...that it is so external facing, right? I mean, the core of our mission is critical infrastructure. 85% of critical infrastructure is owned and operated by the private sector, so it's all about collaboration. Collaboration is baked into the DNA of CISA, and so a lot of time is spent building relationships, building trust, building connectivity, both across the federal government but importantly with private industry and with our state and local colleagues. So that's been pretty incredible. I'd say the second thing is I've got some great hires. Very excited: I just brought on Kiersten Todd as my chief of staff; many folks know her from the nonprofit world. And then the last thing, I know we'll talk more about this, is the JCDC, the Joint Cyber Defense Collaborative, that I am very, very excited about.

Yeah, thank you for that background. And so now, you've been in 10 weeks; looking out to the next two or three years, what are you seeing as your main priorities?

Yeah, it's a great question, because over the past eight months CISA has been given more authorities through the National Defense Authorization Act, more money through the American Rescue Plan Act, right, 650 million dollars, and a whole boatload of responsibilities through the cyber EO.

But no pressure, right?

No pressure, exactly. And you know, if you think about priorities, right, if everything is a priority, nothing's a priority. So as the director I need to figure out how to ruthlessly prioritize where to put our resources so that we can get the mission done to help defend the nation in cyber. So I think of it in four buckets. So first of all, CISA's transformation. Our good friend Chris Krebs, right, he laid the foundation here; somewhere out here, somewhere, Chris, my good friend, laid the foundation, did a fabulous job building the agency, setting the operating model. Now we need to transform it to be the agency the nation deserves, and that to me is all about culture: building a culture that prizes collaboration and teamwork and trust and transparency and ownership and empowerment and
innovation and inclusion. Incredibly important to build a diverse workforce, and culture's all about how we attract and retain the best talent, and that's people, right: building a talent management ecosystem where we can attract and retain the best people so that the best network defenders in the country want to come work here. So a lot of work on that. Second big priority: federal cybersecurity. So federal cybersecurity is just part of that critical infrastructure ecosystem. A lot of work in the space. There's FISMA reform. What's FISMA? Another great government acronym: the Federal Information Security Modernization Act. We've got to get that right. The last time they did this was 2014. There wasn't a CISA, there wasn't a National Cyber Director, there wasn't a federal CISO. So we need to use that to codify CISA's role as the operational lead for federal cybersecurity. And then, as we said, the cyber EO, right, a huge amount of tasks. I think we lead or are a part of 35 tasks in there, and I'm happy to report that we've met our highly aggressive deadlines so far, so tap, touch wood. But that's all about visibility, right: instantiating endpoint detection and response capability, logging, and this will really ignite some of the authorities we got from the NDAA where we can do persistent hunting on federal government networks. So important. There's modernization: secure cloud, zero trust. We just published a secure cloud technical reference architecture and a zero trust maturity model; comment period open until Friday, so please give us your feedback on that. I've already read some great feedback, so that's very important. So that's all federal cybersecurity; we can talk more about that. Third big bucket: critical infrastructure security. I know the whole theme of this conference is systemic risk, so we'll talk about how we think about the critical infrastructure sectors and then how we think about national critical functions, because everything is connected. I'm a big Douglas Adams fan; I don't know if you've read any of that, Dirk Gently's Holistic Detective Agency:
everything is connected, everything is interdependent, everything is vulnerable. So it's how we think of functions, and so a lot of work on that: performance goals, and then working on 100-day sprints from the White House with pipeline companies, energy, water, wastewater and chemical. And then last, I'd say, is partnerships, partnerships, partnerships, right: federal government, private industry, state and local, and then operationalized in part through the Joint Cyber Defense Collaborative. So a lot of work to do.

Yeah, you have a busy two or three years ahead of you.

Kidding.

Well, speaking about collaboration, which has been something you've mentioned a couple of times, with the private sector and with others in government, I think one question that has come up a lot is the division of labor between the NSA, the White House, CISA and others, particularly when it comes to collaboration with the private sector and others, and I'd be curious how you're drawing the sort of cleanest lines between responsibilities.

Yeah, so thanks for that. You know, a lot has been made of this. I personally think it's a little bit of a tempest in a teapot. I think it's pretty clear what CISA's mission is, right: we lead the national effort to manage and reduce risk to critical infrastructure. We do cyber defense; that's two roles, of the operational lead for federal cybersecurity, but we're also the national coordinator for critical infrastructure cybersecurity and resilience. But at the end of the day, Kelly, like, cybersecurity is a team sport and life is a contact sport, so it's all about relationships at the end of the day, which is why that connectivity piece is so important. I think the great news is we are moving into a place where it's not about turf, it's not about territory, it's not about tribalism, it's about working together given the urgency of the threat environment. And so many of the folks that are in the federal government are old friends of mine who are back together again, and it's great to work with such talented teammates. But I think it's pretty clear that what we need to
do is to leverage the talents and the authorities and the capabilities across the federal government so that we can motivate collective action. I think that's most important. You know, I would just point to one real value add in this space, and I think that's Chris Inglis, who I know we'll hear from on Friday. You know, a great friend, a great teammate. I think the country is really lucky to have someone who is articulate, as smart, and then genetically wired to be collaborative. We talk almost every day and he's a fantastic partner. So I think the space may be crowded, but it's a space where we are creating more coherence, more cohesion every day so that we can get the mission done.

Yeah, and it's really fortunate that you and Chris and Anne and others have such a long sort of history working together. And then moving on to the collaboration with the private sector, I think you're in a great position, having just left the private sector, and one of the more heavily regulated industries in the private sector, to think about, you know, what are the main challenges that you're seeing there? What do you see as the opportunities?

Yeah, so it's a great question. Let me talk a little bit about the JCDC, because I'm really excited about this. You know, this came out of the Cyberspace Solarium Commission, where so many fabulous ideas emerged and then found themselves instantiated in the NDAA, you know, a significant accomplishment, really. And one of them was this joint cyber planning office, and so based on that we developed the Joint Cyber Defense Collaborative, because it's more than planning. If you look at the legislation, it talks about planning, it talks about exercising, it talks about actually implementing operations. And I have to say one of the really cool things about this is it's the only federal cyber entity in statute, in law, that combines the power of the federal cyber ecosystem, so CISA, NSA, FBI, DOD, CYBERCOM, ODNI, together with the power of the private sector, to enable us to come together, create a common operating picture of the threat,
to plan and exercise against the most serious threats to the nation, and then to implement plans to be able to drive risk against those serious threats. And so when you think about some of the challenges like SolarWinds and Microsoft Exchange, a lot of that was about a lack of visibility, because we know if you can't see it, you can't defend it. We don't want the US government on domestic infrastructure, of course, but we want that partnership with those companies that have broad visibility. It's why the initial plank holders were ISPs and CSPs and cybersecurity vendors. So the whole point is we can use this to see the dots, to connect the dots, and then drive collective action to reduce risk at scale. So I'm really excited about that. We've kicked it off; we're already seeing some of the benefits from sharing broadly, and I think that that's going to allow us to really make some significant progress in this space.

And I've been curious, now that you bring up the JCDC, can you speak now about how you're operationalizing that: how often you're meeting, how large are the groups, what is the sort of practical aspect?

Yeah, JCDC, it's like AC/DC but with the J. Thank you. And the J is important, because it may be CISA-hosted, but this is really a platform for the federal government to come together. And so we've already brought together the plank holder partners; there's 15 of them. And we've already seen, by being able to share information with some of those partners on threats that we have seen on the FCEB, the federal civilian executive branch, another horrible acronym that the government uses, sharing that information with the private sector, they can look and see if they see it in their space and then share it back. So we've been able to illuminate actually potential victims in other places, and we've been able to get that information out and do notifications. So we are just on the cusp of this; we've just operationalized it, but we should think of it really as a platform, right? This is about bringing together the power
of the federal government, and it's not just the plank holder partners. Very encouragingly, we've had outreach from over 120 entities who want to be part of this, and we can pivot this as a platform for information sharing and for planning and exercising, whether it's critical infrastructure; we'll probably work with the pipeline industry as part of this 100-day sprint, and then we can work with a variety of other partners. And I think we will likely end up turning this into the election security space as we approach 2022.

Great. I'd love to come back to questions around your role in elections in a moment, but first, curious, as you mentioned before, the theme of this conference is systemic cyber risk, and CISA of course houses the National Risk Management Center, and as I understand it launched the Systemic Cyber Risk Reduction Venture, and would love to just hear more about the goals of that initiative, where you see it going over the next few years.

So I think this is super cool, right? I was at an event with Chris Roberti, who's at the Chamber of Commerce, and he referred to the National Risk Management Center as a national treasure, which is actually kind of cool. I didn't know much about NRMC before I got here, but it really is a place where analytic innovation happens, and one of the most important things that they've done over the last several years under Chris Krebs' leadership, and Bob Kolasky, who leads the NRMC, is to essentially reimagine systemic risk. So we have 16 critical infrastructure sectors, but you really can't think of sectors and silos at the end of the day, because, going back to my point of view, exactly, interconnected, interdependent. And so you have the 16 sectors, but we publish the 55 national critical functions because everything's functional, right? And so what this venture will allow us to do is sort of three things, pivoting off that work on NCFs. One is to understand the underlying architecture of systemic risk, so breaking down, decomposing those functions into specific capabilities that
critical infrastructure sectors will have to put efforts and resources against. So that's important. The second thing is to develop cyber metrics. Anybody who's been in this business, you know, the elusive side of... good luck, right? Exactly. So a lot of important work there. It's one of the things that I hope in the NDAA, the next one, they get the Bureau of Cyber Statistics, another great idea brought to you by the Cyberspace Solarium Commission. But we really need a way to better understand the environment and to measure the environment. We all know you've got to measure what matters, so that's important. And then the third is really to come up with ways to promote tools to enable us to analyze risk in a systematic and holistic way. And, you know, I would give you an example of work around software assurance. So one of the things we're focused on is part of our information communications technology, it's another great acronym, supply chain risk management task force, which is looking at all of the things we can do to reduce systemic risk around supply chains, obviously a big focus area coming off the back of SolarWinds. So I'm really excited to talk more about this. I know we've got Jay Healey, who's one of our cares, actually, somewhere, somewhere out there. But I think it's a really, really important project.

Thank you for that. And next up, there's been a lot of congressional activity and discussion around mandatory cyber incident reporting, and would love to know, and I think you talked some about this last week, whether you support this work, whether there's any specific legislation that you've endorsed. I think having come from the private sector you would have a really great perspective on the costs and benefits of that.

Yeah, so I think it's really important. You know, as I said, we are a voluntary and a partnership agency.

Yes, and so the mandates get a little harder.

Exactly. So our whole goal is to build trusted partnerships so that companies that are impacted by cyber attacks report information, and we do have that. But as
the Congress has recognized, it is critically important that we get more and more information given the complex threat environment that we're all facing. And so we have seen several bills come out about cyber incident reporting legislation. The administration is broadly supportive of this; certainly CISA is supportive. And the reason why we're supportive, whether it's voluntary or whether it's mandatory: we need to get that information as rapidly as possible so that we can share it to prevent others from suffering an attack, right? In a perfect world, and this is all about what we talk about, collective defense, in a perfect world, and I realize this is not a perfect world we live in, you would not see the same attack twice. And so we've been working...

Yeah, we have not had that long, I know.

Exactly. Well, I said perfect, right? It's the ideal world. But the more that we can use our platform, because CISA's superpower is really our information sharing authorities. We have the most broad information sharing authorities across the federal government; it came out of 9/11, right, that's why they built DHS. And so we can use that platform in an anonymized way, protecting the civil liberties, the privacies, but sharing that information to prevent other victims from falling victim to these attacks, and in the world of ransomware that's incredibly important. So we are excited about the potential for that legislation. But to your point, having just come from Morgan Stanley, we want to make sure, and I've said this last week and I said it yesterday in a separate talk, that CISA is not overburdened with noise and that we're not overburdening industry with reporting noise. So that's why it's really important to have this rule-making period where we can figure out the scope of the reporting entities, called covered entities, when they would need to report, rapidly, but again signal not noise, and then how you make sure that you can do enforcement. Because at the end of the day it really is to the benefit of the whole ecosystem if we can get information out rapidly to protect
others.

Thank you. And now I wanted to come back to your point about elections earlier and the thoughts that you're having about CISA's role there. I know that in 2020, I think, you all had launched the Rumor Control rebuttal site. My understanding is that you intend to continue with that, but I'm curious what else you're imagining doing in the election space, how you see that changing and how you see yourself collaborating with other responsible federal entities.

Yeah, so, great question. As we know, elections are run by state and local officials. They are on the front lines of making sure that their elections are secure and resilient. The federal government assists, us specifically because we're the sector risk management agency for election infrastructure. We are here to help, to make sure that state and local officials have the resources, the technical assistance, the guidance, the information that they need to be successful. And here's where just another shout out to Chris, because he and his team, folks like Matt Masterson, did just an amazing job of building strong collaborative partnerships with the election security community, who were highly skeptical in 2017 when election infrastructure was declared critical infrastructure. I was a private citizen in 2020, but I really appreciated what I saw, and it's only been reinforced since I came into the job and met with secretaries of state and state and local officials who have told me how pleased they were and how appreciative they were of CISA's role. So we plan to continue that.

You hear again and again how much work went into building those relationships and that trust.

Yeah, just absolutely amazing work. So really proud of the agency; I can't take much credit for it, but we are looking forward. You know, elections happen all the time, as I'm reminded by officials, but we're in particular looking towards 2022 to make sure that state and local election officials have everything they need. Kelly, you also asked about misinformation, so Rumor Control. When I looked at this as a private citizen, I saw what
CISA was doing, which is really making sure that the American people have the facts that they need. You know, I worry a lot about misinformation and disinformation as a citizen, but also as a mom, right? If you don't have the facts, if you don't have the best information, you can't make the best decisions. So we are gonna continue with Rumor Control, and we're gonna also continue with some innovative things. We do graphic novels, which are kind of cool.

I didn't realize that.

Yeah, they're kind of cool. I'm happy, I'll send it to you. And, you know, Chris came up with the pineapple pizza; Craig Newmark remarked on it yesterday. So that's Chris's trademark. I need to come up with something else. It's probably like Rubik's cubes, 80s music, dragon, something. We're working through what our signs will be. But it really is about energizing the community, focused on, you know, one of the most important things, right: free and fair elections are the foundations of our democracy. So a lot of effort there.

And how do you see that work around elections interfacing with other federal organizations? I know the FBI has some role here, at least around disinformation; you have many other players involved.

Yeah, the other thing I point to, you know, there was a fabulous relationship across the federal government in elections. If you looked at any of this, it was CISA, but we worked very closely with NSA, very closely with FBI and very closely with CYBERCOM. There was a task force of folks that were constantly in touch to make sure that we were bringing to bear all of the instruments of national power, both to support state and local but then to do everything we could to prevent foreign malign influence on our elections, and obviously this came out of 2016.
So it really was a team effort, and that really makes it easier for me to continue to build on the quality and the strength of those partnerships across the federal cyber ecosystem. And so again, still a lot of work to do, but a great baseline to build upon.

Now I'd love to take sort of a bigger step back. So we've talked about elections, we've talked about incident reporting, we've talked about the JCDC. Having come into this new world, what have been the biggest surprises for you, good or bad? What has surprised you?

Yeah, so I would say, yes, my first time in the Department of Homeland Security, and I honestly did not know what to expect. And I loved my time at Morgan Stanley: great firm, great teammates, great mission, great culture, great lifestyle. And the reason that I got out of government was to be with my son. You know, I was deployed...

He's 17 now.

Oh, so you have just a little window left there.

And he decided to go off to boarding school, which I don't think is something about me, but yes. So, you know, I was deployed to Iraq, Afghanistan; it was the White House; I didn't get to spend much time when he was growing up. And so he was going to become a teenager; I knew that he needed me.

How great that you have, though.

Yeah, so we did; it was fabulous. And so, you know, when you get the call and you need to serve, and service is in your DNA, so I came back into government. I will tell you this is the best job; this is the best job I've had. I believe it's the best job in government, and I think it is because it is so external facing. It's all about relationships. You know, my friend Jane Lute, the former DepSec of Homeland Security and a former professor of mine at West Point, she has this great saying. She said, you know, in national security, counterterrorism, intelligence, the federal government has a monopoly; in homeland security, cybersecurity, the federal government is just a co-equal partner with the private sector and with state and local. And so it's all about collaboration and partnership, and so I love it. You know, in terms of
surprises not so great, you know, the bureaucracy is still there. You know, bureaucracy is bad when you have to move at the speed of cyber, but I am ready to slay the bureaucracy, slay the dragons. And, you know, I think there is the sense of urgency, given what we've seen over the last eight months, that we can really... we're at a unique moment in time where we can make a real impact on the defense and security of our nation.

Thank you. And then one last, somewhat self-serving question before we have to wrap, which is, my background is in philanthropy. Really curious, as we're trying to think about bringing more philanthropy into this space, and how civil society can better support government here and the private sector, what do you see as the main roles that we could play?

Yeah, it's a fabulous question. Thank you for your leadership at Hewlett, thanks to you, and actually Eli, who supported the... shout out to, yeah, big shout out to Eli. And then also I know Ron and Cindy Guller are here. We actually got some support for the non-profit that I set up, there are media, we did Cyber Nation. And I know Craig is out here as well. And so it's so important that more funding goes to the cyber philanthropy community. I know there was a great letter published earlier this year all about this, and absolutely critical, right, at the end of the day, that there's a real focus on this. You know, I think of this... I guess I'd say a couple of things. And I had this conversation with my friend Tony Sager, who's at the Center for Internet Security. There are a lot of these great organizations out there. I think it'd be great to figure out how some of these can come together to harmonize these efforts. There's a lot of work on best practices; there's a lot of work on cyber workforce. So is there a way that all the non-profits can come together to optimize the best of? And I'd love to figure out how we can do that, because we're doing our own things in this space. We're about to award grants to non-profits for under-served communities. So
that's one thing. But I think if we have a focus on two big things: one is building a diverse and inclusive cyber workforce. There are great conversations about that, and that's something I'm incredibly passionate about, because I believe diversity of thought, background and experience helps you solve the hardest problems much quicker. And the other thing is building resilience, both cyber resilience as well as digital resilience, in terms of being able to know how to protect yourself in cyber, because you do that from the youngest of ages to the oldest; I like to say K through gray. And you make it easy on people. And a quick plug for October, coming up Friday: Cybersecurity Awareness Month, right? It's, you know, helping people understand the basics that they can do to keep themselves safe online. And so I think there's a lot that the non-profit sector can do to make sure that we're getting out to communities all over, to schools all over, to do the basics right. At the end of the day it's updating your software, it's password managers, it's thinking before you click, and it's, you know, I'm on this big campaign here all about implementing multi-factor authentication. Yeah, so I am doing a shameless plug, and I expect all the cyber evangelizers out there, because I think if there's only one thing you can do, the industry studies show you're 99% less likely to get hacked if you implement MFA. So we are all in this together. I'm a huge fan of the non-profit ecosystem, what you're doing, what all of our teammates in the space are doing, and I hope to be able to work with all of you to advance a really important mission.

Thank you, Jen, and thank you for this conversation and for your leadership.

My pleasure. Great to see you as well. Thanks so much, Kelly. Vivian, I will turn it back over to you.

Great, thank you. Thank you so much, Kelly and Jen. In case anybody missed it, there was some breaking news in there. Just to repeat: pineapple on pizza is going to be retired. It's going to be retired. There's going to be a
new mascot metaphor. Jen, I'm actually thinking dragons is the way to go, so I just want to put my vote in there. Excellent, she's got the dragon pants. Okay, so that was actually a perfect introduction to this year's Cyber Summit, which is focused on systemic cyber risk. That really was a fantastic landscape of all of the issues that everyone in the industry, whether the public sector or the private sector, needs to confront. And for our next section we're going to do a pretty deep dive into what we mean by systemic cyber risk. So it is my pleasure to introduce Jay Healey, senior research scholar at Columbia University; Window Snyder, the CEO of Thistle Technologies; and Jonathan Welburn, an operations researcher at the RAND Corporation. And moderating our next session is our very own, one of my favorite colleagues, they're all my favorites, David Forscey, managing director of the Aspen Cybersecurity Group. Over to you, David.

