Department of Homeland Security National Cybersecurity Summit

Department of Homeland Security National Cybersecurity Summit
    Watch the video

    click to begin

    Youtube

    National Cybersecurity Summit
    National Cybersecurity Summit
    National Cybersecurity Summit
    National Cybersecurity
    SummitNational
    National Cybersecurity
    Summit.
    National Cybersecurity Summit
    National
    Cybersecurity Summit National
    Cybersecurity Summit National Cyber
    Security Alliance national National
    Cybersecurity Summit and National
    Cybersecurity Summit and National
    Cybersecurity Summit and National
    Cybersecurity Summit distinguished
    guests, good morning and welcome to
    the Department of Homeland Security's
    National
    Cybersecurity Summit.
    We thank you
    for joining us today and for being
    part of this important
    discussion.
    Before we begin, please allow us to
    take a few moments to go over some
    important administrative
    details.
    Security for today's event is a joint
    effort of the federal protective
    service, the United States secret
    service and the New York police
    department.
    We ask that you kindly
    follow any instructions given
    by uniformed law enforcement
    officials
    and report any suspicious activity
    to
    a law enforcement official or any of
    our event staff who can be identified
    by their staff badges.
    Please take
    note of the marked exits around the
    auditorium.
    Should we need to
    evacuate the facility, guests
    seated
    in the forward half of the auditorium
    should exit through the doorways to
    the left and right of the main stage
    and proceed through the courtyard to
    the bridge Street emergency exit.
    Guests in the rear half of the auditor
    auditorium and balcony should exit
    to
    the rear of the auditorium into
    the main corridor through which you
    entered and use the curveed stairs on
    either side to reach the emergency
    exits located in the stairwells.
    Restrooms are located across the
    main
    corridor and can be accessed by
    exiting to the rear of the auditorium.
    We also have an overflow room
    available which will be showing what's
    going on, on the main stage, in
    meeting room 1.
    Finally, we ask that
    out of respect for our panellists and
    your neighbours that you please
    silence your mobile phones and any
    other electronic devices at this
    time.
    Again, thank you for joining us
    today.
    We are honoured that you are
    here.
    Please now welcome our master
    of ceremony for the day, the
    Honourable Chris officer Krebs,
    United
    States Department of Homeland
    Security.
    >>Good morning.
    Welcome.
    Thank you, everybody, for
    joining us
    here today at the DHS National
    Cybersecurity Summit.
    I want to thank
    you for your contribution today.
    You
    have all made an investment of some
    kind to be here today, and that is
    critically important as we continue to
    advance national cybersecurity
    initiatives.
    Why is that so
    important?
    Because in no other
    national security arena is industry as
    the private sector on the front lines,
    where you are expected to
    defend
    yourselves.
    What we want to
    communicate today is that government
    is here to help you.
    We are
    inextricably linked.
    Your risk is our
    risk, and we must take action
    collectively and together together.
    That will take a collective defence
    approach approach.
    If I know anything
    about U.S.
    history, it's that when
    America is threatened and we
    mobileize, no one can stand in our
    way.
    That's what today is.
    It's the
    beginning of that mobilization, where
    government and industry will
    partner
    and collaborate to enhance our
    national cybersecurity.
    So over the
    course of the day, you'll hear from a
    number of government officials and
    private sector executives, and
    each
    panel, each keynote keynote, will have
    a concrete deliverable or
    outcome.
    We're not here to talk; we're here to
    act.
    All of these panels, all of
    these commitments, will have one
    single organizeing principle.
    United
    we stand, divided we fall.
    It's going
    to take a collective defence model to
    enhance our national cybersecurity.
    So, with that, I'd like to introduce my
    boss, the sixth secretary of the
    Department
    of Homeland Security, secretary Kirstjen
    Nielsen.
    [APPLAUSE]
    >>Good morning.
    Thanks for that kind introduction and
    giving us a road map of everything we
    accomplished today.
    It's my great
    honour and pleasure to welcome you
    here today.
    It's so wonderful when an
    idea with such passion actually
    comes to fruition.
    So it's very much a
    pleasure of mine to see you all here
    today.
    We have a lot of serious
    threats to discuss today.
    Americans
    are worried about what our digital
    enemies
    might do, whether it's taking down the
    power grid, holding health care
    systems hot standing or the nightmare
    scenario the day the new TV show drops
    on Netflix.
    I often hear about what
    keeps folks up at night.
    I'd like to
    thank the speakers for bringing their
    species and leadership to
    this discussion as well well.
    What you will see before you today is a
    true effort from all of the United States
    government to work with private sector
    and academia to combat these
    threats.
    I'd also like to thank director Alice
    bringing his species, Under Secretary
    Krebs, and those of you in the
    audience and.watching from home to all
    of the men and women from DHS for
    oeverything you do every day to protect
    our country.
    Thank you.
    Whether you represent government,
    industry or academia, we are glad to
    have you on our team.
    I want to thank you for your continued
    collaboration for the time you're giving us
    today, and for your future efforts to
    work with us as we look at these
    threats.
    This afternoon we'll also have the pleasure
    of hearing from vice-president Pence.
    He will lay out how this administration
    is strength strengthening
    cybersecurity across the
    board and why we will be relentless
    against our cyber adversaries.
    This
    event is the first of its kind.
    Together we are coming together
    government leaders, CEOs, academics
    and cyber experts to send a message to
    these online threat actors actors:
    game over.
    Our team is formed, our
    team is ready and we are ready to
    combat you wherever you might manifest
    your threat.
    We're not waiting for
    the next intrusion to act.
    We're
    taking a look at the threat and taking
    action, noteably as Under Secretary
    Krebs mentioned, collective action.
    That's truly the only way we will win
    this struggle.
    Today is a watershed
    moment, a chance to cement
    partnerships in order to protect our
    networks and to repel digital invaders
    together.
    This morning I'm going to
    give you a stark overview of the
    threat landscape.
    I won't sugar-coat
    it.
    DHS and the administration
    are
    fighting back.
    I'd like to announce
    bold new efforts starting today that
    will make the digital a infrastructure
    of our country more resilient.
    So let
    me give you the bottom line up
    front.
    We are facing an urgent evolving
    crisis in cyberspace.
    Our adversaries
    capabilities online are simply
    outpaceing our stovepiped
    defences.
    In fact, I believe that cyber-threats
    collectively collectively now
    exceed
    the danger of physical attacks
    against
    us.
    This is a major sea change for
    high department and for our country's
    security.
    Indeed most Americans go
    about their daily lives without fear
    of personal injury or harm from
    foreign adversaries, but our digital
    lives are now in danger every day.
    These threats can have consequence
    when the bad guys can steal money from
    your bank account, shut down emergency
    services, the impacts go far beyond
    our smartphone screens.
    But don't get
    me wrong.
    Terrorists and criminals
    still pose a terrorist threat to
    our
    lives.
    We take this mission at DHS
    seriously.
    They're plotting against
    America daily.
    But the attacks
    surface in cyberspace is now broader
    and under more frequent assault,
    forceing us to rethink Homeland
    Security.
    DHS was formed 15 years ago
    to prevent another 9/11, but today I
    believe the next attack will more
    likely reach us online.
    The warning
    lights are blinking red this
    cyberspace.
    I agree.
    Intruders are
    in our systems, seeking to
    compromise
    more of them every day and they
    represent a very active threat to
    our
    digital security as a nation.
    Everyone and everything is now
    target.
    Individuals, industries,
    infrastructure, institutions and
    our
    international interests.
    The scope of
    the problem keeps getting wideer.
    The
    cyber-threat landscape is
    different
    today because cyberspace is not
    only a target target.
    Cyber can be used as a
    weapon, an attack vectorror or a means
    through which activity can be
    conducted.
    Today our innovations can
    be stolen and used to diminish our
    prosperity, our infrastructure can
    be
    hijacked and used to hold us standing,
    and our institutions can be
    compromised and used to undermine our
    democratic process.
    Our smartphones
    and computers can be turned into force
    multipliers, your computer can be part
    of a Bot army or commandeered to
    still
    bit counsel to finance a rogue
    regime.
    Last year was the worst ever in terms
    of cyberattack volume.
    The headlines,
    we'll continue to see this year.
    Last year nearly half of all Americans,
    half, had sensitive personal
    information exposed online in 2017.
    But that wasn't even the total for
    2017.
    That resulted from one single
    breach when cybercriminals hacked
    major credit bureau.
    We witnessed North
    Korea's ransomware, which held systems
    standing.
    We saw compromising and you
    be leisuring of malware which
    wreaked
    havoc.
    These incidents, though, are
    only the beginning.
    Rogue regimes and
    hostile groups are probing critical
    systems worldwide every moment as we
    speak.
    Without aggressive action to
    secure our networks, it is only a
    matter of time before we get hit hard
    in the homeland.
    It's not just risks
    to our prosperity, privacy and
    infrastructure we have to worry about.
    Our democracy itself is in the
    crosshairs.
    I'll take a moment to
    touch on this, because I think
    it's very important to do so.
    Two years
    ago, as we all know, a foreign power
    launched a multi-faceted
    influence
    campaign to under undermine public
    faith in our democratic process
    and to
    distort our approximation
    election.
    That campaign was multi-faceted.
    It
    involved cyber espionage, cyber
    cyberintrusions into voter
    registration systems, online
    propaganda and more.
    Let me be clear.
    Our intelligence community has it
    right.
    It was the Russians.
    We know that, they know that.
    It was directed from the highest levels and
    we cannot and will not allow that to happen
    again.
    Although no actual votes were
    changed in 2016, let me be clear in
    this: Any attempt to interfere in our
    elections is a direct attack on our
    democracy.
    It is unacceptable and it
    will not be tolerated.
    Mark my words.
    America will not tolerate this
    medals.
    It's clear we're in a tough fight now.
    The headwinds are against us.
    Let me
    give you a few examples.
    First,
    increased connectivity has led
    to
    increased systemic risk.
    There's no
    getting around it.
    The wideer and
    deeper the web gets, the more
    vulnerable we all become.
    The
    Internet of things, which is really
    now the Internet of everything, has
    compounded that problem by giving
    cyber criminals a direct route on to
    our door steps and into our homes.
    Wherever and whenever you are
    connected to the Internet Internet,
    you
    are unlocking doors and windows you
    might not even be aware of to let the
    bad guys in.
    What's more, our growing
    digital at that dependence means
    that
    vulnerabilities can have cascading
    consequences when they are exploited.
    Whether it's common tools such as GPS
    or payment systems, everything is
    closely intertwined.
    An attack on a
    single tech company can rapidly spiral
    into a crisis affecting the
    financial
    sector, the energy grid, water systems
    or even the health care industry.
    Secondly, our cyber arrivals are
    getting more sophisticated.
    It might
    be similar to a sloppy break-in,
    the window might be broken, furniture
    overturned, missing jewellery would be
    a dead giveaway that somebody had been
    in your house, that you had been hit.
    But they're getting savvier.
    Now when
    you get home that door appears to be
    still locked.
    The house appears
    exactly as you left it.
    But no.
    In
    reality, the intruder has been for
    hours, perhaps days and weeks weeks,
    and will remain in hiding waiting for
    the right moment to strike.
    That's
    what we're up against together.
    So to prevent cyber intrusions today we
    don't just need abalarm system or a
    in additionhood watch or security cameras
    or even armed guards constantly
    roaming the highways.
    We need it all.
    Third, similar to the pre-9/11 days,
    and this is where we'll focus today,
    we still have trouble connecting the
    dots.
    Between all of us, government,
    the private sector and individuals
    here today, we do have the data needed
    to interrupt and prevent
    cyberattacks,
    but we aren't sharing fast enough or
    collaborating deeply enough to make it
    happen.
    This is partly because we're
    operating in a legal and operational
    paradigm designed for a different era.
    Long before brand name breaches could
    threaten to cripple entire
    industries.we still have the walls up,
    still have stovepipes and silos.
    So
    what are we doing about it?
    Today,
    let me say this, we are replacing
    complacency with consequences, to
    deter bad behaviour you have to punish
    it and we can't wait for the big one
    to do just that.
    Our adversaries, we
    can't sit by while they outmanoeuvre
    us.
    We must act now.
    That starts out with calling out the
    offenders, whether North Korea or the
    Russians.
    We are identifying countries that have
    compromised our systems or who
    have
    unleashed destructive malware.
    We are
    im imposing costs, whole-of-government
    costs, diplomat diplomatically,
    legally.through other means.
    The
    United States possesses a wide
    range of response option options
    option
    options some seen and some not.
    Let
    me also again take this opportunity to
    issue a warning as I have in other
    forums and speeches to any foreign
    power that would consider medal
    manying in our networks or affairs
    of
    our democracy.
    The United States will
    no longer tolerate or accept your
    interference.
    You will be exposed and
    you will pay a high price.
    Second, we
    are changing our posture and setting
    course to confront systemic risk head
    on.
    Traditionally, DHS and our
    sector-specific agencyies have
    focused
    primarily on protecting
    individual
    assets, companies, individual systems
    or sectors.
    But now we are looking
    more across government,
    across
    sectors, across government private
    at
    those national critical
    functions.
    What are they?
    These are the
    lifeblood of our economy, of our
    national security, of what allows our
    day-to-day lives.
    We must identify
    single points of failure,
    concentrated
    dependencies and interdependedcies
    that can create those ripple effects
    across sectors.
    To do this we're
    launching a voluntary supply chain
    risk management program under
    secretary Krebs will talk a bit about
    that later.
    We're also partnering
    with companies to hunt down unseen
    security weaknesses and limit our
    attack surface.
    I urge you to join us
    and lend your species in these
    efforts.
    Third, we are reorganizeing
    ourselves for a new fight.
    I'm
    working with Congress to pass
    legislation to establish the
    cybersecurity and infrastructure
    security agency within DHS.
    This
    would recast what is now NPPD or our
    cybersecurity arm into an ambitious
    agency capable of better confronting
    digital threats.
    But we all know that
    waiting for Congress to act is like
    waiting for a new game of thrones book
    to come out.
    In the meantime, we're
    taking other steps, including ones that I
    will announce today to make sure we can keep
    up and stay ahead of
    our online adversaries.
    This also includes dramatically ramping
    up efforts to protect our election
    systems, including through a new
    election task force and deploying a
    vast array of services, and
    partnerships nationwide working
    with
    all 50 states to help our partners
    secure our election infrastructure.
    And finally, we're embracing a
    collective defence posture.
    As I've
    said many times before, in a
    hyperconnected world and as Chris
    mentioned in his introduction, your
    risk is now my risk.
    My risk is your
    risk.
    Each of us is on the front
    lines of the digital battlefield, so
    we must work together to protect
    ourselves.
    Any of us could be the
    weak link that not only allows
    adversaries adversarieses to
    infect
    our systems but allows them to use
    our
    system to spread further into
    others.
    The approach is like a flood.
    It will
    find every crack, gap and seam.
    Even
    if I place sandbags around my house to
    prepare for that flood, if my
    neighbours don't do it too my house
    will soon be under water.
    Collective
    defence calls for all of us to use
    sandbags, if you will.
    To optimally
    configure our systems to employ patch
    management, to share, receive and act
    on threat indicators.
    To that end,
    DHS is improving and expanding or
    information sharing programs,
    including those focused on sharing
    threat indicators.
    And we're
    developing new and novel ways for
    government and industry to
    collaborate
    to identify threats before they hit
    our networks and to respond more
    quickly and effectively to
    incidents,
    and we will discuss this throughout
    the day.
    We've made a lot of
    progress, but it's simply not enough.
    We must move beyond routine
    information sharing and we must be
    better at teaming up with the private
    sector to combat our common enemies in
    cyberspace, to understand their
    goals,
    to understand their actions, to
    understand the operational effects
    and
    implications of their intrusions,
    manipulations and disruptions.
    The
    majority of U.S.
    infrastructure is
    owned and operated by the private
    sector, not the government.
    So we
    must be working together to enable
    those in this room across industries
    to better defend your systems and our
    critical functions.
    For far, far too
    long we have lacked a single focal
    point to bring government agencies
    and
    industry together to assess the
    digital dangers we face and counter
    them, a place where analysts and
    network defenders can address these
    risks together through the full
    myriad
    of mission sets that we look at when
    addressing cyber.
    I'm pleased to
    announce that we are going to change
    that.
    This week the Department of
    Homeland Security is launching the
    national risk management centre.
    This
    is an initiative driven by industry
    needs and focused on fostering a
    crosscutting approach to defend our
    nation's critical infrastructure.
    It
    will employ a more strategic approach
    to risk management, borne out of the
    reemerge reemergence of the
    nation-state threat, our hyper
    hyperconnected environment and
    our
    survival and its need to effectively
    and continually collaborate with
    the
    private sector.
    So what does it
    actually mean in practice?
    The centre
    will bring together government experts
    with willing industry partners so they
    can influence how we support them.
    Our obowl is to simplify the
    process,
    to provide a single point of access to
    the full range of government
    activities to defend against cyber
    threats.
    I occasionally still hear of
    company that call 911 when they
    believe they've been under a
    cyberattack.
    The best thing to do
    will be to call the centre.
    We will
    work with our partners in
    government
    who will be on stage today and others
    to provide you what you need to help
    repel, mitigate, root out the
    adversaries adversary from your
    systems.
    With we will take a piece of
    intelligence and ask ourselves the so
    what to be able to determine what
    we're going to do about it together.
    These days cyber-threat data is
    a bit
    like a puzzle puzzle piece.
    For those
    of you who have started to begin a
    puzzapproximatele with your children,
    the first question is what puzzle does
    that puzzle piece belong to.
    It will
    enable us to take a piece of threat
    data, to determine what puzzle it
    belongs to and then determine how to
    fit into the puzzle so we can see the
    trend, the thread, the purpose perhaps
    of the attack, but certainly the
    implications and effects.
    So this is
    where the species of the private
    sector comes in, to help us
    contextualize the threat both in the
    planning phase as well as through
    mitigation response and recovery.
    The private sector also knows its
    operation operational environment better
    than we will ever know in
    government, so we will look to their
    species to help us to understand how
    the pieces fit together.
    So we welcome industry experts side
    by side
    with ours to break down these silos
    and to engage daily to develop
    actionable solutions to defend our
    critical infrastructure.
    We will
    begin with the trisector model
    focusing on telecommunications
    and the
    energy sector.
    We will push this
    effort forward in 0 day sprints to
    identify key priorities and to
    conduct joint risk assessments and we
    will have a major cross-sector
    exercise this fall.
    We will look to you to
    influence how we can support you best,
    to help us tailor our assessments,
    plans and playbooks that you can then
    action.
    And as I often say from a
    department with myriad
    submissions,
    let's do what we do best and partner
    with you to do the rest.
    But time is
    not on our side, so we're moving
    quickly.
    I ask all of you to consider working
    with us to develop the centre and to
    deepen engagement so we can fortify
    our defences.
    I would also ask that
    everyone here, whether you're from
    federal agency, a fortune 500 company,
    a think tank or university,
    identify
    at least one new actionable
    operational way in which you can
    contribute to our nation's collective
    cyberdefence.
    That is why we are here
    today.
    Think about it now.
    Think about it throughout the day.
    Commit to it this afternoon and follow
    through
    on it when you leave.
    We don't put
    together summits to just keep admiring
    the problem.
    We do it to solve them.
    Our adversarieses are crowd-sourcing
    attacks and today I'm pleased to
    announce everyone here has agreed we
    will crowd source our response.
    We do
    not take your presence here
    light
    lightly.
    We appreciate your time,
    efforts, commitment, leadership, and
    we thank you for being here.
    We hope
    to enlist your continued efforts
    in
    this fight if you're not already in it
    with us.
    Our digital enemies are
    taking advantage of all of us.
    They are exploiting our open society to
    steal, manipulate, intimidate, coerce,
    disrupt and to undermine.
    They're
    using our interconnectedness to
    attack
    us.
    But let's use the fact that we
    are all connected to our advantage.
    As I noted at the beginning we are in
    a crisis mode.
    The hurricane has been
    forecast and now we must prepare.
    That leaves us with a choice.
    Admit
    defeat and assume that our devices and
    networks will always be compromised or
    respond decisively and dramatically
    together in order to restore security
    and resiliencey to the web.
    If we
    prepare individually, we will surely
    fail collectively.
    You're here today
    because you believe in working
    together with clear eyed urgency and
    together I have no doubt we will turn
    the tide.
    So thank you for your
    attendance today.
    Thank you for your
    participation.
    We look forward to
    many conversations to come and we look
    at the end of the day to be able to
    announce some very tangible actions
    that we will agree to throughout the
    day.
    So thank you very much.
    Again, thank you for joining us at this
    summit.
    [APPLAUSE]
    >>Me again.
    The secretary announceed a number
    of
    different initiatives that we will
    kick off with, most importantly in my
    view the national risk management
    centre.
    Our efforts are based on a
    clear identified need, a demand
    signal
    from industry, a request, a set of
    requirements for government
    assistance.
    So who better to hear
    those requirements and that demand
    signal than lead executives from the
    telecommunications telecommunications,
    finance and energy sector.
    It's my
    pleasure to introduce the next panel,
    the CEO, cabinet member panel that
    will kick off right now.
    Today, first I
    have the honour of introducing the
    Honourable Rick Perry, Secretary
    of
    Energy.
    [APPLAUSE] general Paul
    Nakasone, Director of the National
    Security Agency and Commander of U.S.
    Cyber
    Command [APPLAUSE].
    The Honourable
    Christopher Wray, Director of the
    Federal Bureau of Investigation.
    [APPLAUSE] Mr.
    Ajay Banga, President
    and CEO of MasterCard.
    [APPLAUSE] Mr.
    John
    Donovan, CEO of AT&T Communications.
    [APPLAUSE] Mr.
    Mr.
    Tom Fanning, President
    and CEO of Southern Company
    [APPLAUSE].
    Once again, it is my
    honour to introduce the Secretary of
    Homeland Security, the Honourable
    Kirstjen Nielsen [APPLAUSE]
    >>Thank
    you again.
