exploit, if we were targeting a PC at the state level, you would want solid functionality across the board. The malicious payload would have a RAT, additional droppers, keylogger, screen grabber, camera and microphone capture tool, network mapper, lateral movement procedures, code injection mechanisms, social media spread and activation tool and USB infection capability. Also with self-deleting capability as well.

All that stuff already exists. If you, you know, the malicious actor, you don't have to write that or code it, you can grab your own cracked version of Zeus or Poison Ivy, Infinity RAT, you name it. All those tools are just out there for you to slightly customize, create a fake file and do all the things you just described. It's an easy step.
You know, today, in the dark web, it's a very robust economy. Like if you run a large enterprise, you buy product and get maintenance and support. Go to the underground, buy tools, you can get maintenance support for the tools as well to compromise somebody's system or do a distributed denial of service attack against somebody's system. Think about that, if somebody went after one of the states and distributed denial of service against one of those databases online. It knocks it off in the middle of the election.

The next thing we'll talk about is poison updates at the manufacturer level. I think we already covered that. Okay. Spreading malware to state election systems.

Sure. A lot of these methods are interchangeable. You can use them for local PCs. But it comes down to, for me, if I were the adversary coming in, I would poison the update. I would start at the manufacturer level and gain access to the state server, get access to the database, and the packet size, and have some type of malicious payload to bridge the air gap and have full functionality. I would also add a ransomware feature. It's something nobody is really talking about, whether it's the voter registration data or the final tabulation, total tally of the vote for that night. It would be interesting to ransom that. Again, all it is is a weaponization of encryption injected through normal channels.

With all these different malware discussions, there's a lot of overlap. The response would be largely similar. At that level, you probably see a lot of the same sort of behavior: identify the target, do your recon on them, infect them via spear phish or, if you have physical access, then that's much more easy in terms of just plugging in a USB drive or dropping your payload any other way that is available to you. But, you know, outside of that, it's going to be mostly the same, utilizing the same sort of tools. I think that most of these systems are so easily compromised that, number one, they should have never been released.
There should have been a standard that they are held to, when it's not security through obscurity, as we like to say. Quite frankly, it's been proven time and time again to not work, and have a set of standards they are measured against, with people actually doing the measuring that have a large component of cyber security expertise, to ensure the systems can't be compromised.

Today, we can stand up here and talk about the methods to compromise for hours because there are so many different vulnerabilities in the system. Everything is documented out there. You can get technical maintenance manuals for these things. Things that should be internal are all available on these machines that have been around since the early 2000s, mid-2000s. They are all still in use today. There are not a lot of brand-new machines undocumented or where it hasn't been leaked out there. Go to Black Box Voting or any number of sites that tend to collect this information and pull down whatever you want in terms of field service guides or firmware update manuals or codes to do the firmware updates, things you would assume would be internal and closely held secrets, but they are not. There's no obscurity on these things.

I think you emphasized my point further, better than I did. Now that all the manuals are out there, some have been for quite some time, there is no obscurity. It shows security through obscurity never works.

Great. The last one, if you have any additional comments, we talked about compromising state tabulators. Any other comments on that?

You know, a lot of the modern systems are running derivatives of Windows or a special build of Windows. They would behave like any other host in terms of how you would affect them or what you could affect them with. A lot of states or officials argue that because the systems are air gapped, you can't compromise them in that way. Oftentimes, you have to move data from those systems to, you know, connected systems to get the full results external.
That may be, you know, I have to move this USB drive or a zip drive or, in some cases, a PC card to this connected system to get the results out. That could be a point of compromise. Same thing if you have to, which is the case with at least 10 manufacturers, if you have to move the data to a connected machine to get the results outward. You, as the user of these tabulators and the systems, are going to end up breaking the air gap at one point or the other.

Perfect. We are going to close out the conversation by talking about the current climate we are living in, especially given the time frame around this upcoming election. So, media coverage has talked about the DNC hack, RNC hack, certain individuals talking about the possible integrity of the results. What is your take on who is behind some of these incidents?

