Jeff Greene: ...one. I guess I can hear myself, so I don't have to ask if the microphone's working. Thanks, everyone, for coming out. I appreciate the time on an afternoon, and I know we have a good crew online. Real quick, my name is Jeff Greene. I run the cyber ... [audio gap] ... know her. She's currently the Deputy National Cyber Director for Technology and Ecosystem Security; I've had to write that down. She came to ONCD from Google, where she was the global head of product security strategy, also served in DHS in the Obama-Biden administration, and, also of note, she's the co-founder of Share the Mic in Cyber, which aims to highlight the need for increased diversity in the cyber community.

Camille, if we can start by talking about the big picture: give us a sense of, as you all built out pillar 4, as you got, I'm sure, endless feedback from the interagency, what was in your mind, what was the intent, and can you just give us a bit of an overview of what's in there?

Camille Stewart Gloster: Sure. So first, thank you for having me, and thank you all for coming out today. Pillar 4, to me, is the most fun, and maybe that's because it reflects a lot of the portfolio in the Technology and Ecosystem Division, and it's the future resilience one. One of the aims of the Office of the National Cyber Director is to focus on moving towards a digital ecosystem that is secure, resilient and equitable, and a lot of what's in pillar 4 is how do we make sure that we are investing in a future that's resilient and defensible. So you'll see things about emerging technologies like quantum, you'll see things about protecting the foundations of the internet, you'll see a focus on R&D and innovation, and the goal is not to let stopping the bleeding be the only thing that we focus on in this strategy. We want to set an affirmative vision for where we need to go. The strategy purports two fundamental shifts: one, realigning the ecosystem to make cyber defenses, you know, the responsibility of the big players rather than the small players, right? So how do cloud hyperscalers, how do large tech companies take on that burden and shift it away from smaller players
like individuals, local governments, small companies. The other one is realigning incentives to make long-term investments rather than short-term wins. So no quick fixes: how do we invest for long-term success, how do we shift market incentives to support that, such that our market is working in our favor in terms of security, resilience and defensibility? And so with that in mind, you cannot focus only on what's happening today. How do we apply the lessons learned, the best practices, the wins we've seen, the best of technology to our future digital ecosystem? And so that's where the investments are focused.

Jeff Greene: So I love the idea of not just stopping the bleeding, because in the day-to-day most cyber professionals can't look much past this week's patch or this week's crisis. So, you know, it's great for the White House to be pushing that out. Kind of picking up on that, one of the themes you have in pillar 4 is research and development, and there have been a number of studies, Aspen was part of one a few years back, showing the decline in tech R&D both in the government and the private sector. Can you talk a little bit about how you think the White House, the administration, can drive that? What do you think is the balance, public-private partnership, on that, and how do you see that evolving?

Camille Stewart Gloster: [partially inaudible] ... nation is ... our economy ... We have to continue to invest in research and development, and that'll take work on both sides: in the federal government, in non-profit, in the private sector at large. We all need to be focused on research and development to boost innovation. And so in the federal government, a lot of the implementation you'll see is us focusing on how do we support an innovation economy, an R&D economy, that can enable the market to continue that work. How do we get more players, and how do we engage philanthropy, how do we engage, you know, all of these other actors in the ecosystem to make sure that we are investing in R&D that spurs resilience and security in the innovations that we're making? And so what you'll see in the strategy at a
glimpse, but what you'll definitely see in the implementation and as the work begins, is that focus: how do we engage all players, how does the federal government use its purse, use its influence, its R&D dollars to support that innovation?

Jeff Greene: So, cool. ... implementation in a little bit. If I could follow up on the question of government investment: there were some pretty significant spending bills or investment bills in the last year. How do you see them tying into the strategy generally, pillar 4 and the R&D? It feels like there's some synergy there, and I've seen some guidance come out recently talking about cyber and investments.

Camille Stewart Gloster: Yeah, that's a key example. We've made a lot of infrastructure investments through CHIPS, through the Bipartisan Infrastructure Act, IRA, all of those things, and wrapped in that is cybersecurity-related investment: making sure that the infrastructure spend that we have, that we are investing in through these bills, includes security and resilience by design. And so those things go hand in hand. As we are funneling money to make sure that we have a strong semiconductor market, and as we make sure that our infrastructure is resilient, how do we make sure cybersecurity is being considered by design up front?

Jeff Greene: Can we talk a little bit about the digital identity ecosystem, because that's one of the strategic goals? Not the first time we've seen this, not the first time we've seen it in a government document. I'm looking at, I'm seeing folks who were involved in NSTIC, the National Strategy for Trusted Identities in Cyberspace, but the market and the world has evolved a bit since then. You have private sector players now, you have states getting involved in their own right. Do you think we have a better opportunity for federal success, or do you think it should be state and private sector driven? How do you balance all those different equities in a much more evolved market?

Camille Stewart Gloster: Yeah, I mean, one thing we've seen, even from the 2011 strategy, is that no player operating alone is going to be successful on digital identity. So it
will take federal work, it will continue to take state work, it'll take private sector work, but we need to be working together and collaborating on a common direction. And so what the strategy proposes is us focusing collaboratively on moving forward on digital identity. One of the things you'll see is there are not a lot of privacy-preserving technologies on digital identity, and that gap creates a lot of opportunity for identity fraud. That came up in the President's State of the Union address; he really wants to hone in on protecting us, because that affects all of us. And so the work that we need to do is making sure that federal resources, and R&D in particular, are being focused on digital identity. There are legislative opportunities. The state work that's going on, even with driver's licenses, that kind of work needs to consider security, privacy, civil liberties, interoperability, equity by design, and we need to be learning from those. States are a great incubation for us to understand how digital identity impacts our daily lives, and we can leverage that to incorporate it into the federal work that's going on.

Jeff Greene: So in doing that, how do you reach communities that are not ... and I know the broadband is part of it, but you're trying to reach communities that don't have as big a digital footprint, and you want to make sure you advance this but don't leave them behind. How do you, thoughts on balancing that? Is that a federal mandate through the states, or is it the same type of joint work you're talking about?

Camille Stewart Gloster: I think that's something we'll have to explore, collaborate, but you'll see things like the digital equity money and the investments coming out of Commerce and the grant funding. So we're really putting a lot of money and effort into figuring out how we engage communities that have been traditionally left out of some of these advancements and investments, particularly in broadband and connectivity. So how do we make sure that we don't create a digital identity schema where, you know, a segment of the population is unable to
engage? That's why we need the collaboration, because it won't be just a federal effort. Yes, there may be some requirements, there may be some collaboration on the state level to drive that forward, but the private sector has to be thinking about that first and foremost in what they design. States have to be thinking about that in the schemas that they develop for driver's licenses and other things.

Jeff Greene: So I'm going to get a little bit into the weeds here. I warned you about this one. So, technical foundations of the internet, one of the strategic goals. Those of us in the community have talked for a long time about Border Gateway Protocol, BGP, potential risk, threat, vulnerability there, but it is now in a national strategy as something we need to address. Can you explain for the audience, many people haven't heard of it, most average citizens wouldn't know if it was abused, why should we care, and how do you think we can address one of the, you know, tougher nuts to crack that's been out there since the inception of the internet now?

Camille Stewart Gloster: Yeah, I mean, many of you know, but BGP is basically the postal system for the internet. It determines the fastest and most efficient route to get you to where you want to go. That is foundational to our use and the effectiveness of the internet, its ability to serve us, its ability to be a part of the digital ecosystem, the digital landscape. If we don't protect those foundations, we are missing out on so much. Part of that future-focused resilience is making sure the things that we are building on top of are secure as well. There's a lot of hijacking risks; we've seen cryptocurrencies stolen from BGP risks. We have to invest in making sure that kind of a foundational capability is invested in, and it is part of us thinking about the future of the internet.

Jeff Greene: So with ONCD's role across the federal civilian agencies, is this something that you can do, a government first, try to set the example, drive this out there?

Camille Stewart Gloster: Yeah, I mean, I think we can convene the federal partners to figure out what tools are in our toolkit
to make advancements here. We can use the federal purse, that's always a good one. We can focus in on our R&D dollars on this as well. So there was a lot of opportunity to lead by example here, but we can't do it alone.