    What we'd like to do now
    is to hear from some of DHS's
    government partners, as well as
    private sector leaders, all of whom
    have been working with us as partners for
    quite some time.
    I'd like to thank you all for your
    leadership and partnership at
    the very top.
    It's greatly
    appreciated.
    Perhaps what we could
    do, secretary Perry, if I could ask
    you all, you don't need introduction,
    but
    introduce yourself and your area.
    >>:
    Let me take a few moments here and
    say, secretary Nielsen, thank you
    and
    to your team at DHS for putting this
    together.
    This is a vital issue.
    It's vitally important.
    It gives us
    an opportunity to express some of our
    shared commitment to this whole issue
    of cybersecurity.
    I'm really pleased
    that the sector, if you will, is so
    well represented at this summit.
    We
    have partners in the oil and gas, the
    oil and national gas council,
    electricity sub-sector
    coordinating
    council.
    Both of those sectors, they have
    ivalid themselves of their
    cyber-based tools and these issues are
    extremely important for us to continue
    to coordi coordinate on.
    With that
    said, let me recognize one person
    who
    is sitting on the stage with us.
    We've been working together the last 18
    months, Tom Fanning.
    He is co-chair
    of the ESCC, which I'll make note it's
    the only CEO coordinating -- or
    should say individual with CEOs that
    are sitting on it.
    I think that's
    really important.
    To me has been
    working on this for a long time, a long
    time before I got to be in my current
    job.
    Tom is someone who has a lot to
    share with all of us in the energy
    sector.
    I just want to say thank you
    for your commitment and expertise.
    As
    most of us know and most of you know,
    DOE is the sector specific agency for
    energy.
    It's the lead federal agency
    for enhanceing the reliability, the
    resilience, the security of
    America's energy infrastructure,
    both
    electricity and oil and gas.
    And
    because the vast majority of this
    infrastructure is privately owned,
    then we have to have partners, or for
    us to be successful, secretary, we
    have to have partners in the private
    sector that understand they can
    trust
    their information flowing back to us,
    they can trust the decisions, they're
    equal partners.
    So this
    public-private partnership
    that's
    being created here, not only is it a
    model, but it has to be that way.
    Our
    most important step at DOE I think in
    the last 12 months has been the
    establishing this office of
    cybersecurity, of energy security and
    emergency response.
    It goes with the
    acronym and under underscores the
    agency's commitment to this mission.
    Initial, the department has
    developed
    an initiative called ACES,
    accelerating cybersecurity in
    the
    energy sector.
    That's just to enhance
    our preparedness in response to
    threats.
    We're leading by example, by
    strengthening protection and
    response
    capabilities for our own power
    marketing administrations that
    fall under
    the DOE's supervision.
    It's in areas
    like the shared situations, and
    situational awareness, I guess,
    and
    we're aiming this year to double the
    number of electric utilities in our
    crisp, the cybersecurity
    information
    sharing program.
    That's precisely --
    it was due to that close collaboration
    that
    we were able to identify a very
    dramatic event last year.
    Chris, your
    agency pointed this out within the
    last week, publicly reported, that
    Russian intrusions into our energy
    system.
    Had we not had this close
    working relationship with our private
    sector partners, it would most likely
    have gone unfounded, to great
    detriment.
    Again, I think it's really
    important.
    We got our national labs
    that are working on these issues as
    well out at Idaho national lab.
    We
    have a test grid where we are
    actually
    able to go out and break things, see
    how they're repaired, infest the
    system, if you will, and respond to
    it.
    So the private public partnership
    here that's been created, I think
    this
    is exactly what the president had in
    mind.
    He's a private sector type and
    he understands government has an
    important role, but not the only oh,
    and that bringing the private sector
    in, in a partnership, and a trusting
    partnership, is very important.
    The
    economy of the world is now driven so
    much by energy.
    It's in our national
    security interest to continue to
    protect these sources of energy and to
    deliver them around the world.
    So that infrastructure,
    taking care of that infrastructure from
    the
    standpoint of protecting it
    from
    cyberattacks I don't think has ever
    been more important than it is today.
    Secretary, thank you again for
    allowing this, and each of you, our
    public and private sector partners
    partners, thank you for being a part
    of this today.
    >>Thank you.
    You gave
    such a preview of the sector.
    I'll
    turn it to Tom.
    We have been working
    together with energy and with DHS for
    quite some time.
    >>Yes.
    >>When we
    talk about this centre and
    breaking down silos and sharing
    information,
    tell us a bit about what you hope to
    get out of it.
    >>Thanks for your
    leadership.
    This is required for the
    national security of America.
    I think
    today is a really important day in
    America.
    I've helped lead the
    electricity sector for cyber and
    physical security for some time, and
    when you think about the leadership we
    have at DOE, governor, not just
    governor, he was the CEO, argueably
    the most important energy state in
    America.
    He gets the importance of
    the infrastructure that we represent.
    And you said something else
    very
    important.
    We break things.
    When we
    go through our exercises and we
    do
    some of the biggest tabletop exercises
    involving 20,000 people at one time
    over a number of days, one of the
    things that we learn very quickly is
    as resilient as we think we may be,
    and we can always be better, the
    points of vulnerability are
    always our
    points of intersection.
    That is,
    especially with respect to the
    other
    lifeline sectors, whether it is
    finance, telecom, others, we really do
    recognize.
    Eighty-seven per cent of
    the critical infrastructure owned
    by
    private industry, we are
    interdependent on each other.
    When we
    think of the leadership you
    provide
    under Homeland Security, this is
    the
    convening arm that can bring together
    these important sectors of America
    to
    help organize, harmonize
    systems,
    technology technologies,
    information
    sharing regimes.
    So we've been
    working for some time now.
    Okay, we
    get our silo, but in helping to
    organize, through your leadership, the
    arms of government, the different
    cabinet-level posts, to really think
    about a unified approach to the
    benefit of our national security,
    and
    this step we're taking today and
    the
    announcements you're making are going
    to make us better.
    Even beyond just our
    other prepare to, respond to during
    that bad day.
    I think what also is
    important, represented by
    General
    Nakasone and others, Director Wray, is
    the idea of holding the bad guys
    accountable.
    It's important that we
    share information and create a
    real-time, comprehensive network
    of
    information sharing so that I don't need
    to know what you do.how you do it,
    but
    I'm glad you're there.
    And so we'll
    work together to make America better
    in this regard, and the kind of steps
    you're taking really will serve that
    purpose.
    So thank you.
    >>: Thank
    you.
    John, maybe we can turn to you.
    I see that you and the general are not
    fans of pillows.
    You're putting a line in
    between you.
    [LAUGHTER]
    >>Thank you
    for putting us on the couch.
    >>: I'd
    like to pick up on something you
    mentioned, which is the
    interdependentcies.
    Currently from
    your perspective, that's a big deal,
    to
    be able to run your sector, we have to
    assume operability from a variety of
    functions.
    How do you see this centre
    being able to add to your ability and
    your capabilities?
    >>First I want to
    echo the thanks and congratulations on
    behalf of industry that Tom just
    mentioned.
    This was an obvious thing to
    do for a decade, but it didn't happen.
    And you can't get to a strategy and an
    implementation if things sit in silos,
    because you lose time and efficiency.
    So I think today is important from a
    lot of dimensions, and the biggest
    dimension is the cooperation and
    building an entity, an initiative,
    that will be a home for how all of
    that stuff occurs.
    Because when you're in a defence posture
    in
    artworks, the grid, financial systems,
    many of the companies represented
    here, critical infrastructure,
    things
    don't conveniently come in the form
    the way the government has
    organized
    its defence systems.
    It doesn't come
    neatly organized the way we set up our
    industries and our companies.
    It
    doesn't come neatly organized
    geographically.
    So the important to
    move at speed across organizations is
    really vital to effective defence.
    think today has been a step forward in
    several dimensions that gets a lot of
    the philosophy and the strategic stuff
    a bit out of the way so we can get
    down to the roll up the sleeves work of
    trying to make our companies, our
    transactions in this nation safer.
    >>General, if I could turn to you.
    So part of the beauty of this
    concept
    is we are now at a place of maturity
    within the USG where we can actually
    work together, the intel community,
    both classified and unclassified
    information.
    You bring to bear a lot
    of capability sets that are additive
    to what we have at DHS to ofulfill part
    of this puzzle.
    What do you see as what could help you
    in your mission coming out of the centre
    with the input from the private sector?
    >>Secretary, first of all, thank you very
    much for inviting me to participate today
    with my esteemed colleagues.
    Today is a discussion and an opportunity to
    talk about partnerships.
    Our national security
    strategy, national defence strategy
    talks about partnerships in terms
    of
    importance to the national security.
    This
    is our asymmetric advantage, the inter
    interagency, intelligence
    community
    partnerships and importantly the
    industry partnerships.
    I have the
    honour of leading the men and women in
    U.S.
    cyber command and one of the
    things we see every day is that
    partnerships is what makes us
    powerful.
    To your question,
    understanding what is happening in
    industry, where roughly 90 per cent
    of
    our critical infrastructure lies,
    it's
    really important for us to understand
    what we'll do to enable our partners
    and if necessary to act in defence of
    the nation.
    >>: Thank you.
    Before I
    turn to Director Wray, maybe you
    could tease more on the dependency issue
    from your perspective.
    Obviously,
    your sector provides the lifeblood to
    make all of the other ones function.
    What else do you see that we could
    work together on through this new
    model
    to be able to help you protect your
    systems?
    >>I will go back to my
    colleagues who called us the
    lifeblood.
    Look, I just believe that the
    Internet and the Internet of things
    is
    an unbelievable technology of
    capability and capacity for people
    and governments and businesses for the
    next 25, 30 years.
    The problem is it
    was never designed for security.
    It
    was designed for transparency and
    openness.
    The other guys have figured
    that out.
    If you're going to keep
    connecting ourselves together in every
    possible way, then what you've done by
    bringing us all together is you're
    creating the impetus of the asymmettic
    advantage that the NSA talked about as
    being the idea that gives us an
    advantage over the others, if we can
    do this the right way.
    Now, we've
    been doing what I call cyber defence
    exercises in the financial services
    sector for a little while now.
    We've taken the lead and also participated
    in a number of them.
    I believe you
    get two things done by that.
    One is
    you get to talk to people like his
    agents and others in the better days,
    when you're able to build
    relationships but also the ability to
    know whom to call for what, when.
    So
    there's a person, a name and a trust
    that gets established.
    But there's
    also a management protocol of how to
    respond and what to do and what kind
    of defensive tools you could use or
    could not use in that process.
    That
    works.
    But I think this idea of doing
    is across sectors is really important
    because, first of all, when somebody
    gets attacked they're not aiming
    necessarily always at a specific
    company.
    These are driven by machines
    who look for the weakest links.
    If
    that weakest links happens today to be
    some telecom small vendor who connects
    into somebody else who then impacts
    me, I'm going to get hurt.
    To me the
    interdependency, it's obvious that we
    need to work together.
    They're
    looking for the weakest link, the
    entry point into the strongest
    possible company, and we're up against
    strong players.
    To me, the
    interdependency comes from there.
    The
    idea of doing something through
    your
    centre where you could do joint
    cyberdefence exercises
    between
    communications, energy and
    financial
    services, which I'm happy to take the
    lead on, work with them, let them take
    the lead, just get it done in one physical
    space so we know what to do the next
    time somebody else comes after us.
    >>Well said.
    We are look for
    tangible actionable ways forward.
    used to have a coach who said practice
    does not make perfect but it makes
    automatic.
    I think in cyber we don't
    have time to figure it out while it's
    happening.
    It has to be automatic, at
    machine speed.
    Director Wray, we
    partner so well together.
    We look to
    you for capabilities, expertise,
    particularly on the investigative
    side.
    What could we work with
    industry on in terms of perhaps pattern
    spotting or different motives that
    would help you help us bring people to
    justice?
    >>I think events like this,
    efforts like this, are particularly
    important because, as our enemies have
    become more coordinated
    and
    sophisticated, we have to as well.
    The FBI, unlike, say, secretary
    Perry,
    who has a very specific sector
    that
    he's focused on, we're coming at it
    more
    from across sectors, but focused on
    the threat.
    We're somewhat unique as
    we're both a law enforcement agency
    and an intelligence agency, so we have
    investigations of both sorts.
    What we
    see is the range of actors has
    changed, the attack surface has
    changed, the range of techniques has
    changed, and increasingly we're
    seeing
    what we're calling blended, hybrid
    threats, whereas the nation-states
    that we might have previously seen
    only through the corner intelligence
    mission that we have and the criminal
    hackers we might have seen only
    through the law enforcement we
    have,
    they're now working together.
    So you
    see that with Iran, with Russia, with
    China, with North Korea.
    All in their
    own different ways.
    So for us to have
    an ability to be more agile as a
    country, we have to figure out ways to
    work better together.
    We have at the
    bureau a huge field presence.
    We have
    in all 56 field offices cyber task
    forces that have 180 different
    agencies, federal, state, local.
    And
    we have a cyber action team that's
    lot like our counterterrorism
    fly
    teams.
    It's an elite force that can
    deploy.
    We have investigateors
    deployed in all of our overseas
    offices.
    We can go on and on, but the
    point is at the end of the day we're
    threat focused.
    We're pursuing,
    identifying, attributing the
    threat.
    But to disrupt the threat, we will
    have to figure out ways to be more
    creative as a public-private
    community.
    There are all kinds of
    things that the private sector can
    do
    far more effectively than we could.
    So my concept of partnership is how
    do
    we take our artworks that is the U.S.
    government's two or just the FBI or
    DHS or DOE or NSA to put it together
    with the private sectors to have an
    equal more than four?
    Otherwise we're
    just spinning our wheels.
    The idea is
    to combine strength with strength.
    think that's why events like this
    are steps in the right direction.
    >>I
    want to talk a little bit about
    information sharing.
    This used to be
    in some circles seen as the end all be
    all.
    Of course it depends on what
    we're sharing, when and how we share
    it, in terms of whether it's
    actionable, and specific enough to
    do something about it.
    When we look at
    this, what other types of
    information
    are helpful.
    to hear from our private
    sectors to begin to place that in the
    context of your industries?
    Is it
    threat indicators?
    Is it mitigation
    measures?
    Is it all of the above?
    Is
    it motives of nation-states that
    the
    FBI and the intel community help us
    with?
    >>For the next two to three
    hours I'll answer that question.
    always use this meto for metaphor of
    trout fishing.
    The secretary
    mentioned this thing called CRISP.
    We
    don't talk a lot about this
    publicly,
    but right now we reach the serveer
    traffic representing 80 per cent of
    the electricity consumers in the
    United
    States.
    We analyze that information
    looking for for anomalies.
    Imagine
    you're fishing for trout.
    We know
    this part of the river is okay.
    It's the
    white listed people.
    We let them go.
    We know this part of the river are the
    bad guys and we know what to do about
    them.
    It's the part that's grey.
    It's the part that we don't know.
    We're looking for the anomalies in the
    river.
    Hope Hopefully there are fish
    there.
    Even now we have the
    capability not to search for fish --
    think black energy energy -- but
    rather even fish DNA.
    We are very interested in
    gathering that
    information.
    Now what we can do, if I
    can change metaphors on you is not
    fish for trout in a river but, rather, put
    that information, the interesting
    information, into a bathtub.
    So the
    faucet from electricity is one
    kind of
    bathtub.
    Perhaps telecom and perhaps
    finance.
    And perhaps the three-letter
    agencies that have the real deep
    capability of intel.
    What we can do
    now as an aspiration is to share this
    completely transparently real
    time so
    we have the most effective
    information sharing networks possible.
    We know
    what to do, having owned 87 per cent
    of the critical infrastructure on
    that bad day.
    I should say we kind of talk
    about this.
    We're really not focused
    on punks, thugs and criminals.
    We are focused on preventing that bad
    day in
    America that may be the existential
    threat that is a different set of
    priorities and capabilities.
    It
    requires us to work together.
    When we
    respond, we'll have to work to make
    sure that we get boots on the
    ground.
    One last point here on this
    information sharing.
    Homeland
    Security set up a while back this
    notion of fusion centres.
    These are
    the entity, there are about 80
    something of them in the United
    States, one per state plus some extra
    ones, where we actually do sort
    of
    crime prevention, crime analysis, but
    also intel, also working with the
    governors association, we need
    to
    think about on that bad day how we get
    boots on the ground that will respond
    to the tactics of recovery.
    These are really important issues and
    these are
    things that we're making huge advances
    on.
    >>I think my staff will be glad
    there's someone who mixes metaphors more
    than I do.
    But I think it's important
    because in talking to the general
    public and helping them understand
    that they also have a role to play,
    it's important to frame it in a way
    that they can understand.
    >>One other
    thing that's really important here,
    and it's so valuable what you're doing
    today.
    So many times in America, as I
    find, and I talk to folks, people are
    losing confidence in institutions of
    government, people who run them, and
    they're getting cynical.
    We can teach
    Americans, and the administration and
    Congress
    is working with private industry
    to
    make America better.
    It is a way in
    to lean in.
    I think people are
    thirsting for those stories.
    By its
    nature, what we're doing up here is
    typically not talked about in the
    public.
    The public loves to hear
    about it and you get so much garbage
    out there in the media and other
    places.
    What's happening here is
    real, and it will likely not be said
    -- stupid thing -- [LAUGHTER].
    It's
    likely not said all the time time.
    This
    is clear evidence of the effectiveness
    of government and private industry
    really to make us safer safer.
    >>: Let me turn, if I could, to the
    concept of resilience.
    We talk a lot
    about this from a DHS perspective, we
    are changing our posture to focus
    more
    on this.
    As we all know, it's not a
    question of if or when.
    We're really,
    unfortunately, in a situation where
    it's how often and how long can we
    with stand constant attack.
    As we sit
    here today, all of our entities are
    attempting to be hacked and/or
    disrupted by a foreign
    adversaries
    adversary.
    Within that rubric, how do
    we innovate while continuing to
    operate?
    How do we build redundancy
    into the system?
    How do we make sure
    that we've identified those Crown
    jewels in terms of critical central
    functions, that we all understand the
    vulnerabilities there and that we can
    work together from a resilience
    perspective to get back to where we
    started, and perhaps not a bounce back
    but a bounce forward approach?
    John,
    may be you can start.
    >>By the way,
    your microphone is on a timeer
    [LAUGHTER]
    >>I saw the person in the
    back pull the timeer.
    That's a really
    tricky question, because it goes
    back
    to sharing.
    There are certain things
    that are relationship driven.
    So you
    need cycle time, learning the people
    on the other end, what they know.
    Collect Collective experience is
    always better than individual
    experience.
    Similarly, once you do
    that, then the data starts to flow.
    Our ability to defend needs to
    scale.
    In order for it to scale, with the
    scarcity
    of humans, the humans need to do the
    things they're best at and the
    machines need to do the things they're
    best at.
    If we're going to take full
    advantage of what the machines can do,
    more data is better.
    So now all of a
    sudden us doing things together
    makes us all stronger, because each of us
    has one piece of the puzzle.
    It may
    be the same thing we see over and over
    again in our industry.
    So Tom's
    stream may look and feel the same
    every day.
    Mine may look and feel the
    same every day.
    But we can give each other fishing tips
    effectively, because in fact neither of
    those streams are the same on any given day.
    So I just think that the resilience is
    going to be a function of our
    ability
    to understand and share experiences,
    because I always tell people that
    telecommunications is transformation
    of power.
    We signal process, the
    energy that we get from the electric
    grid.
    So their foundation is our
    foundation, which becomes the
    communication foundation,
    which
    energizes the process.
    It needs take
    full advantage of every step, every
    stage and all of the data that we can
    begin to share.
    >>I think that
    process of resiliencey begins
    with a
    dialogue.
    What we've found in terms
    of enabling both our partners at the
    Department of Homeland Security and the
    Federal Bureau of Investigation is
    understanding what they're looking
    for.
    We have tremendous foreign
    intelligence reporting.
    We have great
    work being done on cybersecurity.
    But understanding what really is the
    threshold for industry, whether or
    not
    it's in a specific critical
    infrastructure sector or it's more
    broadly, it's important for
    us,
    because then we can tailor the
    information which helps our industry
    partners better.
    >>Director Wray?
    >>Picking up on Paul's point and
    taking it one further, the reality
    is
    that in most companies you all
    will
    have unique insight into what
    information you think people are most
    likely to want to go after, and what
    it is that keeps you awake in the
    night.
    Our perspective is trying to
    understand the threat, trying to
    put together the nuggets or pieces in
    the
    puzzle, as John said, with ours is
    critical.
    It has to happen through
    muscle memory day in and day out, out
    on the front lines.
    Every FBI field
    office now has a private sector
    coordinator.
    That's a symptom and a
    reflection of the interdependency that
    we
    have.
    I can go to any head of any
    field office and ask him or her: Tell
    me about the private sector partners
    in your area.
    Who are they?
    Who is your point of contact?
    What are their big threat issues?
    How often are you talking to them?
    Et cetera.
    If I had tried to do that last time I was
    in law enforcement, there would have been
    crick areets chirping and the sir I'm
    going to have to get back to you
    response.
    Now they can do it fast.
    That's a reflection of how much we
    need each other to be reflective.
    >>That's a good point that Chris
    makes relative to the trusting nature
    of what you're creating here and
    where
    we can talk to each other.
    Ajay you
    brought this up in an earlier
    gathering.
    When I'm going to share
    this information with you, looking
    over at your shop, this is information
    that's used in the proper manner and
    that your folks in the private sector
    do in fact have that comfort level
    that we can share this information
    with
    them and it's going to be used for the
    proper use.
    Let me change gears for a
    second.
    From the standpoint of one of
    the -- five of the ten fasci fasciest
    supercomputers in the world belong to
    the Department of Energy.
    It's goes
    into Exo scale.
    Paul, your ability to
    take this data, your own machines that
    you use and these massive amounts of
    data that literally a year ago we did
    not have the computing capacity
    to
    answer some of the questions that --
    because of this amount of data that
    we
    have today.