Thank you, Vivian. I'm so happy right now for so many reasons, not only because this is the first in-person meeting I've been to, I think many of us have been to, in almost two years. Many of us, too. But I get to talk about the cybers with three of the smartest people, who I believe are the smartest people in the field. And so I'm really... let's just get into it. So first, the hardest question: are cyber attacks getting worse? Is it an illusion? Is it the way we cover them? Or are we really entering a new phase where new pieces of critical infrastructure are coming under attack in new ways? So I'm going to put that to all of you. Jonathan, why don't you go first?

Yeah, great question. I think we all feel like it's definitely getting a lot worse. I would say on that that a lot of that attention comes on ransomware, and for good reason. I think that the ransomware attackers have found a perfectly successful illegitimate business model, and every time there's a large-scale attack, and, you know, with Colonial we see that they issue a payment and it solves the problem, it's a really good advertisement for that business model. So I think
that we're seeing more of those brazen attacks where they're willing to go after, you know, large targets which can get a large sum of money. I would say that in addition to the attacks being demonstrated successful, we've also got this growing complexity and growing interdependence, and so the opportunities are growing faster than we are able to mitigate them as an industry.

Yeah, and I love both of those. And so we've been here before. 20 years ago, say from the late 90s up to maybe 2003, it was relatively routine to see large-scale attacks take down substantial parts of the internet, right? Think of, you know, they went by Nimda, Code Red, SQL Slammer, Melissa, ILOVEYOU, right? Almost every quarter we would just be awash with a worm that would disrupt substantial parts of the internet. So we've been here. And so what's changed is, well, one, we haven't changed, right? Most of the reasons that let those worms spread so quickly and take down so much we haven't really mitigated in a substantial way. Yes, we have, and, you know, Microsoft has made big changes, others have made big changes, but a lot of the fundamental vulnerabilities are still there. I love the points about interdependence and monetization that have come up, but we've also seen changes in adversary behavior. I think things that we thought adversaries, not just but particularly nation states, we would say, well, folks just aren't going to go past this line, and we've just continued to see that over the past 20 years.

So one of the scariest things about ransomware, obviously, is that people are using shared vulnerabilities among many systems to launch a single attack that affects many, many individuals across the system, right? One of the reasons why the theme of this summit is systemic risk. So, Jay, going back to you real quick, how do we define systemic risk, especially in a digital society? What is systemic cyber risk?

You can think about it as if you've got a system, facility, asset, if you're an entity, a company, and then your importance to the system is
greater than just what you have to yourself. The work that I started doing in this, we were looking at correlations of cyber risk, and some wag started calling this, in 2014, cyber subprime, like the last thing we need is another cyber this or a cyber that, referring to the 2008-2009 credit crunch. And the more I thought about it, the more I thought it's actually a fabulous analogy, because going into the credit crunch you had these pools of risk, right? You had this financial risk that was pooling in places that was misunderstood, not understood, and it had this cascading effect when it finally broke. And the more expert you were, the more that you would have said it is impossible that these risks are correlated. And so it's up to us on the cyber side to say, all right, well, where do we have these IT companies that are too big to fail, if you accept that part of the analogy? We've got common mode failures or common cause failures; we saw this in SolarWinds, right, where everybody is using the same software and an issue with that piece of IT will affect everyone. We see cyber cascading failures: just this week there's a big outage of Amazon Web Services, right? So something happens to this piece of IT infrastructure that then affects many, many others in the real economy. And we've got these physical cascades like we saw with Colonial Pipeline: it's a cyber incident, in this case ransomware, and the cascade wasn't on the cyber side, it was on the physical side, because we didn't have enough fuel in the Northeast.

So, Window, you know, we just got kind of a theoretical treatment of systemic risk. You know, what are some practical examples of how systemic risk manifests that you can think of?

Sure. So on the critical infrastructure side, there was an attack on Dyn that took them down for a while, a denial of service attack, and the set of folks who depend on Dyn went down, and that's...

Well, feasible; could you just explain what Dyn is?

Oh, it's a DNS provider. So that's
a critical and obvious way: if you can't find your way to the server, then the server's not available to you. And so that goes down and their customers go down, and that's expected. But what's not expected is the number of customers that depend on those customers, and the number of customers that depend on those customers, and eventually we recognize the interdependency of all of these cloud services that might not be directly relying on Dyn but relying on somebody who's relying on Dyn. And then you take a company like Slack, which you might not recognize as critical infrastructure, but all these different cloud service providers are using Slack as their communication mechanism for operations. And so when Dyn goes down, and Slack depends on Dyn, and Slack's not available, and Slack is what everyone else is using to manage their operations and try and recover from an outage and move to a different provider on short notice, and their communication channel is down, we have all of these interdependencies and failures that pop up in unexpected ways. You know, at this point I'm hoping all those folks have, you know, a back-end IRC server or something to address that, or maybe just phone numbers, but on a piece of paper written down, anything. But it really revealed, that one in particular really revealed, our interdependency in the cloud. But we have similar interdependencies in technology, whether it's a library that's widespread like OpenSSL. When Heartbleed came out, we saw how many people were scrambling to find all the different places that that specific library was incorporated into the technologies that their organization depended on. So whether you are a product developer and you recognize that you've got it incorporated over here, oh, actually you also have it in this part of your product, or you're a CSO, when you're trying to figure out, for all the different products I have, which of these are using it, and the answer was essentially all of them,
Trying to even address this specific vulnerability in your infrastructure was just a can of worms, and everywhere you looked you found another technology that was dependent on this specific issue. And this is a technology that's probably one of the most inspected by security researchers out there. So imagine all of these other technologies, all these other libraries or components, that have vulnerability to the same degree, or to a much more significant degree, that is not getting that same level of inspection and that is vulnerable in a way that's quiet. Or, like SolarWinds, a technology that we're deploying in a lot of critical places that is compromised, and a legitimate update is pushed with malware inside of it, and now we've got this problem deployed everywhere. So the core problem here is complexity and our interdependence, and that is something that we're not going to move away from, because that is providing us flexibility and functionality and all these other critical functions that we need. So we've got a growing problem here.

Jay, welcome to you, Jonathan.

Yeah, yeah, I think, if I could just build on Window's fabulous points: look at SolarWinds, right? It's a big company, it's got IT security, it's a large entity, it's a large organization. And compare that to one of the other ones you said, Heartbleed, right? It was working on OpenSSL, and how many developers are working on OpenSSL? I mean, a dozen, two dozen contributors, major main contributors, and it is absolutely critical to web commerce. I mean, you're just not able to do so much, and it had this unknown dependency. And so we have to worry about these hidden pools of risk that can be large companies that everybody in IT knows, to these critical pieces that are just maintained by a handful of important people and yet underpin everything that we're doing on the internet. So we've got a lot of dependencies we're talking about: we've got the domain name system, open
source infrastructure, suppliers. How do we actually identify where we should be paying the most attention? Jonathan, I know you've done a lot of work on this. How do you measure systemic risk, and how do you identify the pain points, the single points of failure where we could have a cascading effect?

Yeah, it's a great question. So first of all, it's definitely a difficult problem, and acknowledging why it's difficult before I explain how to get into solutions: typically when you want to look at different types of risk, you might say, let's look at historical data, let's see what the past incidents have been. And when we do that for cyber, when we look at systemic cyber risk, the incidents that we may be observing in the past are just a part of a larger distribution, and so we know that we're not necessarily seeing the full distribution. And there might be different reasons for that. There can be under-reporting, that could be one reason why we aren't able to observe everything, but another problem is it just might not have happened yet. So we've seen a lot of large cyber incidents, like some of the ones that we've discussed, SolarWinds and Dyn, but those might not be the worst of what Jay was actually talking about when he was defining systemic cyber risk. And so actually getting into measuring what could pose that type of systemic cyber risk probably requires a different approach, which is more in the modeling, the simulation and the hypotheticals. And one of the approaches that I've been doing, the work I've been doing with colleague Aaron Strong and the broader team at RAND, has been kind of following the way, Window, you were describing Dyn, right, where you have the way they go down and they have this list of customers, and then there's those knock-on effects, and it kind of cascades out through these networks. Well, saying if we are able to start getting into that network structure a little bit more, and seeing who depends on Dyn, who depends on
Box or something, which was hit, the different companies that are hit after that, who depends on Box after that, and trying to understand that network structure. Well, at that point you can start asking the hypotheticals: what happens if there is this type of cyber incident at this given company, this given service? How would that then ripple out? What would the aggregate impacts be? And that's an approach for starting to answer this question of how do you measure the potential systemic risk posed by a given company or service. It's only part of it. I think there's a lot of other things, like what Jay was talking about when you're getting into code repositories, where there's things which are widely shared across many other services and products, that would be really difficult to measure.

Do either of you want to add to that?

Just that Jonathan's work, the work that RAND has done, it's been really groundbreaking. It's really changed how I look at this.

So a lot of the way we approach cybersecurity as a society, as a government, norms building, is based on individual defense, right? So let's figure out how to make sure company X does Y to protect their own data. But what you're describing here seems to require a different approach, because a lot of the risk is outside of the perimeter of the individual company. So what does it mean to actually, how do we change our approach to prioritize systemic defense instead of just individual defense? And let's start with you, Jay, and then go down the line.

Yeah, I mean, there's a couple of different ways we can do it. We've been looking at other kinds of systemic risk, right? We've handled this for the energy sector and for the finance sector, for example, because we've said you need to be regulated because your risks are higher. In the finance sector, where I had partially come from, Goldman Sachs and other banks would be called a globally systemically important bank
based on a relatively simple set of criteria: how large are you, how interconnected are you, how leveraged are you, and things like that. And therefore you had a much larger role in the system, and if you went down, you have global regulations that you have to fit, not only your national regulator. And so in those places where we've got existing regulation, we can look at, all right, for those sectors, how might the government use those existing regulations? But in other places, most especially within the IT sector, we don't have such regulations in place, and it's hard to get our heads around, well, how would you quite regulate to be able to get there? You might say regulate for notification, and we've been seeing a lot coming up in Congress on that: if you are affected, Colonial Pipeline, SolarWinds, you need to tell the government so that we can at least understand what's happening. And the last idea that I really liked came out very strongly from the Cyberspace Solarium Commission, which Director Easterly mentioned earlier this morning, where they had an idea. It had the kind of unfortunate name of SICI, systemically important critical infrastructure, and saying, boy, some of these entities in critical infrastructure really do have a larger systemic importance. And that's both to say, if something happens, the impact is really bad, emphasizing the negative aspect, but I liked it because they also emphasized the positive side: these are the partners that the government can most work with to mitigate systemic risk. And I like both parts of that, and I'm really pleased to see that CISA has a systemic cyber risk reduction venture that they're doing within the NRMC.

Window?

I think regulatory involvement is required, but we need to recognize that it only operates at a lower threshold, right? It knocks out kind of the low-hanging fruit, which is important, because there are a lot of organizations that haven't even gone that far. But the attackers are more sophisticated than that, and I don't
know that it's going to address the larger-scale problems that we have. And this is kind of getting to the area that I think is the biggest monster under the bed as far as I'm concerned: imagine all the attacks that we just described have been happening for 20-plus years and we just didn't do anything as an industry. We didn't implement better technologies, we didn't get better at mitigating these strategies, we didn't reduce our attack surface, we didn't work on memory corruption issues, we didn't do any of the work to harden these systems that we rely on and develop resilience into these systems. And now you've got the device space, and in the device space, which is growing in complexity, and our dependence on these devices is also growing, we've got...

Can you just say, like, what devices? What kind of devices?

Automotive, aeronautics, manufacturing equipment, corporate devices like printers and security cameras, your refrigerator, everything. I mean literally everything essentially has a computer in it. And for a completely reasonable set of decisions, as a device manufacturer you try to reduce the complexity in these devices because you want them to be highly reliable, so you pare down your system to just the critical functionality. But a lot of them either have operating systems that are so tiny that they don't have security mechanisms that we've leveraged in general-purpose operating systems for the last 20 years, or they didn't bother to build it in. And a lot of them don't have privilege separation, a lot of them don't have separation between code and execution, and you end up with a device that has all of the opportunity that the general-purpose devices have, whether it's in the data center, it's your workstation, or even, at this point I'm going to call your mobile phone more of a general-purpose device and less of an embedded device, just because they have so much functionality and so much security work goes into those OSes. But you end up with a
device that's sitting on the network, has access to critical networks and systems in your corporate environment, in your government environment, and then didn't do any of the security work the general-purpose operating systems have been doing for 20 years. And so how do we get to a place where we are able to make those devices as resilient as these general-purpose operating systems, given that they have the same risks but are much more resource-constrained than the general-purpose operating systems? Because a lot of these devices are not plugged into a wall, and a lot of these devices don't have the same amount of memory or storage or CPU capabilities, so to implement security functions in these devices is a different challenge. But it's a huge opportunity for attackers, and it's very difficult for the people who manage these devices to be able to even inspect these devices and recognize whether they are actually compromised or are using the code that we intended for them to run at deployment. So that's the big hairy monster under the bed for me. And if we're going to take on something as an industry and say that there's something appropriate that needs to happen here, then being able to update those devices effectively, so that when a vulnerability is identified we can actually do something about it. And updating devices is harder than updating general-purpose operating systems or your web browser, for example, because the failure of an update for your web browser means that maybe you have to try it again, or you have to reboot your system at the worst, whereas the failure of a device could mean that somebody has to go out with a USB plug onto the manufacturing floor and update it manually, or maybe somebody has to go visit thousands of ATMs all over the U.S. and address them individually, or maybe it means that that satellite is just gone for good. Right? Updating a device is a much more risky endeavor, but it means that it's much harder to address the security issues that we
know about already in devices. And it's not unreasonable that the device manufacturers are reluctant to deploy those kinds of updates, knowing what failure means for availability for the folks who depend on them.

So in other words, we have billions of devices that are too simple to have good security?

No, no, that don't have good security yet. They absolutely can, but we have to make that a priority.

Right. And if I can, sorry, one of the implications of this: remember when I said 20 years ago we kept having these major worms that were hitting? Well, the worms were only taking down things made of silicon and things made of ones and zeros, because that's all that was really on the internet. Because of this trend that Window just talked about, right now we have the attacks, and they're not just taking things down made of silicon, ones and zeros; they can take down things made of concrete and steel. So it was really difficult to really hurt someone or kill someone when all you were disrupting was silicon, ones and zeros. Now they can take down concrete and steel and these other devices that Window just talked about. I think we're going to look back at the 2000s and the 2010s as the golden age, when no one was really dying from this stuff, because now you can have these systemic attacks that have a much lower threshold of the kind of adversary that can have these kinds of capabilities that really can be a matter of life and death, and will be, if they haven't already.

Well, you know, we know a delay of medical care by X amount of time increases mortality rates by X amount, and what, a third, two thirds of the NHS system in the United Kingdom went down during WannaCry.

Substantial. With Minecraft, yeah.

So, Jonathan, I mean, we've talked about, do you have anything to add, or would you like to go back to how we can actually manage this?

I'll add to this and maybe wander in that direction. So I think it's really interesting listening to Window's points
because there's this kind of irony to this, where the objective of all of these devices, of really, fundamentally, the internet in itself, is interconnectedness, right? And I think that a lot of these products have done a great job at that task. I think that, as you were talking about how this is the first time we're at a conference or a live event in two years, I mean, we've gotten on pretty well due to how well interconnected we are through a lot of these devices and services. But the irony of that is that we're here talking about how these are really too interconnected to fail, and not how they pose a systemic risk if they were to. I love a good finance metaphor, as Jay was making several. And maybe following on some of Jay's finance metaphors, I wasn't in the room when they came up with the term SICI in the Solarium, and it sounds silly, but I imagine, if I could peer into their heads, I imagine they were following the SIFI reference, so SIFI, SICI, which I love. The idea behind that is that there were a lot of lessons that we could learn from all the previous work that's been done on systemic risk. So I just want to make a point on this of perhaps where systemic cyber risk is similar to systemic risk, and also where it's different. I think that with all of the work that had been done by academics, by analysts, by policy makers, following 2008 and before too, about what it meant to be systemically important, there's a lot of great things where Goldman becomes systemically important, where you're saying that due to the interconnectedness of this entity, of this institution, in that context; due to the complexity of this institution, if it were to fail, how difficult would it be to unwind it; due to the substitutability as well. These are three general types of criteria that you could say would
help you understand.

Could you just say a little bit more about substitutability?

Substitutability, meaning how easy would it be, if this institution failed, for its assets to shift to another, or you replace it.

So if something happens to one cloud, you can switch to another?

Exactly right. How easily can you switch to another cloud provider? So in this context, and I think that's exactly right, because we can carry some of those points forward into thinking about how to identify and how to manage systemic cyber risk in the systemically important cyber whatever... SICI. So I think those are great points that we can carry forward. Another one too, actually, is that systemic risk, whether it be in the finance environment or cyber or elsewhere, is inherently a multi-stakeholder problem, where you can't easily manage this problem by yourself, as one organization at a time. Obviously you can do the multi-factor authentication that the Director was talking about before, a great way to actually move the ball forward, but when you're talking about systemic risk, it's not up to one organization, being a firm or being one agency in government. It really does require a lot of cooperation to actually tackle this type of problem, and so it's exciting to hear more discussions about that, a lot of interagency discussion, and to have the various folks in the room that we're all talking to is really the right direction.

So I want to go back to...

Were you going to say something else? I'm going to say how they're different.

Okay, right, great.

So one point about how they're different is that systemic risk in economics and finance is caused by, it's not exactly one group's fault, it is often caused by what you could call misaligned capital, that's the excessive capital in one area of the economy that's overly risky, and you get a crisis. Systemic cyber risk is not that. It is an adversarial type of problem.
It's fundamentally caused by, it can be caused by a group or an individual which targets the right entity at the right time. And that also means that the intelligent adversary can circumvent all the risk management practices you put into place. You can't pass a Dodd-Frank to prevent an attacker from leveraging an attack on DNS infrastructure, things like that.

I want to go back to regulation real quick. Devil's advocate here: the free market creates all the incentives that companies need to prevent a systemic shock. They have every interest in preventing a systemic shock, so get your big government out of here. Why do you need to regulate that? It's one thing if you're regulating data protection, where maybe they actually don't have an incentive to protect customer data, but why would we need to regulate systemic resilience when it's in everyone's interest to be resilient? Start with you, Jay, and then come back down. Oh, go ahead.

So as a former CSO, one of the problems that I ran up against frequently was trying to identify which of the technologies in my organization had incorporated this other technology that was vulnerable, like the OpenSSL example that I just gave. The bill of materials would make it easier for organizations to identify where they are vulnerable when new vulnerabilities are identified.

Could you say what a bill of materials is?

Letting us know which technologies are incorporated into the technologies that you trust.

Like an ingredients list.

Like an ingredients list, yeah. And so one of the things is that I don't think that industry is going to do this necessarily by themselves if there isn't some regulatory requirement. A lot of folks don't want to identify all this attack surface that they may have. They don't want to necessarily reveal that they are vulnerable when a vulnerability is identified in one of these components until they're ready to, until they have a patch available, etc. There are a lot of
factors here that are working against that aspect of transparency. But from the CSO's perspective, it's a lot easier to mitigate the issue if you know about it, even if you don't have a patch available from the vendor. And while there are organizations that are not going to be able to jump in front of it and do something about it because that information is available, and you are giving the attackers a laundry list of places to go shopping when they've got a vulnerability in hand, and they can wait to just be opportunistic about these issues when they're identified by somebody else, they don't have to do the work, they can just wait and the security researcher will be able to do that work for them, and this gives them an opportunity of places to go deploy that, and it takes a lot of time for us to address these issues, to mitigate them, etc. But I can't do anything if I don't know it's there. So either the burden is on each organization to reverse engineer every single technology that they're using in order to understand all the other technologies that they're using, which is completely undoable, or for us to regulate understanding how all these technologies are interdependent, so that we have a chance of being able to mitigate them or turn something off when we know that there is a serious issue that we may or may not have a patch available for yet from the vendor.