Jeff Greene: So one more question, maybe, and I want to go to implementation, and this ... I'm using ... [Zoom audio interrupts: "welcome to Zoom ... press ..."] Welcome to events in the modern age. The workforce strategy, you talk about it in there. I know that there's a lot of work ongoing, you guys have been at this. Can you give us any kind of preview, maybe if you want to make some news about when it might come out, or other things you want to share about where that's going?

Camille Stewart Gloster: [partially inaudible] ... resilience. And so we recognized pretty early on that one page in the broader National Cybersecurity Strategy was not going to do enough to really invest in making sure we had a workforce that met the need. We don't want this strategy to be focused on the symptom that we're all aware of, the 500 to 700,000 jobs that are unfilled. We wanted to focus on the root causes, really making sure folks are equipped and empowered in and through technology to understand the best of it, so they can protect themselves from the worst of it. And while the National Cybersecurity Strategy does a great job of shifting that burden to the big players, we still need to be equipped, just like with literacy and numeracy, to be able to effectively leverage technology. So we're really focused on cyber skills and how do we equip all Americans with that, and that is a conduit for us to build out a cyber workforce that is robust, multi-disciplinary, diverse, so we can bring the best we have to bear and meet demand in terms of numbers, but more importantly the dynamism of the industry. We need to be able to have a talent pool that is equipped to meet the challenges of today but also adapt and change as the digital ecosystem evolves.

Jeff Greene: Any prediction on when we might see a strategy come out, or some discussion of the pieces of it? We'd love to host you to have that conversation.

Camille Stewart Gloster: I mean ... [inaudible] ... exactly when, but sooner rather than later. The
goal is to make sure that this strategy is whole of nation. So we had the RFI, where we got 147 responses that spanned individuals all the way to consortiums of organizations, so we've gotten a lot of feedback there. We had the workforce summit in July of 2022 to kind of kick off the effort. We've had a number of engagements at universities and a lot of one-off conversations where we were getting feedback and input, and now we're working that through the interagency process as we continue to collaborate with our private sector partners. And we don't want to rush that. We want to make sure that the strategy actually does the things that I outlined, and to make sure we understand the challenge space, the opportunity space, and truly get to equipping all Americans, and also creating that robust ecosystem where we've got the education and training apparatus to support a strong workforce, and we've got the retention and hiring apparatus within organizations to support a strong workforce. That's going to take time, hopefully not too much, though.

Jeff Greene: And I'm sure the interagency process will be fun. Actually, before I go to implementation: we're going to talk in the next panel a bit, I think, about the security of quantum, quantum encryption. I've heard you speak about this a couple times, and very passionately, about the promise of quantum. You know, we'll talk a bit about why we need to make it secure. Can you talk about how you see that? Because I think the pillar talks about quantum security; I was a little surprised there wasn't talk about the promise of quantum. So I don't know if you can share some of your thoughts on that.

Camille Stewart Gloster: Yeah, I mean, the Biden-Harris administration has a two-fold, two-prong, that's a better way to say it, two-prong approach to quantum, and one of them is, yes, the national security concerns, the cryptographic issues, also, like, when quantum meets AI, what are we afraid of, what are the opportunities there for our adversaries to leverage all the data they've collected. But more importantly, or just
as important, are the opportunity. Quantum computing presents a lot of amazing opportunity for us to compute large data sets very quickly. We can make advancements in space, we can crank out vaccines and think through health implications, we can workshop a number of different things. And so there's a lot of opportunity with that quantum computing capability for us to make progress on a lot of really complex challenges much more quickly, and that is something we also want to make sure that we're focused on. So while we are thinking about how we protect ourselves, we also want to make sure that we are forward-leaning in the innovations based on quantum, and that we are leading economic investment there, so that we can also be leaders.

Jeff Greene: Great. On implementation, can you give us a sense of how you think that's going to roll out, where might we see ... you can't, well, I don't think you can move out on all of the strategic goals immediately. Have you prioritized what to start with, and what can we in the public expect to start seeing on that in the near future?

Camille Stewart Gloster: That's the exercise we're going through right now, is figuring out the implementation plan that will roll out, but some of the work has already begun. You'll see it coming out through departments and agencies, through divisions within ONCD. There's a lot of great work where we are already pulling the principles from the strategy, pulling the lines of effort, and starting to make progress aligning the federal government around the places that we need to truly invest in, figuring out our priorities and aligning the timing. So you'll see a lot of detail in the implementation plan, but we're mobilizing the private sector, we're understanding where they're investing, we're encouraging them, and we are thinking through where we need to invest, our priorities.

Jeff Greene: So you see a role for the private sector in helping to implement the parts of the strategy?

Camille Stewart Gloster: Definitely. I mean, public-private partnerships are foundational. That collaboration will continue; we want to enrich that, make it more
meaningful. This isn't just an information exchange: how do we truly collaborate on these things? So the private sector will continue to be very meaningfully engaged in the implementation of the strategy.

Jeff Greene: And do you see agencies taking the lead on certain parts of it? Is it going to be ONCD, or a joint effort?

Camille Stewart Gloster: Oh, there are definitely parts of this owned by specific agencies. We will lead coordination to make sure we're all moving in the same direction, but the work will be spread out across the interagency. There's lots of fun for all.

Jeff Greene: So before I go to questions, one thing: when we were preparing for this, you and your team were very adamant to make sure that agencies got their due for the amount of work in the strategy. Do you want to speak a bit to the type of collaborative work you had across the agencies to get to the point where you have ... you know, for those of you who haven't been in the government, to get clearance on a document of this size is truly Herculean and impressive. My first reaction when I saw it was, thank God I didn't have to get this cleared. But can you talk a little bit about your partners across the agencies?

Camille Stewart Gloster: Yeah, you'll see some representatives from two of the agencies in the next panel, but ONCD might have held the pen, but this was truly an interagency document. The interagency was very engaged on where this strategy should go. It is very forward-leaning. It builds on strategies of the past, where we see information sharing and public-private partnerships, but really goes to the next level and really sets our own affirmative vision: rather than focusing on how do we react to the adversary, the strategy looks ahead and sets where we want to go. And the interagency was instrumental in articulating that vision and understanding what tools were in our toolkit, what opportunities we had, and recognizing the work that was already ongoing and how we could continue to build on that. And so the collaboration to get a document of this size, to build this out, to clear it such that it accurately reflected
all the work going on and the opportunity for the work to come is no small feat. So kudos to everyone involved.

Jeff Greene: I'm going to pause for a second. I know we may be having some issues on the Zoom. If someone from Aspen's here, if you need a second to kick something off on the Zoom, so we can enjoy the music rather than be interrupted by it ... All right, let's just keep going. From the audience, any folks with questions out there for Camille Stewart Gloster? Don't be shy. We're gonna wait while they get this fired up. [Zoom audio: "... press pound ... meeting ..."] All right, there we go. Mics coming from all directions.

Audience member (Danny Weiss, Common Sense Media): I will just speak really loudly and say thank you for your comments. The security protections here are excellent, obviously. My question relates to something you said at the very beginning, and I'm Danny Weiss from Common Sense Media, that the focus is on large actors, to ensure that large actors take the bulk of the responsibility for this, and not as much smaller, individual actors. But could you speak to that other part? Do you see a role for the smaller and individual actors in terms of securing our cyber infrastructure?

Camille Stewart Gloster: Of course. I mean, small organizations, local governments will always have work to do to secure their own infrastructure, their own networks, but what we're hoping is that these bigger players that provide the infrastructure for small governments, that provide the infrastructure for our businesses, are doing the work to make their products secure by design, to make them resilient, such that the burden, the heavy burden, of thinking through how to build out a secure infrastructure and a secure network is not on those small players. Same thing for individuals, and one of the ways that we bridge that residual risk is through this workforce strategy. That's why there is a focus on those foundational cyber skills for everyone, so that, similar to literacy and numeracy, individuals are focused and skilled appropriately to be able to leverage technology and to
make choices about how they support their own privacy and their own security.

Jeff Greene: In the front here. Right, we're like full service at Aspen.