    And as we go to quantum
    computing, as we travel down this
    road
    to be the first to get to that ability
    to quantum compute, it is incredibly
    important for this country, both from
    a private sector partnership, from
    those of us in government, to
    our
    friends in Congress, to really
    understand the importance of
    supporting, in the many ways that they
    can, and certainly up to and including
    the appropriation, to make sure that
    these agencies of government and our
    private sector partners have
    clear
    messageing that our ability to
    supercompute is tantamount to
    whether
    or not what we're doing here is going
    to be successful or not.
    If we lose
    that race, then the potential to
    losing it all is very real.
    So our
    ability to compete in the
    supercomputing world is I think
    tantamount to victory when it comes to
    this.
    >>In fact, one of the early work
    products of this joint effort
    between finance, telecom and
    electricity has
    been two things.
    One is a joint
    threat matrix.
    That is, we analyze
    the threat surface by kind of
    consequence times likelyihood.
    We're
    able to array scarce resources,
    whether it's attention span,
    dollars,
    whatever.
    The other thing as a
    product of that is what we call our
    wish list, that is, how can we work
    more effectively to stave off these
    existential threats as lifeline
    sectors, with the administration and
    with Congress?
    So as we progress,
    we'll get better at really advanceing
    the cause in a significant way.
    >>:
    If I could -- one point the secretary
    was going towards towards, I think
    that's important.
    I'll repeat this
    line.
    I'm sitting next to the FBI
    director, but when you get arrested
    you have a right to remain silent
    whatever you say shall be used
    against
    us.
    If you want us to share
    information that could lead to an
    asymmettic advantage, then we have to find
    a way for that to convert to see
    something, say something.
    We need to
    move the way our people are thinking
    and the way regulators thinks,
    the way
    harmonization of regulation needs to
    happen oto the point we feel
    incentive.
    The supercomputers are
    only as good as the information they
    receive.
    Making sure we get the right
    information into that machine is as
    important as what we do within it how
    we behave together after that.
    That's one point.
    The second point is that I
    would emphasize the care that needs to
    be taken on the weak weakest link in the
    chain.
    I continue to believe that
    cyber attacks do not happen only
    because somebody specific is being
    targeted.
    They happen because the
    machine systems that troll looking for
    where the weak link is.
    If that weak
    link is a smaller business, that that,
    in turn, connects into oone of our
    bigger supply chains, no matter how
    much work we do we will not have
    created the right defences for
    industry or our country.
    The third
    part is my favourite.
    I will repeat
    it here.
    If you can get us some
    momentum on a group of like-minded
    countries willing to stand up and say
    these are the rules of the road of the
    Internet, these are global cyber
    norms, and this behaviour is bad
    behaviors you will be put in the dock
    when we see it, as compared to all this
    is okay.
    We need that.
    Because what we
    have today is the Wild West in the
    Internet.
    The technology has grown
    and blossomed by the allowance that has
    been given to do so.
    But at some
    point in time, that Labrador puppy has
    grown up and its tail and head are
    breaking everything in the room
    [LAUGHTER] we need to take to a dog
    trainer and get it trained.
    That's my
    analogies.
    >>Weaponization is one of
    the biggest issues we will have in
    responding to a threat.
    The bad guys
    will use the Internet to create chaos
    and misdirect our response.
    >>My
    personal experience over the last few
    years of working with government
    agencies, the secretary service,
    the
    FBI, NSA, is the people who work
    there
    deeply care about this.
    When you reach
    out to them they will respond.
    If you
    get to know them in advance they are
    your best friends.
    Getting to know
    them at the time of the bad day is a
    stupid idea.
    We need to get to this
    program of getting proactive and not
    react reactive.
    The only way that will happen if you
    allow this idea of see something, say
    something, to take root inside people
    without the fear of being sued or pursued
    with some form
    of regulatory arbitrage that you
    don't
    deserve, to say I'm seeing this river
    flowing this way.
    You think it's the
    same river.
    It isn't.
    It has this
    stuff hidden in it.
    >>On the see something, say
    something approach, that
    is one area we'd like to work with you
    all in the centre.
    What I mean by that is we need to
    identify what is suspicious, what is
    out of the ordinary.
    There's still a lot of
    confusion between an attack, a malicious
    effect, and just operability.
    Sometimes your computer just
    doesn't
    work, right?
    It's nothing to do with
    a nation-state.
    Sometimes, however,
    if it starts blinking, slowing
    down --
    we've all had the experience where it
    gets ridiculously hot all of a sudden.
    These are things that might indicate
    there is something wrong wrong.
    So working together and understanding
    within industry what is uniquely
    suspicious within that industry is
    then very helpful to guide the private
    sector to then report to us.
    >>It is.
    I do believe that we're discussing
    this from the perspective of
    businesses and
    government.
    That's the audience here.
    But what we're actually catering to
    is
    the average consumer and that pain
    they feel.
    I feel cybersecurity has
    become a technical top topic beyond
    the capacity of most people to
    comprehend, if you look at the stuff
    that's written when you buy a device.
    If we can create the equivalent of a
    nutrition label or a restaurant
    rateing ABC for devices so that
    everybody can look at it and say: That
    one looks like a better one to buy
    than this one.
    You attach a mental
    value to how much you pay for it.
    That logic will create a level
    playing
    field for American consumers that goes
    beyond the knowledge.
    Those are
    things we can do that since you're
    taking the lead and you have a group
    of principles of the United States
    administration who care about this
    topic, then over the next few years if you
    can prioritize things but knock the
    ball hard on these three or four, we
    can make progress and our
    adversarieses will sit up and realize
    you can go after the other one and
    leave us alone.
    >>You gave us good
    lists.
    The weakest link is I believe
    something each one of us has talked
    about in one context or another.
    The
    bottom line is if an adversary is
    trying to attacking you, he might do
    so through secretary Perry's computer.
    >>That one is easy [LAUGHTER] >>It's
    not necessarily about the target,
    right, because it's a means to an end.
    We definitely see that when it comes
    to nation-states.
    I wanted to quickly
    turn to one of the 90 had-day sprints
    that we're looking at, which is to
    couple up with registries.
    We need to
    focus.
    We had in our previous meeting
    someone make this point we will.
    We
    can't be everything to everyone, so we
    need to focus on those threats, that
    if mitigated or addressed will give
    us
    the biggest bang for the buck.
    It would
    be cross-sectorial.
    It's the crown
    jewels of what makes the nation run.
    If we look at those functions, identify
    those functions first, then they
    will
    help enable everything else.
    The FBI can't function if we don't
    have
    electricity, right?
    You can't
    function.
    To use electricity, most of
    us can't function without electricity.
    We
    have a big load on your shoulders.
    But I think thinking about those
    functions and in terms of a registry
    that we all are attacking against
    would
    be helpful.
    I'd be interested in your
    thoughts as we look towards that 90-day
    sprints sprints.
    Secretary Perry, any
    thoughts on that.
    >>It's really
    fascinating from the standpoint of
    historically these agencies were
    really siloed.
    One of the things that
    is very heartening that I've seen over
    the last 18 months being at the
    department is obviously with the
    SEC
    and the work that we did with the
    hurricanes and the private sector and
    the
    sharing with our national labs and
    the
    interaction with probably everyone
    sitting at this table in some form or
    fashion at our national labs,
    whether it's with the private sector on the
    finance side or whether it's
    obviously, Tom, over in the electrical
    generation side and what we do at INL
    with the test grid out there, to the
    communication side, John, the
    coordination between the private
    sector and government -- I've spent
    the bulk of my life in government in
    some oform or fashion, and I
    have
    never seen the federal government,
    who
    I've spent my fair share of time back
    as the governor of Texas criticizing
    them from time to time [LAUGHTER].
    But I've never seen the federal government
    with the intention and with the response
    of working with the private sector in
    a responsible way -- and when I talk
    about responsible way, in a trusting
    way.
    Ajay, I think that's exactly
    what we get to here.
    The private
    sector hadn't necessarily trusted
    the
    government historically.
    I think,
    Secretary Nielsen, if you're as
    successful as I think what all of us
    want us to be with this, then this is
    a great opportunity for this country
    to defend ourselves against those
    nefarious acts that are out there, but
    also to have an offensive way of
    sending the message that we can send as
    well.
    So I'm really heartened that
    we
    see the private sector coming to
    the
    table here and a clear sense of
    responsibility that you have, but also
    you have a partner that you can trust.
    That will go a long way towards
    getting the solutions that I think all
    of us desire.
    >>: To pile on that, I
    think we should always remember that
    not
    all risks are createddial.
    As we look
    at the power of bringing the
    partnerships to the forefront, our a
    asymmettic advantage and prioritizing
    what we want to go after with our most
    critical resources, how do we assist
    industry, how does industry assist us
    in identifying it?
    This is where we
    have real payoff.
    Our adversaries
    have their focus on what we want to
    get to.
    What we want to get to are
    the risks that we need to take on
    immediately.
    >>I agree.
    >>: The one
    thing, the risk idea is that these
    cross-defence exercises may
    actually
    compose risk ideas that we do not
    currently have in our spectrum.
    If
    you're going to make the sprint happen,
    you have to get a few of these
    cross-sector cyber defence exercises
    going so we can identify what
    those links are that we're missing and
    bring
    them to that registry so we start
    paying attention.
    >>A good example of
    that: If the system goes down, back in
    the fifties, we ran the system
    manually.
    We can disconnect interest
    the digital grid, but I can't do it if
    I can't talk to my folks in the field.
    That's our weak link.
    We have to make
    sure this harmonizes during the worst
    of indictments.
    Reliability is how we
    operate during normal times.
    That's
    what we have to drill.
    >>: He has a
    bunch of pigeons hired for that
    purpose [LAUGHTER]
    >>The risk
    registry is a great idea.
    I just want
    to make are sure that if you think
    about this as a process and you're
    going to do a 90-day effort -- I don't
    want to use the name of a competitor
    to name a process.
    [LAUGHTER] so a
    90-day something may not be exactly
    the right -- risk registry may not be
    the first place.
    But much like you
    steal that phrase from the technology
    companies who do 90-day intervals of
    everything that they do.
    Let's make
    sure we don't get disheartened and
    make it 180 days and then 360 days and
    then before we get to item 2.
    If we
    can get a tempo of moving quickly, if
    we're going to fail, then fail quickly
    and move on to another priority.
    We
    have to make this progress.
    The ultimate
    strength of it, the leverage that will
    occur, won't be based on necessarily
    getting the first item right.
    It's getting the process process,
    the
    relationships, the data to flow, and
    understanding of what each other are
    doing here.
    I think that's where our
    strength will be.
    I think the general
    said it effectively that once we get
    in there and we start to establish
    these things, that cooperation will be
    the greatest strength that we have
    here.
    >>Absolutely.
    The concept too
    has to be fluid, adaptable,
    scaleable.
    What is most important today with
    the
    way the technology advances might not
    be what is most important a month
    from now.
    So it has to be a living
    process.
    I think you're exactly right.
    The process and the way in
    which we quickly identify process,
    assess, prioritize, respond to, react,
    is what will be the goal here, what
    will help us move the ball forward.
    Director Wray, closing are
    words?
    >>The one point alludeed to by
    ajay was the importance of setting
    an example for our foreign partners as
    well.
    I know Paul and I have had
    conversations with some of our
    counterparts together about -- at
    least with our closest allies --
    about
    the importance of the public-private
    partnership.
    Since they look at a lot
    of these problems the same way we do
    do.
    Your point about a common
    statement, it's not just the public
    messageing.
    If we can set an example,
    which is I think what people expect America
    to do, to set an example for how we
    can deal with this kind of threat in a
    public-private way, I think we will
    build on that asymmetric
    advantage
    that Paul was talking about at a whole
    other level.
    >>I agree.
    Secretary
    Perry, closing thoughts?
    >>I just
    want to take a last moment to say
    thanks to everybody on the stage for
    participating in this.
    The one thing
    that came to mind while you were
    making your points is that as we look
    at our foreign partners and
    Internet
    with them, that we don't forget about
    the local partners that we have as
    well.
    They're probably as important
    or more important than anyone in this
    on that bad day that occurs.
    One of
    the things I found as a governor is
    that your county judges and the
    mayors
    and the people, the law enforcement, et
    cetera, that are really going to be
    right there when you talked about
    getting back to the small mom-and-pop
    businesses, and I say this with all
    great respect, the mom-and-pop, if you
    will, from government are those right
    there where the rubber meets the
    road.
    It's the local law enforcement.
    It's
    the local government entities at the
    state and county levels, making sure
    that they're every bit as bought into
    this as those of us on the stage, and
    that we need them, that our success is
    going to be very much part of them
    being clearly engaged in this and know
    that they're an important
    foundation,
    if not the foundational part of
    what
    we're going to be doing.
    >>Thank you.
    General Nakasone, before we close?
    >>Thank you, secretary.
    Whether or
    not it's U.S.
    cybercommand, our
    partners, I'd like to close by saying
    we're ready, highly trained, fully
    committed.
    I feel this in the
    partnerships we've developed here-I
    see this as the way forward for our
    nation.
    >>On that note, we'll ask you
    throughout the day day -- hopefully we
    have in the last little bit of time
    time, made the case with respect to
    the threat we face together and the
    need to counteract it together.
    As I said, we will do this a couple of
    times during the day.
    As of now, can
    I see with a show of hands who will
    partner with us in this and to commit
    to something very tangible to move
    forward in either these sprints or
    another way?
    As the day goes on,
    we'll get more hands.
    Thank you to
    all distinguished panellists.
    I very
    much appreciate it.
    We'll pause for a
    minute while we de demic.
    [APPLAUSE]
    (Pause).
    >>Folks, if you can grab
    your seats, we're ready to start the
    next panel.
    Thank you.
    I'll give everybody
    a chance to stretch their legs after
    being seated for a bit.
    What we've
    heard is a number of different
    perspectives from industry leadership,
    government leadership,
    particularly of
    hard infrastructure.
    The next panel
    we're going to explore some of
    the
    challenges associated with information
    and communications technology, supply
    chain challenges, risk management
    challenges.
    At least from where I sit
    in DC, it is truly one of the emerging
    issues, particularly when you think
    about third-party risk.
    I'm going to
    bring a couple of panel I said out
    here and we'll spend the next 30 or so
    minutes having a back and forth.
    To start, I'd like to introduce Mr.
    John
    Donovan, CEO of AT&T Communications.
    [APPLAUSE] next, Mr.
    Mark McLaughlin,
    former chairman and CEO of Palo Alto
    Networks.
    [APPLAUSE] and I'm going to
    veer off script a little bit.
    We have
    a special guest joining us today.
    Last-minute addition, in fact,
    Mr.
    Rob
    Joyce senior adviser, former white
    house cybersecurity coordi
    coordinator.
    [APPLAUSE].
    I think
    everybody will agree with me that this
    is a quite impressive line-up.
    We've
    already heard a bit from Mr.
    Donovan, but we will now have an
    opportunity to
    hear from others in industry.
    When we
    think about what's ahead of us, the
    boom in IOT devices, the future of 5 G
    in it front of you, at the same time
    we've seen an explosion across
    the
    threat actor space in terms of
    compromising supply chain.
    What I
    want to do is start with you, Rob.
    If you could talk a bit about the global
    threat or the concerns you have
    with
    supply chain compromise and
    third-party risk.
    >>Thanks, Chris.
    I appreciate DHS host the forum and
    bringing this expertise together.
    I'm impressed not only by the talent
    we get on stage but the folks you've
    brought together for the sidebar
    conversations.
    In supply chain risk,
    there's a number of different avenues
    we worry about.
    Certainly top of the
    headlines these days are the supply
    chain risks from China.
    We worry
    about the manufacturers, the
    supply
    chain aspects where the government has
    a role and a close, tight connection
    with those suppliers.
    In some
    countries, like Russia, we see
    them
    even having laws that say these
    certain providers have to participate
    with government monitoring, and it
    doesn't just apply to the people
    inside their country.
    So there's an
    aspect of that.
    And it's not just
    what's in the hardware itself;
    it's
    the way the hardware is maintained,
    controlled and maintained.
    So if you
    get a manufacturer who produces
    something and they have maintenance
    access or they have the ability to
    insert themselves into that supply
    chain and maintain it, that poses a
    risk.
    We've also seen a significant
    change, a significant new emphasis the
    last couple of years where people have
    recognized the value of compromising
    software in the supply chain
    without
    the aid of the manufacturers or
    the
    authors.
    A great example is the
    intrusion where people realized a
    specific website had to support a
    number of Ukrainian businesses but
    also, unfortunately, a number of
    international businesses.
    They
    compromised that site as a hot point
    to get to other places and infected
    number of visitors to that, that had
    continued to cascade.
    We've seen
    others like the sea cleaner, if folks
    remember that, a mobile application
    where tens of thousands of users
    were compromised and in the end the
    analysis looks like they were going
    after three very specific targets,
    but
    they were willing to cede the wheel
    ecosystem and compromise that
    software.
    We have to think about that
    holisticically, everything from
    the
    manufacturers and whether they have
    relationships with countries that are
    unfriendly, all the April to what
    threat actors and nation states can do
    to those independent software chains.
    >>You mentioned a couple of things
    between not pet you, secretary wanna
    cry earlier, as well as the bind
    binding directive the DHS issued on
    the anti-visor.
    These are
    whack-a-mole approaches but
    global
    problems.
    John, I think you're a bit
    on the leading edge of this right now
    when we think about what's ahead of us
    in terms of 5G with a lot of the
    hardware, the protocol.
    That's the provenance of the hardware, and
    how do
    we need to mobileize to ensure a
    little bit more transparency,
    clarity,
    whatever it is, across the supply
    chain?
    >>I think that before you talk
    about specific types or origins of
    threats, most large organizations have
    done a very good job over the last
    couple of decades in understanding the
    supply chain of atoms, because you
    get
    burned like you have a shortage of
    tran trancystors and you look and say:
    Whether didn't realize they were
    all
    from a certain region and a flood took
    us out.
    So we've had to go back and
    look at the chain of custody and the
    traceability of not only systems but
    subsystems and then components.
    So at
    our scale, we reached all the way
    through to the component level.
    Now
    fast-forward to today, where more
    things are bits than atoms.
    Certainly
    the value, and these things get
    assembled and they know no geographic
    boundary.
    So now, when you start to
    decompose software into its sources,
    its origins, and it's not just
    security; it's all dimensions of the
    assembly of that, the more places it's
    assembled, the greater the risks,
    and
    how do you debug it?
    The new world is
    not a new world for us.
    The new world
    is moving from atoms to bits, this
    software construction is very complex
    to look at its origin.
    So for us it's sort
    of the next natural thing that we're going
    to do to understand our supply chain
    and what geographic if not
    geopolitical risks are involved in how
    our products get assembled so that
    we
    know that we have a reliable supply
    chain, an affordable supply chain and
    a secure supply chain.
    Those are all things we need to do with
    every subsystem subsystem, every
    component that we put into our network
    network.
    >>So I think the last three points,
    reliable, affordable, secure, are
    three clear organizeing
    principles
    going forward.
    When we think about
    how government and industry work
    together, Mark, you and I have had a
    number of conversations
    conversations
    about what's the opportunity in
    front
    of us?
    I might pivot that to Rob in a
    minute to talk about some of the things
    the Department of Defense has done in
    lestons learned through trusted
    foundry.
    But in your view what does
    government need to do to support
    efforts to achieve that reliability,
    affordability, security?
    >>There are
    a lot of things that need to be
    discussed, but if we back up and tie
    together something you said and John
    alludeed
    to, before we get to the tactics, the
    strategy.
    In thinking of supply
    chain, there might be two angles to
    sit on this.
    I lost my mic.
    >>You
    got Fanning's.
    >>Is it out of time?
    [LAUGHTER]
    >>We'll hear about that
    one for a long time.
    >>Back by
    popular demand.
    On the strategic
    side, first of all, the issues around
    supply chain of what would people want
    to do, so disruptions.
    We like
    stability, the adversary likes
    disruption.
    They can use the supply
    chain to disrupt many things.
    It could
    be businesses, all sorts of things.
    The second thing which may be
    underlooked
    a little bit is making sure that
    from
    a supply chain perspective we
    have something they care about in the
    first
    place.
    Why do they want our
    intellectual property?
    That's where
    the national security and intellectual
    security
    of the country are tightly woven
    together.
    We have things that people
    want to get, ideas and intellectual
    property.
    What could we do?
    I think
    we should be focused on the labour
    force, for example, the education of
    the labour force.
    Are we producing AI
    scientists, quantum computing
    scientists?
    Let's make sure we have we
    have this.
    The second thing on the
    labour angle would be thinking in
    terms of decades, not in terms of
    quarters and years years, because the
    adversary is thinking that way.
    If we think but our supply chain today,
    decisions have been made 20, 30, 40
    years ago by a lot of companies in the
    United States to offshore
    manufacturing and capability sets for
    cost reasons.
    We never thought about
    national security, we just offshore
    them for cost reasons.
    Can we use new
    technologyies, whether it's
    robotics
    or 3D printing, areas where we can
    incent industry to dissolve some of
    those labour costs arbitrage
    advantages that we can start to do
    things back onshore or at least with
    friendly nations.
    On the tactical
    side, what are these countries doing?
    Particularly if they have a large end
    market, they're saying if you want
    to sell into my market, you're going
    to
    put your R & D over here, maybe I will
    look at your source code.
    Now they're
    talking about standards, like
    having
    their own standards, where it used to
    be international bodies.
    These are
    very long-term views that these
    countries are using to say this is how
    I get into your supply chain.
    What
    can we do through incentives and
    disincentives?
    Source code review,
    for example.
    If you're working in
    your supply chain with a company, you
    ask them: Who do you share your source
    code to?
    You may be required to do
    that to sell into their market.
    These are choices companies have to
    make
    every day.
    Show me your source code.
    Should we make that illegal, a U.S.
    company can't do that, or should we
    give you tax breaks if you say you
    won't do that or federal procurement
    incentives.
    Because we would have to
    walk away from market opportunities to
    do that.
    I'd say there are carrots and
    sticks that can be used, but I think
    we should have the big picture before we
    get to the tactical speaks.