So promoting transparency, software transparency, through regulation?

Right, that's right.

And that's a phrase that I use a lot, and I love that we got there. To me, if you're going to have to regulate, I want to regulate for transparency, right? If we regulate for security, there's much too great a chance that we're going to lock in some kind of... even if we say you must have two-factor, well, we're already starting to move past two-factor in a lot of advanced places. But if you regulate for transparency, well, now you can allow the market to try and work better, and not just the market, but we can allow other aspects
of American society and capitalism to work better. An example: the SEC originally had guidance that said if you have a materially significant cyber incident, I don't care that it's cyber, it's materially significant and you have to tell your shareholders. Now that went from guidance, it became a regulation. There are still some gaps there, but the SEC didn't say your security has to be this tall to be on this ride. They said you have to treat this like any other risk and you have to tell your shareholders. Most of the way that we know about what's happened, well, a lot of the ways that we know, and researchers like Jonathan know, about what's happened is through things like SEC reporting. So I love that. Is there other ways that we can get the shareholders...? If companies are taking bad risks, then the main way we handle that as a society is saying, all right, well, the board of directors, on behalf of the shareholders, should be keeping the executives of that company to task if they're taking dumb risks. So I want to see what can we do to reinforce that. For example, before Y2K, CalPERS, the biggest institutional investor in the world, I think, or close to it, went to every one of their companies and said, what are you doing for Y2K? You must tell us, as an active shareholder. What can we do to try and tap into those things to make it work? Frankly, and I'm interested in Window's thinking, I think the large platforms, you've been seeing more stewardship of the larger set of problems, right, sometimes for self-interest, like Microsoft in 2003. That wave of worms that I talked about ended in large part because Microsoft started to take this seriously. What I would like to see is, a lot of the venture capital, a lot of the innovation is going into technology that works in the enterprise, and we had done some work at something called the New York Cyber Task Force that said you don't get the leverage there, right? You've got to do it, but you actually do better in technology that
helps across cyberspace as a whole.

What do you mean by leverage?

Yeah, like, look at, for example, imagine we invented the perfect widget that is going to help protect against a wide range of attacks. We've got to sell a billion of those widgets to every organization that needs to be protected against the attack. They have to figure out how to configure it, they have to train people on how to do it, they have to keep it maintained and up-to-date, they have to keep it patched, they have to integrate it to the rest of their environment. If we can do one thing like end-to-end encryption, automated update, right, those are things that got done once, and then it got to help a billion enterprises or people afterwards. And unfortunately, so much of the innovation is aiming at that technology within the enterprise, and we're overlooking this technology across cyberspace as a whole. And just to close, we're also tending to ignore the operational innovations. We had to invent the idea of a chief information security officer, Steve Katz at Citibank in 1995. We had to invent the idea of an information sharing and analysis center in 1998, 1999. We had to invent the idea of a kill chain. There's the MITRE ATT&CK framework, right, that's just an idea, it's pretty much free, and yet it's been able to transform the way that we've been able to do defense. And so we do tend to underestimate those operational, mostly process, innovations.

Window, then Jonathan.

I'm going to add to that a little bit, because we do have that widget. That widget is widespread, it's widely available, everyone's already trained on it, and we can deploy it instantly, and that is delete.

If you are... delete?

Delete. It is delete, and it's available on every system that you use and every code base that you've got available to you. Yes, you can reduce the attack surface dramatically by getting rid of functionality that no longer serves your business needs, and doing that work to say, like, do we still need this, is a lot easier than trying to secure that mechanism that nobody's looking
at. So deciding that this is no longer critical functionality and that we're going to reduce our attack surface by eliminating this, whatever this is, this could be a service, this could be a server, this could be an entire code base, this could be a legacy platform in your environment, this could be a feature that nobody is using. It's the easiest thing you could possibly do, because the vulnerabilities that are in that code, on that server, in that service, are not going to impact your environment if you do not deploy it, if you have deleted it. So I would say delete is that magical widget and that organizational structure that you're taking.

And delete data, right? You don't have to worry about a breach for data that you're no longer...

We like that. We want the data.

No, I want to delete it.

No, data's liability. Get rid of it. You don't need it.

Jonathan, I definitely want a lot more data.

What data? What kind of data?

Okay, so I just want to go on some of Jay's points, because I think that those go into the more data. We were able to start looking more into systemic risk and to discover potential companies which pose a systemic risk by using SEC disclosures. And so we're going into the weeds of, you know, the accounting standard 131, for those who care, and basically those are meant for companies to disclose relationships with other companies that they have which might pose a significant risk. In my view they were a little bit outdated. Well, we got a lot of data out of them. They are really thinking about those business relationships which would pose a large risk, which are themselves large relationships. So if you have a significant supplier that, if they stop delivering you some raw materials, you're going to have a shutdown, then okay, cool, you need to disclose that on your annual filings. Your investors can know, policy makers can know, and we can start understanding where systemic risk might be. With cyber, this is really out of date. I think that a lot of the...
It can be a very small contract which can pose a very large risk if they have trusted access, privileged access. Then that's something which should also be disclosed using the existing mechanisms. This doesn't need a cyber Dodd-Frank, although I think we should get there, but I think it doesn't need that for this point, where you can use the existing mechanisms to get a lot more of the information that we would need. And this is not full SBOM, but part of the way there, of telling you what the key inputs are that could pose a systemic risk.

And I'd really like to foot-stomp, especially for the government folks: when we want to understand what happens with supply chain, and we're like, oh, we should regulate, we do X, Y and Z. I've never heard of accounting standards, and just some small changes to accounting standards to help us understand full supply chains, it's such a small change to an existing regulation, and I think it's just a brilliant idea.

Yeah, and the SEC has it. The SEC provides this data through the regular system. It's something that we could run with actively with a small change in rules.

The only thing more riveting than accounting standards is insurance. So I want to talk about insurance. Why can't we just insure against these risks? You know, if Amazon Web Services goes down and half the Fortune 500 goes down, well, they could, they have insurance contracts, right? Why is that not the obvious free market solution here? Let's start with you, Jonathan.

Correlated.

You asked what is that?

The fact that so many different companies in their insurance portfolio that they're insuring with also all suffer losses at the exact same time, given a large AWS outage. Are they ready for that? I'm not going to speak for them. I have doubts.

I'd say for the consumers that have their information compromised when a service has been negligent in their duty to protect that information, that credit monitoring service isn't going to help them mitigate
their risk of identity theft.

When I got to the White House in 2003, it was going to be, we're going to do insurance, and insurance and other risk transfer mechanisms are the way that it's going to happen. 18 years on, and insurance just has not, as great as the ideas, it has just not been able to bear the public policy weight that we're expecting for insurance. So hopefully we're going to get there. I think ransomware has really changed things up, and hopefully it can do better.

Last question before we wrap. What is, to you, your nightmare scenario when we think of a systemic shock? And then we're going to go straight to Jay's point on how we can innovate in the cyber security field specifically. That's ugly. I don't know who wants to take this first.

Critical vulnerability in a device that doesn't have an update mechanism, that impacts lots of folks, whether it's a car, it's an airplane, it's an MRI device. That's my nightmare scenario: a critical vulnerability being exploited in devices that don't have update mechanisms.

Jay?

Yeah, we're not treating the internet sustainably, to borrow the language from the environmental movement. Like, our grandkids and their grandkids, there's no way they're going to have an internet that's as good as the one that we have today. I'm scared that the advantage that the defender has had at the system-wide level is going to go from them having the advantage to them having supremacy. Things can get a lot, lot, lot worse.

Okay, I'll add to it. There are things that we understand widely that are really critical: financial services, energy sector. If somebody came up with a clever way of getting into them, for example to disrupt trades, and nobody notices it for two weeks or three weeks, it would be a huge disaster.

Great. On that cheering note, we're going to move on to the next panel. Vivian, back to you.

Okay, thank you, David. Thank you, Jonathan, Window, Jay. You definitely made good on the title of that session, which was Monsters
Under the Bed. So now that we are suitably scared, we're going to turn to our next session, which is going to really talk about how we slay those monsters. This is where the dragons come back in; that's the theme for the Cyber Summit, is dragons. So: how can the cyber security industry address the systemic risks that we've been talking about? Please welcome to the stage Ang Cui, the CEO of Red Balloon Security; Sam King, the CEO of Veracode; and Wael Mohamed, the CEO of Forescout. Moderating this discussion is Michael Daniel, founder and CEO of the Cyber Threat Alliance. Over to you.

Great. Well, thank you, Vivian, for that introduction. And I think we've had a great talk by Jen Easterly with Kelly Bourne this morning, and the previous panel talking about the nature of systemic risk and how it has evolved and what it's like. And I think for our purposes, this panel, we're going to focus on what the cyber security industry can and should be doing about systemic risk. But first let me just kind of open with a question about how do you think about systemic risk, and importantly, why should organizational leaders, maybe those who aren't even in charge of giant pieces of the infrastructure, why should they care about this topic of systemic risk? So, you want to go, Sam?

Sure, I'll jump in here. So the way I think about systemic risk actually resonates quite a bit with what the previous panel was talking about, but from an organizational perspective, I think the biggest shift that I've seen is, historically we've talked about protecting our critical assets, and a lot of times organizations will identify what are the applications or systems that are really critical. And I think when you think about this problem space through the lens of systemic risk, you realize that there's really only one asset that is critical, and that is the mission of whatever your organization is setting out to do. And increasingly that mission is dependent on other parties. So when you think about getting speed and agility in your
business youautomatically think about drivingdigital transformation and last 18months in particular have hasteneddigital transformation at a pace that ithink was unimaginable prior to thispeople that were sitting on the fenceand saying our business is not ready ourusers are not ready our patients are notready our students are not ready gotready and got ready overnight and a lotof that adoption of new technologyhastening of digital transformationoftentimes was conducted by making useof third party service providers bymaking use of third-party software opensource code commercial code etc so whenyou think about this problem from thestandpoint of systemic risk you realizethat the critical asset is the missionof your business that mission is beingfueled by digital transformation anddigital transformation in turn is beingfueled by this great reliance anddependency on all of these serviceproviders which makes good businesssense it helps you go faster but itintroduces that risk into your systemand i think the reason why leaders andorganizations even those that don’t haveresponsibility forthe infrastructure or even security thereason why they should care about thisisthat when they look forwardtheir ability to drive the businessresults and their ability to manage riskfor their business is increasinglydependent on this environment in thebroader ecosystemyeahum soman all right i havesome thoughts onsystemic risk on the commercial side butalso you know for the us governmentwithin defense and i’ll preface this bysaying you know i’ve spent the last 15years of my lifethinking about security for computersthat pretty much no one wants to thinkabout and those are the ones that youdon’t see right the little embeddedcomputers that run all of the criticalinfrastructure uh and you know actuallythis is a great room right if i if iasked everyone to draw on a piece ofpaperwhat you think a fault protection relayin a substation looks like i think we’regoing to get at least a dozen 
different, you know, things, right? So I was coming up, you know, so we drove from Denver to Aspen, great trip, yesterday, like 11 o'clock at night, and I was thinking about this. We're talking about how innovation can solve, or help, you know, make systemic risks go away. And I started thinking, well, you know what, system innovation by definition actually generates systemic risk, because one of the things that, you know, during innovation what you do is you take a thing that might not be possible, right, and you create a thing that's functional, but you by necessity have to, hopefully, well, ignore some of the externalities, right? And then the next iteration of innovation will come in and say, how do we solve those externalities to make things a little bit better? And that innovation creates more externalities. And I think a good example of that, you know, way back, you know, we're not just talking about cyber security, I was talking to Jumanji, my colleague, in the car. Does anybody remember this thing called Operation Plowshare? Show of hands, anyone? So this was, like, in the 1960s, right? We had, wait, I think we had two problems, and it was right around here in the Rockies and Santa Fe, New Mexico. The two problems were we had too many mountains and we had too many nuclear weapons that we didn't know what to do with. So Operation Plowshare was a series of, you know, innovative experiments to see if we can use one to solve the other by blowing up large chunks of the mountain. We also, I think at some point, wanted to create the Pan-Atomic Canal by just blowing up the Panama Canal, like, and expanding it, right? So that's innovation, right? The externality is that, well, you know, we knew that there was going to be some radioactivity that's going to be left in the land, but that's one of those externalities, right, that the next round of innovators will come in and solve. And I think we see that, I mean, that's the thing that I see in innovation in cyber security, both for defensive capability, right, for all these things, and also, by definition, you know, offensive capabilities too. And to make things worse, right, radioactivity, nuclear fallout, is not an intelligent adversary, right? It just does radioactive decay. So if you put an intelligent adversary into this mix, who also innovates, right, potentially against you, then I see that, yeah, there's no way to not innovate, but by going forward we're necessarily increasing, accelerating both, right, the problem and the solution. And it's really interesting to think about. I don't know if that's kind of a bummer for just early in the morning, but that was my thought coming up here.

Wael Mohamed: From my perspective, basically, I heard it in the previous panel, Window mentioned, not only your customers but your customers' customers, and your customers' customers' customers. And a long time ago we used to talk about basically how the perimeter is disappearing. Today it disappeared. You know, I mean, as a matter of fact, now, in the time of COVID, we're all working from home, and it's real. I do still remember how I started my first company. I was walking in, I was standing in the lineup to actually pay for my grocery, and then the cashier said, you know what, only cash, we cannot really take any credit or any plastic. And I said okay, I'll go to the ATM, went to the machine and put my card in, and it still did not really work, and then I had to leave my grocery. And I realized there was something wrong with the system, and as I got to my car, and I was low on gas, I stopped for fuel, and thank God the car actually worked. But at that moment, I still remember, I said, you know what, that server, actually, it was a kill chain. It was a bank that basically had a problem with their firewall, and a part of the kill chain was very dramatic: they actually stopped the system, so all their customers' customers and customers' customers' customers were affected. And I said, you know what, that server needs to be able to protect itself. Doesn't matter where it lives; if it's living in this parking
lot, it should be able to protect itself. And that was actually the beginning of reimagining how it's going to work, and that's what innovation is all about. When I started, it was like maybe a hundred companies basically trying to solve problems; today there's thousands. When I started there was not a lot of resources, there was not a lot of money, you had to go and talk to a lot of VCs and convince them that cyber security is important; today there's funds that are dedicated only to cyber security. So I want to bring some positive into this. I do believe we have an incredible amount of innovation in our space. Every single day I talk to new entrepreneurs with ideas for solving problems we, as the large companies, do not see. And that's the beauty about innovation, basically: to reimagine things that we don't see or don't even think are important today. And that's the only way we can get ahead, because the bad guys are cooperating and collaborating and basically sharing, and they're learning and investigating what we have. And you mentioned earlier, we were talking outside, about how the information is available to everybody, and we as an industry need to actually embrace that innovation and basically continue with it. But I do believe we made huge progress in the last 30 years I've been in the industry. Now we know what cyber security is, we understand the risk, we understand it's not inside our walls. Now even our own employees that are working from home bring a completely new set of risks that was not as visible two years ago; now it's visible. We're talking about privacy, and you have no idea, when you're talking in Zoom, what's listening, what microphone is on. You have smart everything in your house, and now your house is part of your enterprise. So it's an incredible new setting, basically. I do believe cyber security is like the brakes on the car: it's not invented to make cars go slower, it made cars go faster. Can you imagine if you're driving on the highway at 100 miles an hour with no brakes? You can't. So we as cyber security leaders, we need to figure out ways to actually do exactly what you said: allow organizations to drive growth and digitize and take full advantage of what we have, but in a safe manner. And the only way for that is we need to understand the risk and be able to mitigate it in various ways, whether that has to do with basically how you write code, whether that's basically understanding some of the vulnerabilities in your hidden systems, or whether that's basically being able to segment certain assets so they will not be as exposed. There's many, many ways to be able to do that, and I think our industry has a lot of leaders, but we have a lot of work to do.

Michael Daniel: Yeah, so actually I want to build on that point. The security industry, as you noted, is, I mean, notoriously fractured, right? I mean, if you go to any sort of large cyber security conference like, you know, RSA or something like that, I mean, there are thousands of security vendors there, and it's a very intensely competitive industry. In fact, it's nice that all of you are sitting on stage being so nice to each other, and we appreciate that. But how does this structure, this very diversified, fractured nature of the cyber security industry, how does that affect the industry's ability to identify and address systemic risk? Especially since, if you think about it, most companies start out being, you know, they're designed to solve a problem, right? There's a cyber security problem, and they build a widget or a process or a thing to solve that problem. How should we think about that? And maybe, Ang, we can start.

Ang Cui: You know, so here's a thought. Well, maybe another way to think about this problem is, if you look at the number of dollars, or cyber security companies, that are, you know, built and operating to solve the problems that they solve, right, and you put that in a histogram or some sort of a heat map, you know, does that mean that those things that are hot are the biggest security problems that we should address, right? And, you know, I personally
don't think so, and I think there are plenty of reasons why that is. I think it is true, you know, lots of security companies out there, lots of competition. I think there's certainly some risks that probably have an overabundance of solutions and, you know, commercial companies that can help and make those products. And I think there's certainly some of the more critical infrastructure things that, you know, in my mind, represent one of the larger sort of cyber systemic risks that is, really interestingly, underserved. And this is what I did my PhD on, in security at Columbia, and this is kind of what my company does, to address. I think there's a really interesting dynamic, you know, maybe, if we have time, let's come back to. Right, for example, the devices that make up the critical infrastructure, right? Do the people that operate and use those devices have any impact on how secure that device is? And if there's a compromise, who pays, right? Does the manufacturer who makes this thing pay money, or is it all on, let's say, the operator? And one of my analogies is, and I know Window's here, all right, so, I would say, close your eyes, imagine, you know, you want to run a utility, right? You make power, you have a hydro dam, and the world says, okay, you know, the computer that controls all of your valves and things that can catch on fire and explode and take power out, okay, the best on the market is you buy a Windows XP pre-patched laptop. Okay, you can't open it up, you can't look at the code, you can't install anything, you connect it to your network and you automate all this stuff, right? And you have to have an audit process. And that's how you, you can't, you know, reverse engineer the thing, you can't get Microsoft to do anything, and Window's not around, so no, no Service Pack 1, right, pre-patch. And then, lo and behold, right, the utility gets compromised, because, you know, in 2021, if you're running an unpatched Windows XP laptop you're going to get owned in, like, half a minute. And then what happens is the utility has the responsibility of doing all of the forensic information, the cleanup and the reporting, right, while the manufacturer that made the Windows XP laptop keeps on making Windows XP things. And you know, when I survey the different devices that run these critical infrastructures, yeah, I would say, you know, some verticals are different, but certainly in power and industrial control, I would say the average security posture for the code inside those things is like circa 2001 to 2005. So I think the big question is, well, why do we have that dynamic? And I think if we can solve that dynamic we can really kind of get to the heart of addressing that threat, right?

Michael Daniel: Yeah. So, Sam?