Audience member: Since I've been in and out of government since 1992 and worked in the information sharing environment and helped with the [inaudible] Manning and Snowden report and blah blah blah, I've heard all of this for 20 years. I mean, it really doesn't sound any different. Just like, I worked on the task force for DOD for Ash Carter on how to improve cyber, how to improve the cyber workforce. Nothing happens. I told Jeh Johnson, he said, well, why can't we hire cyber people? I said, because you have a problem: like, in the '70s, would you have ever hired someone that said they didn't smoke pot? And he said, probably not. I said, that's the problem. There are these private sector efforts, Karen Evans started one, that graduate hundreds, hundreds of cyber experts that will not be hired by the government because they don't have a master's, so they didn't go to MIT. And, I mean, there are high school teachers and privates in the Army that know this stuff. So you can solve that in a nanosecond, but it won't happen. And the issue, I mean, the government can't even take on simple things. I wrote a paper in 2020, or 2010, that said, why don't we just use encryption at rest and role-based access? We can't even do that.

Jeff Greene: So let me jump in real quick on a couple things. I do think there are several new things in the strategy, from my perspective. I think having a White House document talk about shifting the burden away from individuals, about software liability, is in and of itself significant. And I know that ONCD did an event, where you were, some for the workforce event, the number of internships that came out of that. So if we view something like that as seeding the future, I think that's an excellent point, and we've been talking about this in cyber for quite some time: focusing on degrees is the wrong thing. But maybe you can speak to that and to the ONCD event that you ...

Audience member: OPM hack, SF-86, everybody who has a TS/SCI, all our ... is out there.

Jeff Greene: So
I appreciate that. Let's give her a chance to respond.

Camille Stewart Gloster: Much of this will come down to the implementation, which is why Jeff so aptly focused in on implementation in the questions. Most of the work that we had to do might not be novel, but some of the framing, some of the things that we are putting forward in the strategy, to Jeff's point, are new framings, new priorities for us. You will see the work in the implementation. Right in the workforce strategy, for the workforce strategy, we've already stood up a National Cyber Workforce Coordination Group, which aligns all the federal agencies around making progress on workforce, and the amount of progress we've seen to facilitate the drafting of this strategy, but also just to get our own house in order around workforce, has already been leaps and bounds. And so that work, coupled with the work to implement the national cyber strategy, you will see a lot more of what you're hoping to see. But the federal government is a big ship, so it doesn't change, it doesn't turn overnight, but the work is happening.

Jeff Greene: Let's take one more question. I see, right up here. Mic is on its way.

Audience member: [partially inaudible] ... implementation as well ... are there any ... [inaudible] ... that, or maybe, you're talking about or thinking about implementing in order to actually support action?

Camille Stewart Gloster: I mean, the strategy does talk about leveraging regulation in the most limited form and where needed, so that is definitely a tool in our toolbox. The federal purse is another tool in our toolbox, changing market incentives. I mean, there are a lot of tools outlined in that strategy that we'll leverage, both carrots and sticks, to drive towards these outcomes.

Jeff Greene: Yeah, a follow-up there, maybe because it was near and dear to me, but Executive Order 14028. Can you talk a little bit about, particularly, the government procurement there, trying to shift the focus on secure development, and how that ... I know there's a reference to that in the strategy, if you can talk about how that tied together.

Camille Stewart Gloster: Yeah, I mean, you can even look at software bill of materials and how we're leveraging that to increase
transparency, but doing it in a way that doesn't overwhelm vendors and ensures that they have the opportunity to not only inform the process but be able to keep up. So there's a lot of focus on leveraging the tools, but in a way that is collaborative and allows for the actors that we're working with, the private sector partners, to inform the development and move along with us, keep pace with us. But whether it's in the EO or in the strategy, there's a lot of focus on leveraging all of the tools in the toolbox and being collaborative to do so.

Jeff Greene: Great. Camille, thanks so much for your time. Oh, there's ... good, do you have time for one more? Let's sneak in one more.

Audience member: Yeah, thanks very much. I just wondered whether there was any consideration given to ... seems to me that the original sin is this permanent waiver that Congress granted the software industry from the normal commercial requirements for merchantability and, you know, to basically do what it says on the box. I mean, is there any chance you could, would you try and get Congress to repeal that? Would that be a sort of the big lift on this shift of responsibility?

Jeff Greene: Congress has been eager to pass controversial bills, but, you know, the general positioning, I think, would be interesting.

Camille Stewart Gloster: Yeah, I mean, it's definitely an option. As we pull folks together to look at software liability and how we build out a schema that actually supports the market and is something that companies can bear, particularly when you consider open source and all of these other factors, that is definitely an option on the table. Now, will we lean only on that? Probably not, because, you know, we have to let the legislature do what it does, but it will be a part of the calculus for sure.

Jeff Greene: Great. Camille, thanks again, and I re-extend the invitation for the workforce strategy or any implementation pieces; we'd be happy to have you back up here. Everyone, please give a nice round of applause.

[Applause]

Jeff Greene: So we will now bring on our panel. First is Nicole Tisdale, who was doing
yeoman's duty with the microphone. Nicole is Aspen senior advisor for cyber workforce and education. Most recently she was at the National Security Council working on cyber and legislative matters. She spent a dozen years on the Hill prior to that, working on a variety of national security issues, and is the founder of Advocacy Blueprints. I see Morgan. Our panelists are ... Morgan Adamski, you ... to stand ... to the podium so we can adjust. So we have four panelists coming on: Morgan Adamski, Eric Goldstein, Donna Dodson and Ola Sage. Morgan is the director of the Cybersecurity Collaboration Center at the NSA, previously the deputy strategic mission manager, and has been part of NSA's computer network defense, computer network exploitation and cyber analysis missions for more than a decade. Eric is currently the executive assistant director for the Cybersecurity and Infrastructure Security Agency, where he leads CISA's mission to protect federal civilian agencies and the nation's critical infrastructure against cyber threats. Before that, he was at Goldman Sachs as the head of cybersecurity policy, strategy and regulation, and served in CISA's precursor agency, NPPD, from 2013 to '17.
Donna Dodson recently joined evolutionQ as a senior strategic advisor, but most of you know her from her long and distinguished career at NIST in the Department of Commerce, where she held technical and policy leadership. Among her many roles, she was NIST chief cybersecurity advisor, the inaugural director of the National Cybersecurity Center of Excellence, and the Commerce Department's cybersecurity advisor. Finally, Ola Sage is the founder and CEO of CyberRx, which does cybersecurity risk and compliance assessments focused on critical infrastructure. Ola spent more than 20 years focused on cybersecurity readiness for small and medium-sized businesses, and over the years she's been part of numerous public-private partnership efforts with DHS and other federal agencies. Ola is the past chair of the IT Sector Coordinating Council and currently serves on its executive committee. Thank you all for being here today, and I will hand it off to Nicole.

Nicole Tisdale: Sure. We'll go ahead and ask all the panelists to come up; there's a step on this side too, if it's easier. This is what the Zoom music was keyed up to do, y'all; it was supposed to be playing now. We just got a little ahead of ourselves. So thank you all so much for joining us. We'll get ... yeah, one more. I think we want to ... as we were listening to the first conversation with Jeff and Camille, we were headed toward implementation, so I think it's very fitting that we have representation from the agencies but also the private sector, who, no pressure, y'all are in charge of implementation. So I wanted to go ahead and kick us off. Eric, I'm going to start with you. Everyone has their favorite parts of the strategy, and as we just heard, people have a lot of questions about this strategy. For some folks it feels like we've seen a version of this before. I always warn people, I'm like, the strategy is the map which is going to decide how we get to the destination, so I never want the government just driving without a map. So I appreciate a good strategy, but what's your favorite part, or what
is the most impressive part, and what do you see coming out of the gate in terms of first action for implementation?