    They're
    very important, but why are we doing
    this.
    >>If I could jump in.
    You asked the question specifically
    about 5G and I didn't get to that part of
    the answer because I was afraid the mic
    was going to get pulled [LAUGHTER]
    5G
    is a new network.
    With a new network
    and these issues at the forefront,
    everybody is inspecting this
    process.
    Our industry was borne out out of
    interoperability.
    When you phone
    Japan, you don't think about whose
    assets that touches, but it might
    touch a dozen company's assets,
    maybe
    2.
    There's always been collaboration
    ignored to achieve can
    interoperability.
    You get a brand new
    network like 5G someone says how
    does this come together?
    These are the
    points that Mark is making.
    Now all
    of a sudden people care who is sitting
    on which committees to build the
    standards bodies to make sure that
    these things are being done with
    reliability and security and
    economics
    in mind, because historically it was
    really just about interoperability and
    economics.
    Now we're adding these new
    dimensions that are causing people to
    inspect these processes a lot
    more
    closely to make sure that what gets
    delivered that will survive a decade
    is built with the proper foundation.
    >>So the way I think I see it, at
    least more recently, is the more
    visibility and transparency you
    get,
    the more questions you have.
    Then when
    you get to the concept of sticks
    and
    carrots, I think from a tact tactical
    perspective, the way the conversation
    is going right now is: I'm a little
    concerned that we're focusing on the
    bad options and we're focused on
    taking the bad options off the
    table,
    when maybe we should also be incentivizing
    those good options.
    You talked a bit
    about that.
    Rob, if you could touch
    on some of the efforts and
    initiatives
    in the past that we've tried to
    incentivize, to develop those good
    options, trusted foundry.
    What are
    the lessons learned and the strategic
    vision of incentivizing a base,
    what
    does it look like.
    >>We've had a few different things the
    Department of Defense has done over the
    years.
    We created our own chip fab.
    The
    government needs classified silicon
    for a number of applications.
    There
    was a foundry at NSA where we owned
    the apparatuses apparatus, we had
    cleared people working in it and
    we produced chips.
    The issue was that
    private industry could spin on such
    faster cycle to innovate and
    improve
    those technologies that the plant was
    continuously obsolete.
    So we had to
    move to a new model, and the new model
    was trusted foundry where we would go
    out and find a corporate partner
    that
    could create with cleared people in an
    environment at times runs of chips.
    That had its own problems in that we
    had to stop their normal production
    run.
    We had to remove some of the
    workers who were uncleared.
    You had
    to even worry about what happened to
    the little pieces left over in the
    manufacturing processes and
    where
    those went.
    It was beneficial that we
    linked in this public-private
    partnership and we linked to the
    commercial models.
    But it was still
    hard on both the private sector and
    government sector to use that model.
    But we have to have solutions that we
    can follow and trust because we don't
    want the situation where the tokeens
    authorized in the DOD networks are
    only produced overseas.
    They may not
    be produced in the countries you worry
    most about, but they're still only
    produced overseas.
    That's a hard
    thing for the most sensitive
    applications.
    That also drove us to a
    lesson that we need to be granular
    about what imp position we need to
    do to
    have the security necessary.
    So you
    have to choose when you're a
    completely free market commenthe
    best
    idea, the best process, the most
    economical is going to wingers all the
    way up to this is a niche thing that
    can't fail and I know there will be
    high-end actors trying to get
    inside
    that development cycle and exploit
    it.
    That will take some special
    applications.
    Finding where we adjust
    the dial along that continuum is hard.
    John pointed out that 5G discussion
    is
    starting to discuss do we have toe
    reset that dial?
    It's causing people
    to think in new ways and talk about
    these hard problems.
    >>I think Rob
    brought up a good point, something
    that's Anathema to how we think in the
    United States.
    We let the market
    decide, which is right.
    When it comes
    to this topic, we may need to start
    thinking about are we going to have
    national champions, not for everything
    but for certain things in the
    semiconductor industry,
    micro-electronics, artificial
    intelligence, quantum, things
    that
    will matter in in the supply chain.
    That's not the way we think about
    things from an economics
    perspective, but perhaps we should be
    thinking about that.
    Then it's a question of you don't want the
    government to run them because usually you
    end up in that kind of situation where
    you're object absolute.
    What are the incentives that we
    provide in order to
    establish these national champions
    for not everything but things that we think
    are important at the end of the day on
    what the future will look like
    technically?
    The future is moving to
    a smaller number of technologies at
    the core, not broader and broader.
    We
    know what they are.
    We need to to
    decide what those are and think about
    what those incentives may be to have
    companies do them in the United
    States.
    This administration did
    something recently with minerals to
    determine certain minerals that are
    important, like lithium.
    Lots of
    technology uses to say we need to have
    a better source of mineral production
    in the United States.
    We have some.
    Where are they?
    The U.S.
    geological
    agencies are sharing those kind of
    data with U.S.
    mining companies now to
    say: Here's what we know.
    Maybe you should drill over here.
    Because we're
    trying to get these minerals that are
    important for weapons systems and
    things.
    Give an advantage to the
    national champion for things that we
    think are critical critical.
    >>:
    John, anything?
    >>I think the one
    point that has not been made is that
    there are natural ecosystems that
    evolve.
    I think it's important that
    when we talk about companies in our
    nation, and I'll use wireless as an
    example, we're in our current
    thinking, but if you go back to 2016,
    the debate globally was whether Europe
    or Asia would become the centre of
    wireless innovation.
    You get at the
    right race going on with us and
    Verizon trying to get the network out as
    soon as possible and suddenly the
    economy stands up in the U.S.
    and we
    become the access of innovation.
    The
    economic vitality and security are
    kind of linked one and the same, so
    you start to have supply chains that
    are geographically concentrated.
    That's worked really well for our
    industry.
    Every time you have a
    technology leapfrog problem, there's
    an opportunity for you to either take
    advantage of that or miss it.
    >>:
    One of the core elements of the
    national risk management centre
    is
    bringing industry and government
    together to identify integrated
    solutions to whatever the problem
    identified in a prioritized
    manner.
    One of the things we've discussed with
    the IT sector coordi coordinating
    council is establishing an
    information and communications
    technology supply
    chain task force.
    When we step back
    and think about frameing this
    strategic conversation to
    better
    inform short or near, mid and
    longer-term approaches, in your
    view,
    if you chop staff over to work with me
    and my team and other government folks
    in the centre, what would you expect?
    What would you want them to focus on
    right out of the gate?
    Because the centre
    is open for business starting
    tomorrow.
    Ninety day sprints.
    We'll
    establish within the centre a task
    force and I want to get these folks
    together starting tomorrow and say:
    You have a job.
    What do we want to be
    talking about in 90 days and in one
    year?
    >>I'm happy to start off.
    I'd go
    back to the standing up any
    organization, and if CEOs, the first
    thing you're going to want to do is
    Shea is the strategy?
    More specific,
    what is the definition of success
    for
    supply chain?
    If we said we're
    starting to solve supply chain
    integrity, what would we mean by that in
    a world that is increasingly
    interconnected and a guarantee it will be
    even more so in five years.
    So we're
    not solving for today but for five
    years into the future.
    I hope it's
    apple bishops in nature.
    We can say
    if we're going to do certain things
    and I'll come them tactical, the next
    things we will do, are they in
    furtherance of that or not?
    Because we could get very busy on a lot of
    things and not be very productive
    against any really long-range
    objectives.
    Again it's hard for us to
    think in general terms about
    decades,
    but I think that's the way to think
    about
    it.
    That's what I'd love to see in
    the next ten days, what do we think
    the 10--year success looks like?
    >>That's a useful framing.
    One of
    the things I continue to worry about
    is if we in government take a
    solely
    binding whack-a-mole approach.
    It
    would be useful if we could have
    broader frameing.
    >>Draw us a
    picture.
    When you think about where
    we've been, getting philosophy and
    departmental chart charters and silos
    broken apart is a great foundation.
    think Mark talked about what's next.
    In a business context, you'd
    say: Well, that's where you get a
    strategy
    on a piece of paper.
    But when you get everybody together,
    that exercise
    could take forever.
    That's why I say
    make it simple enough to draw us a
    picture.
    Draw us a picture about who
    is in and what their role is.
    Then I think we'll organize ourselves to
    success.
    The really practical stuff
    is events and processes.
    An event
    happens.
    How do we work together?
    So you
    can prioritize the events.
    There's
    nothing that's a downside to working
    through even an event that would be
    low probability approximate and we
    got
    the priorities wrong, because we'll
    start the dialogue about this happened
    and it's now 10:30 a.m.
    who do I
    call, and what do I do?
    Those things
    become -- philosophy breaks down quickly
    when you start to put a time-stamp on
    an exercise that says what's next in
    order?
    So I think that in 90 days, if
    people came out out and said, our
    team, AT&T, said we made big progress
    figuring out how to jump across
    layers.
    As I mentioned earlier, and
    I'll reinforce the point, the bad
    actors don't operate at a level and a
    geography or a function that's
    really
    convenient for us.
    So to go go in and
    say we're going to move from power to
    communications and Internet
    infrastructure and then the
    application layer, jumping across
    those layers and across those
    industries are all fair game.
    So
    figuring out what are some of the
    practical things we can do, it can be
    as simple as a picture of
    cooperation
    and a couple of tabletops and we
    will have made great progress in figureing
    out how do we handle ourselves on a
    bad day.
    >>So as we've kind of moved
    through this conversation, we've
    hit the high strategic level, we've hit a
    little bit of the tactical and then the
    organize organizing principles or
    framework for this conversation.
    One of the things that I've always, at
    least since I've been in this role,
    even in the acting position, is let's
    not reinvent the wheel.
    A lot of good
    work has been done over the last
    decade-plus.
    How do we stitch
    everything together in a useful, effective
    framework to make sure everybody is
    pulling in in the same direction?
    Both
    of you are members of INSTAC.
    Several
    years ago there was an I ICT
    mobilization report.
    I've seen a
    couple of your points of contact and
    co-authors of the report in the room.
    Based on what you just said, I don't
    think that is a useful framing --
    that
    is a useful approach.
    The incident
    management team, and you have the
    consequence management side of
    it,
    which is the cleanup on aisle 9.
    Where are the consequences
    manifesting
    of something that takes place in the
    ICT ecosystem?
    Thank you to the good
    work that your teams have done in the
    past contributing to that report, and
    that gives us a blueprint to move
    forward.
    But a part of it is that
    it's not just DHS, not just industry.
    Rob, NSA was obviously a
    contributor
    to that report.
    What do you see, particularly when we
    think about a
    frameing of a playbook or we had
    the national cyber response plan, we
    have a
    gap from the release of that plan to
    actual operational coordination.
    I think that's a bit of what John is
    talking about, and that's part and
    parcel of what we're thinking in terms
    of the centre, is synchronizing an ops
    plan giving a home for everybody to
    come together and identify what they
    can contribute to, whether it's
    cleaning up the ecosystem a little
    bit
    or contributing to the overarching
    fight.
    >>I echo John's sentiment.
    think we learn a lot when we get
    together and tabletop things.
    My
    advice is we start with some
    exercises, because that's going to be
    everybody bringing together their
    SOPs, the understanding of the
    way we
    thought it was supposed to work,
    and
    we'll find out where the gears align
    and where the gears don't align.
    Those exercises sometimes take a
    lot
    of effort to kick out, but we learn so
    much, especially in the early days
    like we're talking for this new
    initiative.
    It will be important that
    we just get together and try some
    stuff and then learn, iterate and do.
    Approximate I think that will match
    with your philosophy of 90-day spins.
    >>When we think about concrete
    deliverables, admittedly
    incremental,
    we're not going to solve the problem
    in 90 days, but we've got to develop
    that foot footing for greater success
    down the road I commit my team to
    work
    with your folks to frame that out,
    frame out what these playbooks look
    like, what an operational
    response
    environment, how we can work together,
    and at the same time whether it's a
    separate track or whatever within the
    task force, we can certainly start
    framing out what that state looks
    like.
    That can inform what's going on
    with the cybersecurity moon
    shot.
    >>If you look the ICT, you're going
    to love the current report.
    It is
    called the cyber moon shot and the
    mission statement on that is to take
    the Internet safe and secure in ten
    years.
    That's a big ask.
    But if we
    actually thought way, everybody
    thought that way, the belief is we
    would probably do things fundamentally
    different than we're doing today, in
    education, in diplomacy, in supply
    chain
    integrity.
    If it was your job to make
    that statement true, and hopefully
    we'll hear more about that from the
    vice-president this afternoon.
    I think that's the organizeing
    principle, is something
    broaden
    ambitious.
    Government has the unique
    role there to be the one who can lay
    down the organize organizing principle.
    Everybody else will fall
    in line and phenomena from a resource
    perspective.
    >>We're about out of
    time here.
    But John, Rob, parting
    shots?
    >>I would say to my team in
    this 90-day effort is we don't need to
    go out and invent a lot of stuff.
    There are a lot of blueprints that
    have been written waiting for this to
    come together.
    So we can go out and
    innovate by taking what's out there,
    including frameworks, tooling and so
    on, and get something very productive,
    very quickly.
    So I think just taking
    advantage of the body of work and
    using this new way of thinking and new
    process can yield a big result.
    >>Got
    it.
    I think that's a clear direction
    to the government and industry side.
    Stuff doesn't have to be be, as hard
    as we're talking about it.
    Let's use what's already been done and
    bring it together in one spot.
    With that, we can close up this panel.
    I want to give our panellists here a
    round of
    applause.
    [APPLAUSE] I have some
    quick announcements before lunch
    lunch.
    We are going to break now for
    lunch.
    Then we'll reconvene here at
    2:00.
    Let me give you a couple of
    bits of guidance.
    There are a number of excellent restaurants
    in the area.
    You are in New York City, after all.
    I'm going to go ahead and warn you
    that we are aware of protests that are
    taking place outside.
    If you exit the
    building, please plan for time to
    reprocess through security.
    Also,
    I'll add that there is a lunch being
    sponsored on the third floor by a
    number of industry associations.
    So if you don't want to leave the
    building, you don't have to.
    You can
    run upstairs.
    Beginning at 1 p.m.,
    we'll also be hosting e emerging
    issues, the emerging issues in
    cyberlaw and policy breakout group.
    That will be in meeting room number
    1.
    Please, enjoy lunch.
    Thank you again
    for being here.
    We'll reconvene at 2
    p.m.
    (Lunch break).
    National
    Cybersecurity Summit and National
    Cybersecurity Summit, National
    Cybersecurity Summit, National
    Cybersecurity
    Summit.
    >>All right.
    Well, thanks
    for everybody coming back.
    I hope you
    enjoyed lunch and you didn't
    experience too many problems
    reentering the building if you
    did
    leave.
    What we talked about today is
    joint problems or joint challenges the
    government and industry both face.
    think the workforce and broader
    education challenge is probably one of
    the most acute that both public and
    private sectors experience.
    This next
    panel will focus on building that
    cybersecurity workforce that we
    need for the future.
    We heard about it in
    the last panel, about how we're being
    outpaced a bit by other nations and
    how they're investing in their
    workforce.
    Frankly, they're investing
    in their communities and in their
    population, and particularly the
    education system.
    So this is a timely
    conversation conversation.
    It's once
    again something that we can focus on
    through the National Risk Management
    Center.
    At this point, let me go
    ahead and bring the panellists out.
    We're going to start with Mr.
    Russ
    Schrader, the Executive Director
    of
    the National Cyber Security Alliance.
    [APPLAUSE] next, Dr.
    Les Guice, President
    of Louisiana Tech University
    [APPLAUSE].
    Next, Mr.
    Raj Samani, Chief
    Scientist of McAfee [APPLAUSE] and
    then Mr.
    Aric Perminter, President of the
    International Consortium of
    Minority Cyber Professionals.
    [APPLAUSE] [APPLAUSE].
    And to
    moderate the panel, it is my honor to
    introduce Assistant Secretary of the
    Office
    of Cybersecurity and Communications,
    Ms.
    General Nakasone [APPLAUSE]
    General Nakasone Nakasoneet Maffra.
    -- miss Jeanette Manfra.
    >>I'm the Assistant Secretary of the
    Office of Cybersecurity and
    Communications at DHS.
    What that
    means is my organization, which
    falls
    under Christopher Krebs's
    organization, we run everything from
    the inte integration centre, where our
    response teams sit, where we do
    vulnerability coordination
    with
    industry, our mal malware, reverse
    engineering processes, all of
    the
    technical analysis, all of the stuff
    that supports our operational mission.
    We also run the programs that
    deploy
    services and capabilities across
    the
    federal government, everything from
    the national cybersecurity
    systems,
    Einstein, and continuous diagnosis
    and
    mitigation.
    We're also responsible
    for public safety, communications and
    interoperability, and working with
    federal agencies and critical
    infrastructure to help understand what
    their information needs and how we can
    work better to collaborate in
    the event of an incident.
    You might be
    wondering why I'm sitting here
    moderating a workforce panel.
    Because not
    only is it one of the most critical
    things I think personally and
    professionally to our organization,
    because we cannot do all of those
    things without a highly skilled and
    motivated workforce.
    It's something that we've increasingly
    identified as
    a threat to our entire country's
    ability to be able to manage the
    cybersecurity risk.
    Something I
    personally care a great deal about and
    I also think while there's obviously
    plenty of challenges with identifying
    training and recruiting a
    cybersecurity workforce that we
    all
    share, there's also tremendous
    opportunity, both in training the next
    generation of cybersecurity
    professionals but also reskilling a
    workforce that may not be able to find
    opportunities else where.
    We're an
    optimistic bunch up here and we have a
    really great slice across different
    parts of the community looking
    at
    workforce.
    I'd like to start, if you
    wouldn't mind just introduce yourself
    and talk a little bit about your
    experience in workforce and why
    you've
    become passionate about this topic.
    I'll start with Aric.
    >>:
    Absolutely.
    I'm Aric Perminter,
    president with the International
    Consortium of Minority Cyber
    Professionals.
    We started the
    non-profit about three years ago,
    when
    a group of friends were out at an RSA
    conference and we were participateing
    in everything that was there and that
    he would there were not a lot of folks
    that looked like us in the room.
    We walked away from that and said we need
    to find some way to be able to connect
    individuals like us to the
    cybersecurity profession because
    we
    loved it so much.
    It was so
    passionate for us and allowed us to be
    able to provide a good lifestyle for
    our families.
    We started that about
    three and a half years ago.
    We have
    about 3,000 members right now, all
    voluntarily led, and our mission is to
    bridge the cyber divide between
    women
    and minorities and the cybersecurity
    field.
    We do that through four key
    programs.
    One is issueing scholarships
    just to help fund folks' entry or
    expansion into the cybersecurity
    field.
    We have a mentor protege
    program where we connect juniors to
    senior folks and we have a business
    match making program.
    We feel we can
    get business owners connected to our
    opportunities and they will have an
    ability to hire more folks like
    themselves themselves.
    Third, we have
    a workforce development program.
    It's
    a broader program, but we have several
    initiatives that align with some of
    the things that we're going to cover
    today.
    >>Great.
    Raj.
    >>I'm Raj
    Samani, Chief Scientist of
    McAfee.
    More important than that, I'm actually
    a father.
    Recently my two daughters
    were looking to leave school.
    We went
    to my old school, which was in
    probably not the niceest areas, but we
    went nonetheless.
    As we were shown around
    the school, the person who was
    showing
    us what the school has to offer asked
    me: Does your daughter like
    beauty?
    And I kind of -- I've never been
    asked
    that question before, obviously, and I
    kind of said: Well, look, I don't
    understand.
    He said: Let me show you.
    He opens this door and in there
    there's a salon, like a proper beauty
    salon inside the school.
    There are
    three girls in there.
    Two of them are
    getting a pedicure.
    One girl is lying
    down and the other is having her feet
    down.
    The third girl is following
    towels.
    I was appalled.
    I said: What
    on earth is going on.
    I was told by
    the teacher that children won't
    graduate with a high school
    equivalent, but with a diploma, where they
    will work in a local salon and that's
    the job they will have for the rest of
    their lives.
    To be honest, I went out
    furious.
    My wife was upset.
    I said: We can do something about this
    because we can afford to put them in a
    private school, which I know is the most
    selfish thing to say publicly and I
    realize it's being streamed on
    YouTube, so I look awful awful.
    The
    reality, I said what about everybody
    else?
    Like you said, this was an
    incredible industry.
    It is fast
    changing, fast moving.
    It pays really
    well in the private sector, certainly.
    From my perspective, what was what can
    we do as an industry to inspire young
    kids to get into the most remarkable
    industry there is?
    >>Thank you.
    >>:
    I'm Les Guice, president of
    Louisiana Tech University.
    We're a national
    university up in north central
    Louisiana, which is a very rural area.
    We've had a long history of building
    advanceed technology programs in areas
    like biomedical engineering and
    micro-nano- micro-nano-systems,
    things
    like that, producing great graduates.
    Too often, they go off and work in
    other parts of the country.
    So about
    a decade ago we had the opportunity,
    thanks to some leadership of
    some
    people in a city an hour away from us,
    who decideed there were some things
    emerging that could create great cyber
    education and economic
    development
    opportunities for our region.
    They
    formed an organization a decade
    called
    called the cyber innovation centre
    and
    created a plot of land, the national
    cyber research park.
    Then they began
    to invest millions, tens of millions
    of dollars in cyber infrastructure
    facilities and secure facilities that could
    support operations and research and
    other kinds of things,
    magnificent
    facilities.
    I got involved as a
    university because I realized the
    economic opportunities for us,
    for the educational opportunities it
    would
    provide for our students.
    We began to
    recognize at that point we had to
    shape out curricula.
    We already had
    computer science and computer
    information systems, and they had a
    course or two in cybersecurity.
    But
    after talking to the air force -- by
    the way, this is the home of the air
    force base and now global strike
    command.
    But they issued some
    challenges to us to really think about
    preparing for the next cyber
    workforce.
    So we at that time, in
    2012, established the nation's first
    cyber engineering degree program.
    At
    that time, we had about 250 students
    in our computer science and CIS
    program.
