Good morning. Our program will begin momentarily. Please go ahead and find your seats. Thank you.

[Music]

Hello everybody, welcome, welcome to the 8th annual Aspen Cyber Summit. Uh, my name is Vivian Schiller. I’m executive director of Aspen Digital, the program that puts all this on. We are so thrilled to see you all here, so many, as I was wandering around outside, so many familiar faces with us and a lot of new faces, which is just fantastic, and also a particular welcome to those who are joining us virtually from all over the world. So if you’re in this room, you already are aware of the importance of cyber security. I, you don’t need me to persuade you of that or you wouldn’t be here. Um, but it’s becoming clear and clearer that the public needs to be engaged in these conversations as well. Just even since we gathered here exactly a year ago, there’s been vast leaps in generative AI technology that’s changing the security landscape, highly visible attacks on MGM and other institutions, and of course, uh, an escalation of global conflict. So all of these issues are on, uh, is, are on our minds as we go into today’s Summit. I want to thank, uh, our co-hosts, 92NY. They are approaching their 150th anniversary of bringing dynamic, community-focused programming to the Upper East Side. We hope you enjoy the vibe here, particularly the little boys and girls going to their swim class mixed together with us. It just gives it a certain je ne sais quoi that we just love. Um, and we also want to thank our sponsors, without whom today would not be possible. We are generally, generously supported by The Record from Recorded Future News, on span, Google, Insight Partners, PwC, Paladin Capital Management, Splunk, Coalition, Amazon Web Services, and Apple. Their support, your support, lets us open our doors to so many groups of people on the front, uh, on the front lines every day, and we’re particularly grateful for the great turnout today, especially from, um, All Tech Is Human, TechCongress, Share the Mic in Cyber, and the Cyber Civil Defense partners. In addition to
the printed programs that you have, you can learn more about today’s agenda and speakers at aspencybersummit.org, aspencybersummit.org. Um, a little bit of, should you choose to tweet, if you still do such a thing on, I guess it’s now called X, um, you can, uh, please tag us at Aspen Digital, Aspen Digital, and use the hashtag Aspen Cyber, um, on your, on your posts. We’re also on LinkedIn at Aspen Digital. So just a little bit more housekeeping before we get started. Uh, we’re going to do Q&A for most of the programs at the end. Um, so, uh, we will, what we will have is stationary mics in the aisles. Um, if you see a bunch of people lined up, please don’t line up behind them. We’re only in each case going to have time for a couple of questions, and just a reminder, reminder, when we have a solicitation for questions, please, we actually mean questions. I know everybody has a lot to say, that’s great, that’s what our breaks are for. Um, and I just feel like I need to say, in the event of emergency, which of course there will not be one, the 92NY staff will provide instructions, but please take a moment of course to locate fire exits around the room. And with that, it is my pleasure to introduce our first conversation of the morning. Laurie Locascio is Under Secretary of Commerce for Standards and Technology and the 17th director of the National Institute of Standards and Technology, known to most of us as NIST. She is joined this morning by my colleague Jeff Greene, who leads all our cyber security programming, Aspen Digital. So welcome, Laurie and Jeff. Thank you.

[Applause]

Great, thanks everyone for joining us today. Welcome to our 8th Aspen Cyber Summit. We have a great day ahead of us, we’re looking forward to some great conversations, very fortunate to kick off the day with Dr. Locascio. Laurie, um, in addition to serving as the head of NIST and the fourth under secretary, she served as vice president for research at the University of Maryland College Park and the University of Maryland Baltimore, and where she was a professor in the Departments of bioengineering
and pharmacology. Before that she was 31 years at NIST, rising from a research biomedical engineer to leading the entire Material Measurement Laboratory, and recently was elected to the National Academy of Engineering. Congratulations on that. Um, so I think we’re going to start with a topic that no one’s really talking about, uh, artificial intelligence. You, but we held this Summit a year ago almost to the day and we didn’t talk about AI pretty much at all, and then a couple weeks later ChatGPT was released and, and everything changed. Um, and it pretty much sucks the oxygen out of most conversations, so we’re going to talk a bit about AI but try to hit other topics as well. But, uh, you know, generative AI now is at the point where late night comedians are talking about it, uh, central issue in, in some of the major strikes. Um, at my son’s high school graduation in the spring, the principal made not one, not two, but three ChatGPT jokes, none of which were funny. Um, but so this has hit like nothing before, and Laurie, I guess I’m curious, like, you’ve been around science and technology your whole career. Have you ever seen anything like this, and, and what are your thoughts on why this hit so big?

I thought you were going to say you’ve been around science and technology a long time, and I have, I’ve been around science and technology a long time. And you know, it’s, it’s interesting because science and technology do advance. You know, we advance based on what has happened before, and we keep building and building and building and accelerating technology and science until one day it just seems like bang, and then there’s something happens that is really disruptive, right, and that’s where we are obviously with AI and generative AI and ChatGPT. Um, have I seen anything like this before? I love that question because, uh, I am, my background is biomedical engineering, and I, I think the closest that I, in my lifetime, that I can think of is really like CRISPR gene editing, when all of the sudden, you know, had all the science accel-, or developing, developing, then all of a
sudden you could edit genes and people were freaking out because it was, you know, you could either use it to, for good, where you could solve some of the biggest health problems in the world, cancer, etc., or you could have designer babies, right, and so the ethicists came together and everybody came together to think about what are the rules of the road for moving forward. And feel like we’re there with AI, right, we’ve been building and building and building. It’s not brand new, but we’ve been building and building and then all of a sudden we had this major breakthrough that changed the landscape and changed the conversation, and now it’s so exciting because we’re in this place where it can be used for amazingly good things, right. It can be used to, um, honestly just make our lives easier, or it could be used to accelerate, um, scientific discovery. It could be used for so many good things. Um, it could be used to solve climate change. Um, but it can also be used for bad. It could be used to disrupt society at large, right. So I think that’s the, the conversation is, is timely. We have to think about when we have huge disruptions, which we will always have huge disruptions, um, in science and technology, how do we deal with it, and then what are the rules of the road moving forward.

That, that comparison to the gene editing actually is, is fantastic because people keep trying to apply a nuclear construct to this and for a number of reasons, we don’t, we could talk about all day, it’s, it’s not a great fit, um, if only for the timeline, but what you’re talking about exploded and we were able to come up with some rules relatively quickly.

We were, the community was very interested, and I see the same thing happening AI. Everybody involved wants to be involved in the solution, wanting to make sure that we come together as a society, as scientists, as technologist, as, as, as public, as the public, and think about AI for good. How can we really accelerate AI for good? And I, and that, so it is, we’re kind of in that same spot, and I think that that’s a great place to be
because everyone cares and everybody wants to get it right.

Yeah, no, to Aspen staff, let’s build that into our analysis of AI, looking at the gene editing. I think that’s a great place to look. Um, talk about the White House a little bit, because they issued a series of new policies to deal with a lot of the things we’ve been talking about. Um, obviously it’s been brewing over the past year. Uh, the president recently signed an executive order on AI and they handed NIST, they handed you, um, several of the hot potatoes. Um, can you talk about how you intend to, to carry out those tasks and also maintain the huge body of work well beyond cyber security that NIST does on the everyday?

Yeah, it’s been a big couple of years since I got back to NIST. Um, and just right now, you know, besides the AI executive order, which I’ll talk about in a minute, and some of the things that we’re responsible for, um, and, and basically how we want to go about accomplishing it, which is really based on our tradition of how we work, um, but, but also the, um, the, the National Quantum Initiative is being, uh, is, is, is get-, is under consideration for reauthorization in Congress. NIST has a seminal role in that as well. Um, NIST is leading the $50 billion implementation of the CHIPS Act in the Department of Commerce. Um, and we’re also leading the national, uh, standard strategy for critical and emerging technologies that came out of the White House. Really so many exciting things. It’s, it’s, it’s sort of because we are at this incredible cusp where, um, um, these critical and emerging technologies are becoming, um, um, a potentially big, big part of the domestic market, right, of, of, and of the global marketplace. And so, um, NIST’s mission for really all its life since 1901 was to, um, is to, um, is to advance innovation and economic competitiveness and, and industrial competitiveness, and it’s, I think it’s a really exciting mission. In 1901 when we were formed, of course, that meant we wanted to make sure that all the nuts fit with the bolts and, you know, so it’s a little bit of a different domestic, uh, uh,
ecosystem, marketplace at that time. Now of course we’re in the digital economy where we’re working in cyber security and AI and so many other things. Um, but the way that we do our work, we have a lot going on in the A-, in the AI EO that the president just signed, a lot of responsibility, and but the way that we do our work is not to do it alone. We never do our work alone. We, we have some really smart people, I, some of them are in the audience, many of you may know them, um, but, but we leverage our capabilities against the best other minds in the country and in the world, and we come together in an open and transparent way to try to make sure we come up with the best solution. And, and honestly what that means is that, um, the, we are ultimately trying to develop trust in technology. Um, we’ve developed trust in technology in 1901, we developed trust in technology today. Today we’re looking at how do you develop the framework for trust in technology related to AI, and, uh, and the way that we’re going to do it is we are going to partner, and partner with people all over the country and all over the world, to make sure we come up with the best solutions, solutions that are easily implemented or rightly implemented, implementable I guess is the best word to say, um, but also that answer the needs for the time. And so, um, I, I, you know, when we were talking backstage, Jeff, you had mentioned that NIST is trusted by industry. Um, that’s our calling card really. We, we, we value that above everything else, that trust that industry places in us, the trust that other government agencies place in us, the trust that academics place in us. Um, and so our ultimate goal is to be able to use that trust and leverage it to build partnerships to build trust in technology like AI. Under the executive order we’re supposed to be building out the framework, uh, guidelines, best practices that, um, that support the development of safe, secure and trustworthy AI. Um, but the following the release or this, the signing of the executive order, the following week, uh, it was announced, um, at the AI Summit
that there, that NIST will also be responsible for starting the US AI Safety Institute, and that is particularly going to be a place where we need your partnership. We need, it’s going to be a place where people come together to collaborate to figure out the ways to measure safe, secure and trusted AI, right. That’s, that’s a hard to do. You have to measure things like robustness and accuracy, things that are easier to measure, technical characteristics, but you also have to consider that the human is deeply involved in this, and so there are sociotechnical characteristics that we have to figure out to measure that no one knows how to measure. So the community has to come together, put the best brains together and, and do this as a team.

Um, and so I mean I think one of the examples where that has happened in cybersecurity over the past decades is the Cybersecurity Framework. Um, you, there have been a lot of different efforts by governments around the world, um, to develop documents, but nothing has endured or been used as much as the framework, I think because of the trust you talked about. So I guess, is that the model you have in mind, and also, um, you’re also updating the framework now. Do you have any thoughts, are those two going to intertwine, or how are you going to, um, take them both forward at the same time?

Yeah, so we are updating the framework, and that’s exactly how that was developed, right. We, in 2013 when we released it, um, we had pulled the whole community together to, to help us develop it and come up with the right technical solutions. Um, and then we also listened to you when you said, hey, this needs revised, right, and so we kicked that off last year. Um, you know, when we kicked that off, that revision in, in response to the call from community, um, we had 7,000 people sign up for that first meeting, right, from a hundred different countries. That is how big the impact and how broad it is. It’s now translated into 12 countries, one of the last, uh, into 12 languages. One of the last translations was Ukrainian, right after the war started, and so it has very
broad impact, very broad reach. We’re excited about that, but we heard the community say, hey, you need to update this, it’s not, um, it, it needs to keep evolving to respond to the needs of today. And so we’re anticipating the release next year. There’s going to be a couple new things that are really important. One is an increased emphasis on governance, and that’s not, not governing, not me governing you, but, but that’s, uh, organizational governance. How do you, how do you take care of cyber security in your, within your organization? Um, so governance is one part of it. The other part is really focusing more, um, uh, discreetly on, uh, cyber supply chains, cyber security, which of course we found to be a, a very important issue over the past several years.

I smile at both of those because, having been there when the framework was being developed, I was in the private sector. The private sector advocated strongly to keep both of those issues out of the framework, so it’s an indication of how far the framework has come as now you have the, the private sector advocating for the framework to tackle those. Um, there are other issues beyond AI though, and I want to turn back to that, and one that we were talking about in the past years but it’s died down a bit is, is quantum computing, and particularly relevant to this, post-quantum cryptography. Um, this could have significant national security, economic security issues. Can you briefly explain what the issue is here and talk about the things that NIST is doing in this space?

Yeah, sure. Um, so like AI, NIST has had, you know, decades-long research that really led up to our work in, in post-quantum cryptography today. Um, we have had a quantum program at NIST for, for decades, and that led to four Nobel prizes at NIST in, related to quantum. Um, so we continue to really do some very deep technical research on quantum, quantum computing, quantum sensing, um, quantum networking, but about in 2016, our, a team at NIST realized that, uh, well, when the quantum computer comes, that essentially has the potential to be very disruptive in terms of, uh,
its ability to break current encryption algorithms, and so we started a program in post-quantum cryptography. We engaged globally. We asked everyone all over the world, hey, we are looking for, um, algorithms that can stand up against a quantum computer in the future, right. The quantum computer isn’t here today that can break current encryption algor-, algorithms, but in the future you don’t know what’s coming, or we do, we, we hope we know what’s coming, that there will be a quantum computer that, that it’s that powerful, because that will lead to incredible exciting breakthroughs, right. It will have really, uh, the power of good as well, but the power on the other side is to be able to break through current encryption algorithm. So the post-quantum cryptography program, again, we launched in 2016. Um, we had response from, from again all over the globe, uh, people submitting algorithms. We’re down to, um, four algorithms that have been thoroughly tested. People have been trying to break them and hack them, and, and that, that has been happening globally too, with really the best minds all over the world. Um, and these four, uh, public key encryption algori-, algorithms are out as draft standards now, and we’re anticipating that they’ll be finalized next year. But again, it’s, you know, we have a relatively small team. We don’t have thousands of people working on this, we have a relatively small team. We asked the world to give us their best solutions and we asked the world to help us try to, to break through them, and, um, and so again, working with our very, very smart team, um, I think we were able to come up with a really, really good solution, and that will be released, as I said, as standards soon.

And organizations need to start doing this now, because the transition to a new algorithm, them, won’t happen overnight, and in addition anything that’s out there now that is vacuumed up is potentially decryptable in the future.

That’s right. You know, there’s a lot of, um, public discussion about that right now, that people are basically saving data right now so that in the future they can
break it with the quantum computer. Um, yeah, so that, that’s a concern. People are very much worried about that. I mean, we have to think about, uh, you personally, what’s going to happen to your private information, what’s going to happen to data in the future. So there’s a lot of attention to the fact that that, that’s a, that’s a potential issue. Um, but I will say that in, you know, migrating to post-quantum cryptography is going to take years and years. It’s going to be very expensive, it’s not going to be cheap. Um, I attended a conference in Washington DC, it was before we announced the four, uh, the four finalists, and I was approached very rapidly by the CEO of a major US company, um, who I didn’t know and I didn’t know he knew me, and, uh, he just said, when are the post-quantum cryptography algorithms going to be announced? And I said, oh, I’m Laurie Locascio. He’s like, yeah, I know. So, uh, yeah, it’s, it’s, he, he was just really set on it, on getting that information, because it will take a lot of time, a lot of attention and honestly a lot of effort and fun-, and funding in order to do the migration. So they’re prepar-, all the big companies, government, everybody is really starting to think about that and how to prepare for it, which could take years and years to, to be there.

Um, before I go to the audience, I want to ask one question that I know many of you have been wondering about. Um, I’m not talking the bird drone conspiracy, because we’re going to talk about that after lunch. Um, but I want to talk about peanut butter. Um, is it true that NIST maintains a standard for peanut butter? I guess, is it as old as the 1901, and how do you do that and do everything else that you need to do?

It’s not as old as 1901, but we do have peanut butter that’s $1,100 if you want to buy it. Now the interesting thing about our peanut butter is that you are not buying just peanut butter. What you’re buying is data actually, right, so that’s what the price tag on, on our, um, standard, we call them standard reference’s going to be a headline, the ,000 washer and the $1,100 peanut butter, and, but the
important thing about it is that we, you know, we measure very accurately, characterize these materials, like peanut butter, like steel, um, for, like, you know, just, we have 1,200 different reference materials that we sell, various materials, um, from a whole human genome to peanut butter to steel, and they’re very, very accurately characterized, very well characterized. Um, and then these are used, used at and sold all over the world to benchmark measurements, to make sure that, um, that the peanut butter that you buy has the correct amount of nutrients, has the correct amount of, um, of, of fats and salts and sugar. So that’s basically what, what, how, you know, why we sell these, so that when you buy peanut butter in this country you know what you’re getting. When you, when, and we also sell, for instance, um, ref materials to measure the strength of steel. Very important, you want to know that the buildings that you are sitting in, uh, have steel that’s, that’s really held up to the gold standard, and we sell the gold standard. And that’s, the gold standard costs a lot because it comes, you’re buying data, you’re buying essentially truth in a bottle, is basically what you’re buying.

I like that. We have a few minutes left, I’m, I’m going to turn to the

can say one more thing about that, because, uh, you know, a lot of people don’t know very much about NIST, but, uh, Nate Bargatze, since we’re in New York, I just wanted to mention that he had a, we are the National Metrology Institute for the United States, and he had a skit on Saturday Night Live that talked about, um, the importance of weights and measures, and so if you haven’t seen that, you know, it, it was all the rage at the National Institute of Standards and Technology, but it’s also got four million hits and it’s hilarious, and it talked about how important, uh, a measurement system is in the United States, and that’s, we are the protector and defender of that. So watch it if you haven’t seen

can not imagine NIST email system that night when it came on.

Oh yeah.

This is fantastic. So I think we have time for one question. Um, I can barely
see, so I’d ask you just to keep it brief and make sure there’s a question mark at the end. Do I see anyone out there? I think not. All right, I have a question then, not peanut butter related. Um, but it is, you, with 31 years at NIST, time at, at University of Maryland, and now back, just focusing on cyber security, how have you seen that issue, it obviously was not probably even called cyber security then, evolve, and where is it today in the level of significance and crossing over into the other work that NIST does?

Yeah, I think the most exciting thing that I found when I came back to NIST is that I had a chief cyber security advisor, because cyber security is such a critically important issue, not, not just for, um, well, just for everything that we do in life today, right. We have to have, um, uh, systems that are secure, we have to have privacy that’s protected, but the intersection of cyber security with really everything that we do in our life, and also the development of every other technology in, and that we are developing today, every other emerging technology from AI to quantum, um, to, to semiconductors, I mean every, everything relies on us being able to protect the information and the data that we hold so valuable. So, um, for me, I guess one of the biggest surprises coming back to NIST was that, um, our, we have grown our program tremendously over the years, that, um, I left for five years, went academia, came back, and the program had grown tremendously to meet the demands of the country, and, um, but there’s a lot of work to do, and again it requires partnering not just with, uh, industry and academia but of course with the other agencies like CISA, who will also be represented here today.

When you travel the world, is cyber a pretty regular topic of conversation with your counterparts, whether in similar agencies or leadership of other countries?

Yeah, absolutely. I was just, uh, about a month ago in Taiwan on a cyber security trade mission, and, uh, cyber security was really critically important. The discussion was, uh, I, I met with the president and, and, um, many other
cabinet members, uh, who all brought up the issues, issues related to cyber security and how important that is for, for them moving forward as a country, I mean as a, uh, as a, um, as an economy. Um, uh, of course Taiwan is not recognized, so as an economy. And so when I was there visiting Taiwan, um, the conversations with each one of the, uh, the people that I met with were, were really, uh, designed around what is coming next related to production of infrastructure, production of, uh, companies, uh, data. So just same conversations we have globally with really every place that we go, every economy that we meet with, uh, around the world.

And, uh, I will close by just inviting everyone to engage with NIST on the cyber security framework update. They are seeking comments. I can tell you from personal experience they will adjudicate every comment that is submitted. Uh, same thing on the AI work going forward. Um, so Dr. Locascio, Laurie, thank you so much for joining us, for helping start a great appr-. Thank you.

Thank you.

Good morning everyone, my name is Steve Ward. I’m a partner at Insight Partners, where we’re invested in 64 cyber security companies across the globe. Um, I’m a, we’re a proud sponsor of the Cyber Summit, and your next panel is going to be on artificial intelligence and its impact on cyber security, uh, the good, the bad and some would say the ugly. Um, my job today is to introduce Suzanne Smalley, who is a reporter for the Recorded, uh, Recorded Future company, and she’s going to lead the next panel. So, Suzanne.

Hi everyone, we’re all very happy to be here. Um, I am a reporter at Recorded Future News and we have a incredible panel for you, so I decided to let them introduce themselves because they have more accomplishments than I, I can even memorize. So please, Sean, go ahead.

Hi everyone, my name is Sean Joyce. I’m PwC’s Global cyber security and privacy leader. I am also the US cyber security, privacy, risk and reg leader, and then I own responsible AI for the firm.

Good morning everyone, my name is Iranga Kahangama. I’m with the Department of Homeland Security, where I serve as
the assistant secretary for cyber, infrastructure, risk and resilience.

Hello everyone, my name is Jameeka Green Aaron. I am the Chief Information Security Officer of Okta’s Customer Identity Cloud, powered by Auth0. Have responsibility for the holistic protection of the product and defense of the product.

And I’m Heather Adkins, vice president of security engineering at Google, um, where I’ve been for over, uh, in cyber security for over 25 years, and I’m also Deputy chair of the Cyber Safety Review Board for CISA.

Great. Um, Sean, I’m gonna start with you. Given your role advising clients on the impact AI will have on cyber security, what are you hearing from clients, what are you telling them, and especially with the president’s recent executive order on AI, um, how is that changing what you’re, what you’re saying?

So I, I think companies are asking two questions, and the first one was, how do I actually leverage gen AI to really bring opportunities and bring efficiencies into the organization? So specifically in cyber, I think we’re seeing in the security operation center, we’re seeing basically, uh, gen being used for incident summaries. We’re seeing it be used for re-, remediation recommendation, also summary of regulations, what, what are their obligations from that perspective. A kind of a, a neat application we’re dealing with with one company is, name your email software that you’re doing to screen for phishing, whether it’s Proofpoint, Mimecast, Defender, whatever you might be using, but all of us know in our email inboxes it’s that, usually that place over here saying, hey, suspicious email. What some folks are doing is actually training the model to take those emails and then push them through a model to actually detect whether it is truly malicious or it shouldn’t be quarantined. So those of you who don’t know, in the SOCs, probably 20% in a mature cyber organization to 40% in an immature, these SOC analysts are spending that time doing those type of things. So everyone, I would just say it is a little bit, and you know, I’m going to plug the, as, Aspen cyber paper because we were
looking at the light and the dark side of gen AI, I would just say one of the things is, don’t sort of follow all the hype. Look at truly those boring repetitive tasks that you can leverage gen, gen very quickly. The other area where we’re seeing, and I would say, uh, the use cases are going like a Corvette down the highway, the risk side, the governance, that’s a little bit going on the bumpy country road, and I think a lot of companies are trying to catch up with different parts of their organization leveraging specifically gen AI. And we’re all saying gen AI has been around for a long time, right, it’s just that I think this to the consumer is the unique part of this. And when I see companies now, they’re saying, hey, how do I actually govern this risk responsibly? What stakeholders do I bring in? What is the risk taxonomy look like? How are we actually going to test and validate, like do the pen testing that NIST has, uh, as part of the executive order and they’re tasked with doing? So I think those are the, the general areas. I would just say I don’t think there’s any lack of the use case part. I do worry a little bit about the risk part.