Eric Goldstein: Absolutely. First of all, Nicole, good to see you, good to be here. Thanks to Jeff and the Aspen team, and I think Camille left, but, you know, thanks to our partners at ONCD and the broader White House for developing what I think is a really impactful strategy that really changes the tenor and, indeed, in many ways the course of national cybersecurity. You know, I have three kids, I can't pick my favorite, so similarly I can't pick my favorite part of the strategy, but I'll speak in some broad contours about where I think the strategy is taking us, both generally and then narrowing down to a bit of a focus on pillar four. So, you know, if we look at the overarching emphasis of the strategy, as part of what certainly our agency is doing, and I think the nation as a whole, the goal really is to address security needs in the broadest, most scalable ways possible. And so, looking at pillar 4: if there's a way to address a security issue by dealing with the architecture of the internet that can help every single user, individual, enterprise, let's do that. If there's ways of addressing security risks by changing the way that we incentivize and enable security being built in by design and included by default in software and hardware that's used by thousands or millions of organizations, let's do that. And then, and only then, let's really put the focus on the end user enterprise to put in place the most impactful controls, the most impactful measures. Because what we've been seeing historically in cybersecurity is that all of the burden has probably been put on that end user, whether it's an enterprise or an individual. And in so doing we have a few problems. First of all, we're not addressing the base layers of risk that we know have to do with technology that's designed insecurely or lacking basic features that would enable more security by default. And we know that in many cases these end user
enterprises aren't even able to adopt the right level of controls for the threats that they're up against. And so if you're a school district, if you're a hospital, if you're a water utility, and you're up against a nation state or ransomware gang, realistically it's going to be really hard to stay on top of every single control, every single mitigation, that you need to stay safe. And so I think the strategy is really part of this, our effort to say, let's figure out how we can address security measures at the most scalable possible level of the ecosystem and then narrow down from there. And if we can do that, if we can really address some of these architectural issues, like looking at securing BGP, for example, if we can get to a point where software and hardware is secure by design, for example, we're using memory-safe coding languages to knock out a lot of vulnerabilities categorically, and then we can say, okay, what's left, what do we need the enterprise to do that can't be done elsewhere, then we'll be in a much different place than we are today. But of course really the key is going to be how do we first agree upon, as a community, what those measures are, how do we drill down to those levels of specificity, and then how do we build and place the right incentives, the right measurement, the right governance, so we actually make progress as a community in a collaborative way. So I think the strategy is a critically important marker to drive us toward this new model, where the burden is appropriately shared across actors in the ecosystem, and now's the time to really put it to work.