    Now we have over 750
    students.
    The visibility of that
    program, what it attracts for our
    students, has been a huge impact.
    We
    can talk about some of the economic
    development impacts a little bit later.
    >>Absolutely.
    Russ?
    >>I'm Russ
    Schrader, Executive Director of the
    National Cyber Security Alliance,
    which
    is a non-profit non-profit,
    non-partisan organization.
    We work to
    educate, to amplify and to convene
    people who are interested in
    cybersecurity, whether it's
    broad-based consumers, whether it's
    things that are focused on small
    and
    medium-sized businesses, whether
    it's
    helping keep our government safe.
    We
    also partner with DHS in national
    cybersecurity awareness month.
    Coming
    at these different audiences with
    different messages at the time that
    they're ready to hear them is what
    we're most interested in doing at
    NCSA.
    I also come from this looking
    at it as a small start-up that takes
    privacy centre insights and applies
    it to
    digital a advertising.
    When you try
    to find in a start-up situation people
    to really work in cybersecurity, it
    can
    be very difficult.
    The sacrifices
    made for a start-up are many and work
    in different ways, but you have to
    find ways to encourage and develop
    the
    kind of talent that you can.
    >>Thank
    you.
    We'll start with Dr.
    Guice.
    I'd
    like to tease apart a little bit the
    role that formal education should
    play
    in cybersecurity versus hands-on or
    other types of training, on the
    job,
    apprentice training.
    My own
    experience, I'm the first person in my
    family to graduate college.
    I had two
    grandfathers that didn't even graduate
    high school.
    How do we get both at
    more formal education and ensuring
    people have those opportunities in
    formal education but also find finding
    those ways to train those who may not
    realize or believe that they have an
    opportunity to pursue a computer
    science degree or a cybersecurity
    degree?
    >>I think we all understand
    the complexity of cybersecurity
    technology-wise, but we all also
    understand the importance of
    having
    critical thinkers and creative
    thinkers and people who have
    appreciation of the political and
    social and ethicalIing
    indications
    indications, and that requires formal,
    broad education, I believe.
    We think
    that's very important.
    At the same
    time, we put a lot of emphasis on
    having intern internships and
    apprenticeships, both with the government
    sector and the private sector,
    that
    have been incredible learning
    experiences.
    What we're finding is
    those students come back after that much
    better able to learn the more complex
    things that they're going to face in
    their classes.
    >>Approximate I think
    that's great.
    >>I could not agree
    more.
    In fact, one of the initiatives
    that we have under our workforce
    development program is called the
    educational security operations
    centre, where we partner with
    universities and private entities to
    set up a cyber range live, fully
    functioning cyber range, on or near
    the university so that students can
    leave the classroom and come over and
    perform the job that they most likely
    would be qualified for fresh out of
    college.
    We give them job titles.
    We
    align their work experience to the
    nice framework so that they understand
    what task they're supposed to be
    performing.
    We walk them through
    different workflows around incident
    response.
    We flow attacks at them, so
    they can leave this experience and
    interview in real-world
    contexts.
    When we talk to organizations out
    there, a lot of them will give anyone
    an opportunity who has the aptitude to
    learn and the passion to be able to
    put in the work to close any gaps that
    they may have around their learning
    experiences.
    Our first one was
    launched at capital technology
    University in Maryland and it's
    going
    well.
    We have a program called 20/20.
    We're aligned with the CAEs and our
    goal is to have 20 ESOCs up and
    running by 2020.
    >>: Raj, from
    McAfee's perspective.
    >>I think
    that's the keyword, passion.
    Approximate the question request I
    asked is how many role models exist
    for young children in cybersecurity?
    It was funny.
    We just got back from
    vacation in the Dominican
    Republic.
    All I heard was about Lebron James
    James.
    I don't have any passion for bask
    ball, but I began to ask the
    question: What about a realistic
    career for kids in cybersecurity?
    Where are the role models for young
    children today?
    Some of the things
    we've been doing, we ran an online
    safety for kids campaign, which
    taught
    half half a million children today
    around cybersecurity.
    We're trying to
    feed the career of cybersecurity to
    young children.
    We've launched McAfee
    program where we're trying to get
    children to understand what
    careers
    exist and now we're partnering with
    universities.
    I feel like all of
    these discussions have to start a lot
    earlier so that kids can actually -- I
    mean, Lebron James might be a
    fantastic role model.
    I have no idea.
    But the reality is: Is that
    achieveable for most kids today to get
    a career in the NBA?
    Or perhaps
    getting a career in cybersecurity.
    That's perhaps where we have to start
    looking at more positive role
    models
    across multiple, diverse groups, for
    example females and ethic minorities
    as well.
    That's my perspective.
    >>:
    Thank you.
    Russ.
    >>It is very
    important to reach kids along the way
    way.
    Their first exposure is video
    games and they see somewhere someone
    has created these worlds.
    They get
    sucked into: Gee, could I use my
    skill, imagination, to do that kind of
    coding?
    Then they start to get
    messages a little further on, maybe
    about their privacy or it's in social
    media.
    We have to find a way to reach
    them while they're engaged on the
    Internet, while they're thinking
    about it, while they're fascinated by
    this
    world of games that so many of us
    don't understand or participate in.
    But then say: All right, but it can
    turn into a real-world job.
    And
    finding the kind of role models,
    finding the first one at school, it's
    very interesting.
    They see codeersb
    how do you then make the switch of a
    particular kind of codeer or other
    ways dock it?
    It's quite an interesting
    challenge, but you can't say that the
    average student is unaware of the
    creativity piece of it and unaware of
    the interconnect interconnectivity
    of
    it and unaware of the importance of it.
    >>I tell my son that I fight the bad
    guys.
    He thinks it's actually in the
    computer.
    He's only 6, so he has time
    to figure it out.
    Dr.
    Guice, we
    talked about this a little bit in the
    beginning, but the notion of economic
    development and particularly
    partner
    partnering with the Department of
    Defense and veterans and others, and
    being able to use cybersecurity job
    opportunities in this workforce gap as
    a way for developing a community.
    Can you talk a little bit about your
    experience in that?
    >>No question about
    it.
    We have the headquarters
    of
    century link about 30 miles from us,
    but not much else until we began to
    put the cyber programs in place.
    Some
    of our friends helped to recruit the
    company CSRA to the city, an
    integrated technology Senator brought
    a thousand jobs.
    Those jobs are
    filled now with many of our graduates
    there.
    That's exciting for our
    students as they begin to see these
    opportunities and get intern
    internships, experiences and help
    to
    cultivate that climate.
    We also know
    that it's really important for us to
    bring in some non-traditional
    workers into
    this arena.
    So we're actually
    expanding facilities to support
    veterans and some of the
    non-traditional workers.
    One of our
    corporate partners helped us create a
    cyber training centre right next to
    the community college where we're able
    to create additional pathways to get
    some of the non-traditional
    workers
    into the cyber field.
    >>: Thank you.
    I heard somebody recount a study or a
    story once where they had done a
    search on monster.com -- this was a few
    years ago -- and looked for all the
    cybersecurity, all the jobs entitleed
    cybersecurity analyst.
    Of course,
    there were thousands of jobs.
    They
    did a study, and not five of them were
    the same qualifications or
    skill sets.
    The government for a while has been
    working, the department of
    commerce,
    really in the lead in thinking about
    how do we actually define what a
    cybersecurity professional is?
    Because we need everybody.
    We need
    people who can do the forensic
    analysis.
    But we also, frankly, need
    lawyers.
    We need managers.
    You need all these different peoples
    peoples.
    And part of our problem, I really
    believe, is that employers don't
    always know exactly what they're
    looking for or how to define what
    they're looking for.
    So Dr.
    Samani, if
    you could talk, as our industry
    representative here, a little bit
    about how your company as a
    cybersecurity company thinks about
    what a cybersecurity professional is.
    >>The reality is that the industry is
    evolving.
    I started off in IT
    security, went to Infosec governance,
    did
    a piece in privacy as well.
    I think
    my role fundamentally hasn't changed.
    The reality is that we begin to adopt
    the framework and a lot of the roles
    we're doing internally are
    beginning to align to the framework.
    Its imperative that we start to get
    consistency.
    We work with DHS, for
    example, we work with academia, to
    begin to understand what the roles
    are, ensure that we advertise those
    roles appropriately and ensure we
    communicate that to universities so that
    when we go to universities
    and say these are the types of skills
    we're looking for, people have
    absolute clarity about what we need.
    I think that's imperative, to get
    a degree of transparency.
    For me, there's nothing more
    disenfranchising than you're starting to
    learn something and you realize all of a
    sudden actually that's not what
    employers are looking for.
    >>But it's a skill.
    So much has changed in terms
    of technology.
    As you mentioned
    earlier, the passion is what's
    important.
    It's almost sometimes a
    bit of intellectual sloppiness, where
    you say you have to have this box
    ticked called university or
    two
    two-year degree.
    Some of our greatest
    inventions came from people who
    dropped out of college or tinkered
    in
    the garage down in Palo Alto.
    So much
    is happening in terms of technology and
    so many different threats at different
    levels that you want to look for the
    person, someone who needs to be not
    only passionate but adaptable as well
    because things are changing so much.
    Can I make a quick point on that?
    gave a talk at a local school for
    15-year-olds and I asked the children
    in the room: What career do you want
    to get into?
    One child bravely put
    his hand up and said: I want to get
    into sports science be a physio.
    asked the question: Do you use
    Twitter?
    They said: Yes, I do do.
    Do
    you follow the England team
    doctor?
    No.
    Who do you follow?
    Lady Gaga and
    so forth.
    For me, when I went through
    school, I never had visibility into
    the careers, into the people behind
    the careers.
    There's a lot that we can do and I think
    there's a lot we are doing.
    If I look at the service for
    scholarship program, which is fantastic,
    needs to be expanded, but there's a lot that
    we can do.
    But equally some of the responsibility
    has to be put on the parents and also the
    children, because they've got the
    ability to follow people on Twitter,
    to look on social media, to go into
    YouTube to look at the types of
    careers that exist and understand what
    those jobs are about.
    We never had
    that luxury.
    >>Building off of that,
    how do we reach those populations that
    may not have the aptitude or find
    those communities that can follow the
    model that you've done, and how do we
    get them excited and motivated, role
    models, absolutely, seeing people like
    that, frank frankly, that have made
    this a career?
    How do we get to them?
    >>It's a huge problem to tackle, but
    I think it starts with us as
    individuals.
    You made a great example, going out,
    speaking to that school of
    15-year-olds and helping them
    understand that there are
    additional options.
    I think there's
    also a huge interest in updating stem
    programs within the K through 12 with
    some cybersecurity aspects.
    I know
    cyber innovation centre has defined
    that program extremely well.
    In fact,
    we're positioning that in three school
    districts in the Pittsburgh,
    Pennsylvania area as we speak.
    So it's individuals, but it's also
    continued support for organizations
    like the cyber innovation centre
    to
    help remove the obstacles of
    articulating what is possible.
    One of
    the things that was really exciting
    about you, which is why we partnered
    with you you -- and this is not
    advertising, but it's just fact fact
    -- but what was really interesting
    was
    that even though we went in and I had
    the relationships in the school district
    I knew -- my former high school, the
    teachers didn't think it was possible
    to achieve.
    They didn't know how much
    help they would require.
    So having a
    script to be able to present to them
    and follow and then coupling that with
    trousers non-profits is allowing me to
    see a difference in the schools we're
    working with today.
    I think more
    activity like that will chip at it
    further.
    >>We also have to put in a plug
    for DHS and the scholarship and
    training programs that you already do,
    helping to develop people, taking some
    of the burden of student debt off of
    them, giving them a good job, training
    them and the outreach you're doing.
    We're happy to partner with you at
    national cybersecurity awareness month,
    coming
    up in October.
    The work you're
    modelling there is something that the
    private sector could embrace and work
    together with.
    >>I'd like to address
    the K to 12 outreach program you were
    talking about that was supported by
    DHS.
    It was a recognition that
    bringing young faculty and
    schoolteachers and K to 12 students
    together, doing something around
    cyber, creates real magic.
    It's what
    gets the inspiration there.
    As one
    example, the cyber innovation centre
    offers summer camps across the
    country.
    We're often involved to help
    lead those camps camps, week-long
    immerse camps.
    They held one three
    years ago in Michigan.
    There's a
    young lady leading the program there
    and she participated in this.
    Her
    name is Kylie.
    She's been on our
    campus for two and a half weeks
    pursuing our cyber engineering
    program.
    We see that replicated
    over
    and over again.
    >>: The other thing
    I'll add to that is there's an
    under-represented community of
    individuals who are making a
    transition through life.
    We're
    working on a national program with
    goodwill industries to be able to take
    your curriculum and make that adult
    driven so that we can bring those
    individuals that are transitioning
    through life, their life experiences,
    into the cybersecurity field.
    Another
    initiative that I just agreed to join
    a board on yesterday is the cybercrime
    support network.
    They are setting up
    a 911-like call centre specifically
    to
    handle cybersecurity jobs.
    In that
    scenario, you have individuals who can
    be transitioning through life become
    qualified
    to be operators to take those
    cybersecurity calls.
    It kind of goes
    back to redefining what a
    cybersecurity job can be, right?
    Does
    it require a huge degree and mastering
    technology and the like?
    It's a
    broader view.
    >>We've talked about stem
    a little bit, but one of the things
    that my school district is doing
    is
    steam, adding arts, that it's not just
    the science.
    You need the
    imagination.
    Some of the artists, you
    look at the meticulous work they
    do,
    and the media, where they're coding,
    and the gaming part.
    It's that kind
    of attention to detail.
    It's a kind of
    consistency and a dedication and
    ability to concentrate for
    extended periods
    of time.
    It can be switched, can be
    led, can be manipulated
    different
    ways.
    But it's another audience that
    perhaps people haven't really
    thought
    of as being an intuitive move.
    >>I
    want to ask each of you a final
    question: What more should the
    government be doing to incentivize the
    development of all these things we've
    been talking about?
    Some of this is
    not to be government driven, but what
    more can the government be doing.
    We
    talked about the scholarship to
    service, who funds scholarships across
    the occurrence and they've got a job
    in the federal government or state
    and
    local.
    All we ask is that they serve
    some time in a government
    agency,
    hopefully DHS.
    Then we also have K
    through 12 curriculum that we provided
    some grant funding towards that is
    being used throughout the country.
    I talked about the department of
    commerce's work and the department of
    labour also in coding different
    cybersecurity professions
    underneath
    the broad discipline.
    But what else?
    If we're going to be investing money
    in this, which it's so important, I
    believe we have to and there's a role
    for government, what else should we be
    doing and where with can we best place
    those limited resources we have
    in I'll start with Russ.
    >>: Thank you.
    It's a really tough question.
    On the one hand, you want to be broad
    based, reach the broad set you have.
    Part of that is an amplification piece,
    where
    you meet the people.
    If they're going
    through a life change, what am I
    going to do now that I'm graduating from
    high
    school, to be involved in the
    fairs,
    to be involved in targeted but broad
    messages to reach those people is
    really good.
    Role models are better,
    the local person from high school who
    is doing the service, or from college,
    or who had a career change, or works
    in a community college where they
    have
    gone back to school after a change in
    life, or veterans programs where once
    again it's a change and switch.
    We have someone who is disciplined, who
    is trained, who is used to working in
    government, and that would be great.
    There are so many opportunities, but I
    think
    you just have to get out there and
    figure out whether you've mapped your
    program to the audience and finding
    some
    way to get the role models and to
    spark that imagination.
    >>I agree.
    I think some of the non-traditional
    pathways for working in the cyber
    fields certainly needs some focus
    and
    we're doing that, as I said, with
    veterans and veteran resource centres.
    think universities have to look at
    non-traditional alumni and workers
    that maybe not having the formal
    education and figure out how we can
    give competentcy-based
    credits and let
    them move into the pipeline.
    While
    there's a short-term demand, there's
    also a long-term demand.
    We shouldn't
    take our eyes away from building the K
    to 12 community that's going to
    really
    be our future.
    I think the programs
    the chief supported that put the K to
    12 curriculum in place are
    absolutely
    key that.
    >>I think first of all
    kudos to the programs that you are
    doing.
    They've certainly been a
    tremendous success.
    For me, one of
    the challenges that I -- or one of the
    frustrations that I have is that
    there's so much good work going on.
    As you can tell from my accent, I'm
    from the U.K.
    In the United Kingdom
    they have launched a program getting
    children into schools to understand
    the types of industries and
    careers that exist in industry.
    But my challenge is there's a lot of great
    work going on.
    You look at Amazooo or
    McAfee, and sometimes they can be
    disconnected.
    If we began to do more
    public-private partnerships to
    identify where there is duplication
    where we can pool resources that will
    be imperative.
    We all have limited
    resources.
    How can we better utilize
    them as an industry rather than in
    specific sectors.
    >>That was my
    response.
    >>: I have the same suit
    as you and I beat you to it.
    >>I'll
    add to that.
    As part of that
    consolidation and streamlining of the
    different efforts so that you can
    point people in the right direction
    and you have momentum behind, what
    we're all trying to do as part of our
    mission, I think driving discussion
    around relaxing some of the conditions
    that are required for employment
    employment.
    A good example, I was
    talking with some of the folks at some of
    the other agencies and they said they
    were considering relaxing some of
    the
    stigmatism around criminal records.
    Is there something that you can do to
    forgive folks who have made mistakes
    ten years ago in order for them to
    be at the same qualification level
    to be able to be hired like someone else?
    >>You think our clearance program
    is difficult now now.
    >>Yeah, right?
    Just a little.
    I've gone through it.
    Just a little.
    I think that is kind
    of putting action to work to complement
    some of the other great things that a
    you all are doing.
    >>I think pulling
    together the private-public
    and
    different corporations frankly
    is the
    best plug for the NCSA I could
    imagine.
    It's precisely what we're
    doing, is pulling together several
    dozen of the top corporations who
    feel strongly about cybersecurity, coming
    up with things that do reach a broad
    consumer, reach simultaneously
    medium-sized businesses, reach
    large
    businesses but also work closely with
    the government.
    We do try to be that
    aggregation point.
    We do come out
    with nationally broad-based
    programs
    that I think are certainly worth
    expanding.
    >>I have to close.
    We
    could talk about this forever, I'm
    sure.
    I would close by focusing on
    the role model.
    There are a lot of
    other things that we will continue to
    work on and build out, but I would
    challenge the audience to think
    of
    yourself as a role model in this
    space.
    I joke that I can do an event
    like this, but the thought of going to
    my son's school and talking to them is
    terrifying.
    We need to be getting to our communities.
    We need to be talking to the people we
    interact with every day.
    I'm happy that we were able to not sit
    here and talk about the statistics and
    the gaps that we are going to o
    oexperience in cyber workforce and really
    challenge us all
    to get to that point and DHS is happy
    to be the lead convenor here, but
    it
    has to be a community-wide effort
    to
    take advantage of this tremendous
    opportunity that the workforce gap is
    providing us.
    So thank you.
    Please,
    thank our panellists.
    [APPLAUSE]
    (pause).
    >>We're looking at our
    penult panel.
    We've talked a lot
    about both the hard infrastructure
    side as well as the information and
    communications technology side.
    We're
    going to pull the thread on that a
    little bit more.
    This next panel is
    entitleed delivering cybersecurity
    solutions, ICT industry
    perspective.
    It's my honor to introduce Mr.
    Frank
    Cilluffo, associate vice-president at
    the George Washington University and
    director of the George Washington
    University George Centre for Cyber and
    Homeland Security.
    [APPLAUSE] next,
    Mr.
    Dean Garfield, President and CEO of
    the Information Technology
    Industry
    Council., ITI [APPLAUSE].
    And Mr.
    Jonathan Spalter, President and CEO of
    USTelecom [APPLAUSE].
    Lastly, our
    moderator, please welcome the
    moderator
    for this panel discussion, Ms.
    Catherine
    Lotrionte, a Brent Scowcroft Scholar
    with the Atlantic Council Cyber
    Statecraft Initiative.
    [APPLAUSE]
    Thank you.
    Good afternoon.
    Thank
    you for joining us this afternoon.
    Chris, thank you for introducing our
    panellists.
    They can begin with the
    questions.
    I'm going to start with
    the threat landscape.
    You heard from
    Secretary Nielsen this morning as she
    laid her views out about the threat
    landscape.
    We sit and meet today not
    so far from the ground in which
    another threat manifested itself
    on
    September 11, 2001.
    In those days the
    lights were also blinking.
    As
    secretary Nielsen reminded us, in
    cyberspace we are also seeing the
    threats and the lights are
    blinking
    red.
    Another way to say that is that
    we all need as a nation to pay
    attention and to start acting
    together.
    This panel will be about
    how we not only talk about the threat,
    recognize it, but also act to not only
    prevent it but to actually work
    through the threat when it does
    manifest in our systems, both
    against
    our government and our citizens and
    companies globally, as well as
    domestically.
    To begin, I'd like to
    ask each of you to discuss how you see
    the threat landscape.
    Do you agree
    with that quite dire assessment of
    where we are today?
    As the secretary
    said, we're in crisis mode.
    What does
    that mean from your perspective, and
    particularly members of the ICT sector
    and the telecommunications
    sector?
    Frank, do you want to start from your
    perspective?
    >>Thank you, Catherine.
    Hats off to DHS for an amazing summit.
    They pulled together some amazing
    people.
    What I was most impressed
    with is the focus on getting things
    done not in another session that
    admires the problem.
    But eliminator
    problem for a second.
    When we look at
    the threat environment, I think
    it's
    important to delineate and
    differentiate that not all hacks are
    the same, nor are all hackers.
    Intentions and capabilities vary.
    The
    tactics, techniques and procedures
    vary, as well as the actual tools
    themselves themselves.
    I think at the
    very high end of the threat speck you
    petroleum we see nation-states.
    There's no shortage of activity coming
    out of Moscow, Beijing,
    Pyongyang,
    Tehran, and any country that has a
    cybersecurity.