Thanks. Iranga, um, I wondering how the rise of generative AI is impacting or shaping DHS’s plans for the future, um, in operative plans, how you’ll deal with operations, and if you’re preparing almost for future you can’t see.

Sure, so I think like all of us, our, our experience with AI has come very rapidly. You know, I think DHS is a unique organization. It’s 260,000-some-odd people, many mission sets, and so one of the unique things, and this is the experience we had when we were helping put together the executive order that President Biden just signed, is looking across all of our mission sets and seeing what role we have. And I think the, the unique part for DHS is that it’s twofold, right. I think we have many different operational applications of AI that we are actively using and looking to improve upon using, whether that’s on the generative AI side or more, uh, traditional machine learning type implications. So you know, that is,
you know, leveraging AI, uh, to make our casework more efficient for human trafficking or child sex abuse material, uh, online and combating that. Uh, obviously we use it in our cyber security mission. We also have a countering weapons of mass destruction mission that we’ve been tasked in the executive order with leveraging AI to create systems to detect when, um, malicious types of, um, chemical, biological materials are being created. So I think in the day-to-day mission space of how we will effectuate our mission, we’re looking at upping the ante and, and doing that in concert with AI. But on the other side, I think we also have, uh, an externally facing obligation as, uh, an agency focused on homeland security, on public safety and critical infrastructure security, and so if you look in the AI executive order, we also have very explicit roles to work with industry, to work with, um, critical infrastructure partners and to work with, uh, sector risk management agencies as they do risk assessments in their sectors and then turn it over to us to help create those guidelines, because I think, as Sean mentioned, we’re, we’re kind of starting to lag behind in what the guidelines look like. I meet with critical infrastructure owners and they don’t know where, where to go with these, and so I think the time has come for the government to start, you know, thinking through with industry, with owners and operators, what those guidelines look like, where we can be helpful. Um, and you know, we have, we have some interesting ideas at DHS, including, uh, standing up an AI safety security board with private industry to do those types of evaluations, to do that type of, of guidance issuance as well.

Great. Um, Jameeka, you’re on the front lines. Um, how have you used AI in the past at Okta, how are you using it now, and how do you foresee using it in the future?

So Sean kind of said that it was a Corvette rolling down the highway. I think it’s more like children running with scissors. Um, I think one of the things that we are tasked with doing, um, as a public company is making sure that we are
implementing AI. One of the best offenses against the nefarious parts of AI, which there are many of them, otherwise I wouldn’t have a job, um, is that we have to defend against AI, and so we have integrated this into both sides of our product, both the customer and the workforce side, to ensure that we’re creating the kinds of tools that empower security professionals with the latest data, um, that’s AI infused, to help them actually remediate what is happening. And I think for us this is going to be a critical part of how we move forward in the future. Um, I think what you’re going to see from public companies is that AI is a part of the ecosystem of our product. You won’t actually see it sitting right out in front. It might say something like powered by AI, but I think what you’re going to see is us really making sure that we’re using it within the infrastructure of our product, the development of our products, and when we think about secure by design, that’s going to be a critical fuel point for, um, us within our product to make sure that our products are secure. I think we also understand that it is our responsibility, um, not to just build solid products but to protect the consumer, um, and that’s our critical, our critical workforce, and so we want to make sure that we are using, um, the best in class, and AI right now is going to be one of the best in class. It also empowers our security operations teams and our security engineering teams to move at rapid fire pace, and I think this is one of the things that is going to make generative, and has made generative AI so provocative, is that it’s not going to replace humans, it’s going to make us superhuman, and I think we have to really dig into that concept.

Great. Um, Heather, you’ve said that AI hasn’t changed anything about hackers other than the scale, and given your national security perspective on this, I’d love for you to expand on that but also discuss, um, how AI has changed cyber security. I mean, it’s been around for a long time, time. What’s different now?

Well, I think it’s really interesting when you
think about the history of AI. Uh, some of the first papers that came out on applying, um, whether it’s neural networks or sort of machine learning to, uh, security issues actually comes out in, uh, I think the first paper I’ve, earliest paper I’ve read, is sometime in the 90s. So we’ve been thinking about how to do this for a long time. And, uh, one of the things we learned at Google is that it is actually very good for looking at content and sort of determining whether it’s good or bad. So today 99.9% of all spam, phishing and fraud attacks actually get automatically detected using AI models and put in your spam mailbox. Um, also, if you’ve ever gotten a CAPTCHA, uh, when trying to log into your Gmail, that is also AI-backed. So we’ve been doing this for a long time. The industry has known how to do this for a long time. Um, what I do think is different today than, say, uh, 18 months ago is generative AI, right? We are at this pivot moment where we have a new type of model, large language models, um, that both offense and defense can use, and we’re still trying to figure out how attackers are leveraging this. Um, we see experimental tweets from researchers all over, so we have to assume that actual threat actors are doing this as well. Um, so one great example, uh, that benefits both defense and offense is, uh, finding vulnerabilities in code. Now we as defenders, um, and in fact kind of we as an industry and public-private partnership, know that we think we can find vulnerabilities in code using large language models. Um, and DARPA just kicked off a, um, a grand challenge, uh, to this purpose. We, we launched it, uh, in collaboration with, uh, partners in the industry and DARPA, uh, a two-year challenge to encourage entrepreneurs to figure out how to use LLMs to find bugs in code. Then we can fix them quickly, and actually we think there’s a world where we can assist developers in writing code where they create no new vulnerabilities, which is great. But we think this same kind of approach can be used, and may in fact be used already, for the bad guys to find these vulnerabilities,
and when you look at the number of zero days this year, uh, it has spiked significantly. It’s a hypothesis I have. We, we have no way to prove that, but I think it’s an example of dual use of this technology, where you could do both sides.

Great, thank you. Um, Sean, I’d love to dig into the president’s executive order with you a little bit more. There are many references to responsible AI, um, and he uses the phrasing, uh, that we need to find ways to use AI’s, uh, leverage AI’s promise and avoid the perils. So can you dig a little bit more into that than you did previously? What does that mean to you?

So, so a couple of things, and I’d like to build off what Heather was saying. I would tell you I’m concerned that in, in cyber security, with sort of gen AI being ubiquitous, that is becoming the haves and the have-nots. And what I mean by that is companies that have the ability and tools and that are mature in cyber security are actually going to leverage gen AI, and it’s going to make them stronger and better. The companies, which are the majority, that are not at that maturity level, it’s actually giving the adversary, like, a, like, great tools, right? The phishing is going to become a lot easier. You’re not going to see those misspellings and the URLs that are off, and you’re going to see them actually be able to scan for vulnerabilities a lot quicker and act a lot faster. So, so I’m worried about that. On the, getting back to the executive order, listen, I think overall the executive order was, was great. It was definitely a leap forward. I think we also, though, have to be looking at that with a critical eye. So I would tell you, like, I like all of the things, but as Iranga mentioned, when you look at all the sector risk management agencies that they identify in the 111-page executive order, I am petrified that all of those agencies are going to come out with their own regulations for AI, right? So how do we learn from, like, I think what CISA did, a great job in cyber security, how do we bring that into the fold? The second thing is on watermarking. Like, that is a, those of
you, what is AI, what is, what is AI-generated content? Is it your Photoshop, what you do on Photoshop when you touch it up? So how do you, every, like, every musician uses some type of AI when they kind of adjust their digital sound. So first identifying what is AI content, and then the technical challenge of watermarking that, I think is going to be extremely difficult. The third thing that I worry about is, are we worried more about the inputs versus the outcomes? And so are we looking to regulate something that hasn’t happened, or are we looking at actually the outcomes and looking at that? All those things being said, right, I think the AI is a monumental step forward. I think it’s great looking at how do we promote innovation, how do we make sure that we’re looking at the safeguard. I would tell you, though, if you look, it’s 90 to 270 days on a lot of the implementation. Sort of the no-regret moves, in my estimation, are how are you actually establishing the governance in your organization, what does the risk taxonomy look like in your organization, and actually defining that, and not creating necessarily everything new. I’m not sure yet where I am on a gen AI or an AI officer in every organization. I’m not sure I want to go down that road, right? But then the, the last point would be, like, how do you actually set up the policies, right, the testing and validation that you go through. I think every organization, you want to be doing sort of those three steps in, regardless of the next administration, if this one is reelected. It’s one of those things where I think there’s bipartisan support and there’s no, like, there’s no downside from not doing it.

Great. Um, Ranga, speaking of CISA, yesterday it rolled out its AI road map, and just for those who don’t know, this is host, uh, hosted in the Department, um, of Homeland Security. What do you see as the most critical elements of that road map?

Thanks. Uh, yeah, I think it’s a, it’s a good road map. It’s a, a good set of parameters that, um, that are, that are going to be guiding a lot of the work that CISA does. For those that don’t
know, I think there’s, there’s five pillars. Uh, you know, responsible, being guided by responsible use; being, uh, integrating it within our workforce; coordinating with, with, uh, partners and other stakeholders in the community. But then there’s two others that I think are going to be substantively really vital, both to CISA’s work and the broader community’s work, and that’s, uh, one, CISA’s work to start red teaming and actually put out guidance in line with its existing cyber security guidance around the secure, safe, appropriate development of the software, of, of AI and AI tools themselves. And then the other side of the coin is that they’re going to be working with sector risk management agencies and other stakeholders to help outside stakeholders implement safe and secure use of those AI models. And so I think if you look at this work that CISA is going to be doing, it’s emblematic more broadly of what the department is trying to do, as I previously mentioned, about securing, securing things that we’re going to be using but also helping those that are on the outside. Um, I think it’s in line really well with, with the overall tenor of President Biden’s executive order, right? When we were developing and writing them, writing it, with it, you know, obviously ballooned to 111 pages. I think DHS’s contributions alone added a couple pages. Um, but I think it, it does a really interesting job of trying to set the benchmark for flagging the potential risks that exist, and how not just government agencies should be looking at it but how it can be a model for those out there that don’t really know to think about that. And I think there are a lot of pivot points within, um, within the EO that, that does that. But on the other side, it also allows, um, it gives agencies like CISA the space, the authority, the agency to begin moving out on this. I think, as, as Sean said, I think, you know, within the federal government we’re also very varied in, in how, you know, the haves and the have-nots, I’m sure, and how we’re looking at AI, how we’re using AI. And so I think the
goal of the EO partly is to create a more level playing field across the federal government and make people think about doing it. You know, at DHS, you know, we, we, we have, we made our CIO the chief AI officer, right? And a lot of that is, is the import that we put on how we use it and making sure we’re using it responsibly, ethically, uh, you know, uh, in a, in an inclusive way. Um, I don’t know that other agencies were necessarily thinking about that. So I think there will be a little bit of a leveling of a playing field. And then, um, hopefully, when we get back to talking about what CISA is doing on the cyber security side, CISA can be additive in how the federal government’s using it. You know, we’re going to be piloting some programs on, uh, upgrading the use of AI and how we’re defending federal cyber civilian executive branch networks. Um, but at the flip side, we’re hoping to get some stuff out there so that, uh, SRMAs, critical infrastructure owners and operators can also have, have some of those guardrails. So I’m looking forward to the work, but I think of all the pillars, those two, in my opinion at least, are, are going to be really key.

Great. Jama, you’re at an identity company. How are you thinking about taking new tools and technologies and infusing them with AI, um, especially, you know, in order to kind of complement what you’re already doing around identity?

Well, I think, um, I’m of two minds with this. Um, I think identity is such a unique space. Um, our identity is one that we own. It belongs to us and it, it will always belong to us. And so I think there’s the thought process of how unique, um, our identities are and how they belong to us, and then there’s the thought process of how do we protect those identities. And so when I think about what Sean said, the, the haves and the have-nots, I think there’s, there’s, there’s a couple of pieces to the haves and the have-nots. I think AI is actually going to enable some of the have-nots as well. And when we think about deepfakes, and we think about some of the new capabilities that AI has around code review and the
ability to inject, and we think about what that looks like for our platform of users, it’s going to be very interesting for us to try to protect when we don’t really know if this is real or not. And so one of our big challenges is around making sure that we understand, and we inject the ability to understand, what is AI and what is not. Um, that capability is going to come from our partnership with those who actually build AI. Um, I think certainly AI should always have the ability to understand if it is AI-generated or not. I think this is not something that we can put on the onus of a user. Um, and right now I see there’s new, there’s some new, um, information around, like, YouTube, and it’s requiring that you actually tell users if your content is AI-generated. I don’t think that’s good enough, um, because people are prone to, to lying. So, you know, why would I tell you if this was AI-generated content if it’s going to make me more money? And so I think there’s that piece. We have to have the capability, um, within our identity systems to detect if something is real or if it’s AI-generated or if it’s a deepfake. On the other side of it, I think about the things that make me who I am. And I recently kind of shared that there’s a new, um, AI-generated robot that’s out. It’s a, it’s a CEO, and the CEO’s name happened to be M, and I thought, well, that’s kind of my nickname. And it happens to be a black woman, and I was like, huh, that’s interesting. Um, so you’ve now created this likeness of a black woman, um, as an AI CEO, and I thought, yeah, I don’t think I like that. Um, I think that it definitely is someone else defining what is an identity of a black woman, and I think that only a real person can truly define that identity. And so I’m of two minds in this space, I think, and I think that the duality of it is something that is truly interesting about AI. There’s this idea that it can help drive us forward, drive society forward, but there’s this idea that, yeah, I wouldn’t be a CISO if there weren’t people who weren’t trying to drive us backwards as well. And so I
think that, um, it’s really interesting to be in the identity space and be in this position where you have to defend but also protect, um, and how do we do that in a way that makes sense for identity. And it’s going to be something that we have not clearly defined. I think it’s going to be on society to define that.

Great, thank you. Um, and by the way, anybody jump in when you have a response to what somebody else says. Um, Heather, I’m wondering, AI companies are clearly the arbiters of whether they train models on anonymized or personalized data, but as a cloud provider you need to think about the enterprise as a whole’s needs. Um, how do you think about training data broadly?

Yeah, I’ll, I think training data is a great topic and I’ll get to, I want to react first to something, uh, that Sean said on the haves and the have-nots, so I think it ties in pretty closely to that. Um, I want to credit, uh, US government, CISA especially, in helping us build a model for thinking about, uh, the responsibility of cloud providers in particular to sort of create secure-by-default solutions and, and to really own solving some of these cyber security challenges, um, from the beginning, uh, so that we can enable people who maybe would think of themselves as the have-nots, you know, they don’t have thousand-person security teams, to actually get security by, by default right out of the box. And I think that’s how we’re going to solve the cyber problem. Um, you know, I was in my dentist chair a couple months ago and I was already really nervous, and then I looked over and she had Windows 7 installed. Nothing, nothing, nothing against Windows, it’s a wonderful platform, we have lots of it in my house, but it’s an older platform and she hadn’t upgraded. And, um, you know, I think these are the kinds of small, small to medium-sized businesses we have to help, um, as technology platforms. And, um, I think we, we take that responsibility very seriously. That now extends into the AI conversation, right? And, um, making sure that, uh, we’re thinking about safety, but I think also thinking about what AI really is.
It’s a, um, it’s not a chatbot, it’s, it’s a scientific instrument. It’s a tool that is going to help people do their jobs. Whether you’re a car mechanic, uh, whether you’re a photographer, a doctor, a lawyer, we’re going to be able to create platforms. You’re already using these platforms in your jobs. Um, my dentist already uses, um, fairly advanced, uh, systems in, in the, in the practice, and eventually AI will be there to help with interpreting images and things like that. So the haves and have-nots, I think actually, um, some of these concepts we’re already building for cyber, we’re going to extend very naturally there. Um, when we think about, uh, training on data, uh, just to get back to your, your question, Susan, um, one of the things we’re looking at is, what are we studying in the supply chain problem? Because that’s also where we’re putting a lot of energy, is the safety of software supply chain. How do we know where the data comes from? How are we validating it? Uh, when we train the model, how do we know what data we want to go into the foundation model? How are we refining that model? Um, and looking at the principles end to end of integrity and validity all the way. This is, uh, something we’re deeply thinking about. It’s something that is being thought about in, uh, forums like, there’s a new, um, front, uh, frontier models foundation forum that we’re now participating in, cross-functionally, horizontally, as an industry, has all the big players in it. Um, and it’s part of, um, the SAIF framework that we’re also working on. So I, I think you’re going to see the industry look at that very carefully, but again, tying into cyber, because we’re already thinking about some of these things for cyber.

And I would, I would add, you know, the OWASP Top 10 for large language models is, gives a really, really great overview of what we are actually facing right now in terms of the cyber threat, um, for the large language model. And it’s a great read, a quick read, um, also super, super helpful for this, for the software companies.

What I was, yeah, I was, what I was going to mention on top of
Heather is, it’s, it’s been really interesting inside government as we’ve tried to think through what these principles, what these governing organizational thoughts should be around cyber security on AI. And, you know, a lot of the material we write, we, we, it’s, it’s, it’s rather repetitive of what we’ve already been saying on cyber security, right? And so sometimes we’ll be in these meetings where we, like, we’re trying to present the golden, you know, key, the golden bullet around how to secure these, and it’s a lot of repetitiveness. And so I think that’s just reinforcing the fact that we’re in a period where there’s a lot of blocking and tackling and basics that can still be reinforced, and I think that’s going to be a really interesting road to go down. But the other thing that, you know, I always think about too is that, you know, it seems like we’ve already, as a, as a country, as a society, begun on a different footing with this AI conversation, at least nationally. I feel like in early days of cyber, it kind of just, cyber, cyber security specifically, kind of came upon us, and I think the onslaught of, of generative AI has made us more receptive to putting guard rails on these early. And I think thinking through how we can almost look back with the benefit of hindsight of what we didn’t do in cyber security, baking it in from the start, we have the opportunity to bake that in with AI right now. And I think from the government side, to kind of a lot of things Heather was mentioning, that’s what we’re trying to institutionalize.

So I, I think that’s a, a great point as far as, listen, it’s all, it comes back to the fundamentals of what you’re doing in cyber security. But then I think it, what people I’m finding are struggling a little bit with is, OK, what are the specific risks that are different and what are the controls I can use to mitigate? So I, I, I think it, it gets into, I, I would agree, I don’t think there is, like, I’m not an advocate of, oh, we got to have to create all of these new structures, um, with the same sense of just understanding, like, we break
down our risk taxonomy. We look at, like, our level zero risks are, like, model risk, data risk, use or user risk, and then infrastructure risk, and then you have legal and compliance and process risk here. But those are those, and then we break it down to a level one risk on each of those, and what are the, what are the controls you’re actually going to put. So it’s, I would say you’re not creating anything new but just looking at it from a different perspective. That, I, I would say I’ve seen some companies trying to understand, what am I going to do different? Like, how do you do pentest on an AI model?

Well, we know, we, um, we actually brought together about a few thousand hackers at, uh, the big, uh, hacker conference called DEF CON this year in August. We set up, uh, Chromebooks. Um, there were three or four different companies participating in that, and we invited the hackers in for two days to just hack on AI. And I, it, it was remarkable. I, I thought it, nobody would come, and there was a line outside the door. So, um, we, we learned quite a lot. And I, I, I think, you know, there’s an element of, uh, red teaming in the EO, and I think that’s, um, a really beneficial thing for the ecosystem. I think we’ve also got to think a little bit carefully as the rulemaking happens, um, sort of how do we protect intellectual property and, and kind of, uh, maintain the competitiveness so that we can create the innovation over time. But, um, I think, I think all these models, we’ve been hacking for a long time. I think we’ll be able to adapt them.

And how do you, how do you actually test the efficacy of, of the training data that’s used in a model? Um, because I think when you think about attack threat vectors for a large language model, data poisoning is one of those ones that, how do you actually understand? I mean, protecting data is, is not new. Um, you know how we protect it, we’re not good at it, but how we protect data, that’s not new. Those, those tenets are not new. But when we think about the amount of data that goes into generative AI, um, and into large language models, and we think about a pen
test against that, that’s gargantuan. How do we actually do that effectively? And I mean, again, I’m sure that we will figure this out quite quickly, but how do we actually look at that? How do we understand when a model has been poisoned? Um, how do we understand when it’s now spitting out information that’s inaccurate? Um, and we’re seeing that now. We’re seeing where models have been poisoned and information is being propagated, propaganda is being propagated, and it’s inaccurate. And so how do we actually go about fixing that? Um, how do we detect it, and how do we fix it and make sure that it doesn’t happen again? And we don’t have answers for that, and that’s the kind of running-with-scissors thing. Um, there, there are spaces right now, AI is moving so rapidly that, um, I wouldn’t even say it’s the have-nots that, that are on the loose. The threat actors are on the loose as quickly as we are, um, propagating information into these large language models. And I think it’s going to be critically important that we understand what the accuracy of the data that we receive, um, when we’re using AI from different vectors. Is it accurate? Is it data that we should be using, um, that’s knowledgeable and trustable? Um, and I think that’s going to be a huge challenge.