Sam King: So, first thing I'll say is, thank you for acknowledging us being really nice to each other despite the fact that we compete in the cyber security market. I would say that being competitive and being civil are not mutually exclusive, so I think we can all do that. So, I've been in the security industry for over 20 years at this point in time, and there has absolutely been an immense explosion of service providers in the space, and an immense expansion of the understanding of what we do. You know, when I first started, my parents didn't quite understand what I do for a living. Then they got to a point where they were really proud of what I did for a living, and lately they're at a point where they're looking at me and saying, are you really good at your job or not? Because, like, I've gotten the same questions: what are you guys doing, right? And I said, I don't know, I'm going to the Aspen Cyber Security Summit and I'll come back and report to you. So, you know, here's how I would talk about the characteristics of the security market. It is intensely competitive, and there is some positive that comes from it, and there's some risk that gets created as a result of that. The positive that comes from it is that you cannot be complacent as a service provider;
the people whose needs we are serving are thoughtful, discerning, technical buyers that really care about solving the cyber security problem for their organization, right? And with the intense competition that exists, you constantly have to be on your toes. You have to be continually innovating, you cannot stand still, because if you do, then someone else is going to come in. The cycle with which the next generation of the next generation of the next generation technology comes out is really shrinking. So from that perspective competition is a good thing, because it keeps us all very motivated to continually innovate, and to try to address the problem in such a way that you're not just providing a feature or a capability to solve some very narrow aspect of the problem, that you're really trying to get at the business value associated with the cyber security problem that you're tackling. So I think that's one of the positives that comes from this. I also think that because of the relatively easy and tremendous access to capital, there's this equalizing of the playing field between the large players and the smaller players. You can have a startup that has a brilliant idea, perhaps it's getting at systemic risk, perhaps it's getting at a particular, very specific problem, but either way they can get access to capital, they can go spin up their technology inside a cloud service provider, and next thing you know they're competing with a very large organization. So that equalizing of the playing field, I think, also keeps us all thinking about how do you solve this problem in a better, more holistic way. Now, some of the negative that can come from that is that sometimes, in this need to constantly differentiate and to have your message be heard above the noise that exists in the sector, you may chase after some bells and whistles, some features that look really cool, but when you're really thinking about the broad landscape of the business problem that somebody is dealing with, maybe you're not going to have that much of an impact. And I think that is where I will channel what Director Easterly was talking about in her opening remarks. That's where the partnership aspect between those of us that are service providers in this industry and those that are trying to solve the cyber security problem at the front lines inside organizations, whether they be in the public sector or the private sector, comes into the picture. Because if we are held accountable not to producing the coolest feature, but if we're held accountable to are we actually helping them reduce the risk, prevent, or, for those of us that are on the detect and response side, do that in a better, more holistic way, then that helps raise the game for everybody.

Wael Mohamed: I totally agree. I believe, look, the real competition here is the bad guys, and that's the reality. Yes, we can compete or cooperate basically on some projects, or try to, when at the end of the day we're in the business of actually doing business and adding value to our customers, and we can take that value that we add and reinvest and innovate and so forth. But new companies always keep us on our toes, because they always look at something that is very, very small, maybe it's not on our radar because of our size, our priorities, basically, and they can reimagine something that will become important tomorrow. I believe innovation is about time, and bigger companies have resources, have money, but the only thing we don't have is time, especially in our space. Like, if you are in the hardware space you have a different cycle than the software space; in the cyber security space we're dealing in seconds, and we always have to react, and when you always have to react you basically have to have a different DNA. And I do believe there's always going to be room for innovation. When I have one of my customers, because there are no silver bullets, and when you go to the customer, none of us goes to the customer and says, by the way, I can solve all
your problems. That's not true. This is what I can solve very well, this is what I'm very good at, and be able to provide that. And we know we have to be able to work together, and when the customer is down we forget we're competing; we basically have to figure out how to bring this customer up. And in my industry, for many years, we always picked up the phone and called each other and said, hey, this customer is down, how can we collaborate? Organizations like yours actually encourage us to have a platform for sharing. It's important. As you mentioned, information is becoming stale very quickly. In the old days, if you had something that is basically of importance and you held it for a month, you felt that you had something valuable; now it's like 24 hours and it's already been known. So, how to deal with that? One of the things that actually wakes me up at night is the stealth attacks. We hear all the stuff in the news; by the time you hear about it, it's basically either not sophisticated or it's already happened. But good thieves do not break a window, do not leave anything on the carpet; they do not tell you that you are actually in the house you are in; they are in and out. And there are basically those attacks where they are already in and we don't know for months, you know, I mean, it's extremely dangerous. One of the things we've done better than a lot of other countries is disclosures. Like, we hear about a lot of attacks happening because we have an obligation to disclose, and we have really perfected how we can deal with that and strike this balance between how you disclose and not basically providing the information to the bad guys. But there's a lot of countries that are behind on that, and I can assure you there's tons of attacks happening that we see every day, that basically in a lot of places around the world are not disclosed. And disclosure is very important, because that's how you can be able to mitigate the risk. If the bad guys know that they're going to get caught, and their techniques have basically been captured, and we understand it and we can have the right IOCs and can do the sharing, we can close that window. There's tons we need to be able to do, but I'm very optimistic that we're getting way better at basically perfecting the disclosures.

Michael Daniel: Yeah, that's great. Go ahead.

Ang Cui: Everything very optimistic. So, I like it. So, you know, in response to the thing you said about, you know, the bad guys are our biggest problems, you know, well, that's probably true, right? But if we look at not just the cyber security industry, let's just think about the tech industry as a whole, I think the tech industry is the tech industry's biggest systemic risk. And I'll give you an example, right, in two directions. So, you know, the more obvious one is we love making new things with, yeah, frivolous, you know, functionality, right, or maybe, you know, in retrospect, not the most prudent things to put on things. I know filters, perhaps cat filters are, I think, good; it'll be probably, that's the thing that's going to save democracy. But right, so one example: you know, I was looking at a brand new fault protection relay, right? And these are the things that are the first line of defense for, you know, a substation, power grid. If there's a line down, over current, right, this thing is a computer that disconnects, so power lines don't burn and things don't catch on fire, right? And you know, I'm sure we've all heard, you know, the first thing we should do, right, is enforce an air gap in this network, and everybody says, like, air gap is the first thing you've got to do. And this is a brand new 2021 product, and, you know, they say that in the manual, but on the side of the physical box they have a Google Play and an Apple App Store logo. And I said, what does that mean? And you know, you scan the QR code, and the thing is, you know, you can control it right from your iPhone. And you know, this is not like a commercial, right, fault protection relay; I mean, no, this is the thing that actually is about to get rolled into critical infrastructure right now. So in this case,
right, you know, the tech industry loves to put in all of these new ways of access, and a lot of times I think we kind of run before we really think about whether we should. You know, the whole, like, you know, run fast and break things, cool for Facebook, right, but, you know, maybe not the greatest for critical infrastructure things. And the bad guys, sure, they're there, their job is to take advantage of the vulnerabilities of the things that we build. So, you know, so that's one part of it. And the other part, simultaneously, right, the tech industry also has a way of not getting rid of the really old legacy things. So we're suffering from both problems at the same time. It's almost paradoxical, but, right, we have too many things that are way too old to have any security, and we keep on building really new things that have all sorts of connectivity and very little security. So, yeah.

Michael Daniel: But I think this actually raises an interesting point that really has struck me over the years as I have been involved with cyber security: that so much of the challenges that we're talking about here are as much about the economics of the problem as they are about the technology of the problem. So why do we have all of those legacy systems still hanging around? That's about economics, right? It's because it's more economical in many ways to keep those systems around, right? Why don't companies patch when they know that they should? I mean, it's not because they're stupid, right? It's because it just doesn't make it up on the mission priority list, right? It's about the economics. And even when Window was talking about the economics of the devices, right, on the previous panel, right, why are the devices run that slim, with as few protections put in? It's as much about economics as it is about the technology. And so I'm really interested in your thinking about sort of how the economics of the network effects, right, of, there's an advantage to having everybody on the same platform or using the same, you know, software, right, that's, you know, there's an advantage to that, but that creates a single point of failure, it creates this, it helps create the systemic risk. And so how should we think about the economics of this, particularly, you know, like, from the security industry's point of view? How should we think about the economics of that, and how does that affect what solutions are available for managing systemic risk?

Wael Mohamed: Well, we can absolutely, a great, great, a great point. And just to kind of comment on the optimism about where we are, and your point of introducing a lot of risk because of the innovation on the technology side, I think there is a little bit of balance. I believe the economics is actually moving in the right direction. So let me give an example. Many years ago the CFO would basically say, you need to have basically a business case why you need to have a virtual machine, because our standard is physical. And then a few years later they changed their mind, and they said, look, if you don't put it in a virtual machine, because they realized it's safer and economically actually prudent, you need to give me a reason why you still need to have a physical server. And then now, if you actually do not use cloud, they basically have to make a justification why you need to basically have a different architecture. So the infrastructure change is moving extremely fast, it's more cost effective, and that's forcing all this legacy to move forward, and at a pace that never happened before. So, as security leaders, we need to realize the world is changing, and there's many, many changes. First, the infrastructure change. I mean, when I started my company I thought I was going to do server security, and then it became virtual security, and then it became cloud security, and now we're saying serverless. Can you imagine, when I sat down at my kitchen table building my business plan, there was no imagination to imagine serverless, you know, I mean. And now we're talking about DevOps and the speed and
how to be able to develop. But there's always behavior, user behavior, risk. Now, when people come back, basically post-COVID, there's a new hybrid world where working from home is a reality. There's huge organizations that were designed where you have to be on the inside, and now you need to be able to figure out this new behavior, and we need to adjust to that. And it's happening at a pace that we would never have anticipated. It would probably, if it was not for COVID, it would have taken us 15 years; now it's going to take us months, and you saw how many organizations spun up their organization very quickly. The third, and the most difficult thing for us, is the change of the motivation of the hackers. Ransomware is not a new thing; it existed, but they used to go to your PC and capture some pictures and try to say, can you pay me this so I can give you your information back. And now they can go to a pipeline, and it can turn on very mission-critical systems. It's an old technique; it's just basically used in a new way. So to go back to you, I think the economics is working to our advantage, and you'll find that we're going to be moving to the new system faster, and we as an industry need to accept that, we need to accept that it's cheaper to move to the new system. But here's a big risk: I cannot buy anything that's not smart. I cannot buy an old TV, I cannot buy an old fridge, whether I like it or not. And now I need to know, in a hospital system, is this fridge for my lunch or is it for the blood? And the risk is totally different, and now I need to look at it: it is not just a fridge, I mean what it does and what it is and how it's going to be sitting in the network and how I'm going to deal with it. And these are things we're going to need to completely revisit, the way we actually look at risk, not only internally and externally, but even internally. And I heard in the previous panel talking about something as simple as a printer. I mean, a printer is a mission-critical system, because it actually takes a huge amount of data. You can send the contract, you can send very confidential information, and a simple hijacking of that printer, that looks like a very low-level device, can become very, very dangerous. Or a camera, or a thermometer. And it's just a new world. So economically, I think things are improving, because it's getting cheaper; it adds more challenge on us because we need to really innovate faster. But here's the beauty, as I hear you talk: I'm very proud of our industry being able to attract those smart people to our industry to think about these problems, and there's tons of problems to be solved. And our competition, the bad guys, they come from different education backgrounds. Diversity is going to be very important. Our number one challenge right now is talent: how we can draw diverse talent. We have a huge shortage, and we need to figure out how we can attract them and keep them on the right side; there is a lot of money to be made on the wrong side. And I think the partnership between government and industry is going to be a big, big factor in that.

Michael Daniel: Yeah. Sam?

Sam King: So I think there's a lot embedded within this question around the economics as they relate to the network effects of using certain service providers or software platforms and so forth. Let me try to address it from a few different perspectives. So, first of all, I think the question of economics lands very differently when you're talking about the economics from the attacker perspective versus the economics from the defender perspective, right? For attackers: relatively low cost, very high returns, very profitable, a big business, right? From the defender's point of view, with respect to continued use of old technologies, and I think it is a great point that you made about, we see simultaneously tremendous use of old and tremendous adoption of new, and then probably everything in between, right? So we don't all move consistently to the new. So you have these vulnerabilities that were present in old systems that are latent, and then as digital transformation
has been occurring and systems have been getting connected at a faster pace, now that vulnerability is no longer latent, right? Someone can take advantage of that. But when you think about the economics, you can certainly talk about how, you know, it's cheaper for me to just stay with the old and not go to the new, till that's no longer true. Because all of a sudden, on a particular day, you can't find the talent to keep up the old stuff, speaking to your point, Wael; it becomes more expensive to make changes on the old stuff. A lot of the migration to the cloud, a lot of digital transformation, you hear people talking about taking their monolith and either breaking it apart into microservices, or sometimes, because they don't want to undertake that effort because they think it might be too expensive, they're taking the monolith and migrating the monolith to the cloud and then building cloud services around it. But you're carrying some of that cost and you're carrying some of that technical debt with you. You know, it also behooves us to look at some aspects of the economics that have been known for quite some time, but take better action on them. So I think NIST has published this data forever, which is, it is 30 times more expensive to fix the problem once that application or system gets in production versus doing it when you're actually developing it. So if you know that, then why do you not do it while you're developing it? That's where the time pressures of getting new functionality to the market come into the picture, right? Because if you're a business, you ultimately have got two problems: growth, and all the other problems, right? And how you're going to drive growth is you're going to drive growth by creating new experiences, by attracting your customers, whoever they may be, to your products and offerings versus your competitors'. Increasingly you're going to do that by creating these new, amazing, sticky digital experiences; you're going to do that by getting great functionality out to market sooner, right? So then that's where you get this juxtaposition of speed to market driving revenue versus building it more securely, doing it right. I know it's cheaper to do it right here than doing it later, but I might rush and get code out, which a lot of people actually say they will do; they oftentimes ship code with vulnerabilities present in it, right? So I think those are the factors that we have to take into consideration. And there have been some moves within technology, talking to, you know, holding technology accountable to creating secure technology. DevOps is a movement that's changing up how software development gets done; DevOps very quickly turned into DevSecOps, and I would argue that in doing so it took into account that economic model: it's cheaper to fix it sooner than doing it later. So there are opportunities present too in this migration from the old to the new.

Michael Daniel: Yeah. And I think the other piece that strikes me is that this is also a space, then, where the government has to think about how it might want to be involved and shape the market, right? And are there ways that it can help address some of that, you know, first to market wins, second to market dead, right? So that, you know, there's pressure to not deal with the security questions, right? And there are places where we might want to say we actually want to slow that down as a society, as a digital ecosystem; we want to actually slow that down a little bit to give us the time to think these things through and to bake in the security from the beginning. I know I'll turn to you in just one second on this question, but, you know, we were talking previously about how this affects the federal government too. Many people complain about the old technology you see in the federal government, but that's not entirely because the federal government is just bureaucratic and slow. It is incredibly easier to get money from Congress to keep old systems running than it is to get money to buy new systems. So if you're a federal manager, or if you're, you know, if you're an expert
or someone in the federal government responsible for running an IT system, it is eminently practical and logical to keep the old system running, because you can get money for that and you cannot get money to buy a new thing. So of course that's what you're going to do. So I think those economic and structural issues are ones that are very important for the security industry to think about as we look to how we shape innovation to deal with the systemic risk problems. But I'll let you weigh in.

Yeah, so, man, lots of things to say. The first thing, on the optimism thing: I think for security people fundamentally we have to simultaneously be a pessimist, because we think there are problems that need to be fixed, and an optimist, because we think we might be able to actually fix some of these problems. In terms of the network effect and having mass adoption of a single system, does that actually improve security or make security worse? I think all of the things we've been saying here largely apply to general purpose computing. If you want to do a cloud, you can do a lot of really good things to improve security across the board. Looking at critical infrastructure things, though, I think the dynamics are very much different. You don't have the same dynamic where you can just replace all of your Cisco routers on the internet. You can't switch out every fault protection relay. I'm sure people would like to sell you new fault protection relays, but I'm here to say I would put a whole lot of money on that never really happening. We're going to be living in this perpetual legacy security problem forever, going forward, unless it all burns down and we have to rebuild again, which won't happen. And in terms of the security versus mass adoption or network effect thing, I do think that that's
actually a false choice, or that's not a real connection, at least in critical infrastructure things. Because, number one, it's not true that if you have the same device, that device can't use technology to intentionally hype diversity and actually prevent exploitation of it. You can have one lineage of technology that actually is more secure than 50 different ones. And in this country, if you look at critical infrastructure, we already have the network effect. If you look inside, let's say, any power station, there's one vendor that roughly has, what, like 75% of this country's power distribution market. And if you look at PLCs, not that many companies make PLCs; there's effectively three or four major players. The players shift from the US to the rest of the world, but we have very few major players that have these entrenched products that don't change very much, and sometimes they change a lot by putting a Bluetooth chip on, and you really have to ask why. And finally, in terms of the economics of security, how to change security for critical infrastructure, I would say I do see that fundamentally there's a misalignment of incentives between the people who manufacture devices that go into critical infrastructure and how much security they build in, and the incentive of the market demanding additional security. Because, again, the people who make the stuff do not actually have to pay very much when the operators are compromised through the products that they make, because operators have to pay for the cleanup. I think if we can address that misalignment of incentives then we can really get at the heart of that problem. But we're not really going to be able to until we start really looking at that policy.

Excellent. So we've got slightly less than five minutes left in the discussion, and so I'm going
to end with this question: what's one action an organizational leader could take in the short term to try to better safeguard themselves against the systemic risk that we've been talking about this morning? So, Sam, why don't we start with you.

So I think it starts with visibility. If you are a single organization, you are dependent on technologies, you're dependent on software and code, some of which you've written, some of which you're getting from third parties. I think asking your organization to first and foremost have an understanding of what do we use, what versions of things do we use, where do we have some concentrated risk because we're using a third-party supplier perhaps for multiple business units or what have you: that visibility starts to create the ability to take action. It starts to create better vigilance around what new vulnerabilities have been discovered with these technologies that we're using, and if you know where you're using them then you can immediately shift your effort and attention to reacting to that and patching it, versus going out and figuring out "where am I using that version of OpenSSL?" When Heartbleed came out, as an example, so much of the energy at first was just spent on discovering. So I think if we can create visibility around what it is that we're using, and then, going to your previous question around the role of the federal government, this is where aggregating some of that information in an anonymized fashion across multiple organizations can start to give you a sense for where the concentrated risk is when you think about the ecosystem more broadly. And so I think if there's one area that I would ask people to focus their attention on, it is getting visibility into what you are using. And we have published a report called the State of Software Security report, where we provide visibility into the use of open source: what open source is most prevalent, which is on the rise, which is on the decline. So also making use of those
kinds of sources to get smarter on what you have, so that you're in a better position to defend and to respond when new vulnerabilities or new issues invariably arise.

Excellent.

Okay, one thing. I would say, thinking about this from the perspective of, again, critical infrastructure: if you're a user of these devices, you run some type of critical infrastructure, be it in government or in the commercial space, I would say very much like what you said, knowing what's bad in the firmware of the things is step number one. And I think software SBOM is a good idea; it's just the start. But if you don't have the real, no-BS answer to what is actually in the firmware and how bad the security is, or how good it is, you can't really start making decisions on which PLC is actually more secure than the other. And then, in that same sentence, I'll say once you have that information, go and complain. Complain to the federal regulators, go and complain to the device manufacturers, and let's really, we need to start holding those folks' feet to the fire to say it's probably not okay to ship an operating system you compiled back in 2005 in a product you're selling in 2021. But you can't say that unless you actually know that fact. So find out some facts and go complain.

An SBOM, a very good acronym, software bill of materials, just to unpack that a little bit. But I agree, and we'll give you the last word here.

I do agree visibility is very important. You cannot really protect what you don't really know, and you need to understand, and SBOM will be definitely very important so you can be able to know if these components, do you really have them or not, and if you do have them, what you're going to do about that. If I have one thing to be able to give as advice to any customer, I always say: ask yourself a question, are you currently under attack or not? And if you are, do you
have all the right mechanisms so you can be able to react? And if you're not, do you really know exactly how you can be able to deal with it when you do? I remember one industry colleague told me, when their peer, another competing organization, basically got hacked, his CEO called him and he said, why would we not act? I mean, because he said, look, let me assume that our business is not better than them, and if they got attacked then we could be attacked. I need to understand where we stand. And that's going back to visibility, and I think the most important thing, basically, as industry leaders, is to be able to provide visibility: how can I show you where you are, where you stand, and then the best action you can be able to take, economically.

Excellent. Well, thank you for the great discussion this morning. I think we've covered a lot of ground, and we've actually built on the previous discussions in the previous panel and have set up the next panel quite nicely. So thank you for your time and participation this morning. Thank you, thank you, thank you. Great speakers.