I think it's very clear that most of us in the community today feel it's the Russians. You know, they have been behind some of these compromises. So, whether you look at reports from my company, from CrowdStrike and many others, you know, it's clearly been linked back to the Russians manipulating the systems.

It's important to, like, with a lot of these incidents, we are not always talking breaches or compromises of the voting systems and the voting machines that the officials tie to the process. In terms of leaked data, it's a sway of opinion as a result of the leaked data, not necessarily a compromise. There's no reason to assume that wouldn't be part of it. You know, a lot of these things are still going on. When we comment on these things, they should be, you know, treated as ongoing. Time will still continue to reveal a lot about what's going on with the leaks, but it would also be safe to assume that they haven't just left the building, so to speak. I would urge people to understand that, you know, once the actors are in, they tend to hang around for a while and, you know, continue to pull what they want to pull.
Fascinating reports on APT28, APT29, Cozy Bear, Fancy Bear, whatever you want to call them. Good reads on the capabilities. I think we have to be careful with attribution with this sort of thing. When we say it's the Russians, where? What Russians? The APT nation state? APT mercenary? Cyber criminal gangs? They are looking to do something big? Could it be China? Their strategy has a smash and grab aspect to it for technology, to dwindle our democratic process. It coincides with the psychological warfare aspect of what they do. Also taking into consideration the access as a service, hacker for hire, that levels the playing field for Cyber Caliphate, self-radicalized insider threats, cyber jihad, that sort of thing. Cyber self-radicalized wolves is a classification.

Yeah. Yeah. I think the media does tend to paint an oversimplified picture of the groups. When you talk about, you know, a specific group like Russia, you know, they paint the image in your, or they try to infer the image in your mind, of a room full of specific individuals that are part of this super hacker team that is known as Cozy Bear, Fancy Bear, whatever mammal it happens to be. It's not always that simple or cut and dry. Oftentimes you see people traversing different teams. There is a huge for-hire aspect, you know, whoever is behind some of these things or is controlling the resources behind the groups and incidents. They will find people to carry out what they need to have carried out and, you know, one day they might be part of team Fancy Bear. If enough money comes along for the next job, they may be team Cozy Bear, and on and on and on. You see the same dynamic with the Chinese groups as well. It's important to know that the picture of one specific group of, you know, state affiliated actors working together as a team, it's not always that simple.

Certainly allows for a nation state to create a level of separation as well.
Yeah, Chinese PLA are known for discovering vulnerabilities, 0-days, things like that, during the day. They take that and freelance at night. They go through English language handlers. I had something else on the Russian aspect. Oh, yeah. When you forensically decide what's happening with a breach, or stealth and sophistication like we see out of Russia, once you define the forensic value of that breach, you see a lot of copycat breaches, copycat hacks. So, I think that's another thing nobody is talking about, the copy aspect. It's not enough to just say we think it's Cozy Bear or APT29. APT28 is right? Yeah. Once you have defined from a forensic perspective the toolkits, the exploits, time stamps on the code, all these factors you can easily duplicate with some technical sophistication and capability. You are going to see a lot of mimicking of nation state and high level mercenary criminal gang activity.

To expand, you are hinting at it. You also see deliberate, you know, masquerading in terms of a group and toolkits associated with another group, or infrastructure that is known to a specific group, to throw off analysts, throw off security so it's attributed in the wrong way. That's a problem with the Chinese stuff in particular. You see a lot of, back in the Comment Crew, APT1 days, all these other groups were using the same tools, same infrastructure. So the attacks would get wrongly attributed to Comment Crew when it may have been someone else. That same sort of thing extends to other regions, Russia included. They want it attributed to somebody else.