And I think that testing is so important. It’s also an element of the EO. Um, and the EO kind of lays out this concept of looking at kind of how big the model is, uh, the kind of how many FLOPs there are, uh, how much networking speed. I think actually performance testing the model is a, a really good approach. I’m hoping we get to have a nice, uh, conversation and, and thought about that as we do the rulemaking. But I also, what I see, um, is, uh, we thought, talk about large language models, but the industry is also talking about micro models, right? And so you got to think about the small models, not the ones with lots of FLOPs but the ones with a little bit of FLOPs, and, um, making, because I think that’s how we get the training data to be really good, is so we train on smaller sets of data that we really, really trust,
and then we go and then we and thenwe go Broad and so for example we’ve gotsack Palm which is something that we’vereleased it’s trained just on very verynice clean security data it does onething right we’re not deploying a veryvery large language model for somethingthat has quite a very specific taskright could you imagine chat GPT lookingat x-rays no you could you could make asmaller model that just knows how to dothat yes right so that’s one way alsothat we can look at the Integrityproblem a little bit better some of theuse cases we’re thinking through aboutthose those smaller use cases we’vewe’ve already started at DHS thinkingthrough how to how to use that for youknow how CBP is is is looking at youknow Goods at you know coming in and howwe can make the person more efficienthow we can sift through a number ofreports that are coming through ourhomeland security investigations to pickout license plates or names or oridentifiers around you know humantrafficking and things like that that’svery interesting I’m learning so much umso I just want to kind of throw out ajump ball and maybe have a quick roundof answers since we want to have timefor questions in the audience but I’mvery curious and all of you have touchedon this a little bit in your answers butlet’s crystallize it who is going tobenefit more from AI adversaries orDefenders Defenders I’m going to winDefenders yeah I have to sayDefenders for a small majority Defendersbut a vast majority adversaries oh wowinteresting okay well with that I thinkwe’ll take audiencequestions um I just a few ground rulesthere are standing mics please don’tform really long lines Maybe one or twopeople at each each station and pleaseintroduce yourself and keep yourquestions brief and keep your questionin the form of a question um sometimespeople tend to offer solo quits and wedon’t have a lot of time so with that umplease go first whoever isfirst hello hello yes a little bit lowum so I’m a ad professor at NYU um I’malso on the uh 
working group for teaching generative tools, and I’d be curious to hear your thoughts about how we can use generative AI to help education move beyond this 40-year-old product and teach people critical thinking. [Music]

Well, I, I for one, as a student that didn’t enjoy all of my math professors, would love to have, um, the, the option of learning in different kinds of ways. I think, um, generative AI, uh, my, my, just context, my husband’s a software programmer. He’s been programming for a really long time. He’s actually now using, despite being very experienced, he’s now using, um, uh, Bard, which is, which is ours, to teach him about the intricate nature of the programming language that just he hasn’t ever used before. It was never taught in a classroom. You can, you can ask it different questions and not feel judged. So think, you know, people coming into profession for the first time, you’ve got, you know, you’re in a professional environment, not quite psychologically safe, you want to ask some questions, nobody’s going to judge, you know, the bot’s not going to judge you for that. So I think there’s a, you know, lots to learn here, but I think there’s something in there that’s, that’s going to change the way students learn. But I also, the question back to professors is, are we going to go back to oral exams if you really need to test knowledge?

So, so I, I would just tell you I am certainly not an educational expert, but I would just say I love the multimodal, actually, opportunity it gives you, because some of us, like, I’m a visual learner, so I enjoy the opportunity to look at things with pictures, right? So I think it does offer, other than, you know, maybe lazy students like myself writing papers easier, um, I think it does offer, like, that opportunity to sort of learn very differently, that isn’t necessarily the professor’s way of, of teaching something. So I, I actually think it will, like, obviously every generation I think is getting smarter and smarter. They were calling me the pessimist up here. I am an eternal optimist, but, um, I really think in education, like, the application
is phenomenal.

I think it’s my hope that it, you know, sometimes there are gaps between academia and industry. It’s my hope that AI will help us bridge those gaps. Um, AI is really, really good at understanding models and identifying trends very quickly and very rapidly. It’s my hope that that identification of those trends will help benefit academia as well as benefit industry, um, and bridge the gap between the two of us.

I, I think it’s a, I think it’s an interesting use case of what to test against. I think when you think about who we need to be as people, as critical thinkers, there’s still a gap in what these models spit out, right? And so I can see certain scenarios that are very educational when you test yourself and, and, and critique yourself versus the output of a generative AI model. What did the model miss? What nuance did it miss? What data could it have used? I think testing yourself versus the output of a model, um, is a really interesting concept.

Great. Um, well, we have a question over here. Please go ahead.

Hi, good morning. Uh, my name is leizer. I’m the executive director of Computer Science for All, um, and a former Carnegie Mellon professor of computer science as well. Uh, I’m really interested in hearing you all be so positive about education, and if we think about education, it’s the last place where we always lead with this optimism and it’s the last place security lands. Think about how slow schools are to adopt cyber security principles. How do we think about what the lessons we’ve learned from early cyber, um, as we think about AI? And if you look at the president’s generative AI statement, it is be careful, be careful, be careful, be careful, be careful, education do everything. Um, so how do we take lessons from cyber sec as we think about implementing these technologies, as we should, for every student to learn, uh, in schools?

I’ll just ask one of you to answer that, because we’re at the 30-second mark and I’m going to get in trouble if we go over. So I don’t know who want... We’re looking at you. Paper, scissors.

Uh, I mean, it’s a good question. I think,
I think if, if we, I think we have an opportunity here on the cusp of a technology to integrate it more securely and more by, by default in what we’re doing. I think what the EO did as a whole, what we hope to, is raise the bar of attention, right? I think as we go, when I go to international conferences, when I go to, to other things, people are asking questions. I think, as I mentioned before, cyber kind of crept up on a lot of people, right? There’s a small niche community, you know, think you mentioned Carnegie Mellon, that you had no doubt that, that, that it was happening, but I think it kind of came fully baked afterwards to, um, to that. And I think there’s going to be a little bit of a gap. I think people far younger than me, you know, already know way more than me on AI, when I look at, you know, little cousins and, and things like that looking at AI. So I think they will naturally come with a bit more education, but I think if we bake it in from the start, there’s at least the attention that we’ve raised to it at this point. And so hopefully the EO and, and other government stuff can support that.

Great. Well, thank you so much to our panel. This is really educational for me and hopefully for all of you. So thank you. Thanks. Thanks, everyone.

[Applause]

Please welcome to the Aspen Cyber Summit Kashmir Hill, technology reporter for the New York Times, joining us to talk about her new book, Your Face Belongs to Us.

Good morning. Um, so in 2019 I discovered a New York-based startup that had done something extraordinary. It had created a facial recognition app that looked through a database of billions of faces scraped from the public internet, including all your favorite social media sites, and with their technology you could upload a photo of an unknown person and it could link them to their name, their social media profile, and maybe even to photos on the internet that they didn’t know about. The company was called Clearview AI. Their database at the time had three billion faces. They now say they have 30 billion faces in the database. It was beyond anything created by
the government or the big technology companies. At the time I first learned about Clearview AI, they were selling their technology primarily to law enforcement agencies, police departments, uh, but they were keeping what they’d built a secret from the general public. And the company did not initially want to engage with me, uh, New York Times reporter. They did not want a big story about them out in public. So instead, uh, I tracked down police officers who had used the, used the app, and they said that it worked better than any facial recognition tool that they had previously had access to, um, such as state-run tools that relied on databases of criminal mug shots and maybe driver’s license photos, depending on the state. One of the officers that, the first officer I talked to, was a detective in Gainesville, Florida. He had signed up for a free 30-day trial with Clearview AI after seeing it on a listserv for financial crime investigators. He told me he had had a stack of unsolved cases on his desk, photos of people that had been taken at ATMs or bank counters, and he hadn’t been able to get any hits when he ran it through Florida’s kind of state face, face recognition system. But then he had run the photos through Clearview AI and he’d gotten hit after hit after hit. He said it was amazing. He said, I’d be the company’s spokesperson if they wanted me. And I said, wow, that sounds pretty incredible, I’d love to see how it works. And so he said, well, why don’t you send me your photo and I’ll send you a screenshot of the results. And so I did that, and then he ghosted me. He suddenly would not respond to any of my messages. This happened with another officer, and eventually I would find out that Clearview AI had put an alert on my face, and when an officer uploaded my photo, the company got a notification, called the officer and told them to stop talking to me. Um, I think the intention was to deter me from doing the story, but it just made me more interested than ever. Who was this strange company and how had they built this powerful app? And so, my, in my
reporting for the book, um, I trace this kind of history of facial recognition technology and how we got here, and I found that the desire to kind of unlock the secrets of the human face goes back centuries, and the attempts to get computers to do it goes back decades. In the early 1960s, in the area that was not yet known as Silicon Valley, engineers tried to build the first facial recognition system with funding, secret funding, from the CIA. Uh, it didn’t work that well back then. The technology improved over the years in fits and starts, but it wasn’t until this century that it really reached fruition, and that was thanks to more powerful computers, advances in machine learning, and an endless supply of high-resolution photos, uh, taken with digital cameras and put all over the internet. There had been this long chain of people that were working over years and decades to try to solve this problem, getting a computer to be able to recognize a face as well as a human, if not better. And I interviewed many of them for the book, and everyone in the chain assumed that someone else in the chain would deal with the societal implications of what it would look like if they perfected automated facial recognition. This is not uncommon in the tech space. The concept is often called technical sweetness, based on a quote from Robert Oppenheimer talking about his work on the nuclear bomb. He said, when you see something that is technically sweet, you go ahead and do it, and you argue about what to do about it only after you have had your technical success. Or, put another way by the great Dr. Ian Malcolm in Jurassic Park, scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should. That said, some companies who achieved this sweetness opted not to share it with the world. Before Clearview AI came along, Facebook and Google had developed similar technology internally, able to identify a stranger, but they deemed it a tool that was too dangerous to release. Clearview’s edge was ethical arbitrage. They were willing to
to release a tool that others hadn’t dared to. The company’s primary founder was a guy named Hoan Ton-That. He was a computer whiz. He grew up in Australia. At 19 years old, he dropped out of college and moved to San Francisco to chase the tech boom. His experience, uh, before Clearview AI was building Facebook apps, um, building Facebook quizzes, iPhone games and an app called Trump Hair. That he was able to go from, you know, apps like that to creating this astounding technology speaks to what is possible with open-source technology. The building blocks for powerful AI-based applications are increasingly widely available to anyone with technical savvy. Hoan acknowledged that kind of chain of AI pioneers who paved the way for him. He name-checked people like the computer vision expert Geoffrey Hinton, who’s often called the godfather of AI. He said, “I was standing on the shoulders of giants.” So facial recognition is on the leading edge of the debate about AI. Technical sweetness has been achieved, and now we must decide what to do about it. Here’s what’s happening now. Police are using Clearview AI and other facial recognition vendors to identify criminal suspects. We’re using it at airports and at borders to verify our identities. Casinos can identify high rollers as they approach the doors and turn away cheaters and people with gambling problems. Macy’s and grocery stores here in New York have used it to kick out shoplifters. And one of the most troubling deployments in the US: the owner of Madison Square Garden decided to use it against his enemies, namely lawyers who worked at firms that had lawsuits against the company, using their headshots scraped from their own firm’s websites. I’ve actually seen this happen. I bought tickets to a Rangers game and invited one of the banned lawyers to come with me, and there’s thousands of people that are streaming into Madison Square Garden, and as we walk through the doors, put our bags down on the security belt, by the time we picked them up, uh, a security guard approached us, asked her for ID and then
told her she had to leave and gave her this note saying she’s not welcome back until her law firm drops its suit. This is what is unique about facial recognition technology. Sorry, I have, like, a, the cough. Um, our face becomes a key to knowing everything about us, linking ourselves in the real world to everything that’s knowable about us online. It is also a great example of what’s called surveillance creep. When we create technological infrastructures for security purposes, which is what Madison Square Garden initially did when it installed facial recognition technology in 2018, the idea is always initially we’ll use it for safety reasons. But once you put this infrastructure in place, it’s often repurposed to monitor opponents, suppress dissent, discourage other lawful activities. China, which is much farther along in the deployment of facial recognition technology than we are, you know, initially rolled it out for safety and security reasons, and now they use it to identify protesters and dissidents, to automatically ticket jaywalkers and to control how much toilet paper people take in a public restroom in Beijing. The question we face with this particular AI is where should we draw the line? Should police be searching databases of billions of faces every time a crime is caught on camera, or should the databases be smaller, more localized? Do we have effective systems in place to question the machine’s judgment? Because while facial recognition technology is powerful, it still makes mistakes. Uh, we know about a handful of people, all Black, who have been arrested for the crime of looking like someone else. Once a system identifies a person, investigators can fall prey to automation bias, where they rely too heavily on the computer’s judgment and don’t do a thorough enough investigation beyond that. And when it comes to facial recognition technology, we have talked a lot about mistakes and bias, but it is improving all the time, and I think we increasingly need to grapple with the idea of a world where it works near perfectly. And if it
was widely deployed, then it would be, you know, potentially quite chilling. Um, should we have facial recognition algorithms running on all the cameras all the time, as they are in Moscow, allowing police to find missing or wanted persons but also to identify protesters against the war in Ukraine? Should businesses be identifying us as we walk through the door, able to immediately link us to our online dossier? Should we in this room be able to recognize one another with Clearview-like software on our phones or in augmented reality glasses? Clearview is limited to police use, but there are other face search engines on the internet right now. They have smaller databases, but you could use them, you know, to identify other people at this conference. Anyone on the subway, in a restaurant, in a pharmacy, outside a medical clinic could snap your photo and potentially learn who you are. Should companies, should face scraping companies have the right to put us in these databases? Uh, you know, should that be legal? Europe, Australia and Canada have said no, that it violates their privacy law, but here in the US, the answer to that question so far is mostly yes. You may be feeling hopeless at this point in the talk, but this is far from the first time we have confronted an invasive technology with scary implications. At the same time the CIA was funding those early engineers to work on facial recognition technology in the area that wasn’t known as Silicon Valley yet, the nation was beset by the electronic listening invasion, wiretaps and tiny bugs that had Americans worrying that they could never have another private conversation again. The country at that time succeeded in passing regulations to rein in what could be done with that technology, and it’s the reason why the vast majority of the surveillance cameras that dot our urban landscape, that are everywhere, record only our images and not audio or sound. We decided as a country that conversational privacy was important. We can and should choose the future we want, not simply let what
technology is capable of dictate it for us. If we think anonymity is important, we are going to have to protect it. Thank you so much. [Applause]

Time for a short break. Grab a coffee and a quick snack, and we’ll see you right back here at 10:35.

Please return to your seats. Our program will begin in just a moment.

Welcome back to the Aspen Cyber Summit. Joining us now for a conversation about nation-state threats to critical infrastructure, please welcome Elke Sobieraj, associate chief for policy at the US Cybersecurity and Infrastructure Security Agency; Puesh Kumar, director for the office of cyber security, energy and emergency response at the US Department of Energy; Rob Joyce, cyber security director at the National Security Agency; and Craig Adams, chief of product and engineering at Recorded Future. Leading the conversation is Jeff Greene, senior director with Aspen Digital.

Everybody, welcome back, be a good break. Um, we thought we would come back with something uplifting, uh, other countries attacking our critical infrastructure, energy, water, pipeline. So I’ll have our panelists introduce themselves real quick. Um, Elke, start with you.

Hi, good afternoon. I’m Elke Sobieraj. I’m the associate chief at CISA for policy. Um, I just wrapped up an 18-month tour at the White House at the National Security Council, um, working on cyber policy.

Puesh?

Uh, morning everyone. Um, I’m Puesh Kumar. I lead the US Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, or CESER. Um, we are the policy side of looking at security and resilience from an all-hazards perspective to the US energy sector, and that includes electricity, oil and natural gas, um, across the country.

And they are a finalist for best acronym for cyber entity in the US government. Rob?

Hi, I’m Rob Joyce. I’m the director of cyber security at the National Security Agency. I’ve been there 34 years, had some out-of-body experience at the
White House, um, and, uh, look at the threats to, um, the cyber infrastructure as well as work the defense industrial base.

Craig?

I’m Rob’s doppelganger. Uh, Craig Adams, a chief product engineering officer, Recorded Future.

Great. Before we jump in, though, I do want to address one question that has come up repeatedly over the past few days. Um, there is not actually a typo in the name of the panel. If we could flash the slide up to give people a little context. Um, can I see a show of hands who actually got this? Anyone? Thank you, that’s better than I thought. Um, I thought it would be me and Rob up here. Um, but, uh, you know, this is, for those who didn’t get it, which is probably most people, um, under the age of 40, this is a very early but widespread internet meme. Um, and I fought hard with Aspen people to let me have a typo in our headlines, so thank you to the Aspen staff for allowing that, and thanks all for playing. Um, but no, we’re going to turn now to nation-state critical infrastructure, and I want to set some context for the conversation. Um, so bear with me. Um, in February, Director of National Intelligence Avril Haines released, uh, the annual threat assessment document that comes out every year, public, unclassified. This version warned, and I’m quoting, “If Beijing feared that a major conflict with the United States were imminent, it almost certainly would consider undertaking aggressive cyber operations against US homeland critical infrastructure and military assets worldwide.” The document went on to say that the purpose of these attacks would be, quote, “to deter US military action by impeding US decision-making, inducing societal panic and interfering with deployment of US forces.” And it went on to conclude that China almost certainly is capable of launching cyber attacks, and it cited oil, gas pipelines and rail systems within the US. Um, for those of you who don’t read these threat assessments on the regular, um, this is a pretty forward-leaning statement, uh, particularly when it comes to cyber. Um, so I want to kick it off there. Um,
Rob, I want to, I guess, start with you. Am I wrong in thinking that it’s pretty significant for the DNI to be this out there, and in particular phrases like “inducing societal panic” are pretty specific and somewhat stark? So any color you can add there?

Yeah, so I think the idea of getting that threat assessment out to the people who own and operate the critical infrastructure was the real, um, driving force behind the way those words were formed up. There is a real and tangible threat from the PRC against our critical infrastructure, and for the last several months, um, across the US government, we’ve been talking about the observed prepositioning in critical infrastructure. And that’s not just something from the intel community. That’s also, um, joined by entities in the commercial world who have looked and found some of those intrusions in places that have no intel benefit, right? They don’t have a financial, um, incentive to be in these places. It matches the intelligence picture that the DNI put out there, which is: this is prepositioning for advantage in the time of conflict.

That’s pretty serious. Puesh, I mean, obviously energy sector is where you focus. Um, what do you think the sector should be doing with this warning? What are you telling your partners, uh, that you engage with?

Uh, it’s a great question, and, you know, so the worldwide threat assessment certainly, you know, on an annual basis has this assessment of, um, capabilities by China, Russia and others. Um, this actually goes even farther back, to 2019, because that was one of the first references that I’d seen in the worldwide threat assessment talking about Russia’s capabilities to cause temporary disruptive attacks on the electrical grid, and of course China’s capabilities when it comes to oil and natural gas. And so, um, this is a very real threat, and I know the energy sector in the United States takes it very seriously. It’s, how do, what do we do with this information? And that’s what we need to be really talking about, is how do we make this information
actionable, um, and so that we can buy down this risk. Um, you know, some big areas we are thinking about at the Department of Energy is, you know, we need to continue investing in sector hardening. We need to have some baselines for cyber security for the US energy system. Um, we need to continue doing things like capacity building, training, exercises, workforce development, that was just talked about a little bit. Um, and then there’s a new area that, particularly with a lot of the new, um, reporting that we’re seeing, I really think we need more focus on: how do we operate through compromise? We have to assume our systems are going to be compromised. How do we ensure that they can continue operating how we expect them to during those compromises? And so that gets into the concept of resilience, building resilience into our energy systems, um, building security by design and into our Inu system. So you’re going to see a lot more focus in that space, uh, certainly by us at the Department of Energy, but I know our colleagues at CISA and other places are also thinking along those lines.

Speaking of CISA, um, Elke, actually you have a couple hats you could wear up here. I’m wondering if you could go back and put on your White House hat and talk generally about the administration’s approach to critical infrastructure security, because it seems, you know, having watched this for 15 years, a fairly hard break from reliance on entirely voluntary measures. So can you talk about how the admin is approaching this issue generally?

So I think the administration has been very focused on building a foundation of security and resilience for critical infrastructure, and if you look across the last few years, we saw a Colonial Pipeline, we saw the Russia-Ukraine, we then saw, um, and now we see this threat. So the message has remained the same, that voluntary, um, partnerships have gotten us so far, but now, um, we are faced with these significant threats, and now we’re at a place where no longer this public-private partnership or voluntary partnership, um, can get us
to where we need in terms of a secure cyber security posture to get against these threats. Um, I think, uh, the administration has been very focused on making sure that owners and operators have those cyber security protections in place to make sure that, um, they can be resilient and they can recover from, uh, if an adversary, um, disrupts their system. And I think when, um, you look across the existing regulatory systems, there’s significant gaps, and so the administration’s been very focused on, all right, let’s look at existing regulation and authorities, fill those, and then where we can add, um, cyber security into those, and then also, um, where are the gaps across the significant critical infrastructure sectors. Um, I will say that when you start talking regulation, the administration’s been very clear that there are a few aspects that they’re considering as they’re building out this kind of regulatory model. Um, one is that it has to be very focused and based on risk, and so it’s sector focused, um, based on the sector risk. Second, it’s, um, in coordination with industry, and I think the administration’s done a great job bringing in the private sector, having threat briefings, briefing them on the threat so that they understand why we are asking them to put these certain measures in place. And then last, making sure that it is harmonized to the biggest extent possible, just to try to reduce the compliance burden that’s already out there. Um, and then last, I will say that, you know, regulation is one piece, it’s one tool in the toolkit, but it’s by no means the entire picture that we need to consider.

So Craig, you and your company work with these companies, these providers, every day. Um, Puesh talked a bit about the things they can do. Um, are you hearing, like, when things like this come out, do you hear from your customers, you know, holy hell, what do we do? And what is your answer? What are some of the things these organizations can do to become a harder target?

Yeah, so first, just a level set on a few facts. Um, one of the
things we see the most is APTs particularly targeting hardware-based zero days. Like, that’s a common pattern. It takes about 45 minutes to scan the entire internet to look for a specific vulnerability, so that’s your window of action, uh, between zero day announcement, 45 minutes, your adversary has already found it. Uh, obviously this means that our traditional way of patching is not enough. Uh, roughly 5% of vulnerabilities are patched, is the stat that I personally believe. Uh, the second piece of hardening is, if you look at most areas of compromise, it’s still the old-fashioned identity compromise. Uh, there’s different stats, between 61% or 80% depending on your source, but we believe that that’s still the two things. So the two things to do, uh, or excuse me, the first two things to do is, one, it’s essential to be looking at your infrastructure, and your infrastructure means your third parties, the direct things you control, um, from the outside. It’s not enough just to look at your perimeter, it’s gone. Uh, the second is you have to be laser focused on identity compromise. Uh, that problem is not going away. MFA hasn’t solved it. Um, those are the first two areas to start.

And that’s at an individual level too, not just a corporate level, correct?

I’m thinking mostly from the aspect of, um, a company, because you think about a company identity, uh, if an employee’s machine is compromised with malware, I not only can see what systems they’ve accessed, frankly I can get personal information about an individual. I could see their Tinder profile login name or other sensitive things, which creates this ripe environment. And so you’ve got to have an understanding of what data of your employees, particularly on identity, has left.

If folks are wondering what they can do on their own, during the panel discussion this afternoon on education, some of the conversation around the Cyber Civil Defense work will give you some ideas on things you can do. Um, Rob, I want to, um, talk a bit about, you know, hopefully not the future, but looking at a potential future. Elke talked about
the preparation for Russia’s February invasion of Ukraine. Um, and at least outwardly, you know, within Ukraine is separately, there has not been a lot of activity directed at Western entities that has been reported. How do you think a conflict could or would play out, uh, in the Taiwan region, particularly outside, well, as well as inside Taiwan, and reflecting back on the DNI statement?