Nicole Tisdale: I think that's helpful context, Eric, and I love how, I know the English major in me noticed how you were using a lot of "we"s and "our"s in this, to show that, like, this does have to be a collaborative effort. And I want the next question to go to you, Morgan. I know, as the director of NSA's Cybersecurity Collaboration Center, we've, like, I'm working at the White House, I got to see you in action, and, like, how you advocate for the private sector in
real timeum sometimes with the carrot sometimeswith a stick towards your colleagues ingovernment but as it relates to pillarfour what do you see in terms of yourengagement with the private sector andimplementation on the NSA sideum so I see two specific things so firstand foremost thanks for having me um andcompletely agree with Eric right thiswas a Monumental lift to be able to getthe strategy out it really is unique inthat IT addresses so many significantareas that we talk about every singledayum when we talk about you know and I dohave a favorite I’m sorry but myfavorite is obviously the public-privatepartnership collaboration it underpinsall of the pillars in different ways oneof the main points is that publicprivate collaborationpeople think sometimes that it’ssupposed to look a single way it doesn’twe have a lot of different forums thatserve different purposes and what I willtell you that has been significant interms of what we’ve done with the cybersecurity collaboration Center but alsothe joint cyber defense collaborative isthis Intel driven collaboration with theprivate sector which is specifically fedinto that desire to have context behindwhy they should care about modernizingcertain technology or care aboutsystematic risk because we’ve saidhere’s the attack factors here’s thethings that we know our adversaries aretargeting and this is how you need topotentially address it but it providesprioritizationand when you talk about systematic riska car across a large scale that can beeating the entire elephant and it can bedaunting but if we’re able to provideprioritization to our private sectorpartners and say Here’s the top coupleof things that we think you shouldprobably pay attention to and here’s whywhat we’ve been able to do is see thisUnity of effort in figuring out how toaddress them secondly in thepublic-private partnership RealmI’m going to try not to saypublic-private Partnerships 14 timesit’s just the key termum is thatit is really about a 
conversationum with our private sector partners andso when you talk about regulation whenyou talk about changes when you talkabout secure by Design those are allfantastic principles that we’re allworking towards but when it gets down tothe practitioner and implementing it youreally need to fundamentally understandfrom the private sector is thisachievable what are the things that Ihaven’t thought about and what I cantell you about a lot of our engagementthat has occurred and what we’ve learnedover the last three years when we’vebeen working to share Intel with theprivate sector is a lot of feedback thatwe’ve gotten is okay that’s great butthat’s not actually the data that Ineeded that’s not as timely as I neededto be and this is the type ofinformation that would help me actuallydefend my networks and that’s theconversation that I think we knew whenwe talk about resilient infrastructurefor the future is having an honestconversation about what is the type ofinformation that we all need to make theright decisionsI like that um and I I think it’simportant when you talk about it is theconversation because I think over timeum as we’ve seen a lot of thesestrategies roll out I think people inthis room can attest people haven’talways felt like they feel like thestrategy comes out and then anAdministration will say and now we’reworking on implementation and then youdon’t hear anything until a mandaterolls out and it’s like okay how do wemake sure that the people who are goingto be responsible for these uhresponsible for helping to enforce thesepolicies are a part of the policy makingprocess so inputs as well as outputsum which leads me to Ola I’m going toturn to you because we’re talking a lotabout what the private sector engagementshould be and I know as a member of theI.T sector coordinating councilsexecutive committee this is literally apart of your job as well and so I wantto talk to you a little bit about as wespeak to pillar four what do you thinkthe role is or is there 
a role for theprivate sector to help with theimplementation of pillar 4 in thestrategy yes and this is my second40-hour job is it or third 40-hour jobno you never can’t tell what womenuh yes and I love the question whoeverasked it about small business role inthisumI think you know somebody also askedabout the implementation plan I think wewe might need a National Small Businesscyber security implementation planbecausethere’s just so much and it’s frankly alittle bit overwhelming and everybodywants to help small businesses and welove thatand it also means that it can be achallenge trying to figure out where tostart Etc but one place potentially tostart as it relates to at least criticalinfrastructure is with the sectorcoordinating councilsand you know while a lot of smallbusinesses may not have a lot of moneyour contribution can be our time andexpertiseand and that translates to dollars righttime is money and so I think there’s anopportunity for at least in the I.Tsector to engage more companies toparticipate more small medium-sizedbusinesses to participate becausewhat’s that saying if you’re not at thetable you’re probably on the menu yeahand so I know um I gave Eric a heads upI told him I was to talk about him butbut in the I.T sectorum you know we’re about we we’ve alwayshad a very strong small business kind ofum support and encouragement andadvocacy and all thatum but it’s been kind of uh topicspecific and we’re getting ready toreally set up a standing I.T sector SMBworking group that can really take onsome of these issues as they come upbecause they evolve right we don’t havea static environment and I think thatwould be something that might be areally useful tool for other sectors aswellum to to think about something like thatI think that is a good exampleum I feel like a lot of times you’reright once you join one of thesecouncils like someone is asking you todo a public service of like can you comehelp the federal government for free inall of your free time 
that you haveum but I think we’ve all seen firsthandthose ideas those Concepts thoserecommendations that come out of thesecouncils for a lot of the folks that aretrying to make the policy it’s not thatpeople are trying to not be inclusivethey just don’t have the perspective andsoum I I it’s always a lot when thegovernment is asking people toparticipate on those councils and so I’mglad that you’re saying positive thingsand I would encourage other folks to getinvolved in their sector-specificcouncils as well because that is wherethe implementation comes fromum that is where you’re going to see thepoliciesum and so I want like as we’re talkingvery high levelI don’t want to scare anyone in the roombut now we’re going to do a deep diveand we’re going to turn this into awhole talk about post Quantum computingI’m kind of joking but not reallyum so because I wanna because weactually when we talk about pillar fourpillar four are all of the things in thefuture and you heard Camille say earlierwe’ve got to be able in cyber to notjust put out the current fire we have tothink about what’s ahead and so Donna Iwanted to turn to youum specifically uh in pillar four or 4.3focuses on preparing for our postQuantum future which sounds kind ofscaryum but I want to know in particular likecan you explain to a layperson what itis should I be afraid and how is thestrategy going to move towardimplementation or how do you hope thestrategy will move toward implementationsure so I think um there’s a lot ofupper a lot of opportunities that we’reseeing in the strategy and they’ve donean excellent job laying out bothshort-term medium-term and long-termgoals and the the challenge will be inthe implementation and how we get abouthow we think about what we want to doand then as Morgan rightly said how wework with the private sector to getthere instead of here are the fivethings that you have to do right how doyou listen and and think how do you dothis and what is it that you’re tryingto protect and 
that comes into play whenyou think about cryptography and why areyou using cryptography what are youusing it for and what is it that you’retrying to protect and when you thinkabout this it helps you come up withyour quantums your strategy for the daywhen we have quantum computers becausewhen we have quantum computers they willactually break the math behind many ofthe crypto algorithms that we’re usingtoday and as we break that math we haveto put in new algorithms but when we putthose new algorithms in place we havemore work to do than just drop in thosenew crypto algorithms and we’re good togothis is an opportunity for the federalgovernment it’s an opportunity forindustry to think about resiliency inour cryptographic infrastructure and soas we’re thinking about implementationplans we can think about cryptographicresiliency why is this important it’simportant because cryptography is afundamental tool in our in our cybersecurity tool chest that we use fromthat btp example that Eric put forwardwe use cryptography there all the way upto our applications with our Healthcaredata that we’re protecting to ouridentity management programs Etc so howdo we build resiliency in how do wethink about the physics aspect uh thatthat Quantum is bringing what are theopportunities from bringing togetherphysics and math togetherto build that crypto toolkitI came from nist I was working on theworking with the crypto team there asthey started with the algorithms andworking with the International Communityand NSA and and many of the folks inthis roomum did a great job and have come up withalgorithms that we can use as asreplacementsthat’s this much of the work there’s alot more work that has to be done forthis crypto platform as we get preparedfor for the world when we have quantumcomputers and I think we’re reallyfocused on bringing these algorithms inand how do we how do we swap out RSA andhow do we put a lattice based algorithmin place but we have protocols to thinkabout we have Key 
Management to thinkabout we have these algorithms that arenot drop in replacements for where weare today so we have an opportunity tohave a much more resilient cryptoplatform instead of a brittle Clubplatform that we kind of have todayso I’m hoping that the implementationplan will look at this opportunity for acrypto platform instead of oh my goshthis is big and scary it’s not it couldactually be funI I’m gonna take you away for it Donna Ibelieve it could be fun and I think asas you say that I think it highlights avery important part that is wheat allthroughout pillar 4 which is theresearch and development and I love howyou say this when you said it it couldbe fun but also it could be somethingvery different and it does we don’t haveto always have these because it’s alwaysbeen here it’s not a reason for it tocurrently exist and so as we talk aboutresearch and development and I alsodon’t want this to feel like too schoolteacher y’all should like jump in if youall want toum add to anyone’s point but I Eric andMorgan I want to talk to you all aboutwhat does research and development looklike within pillar 4 as well becausethis is a lot of forward-leadingum initiatives that you all are going toundertake and we know the governmentdoesn’t have all of this informationthey don’t have all of these tools sowhat does private sector engagement looklike specific to research anddevelopment and how can people getinvolvedsure sothere we go um Donna that was awesome uhwe we need way more fun in cybersecurity uh a lot of times we are veryfocused on the uh the theum um the Dark Cloud thank you yes uhthe the uh increasing worsening of thethreat perpetually day on day on day onand so uh the more fun we can have thebetter so Donna thank you for addingthat uh uh note of levity the panel itwas much needed um so I’ll offer sort ofa somewhat different take on the r dquestion uh beyond the the appliedresearch questions that we have to delveinto because part of the challenge weface in figuring 
out where to invest andhow to apportion investment between theproviders of Internet infrastructure thedevelopers of Technology hardware andsoftware and the end users at theEnterprise or individual level uh ofTechnology products is how breachesactually occur and what investments whatsecurity controls what security measuresare actually most effective in stoppingharm from occurring and and one oneoverarching challenge in cyber securitytoday is we actually have really baddata in not only how breaches occur asin what was the initial access butactually how the adversary achievestheir action on objectives right and sowe say a lot of times you know well itwas a it was a phishing attack well youknow that might have been the initialaccess but a lot of other things wentwrong that allowed damage to occurwhether it was Data being stolen databeing encrypted what have you and todayyou know we just don’t have the data tobe able to say with real conclusivenesshere is what the developer of thatsoftware product could have donedifferently here’s what the Enterpriseuser could have done differently and soone area of research that you know weare really focused on is reallyGathering data from our partners acrossthe private sector at all levels of theecosystem to really get a better answerto that question because as we get moreand more specific as Guided by thenational cyber security strategy of whatare the measures that we think Defineproducts that are secure by Design anddefault what are those those measuresthat enterprises need to take to defendthemselves that they really can’t burdenshare with a provider Upstream we needto know how to ground those in data sothat we can actually say listen if youdo these this is a smart businessdecision do you see any reasonableexpectation of fewer intrusions fewer uhless damage less harm without that datawe’re guessing too much and so the morethat we can share in this voluntarymodel about how breaches happen and whatcontrols worked and didn’t work 
thebetter it will be it’s also why weassist are so excited for our incidentincident reporting rule soon to comethat’s going to give us a much betterbody of information so that we canunderstand for incidents across thecountry across sectors how are theyhappening what could have stopped themand what was effective in minimizingharm so we can translate that intoguidance or direction that can helporganizations at every level take theright steps firstI’ll pivot a little bit back to whatCamille brought up in terms ofinnovation right and so when we talkabout the cyber security community andthe technology that they are creating tobetter protect against these verycommonly used access vectors we reallyneed to have that collaboration andconversation about here’s the productshere’s what they offer here’s thedifferent type of data it was kind oftalked about the fact was small tomedium-sized companies they get allthese pamphlets right here’s all thecyber security services that you can usein most of that terminology of cybersecurity services at a high level itdoesn’t talk at the technical level ofwhat they’re actually getting out of itso I think from an innovationperspective I know in the Department ofDefense at the National Security Agencywe’re really trying to figure out how dowe pilot these capabilities in terms ofwhat’s Innovative what really helpsprotect against these attack vectors ina short-term way to see what’s mosteffective and neitheron-ramp it to scale it out to more smallto medium-sized companies or do we needto then pivot provide feedback and makeit better for the community in generaland so I think Innovation a key aspectof the pillar there I would like to goback to post Quantum can I go backI’m still trying to be fun so I’m goingto be funum so you know I just want to talk Donnadid a phenomenal job of outlining thesignificance of it but you know when shecame down to timing and details it isjust needs to be talked about howcomplex this is right so the NationalSecurity 