[Applause]

Great, thank you, Michael, so much for that great panel. I'm Garrett Graff, I'm the director of the cyber initiatives at the Aspen Institute, and I am here to introduce our next set of panelists. We will have a slight programming change due to the vagaries of actually hosting things in person. Paul Abbate, the deputy director of the FBI, is running late today and not able to make it, but the good news is we already have one former deputy director of the FBI on stage today. So I'm welcoming back Kelly Born of the Hewlett Cyber Initiative; Sean Joyce, former deputy director of the FBI, now with PwC; Mieke Eoyang, the deputy assistant secretary for cyber policy at the Pentagon; and Kevin Mandia of FireEye, one of the industry's leading thinkers and threat researchers. So thanks very much for continuing to stick with us today at the Aspen Cyber Summit. And Kelly, over to you.

Garrett, thank you. Yes, I'm back. Nice
to see all of you today for this conversation about nation states and organized crime. I want to make this a little bit more of a conversation, so I have about a half dozen questions for you all, but then also really want to welcome you to ask questions of one another, because it's such an interesting panel we've got here. But I think I want to start, Sean, with one for you, which is really: how have you seen the landscape of cybercrime evolve over the last decade? It was about 10 years ago that you first started, in 2011, as deputy director of the FBI. And what do you see as the front lines today?

So I'll do my best first to impersonate Paul Abbate. But I really think the threat landscape, we've heard from multiple folks this morning that it is constantly evolving, and one thing that I think we all see is it's constantly changing. But when you look at the criminals, I think probably 20 years ago, to be in the business you ought to be very technical, and those were the people. Still, when you look at the Eastern European area where a lot of the prolific hackers emanated from, that was a thing. Now we've seen it really become cybercrime as a service, and proliferating their malware and their tools, so that you're seeing, those of you out there listening that are as old as I am, if you remember those old Nigerian scam letters, it has really just proliferated, I think, in the cyber realm. And then furthermore on the criminals, like the ransomware, it's almost like a gold rush: where can we make money? And so Michael mentioned in the previous panel the economics, so I think we've seen a great change there, in a rush to what I think a lot of companies are dealing with right now. On the nation state, I think it's about, really, the barriers to entry are so low. So it's not like you have to have a standing army, it's not like you need a nuclear arsenal. You actually need a team of smart people that give them the ability to do
things that many nation states were doing. So I think you're seeing a lot more nation states that typically we didn't see in that space come into that space, and that to me is concerning in itself.

And Kevin, Mieke, I'd love to hear your thoughts on that as well, from your respective perches, of just how you've seen the landscape evolve in the time that you've been in this field.

Yeah, I mean, I think it's really interesting. I think early on the nation state capability was really the thing that we worried about, because when a nation state is able to put its resources toward developing significant disruptive capability, that was something that worries us from the national security perspective. But as we're talking about here, ransomware as a service makes those disruptive tools available to a much wider range of people, and we're seeing increasingly fuzzy relationships between nation-state actors and criminals, and we are particularly worried about those nation-states that create a safe haven and a comfortable environment for the criminal actors to operate in. That is something that we have to start addressing directly with those nations. But I think it is a real challenge, because as we all saw with Colonial, the criminal actor now has the ability to impose consequences on the average American as they go about their lives in a way that was unimaginable, I think, 10 years ago. And I think that's part of the reason why I, as a defense official, am sitting here on this panel: because it's now at a nation-state threat level, and it's now at a national security threat level that is something we have to take on. We cannot just sort of sit back and protect our own networks and defend our way out of the situation. You saw that in 2018, where the department said we have to be able to go outside of our networks and try and disrupt adversaries where they are. That was something that we did in response to the 2016 elections. But now the criminal, especially the ransomware actors, have risen
in priority for the Department of Defense in a way that we actually spend a fair amount of resources focusing on this threat.

I think two changes I saw. And by the way, whenever you go last you have to put the last bread crumbs on the table. But the two changes that I think accelerated over the last few years: having an anonymous currency clearly enables bad guys, period. And so with the rise of the digital or the cryptocurrencies I think we saw more lucrative and more anonymous criminal attacks. And then it was somewhere around 2016 or 2017, which means I was five years later than when it really happened, I noticed whoever's breaking in and whoever's doing the crime aren't even the same people anymore. There was a time where doing the blocking and tackling to stop, like, 90% of the drive-by shootings on the information highway, that was good enough to stop the criminals, because they were looking for the lowest hanging fruit. But now I think the criminal element is buying the access from folks that we're having a harder time putting in a bucket as to who they are. So we're responding to about 100 breaches, a little more than that, right now, and on the criminal ones I'm not sure whoever got initial access is the same person as who's actually conducting the crime. So that's a long-winded way of saying they might be getting better, and that there'll be a criminal element that's operating above the slop, the low-hanging fruit, as I called it. And for those folks that are trying to protect themselves, let's say, from 99% of the threat actors instead of just 90% of the criminals, they'll do pretty good. But you're seeing the tools and tactics of the criminal element rising.

You know, Kelly, I think an important question out of here, though, is why does it matter? The threat landscape, why does it matter? How does it change the rest of us outside?

That's right.

And all those people in the companies listening. There are a lot of people that say, well, it doesn't matter about
attribution, and I would say, au contraire. And to really understand the threat, and this is where I think you get into Director Easterly's statement about defense: well, to understand defense and to play defense you have to understand the risk. And right now I don't think the government has the ability to understand the risk, and I don't think the private sector has the ability to understand the risk. And if you understand the risk, I think you're able to more effectively manage that risk. Like, we all keep saying cyber, cyber is a risk. The reason why it's so different is policymakers don't understand it, legislators don't understand it, and most business people don't understand it. So when we talk about this threat landscape changing, all those risk professionals out there and practitioners every day, they have to understand what does that mean to how they actually respond and mitigate, and unfortunately, as Kevin and I know oh so well, recover, and actually learn from that. And I think that's where it's important on both sides to really say, okay, the threat landscape is changing, but what does that mean for us?

Well, and I think that relates to the next question I would ask, which is: as we're seeing these blurrier lines between nation state adversaries and non-state actors, you've talked a little bit about attribution, but what are the real practical implications of this? Does that affect, for example, from the FBI's perspective, the ability to impose costs?

So, impersonating my friend again, I don't think it does. I mean, we're seeing, I mean, all intelligence agencies around the world have used proxies as long as nation states have been spying. So I think, going back to what Kevin was saying, and Mieke mentioned, it's these blurring of lines, and being able to, I think, delineate and understand who is doing what so you can actually impose those costs and consequences. So this isn't just a defensive play. To play a good defense, you have to actually know and
understand the offense, and you can't be on defense all the time.

I would say since the start of the administration we've seen a real increase in the focus on going after the criminal actor. DOJ and FBI have set up some new task forces to focus on this area. Our cooperation in the Defense Department with our law enforcement partners has really increased. And I think you saw this in the Lisa Monaco press conference about the Colonial Pipeline wallet seizure, the Rule 41 cleanup of the Microsoft web shells: you've seen the government thinking about much more creative use of its tools and authorities to try and help protect the American people, to try and impose additional costs on the adversary, all the way up to the President of the United States addressing his concerns about ransomware directly with a foreign head of state, which we've not seen before. That's actually a big step of trying to address this through the entire spectrum of the relationship between the criminal and the nation-state actor, from the lowest level individual on keyboard who's in it for the profit, all the way up to trying to change the orientation of a nation state about how it's going to do enforcement. So it's a much more cohesive approach to the problem, I think, than we've seen before. And I think it's really trying to get at what are the motivations of the people. This can't just be about securing our systems or going on offense about tools, but we have to think about how we impose costs in a much more significant way. And this is really a whole-of-government effort that we've brought to bear here.

Thanks, Mieke. Kevin, anything you want to add here? Sean? Or I'd love to also move on to questions around harboring cyber criminals, but anything...

I guess I might as well add something, even though I don't even think this addresses your question. As I was thinking about it, I think we're all going to come up with, no nation likes ransomware, and I think we can come up
with rules of engagement that will apply to criminal elements, and you'll have countries that abide by those rules and say these are crimes, we don't want to deal with it, and if you're a nation that harbors these folks and you don't impose consequences, maybe we will. But I don't think we'll ever have rules of engagement for espionage, because of the asymmetry, and the fact that when you really sit down and think about it, it's just hard to come up with an arrangement where North Korea would say, yeah, okay, those are the rules, we'll abide by them. And the question just is where's that line where national interests become criminal. But I think there's a large bucket of criminal activity that we can define, that you can have a bunch of nations aligned behind, and impose a lot more consequence on either the people that conduct those crimes or the nations that are harboring those folks and allowing them to do it. And ransomware, quite frankly, is probably the easiest one to define and go kill it with a whole international alliance, and a lot of nations that want to just put it to bed over time.

But I would add, Kevin, to what you're saying, it's not just the government's actions. So when we talk about the whole theme here of systemic risk, and we talked in several previous panels about critical infrastructure: 80 to 90 percent of the US critical infrastructure is owned by the private sector. Okay, so to me 80 to 90 percent of the intelligence should be coming from the private sector. And I think the private sector has a responsibility to do a much better job managing that risk. There's such a disparity between some organizations that do a phenomenal job and maybe some that don't feel the need to invest so much. And then how do we change the paradigm with the government? So Jen mentioned, hey, one of the things that's still there with the government was bureaucracy. How do we get rid of those jurisdictional lines? How do we get rid of this committee has oversight over
this agency, so we're going to put authorities in this place? And how do we actually embed and integrate the private sector into these actions? Now you see it with some of the ISPs out there and some of the companies that actually have done some takedowns. But I think that cooperation, that integration, going back, everyone's mentioned it, team sport, collaboration, all of that. I would say it's great to have informal relationships where we like each other; I think it has to be hardwired to work.

Yeah, I appreciated an op-ed I think you'd written in the Washington Post recently about this.

Yeah.

So moving on to nation-states harboring cyber criminals, something we've seen a lot of, I would love to hear your thoughts on the implications of this. Is there a point at which this kind of assistance turns criminal operations into actually nation-state activity, and what does that mean for the kinds of authorities that can be brought to bear here?

Yeah, I think this is actually a really tough factual question and requires a fair amount of intelligence to be able to figure out what the relationship state is between the nation state and the criminal. And I really appreciate some research that Jay Healey had done on this taxonomy of levels of state responsibility in this area. But one of the things that we try to model, and try and encourage other nation states to do, is that, you know, we have seen in other countries that their nation state capability, those guys will hack for the country by day and go home and hack for profit at night, and that's never something that we would allow in the United States. And if any defense employees are doing that, I think the FBI would like to have a word with you about it. But we have a sense of responsibility for our own forces. So we have highly capable people inside the Department of Defense, but they're not out there committing these kinds of attacks on other nations, where we see other nation states using that in a variety of environments, and
then some other states who find advantage in allowing this sort of ecosystem to flourish, where there are loose connections between the nation state and the criminal actors, and they may use them for access, they may use them for obfuscation, they may not have direct control in it, or they may. And so that's a very tough intelligence question to answer. But the bigger issue is how do you get nation states to take responsibility for the threats that emanate from their territory? How do you say, look, you're either creating a permissive environment or you're directing attacks, and we need to have a conversation about this, country to country, at least from the Defense Department, and meanwhile the FBI and DOJ continue on their business of going about prosecuting the individuals. But it does become at some level a conversation between countries, where we have to talk to them about, look, you really have to stop, you really have to get this under control. And you're starting to see those conversations happen now, not just from the US but around the world, and you see that in a lot of the attribution statements that happened internationally. Hafnium was a great example of that kind of collaboration.

Yeah. Anything either of you would add to that, or...

Sean hasn't... I don't know why Kevin's pointing, that was... I actually think we have started, and the government has initiated, several groups to try to bring some of that collaboration. And as many of us know, it's a multi-pronged approach. So it's the State Department, it's the Department of Justice, I argue it's the private sector, it's the Department of Treasury with sanctions. It is that multi-pronged approach to doing this. But we've got to establish those norms, and right now, I don't know if anyone up here knows, but I'm not aware of any norms in the cyber environment that actually exist where we just say, no, that's a red line, that is not acceptable behavior, and you will suffer consequences for that behavior. And
I think we're getting closer to doing that. I think the UK has been a leader in that dimension. And, folks, if you haven't read it, the UK just came out with their national resilience strategy, and it actually is, I think, a great approach, where they're looking at: hey, do you understand the risk? We already talked about that. As a risk practitioner, we all need to understand what this risk truly encompasses. What are you doing to prepare, mitigate, respond, and recover? And then, as Director Easterly mentioned previously, this is everybody's job, all the way down to the user. When she said, hey, if I could tell everyone to do one thing, MFA, I'm with you on doing the MFA. But it's everyone's job, and that is not the culture of the society we live in right now. It's the CISO's job, or it's CISA's job, or it's the FBI's job. No, it's all of our job. It's truly that team sport.

Yeah, I think if you go out a few years, everybody's going to figure out which countries harbor criminals or lack the technical infrastructure to pierce anonymity and impose risk or consequence to them, and you'll see different nations whose citizens have a whole different experience on the internet. I mean, when I look at all the remediation plans that PwC has written over the years and we've written over the years, over time you're just blocking every IP address out of Russia, then you're blocking every IP address from the service providers that the Russians use, and then you're blocking every IP address of the IP addresses, and granted, you're just putting your finger in the dike as it starts to leak. But we're going to get better at this no matter what, and for the countries that want to genuinely be part of a global economy, they're going to have to start imposing rules that meet the requirements of other nations. So I don't think it's going to get worse, I think it will get better over time, and it's already happening naturally. There's already a whole different experience. I bet if all of us flew to Moscow right now and tried to
access, I don't know, any defense industrial base company, you're not going to get there, that would be my guess. If that's not the case, probably you want to talk to those DIB companies and change their ssrma for the DIB. We hope that's not the case. But that being said, it's obvious that there are certain nations that harbor the criminal element, maybe even offer or promote some of these activities. But I feel like that's starting to change already.

So coming back to a point that several of you have made about cyber norms, the lack of any clearly defined red lines at this point: I'm curious, when you think about China versus Russia versus Iran, are there beginnings, to come to your point, of rules or norms there? How do you see each of these nation states operating differently when it comes to these questions?

I would say that there is, in observation, I don't know that it's written down anywhere, but we have not seen a nation state sponsor a cyber attack that's the equivalent of an armed attack, and we've been very clear about that as a red line for the United States: the equivalent of an armed attack is going to get you a response. But below that, I think it's very difficult to define norms. And, you know, I recognize norms are often defined by state practice, and so I'm in the state practice business and not necessarily in the norm writing business. But we think very carefully about that when we engage in activity. We think about what is the reciprocal risk here, do we stand behind this as a nation, are we comfortable with the activity, do we feel like we're doing the right thing here. And so I think over time you will see a body of behavior from responsible nation states, from democracies who are very capable in cyber, of the things they do and don't do. But I think it's really hard to have a normative conversation with other countries, because so much of this activity is clandestine, and so you can't really have sort of the open conversation that you do in the nuclear arena,
where it's like, let's verify each other's capability, and let's talk about what targets we each have, because that kind of transparency just isn't available in the cyber domain. So I think we have to rethink how we establish that dialogue in the international space, with allies and adversaries alike.

Can I, excuse me, can you define an armed attack for me? What does that mean?

Yeah, so we have definitions, but the challenge of armed attacks, of course, is it's a little bit in the eye of the beholder. It's a significant consequence that we would assume. This is not the legal definition, so I apologize to my OGC colleagues, who are probably freaking out about this. But we're talking about destruction, loss of life, serious injury, those sorts of things. So we have not seen that. Now, it's obviously in the purview of a nation state to decide a particular attack is the equivalent of an armed attack and respond via force if they chose to, but we have not seen that happen yet in the international environment.

I think that'll make it interesting. Even just look at Colonial: I think that was a criminal element doing a criminal attack in a nation that allows that sort of thing to happen, but I think there's a ton of unintended consequence there. So the hard part in cyber will be, holy crap, we did not want that to happen when we went on offense and we just blew it up by accident. So it'll be really hard to come up, in my opinion, with a red line in cyber. It's the infamous, you go back to Ronald Reagan, you'll know it when you see it, comment on some other topic. It's a tough one. A lot of people have thought about it for a long time, and I just think on offense you can't always predict the consequences of even encrypting a drive. You don't know if the server is going to crash in five minutes or 45 minutes. And then you heard about the DNS reliance: one domino falls and next thing you know people aren't getting water in Houston and you're like, wow, didn't plan that one.

Yeah, yeah. This is actually a
really important thing, I think, for the criminal element to be thinking about, though, when they are thinking, like, oh, I want to stay off the radar of the most powerful nation in the world with a really large and impressive cyber capability: given what we're talking about with systemic risk, you may not know when that business system that you think you are compromising for fun and profit, from the criminal's perspective, is actually going to lead to physical consequences in the real world, because you may not know the dependencies. And so you may trip over something that is going to put you on the radar of people like me, and that's not going to be a fun day for you in the long run. But I think that it's a very delicate thing, and we have to think a lot about what are the interdependencies and what are the potential downstream effects of these things. And I think Kevin's right that people could trip over something into a much bigger incident than they thought when they started in this activity, which again makes it really hard to enforce norms if you don't really know the intention.

Let me challenge you on that one. All right, do you agree that this country has lost billions of dollars in intellectual property?

Yes.

Okay, so my challenge to you then is, when you talk about norm setting and how difficult it is, do you think we should be doing it?

I think norm setting for espionage is going to be complicated. I really do, because the asymmetry is why North Korea is going to develop more of a cyber component. They're not going to beat us with tanks. I don't know if they know that, but they're probably not going to beat us with tanks. But cyber, the asymmetry allows them to invest more. So I do believe criminal we can define; we can define it as, nations will sign it, we hate ransomware, let's do that and impose economic risk to the nations that harbor those actors. Espionage, I don't think we're going to come up with a ton of agreement.

But I think, I mean,
we get into definitional things about what espionage is, but the nation state responsible for stealing most of the intellectual property does that for economic advantage, right? The United States actually...

Yeah, the infamous, they're like, where's the fine line between I'm securing my nation through economics?

That's right, there's somewhere, and that's the thing. But the United States does not define, right, the collection of foreign intelligence is about intent, capabilities.

Well, that's why I hesitated when you said billions of dollars in damage, because stealing the IP, then you've got to go and do the work to replicate it. But I'd still say it's probably in the billions. I think we've lost a lot of competitive advantage.

I mean, we did try to define that as a norm in the Obama administration and to address that directly, and for a while we did see some limitation of activity. I think you saw, what I think we saw anyway, we used to see over 80 attacks from one group in China to steal IP, and it went down to like five one month before President Xi met with Obama. So clearly there's centralized control of this group. Anyway, and what was amazing is all the attacks against the hedge funds or the companies doing M&A in China did go down, at least from our observables. But I feel like the defense industrial base is still fair game.

I mean, I don't like hearing that.

I mean, I'm just interpreting observation, but yeah.

I think, right, and this is an important conversation that I think nation states have to have with each other, about what are the appropriate boundaries here, and that, you know, a conversation with another national leader can sometimes yield a difference of activity. And so we should make sure that we're trying that option to try and reduce the risk to the United States.

One of the things that was interesting, Sean, you'd said it, like a lot of people don't understand cyber. That goes the same for all the groups that have command and control, where there's a flag officer giving orders to a 24-year-old who's carrying them
out, because I'm still shocked that somebody called Hafnium said, hey, there's a patch coming out, so let's hack a hundred thousand servers. I mean, that's a little loud, and you could almost see the command and control break down a little bit, where somebody said, hey, we've got a great access, you know, we have an exploit that works, it's a zero day, don't lose access, and the 23-year-old interpreted that with, okay, so let's just hack the world. You know, I mean, we're going to have a lot of orders given by folks who don't understand the tech, and the folks on the front lines that implement it, you're going to see a disconnect there from time to time.