Yeah, I think the intent of the PRC is to keep us focused domestically but also keep us from being able to preposition and supply things to the theater. So I would expect transportation and logistics, um, defense companies, um, all to be hit pretty hard with the intent of breaking those supply chain lines and the ability to deliver material. You look at the Ukraine conflict, it has been so important with Western countries being able to get material in to support Ukraine. The same is going to be true in Taiwan, and if you can stop shipping, if you can stop air, you can stop the rail that feeds those things to the port, those will all be things that are focused on and targeted, and potentially before the actual conflict turns hot, uh, before, during and after.

Um, Puesh, Rob talked about Ukraine and the work there. Um, in the runup to that, there was a pretty collaborative effort between, you name the government agency, and the private sector, and there were actions that the government and the private sector took that for years we thought wouldn’t happen. Um, what do you think drove that? Was it the reality of a threat? Um, has that spirit continued, and what lessons can we draw given where we are now?

Yeah, you know, there’s certainly a resilience in the Ukrainian people, but one of the other things we saw there was a resilience in their infrastructure, and it probably was, you know, they had cyber incidents back in 2015 and 2016 that took down their electric grid, and they learned from those. They worked with us and the US government to harden some of that infrastructure. So one of the big takeaways hopefully people are seeing is, certainly
there’s the offense, whether it was kinetic or even some cyber, but there was a tremendous cyber defense that Ukraine had employed that actually had hardened their systems. And so a big takeaway, you know, for the US energy sector is that investment in the defense and the hardening can really go a long way if you are facing an offense. So that’s number one. Number two thing that you saw during the conflict was it wasn’t just the government working with Ukrainian companies, uh, critical infrastructure on the government, it was also private sector companies. Microsoft had done a ton and actually released a lot of really good insights. And so that leads us to think about this concept of collective defense. And so we in the United States are now, um, trying to approach that similarly, where we have a pilot underway called the Energy Threat Analysis Center, which we’re partnering with our colleagues at the JCDC, um, and thinking through how do we pull together what we know of threats to US energy systems. And we have to look at, uh, multiple sources. It can’t just be, um, just one source. Certainly our intelligence community is an amazing source for it, but a lot of these cyber threats are actually on private sector networks, so we need to get that information to correlate against the entire sector, what are we seeing, um, work with our colleagues in the intelligence community, see how do we correlate what we’re seeing through intel channels. But we need to do this collective defense philosophy if we’re truly going to combat a nation state, um, like a PRC. So those are two big areas of focus that hopefully are lessons learned for us in the United States.

Okay, you landed at the NSC right as we were working on the pre- you, any thoughts on what drove the activity, and from where you’re sitting now at CISA, has that cooperation continued, or do we need to find a way to reinvigorate?

No, I think that has really spurred a lot of action at CISA, and kind of taking the White House previous hat off and the regulatory hat
off and putting the CISA hat on, when we talk about public-private partnerships and how we can build this kind of trusted network of networks, um, I think that is really how we’re going to get ahead of the threat, because we need to build this kind of community where there’s operational collaboration in real time, and it’s not just sending information just to send it over the fence and no one actions it. I think having these types of channels where in real time the private sector can collaborate with the government, that’s how we’re going to get us, uh, we’re going to get these early warnings, we’re going to get, um, ahead of the threat. So I think it definitely hasn’t stalled, and I don’t know if new action is needed. I think this is like a continued ramp up of, um, building this community of interest.

Craig, I want to ask you something I’m interested in all the panelists reflecting. Um, private sector sees a very different slice of the threat landscape than the government does because the number of systems you’re able, uh, customers to work with, um, at least, and understanding there are limitations to when and how you’d share with the government, but on critical systems like this, critical infrastructure, how do you work with the government to merge the intel pictures? And then Rob, maybe starting with you, if you can add your thoughts, because I know that’s a world you’ve worked in for a little bit.

Yeah, absolutely. So first I’ll say something that works well and something that probably we need to do better at. Uh, so there’s two things that work well. So the first is we define together what good looks like. You can call it regulation, you can call it standards, but defining what’s good is critical as a way of building a notion of defense. Um, the second, as mentioned earlier, how do we share information back and forth, is absolutely an area that happens frequently, um, particularly on energy, or excuse me, areas related to national security and energy. The area that I still think we’re all bra in our way through is the selective use of classification,
uh, in other words, how do you determine what should be classified, uh, because of the methods and other reasons behind it, and the second is where is there societal benefit for sharing more, uh, which then allows defenders to ramp up against that part. So overall I think it’s on the right track, but of course, like everything, there’s room for us to get better.

Rob, I’ve heard you talk recently a few times about kind of a shift in what and how to share. Can you maybe reflect on and

Sure. So the NSA mindset has changed. Um, we set up the Cybersecurity Collaboration Center with the intent of taking the classified information that we know and getting it into the hands of the people who can actually do something, because, um, if we know something, it is no good unless somebody can do something. So our focus has been taking classified information, getting it down to an unclassified level, because even if a big company has cleared people, usually those aren’t the folks operating the network who can do something with the information. So it really needs to be unclassified, and more and more often the people who have the biggest impact in this environment are multinational corporations, and so we’ve got to be comfortable that that information has to be, um, exercised and used by people in many nations, right? Some of them friendly, some, um, uh, may be on the fence, and some maybe even hostile, um, to the US. And I’ve got to give that information for the greater good, and we’ve gotten, um, much better at getting that information down to actionable levels. The other big part that that drives, though, is then the willingness of industry to come and meet us in that analytic environment and bring their own stuff. Um, when I joined, you know, kind of cyber security many years ago, the NSA and FBI, DHS, our public-private partnership idea was give us your stuff, right? And it would disappear behind the green door. You’d never hear back if it mattered. Nothing came back out. It is totally different today, right? It is, um, you bring a piece, we bring a piece, and the
power of the US government SIGINT system from NSA is reaching out into foreign space to learn things that is off their networks, and then deep inside the networks, where there’s insights that you don’t frankly want NSA into, um, being brought to the table because they know it’s malicious already from their own analytics, and that’s a beautiful combination.

So Puesh, this is your second time at CESER. You worked at an energy provider in between. Where are we now on being able to share that information, and what’s one thing you’d want to really step up if you could?

So, um, I think the industry sees the value of, um, working more closely with government on really understanding, conceptualizing and then getting actionable information out there. We’re really seeing the private sector come and want to work with us, so I think that’s a really positive thing. So I think we need to continue investing in how do we have that, again, collective defense, um, posture. I will say, given the threats that we’ve seen, particularly with, for example, Volt Typhoon or Mandiant report last week on living off the land, whether in IT environments or OT environments, an area that we also need to be investing in is how do we really understand these threats in the context of, um, actual infrastructure. So it can’t just be an IT problem anymore, it’s an engineering problem. And so, you know, based on these reports, what they tell me, Volt Typhoon and the Mandiant report, is our adversaries are not just getting smart on cyber techniques and IT techniques, they’re getting smart on how to use native capabilities to control operational environments. So what that means is they’re leveraging engineers, they’re leveraging folks who know how these systems can be used to change things that we may not want to. So we have to continue investing in the, um, you know, identifying and detecting purely, again, from an IT perspective, but how do we use, um, information about systems to say, is that anomalous or is that not, um, in an operational environment? So did something
somethingjust trip just because it was a um causeof a weather event or did it tripbecause it was actually malicious and Ithink that’s an area where we need toget the engineering community to be partof this cyber security and it Communityif we’re truly going to combat where Isee some of these threats headed and thecapabilities of some of our adversariesokay you know jcdc was built oncollaboration coordination any what areyou seeing from the siza side I guesswe’re about two years into jcdc we arewe’re two years in and by the waytomorrow is sza’s fifth anniversary sohappy birthday s sing Happy Birthdayto next panel that’s right um and Ithink uh jcdc has come a far a long wayand I think uh part of building out thiscollaborative partnership is determiningthe right stakeholder groups and who tobring into the big tent mindset of whatinformation we’re sharing whatinformation do they have as Rob saidthat they can share um but I think we’vecome a long way but there’s still a waysto go um I think one big Focus area thats has been focused on is how do we buildscalable resources so we talk a littlebit about um Target Rich resource poorum sectors and when we’re trying to makethem say Hey you really need to ramp upyour cyber security maturity and they’relike we have one guy who’s doing like 10different jobs um they don’t have theresources and or the expertise to reallydeploy a lot of these and so how do weat siza help provide these scalableresources so that it can meet the needum meet the more need across the countrynot just for you know those that areregulated but actually for everybody andthat this also includes the um uhindividual users so we’re not justtalking critical infrastructurecompanies but um our biggest weakness isthe people and so educating the peopleand making sure that’s scalable Craigcan you try to make this real for usjust you know recorded future have youseen what appears to be nation stateefforts to compromise or get on othernations not necessarily the us but 
othernations critical infrastructure sobinarily yes uh of course as we all knowthe answer uh and it matches thephysical conflict patterns we’ve seen sowhen former house Speaker Nancy Pelosiuh travels to to Taiwan uh you didn’tnotice a Guam Communicationsinfrastructure you know attackcoincidentally happen which just happensto have a few military installations andAssets in the region and so I I think tobe clear it’s happening uh and as youmentioned backstage there was afascinating statement of just the sheernumber of of both energy and criticalinfrastructure companies there are Ithink sometimes it’s easy for us tothink that these are large uhsophisticated organizations that’s notthe typical that’s not the the meanacross and so the question then is howdo you help scale it across theorganization but we absolutely see it Iwill say though that the most of theattacks we see against theinfrastructure space are actuallyprivate organizations they may operatewith leniency inside of an environmentbut they can frankly operate more freelywithout uh fearing an escalation perhapsthat happens across so in a few minuteswe’ll take questions if there are anythere’s microphones at the front of theroom if folks want to make their waydown uh just probably not time for toomany so don’t form a long line um Ela Iwant to turn to so we’ve talked a littlebit about where things have improved Iwant to turn to an area where maybewe’ve struggled a bit um specificallythe water sector that I know when youwere in the White House there wereseveral different efforts to try todrive security and it seems like um wemay not have made a lot of progress umCraig talked about the number ofentities water is one where there aremany you talked about there being oneperson in resources thought thoughts onwhere we are and what we can do on thatbecause we kind of need water we kind ofneed water it’s basically you knowneeded for every single criticalinfrastructure and it underpins ourentire Society um it’s a tricky 
one Ithink water just given the sheer numberof utilities given how expansive thesector is given the number ofinterdependencies it’s really hard it’sa it’s a huge undertaking um I think theEPA as the sector risk management agencyhas done a great job kind of rising tothe Challen and the call to action fromthe White House um to leverage existingregulatories that authorities that theyhave but unfortunately their approachhas been very focused on safety likemaking sure we have safe drinking waterand which rightfully so that should benumber one priority but when it comes tobolting on security and cyber securityrequirements on top of that you run intothe issue of all right well we need tomake sure that anyone who’s assessingthese systems understand cyber securityin order to assess them and again weneed to make that scalable across Statesum and also across all the utilities soI mean that’s a huge undertaking and wealready have a significant deficit ofcyber security expertise Across theNation anyway and trying to Target thatfor um small water utilities I canimagine is very difficult as well um Ido think on the flip side there’s somepositive things on going on um in thewater sector I know that EPA and sizahave been very focused on again buildingout some scalable resources so that wecan help some some of the smallerutilities but again I think there’sstill a ways to go when it comes tofinding an appropriate regulatory modelfor cyber security of water um and thatneeds to be built in partnership withindustry because they understand um theyunderstand the ins and outs of thesector if I can make a comment thoughthis is one area that uh if there’s nota federal solution there will be a statesolution so we just saw on Monday uh thestate of New York came out with newproposed regulations for hospitals andso I I think the this void is going tobe filled at least in critical DenStates but then we’re going to have aninconsistent Patchwork so I view it’s amatter of time before we just 
accept that there are, you know, definitions of good standard regulations that will hit all critical infrastructure.

And Rob, it’s fair to assume our adversaries are looking for the weak spots and where we’re able to make less improvement?

Absolutely. So you see the, so, so let me go to the Israel-Hamas conflict, right. Um, so you see three different groups focused in attacking critical infrastructure, um, in that area. So the first is nation state, so Iran came hard at their infrastructure, right, they, they responded to the crisis. But you also saw probably the biggest volume from activists; those were people who rose up, um, and joined the fray, both amateurs and professionals, sometimes, um, nation state resource groups, um, came into that event, and those are the things that these little small mom and pop critical infrastructures have, have to deal with, and that’s probably one of the bigger, uh, activities. And then the third, you see the criminal element who are looking for an opportunity to make money. So these critical infrastructure providers have to worry about nation states, they have to worry about the activists, as well as the criminal elements, ransomware, extortion, etc. So it’s, it’s a big challenge.

Right. Before we got a question, P, I want to, I know water isn’t necessarily your thing, although obviously you need it for the energy sector, but you talked about resilience, and water to my understanding is one of the sectors that is still largely mechanical. Um, in some ways does that provide a, a unintentional resilience in that or other sectors? And Ukraine, I think they had a lot of mechanical systems back in 2016, ’17.

Yeah, that’s, it’s, it’s, you, it’s a question we, we think about a lot, because like you said in 2015, ’16 Ukraine was able to get their power back up pretty quickly because it wasn’t as digitally connected, um, and so there was an inherent resiliency to that. I think the lesson learned here though can be, how do we leverage, certainly, you know, using digitization to make our energy systems or water systems more reliable, more efficient, that’s actually good for
us to do, um, but, and then also detect things, but do we need to also think about in certain cases having manual backups and having other me-, ways to address resilience? And so, um, a strategy we just released, um, last year, we now have released an implementation guide, is called Cyber-Informed Engineering, and it’s, it’s, it’s an implementation guide for engineers that think like an adversary, so that, that when they’re designing their systems they can actually include, um, backup systems, they can include things to say, hey, if this is, this looks weird, maybe we do need to go to a, another option to actually be able to operate these things. So I think we have to be thinking along both lines. Um, but I also don’t want to make sure, I want, I want to ensure that we’re not just saying we, we don’t want the smart grid because we’re so worried about it, um, that we just want a dumb grid. At that point we’re, we’re maybe, maybe potentially helping with the cyber risk, but all these other risks to the grid of just not being as an efficient electric grid so that we can deliver power during, uh, large scale storms and wildfires that we’re seeing across the country, like, I think we need to take that all into context. But I think we can do both, but we need to be thinking about, um, both resilience from a cyber perspective but resilience from other impacts as well.

So I’m going to go to the, go ahead.

Um, just a quick plug, so that tees off really nicely what Pia said: this month is actually Critical Infrastructure Security and Resilience Month, and I think this month it’s like ‘resolved to be resilient’, and so I think that’s, tees up very nicely. It’s not just as the hardening, it’s not just the prep work, but it’s also how can we recover and how can we stay online.

Um, go to the audience. If you could just state your name, association, try to keep it quick with a question mark, and if there’s anyone in particular you’re, you’re director.

Yeah, my name is Scott Bennett, I’m the Chief Information Officer for Lear Corporation, a Fortune 200, uh, company, and my question is for Rob and, and the
agencies kind of here, of how can we work better with your programs and your departments on our indicators of compromise to help on that partnership?

Yeah, the, the best place to start are your ISACs, right, because they have natural connectivity into the government and have the ability to one-to-many, um, share. If there’s a very specific threat, um, then you know that channel can get you in touch with CISA, FBI, depending on your sector risk management agency. But there are major clusters who are banded together already for the purpose of threat information sharing at broad scale, and I’d encourage you to, to join your local ISAC, might be the, the ND-ISAC for defense. Auto. Auto, yeah, absolutely.

Thank you.

Over here.

Hi, my name’s, uh, Ethan Dietrich, I’m the CEO and founder for a company called SIXGEN. Um, so we’re a offensive hacking company, that’s all we do. We, um, conducted about 400 red team events over the past two years or so. Uh, we’ve only not gotten in one time. Uh, we recently hit a Fortune 100, like 800,000 endpoints; it took us five guys to do it in about three weeks, and we, we own most of their infrastructure. Um, so my question is, at what point are we going to kind of call a spade a spade with the asymmetry of offenses, offensive versus defensive, and start using that to our advantage? Um, we’re playing, you know, uh, this game on the one yard line, our one, one yard line, so, um, there’s no, you know, drafts, there’s no guidelines for using companies like mine to provide an active defense role and providing that public-private partnership. So that’s my question.

You sure, Ela, if the, the red teaming as part of a defensive side is something that the different programs you’ve looked at as part of that, or to go anywhere you want with that.

That’s what, yeah, you know, you, you, you need to actually be doing some of that, whether it’s pen testing, red teaming, exercising, that has to be part of your larger cyber strategy, right. You got to do the baselines, certainly implement the best cyber security practices, but then test your system, um, and, and really stress test it as
you, as you, you could say, to see if those adversaries can get into your system. Um, how we are recommending a lot of company’s approach to this is, there’s a lot of problems to solve, but maybe you need to take a consequence-driven approach, thinking about what are your crown jewels, and then using those to say how do I build in resilience into those crown jewels so that you’re not overwhelmed, um, and really start to protect from there and then protect out and out. Um, but I think that’s part of the larger cyber security strategy that we have to employ.

And I think just to add on top of that, I think there is a time and a place for red teaming versus, like, you’re not going to go red team and, and do a pretty Bas of assessment on an entity that you know has like nothing in place, and you’re just like, this is, you know, this is not going to be helpful for them. Um, so I think as say we have multiple different, um, types of assessments and exercises that kind of caters to the needs of, depending on, um, the maturity level of that entity, and so I think that’s also key in building out this cyber, this, the strategy for entities is like, what level of maturity are you, and at, at a certain point I agree, when you have certain defenses in place then you roll out the big guns and do a red team or a proactive hunt in order to make sure, um, it is secure as you think.

Hey Jee, I, I heard a different question, right, I heard hack back. Um, and, and you know I think the, the question was, you know, when do we, when do we unleash the cybers to go back and hack back. Um, we have US Cyber Command, right, who’s active in, um, you know, for defend forward strategy and, and the concepts around everything from use of hacking to partners and allies who can get us to stronger, um, advocacy for defense. Um, you know, I really believe it’s an inherently governmental activity, because we see all the time that there are, there are unwitting victims who are used in these attacks in the, um, in the intermediary points, and so, um, the, the idea that, you know, a, a private citizen or a company or activist would
decide and take that risk in a very political sphere into another nation, and, and let’s face it, you know, it’s breaking laws to go back and do that offensive cyber back against another sovereign nation. Um, you know, that’s something you want your government doing, and that’s why you haven’t seen the policy willingness, um, to, to bring the private sector into that space.

So we have two minutes left, um, last question, quickly.

Yeah, thank you. Manish wel theore, VP of cyber risk at exer. Um, I wanted to ask you about concentration risk across the sector and the services, so whether that’s, uh, vendors that provide, you know, a short list of hardware, whether it’s other sectors like space, or whether it’s cloud providers and data, which seems to me more like utility, like water and electricity, we care about the transmission, distribution and less about how it’s used. But I love your perspective on that. Thank you.

Was that directed to, who was that directed? Anybody. Um, P.

So I, I’ll start. So, um, I, I think if I understood the correct question correctly is, there’s a lot of different parts of the supply chain, um, when it comes to different types of risk, and how do we address the different types of risk, is that what you were asking about? I mean that’s one part of it, but surely the concentration underneath the sector, culture type thing. What’s that? Monoculture type problem. Yeah, I, there’s, you know, certain PLCs are everywhere, right, in SCADA systems there’s a limited set of vendors that make that. Yeah, or ICT providers and what’s behind there, that kind of hidden concentration risk that we see across the SE

So, um, and certainly, um, Ela, please, please jump in on this one. You know, I think we have to treat different suppliers differently, right. There are certain suppliers that are the only suppliers for certain pieces of equipment, for example Schneider, Schweitzer, Hitachi Energy, right, they’re the industrial control system suppliers not just for the US but for the entire globe, and so how do we work with them versus maybe a malicious supplier where we might know they have a tie to
a, a nation, nation state, Kaspersky, right. Um, how do we address the risks, and I think it’s different how you do it. Some, in some ways you have policy levers to address the risk, in other ways you might need to have more rigorous testing, um, of their components just because they’re so critical to your system. But how we’re thinking about it is, it is different types of suppliers, you have to have different strategies to address their risks. But do you want to do a 10-second secure by

We’ll just put a plug in for a later panel. Um, I think you’ll hear a little bit more about secure by design; it was also mentioned in the AI, um, panel, so I think that links very closely, is the secure by design concept, building it in instead of tching it on.

Great, well thank you everyone for joining us today, I appreciate the discussion. Thank you.

Thank you.

[Applause]

Hi, I’m Samir haares, general manager of digital agreements here at OneSpan, and we are proud sponsor of the 2023 Aspen Cyber Summit. I hope everyone’s enjoying the great conversations we’ve been having this morning. The next session is about the 2024 elections, which takes place at a time of record polarization and disruptive new technologies being launched. At OneSpan we bring trust to digital agreements, and I’m keen to see how we can bring trust in our elections from the threat of artificial intelligence. It’s my pleasure to introduce Vivian Schiller, executive director of Aspen Digital, who will lead this next conversation. Thank you.

All right, come on everybody. Hello, okay, hi everybody. We are here to talk, talk about elections 2024, which you may have noticed is already upon us, and the context in which this is all playing out is not super great. Um, the challenge is we have some of the same challenges, uh, and issues as we had in the last elections: we have social media platforms full of mis- and disinformation, we have a polarized country, mistrust in institutions, there are bad actors both foreign and domestic who seek to disrupt our elections for all manner of reasons. But as if that were not enough, we now have
a new layer of issues to pile on for 2024: um, two incredibly consequential and particularly divisive wars; um, social media platforms who have cut the staffers who have been doing content moderation and looking for coordinated inauthentic behavior from bad actors, uh, outside the United States and inside; we have, um, a chill among the academic, uh, community and the not-for-profit community because of some partisan threats; um, we have a shift in communication to more closed, uh, platforms, direct messaging, which is harder for researchers to see; and as if that were not enough, uh, we now have the unleashing of powerful new artificial intelligence tools. So we’re going to solve all of that the next 40 minutes. Um, I am delighted to say we have the perfect people for it. Immediately to my right, of course, you probably know, um, Chris Krebs, but you may not know him with his new title, which is Chief Intelligence and Public Policy Officer at SentinelOne. Uh, he was of course former head of CISA, but his most important role of all is as the senior Newmark fellow in cyber security at Aspen Digital at the Aspen Institute, so thank you for that, Chris. Uh, Jocelyn Benson, Secretary of State for the state of Michigan, where she oversaw record-breaking turnout in 2020 and 2022, uh, elections that were more secure than any in the state’s history. She introduced absentee voting, um, and my favorite fun fact about, uh, the secretary is in 2016 she became one of a handful of women to have completed the Boston Marathon while eight months pregnant. I know, that’s the most applause we’ve had this all time. And, and, uh, Raffi Krikorian is the chief technology officer of engineering at Emerson, um, Collective, where he focuses on using technology and data to accelerate solutions that promote social good. Prior roles include first, uh, uh, CTO of the Democratic National Committee, and he’s had previous very senior roles at Uber, at Twitter, and is the host of the podcast Technically Optimistic. Okay, okay, so let’s get going. So let’s set a little bit of context. Chris, I’m going to start with you. As
we look towards the 2024 elections here in the US, and just by way of context, two billion people are eligible to vote in national elections in, in, in 2024 around the world, we’re going to focus on the, on the US elections right now. Um, based on your experience in 2018, in 2020, how do you think we’re, we’re set, uh, to defend our elections, how have things changed or evolved?