Yeah. A lot of methods to do that. You look at the sophistication of the Russians, or the willingness to throw as much funding at it as possible to promote the smash and grab aspect, and you look at these sophisticated attack vectors, the exploits capitalizing off 0-days. They are used to going into systems that are highly guarded, you know, look at Energetic Bear and, yeah, Energetic Bear and KeRanger.
Perfect example of poisoning the update. This is something that, these are highly sophisticated people, and what they are able to do is go into highly protected areas. This isn't a state website with no layers of cyber security, no UBA, no encryption of data in transit and stationary. The election system is fair game. Think about that. Fair game. One thing, the people that should be protecting us, the people that should be the gatekeepers protecting the election process, the manufacturers with cyber security through the life cycle of the technology and the secretaries of state and the election officials, and they are doing nothing. They are not sophisticated enough to do anything. It's time to have a changing of the guard, I think.

I wanted to add to that, it's interesting your point there, so it was just in the press yesterday or the day before yesterday, I think it came from a deputy director at NSA. It's something all of us know, that attackers only bring out, you know, the tool set needed to achieve their objectives. They are not going to go out and bring out a bunch of zero days they have, vulnerabilities with exploit code, and release it if they don't need to to accomplish what they can do. We are talking about this with sophisticated attacks taking place around the world. South Korea, the nuclear hydroelectric plants. They took out ATMs a number of years ago and media companies with sophisticated attacks. That's the point we are trying to make. There's no sophistication required to hit these election systems. None. It's very, very simple to do. For us to say the systems can't be hacked is being very naive on our parts. It's something we don't want the election to happen. So, this gets tucked away for four more years. It needs action, funding, resourcing and a focus.

On that note, we are less than 20 days away from a major election. Is there anything that can be realistically done between now and then, even if it's not going to address all the problems?
What can we do now, and talk about doing for the 2018 and 2020 local and federal elections?

First and foremost, protect the tabulator at the local and state level. Anything that comes in remotely close contact with the tabulation algorithm process, protect it. You know, then forensically analyze before the elections the black box technology that the manufacturers and the state level mutually support. Bring forensic people in to hammer the swing regions, specifically of the swing states, from a forensic perspective. The black box aspect, GEMS tabulation software, the election system as a whole.

Physical security has to be way better, you know. Realistic or not, the ideal situation would be people sort of in the know, or people that are familiar with the different ways to compromise these systems, should be available and observing things at the polling stations. That, or properly educate the people working there on what the physical compromises are. In some ways, that's been done in the past, but it's simply not across the board and not done at the volume that it needs to be done. There's so many ways to screw with these things physically, and if there was just the correct pair of eyes watching for those attacks, it would stop quite a bit.

I would add, to further what you said, a pinch of paranoia on everybody they hire or is already hired as part of the process, and give them a five-minute spiel on a sheet of paper. These are the election systems we have. Here are the ways they can be manipulated. You should watch everybody that comes in here so they are not touching these things, and watch your counterparts that are watching you. Just a pinch of paranoia so you understand what shouldn't be touched. They don't have to understand how it's manipulated. These are things that shouldn't be touched on the system.

That was fascinating. Thank you very much. [applause] I'm going to ask the second panel to come to the front of the room, please.
While Congress is on break until after the November elections, we are featuring American History TV programs normally seen weekends here on C-SPAN3. Tonight, congressional history. At 8:00 Eastern, former senators Bob Dole and Nancy talk about Congress. At 9:25, the history of African-Americans in Congress, and shortly after 10:00 Eastern, the 50th anniversary of the National Historic Preservation Act. At 10:45, the dedication of the Thomas Edison statue in the Capitol.

We just heard about cyber security issues. Now, solutions. Technology experts discuss best practices to improve cyber security in the federal government and private sector. This is about a half hour.

Fantastic. As I mentioned earlier, the second panel for today's briefing is really focused on cyber hygiene. We have heard a lot of talking points from the earlier panel, and really a lot of those things fall under the umbrella of cyber hygiene. This is not specific exclusively to the election process at the state and local level. It's best practices any organization should be prioritizing. We understand, and we have discussed the issues time and time again, they are a challenge. We'll talk about the opportunities as well. So, let me first start by introducing the panelists. To my right is Michael Seguinot. To his right is Greg Cranley. To his right, Trish Cagiostro. And to the far right, Stacey Winn. Panelists, thank you for joining us.