Agency plays a key role in thekeys code and crypto Missionum there are millions of devicesworldwideum and you know when we talk about whatthe steps are for that modernizationfirst you have to get rid of like actualcrypto that’s old that needs to move butthen from a modernization perspectiveum I would offer this is that you knowwe have to update our math as Donnapointed outum we have to then actually inventoryall of the devices worldwide to get abetter understanding of what needs toactually be updated then we have toupdate the software and the hardware andso from a Department of Defenseperspective the U.S Air Force is notdriving their fighter jets down 295 toNSA every 5 000 miles for an oil changeokay so we now then have to do thescheduling and the timing to update allof that software and hardware and sowhile National Security memorandum 10outlines I think 2033 is the deadline todo all this modernization that timelinewill come very quick in terms of how wephase all of this out and so you knowworking with our nist colleagues in thecommunity this is going to take a hugelift that we have to start yesterdayand so I think it’s something that we’reputting a lot of emphasis onum I would also just touch on the factthat and Donna mentioned thisInternational standards bodies andhaving a key role in the secureprotocols in this arena is a key aspectof the work that we need to do with ourprivate sector Partners as well rightand that is a joint public-privatepartnership conversationan opportunity to think about cryptoagility though to get back to that sothat in five years when we need tochange to a different algorithm or adifferent key size you don’t have tobring those ships in you don’t have tobringthose fighter pilot those fighter jetsin and we’ve not built that cryptoplatform to be to have that kind ofagility and in cyber security often wedon’t think about that when we’rebuilding these kinds of of capabilitieswhether it’s cryptography or whetherit’s some other kind of service 
aroundauthentication or digital identitiesthese kinds of capabilities that we’relooking at how do we build them so thatthey do have that sort of resilience andthat they can work in in differentenvironments and I think we do have Ithink this is an opportunity where thethe government can work closely withsome of thebigger providers out there who can anddo often turn things on a dime because Ihad an opportunity to work with some ofthe bigger providers after I leftgovernment and I saw how quickly and howagile they were with some of the changesthat they were able to make and it wasbecause they did that architecture andthat good thought provoking developmentup front instead of I gotta get this Ihave this mandate I’ve got to get thisdone I’ll put something down on paperand then I’ll go ahead and do it andthen I’ll try to figure out what theright answer is later on and that’sthat’s that approach where you don’thave people like really poking at the atwhat you want to do with thatarchitecture those really smart Mindsgoing back and forth and looking at itfor for a little while and and sayingwell what about this or what about thatumwe can we have an opportunity to worktogether to do some of that so that wecan get some of these platforms so thatthey are resilient and I think reallywhen I when I joked and said okay cryptocan be fun it can be fun because we havean opportunity to create that kind ofplatform not just in cryptography but inin other places in cyber security so wedo have an opportunity to partner withsome of these folks as as has beenstated earlieryeah I think that I would also add tothe point toum the work that needs to be done inpost-quantum Computing analysis and theresearch it’s still a very bipartisanissue on the heel I remember veryclearly working on some of thoseprovisions and um last year’s NDA butthen seeing it again and like the chipsact and I think Congress has also giventhe community and the executive branchspace to know like we’re not in a placeto 
legislate but we want to empower thecommunities to do the research and thenbring bring it to Congress and thenwe’ll make decisions from there andthat’s very rare y’all so I feel likepeople should be taking advantage ofthatum so I wanna I Eric I love when you umtalked about the data that is stillneeded in cyber security and how muchdata we needum I always joke with people I I workedon passage of the Cyber incidentReporting Act and it was really a datacollection bill but that doesn’t go wellin this town depending on who hears thatthat language I’ll also it’s just notfun enough for peopleum but when we when so I say that to sayI speak Kirby and I know how governmentspeak works but there were a couple ofsections in the strategy where I waslike I don’t know what this isum soyou’re about to be responsible for itbecause I didn’t get to ask my questionsto Camille I deferall right so we’re going to be veryspecific so strategic objective 4.1talks about securing the technicalfoundation of the internet and talksabout the Border Gateway protocolbut there is a specific sentence thatsays unencrypted domain name systemrequest and moreI’m going to need you to translate thisinto Englishum I’m gonna and we need this I alwayssay this in cyber security it’simportant for all the people in thisroom who got really excited when theCyber strategy came out to be able totalk to people who had no idea that theCyber strategy came out they don’t knowwhere you are this afternoon they thinkyou just left work earlyum what are we talking about and alsowhy should the average person care aboutthis I’m going to start with the secondpoint because actually I think it is itis probably interesting really I shoulddefer to Donna who is one of the mostbrilliant practitioners in this space toactually explain bgp and secure DNS butI’ll I’ll give it a shot as well but Ithink you know the starting point needsto be that you know we all know in thisroom that every function of our dailylife now depends on Network 
Technologieson software and hardware and the networkof networks that comprises the publicinternetum but of course there have been designdecisions over the past 40 or so yearsthat have been largely cobbled togetheryou know the help of some underlyingstandards but largely a series ofindependent design decisions that haveled us to the point where thisconnectivity enables absolutelyextraordinary efficiency productivityum you know social activities that wouldhave been unimaginable when the internetwas designed by some DOD practitionersand academic researchers you know 40some years ago but the result of that isthat across the board these systems werenever designed to be secure andresilient in the face of continuouspersistent Advanced attacks frommilitaries intelligence agencies andcriminal ganks right it was never theidea of the system and so this is trueon the backbone of the internet which iswhatum 4.1 focuses on it’s also true in theway that we design build and usesoftware and Hardware even today when byand large most products are designed forgood reasons focusing on featuresfocusing on cost focusing on time toMarket focusing on advancing theusability of these technologies thatagain have enabled absolutelyunimaginable advancesthat’s sort of the problem is you knowwe’ve never said you know let’s justpause for a second and have aconversation about how we makeinvestment decisions in the technologythat we’re using and what’s our level ofconfidence that these Technologies arefit for purpose particularly for themost critical applications to whichthey’re being applied I think thatreally is these strategic overlay of thestrategy you know in part in goal threelet’s focus really on how do we saylet’s make sure that if we are using apiece of software or hardware for anational critical function for examplethat we are really confident that we’vedone everything we can to make sure thatwe are not uh that we are reducing theprevalence of exploitable conditions andwe have the right 
security controlsembedded by default such that we aremaking life as hard as possible for ouradversaries um the goal 4.1 is actuallytaking a a broader approach and sayinglet’s look for example at how theinternet itself was architected anddesigned and so for example you know weknow that the way the traffic is isrouted throughout the internet using aprotocol called bgp you know is is ableto be spoofed or hijacked by maliciousadversaries who are able to Routeinternet traffic to where it wasn’tsupposed to go and so you can think thatyou are you are you know sending acommunication to your University orbusiness but in fact that could bererouted to a computer in Russia orChina for example and we know that thereare ways to secure this protocol in away that makes it more hardened tohijacking and to reroutingum and you know real real credit to ourpartners at the FCC who are actuallylooking into this issue and figuring outis there more change that we can make atthe level of the ISP but broadly thesechanges have not been adopted widely andso you know we know that there are thesefundamental you know Network levelchanges that we could make that wouldknock out categories of attacks thereare changes that we can make in how wedesign and build hardware and softwarethey’ll knock out categories of attacktax their security controls that we canembed in software products that wouldknock out categories of attacks and ifwe do all of that work that’s actuallygoing to leave a fairly thin layer ofattacks that are still the burden of theend user Enterprise to address andthat’s a much better world than theworld we’re in today in which almostevery kind of attack is to some degreeoffloaded on the end user Enterprise toaddress at least with many products thatthey’re using today and so our goal isreally I think in the strategy is abetter equilibrium to say let’s figureout what the easiest and most scalableplace to address a certain type ofattack is let’s let’s address it thereand then move forwardI 
like that um and just a flag foreverybody we’re gonna open it up I wantto do one more round of questions andthen we’ll open it to the audience for aq a so as we talk about implementation Iwant to make sure people leave with likea concrete way that they could getinvolved in implementation other thansending us messages on our LinkedInum after this event which is fineum but I think we also like we’ve talkeda lot about this is very forward leaningbut we also recognize this is a veryrobust strategy it touches on even justfocusing on pillar four touches on a lotof different topics a lot of differentissues and one of the things that Ithink is going to beum probably the hardest part ofimplementation is engagement and to beinformed on the process as it’s goingalong so I don’t want to just put thisquestion to our uh our friends that arein government I also want Donna and Olayou all to weigh into what is somethingthat people can do how in the privatesector engage with the government tohelp implementation what does that looklike from your seat in government andalso from the private sectorholasorry so this might be the entrepreneurin me but I just see opportunityand particularly for small businessesum you know sometimes we’re perceived asjust the victims you know we have to besaved from everything but I really thinkwe can have a front row seatin in all of these areas in pillar 4explicitly so whether it’s investment inr d you knowum that’s an that’s a place where anentrepreneur who has an idea wants toresearch something in this area I meanwhat I love part of what I I reallyappreciate about this the strategy isthe specifics these are the areas wewant to invest in right so it’s it’sclear and you know if you already have abusiness maybe you start another one butI just think that this whole idea of ofum being in a position to really play acritical role I think is reallyimportant for smbs the other thing and Ithink I don’t remember who said it mayhave been Camille about getting 
involvedwith the standards developmentI meanumyou knowthat’s not an area that a lot of smallbusinesses play in butI really believe policy standardsthey’re not just to encouragecompetition it can really for a lot ofsmall businessesuminfluence whether you can exist or notyou know and so I think if we can getmore small businesses involved in policyand standards development I think thatthose could be important uh roles thatwe could playI think there’s an opportunity to beable to sit down and and again havethose important conversations not just Idon’t like this but here’s a way wherewe can get to this outcome that you’relooking forand here’s a way to do this that existswherewe’re working up for this technology tobe secure so that this business canstill operate it’s not security for thesake of security it’s security so thatthat lab test can get to that doctorit’s security so that that money can gettransferred from Bank a to bank B it’snot so that the crypto works perfectlydarn itum right it’s it’s that security forthat purpose and so being able to sitdown and say okay let’s look at theoutcomes that we’re trying to achieveand thenum here are some different mechanismsthat can get you there and and here aresome different ways that you can testfor those outcomes that you’re lookingfor and give organizations theopportunity to continue to workin ways that they can still get theirbusiness done and still achieve thosesecurity outcomes I think comes fromdialogue and sometimes we don’t thinkabout those business ramifications whenwe’re looking at Security First for theoutcome but it’s the combination ofthose it becomes critically importantand that’s where those importantconversations come from about you knowif I had the data this way it would havea much faster impact for me and and so Ithink it really is those dialogues sothat people aren’t talking past oneanotheryeah I’ll jump in and add to that tooum I think for people I think everyonethinks when it when the government sendsout a 
...call and says, "We want to hear from you," it's like, let's go get 50 lawyers, let's sit down. And I tell people here at the Aspen Institute, when the White House was working on their cyber workforce and education strategy, we helped people submit comments who have never submitted comments to any government process. It was a lot of non-profits that are doing the work in cybersecurity, and we did a webinar, and we told them: the federal government puts a maximum on how many pages you can send; there's no minimum. And if you don't want to comment on everything, comment on the things that you do have expertise on. But also that gives everyone in government almost like a call, so they now know who to call when they have very specific questions. It doesn't matter how niche the issues are. And so if you're in the audience, but also if you're online, I would say: when the government says, "We want to hear from you," don't talk yourself out of why you should be responsive. And if that's a dialogue, if that's a request for comments, if that's coming to an event to hear from people, when they say they want to hear from you, they really do.