Yes, so I think as the national security community and the election officials throughout the country are thinking about what, you know, is, what is in front of us in ’24, you have to kind of run back the tape, and it’s, it even goes before 2018, obviously with 2, 2016, some of the, the Russian activities, the Russian activities that continued through 2018, and then in 2020 you saw some new entrants into the field with Iranians, uh, and then just kind of some of the lower level activity that the Chinese continue to do, uh, on, less on a technical basis, more on a, on an influence at the community level. And, and so there, you know, the playbook has been published; I think that’s where you have to start with any sort of security or resilience strategy for defending, uh, the 2024 election: what are the technical aspects that are potentially vulnerable or could be targeted. Um, I, I think the, the thing that kind of makes the hair on the back of my neck stand up the most for ’24 is that you have to consider that, that state actors don’t necessarily, necessarily get engaged and try to muck around in elections just for the fun of it. Now there are reasons the Russians may do that, but the Chinese in particular have been fairly deliberate and thoughtful and when and where they decide to enter the space. Um, but the, the motivations I think have shifted dramatically since 2020 for a number of actors, for the Russians, for the Iranians and certainly for the Chinese as well. So motivations have shifted and we may, they may have a different incentive structure that would put them in a position where they may say, hey, you know what, an outcome here going one way or the other would, uh, benefit us in our grander designs,
whether it’s China, uh, moving on Taiwan, whether it’s the continued Russian invasion of Ukraine, and then Iran of course with what’s going on in, in Israel, but more broadly just kind of the, uh, the kind of fallout of JCPOA as well as the Abraham Accords and, and, you know, potential peace in the Middle East. So there are a number of different geopolitical factors that I think are going to play in the decision calculus of the adversary. And the first tool that I focus on is more the technical side, because from an elections perspective, where we have software, where we have hardware built in, from a cyber security perspective it’s simply an engineering problem: we put enough resources, enough thinking, enough preparation against it, we can build up the resilience of the system. And that’s what we’ve seen election officials across the country do over the last half decade, get to a point where we have the greatest degree of paper ballots associated with every vote cast, uh, at least, you know, in, in the last couple decades.

Yeah, so you’ve given us a very serious and sobering global context. So Jocelyn, now talk to us about how you see that playing out, what, on a state level in Michigan as the highest level election official in the state.

Well, I think we have to be clear-eyed that these foreign actors that, that Chris mentioned have greater incentive than ever before, than in any recent election, to, um, interfere with our elections and, and interfere with our election security. We also have to recognize that they, they’ve already shown the way this is going to happen is through trying to create confusion and chaos and fear, uh, to demobilize voters. I mean, many ways the 2024 election cycle will be, you know, certainly a choice between candidates, but it may also be for many voters the choice of whether to participate or stay home, and certainly the incentivization of foreign actors to try to demobilize our citizen, to get them to just throw up their hands and say I’m giving up altogether, is a big part of the battle over the future of our democracy that we’re
fighting right now, and I think voters need to say, to see that, we all need to communicate that, because the tools and mechanisms through which, uh, security of our elections is, uh, damaged isn’t necessarily the hardware or the software, it’s the minds of voters, and it’s the confusion and chaos and the sense of division and the sense of, uh, disengagement that the bad actors are very much trying to instill in our Citi, and that’s something we all can fight back on, uh, by, uh, trying to ensure we have clarity and confidence about our elections processes and to understand the misinformation is a tactic to infiltrate our election security by, by creating a sense of insecurity around our elections, when in reality our elections are machinery, you know, cyber and otherwise, you know, quite secure because of the advances and paper ballots and other types of procedures that we’ve all worked to input over the last several decades.

And are you seeing that play out right now, are you already seeing that play out in Michigan?

I mean, we are in many different ways, and we’re preparing for that. I me-, in many ways the 2020 election cycle has never ended, we’re still fighting the same misinformation battles, but we do have new technology that’s coming to come into play, uh, that we’re mindful of. But, but certainly again we’re already starting to see the division, the, the de-, the attempts to demobilize come into play through, in many ways, what is unfolding over

So Raffi, Jocelyn talks about, you know, sometimes the decision of a voter is whether or not they will even go vote; they might stay home because they do not believe in the system, and this gets to the issue of trust and the role that it plays. We’ve seen such tremendous declines in trust of institutions, trust in, um, information, trust in our fellow citizen. How do you see this impacting the elections?

I mean, as you mentioned before, I used to be the CTO for the Democratic parties, but without a partisan hat on, in 2018 we even saw issues of just confusion in the electorate of just when do I vote, and see-, and seeing
messages showing up on social media informing people of potentially the wrong date, whether it’s on purpose or erroneous, we can put that aside, but that alone causes a set of voter suppression that’s really concerning in the grand scheme of things. Now imagine, 2018 was a long time ago, we live in a world where every day feels like a year when it comes to technology right now, and so imagine the kind of chaos and mistrust that could occur in a ’24 election using some, some of these new technologies that we’ve been talking about today, whether it be generative AI or others. And so I guess like my concern is just like what’s that amplification. It’s really easy, our election systems, and I’m sure the secretary, I’m hoping the secretary will agree with me, but our election systems in a lot of ways is built upon trust, like we trust a lot of the portions of the mechanics that they will work together, there’s a lot of humans involved, it’s not necessarily all codified, and so any break in the system, it’s really easy to lose trust in the entire system from a single kink, and so the qu-, and it’s really hard to regain that trust again. So we live in this world right now where our information environment is quite chaotic, it’s quite confusing, and so I’m very concerned like what, how do voters navigate this world, like where, where should they look for, for trusted information: should they look for from the campaigns, that seems questionable, they’re partisan; does it, should they look for information from institutions, as you mentioned trust on there is down. So this is the concern I have moving forward, racing into ’24.

So none of this is by accident, this is all by design. So when you think doctrinally of information operations, particularly how the Russians operate but increasingly how the Chinese operate, information operations or information warfare has two pillars: one is information technical, the other is information psychological. So on the information technical side, that’s what I’m talking about when they’re going after systems, and they’re not
looking necessarily to get in a position to influence or change a vote or the counting or the certification process. In fact the IC, the intelligence community, national security community will continue to say we have no evidence suggest they have that ability, the state actors have that ability. However, what they want to be able to accomplish on the technical side is just to have a wobble that then jumps over onto the information psychological side, where you get that chaos, you undermine confidence, and that’s why I think we need to make a bit of an evolution here from a defender’s perspective, particularly on a cyber security perspective, that we’re not just technical practitioners and technical operators, we have to think more about strategic communication, how do the agency the system and in that was what was around the 22, 20 election rather, about the resilience of paper ballots throughout the systems, that you can count, you can recount, combined with meaningful post-election audits that get you out of that space where you’re relying on something that’s happening in a computer, and it’s actually happening in real life and people are involved in counting something tangible and, and meaningful.

Well, let’s now add a layer of complexity to all of this, which is the acceleration, um, to the public, to everyone in the world, of artificial intelligence tools. Now we know artificial intelligence has been around for a long time, it goes back to the ’50s, ChatGPT was not the first instance of it, but it was almost a year ago that this tool was sort of unleashed on the world and people could really understand, touch and feel and, and use AI, generative AI themselves, and now we have, you know, sort of a, you know, gold rush and an arms race, as one of my colleagues says, around AI and these tools, and there’s a lot of concern about the election, some of it may be overblown, some of it may be not. So, um, Jocelyn, just last week you were at, um, Leader Schumer’s part-, uh, uh, bipartisan AI Insight Forum, and you provided written testimony, I believe you delivered that, uh,
testimony highlighting the AI-related risks of intimidation of election officials and the need to hold tech companies accountable for content. So what were, what’s the most, give us a summary of that and what you, what you want regulators to understand when it comes to AI risk for elections.

Well, I think two things. One, we see, you know, with AI it’s a new technology but the solution is an old one: it’s about developing trusted voices that people can turn to to get accurate information. And we have to remember as we go through all this, transparency and truth are our friends, uh, and with paper ballots and with, uh, the additional security mechanisms that we’ve got in place, there’s all the work, all the, all the tools we need to instill confidence in our elections exist, we just have to get them, uh, not just in the hands of trusted voices but then communicate effectively to the voices, the people who need to hear them. So one of the pieces is we need assistance in developing trusted voices, and the second, we need assistance particularly from tech companies in both identifying false information and removing it. We know we’re farther away from that than we ever have been in the evolution of social media over the last several years, but at the same time, where artificial intelligence is going to be used to, uh, exponentially increase the both impact and reach of misinformation, uh, we need partners in the tech industry to help us minimize the impact and rapidly, um, uh, mitigate, uh, any harm that it creates, because the harm would not just be confusing voters about when to vote, although that’s a significant one, the harm can also be generating enough distrust over our elections and election officials to create the type of violence and violence threats and violent rhetoric that we see not just coming from candidates but also coming from individuals who have been, uh, misled by these lies that again will only be, uh, you know, spread even further and faster with artificial intelligence. So in Michigan we just passed, uh, two laws to require disclosure and
disclaimers for any artificially generated, uh, media, uh, regarding elections, and we also criminalizing, uh, intentionally trying to use deepfakes to otherwise deceive voters about their rights, uh, and their ability to participate in elections. But I’m very concerned about the ability for AI to create hyper-localized ways of disseminating this information, uh, and the way in which that can generate threats on election officials, and I’ll just, you know, put a pin in that or sort of an exclamation mark on that by saying, imagine on Election Day information goes out about long lines at a polling place or violence at a polling place that is false but is generated through our artificial intelligence. In Michigan we will now, you know, be able to identify that through disclaimers and, and enforce it, but we need partnership from tech companies and others in both identifying that misinformation, mitigating its impact, and having boots on the ground, which we will have, in terms of people who can actually get to a polling place that there’s a rumor about and dispel it quite quickly. So we’re working to mitigate its impact, but we need the partnership of tech companies to help us do that.

And of course in a situation like that speed is of the essence, and you know, once that message is out there, and it’s hard to necessarily even know it’s going out there.

Yeah, and folks should know in Michigan for the last several cycles we have, I have a field team in place all throughout the state so that at any point someone from our team is within five minutes of a polling place, because misinformation is about, uh, the status of voting is nothing new and attempts to use it on Election Day to, to turn turnout is nothing new, but we are aware with, with, about the speed with which artificially generated images could spread, and that’s why having more people in the field than ever before to identify the truth and get that out there as fast as we can with, I hope, the assistance of trusted voices and, and social media and elsewhere, we can, um, have our best shot at trying to
equip voters with the right information.

Chris, the, the DHS Homeland Threat Assessment report for 2024, I’m quoting now, said the proliferation and accessibility of emergent cyber and AI tools will help these actors bolster their malign information campaigns by enabling the creation of low-cost synthetic text, image and audio-based content with higher quality, which of course, this is getting at what you’re talking about. You’ve long been talking about perception hacks by adversaries of American democracy, so how do you see AI helping the, our adversaries make that more effective?

There’s a, there’s a mix of hype and it’s too late, and let me try to, uh, thread that needle for you. Um, on the hype side, what we’re seeing I think for AI right now in terms of ad-, adversary use, like splitting it up across cyber criminals and then state actors: on the state actor side I know that the national security community, the intelligence community is concerned that state actors are field testing, that they’re, they’re seeing what the capabilities are, but they haven’t necessarily rolled them out in campaign form just yet. On the other hand you have cyber criminals that are in fact using AI right now in their, uh, in the, particularly in ransomware, and that’s to generate emails for demand letters, to send threatening notes to employees. I, that’s just one more tool in the toolkit, uh, but that in and of itself from a threatening democracy perspective is not concerning yet. It’s still early, they have 10 plus months, and what I’m really looking to the community for and, and election officials is kind of like what Jocelyn just went through, is what are the potential use cases, what are the scenarios that we should be thinking about where there could be maximal impact, because if it happens two weeks in, or two months rather, in advance of the election I’m not as worried about that, you can get on top of it, speed matters, you can, you can crush it. But if it’s election day, yeah, and people are heading to the polls and something catastrophic is depicted and you don’t necessarily have
the authoritative, how does that mess with the mind of the, of the voter. On, on the maybe-it’s-too-late side, we talk a lot about the closed proprietary models, the big, coming out of the big four, but the challenge is from, is the open models that are already out there, open source models, open source models from Hugging Face, from, you know, even the, the Facebook, the Meta Llama stuff, that’s already out there, and the internet’s forever, so these tools are already out there, they’re in the hands of the adversaries. And so any of these regulations, are not any of them but a good chunk of them, particularly what we saw I think in the executive order for AI, is that the good actors are going to opt in and it would give them tools for digital rights management, they can control their likeness and say no, if it doesn’t have that watermark it’s not legit, you should not believe it. That’s a good thing. The challenge is going to be what happens with the proliferation across the different platforms, and the detection tools can’t keep up with just the flood of information. I think we just don’t necessarily have the societal resilience and kind of discernment built up just yet to be able to deal with, with the information overload.

Raffi, I suspect you have a lot to say about things like, uh, watermarks and, and how effective that will be, but I also want to ask you to, to talk a little bit about, uh, political campaigns and advocacy campaigns and how you see those, uh, changing in the near term as groups begin to adapt, uh, you know, AI technology for their, to mobilize campaigns.

I me-, everything the secretary and Chris said is obviously true, and I think it’s, it’s even worse. We have to work on multiple time frames on all these problems, like I don’t think, there’s no silver bullet, these are all social techn-, technological systems, and so we have to impact both the human side, the technology side, we have to worry about this cycle, we have to worry about the next cycle, like all this is true. And so I think like when you think about the, the advocacy and political campaigns, they’re
kind of scared, like they’re like, they don’t actually know what to do. So like the kind of advice that I’ve been talking to them and others been talking to them is like, you have to communicate more often, you have to communicate in other ways, you have to find the trusted messenger programs, you have to figure out ways to have who is the trusted contact within the platform so we can work on what’s the right feedback loop when something goes wrong. Like in 2018, 2020, um, I’m glad had people on the ground, we also had people who were basically just trying to in MTH report any issues they saw to the platforms, but we now live in a world where like my, I guess, as my former employer, I used to be a VP at Twitter, now X, I’m not quite sure, but like X has basically de-staffed their entire content reporting division. This Community Notes thing, we’ll see how that plays out. Um, so I think like for what I tell these, these organizations is again we have to work on multiple time frames, like you have to start communicating now to voters, to people you’re listening to, you also need to be advocating for, I’m glad that things are happening on the state level, but we need to be advocating for federal change, and whether it makes that time for this election, Klobuchar and others have bills on watermarking, you know, that sets a bar incredibly low but we need to start at somewhere. Meta and Google are starting to put restrictions on whether or not you can upload generative images into their political ads, again bar is super low. We should be thinking about data provenance and others. Um, so having these conversations, just like people now, technology next, bigger picture f-, finally, and then just trying figure out how to stage all that, those are the kind of things that we’re trying to get everyone at least on the same page about.

Yeah, yeah, against daunting odds. I have to say de-staffed is one of the great euphemisms, I’ve never heard that before, I love that, I’m going to use that. Uh, we’re going to go to questions in a few minutes, but I have another, one more round of
questions for our panelists. So Chris, you famously called the 2020 elections the most secure in U.S. history. You think you’ll be saying that in 2024?

So once again, I did not say that. That was the election community, that was the executive committee of the government coordinating council and the second coord to the world, yes, and I did the quote retweet, TL;DR, and that’s what it was. It was also the most litigated election, the most scrutinized election, the most audited election, I could go on. Uh, do I expect to see that again? Yeah, I think from a, uh, certainly from a threat intelligence, from an intelligence community, national community, national security community looking out over there for bad activity, from working with the technology officials across elections for those kind of anomalies across systems, absolutely keeping a hard eye on it. But, you know, you never really can tell what’s going to happen just on the broader set of threats that we’re now seeing coming in from a physical perspective. Uh, you know, we got a flavor of that in ’22, and we’re certainly continuing to see threats against election officials. And so I think, you know, when you kind of boil down what my biggest concerns for ’24 are, it’s how does the, you know, the threat of violence, uh, manifest into, um, taking away opportunities for people to participate in democracy.

Yeah, and again, for the record, I apologize for being a propagator of mis- and disinformation on your quote. Uh, Raffi, your podcast is called, uh, Technically Optimistic, which I love. Does that jive with how you’re feeling about 2024?

I feel like that’s like a catch-22 question, because in some ways, if I said I’m optimistic, then people might not pay attention and might say that, like, oh, we have to solve. So I am generally an optimistic person. I believe that if we’re talking about these problems, that we can start to really address them, and we won’t take our foot off the gas on those pedals. But no, I’m actually quite scared about this
information environment that we’re operating right now. Like, I was just looking at, you know, we spend a lot of time, you know, people our age spend a lot of time thinking about the Metas of the world, the Xes of the world, and I was just looking at a report, actually, in Michigan, of, like, where people are actually getting their information, and it’s not those platforms. So, like, we’re actually in some way spending our time maybe in the wrong places, and we need to be spending our time on these other smaller, up-and-coming platforms that also don’t have the staff, don’t have the energy, don’t have the people and resources needed in order to make sure that they’re secure in the process. So in a lot of ways, this election is going to be a whole bunch of actors trying to cobble together their resources. Thankfully, the states and election officials are doing a lot of work there, but on the information side, on the civil society side, I think, like, none of us are staffed enough. There’s way too many of us on the field right now, and trying to figure out how to coordinate and pull us all together is, I think, my biggest concern.

Great. And we’re going to go to questions in a minute, if anybody wants to come up to the mic. Jocelyn, um, what should we be, how can we best prepare for next year? What should we be looking out for?

I would say two things. One, to pick up on the optimism, you know, I believe in seeing every challenge as an opportunity to get better. I think the challenges facing our democracy today have to also be seen as opportunities for us to take them, embrace them, and make our democracy stronger. And indeed, that has been a lot of the untold story over the last several years. More people are voting than ever before, young people are voting in higher numbers, more people are engaged than ever before, our elections are getting more secure through the dissemination and use of paper ballots and other things. The transparency and the scrutiny actually has been able to be a productive
thing in many ways at improving a lot of the system, and so that’s all a good thing. And I believe artificial intelligence and other technological advancements need to be looked at in the same way. How can they be used to better disseminate information about voting to language minority populations, or how can they be used to disseminate information about the truth of elections and the transparency of our process? So I think we have to make sure that stays on the table. And then secondly, we have to recognize that all of this, everything we’re talking about, is about deceiving people, deceiving voters who then act on that deception. So we can work to also ensure voters, and voters can take the responsibility to become critical consumers of information. That is how we get through this process. If you can’t be fooled by AI, it doesn’t work. So how can we really invest, and we’ve been disinvesting in voter education in a lot of ways, in civics education, but we’ve got to start investing in that and continue to invest in, uh, peer-to-peer communications and other things. For example, one of the things we’re doing in Michigan is we’ve created a voter confidence council at the state level and local, 10 local voter confidence councils, to engage faith leaders and sports leaders and business leaders and community leaders at educating voters about the truth, about how to participate and how to trust our elections. That is, I believe, our greatest counter to all the ways in which technology can try to, in bad ways, misinform citizens about their voice and their vote.

Yeah, and that trust really does start at the local level. So, okay, we have a couple of questions. Um, over here, if you can say, I can’t see very well, if you feel comfortable doing so, please say your name and your affiliation, and please, a question.

Okay, I’m Saxon Knight. I run the U.S. government practice for Reality Defender. I’m the market leader in real-time deepfake detection. I’m curious, um, to hear all of your perspectives, really, on the fact that we’re working with almost every major news corporation
right now in preparation for elections 2024. Um, we’re very, very deeply embedded there. When I see that interest from media juxtaposed with what we saw come out of the executive order in late October, we’re not seeing deepfake detection being talked about, um, from a trust perspective specifically. I’m wondering your perspective on how we get the government to the place where we’re not just talking about content watermarking, working with Commerce, etc. How do we level up to a more offensive posture where we’re actually looking for deepfake detection, not just about, you know, is there a long line at the polls, but, um, we’re showing a candidate doing something that they did not do or say something they did not say? So I’d just love your perspective on that.

Go ahead.

Uh, I think on the last point, I mean, we don’t have a lot of time from a congressional calendar perspective to get any sort of meaningful legislation out that would have an impact technologically, standards or otherwise. Regulations take 18-plus months on the Administrative Procedures Act, absent a national security exception, so, uh, I think that ship is going to be stuck in the harbor for a while. Uh, you know, media is an interesting question. You know, I’ve always had, particularly when you look at some of the tradecraft the Russians have used historically, is that media platforms in and of themselves are targets for hacking operations to get fake information onto the chyron or otherwise onto a broadcast. So we have to continue thinking through those sorts of threats, and at the same time, how do they just organically consume up things that are out there in the environment? So newsrooms, I suspect, are working through, okay, we’ve got a synthetic content problem, how do we ensure that what we’re pushing out there, what we’re reporting on, is in fact accurate? And if anything, uh, dating back to October 7th, in Hamas invading Israel, we have a kind of short fuse, uh, in willingness to report quicker, and we need to, you know, I think there have to be some
tighter cycles, and not all of that has to do with AI. It just has to do with basic journalistic standards.

Sorry, I say that as a recovering journalist myself.

I think, don’t see action on the federal level, the states are the answer. That’s why we’ve seen five states, most recently Michigan, I think, is the sixth, passing the type of best practice legislation that we do need to see at this point. But that’s our starting point. And so I would recommend connecting with state election officials and state attorneys general, uh, through our various associations, to talk through and help us to find these additional risks and identify partnerships for, uh, essentially, as you say, identifying deepfakes, to help us better educate voters about what to spot, and also law enforcement, to the extent that we have now some criminality in protections that we need to enforce, to make sure we’re better equipped to enforce them.

I don’t have very much else to add, except for, I think all of this is true, and we also need to be putting way more pressure onto the platforms. Like I mentioned before, they’re de-staffing in a lot of ways. We need them to increase their staffing. Like, I’m very concerned about video-based deepfakes, but audio-based deepfakes are just as problematic and maybe even harder to detect in certain circumstances, and there’s been a few in the wild already in some elections. And so, like, trying to get everyone on board, I think, is, just keep the salience on the issue, I think, is super important.