I would say, given the amount of time that I spend thinking about these things and working with these things inside the government, and the amount of oversight that we have inside the Defense Department, I think mature nations need to have that. They need to have very clear understandings of what their forces are doing, that they're not doing things that they don't intend, and I'm not sure that all nations have that kind of insight into what's happening at other levels. And, you know, I think it's one of the basic principles of the United States military, and I think that we should be striving towards that in cyberspace as well.

And what do you think can be done to improve that? I think from your prior approach at the FBI and from your current perch.

I think there's a bunch of things, like I mentioned, that multi-pronged approach, but I want to bring it back to the companies out there that are actually getting hit every day. And this is where I think you get into the JCDC that Director Easterly mentioned. Like, we have to make some type of hardwire where the private sector actually shares all of that information without repercussion. There has to be some type of standard hygiene that is out there. But if they're able to provide the government, and the government, it's a two-way street, right, that is a team sport, it's a two-way street, but if they're able to get that picture of what that
risk really looks like, Jen's going to be able to do her job much better in that defend mission, right? We collectively, as in the private sector, are going to be able to understand the risk and defend it better, and it's also going to give, I think, the policy makers actually better information to have those discussions through the State Department, the Department of Defense, the Department of Justice, to really, I think, combat the issue.

Yeah, I would say for the private sector, from a deterrence perspective, making sure that you are resilient, to try and prevent some of those collateral impacts, is really important, because there's a lot of deterrence that can happen against those criminal actors if people are in a position where it doesn't really provide an interruption. And it's the interruption that creates the motivation to pay. And so if people are resilient and it just sort of rolls off, then the criminal's not going to be able to cause that kind of incident. But that's not something that we in the government can, you know, have a lot of control or insight into.

Kevin, anything to add here?

So I wanted to come back to this question a moment ago that you had brought up about roles in the government, and just thinking about, outside of law enforcement actions, how does the government demonstrate to the public that it's countering adversaries when cyber ops are often only working when they are done in secret? I don't know how you think about this, Mieke.

I think that, yeah, I mean, look, this is a really tough thing, because in the department we don't discuss operational activity, but we are part of whole-of-government efforts to defend the nation, and that's been part of our mission since 2018, elections defense, and then you see us moving into that in the ransomware space. But those missions are not DoD alone. They are in support of our law enforcement partners, they are in support of DHS, and how we work with them. And I think that we play an important role. You know, our capabilities are pointed outside the United States, but that's where
often the adversaries are, and so we can help a lot: identify tactics, techniques that the adversary is using, help locate, do all kinds of things like that to make law enforcement's job easier. But I think that it's really important for the American people to see, especially with the ransomware, that law enforcement is taking a public role in disrupting these kinds of activities. I mentioned a couple of instances of this before, but also with indictments, trying to arrest individuals when they travel to third countries, arrest them if they come to the United States, putting out indictments so that it's very clear that we deem this activity as, you know, criminal and not legitimate. I think that those kinds of things are really important. The department's activities will necessarily not be something that we'll spend a lot of time talking about. Hopefully, for the reporters listening, please don't make me have to talk about them by writing really interesting articles. But, you know, I think it is something that there are ways that the American people can have confidence that their government is actually doing a lot more to defend against this particular threat, and we can talk about the mission that we've taken on.

So I would agree with you, and I think, right, everyone knows the FBI has a dual mission. It has an intelligence mission, it has a law enforcement mission. I think we could do a better job, with, like, the takedown, as we did recently, you know, tracking the cryptocurrency and actually recovering that. And I think we can also accentuate the cooperation with the private sector. So I think that's important, and I think we can be more transparent doing that. Also, though, let's not forget out in the private sector there are a lot of cleared individuals, right? And we should be having that dialogue with them on the intelligence side to the extent that we can, right, in basically ensuring them that some of that is being met. I mean, that's very hard when you get into an intelligence operation, as far as it's just not
going to go public. It's not, sort of, the nature of what they do, in revealing techniques, tactics and protocols, right? So I think it's a challenge, and Kevin, I'd be interested what you think of that, because you've done a lot of work, and when you did that first thing on the PLA, right, that foreshadowed, and you went to Congress.

To me, it's, you know, we can't just always play defense. I've said this for like 20 years: no matter what company you are with, no matter how many great people you have, great technology you have, you can have a bad day. On offense, even the crappiest hockey players, if they get a thousand shots on goal, will put the puck in the net. And so I like what I'm seeing. I can sense there's going to be change, but nations do have to hold other nations accountable for reining in the criminal element, period, however they've got to do that. If you can't get to the person, and you may not be able to, you have to hold the nations accountable. So I think attribution matters, and that our government, to me, attribution, you know, the private sector can do the best they can there, but the reality is that sovereign nations are the ones that are going to have to have the bar for what's the line for attribution and confidence level, and then hold nations accountable to it. You know, the private sector will do its best. Like, I can tell you the top board topic right now is resiliency: how do we make sure we can recover from backups, not pay a ransom, and have our core assets up and running in six hours? So the private sector, though, doesn't want to just play defense. They want to know that the people that are causing us harm, you know, I don't think Joe Blount should have to go through what he went through. I don't think Fred Voccola at Kaseya had to go through what he went through. These are good people. They were attacked. We need to impose real repercussions, and I think we have a government that's willing to do that, and I think, even internationally, I think you're going to see more effort to get
attribution right, and we don't even need perfect. Just get to the right country, get to the right citizens behind it.

Yeah, this is, you and Jen talked about the voluntary reporting, and I think this is actually really important. Even if companies get to the point where a ransomware attack is a resilient thing that's sort of a hassle and then they move on, it's really important for those of us who are on offense that people report those incidents, because then we can start understanding what kinds of victims attackers are going after. The government may be able to do something to help, but if people pay and don't say anything, then we don't necessarily know what the depth of capability of the adversary is and what kinds of targets they're going after. So it's really important that when people get hit, they're reporting to law enforcement, they're sharing that incident. I know it's really scary to sort of talk about it, because, you know, Kevin's clients, well, no, that's a bad day for anybody. But we will be able to do something, or we hope that we will be able to do something, if you tell us. We certainly won't be able to do anything if you don't tell them.

Absolutely. I appreciated your point, Sean, before, about if 89 to 90 percent of the risk is in the private sector, then 80 to 90 percent of the intel should be coming from there. You know, but to kind of add on to what they're saying, and Kevin was mentioning, like, at the board room this is the issue, right? And I would say it's the issue because regulators are actually stepping up, right? So, you know, I'm working with boards where regulators are actually looking at them for their oversight of this risk. But I think we've got to get, again, cyber risk right. Well, what about those end-of-life systems, right? There's a lot of tech risk out there, in tech debt, as a lot of us call it, right, and it's hard to separate those, right? And so I just think, you know, these regulators, they need to get knowledgeable in this area, and it goes back to, you know, what is the FTC doing, what is the CFPB doing, you know, the OCC and
Fed. I think most of us know in financial services they're pretty active. The SEC is looking to do more in that area. I think, you know, I would ask all our regulators need to step up in the expectations from management and even boards.

Yeah, I mean, you're seeing that. You're seeing Treasury now, right, taking action against a crypto exchange. I think that, and I would not expect that'll be the last one, but, you know, to the extent that there are these exchanges that are facilitating criminal proceeds and are not able to show that their transactions are legitimate, I think that Treasury is looking very carefully at how to deal with that.

I want to come back to a point that you used to make, Kevin, around sort of attribution and just how complicated it is here in this space between nation states and organized crime, and to this question of cyber mercenaries, private actors that are operating at the behest of nation states, some of whom might actually be U.S. allies, and how you're thinking about distinguishing between these actors and criminal groups, thinking like UAE and their operations against Iran, DarkMatter. Like, where are we in terms of attribution?

Well, I think the government has more tools to get it right. The private sector, we usually see it at victim networks. If an adversary is good, they can stay anonymous as long as they're not lazy and they don't have an operational security blunder. It gets really hard. I'll just share it this way: since 2010, we've responded to about, I don't know, 5,000, 6,000 breaches in the last 20 years, and we've always codified the trace evidence left behind in real nerdy ways, with great rigor and discipline. We threw it in a database. In 2010 we only had 40 groups, like everything we were responding to went nice and neatly into 40 different buckets. Oh, it's these guys from China, oh, it's the Russian FSB again, or whatever it was. And now we're up to like 2,900 buckets. It may really only be 40, but everybody's changing so fast that the evidence we see today from the same hacker group is
different than three months ago, so it's another number, and we're trying to join groups. Anonymity: the best hackers in the world are probably pretty darn anonymous. I think you get to the country, and then I think the government resources will get to the country. I do believe that. The challenge we have is this: if there ever is an attack that exploits the systemic risk we have and we don't even know who did it, how do we proportionately respond? I think the whole game comes back to attribution, because if something happens and we just don't like it as a nation, if we know who did it, let's go do something about it, whatever that may be: economic sanctions, diplomatic relations, whatever. But from my company's perspective, attribution is getting more complicated.

And why, Kevin? Why do you see the proliferation from the 40 to the 100?

I think our defense is actually getting better, so that the TTPs do have to change. I mean, you can't use IP address anymore for attribution. It just changes every single intrusion. Anyway, you know, for the SolarWinds intrusions, the attackers used a unique IP address set for every single victim, and then it never got used again, so the whole infrastructure was burned. Same thing, I remember back in the Sony breach, the whole infrastructure used to do that breach was burned during that breach and never used again. So it's just, I think, as our defense actually gets better, you force things like, this year we're having more zero days than, I don't know, the last five years combined, it feels like. You know, and that means defense is getting better. The problem is we'll always have imperfect defense, so we've got to think about imposing risk and consequence.

Okay, one last question. I think we have maybe one or two minutes left, but I just wanted to quickly touch on cyber terrorism. There's been a lot of conversation about, you know, is this an unrealistic threat, is it not? Is it possible that small groups or even individuals could cause a catastrophic incident, and if so, what does that really mean for the
United States?

It's a great question. So I'll take the house: how many ideas do we want to have go public on this one? I would just say, historically, terrorism was handled in a different way, to neutralize the terrorists, and most terrorist groups thought it was to their disadvantage to use or have a digital footprint. So I don't think we saw a lot of activity in that space. I think more concerning is what we saw with the Israeli water supply system and what was done there, and when you're looking at more nation-state bioterrorism-type activities, those are more concerning. But I'm not, I mean, I'll defer to my DoD colleague if she wants to comment more on that.

It's really glad you deferred, I know. I don't know that there's a whole lot I can say about this. I think, you know, certainly it's on our list of threats that we're tracking, and I think that beyond that I'm going to not say anything.

You know, bottom line, as the impact of cyber breaches grows, it'll be a tool used by more and more entities. Anytime there's geopolitical difference or ideological difference, you've got to perceive a threat to the nation.

Well, on that sobering point, thank you all so much for your time here. It's been a really great conversation. I appreciate it.

Kelly, thanks for moderating that panel. Sean, Mieke, Kevin, thanks for a great conversation. So let me introduce our last panel of the morning, or afternoon, depending on where you are watching this. We have a really great conversation coming up here, moderated by Chris Krebs, who is the Senior Newmark Fellow for Cyber Policy here at the Aspen Institute, as well as Marene Allison, the CSO for Johnson & Johnson, which has had an interesting last year in terms of its threat profile and issues on Marene's desk; Noopur Davis, the CISO for Comcast; and Ron Green, the Chief Security Officer for Mastercard. So Chris, take it away.

Thanks for the introduction, Garrett. It's been a great session so far. We've heard a lot about systemic cyber risk, and I want to unpack that a little bit more, maybe put a little bit of context around it,
but before I go there, Jen Easterly's comments, the CISA director's comments, were fantastic this morning. I did take one straight in the heart with the retirement of the pineapple on pizza, so I look forward to what the next disinformation spirit animal, fruit, whatever it may be, is, and I look forward to the kind of who's-that-Pokemon game that they'll play. But just know that pineapples will forever live on. There are socks.

So, all right, let's get into it. So what we've heard a lot about today is systemic cyber risk, which effectively amounts to a horizontal, so it cross-cuts a number of different vertical sectors that make up the economy. What I'd like to start with, though, is that vertical piece, and talk about vertical systemic risk. Jay Healey this morning talked about the Cyberspace Solarium and the systemically important critical infrastructure, and that is about the vertical risk posed to the economy. Essentially there are horizontal aspects, but ultimately it's about those national critical functions that, if they fail, we have a big problem on our hands. What I think is so fascinating about the makeup of this panel is these are really three of the most critical sectors in the American experience over the last 18 months. So Johnson & Johnson, we have a vaccine. Noopur, with Comcast and Xfinity, we had this remote workforce, we had digital learning and the shift in the dynamics. And then Ron, with Mastercard and the payments, and how everything went touchless and contactless and, you know, all our online purchases. So let's start there, and tell us a little bit about the last 18 months, and how did your thinking about risk management change, and how are you adapting and agile in the environment? So Marene, start with you, because you and I were kind of in the trenches there initially.

Yeah, last night's call was to Chris: hey Chris, guess what. So, you know, in health care we've always been, like, the criminal elements coming at us. We do know that there's a nation-state that's out there looking
for intellectual property. We did see some destruction with NotPetya and some of our peer companies, but we've always been what I call in the middle of the pack. We've never been the target, the true target, and we were never at the back, and nobody ever cared about us. The creation of vaccines, and it wasn't just because my company did it, changed the threat profile of health care in a second. Overnight we went from kind of just in the middle of the pack to leading the pack, leading threat or leading attack surface, and that was huge. I look at some of my government service, why I immediately knew that it was very, Chris, how am I going to talk to a government overseas, or in Europe, about classified information or something that happens? How are we going to do that? And so it's really expanding us into, the government is now part of my incident response, where before it was I tell you about the indicators of compromise. Now the government was part of my...

And the government has something to bring to the table from an overwatch perspective, because collection very likely shifted in that time period. Like, okay, we understand that R&D around a vaccine is one of those crown jewels of the United States, and how do we bring the powers of national defense to bear in support? And in part that's what was behind Operation Warp Speed, right?

Yeah.

Okay, so shifting gears here: internet infrastructure. So it's not just about the digital workforce and that moment, that snap of March 13th, and I remember we had a number of phone calls across the sectors where we had a bunch of public health officials on, and CEOs and CISOs were asking about remote work and what that shift is, and when do we make that shift, what should we be looking for, and what was the answer? The answer was always, oh, it's not a trigger, it's a dial, you'll have to adjust. Oh no, oh, it was a trigger. It was schools going home, it was remote distance learning immediately. Workforces didn't have child care, and so we all
signed up. So how did, what was the experience like, not just in Comcast Xfinity but across the industry?

Oh yes, and March 13th was the date. I mean, I will always remember Friday the 13th. Friday the 13th, absolutely. So, you know, we responded in an amazing way. I think the teams that came together to respond to that situation, people literally slept in the office. You know, there were people working around the clock, moving gear from one location to another. There was no way to do that in our traditional ways, right? So people literally getting in cars and vans. So it was a tremendous amount of work, but what we saw happen is, you know, we constantly invest in the network, and that investment, thank goodness, gave us a really good baseline. But my goodness, how quickly we had to respond to that. And the first response was just the symmetry change, right, because the upload and download combination changed, because now you're doing everything from, you know, doctor conferences to Zoom calls to streaming, gaming, everything. Gaming, and, you know, people had more time on their hands, so they're wanting to watch more movies. And so all of that happened, and we had to literally reconfigure the network on the fly and add capacity on the fly.

One thing that really became important for us, and it's always been important, you know, people forget that cyber security actually has three pillars, right? Because there's so much attention paid to, like, data breaches and, you know, regulations around privacy and sensitive data, we forget that there are two other pillars, right? Confidentiality is one, and then integrity and availability are the other two. And for us, that availability bit at that moment, in those first four weeks, was so critical across our company, from a cyber point of view, from a network engineering point of view, from our people in the field, who never actually went home because they were critical workers. So they worked throughout the
worst parts of the pandemic. So, yeah, it was a tremendous response, and, you know, I'm really proud to say that we and our other partners all came together, and we absorbed that shock and were able to keep moving forward.

I think there's going to be a really interesting case study about that investment in the network that you talked about, and how that is an example of building resilience into your risk management strategy, because there were other geographies, including Europe, that were still running on copper to underpin their internet infrastructure, that were not able to absorb that punch, and fiber here, and so...

Not just fiber, but virtualization of the network, right? So we had been working on that, and those six to eight weeks, it's kind of really interesting to go back and reflect on those, but I think our entire virtualization strategy leapt forward by two years. So, you know, our roadmaps were showing us, okay, you know, we have this many vCMTSs and this many, and, you know, it just got compressed. It's like, you know, what we were going to do in 18 months, we're now going to do in eight weeks. And just, that is when, you know, the good fundamentals really help, because those teams were kind of already working on, how do we develop things securely? And so now it was just more things they were developing securely, and in a faster way. So, really, amazing resilience of our people, more than anything else, that we were able to pull that off.

So Ron, I want to pick up on a thread that Noopur talked about, with that two years of really rapid advancement taking place in several weeks, and talk a little bit about your industry, particularly payments and contactless, and what did you see in that crazy spring of 2020?

It's two things, right? So on the contactless payments, we saw like a massive rise in the desire and our deployments of contactless within that quarter, second quarter itself. We delivered more contactless solutions to customers than we did
the previous year, five times more.

Wow.

And so massive advancements on that front, but then just a caution and do no harm. So every quarter we work together with our customers to enable new services and solutions and upgrading of our network. It's a coordinated effort, requires interaction with all of our customers just to support it, just to make sure it comes off flawlessly, because when people are out there and they're buying things, they want that nanosecond response time to come back so they can, you know, buy the medication that they need, buy the food that they need, whatever it is. They don't want to hear that our network's down. So in that second quarter, where it was now everybody's reverting back to home, and our customers were impacted by, you know, not knowing if their employees were going to be able to come in and support the whole change, so for the first time in like 20 years we held off a change on that quarter, because we want to make sure that, do no harm, we want to make sure that people can get access to whatever it is that they're trying to get to as we sort all of this out in the coming year.

It's funny, because I've been back on the road traveling a little bit lately, and I think there's still some communities there perhaps a little bit left behind, and tangent here, but the hospitality industry, I think, particularly when you're talking about hotel room service and the custodial crews, we still need some, maybe some touchless options for leaving tips behind in the rooms. And so just tipping people is still a thing for us to solve.

Yeah, I mean, cash, I can't tell you the last time I had cash in my wallet. It's just one of those things.

Yeah, we were just talking about this. So let's shift gears here a little bit and make that pivot over to the horizontal systemic risk that we've talked about a little bit here today, and thinking about how within your organization you manage your enterprise and how you think about it, whether it's the systemic piece, which
we talked about, which I tend to think is really about third-party aggregated risk, where you have a finite number of solutions, just like, again, like Jay Healey was talking about, from a set number of providers that you're dependent upon, just like everyone else, and then you have to go back to the edge, and it's really the things that are the basics within your networks: your vulnerability management, multi-factor authentication. So can you talk about, Marene, we'll start with you, how you think of your risk registry? What are those things that are internal, external, and how do you balance and develop a good, holistic risk strategy?

Yeah, you know, I've looked over the years at how we as security professionals, it's, we will protect everything equally, and I've now had to change to business resiliency, and what is the risk, business risk. And then looking at that over the last 18 months, obviously we pivoted to what we were doing with the vaccine, and so it gives a different view of things. And what I noticed was there will be some things that I will not patch, I can't patch, it's not worth the effort or the dollar. And I think sometimes as security professionals we really like the idea of perfect security, and I think we heard a lot of the "just patch everything, know everything that's everywhere all the time, it'll be good." But the reality is, will you ever? And especially as we move into the digital world and code is going out all the time, are there some places that it really isn't that important? And so my big pivot was into cyber resiliency and business risk.

Okay, Noopur, how are you thinking about this with just a massive, it is, it's infrastructure, it is just massive.