Can I just say something about that? Because I know when I first started, when I first got involved with the IT-SCC, I just would be amazed looking at these large companies having conversations with the government, and I thought, wow, it's actually making a difference. I think for many small businesses we don't think it's going to make a difference, because we think we're one voice and we don't have the, you know, hundreds and thousands of employees behind us. But my experience has been really different, so I just encourage small businesses: they actually do listen, and actually it does inform, you know, the decisions that they make.

Yeah, I would agree. I would remind everyone that "advocate" is Latin for "ad voice"; that's really what you're doing when you're advocating, you're adding your voice to the policymaking process. That's my PSA. Morgan, Eric, we want to hear from you all about what engagement looks like in the private sector.

Honestly, I think all the points that you just made are the relevant ones, right? Take the opportunity. The National Cybersecurity Strategy will be the hot topic at every forum, at every conference, every meeting, every collaboration for, I would say, the near future, but probably the next year, two years, right? And the insights that I know that I get from those collaborations, from those forums, from those discussions really weigh on me in terms of, when we talk about implementation, what are the right steps. And so, to the point that was made, speak up. Your voice does matter. We are looking for inputs on how to actually implement this in a way that we can all achieve success and the outcome we're seeking to achieve. And so I would just offer that there are a bunch of different forums; if you bring that input to it, a lot of it is all coming back to the right people who are making those decisions. And so I would just encourage people to really lean forward in that space.

I think that is very well said, and in the spirit of having voices heard all the time, for Q&A, have people pass my... I think the mics are coming. So we have one question there. A small room, yeah.

Hi, I'm Tatiana Bolton with Google. You talked a lot about public-private partnership, and obviously we work a lot with all kinds of governments and support that extensively. But a lot of what we're seeing on the cybersecurity front, I mean, you know, secure by design and the policies that we support in terms of making our products and services secure, a lot of that is done already at Google. But there's also, like you're talking about, you know, engaging more and doing more, putting more requirements on big players, and we think that that's right. I mean, we have a lot of ability to scale, and so we want to be able to do that. But there's also a ton of pressure, right? There's a lot of pressure domestically, right, antitrust bills, the focus on big tech, and internationally in terms of data localization and pressures to undermine some of the policies that we put in place for security by, you know, localizing data and taking away our ability to be resilient, right? And we're facing those pressures across the world. So can any of you say anything about, you know, your thoughts on the various pressures that the companies are facing?

Sure. Well, thanks, Tatiana, good to see you, and really, thanks for the work that you and the team are doing. You know, we really appreciated your company's great blog on security by design and default; that was really well received and appreciated. So I think it's really well taken that we at times have countervailing pressures, where, you know, there are investments that are pro-security, that are pro-resilience, and then there are certainly at times, particularly outside of the US, policy prerogatives that can undermine security. I think this is why, to pull out a thread from this dialogue, you know, having the private sector's voice in the process is so important, right? Because certainly, speaking for myself and Morgan, you know, we are from security agencies, right? We wake up every day and eat, drink, and sleep security. There are other agencies, both in the U.S. and certainly with our foreign partners, who are seeking other policy objectives, and frankly it is the role of government, both internally within the US government and then with our partners, to reconcile those priorities and have those forthright conversations about how do we rank-stack priorities and how do we ensure that, if we have shared goals for security and resilience, those are not undermined by other goals that may be sought. And so I think, you know, as a broad point, really looking forward to the further engagement with Google and partners on these topics, and making sure that the security agencies can keep being a compelling voice in the room to reiterate the importance of strong security by design and default, and the importance of enabling partners like your company to really continue to be leaders in this space.

Real quick, one other opportunity here, and it gets back to the point on standards. There is an opportunity here for international standards to help play a role to alleviate some of the pressure. It does not solve all of this very difficult and challenging issue that has more than just technology at play; I'm very aware of that. However, I think as we as the cybersecurity community, both nationally and internationally, try to get our partners and our other national governments to play in standards bodies, and our other companies across the board to play in standards, that can help alleviate some of the pressures that organizations feel around some of these kinds of issues, where you can point to a global standard and then everybody has a fair playing field. So that is not a full recipe to solve some of those problems, but it is one that I would go back to and try as a piece of the puzzle.

Hi, Ed McNicholas from Ropes & Gray. I love all the discussion about public-private partnerships; I think it's a long-term solution. But when I think about cybersecurity in DC, I think about the Securities and Exchange Commission, the Federal Trade Commission, as being very significant players, and they tend to, particularly with the new SEC cybersecurity rules, almost anything you say about cybersecurity can and will be held against you. How do you reconcile this call for public-private partnership at the same time you've got agencies that are independent but are really taking out the stick and beating on companies right after data breaches?

Thanks. It's a great question, so I'll offer a few thoughts. The first is, you know, certainly speaking for CISA, and I think for the other agencies that operate in this voluntary, trust-based model, you know, our use case for collaboration and partnership is demonstrably different from that of the regulators, right? And I think Congress, realizing that fact, has given us very strong authorities to protect information shared with us from disclosure in regulatory action, FOIA, civil litigation, etc. And so I think, you know, while regulators receive information, demand information, to inform potential enforcement actions against victims or other entities, you know, our goal is very different, right? And our goal is both to help victims but, more broadly, to ensure that we are doing everything we can to share information to help the broader ecosystem. And so I do think that, you know, it is fair to think of our national cybersecurity environment as operating on two different levels: there is the voluntary, trust-based model, you know, as manifested by CISA, by Morgan's team at NSA, the SRMAs, and then conversely the regulators who demand information for their particular authorities and their purposes. I do think that, you know, it is certainly our hope that as we mature and advance this voluntary model, as we begin to shift the focus to say, let's focus a little bit less on the victim in the first instance and ask some better and deeper questions about why breaches keep happening and what can we do on an ecosystem level to drive broader change, you know, we do hope that those independent agencies that you referenced will work with us to broaden our conceptualization of the cybersecurity problem, and that perhaps you will see follow-on change as a result.

To your point, right, when we talk about public-private partnership, we often say that there are all these different types of relationships: there's cooperative, there's compliance, there's contractual, there's regulation, and all of those roles have very specific functions and purposes, and they should all have a seat at the table, maybe just not in the same room. And so that's part of our model. To Eric's point, right, when we talk about voluntary, mutually beneficial relationships, which means you have to put in some to get some back, when you put regulation and compliance in that same room, that sharing tends to decrease. And so we want to see the benefits of all of those different types of relationships in this very delicate ecosystem. It's one of the reasons that all of those different types of relationships are mentioned in the national strategy.