Great, thank you. I’m going to come over here. Your name and affiliation, your question.

Yeah, hi, I’m Diane Chang. I’m a former election integrity product manager at a big platform and currently a resident entrepreneur at the Brown Center for, uh, Media Innovation at Columbia University. Um, today the Wall Street Journal actually just reported that Meta, um, as of last year has allowed claims on their platforms that the U.S. 2020 election was rigged. Um, I’m curious to hear your thoughts, all of you, but especially Jocelyn and Chris, asking you
to put on your former CISA hat, um, is the threat of that claim over, or is there continued impact on the initiatives that you shared to help build trust in information, information literacy, trust in officials, in the security and safety of state officials and election administrators like yourselves?

I mean, no, it’s not over. What we’re seeing is a regeneration of the same, is how misinformation works, the regeneration of the same tropes, the same fraud, the same word, the same terminology, the same images, the same examples that have already worked. They’ll add new actors to it, they’ll add new mechanisms for dissemination, they’ll add new, um, elements of it, but we even see just the regeneration of past stories as if it was just recently uncovered as a scandal, even though it’s been uncovered before. So that’s all a tactic of misinformation and the repetitive use of misinformation. So we’re, um, and in that regard, one of our biggest challenges going into ’24 is there’s been a lot of turnover at the federal level and at the state level. Of the battlegrounds, of the six battlegrounds, there’s only two secretaries, and then three, you include Al Schmidt, who was in Philadelphia, but, um, but there’s a lot of new secretaries of state, uh, doing this work as well who don’t and weren’t there in ’20 to actually be able to counter the misinformation that we’ve been countering. Uh, so that’s all, we just have to see that as a tactic that’s going to be used and deployed, uh, and we need to get up to speed quickly to be able to quickly debunk. Then the nice thing is, on the other side, we can quickly debunk stuff we’ve been debunking for three years, but, um, for me it’s personally hard to do that without getting frustrated that I still have to debunk it three, four years later.

I mean, and on that note, I am not taking that bait. So, what she said.

Over here.

Hi, I’m YY lowski, I’m a reporter, and my question’s for Jocelyn. Um, I wanted to bring up something that Vivian, um, mentioned in the beginning, which was the, um, political attacks on researchers in the
space, um, obviously coupled with the dwindling resources at the tech companies. How has that impacted election officials’ ability to both receive information from the academic community and from the tech companies and also provide information? How is the impact in collaboration for election officials?

I would say it has made it more difficult, but the counter of that has been an increased, uh, determination, uh, among election officials to see the benefits of that collaboration and move forward anyway. And so there have been, um, there’s been deterrence of collaboration, but at the same time there’s more incentive for collaboration than ever before, and if collaboration doesn’t work in a sort of traditional sense, we create it in other ways. I would say, for example, the six battleground states are collaborating more than ever before amongst ourselves, as well as local election officials, uh, and that’s going to yield great rewards. And I think additional public-private partnerships, um, though, you know, again, perhaps deterred, as a tactic for others to make it harder for us to do our job, that hasn’t eliminated, um, you know, that I’ve seen, uh, the incentive or the desire to still try to get the job done through the collaborations that we’ve known to be effective. So I haven’t, um, I, yeah, I think, again, one of the other pieces, the other side of the coin of the story here, is that of the threats, of the challenges, of everything, is we’ve got an election community that is weary and exhausted but more determined than ever, uh, to get the job done and to protect our elections in ’24. That actually gives me more hope and optimism than anything, and I think you can see that coming through in the way in which collaborations remain intact. And we hope partners who are not in the election arena, uh, still maintain that desire to support us and help us, because we will need it.

I’d love to hear from Raffi about this.

Want to jump in for a second. I think I’ve spoken to a bunch of these researchers who are doing
this disinformation work, and these political attacks are personally really hard on them. Like, in fact, in a lot of ways, they are questioning whether or not, without saying exactly who, but they’re questioning whether to stay at their institutions, whether they need to go do this work elsewhere, whether, God forbid, they should stop doing this work and allow international information, disinformation researchers to be monitoring U.S. elections instead of us doing it ourselves. So in a lot of ways, we also need to be providing these people homes that they can be operating in, within, provide them with legal funds in order to defend themselves while they’re doing this work. Like, I’m actually really concerned that if these attacks continue, these academics won’t be able to do their work anymore moving forward.

Yeah, it’s very concerning.

I mean, this is just the last piece I’ll add here. I mean, this is full-contact First Amendment, and that’s really what you’re seeing. So both sides are fully going at it, and to Raffi’s last point, we’re starting to see, I think, some responses in defense of researchers, with groups that are coming up with legal defense funds to give them the backstop so they’re not out there on their own. So it’s a very, very dynamic space right now.

Indeed. Thank you. Next question.

Yeah, I’m an academic working on disinformation, based in Texas. Support what do you need. So, research professor in ftic and based at the University of Texas at Austin. We have a lab called Propaganda Research Lab, part of the Center for Media Engagement. I’ll forefront my question. I’d love to hear a bit more, by, I think, the three of you, elaborate how you factor in the diversity of the American electorate in y’all’s work of securing elections, building trust. Background is, we’ve done a lot of work on diaspora, immigrant, minority communities, for whom WhatsApp plays such a huge role, and you have this kind of, like, when you work in the space, then on the one hand WhatsApp is a really important space for them, because it’s, like, removed from the American
majority population and opinion, and they feel safe about it, but then when they get false information via those spaces, it can be much more, um, impactful, etc. But breaking encryption is obviously not the solution. So yeah, in y’all’s work, diversity of the American electorate.

We’ll have to keep it pretty short from each of you on this, but go ahead.

So let me, I’ll take more of a technical approach here. The decentralization of American elections is actually what gives its resilience. It cannot be attacked centrally, and that, I think, will continue to be, uh, one of the hallmarks of security of the ’24 elections, the fact that one person cannot come in and make sweeping changes or make sweeping, you know, adjustments to the outcome, and we saw that in 2020.

Yeah, and I’d say on that front, with regards to reaching communities that are not necessarily reached by some of the more, um, you know, traditional social media, other networks, uh, we have been developing partnerships with the trusted voices in those communities, because they, whether they’re faith leaders, which are key, um, or again just other types of community leaders or business leaders, they can serve as the trusted voices, and then we give them the accurate information, uh, and we’re starting to do that now, so that as information starts to flow into various different circles, WhatsApp or elsewhere, uh, these people are there already, uh, and equipped with, you know, accurate information or rapid response details as well to emerging issues, uh, to counter any misinformation that are out there. That’s in some ways our best way. And we also have to recognize how AI can ease the dissemination of, uh, translated, uh, materials as well to communities that are not reached in traditional communication ways, in the way that that can harm, uh, information.

Now, the secretary just made my point. Like, I feel that, like, these new technologies allow us to target in very different ways that used to require a lot of sophistication, has now become a lot simpler. And so, like, actually trying to
better understand these communities so we can better communicate with them, I think, like, it’s kind of step one. It’s just, like, finding those trusted messengers, actually engaging in conversation, and really understanding, like, what’s their media consumption, where are they getting information from, so we can build those trusted pathways.

Good. Well, I’m glad we were able to end on a positive note for the impact of AI on elections. Uh, Chris, Jocelyn, Raffi, thank you so much for sharing your insights, and thank you all. Thank

[Music]

Next up, to help us explore everything we need to know about cybersecurity in space, please welcome retired Air Force Lieutenant General Jack Weinstein; Eric Goldstein, executive assistant cybersecurity director, Cybersecurity and Infrastructure Security Agency. They are joined by Garrett Graff of Aspen Digital.

[Music]

Good morning. Um, I will first note Eric is not Jen Easterly, uh, the director of, uh, CISA. Um, Eric, uh, is, uh, standing in for Jen, who ended up with a, uh, minor crisis, uh, non-national critical infrastructure related, um, I should add, today.

Indeed. Less cool, but I’ll do my best.

Yeah. So, um, Jack, let me start with you. Um, you, uh, retired as a lieutenant general, um, in the Air Force, um, spent a lot of that career in sort of space and space operations, and in some ways lived firsthand the sort of rise of this threat and challenge, um, going back to when you were the director of, uh, space operations in Iraq and Afghanistan. Um, and I wonder if you could sort of talk a little bit about how you saw the space domain evolve during your career and sort of give us the short history of, uh, space challenges over the last 20 years.

So it’s really exciting to be here, because a lot of the discussions that have happened this morning talking about cyber are resident in the space domain, and you can’t really separate space without talking about cyber. So I’m probably going to have to rename this event the Aspen Cyber Space event, so I’ll have to work with that. But what I’ve seen is a complete dramatic change in how the space domain
we kind of operated. You know, getting to space was the most difficult thing. Uh, the space domain and the use of space was really for the nuclear deterrent. Uh, the first spy satellite, Corona, was put up, and while both nations at a time, but both nations meaning the United States and the Soviet Union, worked on anti-satellite capability, it really was a protected domain, because the systems that were in orbit, whether it was missile warning looking down on the earth or whether it was intelligence systems or communication systems, were protected, because it was all in support of the nuclear deterrent, and no one wanted to cross that red line. As we start morphing and going into it, um, the term was used, um, contested, uh, domain. It’s congested, it’s contested, and it’s competitive. There are a lot of, uh, assets up there, and our adversaries have watched how the United States operates, and space is important. We can get into this discussion. It’s extremely important for the economy of the United States. Uh, everybody uses space every single day, and they may not even realize that they’re using space every single day. And, uh, when we talk about the GPS system, the Global Positioning System, you use the Global Positioning System to find out where 92 Y is in New York City, but the most important part of the GPS system is the timing it provides, because the timing is used, uh, whether it’s internal to the military or external. Uh, what our adversary saw is the way we use space in the first Gulf War, 1990, 1991, with the United States military was able to do this big left hook in the desert. As everybody knows, there is no street signs in the desert, so having space capability was absolutely critical. And then the other item that was critical is the United States, and while we’re not perfect all the time, we really try to limit collateral damage, and GPS provides us the ability to use something called a small diameter bomb in order to target exactly what we want to target and not do collateral damage. Our adversary saw the way we operated, and then, uh, it started to become a
competitive domain between ourselves, uh, China and Russia, and then it’s also congested with the amount of, uh, assets we have in orbit. Uh, when you look at everything we have in orbit, whether it’s active satellites or satellites that are inactive, and you start calling the numbers, up to 42,000. When you have pieces up there, when you look at small debris, those numbers can get up to a million. So what we’ve done inside for us, and we can get into this discussion too, is create a Space Force and have a group of people, uh, focus specifically on the domain, what does it mean to operate in the domain and how we’re going to protect the domain, because it is something that’s needed for much more than the military.

And, uh, Space Force, of course, was, uh, something, an evolution that happened during the Trump administration, um, that, uh, had actually been a longstanding part of a shift in sort of doctrine and thinking. Um, and I think there’s sort of a lot of, uh, public confusion about sort of what Space Force does, how it operates, what the reasoning for it is. When you talk about the timing, for instance, um, a lot of people don’t really understand that, like, credit card systems work because of the timing systems built into GPS, that, like, gas pumps work because of GPS, that, like, bank transactions and Wall Street transactions are timed using GPS, uh, related systems. Um, Eric, you’re executive assistant director at CISA, um, thinking a lot about, you know, the various critical infrastructure sectors that, uh, CISA has responsibility for and, uh, coordinating roles with. Where does sort of space fit into that rubric for you of critical infrastructure?

Yep, absolutely. You know, I think, uh, building on Jack’s opening comment, I think we might need to rename this event the Aspen Cyber, AI and Space, uh, Summit. Um, but we fall sometimes in cybersecurity into what I’ll call novelty bias, which is when there is a newer technology, an emergent capability, particularly one that is hard to understand and hard to translate into our everyday lives, um, we often, both in our
community and certainly in the general public, sort of pulled back from the table and said, this must require a new framework, a new model, a new solution, when in fact in cybersecurity we know that in the case of certainly space and generally also AI, a lot of these cybersecurity solutions are the exact same ones that we have been evangelizing for general commercial software and hardware and enterprise security for decades. And so, uh, you know, Garrett, as you noted, you know, space is a horizontal dependency across every other critical sector. There is no sector that does not depend upon space assets, space connectivity, space infrastructure to some degree or another. And of course we also know that the, uh, space systems themselves are not a monolith, right? It is of course an ecosystem of terrestrial assets, spaceborne assets, and thousands, thousands of suppliers, some of which are pure play, um, in space infrastructure, many of which produce products for aviation or manufacturing or other sectors and purposes that are also used in space infrastructure. And so what this means is, particularly given, as I think we’ll talk about, the commercialization and privatization of space infrastructure, we need to keep focusing in the first instance on the basics, saying, for example, if you have a software product that is supporting space infrastructure, whether it is supporting a terrestrial asset or a spaceborne asset, it needs to be secure by design. You’ll hear CISA say this a lot. But instead of saying, you know, let’s be, um, perplexed, baffled by the, um, by the opacity, uh, of space systems, let’s instead say we know how to solve for insecure systems, we know how to solve for systems that are under constant adversarial intrusion, like space-based systems are, and we also know how to solve for systems that are difficult to maintain, patch, upgrade. For example, we’ve seen similar analogous contexts in the operational technology space. And so we see space systems as a critical dependency for critical infrastructure across the board, and our focus point is making
sure that we don’t unlearn and have to relearn the lessons that have been so, um, so hard-borne over the past few decades, but instead drive adoption of the right security measures that we know are effective in other contexts.

Hey, Gary, can I just, um, I think there’s a foundation piece that I want everyone to know, is that we look, and you brought it up earlier, you know, you look and say, you know, uh, the former president, uh, directed that we’re going to have a Space Force, and it looked like it came out of the blue. Uh, in 2001, um, the former Secretary of Defense Donald Rumsfeld decided, um, there was a space, um, uh, commission that he ran. The reason I know about it is because, um, I was one of the few, the only Air Force squadron that actually, um, that he actually visited. Um, and at that time we understood, in 2001, the importance of the space domain. Uh, we knew that we needed to, um, secure the domain. So Secretary, um, Rumsfeld, um, when he wrote his commission, uh, he created some positions that may seem really familiar today. Um, they had an Under Secretary of the Air Force position that was dual-hatted with the National Reconnaissance Office, so to take what the military is doing with, um, space and then combine that with the intelligence community. There was a separate, in the Pentagon, a separate space acquisition authority, and we had an Air Force Space Command of all the space, uh, people that were flying satellites, launching rockets, and doing all those important activities. Um, everyone knows what happened on September 11, so all the work that went into Secretary Rumsfeld’s commission went to the back burner because of 9/11, and our entire focus changed, uh, in fighting wars in Afghanistan and Iraq. But the beginning of the Space Force is not something that happened in the last administration. It’s been something that has been going on for 20 years, trying to figure out how do we, uh, train people, educate people in this domain, and how do we have a force of people that, um, can start looking in wargaming. We had some discussions today about red teaming.
How do we red team the space domain so we can be sure we can have unabated coverage to ensure that everything that Eric talked about continues during a crisis and during day-to-day?

So one of the challenges in, I think, talking about space with, and making the case, certainly to the public, that it matters, is effectively everything around space is among the most highly classified, uh, secrets that the U.S. government keeps. Um, and that’s both true in terms of our operations on the U.S. side and then also the threat from the adversary. Um, and you hear, uh, sort of generals come out and say, uh, you know, uh, you wouldn’t believe what Russia and China are doing up in space, and then when you ask the follow-up question, well, what are they doing up in space, they’re like, well, we can’t tell you. So how do both of you sort of make the case publicly? How do you talk about what the threat is from nation-state adversaries in this domain?

Yeah, I think the first place to start is to drive understanding of the dependency and the impact, right? Because, you know, we know that, as my friend and colleague Rob Joyce, uh, spoke about just a few minutes ago, you know, we know, as publicly reported in the DNI’s annual threat assessment, that we have adversaries facing this country that intend, under certain circumstances, to sow societal chaos, disrupt our ability to project military force, and execute destructive attacks to achieve those goals. And so even if you don’t speak for a moment about what the U.S. government may or may not know about specific adversary activities, if you just take that generalized, publicly articulated intent and combine it with the ubiquitous dependence, as Jack noted and as you noted, Garrett, on the critical functions of everyday life, getting cash out of the ATM, getting fuel out of the gas pump, our airplanes being able to take off the ground, you know, if you combine the dependence with the strategic intent, you know, that is enough right there to begin to convey the criticality of this area and the need to make some urgent investments in
both security and resilience.

Education is a big thing. We need to educate people on space. I won’t forget, I was outside playing, my father yelled at me, and he said, you need to come in, I need you to see, history is in the making, and it was Neil Armstrong walking on the moon. So I ran inside to our little TV to see Neil Armstrong, and as a little kid it was my idol. I, you know, I wanted to be an astronaut, didn’t want to play sports. If you know me, you realize that would have been a non-starter to begin with. But, uh, space, uh, was really exciting to me. Uh, we really need to educate people on the values of space, just like in some states right now we’re educating, uh, young children about cybersecurity and the importance of protecting themselves. We need to explain to everyone the importance of space. Um, security is that really tough thing to crack. We had a former Vice Chairman of the Joint Chiefs of Staff said we need to unlock some of the secrets. Um, the former, the current commander and Chief of Space Operations, proud to say he’s a Boston University graduate, um, also brought up that he thought, as the determining security official, he could make something unclassified when he looks at it and how he got the information, and he was told no. Uh, one quick story is, I was given a responsibility, one of my last jobs in the Pentagon was to figure out how do we do deterrence with all the capabilities that we have. How do you do deterrence with nuclear, how do you do deterrence with space, and how do you do deterrence with cyber? So you look at that responsibility and that task, and it was kind of awe at first, you know, how do I get my hands around it? So we did a few war games, and I actually love war games, and when I came back I was talking to the Chief of Staff of the Air Force, and I said, hey, there’s no magic formula here. You can’t deter an adversary unless the adversary knows you have a capability. That’s deterrence. So we’re going to have to figure out a way in the government, there are certain things that need to be protected that no one needs to know about,
but you can’t say the trust-me card anymore, because that trust-me card doesn’t work. We need to explain to people the importance of space and also some of the capabilities we have up there. What is going to help this is the commercialization of space, and we can get into that discussion, because there are some companies that are putting assets into orbit that, if they were put into orbit 20 years ago, um, they wouldn’t be helpful assets.

Yeah. So one of the, I do want to sort of talk a little bit about this commercialization, um, and start in the context of talking about the war in Ukraine, where what we saw, um, as sort of actually the major cyber action in the opening stage of Ukraine, uh, Russia’s invasion of Ukraine, was, uh, a space attack on a commercial communications infrastructure. And I wonder if you could both talk a little bit about, uh, sort of what you feel like you have learned and how you think today differently about the threat based on the VSAT attack, uh, by Russia against Ukraine, and how, uh, that has changed the way that you were thinking about this problem.

Yeah, I’ll offer, uh, a few takeaways from our perspective. Um, the first is to reiterate the truism in cybersecurity that geography is irrelevant, right? And I think one of the interesting lessons from, uh, the attack on ViaSat, which my colleagues at NSA did a great presentation on, uh, at the, uh, Black Hat conference this year, is that there was actually material spillover impact, uh, affecting countries elsewhere in Europe, um, likely unintended, um, by the aggressors, um, but actually resulting in, um, consequences on commercial infrastructure and individuals, uh, throughout Europe. And so thinking through the inherent interconnectivity of communications infrastructure and space infrastructure, how do we control for those dependencies, and how do we think through the permissibility, uh, of different kinds of cyber operations given the connectivity? Um, the second, I’ll build on a point that my colleague Ela made on an earlier panel, which is the importance of
resilience. Um, and frankly, what we saw in practice is, even though, uh, the attack on Viasat was very impactful for Viasat, very impactful for a variety of Viasat customers across Europe, it actually wasn’t that impactful for the Ukrainian military, uh, because they had built in resilient communications, working with partners like Starlink to make sure that they were able to pivot quickly to alternative measures and keep fighting. And that, I think, is really the key through line here, is we know that we are not going to cyber-defend our way out of the risk we’re facing, and the idea of functional resilience needs to be our top priority.

It’s exactly what the Space Force is looking at right now, it’s that whole resilience piece. You know, space, as I mentioned, is competitive, congested and contested. Um, we were really good in this country about putting satellites in orbit, and we talk about the big yellow school bus. You put this big yellow school bus in orbit, it’s in geosynchronous orbit, so it’s 22,500 miles up, and you can call that a target. It’s big, and if you lose that big communication satellite, you lose an awful lot of capability. So what we’ve learned over time is, and the term is disaggregate, you need to disaggregate constellations so you can break up those big, uh, humongous satellites into satellites that you can clearly identify on which ones do tactical communication and which ones do nuclear command and control communication. That is good for deterrence, ’cause then the adversary knows what those satellites are, and it provides a resilience that you can work through the fight. The same resilience is, uh, Viasat and Starlink is using, um, satellites, commercial satellites are in orbit. There’s not enough communications capability that we can provide solely from military systems, so having commercial satellites up there is absolutely critical, because then, uh, you take the fight in a different realm when you’re not taking out a US asset per se but you’re taking out a commercial asset. The other thing that’s really important is transponder. So all a
transponder is, is a, is a, um, device that’s on a satellite that sends out the frequency so you communicate. And all a satellite is is a big battery. It’s got solar panels and it’s got a big battery. Well, if you can put that transponder on other satellites, that brings in a whole different realm of deterrence, because then if you want to take out that capability that the United States needs, or our allies and partners need, now you’re not only attacking the United States but you’re attacking another nation. So that whole resiliency piece is really key, uh, on the whole space domain. So just like in cyber, having that resiliency piece, we talked about it for critical infrastructure, that same resiliency piece applies into the space domain.

And I want to come back and talk about international cooperation in a second here, but let me, um, part of this conversation over, you know, as you said, 22, 23 years now, space has almost always been, uh, space threats have almost always been spoken about in the context of nation states, and one of the things that was sort of new this year, Eric, was the US government coming out and beginning to talk about criminal threats to space assets and the ways that, uh, the, the government and, uh, the Director of National Intelligence was now concerned about the possibility of sort of transnational organized crime groups beginning to target space assets. And I wonder if you could talk a little bit about the non-nation-state criminal threat picture here.

Yeah, at, at the outset, I think it is, you know, analogies in cyber security are often fraught. This is one where you could just draw such a beautiful timeline to say the history of cyber security threats, the history of spaceborne threats, um, and, you know, there’s probably a 20-year gap between them, but the trajectories are just remarkably synchronous. Um, I think it is, it is a logical evolution, right? Uh, you know, what we have seen, of course, in cyber security is, for the first couple of decades, uh, of really material cyber threats, um, you know, cyberspace was the domain of the nation
states, who used cyberspace to achieve their geopolitical, largely intelligence-gathering goals. Over time, criminal groups began to understand that they could achieve either remuneration or strategic goals by targeting the same assets. We are now beginning to see the, the same trend with space, space assets. I think all that it means is it increases the unpredictability of this domain. Whereas US government generally has a fairly good bead on what our nation-state adversaries are trying to achieve, as we have seen with the ransom epidemic in other contexts, it is much harder to predict and anticipate how the criminal ecosystem is going to evolve in their targeting and their TTPs. I think the, the corollary advantage here, though, is, even as we have seen, of course, the introduction of non-state actors on the cyber threat side, we of course have seen broad commercialization of space generally, which then raises opportunities for us to learn from what industry is seeing, learn from how industry is defending their assets. And just as with cyber security, which of course is by no means a government monopoly on cyber defense, we need to achieve the same partnership with industry for defending space assets.