The first question is talking about the growing IoT microcosm that is increasing the surface. Despite many CIOs, they continue to struggle with understanding what their network topography looks like. This is obviously only going to get worse, not get better. We are going to talk about why this continues to be a struggle and what leverage they can make, or understand what their network actually looks like and the devices that are on it. I open it up to anybody.

I'll start. The idea of the internet of things is a nifty idea.
The problem lies, if I can access a system for my job, an HVAC system, a pharmacy within a store, then I can certainly traverse the network to get to where I need to go to get credit cards or any information I want to get, because it's costly to have separate networks for each one. They are all networked at the physical layer. There are technologies out there that can allow you to, through policy and software, isolate the machines so they only speak to certain machines, using PKI credentialing. Outbound only, and use a cloud broker of sorts that will only allow and provide real-time identification of who the person is. Also, by using something like that, they can isolate the resources.

I think there's two sides, the personal side with the smart watches, the Fitbit tracking activity. Those elements are things your users want to bring in. How do you plan for that? The second side is IoT and you have business applications, too. You have different devices you bring online. It makes us smarter, better, faster. You are talking manufacturing. So, I completely agree in the sense that this problem is only going to get more complicated. If you think about this, how can an enterprise figure out the topology where the devices might never touch the network? Think about the instance with a Fitbit device where I plug in my piece that goes into my laptop. I'm syncing it. How can you find it on your network? Right? When you talk supplies, what if that device is then preloaded with something that could cause damage to my network, things like that. The topology of the network is expanded not by what is connecting to it but the devices on the network.

The connections between, we are talking on the business sense where, if I have smart devices or different industrial systems I'm using, I might think they are only talking to each other. I have to understand not just the connections between them, but my other network as well. Exactly.
I will echo that more to say that, as cyber security developers and practitioners and vendors, as a lot of us in the room are and the panel, it's our responsibility to make sure those solutions we are providing have security built in from the beginning. It's easy to use. It's easy for our customers using the solutions, who aren't necessarily cyber security practitioners to start with as their main job. They can actually utilize these in a secure way.

A lot of you mentioned endpoints and devices. When we think about protection, we think about those physical entities. As more and more users are added and more credentials are going to get access to the network and systems and different data information, many are saying the user is the new perimeter. My first question is, what technologies exist to help mitigate unauthorized access, as we know the numbers go as high as 98%, 99% of all breaches involve a compromised credential?

I guess I'll start. I wanted to make a comment. The IoT, what started it. I think the IoT was started when you think Star Trek. If you watch the movies, there was always a computer in the room. Ask it anything, it solves it for you. I think that's where we are going with IoT. It's that convenience of doing anything, whether it's my iPhone or iPad. I tell my young sons, in my hand I have answers to all of humanity's questions here. It's profound. I think if you dovetail it, with that power comes responsibility, and it's about the user. Every user is capable of good and bad. Every user has a bad day at work. Man, I'm going to get my boss, or whatever. We have to look at the user and how we manage that. Going into the question and technologies, technologies are there. There are a lot of leading edge technologies; UBA is a term. I look at Star Trek. There's artificial intelligence that is going to make decisions for us. Are we going to empower that to make the right decisions? Another quick example. Baseball, everybody is watching the World Series.
10% of the pitches are called inaccurately. We have the technology to solve that, but we don't. Same with cyber security, we have the technology, but are we going to implement it?