    It's just as important
    torrential and I think one of the
    great points of today's summit is
    just
    as not all hacks are the same, not all
    critical infrastructure is
    equally critical.
    That's not to suggest that
    they're not all important.
    They are.
    But focusing on the lifeline sectors,
    focusing on telecommunications,
    on
    energy, on financial services, maybe
    you can throw water in there.
    These are the critical
    infrastructures that
    independently and collect collectively
    are literally the backbone of our
    country.
    I think it's important to
    get to the point where we not just
    identify the be vulnerabilities but
    we
    really put our emphasis on
    solutions.
    I'm thrilled to be here and I think
    that embodies where we need to be
    going forward forward.
    >>I begin
    where you began by commending the
    secretary, DHS, Chris, for all the
    great work they've done.
    I completely
    agree that the threat matrix is
    becoming increasingly complex and
    increasingly sophisticated.
    It used
    to be that we would say by 2020 there
    would be 20 billion interconnected
    devices
    and it seemed so far away we didn't
    have to think about it.
    But 2020 is a
    year and a half away.
    Heree and we do
    have to think about it.
    That's in
    part why Jonathan I and our
    organizations and member companies
    decideed to do something about it
    by creating the council for securing
    the
    digital economy, which we'll get
    into
    in greater depth.
    >>I also would like
    to add my thanks and appreciation but
    also commitment to really take today's
    call to action and move to action that
    the DHS and its leaders and its
    staff have asked of us.
    Thank you very much
    to DHS.
    Look, I agree completely.
    We
    have gone from a world in this very
    ancient part of New York City where
    threats used to be both observeable
    and linear, to an increasingly complex
    threat landscape, the densification of
    our networks, unobserveable
    phenomenon
    existing within those networks.
    The
    identification that Dean just
    mentioned, 50 billion connected
    devices globally, 5G standards are
    anticipating networks so dense that we
    will be able to have a million wireless
    sensors in a square kilometre.
    The
    complexities have become exquisite.
    As they have become equivalent, our
    determination as an industry, as
    communications providers, as IT
    companies, to use our resources, our
    plashings our innovation and
    imagination, to address those, to
    learn more about how we observe the
    unobserve unobservable, how do
    we do
    pre-Mortems to ensure that had when
    there will be the next major incident,
    we will be as prepared, deliberate
    and
    resilient as possible.
    >>: Now that
    we seem to agree on the level of
    concern and threat, particularly with
    the companies and your industries, the
    ICT and telecoms, how are your member
    companies delivering secure, resilient
    products and services to the
    customers?
    Part of that question: How
    much of it is about the Telcos and the
    companies securing their own networks as
    opposed to helping their customers be
    secure and resilient?
    >>Let me start.
    think it's actually a blend of both.
    We have within the communications
    sector an enormous amount of
    diverseity.
    We have our large
    national, international,
    mid-sized
    providers and also within USTelecom'
    membership some of our nation's small
    smallest providers serving some of our
    more rural communities.
    Each of these
    parts of the sector have been
    deliberate engaged for not just years
    but decades in thinking through
    our
    intrusions and threats exist
    within
    our networks.
    We have developed from
    small to large companies habits
    of
    interconnection and interoperability
    that have facilitated our ability at
    the network level and through the
    various stacks of the network level,
    even as it's becoming more software
    defined, to understand where and
    how
    threats appear and how to mitigate
    them proactively as best as possible.
    You mentioned the incredible
    importance from large to small
    companies of that dynamic and
    real-time interaction with customers.
    Our largest providers are
    developing
    on more of a bespoke basis with their
    customers those solution sets.
    But we
    have to remember that 90 per cent of
    American enterprise is composed of
    small companies that have 20 people or
    less.
    Equally, our companies have
    been developing off-the-shelf,
    scale
    scalable, ASSS-based ISP-led
    initiatives so even the smallest of
    companies can can adapt and have the
    resources that ISPs in the
    communications sector plus a number of
    creative vendors have been making
    available.
    So there is I think a
    dynamic and important baseline not
    only of good practice within the
    networks themselves but between the
    networks and our customer bases
    across
    a diverseity of what those customers
    look like.
    >>The thing I would add is
    that size doesn't necessarily
    correlate with sophistication.
    So there
    are small companies that are
    incredibly sophisticated about
    these
    issues and large companies that are
    not.
    Our companies are working hard
    to make sure we take an integrated and
    comprehensive approach to
    identify
    cybersecurity risk and work to deal
    with them, to approach these issues
    in an integrative way so that you are
    thinking about comprehensiveness
    across
    your network and those within your
    supply chain.
    The third, which is I
    think an opportunity is incubating
    best practices.
    That is where the
    announcement today about the national
    risk management initiative is
    particularly sound and helpful,
    because we'll move away from dealing
    with things in an ad hoc basis to
    creating some institutional
    platforms
    through which we can work and
    collaborate.
    >>: Catherine, to add
    one other point: I think we're all
    here in part -- how many companies,
    even the biggest in the world, thought
    they were going into business having
    to defend themselves against foreign
    intelligence services,
    nation-state
    threat actors?
    The reality is the
    call to action I think is that
    collective defense piece.
    I would add
    one other critical infrastructure
    sector that I think has to be part of
    the equation and that's a the
    defense have industrial base.
    Because when
    you look at the financial services
    sector, energy, Telco, Dib those
    are
    the gold standards.
    Things kind of
    drop off a little bit.
    I don't mean
    to be pejor pejorative, but it's
    the
    reality.
    The question is: How do we
    flip the equation?
    How do we get to that
    collect collective defense?
    Government has unique capabilities
    capabilities, but it used to be
    government lead, private sector
    follow.
    I'd say today it's becoming
    the opposite.
    The reality is not only is
    the private sector on the front lines,
    but they've got resources, but
    they've
    got certain capabilities beyond
    cyber
    forensics that they need Uncle Sam to
    step in.
    When I think about the Telco
    sector, you brought up 5G, Jonathan, I
    am concerned that there are some
    issues there with the supply chain and
    how it could potentially be
    misused by
    nation-state actors.
    So we've got to
    think that set of issues in the cyber
    discussion and vice versa.
    So it's a
    pretty big challenge, but I think the
    actors that have to be part of the
    solution are actually here.
    >>When we think about risk assessment and
    the supply chain, we heard a little bit
    about it this morning, how are
    you seeing the companies themselves,
    both
    in the IT and the telecoms, how are
    they doing their own risk assessment
    for the global supply chain?
    What are
    you seeing?
    What's been effective?
    Part
    of that question: What can the
    government learn from that process?
    Are the private companies learning
    things, implementing principles that
    the government could benefit from?
    >>I think we can refer to an
    operator's perspective.
    We heard John
    Donovan, the CEO of AT&T
    Communications, reflect that this --
    and
    this is a practice that all of our
    largest national communications
    providers have been focusing on -- are
    enormously vigilant.
    They understand
    down to the component level the depth
    of and the accuracy of supply chain
    materials.
    They understand increasingly that the
    supply chain is
    not just about hardware, that
    there's
    been a migration to include enormous
    numbers of software inputs, and
    understanding where and how those
    inputs are actually -- and those
    coding contributions are actually brought
    to bear is equally important.
    mentioned that that is a supply chain
    issue that has to be front of mind as
    we're moving towards increasingly software
    defined networks.
    So I think
    the largest companies have been both
    visibly and aggressively
    and
    innovatively thinking about where and
    how their supply chains are
    evolving,
    both at the national level and also
    globally.
    There are, as I mentioned,
    different stacks and tiers of broad
    band providers.
    Our mid-tier
    companies are the earliest examples of
    what they're learning from adjacent
    cohorts, tier 1, the largest ISP ISPs.
    Our smallest companies, also with
    the
    right kinds of both business,
    financial and operational
    incentives I
    think will be equally up the stack in
    terms of being vigilant.
    But those
    incentives need to be in place and
    fully developed to ensure that both
    the smallest providers who
    are
    vulnerable to attacks, as well as
    the
    largeest ones, have the right kinds of
    motivation and understanding that
    the
    balance sheet impacts of remediation can
    be addressed in effective ways.
    >>Dean, your members are quite
    diverse in the ICT sector.
    As to
    their assessment on the risks for the
    global chain supply, has it been
    effective, what they're doing?
    Do you
    see challenges in the diverseity of
    these companies?
    >>Absolutely.
    But I
    also see opportunity in place where
    the Department of Homeland Security
    and the government generally can play.
    think to the initial question about
    what we're learning that is proving
    effective, there are two things that
    immediately pop to mind.
    One is
    recognizeing the importance of
    cybersecurity, cybersecurity
    risk
    mitigation and management at the
    inception.
    We talk about cradle to
    grave, but it's before the cradle.
    When you're developing a
    system,
    product, making sure that you're
    contemplating
    and thinking through.
    Also, when we
    talk about data, we talk about the
    need to assess what data you have, and
    develop solutions and opportunities
    and business models based upon doing
    that assessment.
    I think we're
    increasingly finding that doing a
    similar assessment around cyber is a
    business imperative and creates
    business opportunities.
    Similarly, and
    finally finally, just the
    international nature of our businesses
    require us to take and consider our
    supply chains not only as integrated
    but also international.
    I think,
    given the work that's being done in
    Europe right now on a parallel path to
    the work that's being done in the
    United States, that's an opportunity
    that, if we let go bi-, I think we'll do
    ourselves and the nation a disservice.
    >>Frank, I don't know if you want to
    -- on the international aspect
    of things, so a lot of times we think
    domestically, but certainly the supply
    chain is international.
    But so are
    the companies.
    >>: Absolutely.
    >>In
    thinking about the global activity and
    engaging with the U.S.
    government, so the private sector has
    been engaging
    with the U.S.
    government, but we hear
    today a call to do that even more
    effectively, in an operational way.
    What are some of the ways that
    potentially have not been done so far,
    and it's not just the U.S.
    government.
    I would like to get your views on how
    do you deal with like-minded
    governments, and how do you deal with
    companies that are operating, foreign
    companies in other countries, and
    maybe even non-like-minded
    governments
    or companies in non-like-minded
    territory?
    I'd like to hear from all
    of you on that.
    >>Great point,
    because I think one of the things
    you're starting to see here is the
    need to unify all the interagency
    components within the government,
    public-private, within the private
    sector, sector by sector, and then
    cross-sectoral.
    Just within -- many
    and then all the clients and
    customers
    they in turn serve.
    The reality is it
    will require transnational
    approaches.
    Part of me says you build on what's
    worked.
    So you take the five eyes
    infrastructure, you build a cyber
    dimension to that, and you take NATO.
    But we also have critical allies that
    are outside some of those
    organizations and alliances.
    So you
    think Israel, you think South Korea,
    Japan, countries that have to be part
    of that solution, all of whom live in
    tough neighbourhoods.
    I would argue
    this is in our best interest.
    Saudi has become the practice field for
    Iran.
    What happens there comes soon
    to a theatre near you.
    Ukraine has
    been the field for Russia.
    South
    Korea has been the practice field for
    North Korea.
    So we -- but it has to
    go beyond just intention
    information
    Why Cyber security scrow
    krocht TeletovicTeletovic
    Tell co-Mccurdy depass
    consolidate consolidate
    o work not only country
    to country but
    infrastructure
    to
    infrastructure
    We need to rethink how
    we do some of
    these issues.
    Let's get
    creative.
    >>
    What are the
    companies
    doing now
    with
    respective to
    foreign
    government.
    What has to
    be done
    that's not
    done today?
    >> I'll
    address that
    but let me
    also brief on
    your point.
    Deeper
    transporter
    sector to sector
    operational engagement is
    critical.
    I'll also
    point out and it's vital
    that
    the
    adjacentcies
    are getting
    closer.
    Cross sector
    engagement
    can't be
    within the
    national frameworks.
    It has to be
    transnationally.
    That has
    been one of
    the emphasis
    for Dean and
    I and an
    amazing
    number of our
    partners to
    actually
    extend our
    work streams
    that we have
    been
    individually
    doing in
    various cyber initiatives
    to join together
    through the
    council of
    digitally conmy.
    We have all
    of them
    engaged in a
    highly
    operational
    way in work
    streams.
    We
    can discuss
    what they are
    in a moment
    so we can
    create a best
    practice baseline that
    can be a
    model for how
    other sectors
    can actually
    move forward
    for their own
    engagement
    and model for
    how we in
    working as
    closely as we
    are in the
    United States government
    through this
    platform and
    as we will
    with other
    governments,
    that can also
    be an
    operational
    model of best
    practice and the case
    study if you
    will.
    This is what we
    need to bring
    for this
    cross
    sectional
    effort.
    All
    of our
    companies
    within the
    economy,
    within
    USTelecom and
    larger
    companies,
    obviously,
    have bigger
    programs with
    national
    governments
    but
    multilateral
    organizes we
    are working
    with to
    ensure the
    right kind of
    vigilence and
    focus.
    would adjust
    one point on the government
    to government
    bases there are some
    initiatives
    we are tries
    to think through.
    How do we enhance
    our ability
    within our foreign
    service to
    privilege and
    create new
    capabilityies
    for foreign
    capacity to
    do better
    cyber diplomacy.
    That's the expect tease to
    work within our national
    borders but insist our
    diplomatic
    services have
    capacity and performance.
    >> Can you
    talk also and
    wrap-up the
    discussion
    what made you
    join forces
    and develop
    the council?
    >> It was a
    recognition
    that we have
    been talking
    a lot for a
    long time
    about the key
    elements elements.
    We have our
    own set of
    five Is.
    The
    need for
    greater
    incentives to
    get these to
    work.
    Bidirectional
    sharing.
    The
    need for
    integration
    and on and on.
    The solution set
    has been
    discussed a
    lot.
    It was
    a solution
    set into
    tangible
    action and
    recognizing
    as Jonathan
    and all of us
    noted that we
    live-in an
    increasingly
    horizontal
    world.
    To
    have the
    impact we
    need to have
    requires
    working
    across
    sectors and
    sharing.
    So we can have a clear sense of whom
    to work with, when, I think will be an
    important part of our solution set but also
    deploying real strategies to achieve
    them.
    >>Often you'll hear references to the day
    that there may be a major cyber incident,
    where it may require the mobilization of
    the companies that are in your sectors.
    First I want to -- and for the national
    security of the country, and
    economic.
    I want to first ask you: From your
    perspectives, informed by the companies and,
    Frank, in your view, what would a major
    cyber incident look like?
    Before I get into what do we do about
    it?
    But what would that mean if an incident
    happens?
    >>It's a great question, actually,
    because the two work streams that we're
    advanceing relate to both of them.
    John, I don't know if you want to jump in.
    >>And we could, but imagine this, a
    single Botnet which
    you can rent can deploy 6 million
    zombies and impact two million people
    per hour.
    If you can exhale about a
    single Botnet and scale that for
    increasingly dense networks,
    increasingly inanimate senseors
    that
    will actually be incorporated
    through
    the Internet of things into our
    communications artworks.
    You're
    talking about some very challenging
    scenarios.
    >>: What about state
    actors?
    >>With the introduction
    of
    all kinds of new types of criminal
    enterprise state actors that are
    loaded.
    That's why we have
    these real
    pressing dangers we
    are facing
    today.
    You
    want to talk
    about Mobilization.
    >> The two,
    just to give
    people an idea you want
    to get more involved.
    One is
    around
    botnets and identifying the best
    practices and sharing them on how
    to prevent
    those sorts
    of automated
    attacks.
    Second is essentially a playbook on
    what would we do in the
    scenario if there is a
    successful attack.
    >>
    It follows up
    on what Chris
    mentioned.
    This is a
    need to
    operation
    operationallize
    the concept
    of
    Mobilization.
    The real
    question is
    when you have
    a really bad
    day in cyber
    land who will
    you call?
    We
    are taking
    very
    seriously the
    idea with our
    global
    companies
    that are part
    of the
    founding
    partners of
    CISD to take
    a cross
    sectional
    apromotion to
    come up with
    the protocalls
    and best
    practices on
    how we
    mobilize the
    broader ICT
    sector and
    use it as a
    template to bring other
    companies to
    have
    visibility
    into our
    conclusions
    in the report
    we are
    developing
    but stem from
    that.
    >>
    I'll push you
    farther.
    >>
    Can I take a
    different
    approach.
    >>
    I'll push you
    farther.
    Today
    happened.
    If
    today we have
    a major cyber
    incident that
    rises to
    level and the
    nations
    security is
    at stake.
    Your opinion
    frank, you
    guys can join
    in.
    What do
    you expect
    the
    government to
    do.
    Do you expect them
    to show up at
    your
    companies and
    what will
    your
    companies do?
    >> Katherine,
    I'll get to
    your question
    but I'll
    frame it a
    little
    differently.
    We are on
    hallow ground.
    We are very
    close to
    where 9/11
    occurred.
    Many of us
    got into this
    business because of
    that horrific
    attack on the
    United States.
    When you
    think back to
    that it was
    telecommunication
    providers
    just as it
    was
    government
    that got wall
    street back
    online and
    got the
    country
    backup running.
    The reason I
    say that is,
    ultimately,
    I'm not sure
    of the E 911
    model is the
    most
    constructive.
    I'm worried
    about loss and
    confidence in
    our systems.
    An erosion
    of trust and
    coif a dense
    with systemic
    risks you
    don't need
    that one
    massive cyber
    bang.
    That's
    not not to
    suggest that can't happen.
    The biggest
    risk is cyber
    in combination of physical means.
    The
    conversion
    issue keeps
    me up at
    night.
    Technology remains consistent.
    People have been doing bad things for a long
    time and they will do it in a cyber means.
    Should there be a massive cyber
    incident that has kinetic impact?
    Some of the sectors we are talking about
    right now are the gold standard.
    Yes, they too need support and that's
    where the public private partnership
    is important.
    It's not the way we normally talk about
    it.
    Transportation is critical.
    I'm not sure if it's at the same level
    people are starting to build relationships.
    I think we are getting.
    >> We hope in is a focal point for
    coordinating all of the frameworks that
    currently exist.
    We are prepared.
    >> At the we are on that day what's the
    type of information that's most critical
    to move between the private companyies
    and government.
    In the mist of an incident.
    In another discussion should that be taking
    place beforehand?
    Before the incident?
    Let's begin with
    the day.
    >>
    The day of
    event, it's such a hard question to
    answer because it depends on
    the nature of
    the event,
    nature of the
    instruction.
    What sector
    and where and
    how it's
    transpired.
    I will say,
    I think the
    idea that we will have
    government folking show
    up at our
    companies, we
    have to take
    the reverse
    view.
    Companies in
    the
    communication
    sector working
    together with the
    IT sector
    were careful about
    ensuring the
    type of trust
    groups we have between
    our companies
    exist so that
    kind of
    information
    can flow
    quickly.
    We
    are working
    on advancing
    and extending
    the
    protocols.
    To not only
    interact
    between each
    other but
    cross
    sectorly and
    in meaningful
    and quicker
    ways.
    There
    has been a
    tremendous
    amount of
    innovation
    that we are
    seeing within
    our
    governmental
    partners,
    particularly
    with DHS.
    This is the
    central convening
    group for a
    lot of our interaction.
    We have to
    be careful we
    don't atomize.
    That single
    stream of information
    flow has to
    be developed
    in very
    thoughtful,
    creative, and
    different ways.
    There is an
    expression
    there is left
    of boom and
    right of
    boom.
    Preand
    post
    incident.
    They are
    taking
    important ant
    meaningful
    steps in the
    catalyst of
    today's
    efforts.
    We
    have been
    working on
    this already
    to be sure
    this can
    extend cross
    sector
    allyally.
    Through the
    life cycle of
    the event and
    post event we
    have
    meaningful
    protocols for
    preevent,
    analytics,
    and other
    efforts.
    >>
    chosen very discreet work streams that I
    think will immediately address some of these
    real, pressing dangers that we're facing
    today..
    >> the work we've been seeking to do and
    accomplish with the CSDE, and we're
    looking forward to expand that platform
    and bring other colleagues into it
    it.
    So there really is imagination at work,
    and we're seeing it.
    Now there's a
    convergeence at the public-private
    level and I think that will
    accelerate.
    >> I have al30-second ad,
    because I honestly believe that five
    years from now what we envision as the
    traditional situational Sit room
    in a
    white house setting, you will have
    critical infrastructure
    entities at
    the table, not only in the CTIC
    environment, which is basically
    providing situational awareness but in
    the incident response side.
    But there
    are some lessons that I think we need
    to learn from counterterrorism,
    the
    first oneb and I'm going to step in it
    and I've never had an unspoken
    thought, but the reality is we
    couldn't simply defend our way out
    of
    the challenge.
    When you're talking
    about Association we're never going to
    firewall, defend our way out of this
    problem alone.
    That's why why having
    General Nakasone here this morning was
    so morning, having Christopher Krebs
    here was so important,
    because
    ultimately we have to bring the fight
    to the adversary as well.
    If you want
    to induce the behavior, you have
    to have consequences and I think now is
    the time for consequences.
    >> it may
    sound simple, this notion of
    leverageing existing institutions, the
    coordinating councils from the public
    sectors and others, but inviting new
    players in, it sounds simple, but it
    is incredibly critical and needs to
    happen.
    >> we know that from behavioural
    economics.
    Behavioural economics
    tells us that if we are only solving
    problems within our group, the
    solution sets will be weak and
    short-lived.
    We need diversity, and
    we need to think dangerously.
    >> secretary Nielsen asked us to identify
    areas that need to be changed and we
    have one.
    I want to thank you guys.
    >> thank you.
    >> we are there.
    We see the finish line.
    This is the last
    panel.
    But in my view, this is the
    most important panel.
    This panel is
    entitleed -- of course, it's not on
    my paper.
    Look, here's what we're
    talking about [LAUGHTER]
    >> this is
    what the National Risk Management
    Center is all about.
    Everyone has
    experiencing or engaged some way
    with the national cybersecurity and
    communications integration
    centre.
    That is an alert warning, information
    sharing, incident response Hub.
    The
    National Risk Management Center
    is
    about identifying those things, in
    some cases agnostic to a sector -- I
    mentioned it before -- but to a
    certain extent, sectors are an
    economic artificialallity and
    our
    adversaries are looking at things
    holistically, IT or ITCS.