So let’s talk about commercialization, which is a, a really good point to jump off of. So once a satellite gets into orbit, the most dangerous part of getting it into orbit is the launch. It’s a controlled explosion. You get it into orbit and then the satellite is functioning, and what usually fails on a satellite that requires it to be deorbited or put into a different orbit is it runs out of fuel. Uh, so it seems pretty intuitive that, well, what you need to do to have a satellite last, if the satellite is still healthy, is to refuel a satellite. Um, so there are companies now looking at refueling a satellite. But let’s step back a little bit, right? So to refuel a satellite, it means you have to get close to the satellite, maneuver close to the satellite, connect to a satellite and offload some fuel to the satellite. So let me make it more negative: that’s called a
weapon, right? So now you have these companies, because if you’re going to do something called remote proximity operations, which is flying a satellite near another satellite, this isn’t like one of my favorite shows, Star Trek, uh, where it seems really just cool to do on a science fiction show about putting it up there. Um, flying close to another satellite can also make that, uh, what seems to be benign, a weapon. Just like we have, um, uh, systems that want, or companies that want to go into orbit to clean up all the debris, since we have so much debris there. So we have to really think our through, think our way through that. Now the most important thing we, we need to determine are what are the rules of the road, or what are the norms that we have in space, because we really don’t have that yet. Um, just like we know that you can’t fly an airplane too close to another airplane, you can’t have a ship too close to another ship, you need to have in space how close is something else. So what the Space Force is doing is, A, you need to catalog what is up in orbit, and number two, you need to understand what that other asset is doing. And, and understanding those two items is really critical, because back when I first started doing space, all we cared was raw numbers, that is an object in space. Now I, we need to know what is that object and what is that object doing.

Um, I’m going to, uh, ask one more question and open it up to the audience, because we, uh, I want to make sure we wrap up in time so lunch starts on time. Um, uh, and Jack, one of the things that you are sort of seeing, this huge shift in space assets, is this is a realm that started out as almost entirely governmental, um, you know, almost all nation state, almost all government owned and operated, now increasingly is, uh, both private hands but then also a much wider variety of nations playing in than there were, um, you know, even, uh, you know, 15 years ago. Um, do you think that, at least on the US government side, we are properly structured to sort of do the coordinating in space that we need to be doing, or do you
think that sort of, much like the creation of Space Force, uh, you know, air traffic controller, civilian, you know, DOT air traffic controllers for, um, for outer space?

Well, I’m glad you brought that up, because while the military is doing this, it’s really not a military responsibility. So we do need, you know, the Department of Commerce and someone to look at how we’re going to do this space traffic control, because that’s one of the, uh, the critical pieces. Um, the commercialization of space I think is a very positive thing. Uh, for those that remember, when, when the shuttle was deactivated, uh, we had no way of getting to the International Space Station, so we have to trust the Russians to get us to the International Space Station. As an American, I don’t like that. Um, and going back to the moon, moon is great for science, because if another country goes back to the moon and plants their flag, the psyche against America is going to be really, um, it’s going to be shaken, and then they’ll realize the criticality of space. Um, two big items. One is the Space Force is working really hard bringing other nations, uh, working side by side. Um, I was able to have Canadians, Australians and Brits working directly for me, and this was in the late ’90s, early 2000s. Now that capacity has grown, and working really closely with civilian industry, um, because the Space Force is now providing them when one of their assets may hit another asset. But it just needs to be a close, just like we talked about earlier with Eric, um, exactly what happened in cyber needs to happen in space, with the commercial, the private, the government all working together, not just giving secrets but sharing everything so they know what’s up there, and working together to protect the domain.

Sir, a question or two? Okay, it’s lunch, that’s what they’re thinking about. That’s exactly what everyone’s thinking. Jack, Eric, thank you so much for, uh, joining us and talking about, uh, the renaming of the Aspen AI space cyber summit. Thank you. Just wait here for a minute. [Applause]

Hey everybody, um, thanks so much, uh, I almost
said Jen, Eric, Jack, General Weinstein, um, Garrett. Um, if you can’t get enough of space, come back later when Garrett’s going to talk about his UFO book. Spoiler, um, they’re real. Um, so I know everyone’s eager to head to lunch, let me give you a quick logistics. It will go from now till 1:30. Um, today’s presenting and gold sponsors are hosting lunch discussions. They are set up in seven rooms around the building. There is food in each one of them, so you can pick your topic and go eat there. Two of them, Secure by Design and AI in the Cyber Threat Landscape, are upstairs. Uh, staff can help you find them. You can also visit the OneSpan coffee cart in the lobby if you’re looking for an afternoon pickup. It’ll also be there during the afternoon break. Last point before you go, though, um, please keep your ears open at the end of lunch. Uh, we will have a very distinct notification that lunch is ending, and follow, uh, follow that back to the auditorium. You will not want to miss the first session after lunch. Um, you will regret it if you’re not here for it. So again, keep, keep your ears peeled, you’ll know it when you hear it, come on back, and now go enjoy lunch. Thank you.

[Music]

[Applause] Please welcome Peter McIndoe, chief information officer of Birds Aren’t Real. [Applause]

How’s everyone doing today? How’s everyone doing today? Okay. My name, as people come in, is Peter McIndoe. Can everyone give a hand for our bagpiper, Frank? He did a great job, he always does. Uh, now, my name is Peter McIndoe and I’m here to talk about something maybe a little controversial. I’d like to thank, uh, everyone here for bringing me on to talk about these things, as they’re something a lot of the media and institutions like this often don’t share or don’t want the word to get out about. So as I speak today, please just remain respectful, remain kind, please do not, uh, laugh, and take this seriously as you sit
down to hear what I had to say. Raise your hand if you know what this slide is referring to. Okay, raise your hand if you don’t know what this slide is referring to. Okay, for those few lost blind sheep in the audience, I would like to share with you my truth. From 1959 through 2001, the United States government replaced every single bird with a robotic replica that looks, sounds and squawks just like a real bird. They did this using poisonous toxins sprayed from airplanes. They flew B-52 bomber jets over the American skies in the early ’60s, spraying a poisonous toxin that would be contagious for the entire bird species, spread across and make them fall from the skies. Now, with each bird that fell, a fake bird rose. Okay, can you say “fell”? Can you say “rose”? Can you say “bird”? Bird. Can you say “drone”? Drone. You’re tracking. Give yourself an applause. [Applause]

The proof that birds are robots is all around us, okay? For instance, birds charge their batteries on power lines. Have you ever seen a, a bird sitting on, on, on a power line? You ever wonder how maybe a bird can sit on that electrical line while a human can’t touch it without being shocked? Another thought: who here has seen a baby pigeon, by a show of hands? You haven’t, have you? No, you haven’t. Who here has seen an adult pigeon? Wow. Odd, odd. Uh, this is because these robots, these pigeons, come out of the factory as adults. There’s no organic growth, no time for them to, to grow up. People ask me, “Okay, well, Peter, if every bird is a robot, if the government did this, why do they poop on my car? How do they poop on my car?” Well, how do you think they track your vehicle? Bird poop is a liquid tracking device meant to track our cars wherever they go. Now, a lot of people ask me, “How, how do you know these things, Peter? How do you know these?” I’ll tell you. I have conducted years of my own independent research looking into the bird drone surveillance crisis. I’ve seen actual videos of real ex-CIA agents sitting down confessing to these crimes. I’ve seen leaked government documents. There was a massive leak from the Pentagon
called Poultrygate that came out exposing government elites and officials, even A-list celebrities, in the government’s crimes. Now, who am I? I’m the public information officer for Birds Aren’t Real. For this movement, I was brought on in 2016 to come and spread this word with the American people like you. Since then I’ve been going around telling people the truth. I got a van, the Birds Aren’t Real van, that I covered with decals. I put satellites on top of it to pick up the gamma rays from the bird drones flying overhead. We turned the highway into an information highway. I had slogans on my van trying to let people know, trying to bring them into the truth. Okay, so we had “Birds Aren’t Real,” obviously. We also had “If it flies, it spies,” was one of our slogans. We also had “Bird watching goes both ways,” as a means to wake the people up. “Pigeons are liars.” We have chapters all over the US called the Bird Brigade. There’s even a Bird Brigade location right here in New York. We went to Washington Square last year, held a rally and brought 3,000 New Yorkers out to protest the pigeons. Was anyone at our, our rally here in New York last year? Thank you for coming. You all are invited to the next one.

Uh, now, before I bring on someone to help us understand more about this, I know a lot of you may be thinking this sounds crazy. But why does it sound crazy? Why did we all come into, into the world only taught one truth, that birds are real, right? School always taught me all these things about real organic birds. It had never taught me once to question the other side of the argument. So I urge you to do this today as I tell you the truth, possibly for the first time, about birds being robots. I know there’s a few of you that may have not heard this before, they’re hearing it today and want to believe it, but I compel you, please do not just believe what I’m saying. I need you to do your own research and confirm it for yourself. If you were to just hear me talk today and believe me just off my, off what I’m saying, that birds are robots, you’d be making the, the same mistake that
you made in the first place when you were told that birds were real and you just took it as fact. With that, thank you so much for listening to me here today. I, I really appreciate it. I hope that you continue looking for truth. Thank you.

Wait, wait, wait, wait, wait. Why are y’all clapping for this? This is insanity. Why are you clapping for this? Do you all believe what this man just said? Why are you encouraging this behavior? Peter, this is, can we, can we sit down? Can we have a rational conversation about this? Would you guys like to hear a rational conversation about this? All right, let’s sit down, let’s do this. Okay, I mean, I don’t know, like, this is a cyber something, this is a serious place, these are serious people, and so I want to have this conversation. I’ve spent 14 years in the US Congress working on real conspiracies, I’ve worked at the White House working on cyber security. I think it’s important for us to understand this, and so I’m hoping we can talk about this as a social experiment, as Peter, um, not the public information officer. Can we do that a little bit? Can we? We can? Okay. All right, all right, good, good. So this is a social experiment. Can you talk to us about Birds Aren’t Real? Like, when you say a social experiment, what are you trying to do, who are you, and why are you trying to help us with this?

Totally. Thanks, Nicole. Uh, hi, I’m Peter. Can you say hi? Hi, Peter. And I do not actually believe that every bird is a robot. Uh, this is a character that I’ve been playing for almost six years now, of a guy who thinks that every bird is a robot. Um, play the public information officer for a fake movement called Birds Aren’t Real that has a lot of real followers who are also in on the bit, uh, just like I am. I started Birds Aren’t Real from Arkansas nearly six years ago to see if I could convince the media, uh, of a truth that is not true at all, uh, that there’s a real movement that thinks every bird is a surveillance drone. Uh, so over the past six years I’ve held rallies, I’ve hired ex-CIA agents to come on and confess to the crimes of the government. Uh, we’ve
manufactured old email leaks, uh, photoshopped fake pictures, and through all this we’re able to successfully convince the media over years that we are a real movement that does, uh, exist. Um, so we came out of character last year on, on the front page of the New York Times, uh, coming out to say this entire thing, uh, was false, but that through it we learned a lot about what it’s like to be a conspiracy theorist in America.

Yeah. Okay, but a lot of people believe this, right? And so you had six years that you’ve been doing this experiment, only one year you’ve been public, yeah, and telling people, “Hey, this is, this is an experiment on what can be done.” Talk about how it felt for the people who still believe this at any point in the experiment, but then also what you experienced when people thought you really believed that birds weren’t real.

Totally, yeah. So, I mean, I spent years driving around in a, in a van that said “Birds Aren’t Real” all over it, as well as other words like “Bird watching goes both ways” and “If it flies, it spies,” and as I did that, uh, I figured out, uh, something that I didn’t think I would find, which was that it really gave me a window into how people treat conspiracy theorists, uh, in 2023. I’m from Arkansas, for some context, so I grew up homeschooled in a very hyperconservative religious environment, uh, in Arkansas, in Little Rock. So a lot of the people that I grew up around are sort of using the same logic and cadence, um, as the character that I play. So I’d understood it to an extent before, but I guess going into the character, I would be in countless parking lots or gas stations in the Birds Aren’t Real van and someone would, you know, walk up to me. I would, I would have a, a cowboy hat on and a suit and a megaphone, and they would walk up and they would explain to me how crazy I am or how un-, how, how uneducated I look or stupid I am, or that I’m the problem with this country. And in those times it was really interesting, because I didn’t really feel the emotions of myself as a person who’s like, oh, they’re falling for it, you
know, they think that this is a joke. I felt the, um, the emotions of the character, yeah, and I felt really emboldened and sad and othered. And in those moments it made me want to burrow deeper into the character, to tell, tell these people that they’re so wrong, that they hadn’t even seen the evidence that I’d seen, that they didn’t even take the time to get to know me, and that they didn’t know that I was doing this for them too, I was trying to stop them from being surveilled as well. Uh, so I think that through the time in character, it taught me a lot about what it means to be a conspiracy theorist, and how the way that I had even been reacting to conspiracy theorists in my own life may have been emboldening them more than, uh, defusing what they were dealing with, and then therefore not really being productive, uh, so, yeah, bringing us any closer into a shared reality or living in the same truth that I would prefer us to.

Yeah, yeah, I think that’s interesting. I, I will also share that I’m from Mississippi, and so, um, there’s a lot of othering that happens with the southern part of the United States, especially as it relates to politics and public policy, this idea that depending on where you grow up or how you were raised or the accent that you have, um, somehow makes your opinions or thoughts about politics and policy and world events less than others. But I think one of the things that you’ve been able to do with the social experiment is somehow do what only Smokey the Bear was able to do, which is create a PSA for millions of people to have a little bit of awareness about disinformation and about how there’s, it’s okay to have a conspiracy theory that you believe in for a little bit of fun, but it can get dangerous. And I think that is something that the government and, and corporations have all tried to figure out, how do we raise awareness about disinformation, yeah, and quite candidly have not done as well as you have been able to do. So talk a little bit about what you were doing for six years, and now we are in a space where the
disinformation is so prevalent, people are seeing it as we have these, uh, geopolitical conflicts going on. Do you feel like you have done a bit of a, of a service, that your followers and the believers, the Brigade, have a higher level of awareness about disinformation than they would have six years ago?

I certainly think that our followers think about it differently, because they’ve been sort of in the, in on the bit with us. You know, we have millions of followers, uh, all pretty much Gen Z or, or millennial, across Instagram and TikTok and Twitter, uh, Facebook and all that, and through that they’ve seen how we can engineer disinformation and therefore how easy it would be for somebody else to do the same. You know, we learned that, uh, people rarely read, uh, farther, farther than the headline, so if we could pretty much just engineer, uh, a headline and then, you know, two clicks down, we could pretty much sell a truth without having to have any actual substance, uh, or, you know, um, how easy it was to manufacture, uh, text, uh, documents, and now with AI and image creators, videos and images. Um, these can, uh, were so easy to plant before. It was so easy to convince the media and people that our movement had been around for 50 years just through some photoshopped, uh, photos and convincing arguments. Um, but now it’s so far gone to where disinformation and information are largely indistinguishable. You know, the past couple months I’ve seen that more than ever, where I’ll be online and I’ll see one, you know, uh, a picture that emboldens an entire, you know, kind of like movement online for one, for one thing, then it’ll come out that that photo was actually made with AI and that that wasn’t even real. Then they say, “Hey, here’s the actual picture that this was made from,” but then that picture will end up having been made by AI, and we are truly just in a post-truth era now where you can’t tell, uh, what is what. So I think that for me and, you know, the followers that we have, we, we spend a lot of time talking about these things. We have something called the Bird Brigade, which is a
boots-on-the-ground activism network, it’s what, what, what, what we call it, where, just like the one here in New York, we talk about these things in character and also out of character, talk about how interesting the social experiment is and then what it teaches us about other people and things. And I think a big takeaway for at least us as we’ve been going about this is sort of this realization and acceptance that none of us are ever going to be able to fix misinformation or disinformation online. It’s such a massive, uh, Pandora’s box that’s been opened, and, you know, me and a lot of us are not in charge of the social media companies. You know, there’s no way you can censor everything out there, how do you go about doing that? But what I realized and what we realized throughout doing this is that the side of belief and truth is being very heavily debated and critiqued, and people are really trying to figure out how to crack the post-truth era with more truth, with shutting down, uh, disinformation and promoting true, the true information. But that’s pretty hard, and I think there’s one side of the conversation that hasn’t been talked about as much, which is what’s driving people to, uh, disinformation in the first place, you know, specifically around conspiracy theories, uh, uh, around, you know, kind of making yourself this, um, person that’s found out special information that repositions you as the hero in your mind, where now you have information that people don’t. Um, I think we found it has a lot more to do with belonging than belief when it comes to conspiracy theories, and that for a lot of people it doesn’t really even matter what it is, their, um, you know, the theory that they’re believing. That’s why a lot of conspiracy theorists will start off with one thing that eventually just becomes everything, um, because they’re getting three things out of conspiracy theories that they’re not getting in their normal lives. At least the character that I was playing felt this, which was that, uh, through Birds Aren’t Real and through believing that the government was
killing all the birds or replacing them with, with robots, that didn’t just give me a truth to believe in, that gave me a community of people that could come around me and give me a sense of identity, that, that also thought that the birds were, were killed by the government and, and replaced with, with robots. Um, and it gave me a, a sense of purpose, something to do with my life. Uh, so I think that something beneficial that we can include in the conspiracy conversation, while we try to figure out how to go about reducing massive disinformation and social engineering online, and it’s going to get worse and worse and worse with AI in the coming years, I think something we can control is how we react to people around us, talk with people in our own lives, and approach disinformation when we’re confronted with it. Uh, yeah.

Yeah, I think that, I mean, I, the thread that I would pull from that, um, is community and trusted messengers, and we talked a little bit about that during our election security panel earlier. And so I know we’re almost at time, but you have an audience with government officials but also leaders in academia, in the private sector, in corporations. What is it like, what are, are there examples of things that we could be doing or that you have seen that bring together that community and trusted messengers as it relates to disinformation and conspiracy theories?

That’s a good question. Yeah, throughout the past few years I have not seen much that has worked. Uh, I went to the global fact-checking conference last year, actually, and a lot of what the speakers there were saying was basically, “We don’t know what to do, you know, we don’t know what works.” Um, one thing I have seen that’s been promising has been, uh, X, formerly known as Twitter. Um, a lot going over there that I, going on over there that I don’t agree with, but something that I have seen that is very encouraging to me is the Community Notes feature, where if something is spread that, you know, shares something that’s not true, there will be a note left on it by a trusted member of the
community, someone who’s in the system, who can be rated and voted upon their, their, their accuracy, and it will tell you what’s actually going on and cites actual sources to let you know what the truth is. And there’s actually, I, I, I liked a post the other day on, on Twitter that, uh, that contained disinformation in it, and I didn’t know, and I went on about my day not even thinking about it, and then yesterday I got a notification that popped up that said, “Hey, you liked this post a few days ago. It actually, now we, we found out it has some disinformation in it. Here are the sources cited, here’s how we know.” And then it was rated, uh, as such that, you know, you can trust this person doing it. And I’ve actually never seen those, um, I guess, spread something that’s not true. It does seem to ground something in truth and have a follow-up method that is, that is pretty effective. Uh, so yeah, that’s, that’s the one thing that I’ve seen.

Yeah, I mean, anytime we can figure out something positive to say about Twitter, formerly, uh, I feel like that’s a good thing. But I think it is, when we have this, and especially for someone like you who has over the course of six years been attacked and now also in a place where people are like, “Wait a minute, maybe he has a point,” I thank you for coming and talking to this community, ’cause I think there is a lot of expertise in this audience, but there are also a lot of trusted messengers in this audience. The cyber security community is a close-knit community, um, and so I don’t know if you’re going to get new members in the Brigade, um, but this probably is a good place for you to recruit. So thank you for joining us, Peter.

I hope so. Thank you guys, thank you. [Applause]

And joining us now for a conversation about cyber education and civil defense, we have Dr. Cynthia Warrick, President Emerita of Sullivan Stillman College; Craig Newmark, founder of Craigslist and Craig Newmark Philanthropies; Dr. Diana Burley, Vice Provost for Research and Innovation at American University; and Brigadier General Terrence Adams of the US Air Force. Leading the
conversation, we have Katie Brooks, director of cyber partnerships for Aspen Digital.

All right, good afternoon everyone, thank you so much for joining us. This is a little bit awkward because we actually had a bagpiper planned to introduce this panel too, and now it’s like, we can’t do it, so we’ll just dive right in, it’ll be great. So, uh, as mentioned, I’m director of cyber partnerships here at Aspen Digital. We have about 40 minutes to talk about and tackle the topic of cyber education, specifically as it pertains to two main things: one is the workforce, and one is what everyday people need to know just as citizens of this country and citizens of the world. Um, I want to make sure that I frame this conversation first with an initiative that was started last year called Cyber Civil Defense, uh, championed in large part by Craig Newmark, and that’s the idea that everybody has a role to play in securing our nation, securing themselves, securing communities online. Um, there are many different components of that initiative, we’ll get into that in a moment, uh, but for now I know that these panelists have a ton of excellent firsthand knowledge, firsthand experience on, on all of this, so we’ll go ahead and dive right in. Um, so I’d love to start by having each one of you introduce yourselves with two questions. The first is, what is your current role, and the second is, how did you get into cyber security, or how did cyber security find you? So we’ll start with Cynthia.

Well, hi. Um, my current role is retired, although my children will say I’m not retired because I still do stuff, but I just retired as the first female president, seventh president, at Stillman College, which is a historically Black liberal arts college in Tuscaloosa, Alabama. And how did cyber security find me? Um, I guess I’m a boom-, Boomer, I’m a, I’m a Boomer, um, baby geek, I guess you might call me that. So I’ve been, uh, tracked to technology pretty much all my life, because I’ve seen a lot of things happen in technology and being here a long time. So, um, and, and first I was a president at South Carolina
State University, I started their cyber program, and then when I got to Stillman in 2017 we had a ransomware attack, and that’s how I got intimately involved in cyber security.

Excellent, thanks, Cynthia. Craig, over to you.