I agree. There's lots of evidence from previous breaches that indicate that, you know, it is the new perimeter. The ability to do things now from afar, unlock your door, check your icebox, see if you need milk, start your dryer, those type of things. It's cool. The tough thing is, if I can do it, so can somebody. So, somebody unlocking my car, there was a case of the Jeeps being stolen. Guys were running scripts, syncing up and getting the code for the key fob. It's a general way to get to it. There are technologies that allow you to prevent that. Another panel, the previous panel, identified the issue of where they were even with the weakness of technology. It's all identity. If you can remove user ID passwords and something-you-know technology, it's hard to penetrate. I might be able to steal what you have. To have what you know, that's difficult. That combination is very hard. If you limit people's access, it controls what the damage can be.

Yeah. What's interesting, too, compromised credentials show up online for sale all the time. One of our capabilities, we will scrape the information, pull it in. There's a tendency to think, okay, well, I had identification, I'm good. It doesn't matter these credentials are showing up out there. That's sort of true, in the sense that, even if they won't be able to get the password, six months ago we discovered a 30,000 dump in a dark forum. The poster said, I found these 30,000 credentials. Here are 800 passwords. Go target these users with social engineering tactics. You miss an opportunity. Users do their annual security training. They don't think about it after that. They click the simple questions at the end, get the security certificate. What if you could reach out and say, you should expect to be targeted with social engineering tactics.
By the way, here is a link to training on social engineering tactics. Now, you are creating additional touch points to help them get engaged in the security process.

To add on to that, it would be a fairly simple policy change, a process where you could institute two-person human review for critical changes, so if you have a critical user that can make changes to your administrative system, two people have to be able to okay that before it goes out company-wide. You are lowering your risk quite considerably.

Terrific. Greg, you and I spoke the other day about this. I wanted to give you a chance to talk about it. There are federal agencies integrating as part of this larger conversation. Several mentioned leveraging existing technology, and there is a lot of technology; how do we use it more effectively. You want to share what's going on with the government in that perspective?

Everybody has kind of read about it. Their initial focus on privileges. The unfortunate thing is, as this gentleman said earlier, everybody is a privileged user. You have a smartphone in your hand. You have access to your company's data. You are a privileged user. With that, they want everybody to use a digital representation of themselves, because that can't show up on a password dump anywhere, because there is no password. Getting rid of user ID password is the key to this problem. The issue the government has in getting internet wide use is the heterogeneity of the network. It can homogenize everything on the network to make it look like one type of operating system that can be leveraged out of one identity store that will authenticate to and provide the rights to the people they are allowed to have. You get to a point where you give a rights privilege as opposed to access to a bunch of applications. The other thing is to give people these. Give them granular roles. They can do what they want to do. Nobody calls the help desk and says, can you take away this access I have?
I have too much privilege. Please take some away from me. Right? You have to right-size the roles to make sure they only have what they have. It keeps them out of trouble. It's like, you know, having the authority, but also having the responsibility, right? You know, if you give them guidelines, like as we are being raised, we are given guidelines and boundaries. Give them boundaries. It is something they have or know. You throw a third authentication on top, it is hard to end up on a dark website.

It's funny you mentioned that. Talking about the voting, in 2000, I remember working on a project around the election, the voting conspiracy on who won the election. There was immediate funding before 2002 around a project called SERVE. It was letting the military do it electronically using the PIV card. It was a great application. I mention this because the PIV card has been around for 16 years. It's a great solution. It would have given great authentication. There are no issues with privacy, which is a major concern in voting. Giving the user a password, I know who he voted for. All these solutions are there in technology. Just 2000, didn't do it. Still not being used today. There's a lot of reasons for that. Again, I mention you talk about a great application. It's something I wish citizens had. You want a tax, give me a U.S. Postal email address with a certificate. I don't need 15 email addresses from Yahoo and Gmail. We need to implement these technologies.

When you are talking about two factors, the other thing that does, how often does someone have a password for a really secure system? It means it has complex requirements. They reach in their desk and pull out a password that's written in a drawer, or lift the keyboard where it's written down somewhere. That's the nice thing about two-factor; it reduces the risk that your user will write it down where anyone can find it.