And Marene and I were actually talking about this over lunch yesterday, that I think there's probably more in common with us, you know, who are running these massive, massive systems, than even in our verticals, because, you know, the kind of problems that we face at scale are very different than, you know, somebody who might be in the
same vertical but not facing that same scale. I totally agree with Marene that, you know, if you've got 10,000 endpoints, you know, you look at them, okay, you know, I can patch them. You know, if you've got half a million or more, then, you know, it's always a risk discussion.

So, but to go back to systemic risk, we worry about probably four categories, wide categories. One is devices. You know, we have devices through supply chains, you know, all the way from the chips that go into those devices to the software that goes in the devices, and the devices are in our customers' homes, and we take that very seriously. So that ecosystem that, you know, comes from that chip level to device level to the software that runs on it, and then how it interconnects into the wider ecosystem, so we pay a lot of attention to that.

The second is the components in our systems. We are more and more DevOps, DevSecOps, so we have, you know, software being built and delivered multiple times a day, and, you know, even something like a bill of materials is an ephemeral point-in-time thing, right? And so how do we kind of build software composition analysis, for example, into those, so that we see that systemic risk and see, you know, where we may be impacted and where we may be impacting the next part, you know, down the chain.

The third is third parties, you know, the risk from working with third parties who are our partners. We can't do our work without them, but, you know, they connect to our network, store data, you know, how do we manage that risk?

And then finally, the one that I've been really thinking about a lot is the concentration of components that we use among very few entities. And I'll give a perfect example. Director Easterly this morning talked about multi-factor, and, you know, I would guess, this is just, like, I don't know the actual metric, but I would guess that half of the planet uses one single supplier of multi-factor authentication systems, right? So think about that risk, that
systemic risk, that, you know, if something happens to that system and it's compromised, you know, we are trusting up so much in our zero trust environments to that. So I do worry a lot about that. And then just one final thing: I also worry about the increasing gap between our hyperscale platform providers and the people who are using those platforms, and that's a very long conversation, so I won't double-click on it right now, but I see systemic risk in that gap, okay, and as that gap gets bigger, I see that risk getting bigger. So, deeper conversation someday.

Got it. I do have it for the record that it was 17 minutes before our first reference to zero trust, and I do want to come back to that, though, because the question I always have is, what does zero trust mean to you, totally, and what did it evolve from? Assume breach, layered defense. But let's not go there yet, because I also want to touch on your CIA triangle that you mentioned before, because there's a really important piece to unpack there on the availability side.

Yes.

Okay, Ron, where are you?

Me, on risks that I think about for our organization, first I'll start with, it's three things. First, it's internal risks. It's the things that, like Marene said, you can't do everything. There's no such thing as, you know, zero risk in the security environment, so sometimes you make decisions, and now you have to track the mitigation to make sure that those are completed, or you have to enhance or mature a particular security program that you have. So what you're doing on the inside, that's the first thing I think about. It's near and dear to me, it's a primary mission. Second is, and it's still supportive of the first, which is our third parties. We've been, I think we got to a place where doing the annual reviews and the annual on-sites, those are how we judge our third parties, but if you look at incidents that have taken place over time here, that just isn't enough, and we're moving, and/or we already have implemented, some continual monitoring
uhrequirements around our third parties toalways have a finger on the pulse of howthey’re doing and what they’re doing inaddition to when things come up likewe talked aboutyou know new vulnerabilities beingreleased and them being a critical thingfor us to resolve having thethe processes and communication paths toreach out to those suppliers and gettingan understanding of whether or not theyknow the suppliers that supply them areare well protected uh against that andit’s something that we work with themand we chase that down that’s that’ssecond third party risk and the thirdthing uh for us isthe ecosystemumif we’re secure butleft and rightmerchants are being compromised and uhconsumers lose faith or trustin the ability for their transaction tobe securedthat’s still a threat to us right soyou know we’vewe’ve done a lot of things and we do alot of things to provide securitysolutions touh others in the ecosystem uh we engagein things likethe cyber uh readiness institute or theglobal cyber alliance in order to helpeven the small mom-and-pop shops raisetheir security game by not just tellingthem what the good thing is but toactually give them things that they canimplement in their environment today forfree just to raise the level of securityif not all the way up just a little bitevery little bit helpsi you know this isjumping ahead a little bit here but whatthis dynamic you’re talking about wherethe products and services are pushingsolutions out further to the edge toprotect the user because the user iseffectively in a position where theythey’re not in a position to to helpthemselves and so what can you do toto make them more secure tomaintain that trust and confidence inthe overall product the service and theecosystem i think that’s the futurewhether you’re in the software productsand services space or in the internetinfrastructure space you’re seeing moresolutions being pushed down to to theconsumer it’s it’s that’s the onlyanswer no totally i’ll i’ll just giveyou an 
example. So we, and I'm forgetting, recently, two or three years ago, started to just: anybody who buys a gateway from us has anything that they connect through that gateway, through a wired or wireless connection, protected. We look for malware, we look for network traffic, we look for bad sites, and it's all AI/ML driven. It's just embedded and it's there by default, and you just have to do that. And by the way, it's mutually beneficial, right, because you don't want rampant malware on your network, and of course you're protecting your customer, which is your number one goal. But I totally agree with you that it's got to move closer and closer to the edge, to where these systems are being used in their day-to-day ways.

And I'm seeing it a little bit: as we see the ESG movement at the board level emerge, with environmental, sustainability and governance, I'm seeing a similar shift towards stakeholder responsibility, in a way, not away from shareholder responsibility but inclusive of stakeholders, the users in the bigger ecosystem, because there's such a brand and reputational hit that can happen if you don't invest and think three to four steps out.

Well, I think the ESG topic is very interesting, because we're now starting to see data protection as part of the brand. And we saw what, seven or so years ago, when multiple companies were hit, not that there was terrible impact on their brand, but you just saw the news on it, and does anyone on their stock, even? And so that, as a sustainability, data protection is a driving, and as we move into the digital world I think we're going to just see more of that. And I think it's all wrapped up in this bigger awareness at the corporate, at the C-suite level, at the board level.

That really, my hope is that Colonial was a great leap forward in awareness, particularly across consumer brands, and that cyber's no longer, like the last panel talking about PII and intellectual property theft, that you may not see a manifestation or realization for 10-plus years; now you're like, oh, this is a business disruption. Yes. Availability: so I'm not shipping. To the availability, right, which is then, I'll tie back to the CISA Cyber Essentials, where the number one point is it starts at the top, and if the leader is not on board, your jobs as CISOs are incredibly difficult, almost... Yes. Yeah, it makes it almost impossible.

But leaning into that, it's almost like what we did those Y2K days, right? We've been around for the Y2K days and how important the business continuity planning was. Now cyber has a new role as cyber resilience, and those are scenarios that most of us are working out with our BCP planning, because that's a more likely, because of all the things that were put in place: generators and dual redundancy for networks and dual redundancy for power are all things that have been previously done. Now in cyber we're starting to see that type of resiliency be built in. I'd say it's part of what we're seeing more with the engagement of our executives, our CEOs and CFOs, and even our board, in wanting to actually review how we respond to a cyber incident and participating in our cyber exercises, where in the past it might have been something that's done by the teams deep within the organization. Now they all understand: what is the playbook for how we respond to ransomware, how do we respond to these things? They want to know it in case it happens, because they see it happen every day.

And that's that shift that we've been just praying for the last couple of years, that shift from technical risk to business risk, and it's correct. There was the RSA Conference a couple of years ago, I think the theme was hope, and there's a little bit of hope here that at the executive level we get it and the investments are happening. Now the job's on us at the defender level of demonstrating return on investment to the bigger enterprise. But I also think, we're starting to see, in one of the other panels there was a discussion on regulation, and I always kind of cringe at the word regulation, but I do see: where will it be, the SEC? Because for the large companies, the Fortune 100, is it really the SEC that would have that visibility? And then to use a framework, not always their IT controls, because SOX is somewhat not what we would want, but could we use the governance framework of the SEC and audit committees to report in a manner that really takes your CISO out of the picture of what is being reported?

So I really want to build on that, because I think it's super important. And we've been on this journey where we want, for our first, second and third line of defense, we really want the same systems of record, the same sources of truth, the same... So we've invested a lot in automating that, so our controls just connect to the systems of record and sources of truth, so that at any given time any level of those three levels of defense can go and say, hmm, these controls are now maybe starting to deviate and I'm starting to feel uncomfortable. And that constant visibility at that control level is... and we're just starting, right, so I'm not, but we have a journey ahead of us, but I'm already seeing so much positive response from that.

One thing that we've, and now along with that, is that part of how do we get people to take ownership across the company, so it's not just the CSO, it's not just the... So building some kind of an attestation model, right, that goes, hey, business leader, these are your controls, right, not just ours. And the great response has been how everybody's just leaned into that. But I'm really excited about what I see, like two years from now, when we've built that whole infrastructure out.

So we were talking about regulatory requirements, and I'm all for having the right level of regulatory requirements, but for the
love of all that's good, the problem I see is, like, we're a global company and we have regulatory requirements coming at us from all directions, and they're all like a permutation of the other requirements. It's like one group learns from another and says, oh, I want to add this couple of extra things here, and then we'll all tell you it's all 80% the same thing, it's just 20% different. But 20% different over 100 times is still a mess. So I've even talked about this to the G7 Cyber Experts Group: if we could get some regulatory convergence, like if there is a set of requirements that everyone could agree to, that we could prove ourselves against, and that we could leverage in other places, it would actually allow us to demonstrate that we're secure or not. And instead of investing in teams, like people upon people checking the boxes differently, rather than just hiring staff to handle all of those requirements, we could take that and actually invest that into further maturing security.

Yeah, totally. I think it's worth acknowledging, though, that across the companies represented here on the panel, you're in the haves space, right, and there's a significant have-nots community, and I think the thing that we really have to focus on solving for is that knowledge and capability transfer from the haves to the have-nots. I think that's where we have struggled as a community, particularly from some of the larger events of the last few years, is really distilling down what was the systemic failure in the SVR Nobelium SolarWinds event that we need to learn from and bake into our architectures and operating mechanisms. So again, with the recent executive order and the Cyber Review Board that CISA or someone is standing up in the federal government that will look at those issues, and just like after any other major event, you do lessons learned and you have an improvement plan and you stick to it, you roll it out. But we've got to continue, I think, pushing that. Yeah, those best practices down.

Well, and it's really for those smaller companies: are they even regulated? I mean, banking or finance they might be, but in healthcare, I know we've talked before, even if you give them an indicator of compromise, will they know, do they have the machines to look at it?

And this is, I think we're rabbit-holing a little bit here, but it's a good one, because if you think back to NotPetya, right, supply chain; if you think about the Chinese Cloud Hopper activity from 2018-19 targeting MSPs. The horrible joke I've used in the past is it's like when they asked Willie Sutton why he robs banks: because that's where the money is. Why do the Chinese go after the MSPs? That's where the data and the access is. So how do we think about MSPs, and I'm not talking hyperscale clouds, I'm talking the dozen-plus all the way out to hundreds that feed the small and medium enterprises? How do we ensure that they're implementing the right practices on their own that then get pushed down? Because, to the third-party risk, you're letting somebody into the environment; what are the questions you should be asking? And again, to Jay Healey's point, do you even have leverage on the MSP to ensure that they're doing the right things from a security, and do you do it in a way that you don't suffocate them?

Yeah, because I worry about that. Like, if I see our new information security requirements that anybody who does business with us has to sign, I worry about what innovation am I stifling, because a small company can't even deal with those, right? So it's both sides of that that you have to worry about.

Again, I think that goes to the pushing it out further to the edge, where you make it easier for them, where it's turnkey-solution security: MFA by default. Totally. No more SFA and password-dependent environments.

All right, let's do a quick lightning round here. Let's go back to COVID. Okay, from just an overall perspective, what was the thing that you learned that you will be implementing and adjusting your security approach going forward? Because, yes, there will be more pandemics, and we're not out of this one yet anyway. So what was your key takeaway, from a security risk management perspective, from COVID? Marene, I'll start with you.

I've got a million, but I think the thing is to look at the security events holistically. Because when we started to, and I'm not sure you can do it almost real-time, but when we started to look at ransomware that was in the environment, now I'm talking very low level, at a PC level, not major database, when we looked from 2018 to August of '20 we had 20 a month, and then we went up to 65 a month from September, October, November, December, and then in January a DDoS attack tried to get to us, and then we fell off to 10. Now, because I said that, I'll probably get 40 this month. But I would tell you that looking at those things holistically is intel, and that's where I go to the incidents: how do I make intelligence out of my incident? I have a large amount of events that occur that is noise, till we can make it something that's real. And so we have to, as organizations working with the government, be able to make intel out of our noise.

And there's the "we're all in this together", so how do you operationalize that from an information-sharing... All right, what's the one key?

I think the biggest key for us was that the perimeter has just disappeared. It was disappearing, but there is no perimeter anymore, and that really, again, accelerated things that were on our roadmap. So it didn't make us kind of go, oh my gosh, I have to do everything differently; it was just, how do I now implement in months what was on my five-year roadmap, right? So that was the biggest, I think, aha: it's like, just forget all the perimeter stuff that we've been working on for years.

All right, so we're going to come right back to that. Sure. Ron? I actually think the biggest thing I learned, kind of
what Noopur has, and that is, like, we had identified a lot of initiatives that would help to take our organization into the next phase of where it needs to be security-wise, and these are the right things to do. It's just, we had a methodical plan of executing it out, and then when COVID happened, that plan that we were working on became this: you can't do it in two years, you've got to do it in six, you've got to do it now. And it harkens you back to my time in the government, where we would put initiatives together and we would have them ready, waiting for other people not to have any money, so that then, bang, we could just roll with it. So when we have our initiatives we just need an ability to know, if someone said, ah, screw it, no, you need to do it now. Yeah, having the ability to execute it and know that you're going to get it across the line when the whole company is now turned and pivoted and waiting for you to get this thing, that you thought would take a few years, that you now have to get done in six weeks.

So I get two primary questions these days. The first one is: why is it so bad and is it ever going to get better? And the answer is no, it's not. There will only be more threat actors, and for the rest of humanity, I'll just put that stake out there, and we will only become more digitized, we'll only plug more things in. So the landscape is incredibly complex, and so we're now in that space where, all right, we accept our mortality and we're going to have to do more risk management. So what does that look like? And the second question, relatedly, is zero trust, right? So, to your rapid-fire question: what is zero trust to you and what's the hardest part about it? Marene, we'll start with you again.

Zero trust, if you're a network vendor you're going to say SASE and CASB are the answers and you should start there. But I would really say it's understanding your crown jewels, understanding what they really are, and then segmenting them out, which will get you into software-defined networking and CASBs and the like, especially as you go to the cloud, because where are your crown jewels? But really the primary thing is the thing that we all have loved dearly for the last 20 years or so: it's identity and access management. Who has access to what data, with what permissions, from where? And in today's digital environment it just adds that contextual approach, and especially where your data, some people may not even, almost never, have to come through your network; they are always on the outside. But how do you know who they are? And it gets down again to identity and access management.

All right, next. So to us we have two principles around zero trust. One is that we don't trust anything, any person, device or application, and we have to do just-in-time contextual authentication and authorization. So that's one. And the second is that despite all of your precautions, assume you'll be breached, and so the question is the blast radius: how do you contain the blast radius? So that leads to micro-segmentation. So those are our two principles: micro-segmentation for the network, and then do not trust any person, device or application that tries to access an asset.

That blast radius piece, Marene, is key context around your ransomware events, the 20, 60. Right, that you can have a ransomware event on a single machine, right, it doesn't affect you; isolate it, you knock it down, you bring it back up, but you learn from it. Correct. As soon as you see it happen, it's isolated, it's off the network, right? So again, it's micro-segmentation, but we look at it as response to ransomware today.

Yeah, so zero trust for me is, so we'll have all of the classic security controls, but it really is greater identity and access control. And it is getting just-in-time, so when you need it; just enough, only what you need; and then just for now, just for the period of time that you need to execute that thing. And all of the requirements, and not just a human but for a device as well, having all of the right criteria and understanding about that identity making that transaction.

I think identity is also, this is something that we can take on as, like, a national initiative. When I think about payments, a lot of people think about the PAN, which is the 16-digit number, but really it's about the identity. And if we can enable a digital identity in a way that we can leverage it for payments, but we can leverage it for healthcare, we can leverage it for ad, providing access in our environment, we can leverage it to let the refrigerator buy some milk rather than buying diamonds and stuff like that. If we had a way of doing that, or if we had an opportunity to focus on that, we should really do that.

Okay, so we've got about five minutes left. We're going to wrap this up with a question that's multiple choice, in the sense that you get to pick your, choose your own adventure here. Okay, so when I think about the role of government in cyber security, in information technology and technology in general, they have four roles: consumer; enforcer, law enforcement; defender, you think about CYBERCOM and NSA from an operations perspective; and then advisor slash helper. So pick one and tell me what more you want to see the government do in one of
those roles. I'll start, so, moderator's prerogative: consumer. I thought what the executive order did by upping the level of requirements for governments, or for IT providers selling into the government, whether it's the SDLC and build environment, and we talked about SBOM, I think that was the government finally really harnessing its power of the purse to achieve better, and there will be cascading benefits, because the same SKU effectively the government buys, industry buys.

So actually I'll start on that, and I agree, because when I read the EO that was my first response, because you can go and look in the past how this has happened, right? So history will repeat itself, and I hope it does. I think as those items are implemented and then those become requirements for people who are doing business with the government, then they become requirements with the next line in, and soon the entire ecosystem is uplifted. And in fact we're starting to see, because all of us are not just consumers, we're also suppliers, right, so we're starting to see some of those requirements starting to show up already in our RFPs that we have to respond to. So totally agree that I think that's a great area. The other area that I would love more in is that advisory, and I know that for that you need a closed-loop system, right, because to advise you also need information. And so how do we get to that in a non-burdensome way, and that's the key, how do we get to that? So where we have the government agencies collecting, in a non-burdensome way, and then disseminating that back in an advisory fashion would be amazingly helpful, not just for us but I think especially for that entire, the smaller businesses that don't have as much to invest.

All right, Ron, real quick, and then we'll close it up with Marene. Yeah, there's so many things I could ask them to pick on, one that I haven't talked about, but it is, I think the government is in a unique place where they can help us, across sector and across industry groups, respond collectively to an advanced attack. So we know who we think we should engage in case bad things should happen, but can we exercise more? Can we actually have where my team members will participate in an exercise, even at a technology level, in a fight where they're working with our government partners, working with our communication partners, they're working with our energy partners, just working across the board, the merchants? I think there's an opportunity for the government to really help us get a better understanding of how we can respond as a country, so we don't have to find it out for the first time in a real map.

All right, Marene, bring us home. I think one of the areas, and we talk about SolarWinds as a supply chain attack; we've been seeing them for decades, but they haven't been on the front page of any paper, so everyone ignored them. But if the government, in looking at these IT systems, and it falls back into SBOM and bill of materials, but today almost every technology can be impacted in the critical infrastructure and the whole ecosystem. So if there was a mechanism: if somebody has a vulnerability, and in our medical device business at J&J, if one of these vulnerabilities comes out and I have a vulnerability out of it, I have to report to CERT and it comes out, hey, there's this vulnerability. I believe that helping in the guidance of what is the next vulnerability, and it's not getting it on Patch Tuesday; that is, we were talking last night about, we love Patch Tuesday, it's really good, because you get to go through all parts of your organization looking for what piece of that is somewhere else. And that would be very helpful if we could get this up front and know that these vulnerabilities were there.

Got it. Well, hey, I want to thank y'all for two things real quick. First, thank you for the panel today and your insights; it's been absolutely critical. But I also want to thank you individually, and your organizations, for what you've done over the last year and a half to get this country through the pandemic, from getting us a vaccine to keeping us online and educated and being able to work, and then keeping commerce up and running. So thank you, thank you, thank you all. Thank you.