    We need to
    identify what are those things that
    are truly critical.
    The government
    types, form, recovering
    government
    motorcycles know about mission and
    central functions.
    We need industry
    to come together and identify those
    functions that underpin our
    economy.
    So this panel will address just that
    and what the path forward looks like.
    want to start by introducing the
    Honorable mark Menezes,
    under-secretary of energy.
    [APPLAUSE]
    next Mr.
    Scott DePasquale, President
    and CEO of the financial
    systemic
    analysis and resilience
    centre.
    [APPLAUSE] and Mr.
    Dave McCurdy McCurdy, President and CEO
    approximate of
    the American Gas Association.
    [APPLAUSE].
    And Mr.
    Gene Sun, chief
    information security officer for FedEx
    corporation.
    [APPLAUSE].
    Please
    welcome our moderator for this panel
    discussion, Mr.
    Robert coal, acting
    assistant secretary of infrastructure
    protection, Department of
    Homeland
    >> Thank you,
    Chris for
    that
    introit's
    it's good to
    be on the
    stage and
    joined by the panel.
    Chris gave a
    good over view of what we are
    trying to do here.
    The idea of doing risk
    management is sense of what's important
    and what we need to go out and
    reduce the
    risk.
    I'll
    start this by
    turning to you.
    One way we
    have been
    thinking
    about this is rep
    la
    replicating
    the model.
    Tell us about your experience,
    where have you landed and why do
    you think that's left
    you in a
    better place?
    We We
    launched the
    center a year
    and half ago.
    The Genesis
    of this was
    the CEO
    important
    financial institution
    and markets
    got together
    and said as a
    sector we need to come
    together and prioritize
    our risk.
    We need to think
    about what
    does a bad
    day look like
    and the
    connecttivenes
    s of our
    system look like.
    We need to
    work together
    on respond
    and recover
    before we get
    to protect
    and defend in
    the intell
    intelligence
    side of of
    the equation.
    The approach
    we took first and
    foremost we needed a
    transparent
    project to
    bring the
    sector together.
    We could
    work with our
    government
    partners and
    agency and
    treasury in
    partnership
    to have an
    open
    discussion on
    a persistent
    regular bases
    several times
    per month on
    let's talk
    about what
    people think
    is a bad day.
    Let's get
    everybodies
    input on that.
    That's what
    we call our
    risk
    committee.
    That process
    is really
    important important.
    It was
    happening
    around
    systemic
    risk.
    What that lead to is ark founded by the
    member and
    operators of relative vicinity critical
    infrastructure decided we
    need to put
    balance sheet
    capital
    behind understanding
    how we will
    react to that.
    Putting
    together
    playbooks and
    mapping the
    processes
    that
    underline the
    key systems.
    Chris talked about
    wholesale payments and
    other
    critical
    functions
    that if
    exposed would
    effect all 7500
    plus final institutions
    in the country.
    Not just
    wholesale but commercial
    and retail.
    Have we
    mapped the
    processes
    out?
    The market understands
    them but when
    you get to
    the underline
    business
    functions
    that each
    organize
    contributes
    that's less clear.
    Underneath
    that what are
    the
    technologyies
    that support them.
    So, our job
    was to invest
    in understanding
    that and
    better
    driving if a at
    the dellty around it.
    If prevented
    with a bad day or
    it's effected or
    compromiseed
    we have a
    playbook on
    how it will
    work together.
    We have talked
    to our government
    partners
    about that.
    They talked
    about the
    importance of
    that
    relationship.
    Also, we
    have
    implemented tools
    that will
    make us
    measureably
    more
    resilient.
    If we are
    looking
    Atticus Tom
    measure data
    to address it
    quickly.
    How we address
    certain
    account
    behavior.
    How we treat
    a institution
    on a bad day.
    Having those
    things in
    place ahead
    of time pays
    dividends
    towards that
    bad day.
    On
    the
    resilientcy
    side we are
    able to do
    that in
    advance and
    continue to
    rethink what
    are the top
    ten or
    fifteen bad
    days look like.
    On the back
    end of that
    that will
    give us the
    ability to
    drive our
    participating
    members in
    the sector to
    collecting information on those
    key systems in a
    better way
    then they were before
    and work with
    our partners
    across
    government
    through DHS
    to get the
    government
    collecting on
    those in a
    smarter way.
    One side we
    have What do
    we do to impact
    resilientcy
    and on the
    other side
    can we get
    strategyic early
    warning when
    they targeted
    what we have
    identified.
    Those are
    our two major initiatives
    in the work we do.
    >> Let me ask a quick follow up,
    innovation,
    is this
    evolution
    reor a paradigm
    shift.
    >>
    It's
    evolutionary
    with a
    revolutionary out come.
    You have to find a way to protect the most
    sensitive information.
    This is about getting information out
    quickly to a lot of members.
    Removing context.
    It's without come come per
    -- comper micing.
    We are about building context
    backup and
    doing joint analysis.
    That doesn't
    happen at
    scale quickly.
    You have to
    protect and
    defend the
    data you are
    asking for.
    You are
    asking them
    to share
    their most
    sensitive
    vulnerable
    vulnerabilitie
    s.
    That takes time.
    Finding a way
    to do that
    and getting
    the sector to
    participate
    is the big win.
    That's
    evolutionary,
    as we look
    back, no one
    has
    identified
    and kept a
    compos of
    what lives
    during this time.
    >> We at DHS
    found this model so
    compelling.
    Mark, you
    just hosted a
    discussion
    with a number
    of natural
    gas
    representatives.
    How much
    does this
    thinking
    match what we
    are doing.
    When you
    hear Scots
    experience
    how similar
    is it to what
    you are
    trying to get done.
    >> In many
    respect it
    tracks but in
    part our industry has
    been looking
    at what's
    been going on
    in the
    financial
    area.
    When congress gave
    us the sector
    specific
    agency and
    authority to
    make sure we
    have the
    energy sector
    and
    Cybersecurity
    secure if you
    will we looked
    to see what
    was out there.
    We brought
    to bear to to
    bear our
    national ads and put in place
    what we saw saw.
    Information sharing you talked about is
    important.
    It's I
    deputifyingfy
    --
    identifying
    the threats
    and making sure our energy system at
    large is operational.
    It should be no surprise to everybody
    in the room our energy sector is a target
    because of the tremendous
    success we have.
    We talked about this in
    the group.
    We lead the
    world as an
    exporter in
    natural gas.
    We are an
    economic
    problem for
    other countries.
    We are a
    target.
    We
    think if we
    flip the
    light we'll have
    electricity
    and if we
    turn on the
    stove we'll
    have gas.
    FedEx has an
    interesting
    point on oil
    production.
    Over 70% of
    our energy is
    still used in
    transportation
    fuels.
    So, it's
    important we have
    it safe
    guards to
    ensure the
    resilientcy
    in the
    electricity
    system.
    This
    drives our
    economic
    secure
    security and
    process parity
    as well as if
    we are I
    energy security.
    We need to
    be sure while
    we produce
    natural gas
    and we have
    to have an
    electric
    system that's
    also
    resilient.
    You cannot
    have elect elect
    --
    electricity
    unless you
    have power.
    We are
    engaged in an
    effort to
    make sure we
    have
    generation
    there as well
    as a secure
    transmission system
    that will
    ensure
    affordable
    and reliable
    and resilient
    electricity.
    In many ways
    we model.
    Our
    challenges
    are gater.
    I mentioned our labs.
    If you go to
    our labs we
    host an EFFC
    meeting some
    of the oil
    and natural
    gas
    coordinating
    councilmembers
    participated in.
    I think it
    helps race
    raise the
    level of
    comfort when
    you see we
    have in
    place, as I
    mentioned.
    We,We can
    identify
    information
    sharing on
    the I.T.
    systems.
    With the
    industrial
    control
    systems
    playing a
    part in
    modernizing
    our systems
    we can go
    down the
    supply chain
    and look at
    the devices
    and we can
    help identify
    and add added
    -- address those spreads.
    We provide
    training at
    these if a skillties.
    We go the
    grid X with
    the FCC and
    oil and
    natural gas.
    We are trying
    to do it as
    much as which
    much as we can.
    It's been the
    financial Indus try setting
    the standards.
    >> He brought you in the conversation.
    We had conversations about perhaps
    in the past
    how we
    thought about
    critical
    infrastructure
    and how they
    missed things
    that are
    important important.
    Talk to me
    about your
    prospect
    prospective
    at FedEx and
    what we might
    have missed
    that's a
    national
    security asset.
    >> You know,
    before I talk
    about that.
    I would like
    to remind
    people to
    about a year
    ago.
    This time last
    year I
    personally
    spent a month
    in Europe.
    This morning
    we talked
    about crisis mode and what the worse day
    looked like.
    I lived through the
    worse day.
    >> Sorry.
    >> This is
    nothing
    compared to
    that.
    LAUGHTER ]
    >> You know,
    it's public
    knowledge.
    We brought a
    European
    shipping company and they got
    attacked by viruses.
    Within minutes
    thousands of
    severs and
    tens of
    thousands of
    laptop partly
    PC PCs were enencrypted.
    Through the
    period we saw
    the ripple
    effect of the
    damages.
    Many of our
    'cuz Tom --
    I'm items
    couldn't be
    shipped out.
    Our systems
    were not
    available.
    came to a few
    critical
    realizations
    right after
    that crisis.
    First, we as
    a logicist
    company
    cannot go
    this alone.
    When you
    deal with
    nation
    states, you know,
    I think our
    government
    has a nation state with Russia.
    This was collateral damage
    between the
    fighting of
    Russia.
    For
    a pry private
    corporate there is
    no way to go
    against a nation state.
    It's a
    losing battle.
    So,
    government --
    we started to
    realize the
    government
    has to play a
    part in cyber
    defense.
    That's
    first, the
    second one, I
    do think what
    Scott and the
    Secretary talked about
    collective defense moving
    forward on
    the sectors.
    Take a
    playbook from
    final
    services industry.
    It's
    important to
    share best
    practices and
    Intel and
    bring the
    government
    into helping
    different
    private industry.
    These are
    some of the
    items.
    Of course, in
    the meantime
    we are
    spending as
    much as we
    can on
    Cybersecurity.
    We are
    entering a
    cyber arms race.
    We don't
    know if
    that's
    sustainable.
    We need a
    new paradigm.
    I'm so
    pleased and
    excited about
    what is taking place today.
    >> You help
    the industry.
    I think you
    get a lot of
    head nods
    about a
    strategic
    approach today.
    Throw some
    cold water on
    it if you
    don't mind.
    What will
    make it hard
    for government
    and industry
    to work together?
    >> Well,
    first of all,
    I want to
    commend DHS.
    It's
    important
    considering
    where we are today.
    There is a
    change of
    when some of
    us started
    working on
    these issues.
    Before it
    was called
    cyber it was
    called
    internet security.
    We have seen
    it accelerate now.
    GovernmentsGo
    vernment has
    worked hard
    to keep up
    with it and.
    When it was
    a person in a
    basement or
    criminal
    element or
    competition
    that was
    trying to steal did a tag
    number -- information companies
    were able to deal with that.
    Now we are dealing with
    nation states and challenges.
    The
    government
    isn't
    organized for
    this 21st
    century
    paradigm.
    Congress has
    a role to
    play.
    Congress is still in
    the 19th
    century structure.
    I know that.
    I have
    experienceed
    that and it's
    still a challenge.
    You have
    challenges
    with
    organizes themselves.
    Federal
    agencyies.
    If you are
    an industry
    and looking
    at this array
    and.
    In the
    natural gas
    sector where
    we are highly
    regulated
    from the
    local level
    through
    federal so
    you need to
    understand acronyms and
    have
    relationships.
    At the end
    of the day it
    by boils down
    to
    relationships.
    You need to
    have the
    person you
    call and
    know.
    Everybody
    talks about
    the bad day.
    You build-up
    the
    relationship prior
    to that.
    There are
    still
    obstacles.
    Whether it's
    congressional
    authorities
    or whatever.
    Our role in
    what I've done at the American gas
    association.
    We have all of the investor own owned
    utilityies and 60% of members are a
    combination
    of electric
    and gas.
    When we talk
    about energy
    we understand
    the
    importance of
    that and role.
    We need to
    be proactive.
    The electric
    sector we
    have to commend
    through the
    EFFC they
    have
    experience
    trying to coordinate.
    They are
    bringing
    natural gas
    into that.
    After the
    shell
    revolution we
    have moved
    from an area
    of scarcity
    to abutton
    abundance.
    We also
    deliver
    natural gas
    to 75 million
    households
    and over 175
    million people
    in the
    country.
    We
    power most of
    the man
    fractureing
    manufacture manufacture
    --
    manufactureing.
    All of that
    is critical.
    As it's
    become inno
    interrogateed.
    As it passes
    coal there is
    more concern
    about what is
    the impact of
    -- what would
    happen if
    there was an interruption
    in the gas supply.
    We can talk
    about that more.
    We work
    closely with TSA.
    They are
    part of DSH.
    They have
    surface transportation.
    We work with
    FINZA on safety.
    The Department
    of Transportation
    Transportation.
    We work with
    the DOE on a
    lot of their functions.
    Understanding
    the different
    agencyies and
    coordinating.
    >> That
    makes sense.
    Mark, I had
    a opportunity
    to listen to
    you a number
    of times sense you
    come onboard.
    I know know
    you came to
    break barriers
    abdomen make progress.
    What couple
    barriers
    would you
    want or most attune
    to go after
    at this point?
    >> Thank you
    for the question.
    I have been in industry and now I'm
    in government.
    I came in with the strong belief back
    then that we had to
    together
    together --
    to get
    together more
    as industry.
    We had to
    gain information
    and share information.
    Those are
    generally the
    big issues we
    were told.
    We need your
    information
    but we can't
    tell you what we know
    but by the
    way fix your
    system
    because, you
    know, it's
    your system.
    So, it's
    very
    flustering.
    Came into
    government
    and I found
    that we do
    have information
    that we can't
    give to you.
    We have a
    very
    cumbersome
    process to
    identify the
    information
    then classify
    or declassify
    it to share.
    It has been
    a learning
    experience
    here.
    Part
    of the reason
    we are here
    is to let you
    know we are
    committed.
    Bob and I
    talked about this.
    It's as much
    of busting
    down within
    the
    government to
    make it more
    helpful, more
    information
    sharing.
    More
    responsive in
    being able to
    provide what
    you need.
    It's
    complicated
    in the
    government.
    The good
    thing about
    the
    government,
    we have these
    national labs in resources
    to help work
    with you and
    provide you
    cuttingth
    cutting-edge
    technology we
    need across
    the whole
    operating systems.
    We are
    becoming more advance.
    If you have
    an iPhone you
    can have
    access to
    your energy
    and provider.
    We are getting to
    that point.
    At every
    point along
    with the way.
    The
    commitment
    here is to
    help bust
    down the
    silos within
    the
    government to
    be more
    responsive
    and
    information
    sharing two
    of the
    industries
    have been
    desperate to
    a large
    degree.
    That's our
    goal to
    insure we are
    much more collaborative.
    It was clear that oil and
    natural gas
    has asked to
    be more
    includeed.
    >> Mark and
    I were in
    Idaho falls.
    I was there
    a year ago with
    our team.
    The I ICS is
    there
    industrial
    control
    system and go
    figure out
    those charts.
    >> We'll
    draw it up in
    a while.
    >>
    You know, the
    lab is doing
    things we
    find very
    helpful as we
    go more
    machine to
    machine.
    We
    talk about crisp.
    It's not as scalable.
    What you do
    with side
    tricks on the
    cyber supply
    train testing.
    What you do
    with chi
    coyote is
    cool.
    All of
    these things
    are, go find
    those accident enemies.
    Those are
    helpful and
    those are the
    kinds of
    things that
    industry
    would like to
    work with
    government to
    help address
    this
    challenge.
    >> Just for clerrification.
    On the
    acronyms,
    Chris is
    cyber
    information
    sharing
    program.
    If I can add
    this one in
    the mix.
    It's
    Cybersecurity
    testing for
    resill
    resilientcy
    of industrial
    control systems.
    >> All
    things we can
    get behind.
    [ APPLAUSE ]
    >> I'm from
    the government
    and I'm hear
    to help.
    >>
    So, Scott.
    LAUGHTER ]
    Berry's
    industry is
    working
    across the
    industry
    working
    together.
    What would
    you like to
    see us overcome?
    >> I would
    say a few things.
    The
    relationships
    between the
    sectors and
    between the sector
    and
    government
    are important.
    They allow
    us to mobilize.
    They have to
    turn into
    collaboration.
    That's why
    what you are
    building with
    the center is
    so important.
    I believe
    john said it
    earlier when
    he said the
    collective experience is
    better than
    the
    individual
    experience.
    We have
    gotten tuned
    into
    information
    sharing as a
    trend transaction.
    I have
    information,
    I need to get
    it to you.
    I'll give
    you to title
    of that
    information
    and good luck
    secure
    securing your
    network and
    organize and
    be
    situationally aware.
    That's an
    important function.
    We have
    tried to move
    towards a set
    of collaboration
    with our
    sector and
    government partners.
    Can we look at
    joint
    analytical collaboration
    together so
    we are both
    watching the
    accumulatetive
    effect.
    We
    are analyzing
    vulnerable
    venerableiliti
    >> They were protecting
    the cyber
    infrastructure
    We are part of
    the group to
    make the economy work
    for society.
    I'm very
    anxious to wait
    for for DHS
    to Expand the
    partnership
    farther into
    other
    critical
    functions for
    the U.S.
    economy.
    >>
    Let me
    clerfy, we
    are not stopping
    it to three sectors.
    We have, I
    think, commitment
    from industry
    and the way
    they organize and
    experience
    plus the
    criticality
    parts make it
    possible to hit
    a running start.
    When we
    think about
    critical
    national
    functions we
    don't want to
    limit the
    definition by
    that by who
    produces it.
    We have to
    figure out
    what are the
    things that
    are most
    important.
    The
    Secretary
    talked about
    GPSPS all
    critical
    infrastructure
    s depend on that.
    We will be
    in an an
    explore an ex
    -- explore
    Torrey frieze.
    >> It's
    important for
    the sectors
    to do their
    homework and prioritize
    the risk when
    they come
    with DHS.
    If you don't do
    that work to
    prioritize it
    there is a
    lot you can
    focus on.
    If
    you don't get
    down to the
    few when we
    come to the
    table I would
    worry we
    would fail.
    They have
    their part to
    play as
    operators.
    They have
    the critical
    information
    you need to
    secure the
    bigger system
    of systems.
    >> In your
    experience,
    as we get to
    the vital few
    is it about
    securing it
    or taking it
    off the list.
    >> The national
    functions are always going
    to be the
    critical
    national function.
    You will
    only
    understand
    them better
    and have
    better
    facility and
    have better
    intelligence
    because you
    are very
    focused on
    the systems
    and
    understand them.
    >> So, as we
    wrap-up.
    I'll go to you.
    >> So, under the umbrella
    of DHS don't
    forget those
    primary functions
    like TSA and
    there are
    resources and
    staffing they
    need as we
    updated the
    recent
    Cybersecurity
    guidelines in
    this framework.
    We are
    piling in those.
    They need to
    be reviewed.
    Our partners
    need to be
    there but
    need
    resources.
    I'll also plug
    for Chris as
    well well.
    HR 3359.
    Getting that
    agency
    designated will
    clerfy the clarify
    the lines.
    The
    partnership
    is very clear.
    We can't do
    it without
    each other
    because the
    threat has
    changed so
    dramatically.
    We commend
    you for that.
    >> Thank
    you, yeah,
    you know, I
    hope that
    everyone
    leaves with a
    sense of urgency.
    We will do
    it in a
    deliberative way.
    We have
    goals to look
    and and
    talking about
    how we'll
    give an
    update in 90 days.
    We don't
    want the 90
    day goal to
    be a
    substitute
    with the fact
    we need to
    deliberate.
    Mark.
    >> Just on
    the busting
    down the
    silos we
    should know
    as a team we
    can help DHS
    do it's
    enormous job
    to make the
    nation safe.
    We set up a
    special office
    that will be
    headed by an
    assistant
    Secretary
    with the
    accident them
    of CESAR.
    It ' emergency response.
    ThatThat has
    helped bring
    together the
    various
    elements
    within our department.
    We cover a
    lot of things
    as well.
    With that,
    if we can
    bring those
    kinds of
    assaults.
    assaults
    -- assets.
    I encourage everyone
    to think of
    it as a team play.
    We are all
    interrelated
    and
    interdependent.
    The better
    we are less
    at guarding
    the turf and
    pulling
    together we
    can make
    great progress.
    >> Those are good final
    thoughts as
    we are ready
    to wrap-up.
    I would like
    to thank the
    panel and
    we'll get
    ready for the
    vice Vice
    President.
    APPLAUSE ]
    >> All
    right, that
    concludes the
    official
    panel
    programming
    for the day.
    I'll ask you
    to hang tight
    in the
    auditorium.
    The vice
    president
    will be on shortly.
    If you leave
    the
    auditorium
    you will have
    to reprocess
    through
    secureity.
    don't believe
    you will make
    it back in.
    Hang tight.
    Thank you.
    AreTurnpikes
    [ MUSIC ]
    ??
    >> Ladies and gentlemen,
    please
    welcome the Secretary of
    homeland
    security
    Christian
    Nelson.
    APPLAUSE ]
    >> Hello and thank
    you for being
    here all day
    with us.
    We greatly appreciate it.
    Before we welcome our final speaker of
    the day I
    want to thank everyone for
    their leadership and
    partnership
    and if we
    could I would like to give you a round of [
    APPLAUSE ] applause.
    I know you will be here with us
    shoulder to
    shoulder.
    I could
    probably take
    all of the
    time in
    summing up
    what we
    talked about today.
    Let me hit
    on a few
    points before
    I introduce
    our speaker.
    As I said
    earlyier our
    digital lives
    are on the line.