Several of you mentioned insider threats.
With the previous panel we talked about flavors, malicious and unintentional. Regardless of the type, they could have catastrophic outcomes on an organization. The federal government, despite mandates and requirements to have these programs, it is still not being done across the board. I was curious as to some of your thoughts as to why this is the case and what can be done to change it?

I think it is a three-pronged approach. It is people, process and technology. You have to train the people. I think it was (ISC)². They did a study where they interviewed various departments across different agencies. Outside the IT department, less than 12% of the people thought cybersecurity was important. So people in operations, HR and procurement thought it was okay. The IT folks, the highest they got in cybersecurity care factor was 48%. There has to be better emphasis on training people on what they should do. The second thing is the process. I get back to, you know, providing that least privilege, providing the least access. One of the issues we have at the federal government and the insider threat is people get a chance to go other places. This person is rarely the person that has the wide-open access or needs the wide-open access. It is the person that doesn't have wide-open access, but they are able to hack themselves across the network to get to the place where the goods are. If you can provide them least access, as much as they hit the button, they can't go there. You are going to keep them processed. That gives you a good process. Use technology that basically enforces it.

We had lots of mandates from the presidential executive order back in 2011 that came out and actually said we all need to be doing protections against insider threats and programs. The trouble is, all these mandates and requirements haven't come with funding. How do you do that? You have to buy systems and technologies; you have to have funding to put behind people to run that program.
One of the biggest challenges we all face, and have to raise up and make louder, is we need funding behind this to actually implement these processes to protect all of our critical data.

If I can add, too, you mentioned insider threat. Everybody has heard the term. It is familiar. It is almost like a bad word. One of the challenges agencies have: there is a privacy concern. I don't want to be an insider threat organization looking in on my family. I don't want to find a bad guy. Account lockouts: everybody has locked out their account. To the cybersecurity side, that's a headache. They have to determine what happened in the lockout. Did Michael fat-finger it and I have to reset it, or is Michael an insider? Is he being compromised? Is he coming in from the wrong place? If you can give the user contextual information: hey, Michael fat-fingered on a Monday morning from the same IP address. That's easy to reset. Rather than Michael was locked out on Saturday trying to get access to a system he has never touched before. If you take that approach, as in, I can make your business easier and you can be more efficient in your job. To answer your question, they bring a lot of visibility. There's a recent case a few weeks ago, another guy. It is never going to end. How do we make our users use better technology to be faster in how they make those decisions?

Insider threat is not a new problem. It took us 22 years to find Robert Hanssen. We've had espionage, corporate espionage; that's not new. We have an unprecedented amount of data that is ultimately going to make us more effective. It makes a much more solvable problem. You have HR data, knowing if someone is on a performance improvement plan or they are at risk of being fired. You also need audit log data. I think organizations get really scared of the edge cases, where how would you stop a scenario where I have an employee, his manager is torturing him. There are no HR records of it.
He hits the point, that's it, I'm done, I'm going after this guy. He goes and opens up some files and takes pictures on his cell phone. Our users are pretty smart. They see CNN and realize you are watching. They tell you, we are watching you. Our users know. Now, let's say he takes his phone out and uploads it to WikiLeaks; how would you detect that? That would be really hard to detect, and any ramifications could be big. We can't get hung up in the edge cases. Before we can worry about the really, really scary bad stuff, let's solve the 90% of the problems, and then we can start to look at the edge cases. Like computer network defense, with insider threat, it is not if, it is when. You need to have a recovery and response in place that people are trained on. When it happens, learn from it. Were there additional technologies that I could have had that would have prevented it? All of that needs to be thought of. Not just the program, but how to present it, and what do we do when it actually happens?

You also mentioned areas to track, HR data, travel data. A lot of disparate and technology data don't touch each other. Having solutions in place that help our analysts track all of that from one central location, solutions that work together to have a holistic picture of what our users are doing, to protect them and the company as well.