Just to echo what Chris said, it's just great to see such strong cyber security leadership across pharma, telecommunications, financial services. We're in good hands. For our final session, we're coming to our final session now, I'm glad to bring to the stage my friend and colleague Garrett Graff, our own director of cyber initiatives at the Aspen Institute, part of Aspen Digital, and Rob Joyce, who most of you already know is the current director of the Cybersecurity Directorate at the National Security Agency. And over to you.

Thank you so much. Thanks, Vivian. Thanks, Rob, for joining us. You have been a friend of the Aspen Cyber Summit for many years now, and it's great to have you back on the stage in yet another new role. It's awesome to be here. So let me start by actually asking you about something that we saw from the NSA in the last 24 hours here, where we saw you and other government partners put out a warning about VPN vulnerabilities, and I wonder if you could talk both a little bit about the purpose of that as a warning, and what, if anything, you can say that prompted it at this moment, but then also talk a little bit more about what seems to be a growing strategy of these joint warnings from government to consumers and companies about the types of things that government wishes people were paying more attention to.

Sure. So this was a document that talked about what you should have in consideration for securing your VPNs, and it was done jointly with CISA. They're our deep partner these days, right; there's almost nothing we put out that we don't do jointly with CISA, often CISA, NSA and FBI together. And
we looked at it and said there's so much online, right, there's so much effort to be safe online, and what we wanted were the criteria for how you do that. And it really came down to two things: one, the selection, making sure you had a reputable product; and two, how you locked it down and removed some of the vulnerabilities from that space. And we thought, between the deep technical expertise and what we saw in foreign space from folks exploiting those, it was good advice the government could give out there. And in the last 24 hours, a lot of really great response to that kind of information and sharing.

And was there any specific incident that triggered this, or specific threat that you were seeing behind the scenes, that sort of led you to do this in September rather than a couple of months ago or a couple of months from now?

Yeah, no specific warning. It really is the culmination of watching the ecosystem, working together to coordinate really good positive advice, distill it down. That's the other thing: we can write 50 pages easily; it's when you try to get things down to a consumable, action-oriented outcome that it's much harder. So it just took some time.

Yeah. So four years ago you were at the White House as the cyber coordinator with the National Security Council in the first year of the Trump administration. Talk to us a little bit about how now, in the first year of the Biden administration, the threat landscape looks different to you and what's changed, in sort of what's at the top of your radar right now.

Yeah, so you've heard it woven throughout today, right, the idea that cyber crime has become a national security issue. That, to me, is dramatic change, and you see the government utilizing all elements of our power, to include the foreign intelligence team and the offensive cyber team out there, in the efforts to work against ransomware. So we work very closely with the FBI, CISA and others, to include Treasury, in that space. It's very clear that even though it's a criminal issue, indictments and arrests aren't going to push us out the other end of that tunnel. So we've got to get a more complex playbook, and so it's got all of us talking about: the tools and infrastructure, the ecosystem, because if you can't make profit from it you're disincentivized; the people, because as we identify them there's all sorts of action that can happen; and then finally that safe haven. And it's really clear, as long as there's safe havens like Russia, there's going to be this problem. So intel-driven diplomacy and figuring out how we're going to work with allies to move Russia off the point where these criminals feel that they're untouchable in that space. So that's certainly the number one, is the ransomware activity.

Number two is the topic that Chris Krebs and the Aspen Foundation are so invested in, that's the disinformation space. We've watched people use the cyber environment both as a cyber security problem but also just as a malign influence problem. That's big change too.

Third is we still have the nation-state threats, right: Russia, China, Iran, North Korea. They roll off so easy because those are the big ones we always see doing just obnoxious things in cyberspace, and they haven't dialed back; they're still continuing. It's a testament that the cyber crime's rising above that noise floor, but they're still there. And things like the Microsoft Exchange Server hacks that hit just massive amounts of entities across the globe, the SolarWinds supply chain attack, show that they are looking to, at scale, achieve and maintain presence, both for intel but also for operational activity, and also staying in that space so that they have the agility to move to places they can't predict today that they might want to go to tomorrow.

And then finally I'd say it's the critical infrastructure. We've always known and worried about the presence in the critical infrastructure, but the last five years it's just, it's the case where we're seeing and aware of much more intent and capability against that, and it's a world that's got to be locked down for our national security.

Let me take you through those sort of four nation-state threats, because actually one of the things that's unique about the Cyber Summit this year is, in past years that is normally what we spend much of the day talking about, those sort of big four, and today it has been a ransomware conversation sort of threaded through many of our topics instead. What does Russia look like to you online today, and, leaving aside the question of the ransomware and cybercrime aspect of it, where do you see its nation-state-level activity focused?

Yeah, they are the disruptive force. They're often trying to not increase their activity but tear down others, so you see the misinformation, malign information. They are very active in the intelligence-gathering activities still, both against governments, critical infrastructure, and then the concern is that effort that we've seen them actively use, disruptive effects around the globe, and we've seen evidence of pre-positioning against U.S. critical infrastructure. So all things that can't be tolerated and we need to work against.

And you are the author of what is probably the most famous line about nation-state cyber threats: Russia is a hurricane, China is climate change. Yeah, I don't know that I'm going to claim ownership of that, but it certainly got picked up as a quote when Krebs and I were doing a discussion. Well, he had a much less memorable version of it. And I wonder if you could sort of talk then about China, and does China sort of still look like climate change to you?

They do. Scope and scale, China's off the charts, right; the amount of Chinese cyber actors dwarfs the rest of the globe combined. So they have scale. You talked about the difference four or five years ago to today; the difference I see is we respected them less. It was always broad, loud and noisy, and what
we're finding, when you have a resource base that large, is that the elite in that group really are elite, right? It's a law of large numbers, and so the high end of the Chinese sophistication is really good. So we've got to continue to understand, disrupt, and then find ways across the whole of that technology to kind of push back. I think it was Kevin Mandia earlier today who talked about the hockey analogy, where if you just keep shooting on goal and it's undefended, eventually you're going to score. That's how we feel across a number of these nation-state activities: yes, defense is really important, but you also have to work to disrupt. So that's the continuous engagement strategy out of the department, and the idea that we've got to put sand and friction in their operations so they don't get just free shots on goal, to keep trying and trying and trying. And folks think about that when they hear persistent engagement, continuous engagement kind of terms, they think offensive cyber. It is, but I would say that the releases we've done jointly with CISA and FBI about the N-day vulnerabilities that those teams like to use, that knocks them back just as much and is just as important. So finding those ways that we expose tools and infrastructure, that we continue to bring other elements of the government, and especially work with the international community, to push back, establishing the expectation that these things won't be tolerated, that's all really vital.

Let me take another minute talking about China, because we've seen some public reporting over the course of this fall about sort of the rise of the blurred lines in China between nation-state activity and cyber crime, which is something that we've seen very steadily from Russia over the years, where you have sort of nation-state hackers by day, criminals by night, or vice versa. And I wonder, at the same time, there's been a lot of talk over the last couple of years about the switch from Chinese hacking sort of being primarily done by the PLA, moving over to the Ministry of State Security under Xi, and I wonder if you could sort of talk, to whatever level of detail you'd like, about how you view those entities and sort of how you view that current evolution of what we're seeing from China.

Yeah, so across the entities, both in the military and the intel services, they're robust and resourced, right, so large teams, evolving techniques, and we see them looking to develop new tradecraft and then pass it down so it scales to bigger and broader. There are criminal elements, but what we often see is they're the commercial elements who by day are supporting those government activities and then by night using some of the same tools, infrastructure and other activities. And I think it's really important China understands how much of a risk that is to them, that these uncontrolled actors are ambiguously combined with their activities, and that that's a problem.

And Kevin was talking about this earlier today, that you go back a decade and he had sort of his database of 40 APTs, thereabouts, and now 2,900. What does that sort of look like on your side as you're trying to monitor these threats and the proliferation of cyber actors?

What we're seeing is there's a lot of tradecraft that utilizes commercial, open source and even outdated tools, because they work. They aren't going to get you into the most protected networks, but many of the targets are soft enough that you can come in with those commercial tools. And what we've seen is whole APTs kind of go dark to some of the commercial entities, who said, yeah, I don't see those custom tools from name-your-favorite threat actor group, when in reality they're just as active, but what they're using now is some of the commercial tools that get them to the same outcomes. So it's clouded that space. We do see, there's always interest, we talk about the big four in cyber crime, but almost every nation in the world now has a cyber exploitation program. The vast majority of those are used for espionage and intelligence purposes, but there is interest in dabbling in offensive cyber and outcomes. The difference between the top of the list and the bottom of the list usually is scale: the idea of how many people they have, how many resources they can bring to bear, how much they can do at once. So there's really some high-end sophisticated small actors, but they're confined to whatever that national interest is that they're aimed at, so we see less of them. Anything you'd care to name at this time? No, thanks.

And then, going back to those big four, talk a little bit about Iran, talk a little bit about North Korea, countries that we haven't heard a lot about sort of rising above the noise of the last couple of years, or last year or so, but assuming are sort of still out there and actively engaged.

Iran's still active. They were certainly first and foremost back when everybody was talking about the banks' DDoS and the Shamoon wiper virus. Still actively engaged in offensive cyber, but what we're seeing is they're often very focused on regional things right now, right; they haven't been as focused on broader impacts. But they're capable, and most importantly they're dangerous, because they're less judicious in what they decide is a reasonable action. And I think at times Iran doesn't understand just how much they've gone up to and even over the line, to the point where they've drawn the ire and concern of the greater community.

In North Korea, North Korea is still very, very focused on creating wealth for the regime, because there's not many more sanctions the world can put on North Korea, and so they've got to find ways to generate currency to make exchange. And they found that stealing bitcoin is often easier than stealing from the Bank of Bangladesh, so they haven't been hitting the biggest banks quite as aggressively
because they’remaking their money in the crypto spaceyeah we also see um they really uh umyou know the the commercial firms weredealing with a lot of north korean umissues back when the vaccine was anissue um they were going after thethe intellectual property of vaccinemakers so still active um still a threatvery capable butmostly focused on crypto exchanges andand creating money um you mentioned inin that context uh bitcoin again umwhich is something that we’ve heard sortof come up a couple of times inboth specific and then more generallycryptocurrencyhow much of the ransomware problem doyou see as a criminal problem and howmuch of it is a cryptocurrency problemyeah i i don’t know how to gauge thoseyou know i mentioned the the four leverswe seewe’ve got to go after all of that rightcertainly without profit there is no umthere is no ransomware problem and theway the profit comes out these days isthrough crypto um you know crypto isboth a benefit and a liability you knowyou you saw some awesome doj activitieswhere cryptocurrency was c was seizedthere’s ability to watch thosetransactions they’re all very public thequestion is can you de-anonymize andconnect them in um so you know there’sthere’s opportunity and risk in thecrypto spaceum let me ask you a couple of questionshere about your current role um atop thecyber security directoratethis is adirectorate within nsa that was stood upby ann neubergercirca two years agowhen you arrived earlier this year uh totake over the directorate sort of whatis the top of your agenda uh for thenext couple of years and and what do yousee as the way that that fits into thisbroader constellation of governmenttools right now sure um well the the thekey aspect we have in the cyber securitydirectorate is we have that foreignintelligence against thethe cyber threat landscape so we canreach outunderstand tools infrastructure intentand often get to the left of theft rightreally that’s the goal for everybody isto prevent umwe really don’t 
want the government orany institution to be really good atincident response we’ve got to be aheadof that so so trying to toland that um that threat intel into thebest space we can to inform acrosswhether it’s critical infrastructurepartnerships with with sisa some of thecriminal activity with fbi whether it’sthe defense of the national securitysystems and the defense departmentactivities or even out in the broaderdefense intelligencearenaso so intel to drive all of that is isnumber oneuh number two is um we’ve got to secureour weapon systems and and platforms forthe department of defense we’ve had anumber of years um you know workingcounterterrorism counter insurgency as aas a nation that was the top priority weweren’t thinking about the near purechallenges of the china and russiaand in that we weren’t alwaysmodernizing the the the weapons and thecapabilities of the department to thelevel we need and we are laser focusedon that right now so so it’s getting thethe capabilities um you know these thesethings are oftenwings with computers strapped to themuhyou know floating computers flyingcomputers exploding computersand we haven’t always treated them asthings that we had to protect likecomputer networks and so now theinstrumentation the protection themodernization is really a high prioritythe other thing we’re doing iswe’ve stood up the cyber securitycollaboration center and that is anoutreach effort to the defenseindustrial base protecting and workingto take that that superpower ofintelligence and operationalize it it’sno good if we know it and don’t doanything about it and uh we’ve had somereally awesomeactivities over the course of the lastnine months where we’ve beenbehind some pretty bigumactivities to to disrupt at scale placeswhere we took information from thedefense industrial base married it wassiginthad an analytic ongoing conversation sonot just information getting thrown overthe fence but the deep analyst to deepanalystand then that information spread 
outinto other sectors and and we’re able touh to help contribute tobigger defensive outcomes that scaledmuch beyond the defense industrial basetalking to companies who are cloudproviders infrastructure providers wheretheir dedicated defense teams talk tothe sig interestand do it at an unclassified level so itcan be operationalizedthat’s really magicalyou mentioned the cloud there and iwonder if you could talk about from thensaand the cyber security directorateperspectivehow doesthe shift to the cloud change the waythat you all do your work yeah so it’sit’s interesting because the move to thecloud has bothbenefits and problems you know i talkedyears agothe cloud is just a fancy way to saysomebody else’s computer right and sonow what you’re doing is you’re trustingthem to run a lot of the securityaspects make some infrastructure and andarchitecture decisions that you don’tget to participate in now so the that’sa that’s a downside the upside is mostof the big cloud providers are reallyoutstandingly resourced with exceptionalpeople and they get to see activity atscale they get to look atacross a number of customers whatthreats are coming at them so they getto maneuverwith a sophistication even largecompanies and and especially small andmediums can’t so so very beneficial butthe downside is now if you’ve got thiscloud system it used to be we could takea box a server into our lab and we couldshake it until the vulnerabilities fellout and then we could talk about how tomitigate those vulnerabilities or how toget them patched and upgraded so they’reno longer a liabilityi can’t go ahead and grab somebody’scloud infrastructure and shake it tillthe vulnerabilities fall out rightand so we’re relying on them and theirprocesses to do that same thing and sothe question is is that the visibilityand the expertise um that that isnecessarywe probably got to find some ways tojust make sure that the systemic risk insome of those cloud architectures reallytake advantage of all the 
knowledgeacross the communityumandwe’ve spent a lot of this day talkingabout systemic risk and the way thatsort of government and the privatesector can collaborate shouldcollaborate around this what are thesystemic risks uh from your seat thatkeep you up at night and that youuh wish we were paying better attentionto as a as aindustry and as a society right now umfor me looking at the national securityspace and the defense industrial spaceit’s tech debt right there’s there’s alot of things we knowneed to be modernized upgraded changedbut it’s getting the resources and thewill to put the investment in there thatthat’s certainly one thing um secondthing i’ll highlight is um i’m startingto get very focused onquantum resistant cryptographyit’s a question of when that computerwill arrive for those of us that have tosecure classified information fordecades we’re already in that windowthat you know the the potential for oneemerging could put information at riskthat we want to protect um i’m lessworried about that as a bigum you know surprise event and morefocused on it’s just a big lift to gothrough and understand everywhere inyour system that you haveconfidentialityalgorithms encryption algorithms butalso authentication protocols that relyon things that will be vulnerable to aquantum computer and so it’s reallystarting to think about how do we how dowe plan for that you know it’s it’s ay2k problem um uh with orders ofmagnitude bigger and uh how well do youthink nsa isdoing at that uh progress towardsquantum resistant encryption i mean thisis uh the nsa is sort of the people thatweuh ask uh to do you know the world’smost sophisticated math and the world’smost sophisticated encryption andhow do you think you’re handling thatmission right so i’m feeling really goodthere are for the classified networks wealready have the protocols and thethe encryption technology um we’reworking with our partners at nist whoare running a a public competition toselect the uh the commercial 
standardsand that’s preceding a pace but itreally is after you have those thingsit’s the retrofitit’s the get it into everything andbuild it backwardsum you have a unique background cominginto the role that you do nowumas uh the former head of taowithin the nsaand i wonder if you could[Music]talk about sort of whatlessons uh and approaches you bring fromsort of going from an offense role intoa defense role yeah so i reallysubscribe to the the modelit takes a thief to catch a thief rightthe idea thatdoing and actively exploitingmakes you understand with a differentmindsetwhere the vulnerabilities and weaknessesreally areand sothat informs where we prioritize ondefense all the timeum i think you know the key aspect iswe put in the time to win onan exploitation effortat a much greater level than often thedefensive teams doand so there’s a lesson in that rightyou’ve got to know jen easterly talkedearlier you can’t defend a systemif you can’t see a system well you can’tdefend the system if you don’t know thesystem sounderstanding that technology thingslike software bill of materials beenbrought up several times today the ideaofreally penetration testing andchallenging your assumptions about yournetwork and infrastructurethethe as designed is different than the asbuilt and that’s where the exploiterswin and so you’ve got to come up withconcepts that continually understand howyou’re configured how you’re upgradedand then you’ve got to move at a paceand a scale that when there are brandnew vulnerabilities and techniquesyou’ve got tokind of retroactively go back and sayhow is that going to impact me and whatdo we need to dothere there’s no doubt that um systemswill be penetratedthe question is how fast can yourecognize and then how fast can yourespond to either limit that or drivethings out to the point you haveconfidence again um let me ask you sortof a final question here um about koviduh and the nsaum theyou know sort of one of theconversations we’ve all been having 
hereoveruhover meal tablesis the way that work is going to changefor companies going forwardand i wonder if you could talk a littlebit about you know how covid has changedthe way that the nsa works andwhat if any changes you think it’s goingto look different going forward based onthe way that the world has changed inthe last 18 months great question itreally accelerated our drive tounclassified systems that wasn’t anatural place for nsaan organization of secrets and so itpushed usto to really look and say what has to beclassified and what can be done on theoutside so a lot of technologydevelopment software development hrprocesses business processes eithermoved to the low side or are being movedto the low side it alsoreally increased the demand and theresilience of our low side networkswhere we never had to do at scaleso it changed us like the rest of theworld there’s still a lot of work thathas to be done in skiffs and inclassified environments and we were oneof the first federal governmentorganizations to come back 100um and so there there will be thingsthat that won’t change in theenvironment but especially cybersecurity we’re appreciating how muchmore we can do on the low side greatuh rob joyce thank you so much forjoining us at the aspen cyber summit umthat does it for us todaytune in next wednesday uhsame time same place for theday two of the aspen cyber summitand thanks again to our presentingsponsorpwc and thenour sponsors autodesk andmckinsey and company for helping to taketoday’s conversations possibleso rob thanks thanks thanks for hostingsuch a great eventyou
The Aspen Cyber Summit is a unique gathering, bringing together top leaders from business, government, academia, and public interest to discuss urgent cyber threats and secure our digital society. The nonpartisan, high-level setting provides one of the most significant stages for discussions around cybersecurity policy, strategy, and operations. This annual event is produced and hosted by Aspen Digital, a program of the Aspen Institute.
As the global economy extends its embrace of digital technology, systemic cyber risk poses an increasing danger for society. Systemic disruptions of internet infrastructure, healthcare during a pandemic, energy infrastructure, and food supplies within just the past five years have triggered significant unease about the potential for loss of not just data or state secrets, but the critical operational systems that underlie real-world social functions. Growing reliance on Internet-connected technologies has created new and dynamic interdependencies that tie together the fortunes of various stakeholders within and across economic sectors. Yet outside of finance and insurance, leaders in government and industry have made little progress on a global, cross-sector dialogue to identify and control the most dangerous sources of cyber risk that allow adversaries to inflict damage at a regional, national, or international scale. With new cybersecurity leaders in place across the Biden Administration amid a newfound public awareness that individual cybersecurity incidents can affect us all, the 2021 Aspen Cyber Summit will kickstart a new global dialogue on systemic cyber risk.