I'll just add to that too: the private sector has really good advocates in the people that are leading these public-private sector partnerships. And so what you don't get to see from the outside is when Eric and Morgan are advocating for the private sector in front of their government counterparts across multiple agencies, and that's not something that anybody can brag about, but I do want to tell people that does happen. And so a lot of the times there are things that are happening behind the scenes that your partners are doing on behalf of you in the rooms that you can't be in.

Ken Lieberthal, the Brookings Institution. This is a fabulous discussion. I want to ask Donna a question, because you seem so excited about playing with the future of quantum computing and sustainable cryptography in that world. You highlighted, I think very sensibly, the complexities and therefore the amount of time it will take to really develop good defense in a world of quantum computing. Quantum computing, my understanding is, is a massively disruptive technology; when that becomes really operational, the world changes in terms of ability to protect anything that is currently protected by encryption. How do you see handling the difference in time between the capacity to attack and the capacity to defend in our quantum world? Generally, my sense of the evolution of offense and defense in the digital world over the last 40 years has been offense is almost always ahead of defense, and defense is always trying to catch up. But when you have this kind of massive change, where are we?

So there's a big challenge today where you can collect information, so harvest it now, hold on to it until those quantum computers are out there, and then be able to decrypt information. And I think there's been a lot of work that has started on looking at hybrid approaches, where you use a combination of the cryptography that's out there today and then some of these cryptographic algorithms that we see coming into play, and working both of those together, and there are some standards bodies that have taken some of those approaches. The big challenge with some of this also is the life cycle process: to develop the algorithms, to prepare the standards, to get them in play, to do the conformity assessment, and then to get those certified products out and into products, and then get those products into use, right? So that used to be done in a very serial fashion, one and then one and then one and then one and then one, and so you had like a 15-year period before you could see some of these changes occur. I think some of my colleagues and friends from NIST and NSA started looking at this problem and saying, okay, how do we do this in more of a parallel fashion, where we start looking at both the algorithms that need to be updated but also where some of this needs to be done, so that we can work on the problem more in parallel, and a lot of good work's been done there. I think some of the places we haven't seen as much work as I would like to see are a couple of places. One of them is in the standards bodies and being able to look at some of the protocols and how to use some of the protocols, and get them more in play faster with some of the changes that we're seeing with the new algorithms. The second place is looking at some of the physics from the quantum side and thinking about what are those physics changes going to do and how can we use that from the crypto side in the defense world, and are we getting everything out of that that we can. So that's why I keep talking about that resiliency that we can take a look at across the board. But I think we are changing the time scale a little bit. Is it fast enough? Probably not, but it's much faster than we've seen with crypto in the past.

We have time for maybe one more question, and I see three hands. I think you've had your hand up the longest, though. All right.

Thank you so much, I appreciate it. To build on the kind of questions around quantum computing and post-quantum encryption: I had this revelation recently. I was looking at a pamphlet from a company that I won't name that was talking about quantum-computing-enabled encryption in such a way as if they would encrypt your things with a quantum computer and then it would be secure against quantum computers, which is not how quantum computing and the quantum computing threat works. And coming myself from a cryptography background, and being, I like to think, pretty young still, I have seen blockchain go from something really interesting with a lot of possibilities into an absolute swamp full of hucksters selling nonsense that is, like, totally disconnected from the technology. So given that post-quantum computing is going to be something that is really necessary everywhere, how is the government thinking about creating a good ecosystem that is not full of snake oil salesmen doing this? And just to add a little bit of a twist to this: given the NSA historically has a legacy of subverting the development of strong encryption standards, like DES and RSA, is there self-reflection about kind of saying that, yes, the United States government can be trusted, that this is, you know, an open process, and no, the NSA is not putting its fingers on the scales to support intelligence collection? Thanks.

So, yes. So, quantum grifters. Yeah, so I think first and foremost, right, one of the things that we are definitely leaning forward in, in conjunction with our NIST counterparts, is when this type of technology comes out, or the narratives come out, how do we dispel and say, hey, you really need to think about the modernization efforts, and don't think that there's a shortcut that you can leverage from a technology perspective, and here's why, right? Here's the fundamental things that you need to look for. So we are thinking about that, on how we create a trusted ecosystem that people can think about working with, and who are the right type of people to talk to. From an NSA perspective, fundamentally, one of the huge shifts that we made, to Donna's point, in the last couple years, is we stood up an open and transparent Center for Cybersecurity Standards. It actually exists at the Cybersecurity Collaboration Center. It is in conjunction with NIST, Commerce, State, a few other entities, where we are openly talking about a lot of the work and priorities that we have in the cybersecurity standards development organization efforts. We are doing that in conjunction with the private sector, because there's not enough work happening in this area. It is a huge effort that we had to make, and we are primarily focused on how do we make that future technology, cloud, crypto standards, internet protocols, secure in a way that it benefits all of the U.S. civilian population. And so that is a significant effort, NSA openly talking about a lot of their standards efforts, especially on the defensive community side.

So, no, even having someone from NSA here with us, this is not necessarily the norm. I would say probably two years ago I don't even know if this would have even been possible, to have someone from NSA here with us publicly talking about public-private partnerships and asking people to engage. So I also think that is an example of not only are they saying it, they're also doing the work, and they're trying to be more inclusive than previously.

So I think, my experience coming from NIST in the past and working on some of these standards development activities, you can see historically, from the very initial call for algorithms all the way through the selection process, exactly what happened in that process, and therefore you can see how everything occurred. And because of that, from the international community, these algorithms, people have been fairly comfortable with them. I have seen, and this is me speaking personally now, not for NIST, with the quantum algorithms that they selected, the four algorithms that have been selected, I have seen that there are companies around the world who are implementing those and making them available in products and services. So that's super good. The snake oil question and how you get to that is where you have that certification or that validation kind of process. And how do we do that? How do we create a validation process? So NIST has a process for validating these algorithms, but how do you do it at a speed that keeps up with industry and the products and services, in a way that doesn't compromise the security kinds of capabilities that's looked at in that validation process for crypto products and services, through FIPS 140? And they are working on how to have a more agile process, and I think that's really, really important, particularly here, so you can get these algorithms in products and services and get them out and in use in a faster way than what we've seen in the past. But I think if you really want to dig into everything that's happened from the beginning, from the selection process all the way to the algorithms that were selected and why they were selected, you can go through that history, and with the community; it is a community effort. It is one of those public-private partnerships from a worldwide perspective that I think is really, really phenomenal.

Yeah, I'm about to make a cyber joke; just laugh even if it's not funny. I feel like if NIST can figure out the standards for which we call peanut butter peanut butter, I feel comfortable that working with... oh, y'all missed the whole... like, no one laughed. It's fine. Cyber jokes are hard, y'all. But I do feel like that is a good example of it's the standards coming together, it's the public-private partnerships coming together, and I think that's a good place for us to close. I want to thank everybody for coming today and joining us online. I also want to thank all of our panelists for being here with us today. As Morgan has said, and everyone has said, we'll be talking about the cyber strategy broadly, especially everyone in this room; this is like the Super Bowl, and so we'll be talking about it for months and months to come. And thank y'all for joining us.

[Applause]
The Biden-Harris National Cybersecurity Strategy has arrived. Pillar Four – Invest in a Resilient Future – is the most forward-looking part, and perhaps the most exciting.
Whether it’s securing the foundation of the internet, expanding research and development, preparing for a post-quantum world, or developing secure digital identities, how does the Administration plan to turn these goals into outcomes? And how will they partner with the private sector to do so?
On March 20, Aspen Digital hosted Deputy National Cyber Director Camille Stewart Gloster and other experts from government and industry to discuss the next steps toward that resilient future.
Speakers
Camille Stewart Gloster, Deputy National Cyber Director
Morgan Adamski, Director of Cybersecurity Collaboration Center, National Security Agency
Donna Dodson, Senior Strategy Advisor, evolutionQ; former Chief Cybersecurity Advisor, NIST
Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency
Ola Sage, Founder & CEO, CyberRx