That's great. Shifting gears, we have been working on steps, or sorry, phases one, two and three. We have recently started talking about phase four, some areas that you have mentioned, that is, protecting data that resides on federal networks. What technology and best practices do you recommend to DHS to include in phase four of CDM as we start to put this together?

The natural thing for phase four, or protecting data, is data loss prevention products and redaction products that can redact sensitive information based on use. Easily filing things so that the wrong eyes don't get access to them. This technology is out there to do that.
They are just difficult to implement. They are extremely policy-based, and to get them fully working, it will take a lot of time and money. CDM phase 4 is going to focus on that. Implementing the network is going to become very, very important there. It sounds clunky on the back end, but if you have a cross-domain technology that can help you access and transfer those multiple networks from one single location, it becomes easier for your users and you are very, the keys to the kingdom, if you will. All that data is in a very secure place. The access controls are there, as several panelists mentioned. Only certain people can get to that. It is very, very protected. There are technologies out there where you can by policy separate things, layer three, four, and five, as opposed to building separate networks.

It's funny. When you mentioned this to me, I started laughing. I remember working on phase one years ago. The agency was rushing to deploy it. I am glad DHS is doing it. It is a great program. One of the comments I would make: the biggest challenge for a great, especially for small vendors, and that's still a major challenge. Yeah, I'm buying X. Why are you buying X? Oh, it is CDM. Not because it is the best product, because it is there. Unfortunately, that's a bad thing with cybersecurity. We still need better initiatives to get better, faster technology in quicker. I'm looking at getting my company into it, which is why I laugh when I look at phase 3 and 4 right now. Don't just make a decision because it is on the contract all the time. The problem with that is that price is right. I understand that. But it isn't just price. Price and aware. I agree.

Again, this was mentioned earlier on some of the panels. What specific programs and methods have been proven most effective to change behaviors, and is there a way to leverage technology and also influence people's behaviors? Trish?

Sure. Training: there are really a couple of things you have to do.
First, it needs to be engaging, and people need to feel they are learning something and getting something out of it. If you're at the point where users are going through annual security training and you had these rooms and you go through the rooms and it is like someone calls you up on the phone, now what do you do? And so, you know, I would try and get through as quickly as possible and answer questions and I'm done. It needs to be engaging, and they need to feel like they are getting something out of it. It has to be something they have thought about through the year. Send them phishing emails, see what they do. Someone earlier took my cat video joke, but when I was working, it was the Steve Irwin video. Everyone wanted to see the Steve Irwin video. I think the most important part of training, with actually improving the part of your users, is where there is a punitive action if you violate, what actually happens. And I think it doesn't necessarily have to be punitive. It can also be incentivizing someone, where let's say you send five emails throughout the year that test whether or not they click on it, or something like that. But maybe they get two hours of extra vacation per time where they are successful, or something like that. That would cost a little bit of money, but when we look at how expensive it is when we have a breach, I'm sure there would be a cost-effective solution there.

Trish, I agree. I had a customer looking for positive behavior. One of them is making someone aware of touching something when you shouldn't. Did you mean to touch that server? Oh, what do you mean? They are less likely to step out of bounds. Give them an incentive. I get spammed all the time. I get phishing attacks and I want to press the button. I know I'm not supposed to, but I want to. Why don't we share that? When you get spam, send it to the center, let them detonate it. Share that knowledge with people. Again, people are not involved in it. Let them share what they found.
The other thing is text messages. I'm getting text spam. Share with me the recent attack or exploit and let them see what the result was. It answers that curiosity problem we have.

It is definitely a culture issue. I believe you brought that up earlier. We all have to be a part of that, from senior executives on down to the line-level employee. Everyone has to be aware of it and part of it, and all of us practicing the same, saying, hey, why did you do that? Or laugh about the email that comes in, and someone will say, make sure you don't click on that. Did you see that? Don't open that LinkedIn email from the person you don't know.