    Our
    adversary
    adversaries
    are trying to
    advance our
    networks,
    systems, and functions.
    They would
    like to
    steal,
    disrupt,
    manipulate,
    and destroy.
    Together we
    won't let
    them succeed
    nor falter.
    This room is
    full of minds that
    can help us
    solve this problem.
    Full of
    experts and
    those with
    expect
    expertises.
    As I said
    the add have
    add have a sayer
    -- add add
    have add they
    are crowd
    surfing their
    attacks.
    We
    have a will to
    win and
    secure
    cyberspace
    against all
    enemies.
    We have come
    together to
    send a
    powerful message today.
    TherERA has
    passed.
    Whether you
    are a
    criminal or
    nation state
    if you breech
    our breach
    our networks
    you should
    look over
    your shoulder.
    There will
    be costs for
    hacking,
    reproconcussio
    ns for sealing
    and
    consequences
    for
    disrupting
    our systems
    and meddling
    in our democracy.
    The national
    risk
    management
    center we
    announced
    earlyier
    today will
    allow us to
    move beyond
    information sharing.
    To a stage
    where we can take
    joint action
    to protect
    critical infrastructure
    and our
    national
    critical function.
    The center
    will develop
    policies
    policies,
    plans, and playbooks
    to gain the
    upper hand in
    cyberspace.
    Other
    initiatives
    is cyber work
    force
    programs and
    new joint
    exercises
    will allow us
    to bring
    government
    and industry
    together like
    never before.
    We'll
    prioritize
    our efforts
    and instil
    the mussel
    muscle memory
    needed at
    machine speed.
    I asked DHS
    and members
    of our team
    to begin a
    nationwide tour to
    connect with
    cyber expects
    and drive
    these efforts
    forward.
    We
    welcome the
    commitments
    many of you
    have made today.
    We do need
    your help and
    we need you
    to help am --
    New amfy our
    call to action.
    I have the
    great honor
    to introduce
    our final
    speak irof ir
    -- speaker of today.
    He's a
    passionate
    advocate of
    national
    secureity.
    Our next
    speaker is no
    stranger to
    the practice
    of risk
    management as
    governor of
    independent
    an Indiana he
    established a
    Cybersecurity
    council.
    To
    bring the
    public and
    private
    partners
    partners together.
    He has
    carried that
    commitment to the
    White House
    where he's
    championed
    President
    Trump's bold
    Cybersecurity agenda.
    He's a
    leader in
    enableing us
    to build a
    better cyber
    ecosystem and
    above all a
    leader in
    protecting
    the American
    people.
    Ladies and gentlemen,
    it's my great
    pleasure and
    honor to
    introduce the
    vice
    president of the
    United States
    of America.
    Mike pence.
    [ MUSIC ] ??
    [ APPLAUSE ]
    >> Well
    thank you for
    that kind introduce and
    your
    leadership at
    the
    department of
    homeland security.
    Would you
    join me in
    thanking
    Secretary
    Nelson for
    her
    leadership
    and bringing
    together this
    historic
    summit today.
    [ APPLAUSE ]
    >> To the
    Secretary and
    Secretaryiry
    perry and director ray
    and all of
    the leaders
    of industry
    and academia
    that have
    come from
    near and far..
    It's my
    honor to
    welcome you
    all all.
    At the close of
    the events
    today at the
    first ever
    national
    Cybersecurity summit.
    Thank you
    all for being
    here today.
    APPLAUSE ] I
    bring
    greetings and
    gratitude for
    your
    participation
    in this conference
    from a great
    champion of
    nutritional
    security
    President
    Donald trump.
    I'm here on
    behalf of the
    President.
    Cybersecurity
    is a major
    focus of the administration.
    Over the
    last year at
    the
    President's
    direction we
    have taken
    action to
    straighten
    our digital
    infrastructure
    We know
    Cybersecurity
    has never
    been more important
    than the
    American
    people.
    America
    depends on
    the digital
    world.
    All
    of the
    industry
    leaders know
    too well.
    It's opened
    countless new
    doors of opportunity.
    Created
    extra
    extraordinary
    process
    parity and
    unleashed a
    new ERA of(e)
    entrepreneursh
    ip that
    effects our
    lives and
    society.
    While this
    revolution
    has spurred
    new
    opportunities
    as you have
    discussed
    here today.
    It's also
    spawned new
    threats.
    Criminal
    terrorist
    foreign
    adversaryies
    constantly
    prowling the
    domain and
    present a
    threat to the
    nation.
    Americas digitalin
    if a
    structure is
    under
    constant attack.
    The federal
    government
    alone
    experiences
    hundreds of
    thousands of
    digital
    assaults everyday.
    Across the
    entire
    country the
    number of
    attacks on
    our digitalin
    if a
    structure digitalin
    if a stuck -- digitalin
    if a digital
    -- digital
    infrastructure
    is countless.
    They
    threaten our
    families
    privately.
    Like those
    that breech
    breached ex
    EQUFAX.
    They extort
    our hard
    earned money.
    As we saw in the
    North Korea
    attack that
    held more
    than 200,000
    devices and
    150 country
    countries hostage
    demanding a
    ransom.
    Foreign
    interests
    also
    routinely
    steel steal
    trade secures
    from our
    important
    industries.
    As our
    administration
    recent
    trade-in vestgation
    found for --
    trade
    interest
    invasion china
    has been
    finding and
    steeling
    steel
    stealing our
    intellectual
    propertyies.
    Our cyber
    knows also
    would like to
    disrupt our
    infrastructure
    They might
    have the opportunity
    to shut down
    the nerve
    center of
    American
    energy in our
    national life.
    They also
    target our
    economy.
    single
    Russian
    malware
    attack last
    year cost a
    major American
    shipping
    company
    roughly $400
    million and
    in 2016
    cyberattacks
    it's
    estimated
    cost our
    economy $109
    billion.
    Cyber
    attackers
    also go after
    government at
    ever level.
    In march
    Christian
    when hackers
    hobbled the
    city of
    Atlanta and
    crippled many
    basic
    services for
    several days.
    As the
    American
    people know
    too well they
    increasingly
    use the digital
    world to
    manipulate
    and divide.
    In the face of these threats
    the American people demand
    and deserve
    the strongest
    possible
    defense and
    we will give
    it to them.
    APPLAUSE ]
    >> Previous administration
    s have let the
    American people down
    when it came
    to cyber
    defense.
    The
    out set of
    this
    administration
    it became
    clear from
    early on in a
    very real
    sense we
    inherited a
    cyber crisis.
    The last
    administration
    neglected
    Cybersecurity
    even though
    the threats
    were growing
    by the day.
    In 2014 a
    foreign government
    hacked into the
    White House
    network
    itself and yet
    in the face
    of constant
    attacks like
    that the last
    administration
    too often
    chose silence
    and paraural
    para paralysis
    over straight
    and action.
    Those days
    are over.
    At
    President's
    President
    trump
    direction we
    have taken
    action to
    fortify
    Americas
    Cybersecurity
    capabilityies.
    We are
    forgerying
    new
    partnerships.
    Evidence all
    across the
    society with
    state and
    local
    governments
    and great
    corporations
    so well
    represented here.
    We secureed
    new funding
    from
    Cybersecurity.
    In our first
    year in
    office we
    allocated $1.2
    billion to
    digital
    defense and
    next year we
    have
    requested a
    $15 billion.
    We will
    continue to
    work with
    congress.
    We'll
    continue to
    provide the
    resources we
    need to
    defend our
    nation from
    the threats
    we face in
    the digital
    domain.
    This issue
    requires more
    than new
    funding.
    America also
    needs a
    central hub
    for
    Cybersecurity.
    Today we
    call on the
    United States senate
    to follow the
    lead of the
    house of representative
    s and before
    the end of
    the year
    enact legislation
    to create a
    new agency
    under the
    authority of DHS.
    The time has
    come for the
    Cybersecurity
    and
    infrastructure
    agents to commence.
    Thank you.
    [ APPLAUSE ]
    This agency
    will bring
    together the
    resources of
    our national
    government to
    focus on
    cyber
    Cybersecurity.
    It's an idea
    who's time
    has come.
    In addition to
    funding and
    reforms our
    administration
    is hardening
    federal
    networks.
    We
    are taking
    renewed
    action to
    identify
    renewed
    action that
    our adversary
    can exploit.
    They have
    long allowed
    a Russian
    antivirus software
    to be
    installed on
    government
    devices even
    though it has
    a relationship
    with the
    Russian
    government
    and
    intelligence
    services.
    This threat
    existed for
    many years.
    Our
    administration
    ended the
    threat last
    year when we
    banned lab software
    from the
    entire
    federal
    government.
    APPLAUSE ] Where
    heWe have
    also stopped
    sharing
    information
    with network
    defenders
    defenders.
    Americas
    intelligence
    and law
    enforcement
    agency
    agencies have
    the ability
    to find
    weaknesses.
    While the
    last
    administration
    s almost
    always held
    onto this
    administration
    in this White
    House I'm
    proditory
    port we have
    improved how
    much we share
    with the
    private
    sector and
    the speed
    with which we
    share it.
    Today,
    nearly one
    third of the
    threat indicators
    are not
    available
    from any
    other source.
    We'll
    continue on
    that track.
    Finally, our
    administration
    is putting
    the finishing
    touches on
    our national
    cyber strategy.
    This will
    make clear
    that the
    United States
    will bring
    every element
    of our
    national
    power to bear
    to protect
    the integrity
    and security
    of the
    American
    digital doe
    -- domain.
    APPLAUSE ]
    Our actions
    have made our
    adversary
    actions more costly.
    As we
    continue to
    reinforce our
    cyber
    defenses
    we'll deter
    them as ever before.
    As you well
    know, we
    can't prevent
    every assault
    or attack in
    the deathal spear.
    The size and
    magnitude of
    the danger
    combined with
    the rapid
    evolution
    means that
    some attempts
    will slip
    through the
    cracks.
    Be
    assured our
    government
    will make
    sure we keep
    the
    resilience of
    our digitalin
    if a
    structure.
    When the
    breaches
    occur we'll
    get back on
    our feet
    quicker and
    we'll prevent
    the next attack.
    When it
    comes to
    stopping our
    cyber
    advosayer --
    adversary
    adversary
    resilience
    isn't enough.
    In this
    White House
    I'm proditory port
    we are -- I'm
    proditory
    port we are.
    We have
    taken action
    to elevate
    cyber command
    to a combaton command.
    We put this
    on the same
    level of
    commands that
    oversee our
    military
    operations
    around the world.
    Gone are the
    days when we
    allow our
    enemies to
    cyber attack us.
    Our goal
    remains.
    American
    security will
    be as dominant
    in the
    deathal
    digital world
    as we are in
    the physical world.
    For youUSE ]
    For all that
    we have done
    and all that
    we are doing
    there is
    still much
    more work ahead.
    What will
    bring us here
    today is the
    reck
    recognition
    we can't do
    it alone.
    Straightening
    American
    Cybersecurity
    doesn't
    belong solely
    to our
    national
    government in
    Washington
    D.C.
    The
    greatest
    progress
    happens from
    the bottom up
    and not the
    top down.
    Beyond our
    government
    wide approach
    we need you.
    We need you
    to continue
    to partner
    with us for a
    nationwide
    approach.
    For together
    we can
    protect
    America's
    digital domain.
    [ APPLAUSE ]
    >> It's been
    said
    Cybersecurity
    is a team
    sport and
    requires
    collaboration
    between the
    federal
    government,
    state and
    local
    leaders, but
    also innovate
    innovators
    and
    entrepreneurs.
    In a world
    it -- word it
    requires all
    of you in the
    room and all
    you represent
    across the nation.
    We have
    taken
    important
    steps to
    improve our
    partnerships
    at ever level.
    In addition
    to this
    conference
    today where
    you have
    heard much
    about those
    efforts I'm
    particularly
    excited with
    the new
    initiative announced
    this morning.
    The national
    risk
    management
    center.
    This new center
    will be the
    gateway for
    American companies
    that would
    like to work
    with the federal
    government
    more closely
    to straighten
    our shared
    cyber
    Cybersecurity.
    Let me take
    this moment
    to thank all
    of you who
    have already
    expressed
    intention to
    join this initiative.
    Just a few
    weeks ago in
    the situation
    room I
    personally
    met with the
    President's
    national
    secureity
    tell
    communication
    advisory
    community
    that will
    bring
    together key
    intrussly
    leaders --
    industry leaders.
    I learned
    then and
    we'll learn
    more that
    they will
    soon launch a
    Cybersecurity
    moon shot initiative.
    This will
    focus our
    national
    energies and
    skills on
    digital
    dominance.
    Those
    leaders, that
    day informed
    me America won
    the race to
    the moon.
    To this administration
    and in
    partnership
    with all of
    you America will
    lead the way
    to
    Cybersecurity
    and straight.
    [ APPLAUSE ]
    This
    examples I
    mentioned
    today are
    essential to
    the secureity
    and process
    parity of the
    American people.
    As we gather
    today the
    American
    people also deserve
    to know that
    our democracy
    is secure as well.
    Before I
    close, let me
    speak to our
    administration
    s action to
    save guard
    the integrity
    of our
    elections.
    While other
    nations
    process the
    capability.
    The fact is,
    Russia
    meddled in
    our 2016
    elections.
    That's the
    unambiguous
    judgment of
    our
    intelligence
    community and
    we except the
    intelligence
    communityies
    conclusion.
    Russia's
    goal was to
    sew discard
    and weaken
    peoples faith
    in democracy.
    No votes
    were changed
    but any
    meddling will
    be be
    allowed.
    APPLAUSE ]
    >> The
    United States
    of America
    will not
    tolerate any
    foreign
    interference
    from any
    nation state.
    Not from
    Russia,
    china, Iran,
    or anywhere else.
    As President
    Trump said we
    won't have
    it.
    To that
    end, over the
    past year
    President
    Trump has
    directed our
    administration
    to create as
    well a whole
    of government
    approach to
    straighten
    election
    secureity.
    As recently
    as last week
    the President
    convened a
    national
    secureity
    counsel
    council
    meeting for
    updates on
    the progress
    we have made.
    We have
    taken a firm stance
    and backed it
    up with
    strong action.
    The FBI has
    foreigned the
    foreign
    influence
    foreign task
    force to
    identify
    secret
    foreign
    groups groups
    trying to
    undermined
    our democracy.
    They have
    launched the
    information
    analysis center.
    This project
    that all 50
    states and
    900 Counties
    have joined
    will prevent
    attacks
    before they happen.
    Identify
    them when
    underway and
    stop them
    before they
    can do
    lasting
    damage.
    Working with congress
    we have made $380
    million
    available to
    states.
    They
    can update
    voting
    machines in
    secure
    technology.
    We are
    deploying new
    centers to
    monitor
    networks and
    identify
    instructions
    at the state
    and local level.
    38 states opted
    in the
    program but
    we Expand the
    farther 22
    states and
    Counties as
    they are
    request.
    Our
    administration
    launched a
    cyber
    awareness room.
    This is a
    vehicle vir
    vir vertical connection.
    In my home
    state of
    Indiana as
    well as owe
    Ohio and west
    very Virginia this system was used and
    will be used in
    the elections
    in November.
    We also
    helped them
    respond to
    cyberattacks.
    Two weeks
    ago a County
    in Kansas
    reached out
    after a mal
    malware
    attack forced
    them to
    shutdown not
    just the election
    network but
    the Counties
    network.
    They worked
    with County
    officials to
    identify and
    eliminate the
    dangerous
    intrusion.
    This was a
    model of the collaboration
    that we need
    to ensure the
    security of
    our elections
    and we commend
    the state and
    local and
    federal
    officials
    that made it
    happen.
    APPLAUSE ]
    >> Our
    administration
    show that
    they are
    administered
    at the state
    and local level.
    This
    administration
    has been a
    champion of
    federalism.
    With the
    respect of
    per view in the state and
    local officials.
    Many states
    don't have
    concrete
    plans to
    upgrade their
    voting
    systems.
    14
    states are
    struggling to
    replace out
    dated voting
    machines that lack
    paper trails
    before the
    next election.
    Today, not just as
    vice president but
    as a former
    governor, I
    want to urge
    with great
    respect,
    every state
    to take
    renewed
    action.
    Take advantage of the
    assistance
    offered by
    our
    administration.
    Do
    everything in your power to straighten
    and
    protect your election
    systems.
    You
    owe your
    constituents
    that and the
    American
    people expect
    nothing less.
    [ APPLAUSE ]
    >> This is a
    time for
    vigilence and resolve.
    I can assure
    you our
    administration
    will take
    strong action.
    We have done more than
    any administration
    in American
    history to
    preserve the
    integrity
    integrity of
    the ballot
    box and we
    have just
    begun.
    We'll
    continue to work
    tire tireless
    tirelessly to
    keep them
    from changing
    votes and
    election outcomes.
    As the
    President
    said, we will
    repel any
    efforts to integer in
    our elections.
    When anyone
    violates our
    laws we'll
    bring them to
    justice and
    utilize ever
    element to
    respond.
    Our
    democracy
    demands and
    deserves the
    most vigorous
    defense we
    can give it.
    [ APPLAUSE ]
    >> I want to
    assure you with can do
    this in a man there
    that will
    respect the
    God given
    libertyies in
    our constitution.
    We will
    never stop
    voices in a
    free society.
    We can
    expose
    fraudulent
    voices when they seek to undermined
    confidence in
    our democracy.
    This we
    will do.
    Our admin station
    will always
    make efforts to shed light on foreign
    attempts to interfere in our elections
    and society.
    Our 16th
    President
    said it best.
    When he said
    give the
    people the
    facts and the
    republican
    will be saved.
    When the
    American
    people have
    the facts
    they always
    uphold our
    cherished institution
    and values.
    This is just as true
    today as it's
    been in our
    nations long
    history.
    So
    thank you
    again for
    being here.
    Being apart
    of this
    important and
    historic
    gathering.
    You do the
    nation a
    great credit
    by
    participating
    in today's
    discussion
    and by more
    important
    important
    importantly
    following
    through with
    a greater
    partnership
    appeared
    collaboration.
    The truth is
    Cybersecurity
    is unlike any
    challenge we
    have ever
    faced.
    It's
    a work that's
    never done.
    It's a
    process that's
    continuous
    and so must
    our collaboration be.
    Technologies
    are shifting
    by the minute.
    From the
    internet of
    things to 5G
    to artificial
    intelligence
    to quantum
    computing.
    Each advance
    is
    accompanied
    by new
    opportunities
    and
    challenges challenges.
    Just as the
    threats are
    evolving our
    defenses
    defenses too
    must evolve.
    The only way
    to be strong
    and secure is
    if we stand
    strong and
    secure
    together.
    on
    behalf of the
    American
    people.
    APPLAUSE ]
    Cyber
    security -- [
    APPLAUSE ]
    Cyber secure
    --
    Cybersecurity
    is a a civil duty.
    You have established
    yourselfves
    as leaders
    and patriots patriots.
    Long before
    this
    conference
    today by your
    efforts for
    the American people.
    The President
    and I need
    you to
    continue to
    be advocates
    in your
    industry and
    among your
    peers for
    greater
    Cybersecurity
    collaboration.
    The American
    people
    deserve
    nothing less.
    Keep talking
    about how
    they need to enlist
    in the fight.
    Tell them
    they have an
    obligation to
    identify the
    weaknesses in
    their own
    networks and
    platforms.
    The weakest
    link creates
    a venerableility.
    Tell them we
    need them to
    buy American
    when it comes
    to digital
    projects and
    services.
    Not just the
    to support
    American jobs
    and
    innovation
    but American
    secureity.
    Tell them
    they need to
    share their
    insights,
    ideas and
    innovations
    that innovations.
    Above all
    else, tell
    them what you
    have heard
    here today at
    this conference.
    Tell them we
    need to work
    together.
    on
    an increasing
    bases.
    Not
    just with our
    national government
    but with
    state and
    local
    government to
    ensure
    security and
    process
    parity of our of
    -- process
    prosperity of
    our nation.
    The American
    people are
    counting on us.
    They need to
    know their
    home is
    secure from
    prying eyes,
    their accounts
    can't be robbed.
    The lights
    will turn on
    when that
    switch the
    switch in the
    morning and
    they should
    know our
    democracy
    won't be
    corrupted and
    our nation is
    stronger and
    more secure.
    Even in the mist
    of a
    technological
    revolution
    then it's
    ever been
    before.
    This
    we can do
    together.
    So
    thank you for
    the
    opportunity
    to address
    you today.
    To wrap-up
    what I trust
    has been a
    meaningful
    and
    producttive
    die altogether.
    I hope you
    will not feel
    that you have come
    here today
    and done your
    part by this attendance.
    I hope you
    leave with a
    burden on
    your heart to
    do more.
    As
    the old book have
    as we have as
    -- we should
    not grow
    weary of
    doing good.
    We'll
    produce a harvest.
    Don't grow
    were weary in
    standing up
    for the
    security of
    the American people
    in the cyber
    dodo doe -- domain.
    With the
    patriotism of
    all of you
    gathering
    here you will
    work with us.
    With the
    leadership
    oppose
    President
    Trump and I
    know, with
    the support
    and prayers
    of the
    American
    people we
    will defend
    our nation.
    We will
    defend our
    nation on
    this cyber
    frontier and
    I know as
    Americans
    have always
    done we will
    do it
    together.
    Thank you
    very much.
    God bless
    you and God bless the
    United States
    of America.
    MawsPLAUSE ]
    >> Thank
    you.
    How Israel Rules The World Of Cyber Security | VICE on HBO Top 10 Secrets The Secret Service Doesn't Want You To Know 1980s: How Donald Trump Created Donald Trump | NBC News China...If They Pull the Plug, We're Screwed Why the poorest county in West Virginia has faith in Donald Trump | Anywhere but Washington See What Happens When A Plane Violates Presidential Airspace | TODAY How Mexico is Winning the Car Manufacturing War What makes a good life? Lessons from the longest study on happiness | Robert Waldinger Craziest moments at U.N. General Assembly I Adopted Rich People's Habits, See How My Life Changed

    Post a Comment