Those are all great points. I think what Tony Scott said earlier is important too. We've got to get them when they're young. A lot of us, a lot of us older folks, didn't grow up with technology. And I'm pretty sure that everyone on this panel, if I asked, what do you think the biggest risk to your network is, people would say the user. On the help desk we had a cartoon that said: problem between keyboard and chair. We are afraid of our users, we security professionals, but there are a lot more of them than us. The quicker we turn them from the biggest risk we were worried about to where they are engaged in helping us do our jobs, the better. That's actually growing with the coming on of all of the millennials, folks from that age bracket, with our baby boomers retiring at ever increasing ages. So we will only see more of that. They, from the millennial generation, are used to technology doing security for them, if there is even security at all. They just don't think about it. They are used to the technology. We take a different, more cynical view of technology; we don't expect it to do what it's supposed to do. They just expect it. They don't think about it. They move on. So that's only going to get worse.
So our final question for the panel is really, we're talking about some of the success stories that are out there. We know several agencies and private sector CIOs who are implementing wide-reaching, I should say, cyber hygiene programs. Can you share programs and initiatives that you think some of the audience and folks at home can look to for guidance, and/or what are other ideas that you have that could help an organization put together a good program and change some of the behaviors you've been talking about?

I think this success story is in pockets, because everything is pretty much stovepiped. And I think it is difficult to get everybody on the same sheet of music. And until the executives of the organization, he or she or the group of them, get together and say, here's what we're going to do, to mandate that, and I think that's the attempt of CDM on the federal side, is to put together a standard set of technologies that are mapped to the OSI model that you can deploy and that all together will orchestrate this one single cybersecurity capability that will ensure the security of the agencies.

Anyone else? Sure. So I was in a meeting, this is probably about a year and a half ago, and it was talking about these really advanced things that we can do, you know, to improve cybersecurity. There were probably about a hundred people in the meeting. And someone literally stands up and says, you're talking about this. We don't even patch our systems regularly. So cyber hygiene is incredibly important. We have to think about this as a phase. If you're at zero, you're not going from zero to hunting APTs in a night. You have to think about this in layers. I do think that there are organizations that are out there, and some, I'm very fortunate, some of my customers I work with, I tend to work with customers that are forward-looking and are interested in the intent instead of the letter of the requirement.
And there's a great example where CDM might say thou shalt do these things, and I'm excited and getting this, and it will free me up to get additional capabilities that will take me further. I guess my response on that is take advantage of the programs that exist. Take advantage of anything that people give you. And that will give you the opportunity to look further ahead and get to more of the advanced capabilities.

Definitely. Things like the modernization rules that are coming online. And we need to get our systems up to date. And we still have a lot of systems out there, especially in the government, that are running very old versions. You can only do so much with that. And it is not anyone's fault. Again, we are back to our funding issue, right? We just have to be aware of that and actually get the policies in place so we can get systems tested in a way that is fast enough so that we as vendors can then bring technology to you. And everybody wants to be there. We just have to take that phased approach and actually just chip away at it.

I would add, you asked about agencies and programs. Some are doing great jobs, but tomorrow they could be hacked. There is a constant world of change. In 2009 the agency I worked for, OPM, won awards for being innovative as far as cybersecurity. We laugh now because they got hacked. The agency is a few months from being bad. Cybersecurity is changing. Threats are changing. And so don't penalize people when they fail. There is not one silver bullet. It is dynamic and needs a change. You hear cybersecurity is not a sprint.
It has no finish line. It is not like, poof, I'm magically secure. Things will continue to happen. You will continue to have incidents. You have to learn from them, incorporate that, and make sure it doesn't happen in the future. I agree. It will never necessarily end. But anything you can do to reduce your risk, to minimize the points of attack. And I agree, you can't go to college until you go to high school.

Great. With that, please help me in thanking our panelists. [applause] And I want to thank all of you for joining us for today's briefing. Papers are available on our website for download. Our next meeting is our annual gala and benefit at the St. Regis here in D.C., honoring General Scott and Keith Alexander. Thank you to our speakers. See you next time.