Um, I guess my current role is in this cyber, uh, civil defense stuff. Uh, my deal is that I’m thinking that in World War II, when our country was under attack, everyone played whatever role that they could, and I figured that’s a good idea. Uh, I grew up in the ’50s, when, uh, patriotism was a thing. Uh, it seems like a pretty good idea, so I’m trying to revive the whole concept and make it, uh, make it real again, because we are under attack, we need to stand up for ourselves, and we need to share the responsibility, you know, private individuals to business to government. Like, we need, uh, things like, uh, cyber trust marks, security nutrition labels on devices like we might bring into our home, like baby cams, which could actually store, uh, munitions in the cyber warfare, and we need, uh, trust labels on things like kinetic weapons, like, uh, your car, which also could be used against us in an attack. I mean, I got into this I think around 1974 when I wrote my master’s thesis. I, uh, am that old, and I figured I’d dedicate my, uh, declining years to cyber security.

Excellent. And, uh, Craig, we can talk a bit more about this later, but anything new today that you want to share?

Um, the “do your part, we’re all in this thing together” also applies to support for veterans and active, uh, active service families. To that extent, about an hour ago I announced a program to help, uh, veterans’ families in Hawaii recover from the fires there. I announced this with a guy that I’ve helped, I’ve, basically I’m a trainer for a guy named, uh, Dwayne Johnson. I’ve heard of him. He’s, uh, apparently both fast and furious. I’m neither.

Excellent. Well, Craig, that’s an amazing commitment, thank you so much for your support of that.

I’ll try to make a funnier one next time.

All right, Diana, over to you.

I don’t think it’s fair that I have to follow Craig. It’s okay, all ad doubt. Uh, so I am Vice Provost
for research and innovation at American University in DC. I am also the director of a newly formed institute at American, the, uh, Shahal M. Khan Cyber and Economic Security Institute. Uh, I feel like I’ve grown up in cyber in many ways. Um, I, I’ve been doing this and in this field for 20-plus years, and, and I would say as a graduate student at Carnegie Mellon, um, where everybody was focused on the technology, I was that odd duck that said people are important too. And I think what aggravates me is that I hear a lot about how people are the weakest link, and I just, I, I find that to be, and I’ve used that, I’ve used that phrase myself, but, you know, much of the time I feel like that’s a lazy way of thinking, because people are complex and dynamic and predictably and creatively unpredictable, and perhaps the weakness is that we are designing systems that don’t account for that, right, and we’re developing technologies that forget about the people. And so I have been in this field for a very long time, and everything that I do is always about bringing those two together: the technology side and the social behavioral science side.

Excellent. Well, we’ll cover that in more detail shortly. Uh, for now let’s go over to Terrence.

Hello, Aspen. I am Terrence Adams. I got into cyber, um, probably because I started with software programming, so if anybody remembers COBOL and a mainframe, uh, that’s how I kind of started my career. Uh, it led into, uh, joining the Air Force and getting into networks, uh, deploying those networks around the world, and then also the opportunity to try to secure those networks. Uh, so that’s what I’ve done, you know, pretty much for the, for my 36 years that I’ve been serving. I’ve, um, also, um, rolled into a new job just last, last month as the deputy principal cyber advisor for the Secretary of Defense. Uh, and today I came here to make an announcement, but we’ll do that later on, as far as something that the Air Force is doing, uh, to try to, uh, attract the, the best and the brightest to serve in our United States Air Force. Thank you, Katie.

Excellent. Well,
as you can see, there are a variety of different entry points into the field, even just on this stage here right now. Um, so I’d love to volley a question over to the group, which is: if I’m a prospective entrant into the field, what are some of the considerations, courses, skills that I should be looking at, either for technical roles or for non-technical roles within the field? Does anyone want to take that one first?

I’ll start. Um, so first, I think, because you said it, technical roles and non-technical roles, right? So I think that the first thing that people should remember is that cyber security is a field, it’s not one single profession, and there are many, many, many different roles within that space, um, for people to engage, uh, in the field. Um, when you’re thinking about courses as a new student, you want to make sure that you are thinking about how to be computationally sound, um, how complex thinking, decision making, those kinds of skills, before you ever get into the hands-on technical skills, um, or even the definition, um, types of courses. You want to make sure that you are able to think in a way that allows the complexity to come into you and through you in whatever part of the field that you want to go into.

Absolutely. Uh, anyone want to add on to that, just different considerations?

Yeah, at Stillman we, um, participated in the IBM Skills Academy and also the Amazon Web Services Academy, and so both of those organizations offer certification courses. So it’s pretty easy to get involved in, in those areas because it’s, you don’t, it’s not required a degree, it’s not a degree program but certification. So I think building upon those skills that you talked about, uh, in terms of the interest, in terms of critical thinking and, and those types of, of, uh, characteristics, uh, just learning more about, you know, software, we’re engineering, it’s, it’s multidisciplinary, so it’s, um, it’s, it’s, you need to really explore what, who you are, and then which program will be best for your, your interest.

Absolutely. And so I, I’d like to kind of test that on a bit of a use case. So
understandably, you were at the head of an organization that experienced a ransomware attack. What was that like from your perspective, from discovery of what was going on to recovery? Who did you call for help, and what skills did they have?

Yeah, well, so happened in this same week in 2017, uh, right before Thanksgiving. Uh, we got this message through our, uh, enterprise system, which is Colleague, Ellucian Colleague, to, to request, uh, $110,000 in Bitcoin. They had encrypted all of our data, and that, uh, we needed to pay in order to, for them to release the data to us. Um, so luckily when that happened our system crashed, so they weren’t able to access any data. Luckily, yeah. But unfortunately, uh, we didn’t have the capacity. Being a small liberal arts college, we didn’t have the IT staff, the people involved that knew what to do. So the first person I called was my daughter, who happened to be a lobbyist with the Society of Risk Management, and, you know, the insurance folk know about everything. And so she provided a lot of the details about where, who we had to contact, who we had to report to. There’s a lot that you have to do when you have this kind of attack. You have to report to the FBI, report to the, uh, Department of Education, report to the Department of Veterans Affairs because we handle VA students’ data, you know, so anybody who’s involved. So all of those entities we had to report to, and, and it was difficult finding anyone in the community. I’m in Tuscaloosa, Alabama, right down the street from the University of Alabama, but yet there weren’t any professionals in the area who knew anything, who could help us. And so reaching out to our insurance cover, they had a list of companies that we had to use, and they recommended legal counsel for us to do that. And you can just imagine the expense that all of this in, in takes, you know. You’ve got to have a lawyer, the lawyer has to craft the messages that you send to everybody else, and so it’s, it’s really a challenging situation. And when that all happened I decided that we definitely needed to grow our own, and so, so
that, that motivated me to start a, uh, a cyber security program, and with assistance from IBM and Amazon Web Service, and NSA provided grant funding, and just looked at anything that had anything to do with cyber, I reached out to them and asked for help.

That’s excellent. And you spoke, I think, throughout your remarks about legal professionals, not just the technical folks as well, but it really takes a village, and I think until people are hit by an attack like this it’s hard to understand what the first steps need to be. Um, on that theme then, Craig, I’d like to turn to you about, uh, any recommendations you have for folks out there who are not in the field: what can they do to protect themselves proactively?

There’s in a way two levels of education needed. There’s people who need professional-level education, who might be looking for a career. You know, maybe they’ve done the basics and they find they have a knack for it and they’re good at it. Now, I know that I’m not very smart, so what I’ve done is engaged folks, including people at American University and the Aspen Cybersecurity Group, to understand this at the professional level. My particular passion, like I mentioned, is for the role that everyone could play helping defend themselves, their families, their homes, maybe where they work, and the entire country. That’s the idea of this, uh, cyber civil defense stuff. After all, I’m, uh, genuinely a member of the Duck and Cover generation. And the deal is that we’re trying to figure out what kinds of education are required for people, given that everything is a moving target these days. We all need to do a better job with, uh, passwords, but, uh, passkeys are coming pretty rapidly, particularly passkeys using what some call social authentication, like when you try to log in and it says, hey, you can go into, uh, Google or Apple or Microsoft to log in and we’ll trust that. And so I’m trying to accelerate the adoption of passkeys in addition to the education of that. That means I got to call up people at the big eyes and be just the right level of annoying, uh,
because, and be careful, because my tendency, I can be very annoying. Um, so that’s one of the kinds of things that are going on. Otherwise I got to explain why everyone needs to at least know what ransomware is and how they might consider it where they work but also at home. Somebody last night, uh, uh, from this conference, uh, mentioned to me that, what happens if somebody compromised one of your internet-connected devices, like your car, uh, scrambled, uh, uh, authentication or something like that, and then held that for ransom? So all these considerations are our own, these are universal concerns, and I’m trying to figure out what’s the proper balance between industry, government, and ourselves. And that’s, uh, we’re just at the beginning there. I need help, uh, doing things like developing memes. I’m inspired by a meme, uh, 80 years ago, uh, with the message of, uh, loose lips sink ships, and I need to find the version of that for cyber security.

Absolutely. So Craig, I think it’s clear the risk does impact everyone, so there’s certainly an education component that is required for everyone to be able to address the problem. Um, Diana, I’d like to zoom out a little bit and take a look at the cyber security workforce question. I think over the past 10 years we’ve seen numbers volley up and down, all of which are staggeringly high, about the workforce shortage, so curious what trends have you seen recently, um, both for the, for the workforce question as well as for some of the education programs that are coming out?

Yeah, so I, I never use those numbers, um, because I find that they, as you say, they move back and forth, and it really depends on exactly what you’re talking about to know which numbers, right? So I just ignore them all. Um, the need is great, and that is undisputable. So, you know, we’re certainly seeing that some companies and frankly agencies are taking it upon themselves to train up in-house, uh, so they are upskilling individuals and developing programs, sometimes in conjunction with academic partners and sometimes without, uh, to get people ready for the type of work that
they need specifically in their organizations, and sending them for certifications as they need to do that. Uh, but we’re also seeing a growing number of programs in the academy, uh, that are designed to both do the technical work and, and get people ready on the technical side and, and the non-technical side. Um, about five or six years ago I led a task force for the Association of Computing Machinery to develop the first set of, uh, global curricular guidelines, to, to develop that standard so that when you go to different institutions to get somebody, you know that an apple is an apple is an apple, uh, because that’s one of the complaints that we had been seeing. And so we’re seeing that there is at least some standardization, some base level of knowledge that, um, for programs that follow these curricula, that they’re able to achieve in their students. Um, so we’re seeing growing numbers of these programs, and, and that’s a good thing. We need to continue growing them. We need to continue moving toward, you know, as Craig, as Craig points out, everyone needs this regardless of whether they’re moving into the field or not, because the workforce issue is really one of, this is a digital society, so everyone needs some basic level. And, and so, you know, my, my hope is that at some point the academic institutions all along the way will have some level of general educational requirement that addresses these topics, to make sure that everyone knows what these terms mean and, and basic skills to protect themselves and, and the people around them.

Absolutely. It, it seems like an overdue component at this point given how quickly everything is moving. Um, so speaking of different programs to address this, Terrence, I’d like to turn to you. Um, I’ve heard something about a cyber direct commissioning program. Would you like to share with us a little bit more about that?

So I’m excited to announce the Air Force is rolling out a new direct commissioning program, uh, the Cyber Direct Commissioning Program for our reservists. Uh, you probably have heard this program, direct
commissioning, used for JAGs, for lawyers, uh, for nurses and doctors, uh, but that authority hadn’t been given for other professions. Uh, and so United States Air Force has a direct commission program for our active duty, uh, but today we’re announcing a program for our reservists. Uh, we are seeking to attract the best talent that’s out there, and many of that, that, that talent is in this room today. Uh, and then with our Reserve program you get an opportunity to still maintain your employment, um, with whatever company you work for, but simultaneously, uh, wear the, wear the uniform. Uh, this program has been successful, that we’ve seen, uh, from other services, uh, and now the Air Force is doing the same thing. Uh, there will be more information that you can find online. Uh, and now members will be able to come in, uh, depending on their background, expertise, the degree programs that they’ve been through, uh, and start out as, not coming in as a lieutenant, a first lieutenant or a second lieutenant, but they could come in as a, as a captain immediately, as a major immediately, and as a lieutenant colonel immediately. Uh, we have a pilot program going right now. We have a person that went from technical sergeant, uh, to major, and so she’s going through training right now, Montgomery, Alabama, through our officer training program. Uh, she’s a Black female who owns a tech company, and so she’s starting her journey to become an officer with this direct commissioning program. We want to be able to use this as a tool that we can attract talent, uh, that we need to serve our nation and for our nation’s defense, uh, in unique ways. Uh, this will be an opportunity for us to reach out, uh, into private organizations and into our military enlisted force to be able to offer something unique and different.

That’s fantastic, and thank you so much for announcing that here, we really appreciate it. Um, I know that there are a variety of different programs over there. Um, Cynthia, I’d love to turn to you to highlight a bit about cyber clinics. I heard that there’s one coming to Stillman pretty soon.

Yes,
um, Stillman joined the Public Interest Technology University Network, PIT-UN, and through that we learned about cyber clinics, and it really fit what we were planning anyway, because I had just gotten funding from the Economic Development Administration to convert a former dormitory into a cyber security and information technology training center. And, you know, just recognizing the difficulty I had with trying to access help, these cyber clinics will be students who are trained in cyber to really help small businesses, hospitals, churches, everybody who has technology in the community, to help prevent, educate, understand about cyber security, but also to help them facilitate challenges within their system if they get hacked, etc. So, uh, we’re excited about the possibility of having students serve in the community, you know, as a community service, so that they’ll be able to use these skills that they’re learning to help these small businesses and others to, uh, address these kinds of cyber threats.

That’s fantastic. I think applied learning opportunities are so important in this field. Um, and that also speaks to the role that those with the knowledge, uh, have in, in really educating the community about that. So Craig, over to you. If you could ask of this room, who I think we have several cyber students, professionals, leaders, we have a great group here, what should they do? What would you like to challenge them to do to advance the Cyber Civil Defense cause?

Um, basically to talk about it a great deal. Uh, I really am a nerd, and, uh, I’m not the guy who should be talking advertising campaigns, PR, or anything like that, but the most important, uh, component of all this is to remind everyone that we are all in this together. This is a matter, like I alluded to earlier, it is a matter of patriotism, and I think we’re only going to get through it if we all do participate together. I’m very self-conscious about this because, again, as a nerd telling people we should all participate in this big communications effort, well, it’s like a crime against nature. But like the
Batman says, I’m probably not the nerd you want, but I am the nerd you got.

There you go, well said, Craig. Um, in the limited time we have left, Diana, I would love to turn to you. I know that the Office of the National Cyber Director at the White House recently released not, not a small document, a pretty ambitious document that pertains to cyber workforce and education. Um, what were some of your key takeaways from that document, um, and was there anything missing from it that you would have liked to have seen?

Well, I’m not going to answer that question on the stage, but, but, um, you know, I, I thought overall the document was very well done. I think that it validated a lot of the work that we have been doing over the last many, 10, you know, or so years. Um, it, it certainly pointed out the need for this base level of competency that everyone in society needs to have in order to increase and strengthen the resilience of, uh, the cyber resilience of individual citizens. Um, there was also a focus, which is sometimes left out, on the development of educators, so individuals at the K-12 level and the postsecondary level who are able to actually teach this content, and oftentimes that is left out of the strategies. You know, there’s just this, this, um, gap, and so I was pleased to see that. And the other thing that I’ll point out is that there was an emphasis on hands-on training. And, and because I am competitive and everyone else has made an announcement on stage, I feel like, come on, I must bring it, announce something too. So I will tell you all that at American University next month we will be opening our cyber range that will give us a capability to do hands-on exercises, uh, with not just technical scenarios but with non-technical scenarios that allow our students and our community partners and, and friends to come in and exercise through scenarios so that they understand what this really means, you know, what are we talking about. And so I am telling you first, uh, I mean maybe, maybe second or third, but first, that, uh, that we will be opening the range soon in
partnership underneath the Khan Institute, in partnership with the CRS Solutions.

Excellent. Well, this is very impressive, we’re four for four on announcements in this panel. Well done, all. So Terrence, back over to you. Um, I think for those of us that are not part of the military it can be a little bit opaque, so if you could outline for us, how do military and civilian opportunities differ for cyber security, and are there opportunities other than what you had just announced to move between sectors?

Yeah, sure. So, um, the civilian opportunities that we have, and most of the time when I go around and speak most people think I’m trying to talk to be a recruiter, uh, because, uh, they see the uniform and they think that’s most of the jobs we have in the military. But we have a lot of government civilian positions. A lot of times they provide expertise and continuity, um, and a lot of times they are part of the team doing the exact same thing that military people do in uniform each and every day. Some of those, um, members have been retired, so, meaning they’ve worn a uniform and they’ve come back to continue that work across a broad spectrum. As relates to cyber specifically, we have those, uh, civilians partnered on our team. Uh, they’re actually doing, um, actual hands-on-keyboard work. Uh, some of them are writing policy, uh, some of them are doing our training and developing curriculum as well. Uh, so our civilians, uh, that we have, um, that are GS employees, and also we have a, a relatively new program called Cyber Excepted Service civilians, and we’re able to, um, expedite the hiring of those individuals. They don’t have to go through the regular kind of hiring process, uh, that most of our civilians do. That was designed to really get at a critical kind of bathtub we had, to try to, uh, inject a lot of civilians to do cyber operations type work. Uh, so we found success in our Cyber Excepted Service program, uh, as well, and those have been things that we want to pair together with the direct commissioning program for active duty and reserves, uh, to bring those two things
together that will bring in the type of talent that we need to, to continue to secure the nation.

Excellent. Well, that’s fantastic, thank you so much for sharing. Um, so I’d love to go to a quick lightning round, but before we do that, in the interest of time, if you do have a question for this panel I’ll invite you to go ahead and queue by the mics. Um, please, if possible, just limit that to one or two people in line. I think that’s all we’ll have time for; I want to keep the aisles clear. Um, but for now, a lightning round. Um, and it’s a lofty question, so no pressure. Um, what is one prediction that you can share with us about the future of cyber security workforce or education? Um, so actually I’ll go the opposite direction this time.

That we will always need more people doing it.

That’s a pretty solid prediction, I think that’s a safe bet.

Yes. That there will always be a disconnect between the academy and industry, but that we can continue to, to shrink that gap if we work together.

And quick follow-on, what, what is the tenor of that gap that you’re alluding to?

Um, you know, the academy approaches things from a curricular standpoint that doesn’t always address exactly what is necessary when the people get into the workplace, uh, and the flip side is that individuals in industry focus on everything that they need specifically in their workplace, and they don’t always recognize that we can’t do that and do the base in a short period of time. And so I think that the more that we come together and, um, talk to each other and help each other co-create programs, the, the smaller that gap will be and the, the faster we will be able to put people into the workforce in successful roles.

Excellent, thanks for elaborating. Craig, over to you.

DOD has this, uh, great program called SkillBridge, which trains, uh, active service members preparing for transition, transition to the civilian workforce. It helps get them jobs in cyber security, maybe other areas too, but I’m, uh, focused. And I predict I will help, uh, push that along, uh, and I will try to be just the right level of annoying.

Duly
noted, thanks Craig.

Yeah, which is almost the same as being the right level of irritating.

Or effective, I don’t know.

All right, effective isn’t as funny.

Fair point. All right, Cynthia, over to you.

Uh, I would say crooks are good at crookery. They’re very innovative, and so we need lots of people to anticipate what the next round of cyber crimes is going to be about.

I think that’s very fair. All right, well, I see there’s a question over here. Um, and again invite you all to, you, we do have a few minutes for questions.

Hi, thank you so much for this panel. My name is Rich Chan, I run this Share the Mic in Cyber initiative out of New America. Um, and so I’m interested in learning your perspective about kind of further down the pipeline. There’s a lot of investment going into early in the pipeline, lowering barriers to, um, certifications, and then the proliferation of cyber clinics. Um, I’m interested in your perspectives about how to retain that workforce, especially when we are coming up challenges of upskilling to meet emerging tech issues, when we come to DEI, um, things like belongingness in the employ, in the workforce. Um, I’d be interested in your perspectives on retention.

Excellent.

Um, no, in terms of retention, I, I think one thing we have to focus on is culture. Um, culture is so critically important, and that’s that sense of belonging that we have to develop and instill in the organization so that people feel like they belong, um, there. But it’s also true that, you know, we talk about if you can see her you can be her, and so there are a lot of opportunities for us to display the diversity of individuals who are actually working in the field, and seeing them, hearing their stories, understanding what they are doing, and knowing that they are there, um, to develop and, and have that sense of community gets people to remain in the field. And so we have to do more things that bring those communities together and, and give people that support.

The, uh, theme again is that I’m, uh, not smart but I know people who are, so I will support them in these efforts. Uh, there’s Girls Who Code, um,
there’s a number of other groups, Girl Security, uh, and what I’m doing is helping support them. An important group is also the Geena Davis Institute, because their slogan is if you can be it, I’m sorry, if you could see it you can be it, and I’m working with them on a cyber program. And there are all these programs then that can actually push us all ahead towards, uh, doing real stuff. I’ll mention that the last time I worked directly with Geena Davis was here just some months ago. Uh, you’ll see a photo of us together where she’s, uh, well, towering above me, um, because she’s at least two foot taller than I am. But the deal is that there are people trying to change our culture who can do so in ways that people who are kind of slow like myself don’t know how to.

Well, I would disagree with that, Craig. I think you’ve been an excellent pioneer for this field, and the commitments that you’ve made have really bolstered the next generation of cyber professionals.

Oh, also I’ve supported at New America a group called Share the Mic in Cyber, that too.

And thank you for that.

Excellent.

I really need some help tracking all these things, Katie.

I’ll do what I can, Craig. All right, right over here, very quick question.

Kevin Nolton, uh, cyber.org. Uh, my question is around K-12. What’s your opinion on K-12’s role in this cyber security education workforce development span?

It all starts in K-12, so I mean it’s, it’s a critical role. I think we have to, the further downstream that we can go getting this content integrated, right, there, there’s standalone cyber security, but then a lot of the skills that we talk about that individuals need are not unique to cyber, and so part of what we have to do is to recognize that we can integrate this content, this digital literacy, you know, the ability to, to have computational literacy and skill sets and just understanding what the terms and the, the concepts are. We can begin to integrate that into the curriculum very, very young. Um, part of that responsibility lies in our teachers, and so I’m a big advocate for working with schools and colleges of
education to help the teachers learn what the content is so that they can integrate it. Uh, and then, you know, certainly as we have camps and, um, clinics that are co-curricular activities, those are critically important too, but they can’t do it alone. So, um, K-12 is, is a, a very important, um, starting point for us.

In our Junior ROTC programs, um, we’ve had the Army, uh, had a program, uh, they were piloting a program to be able to integrate it. Uh, they have a school in DC, and it’s pretty much a, um, a cyber kind of ROTC program that’s been established. Uh, the Air Force, at our Junior ROTC program, was partnered with Computer Science for All, um, to roll out new curriculum, uh, do summer camps as well, to be able to find that exposure. Uh, and the Air Force Association has a CyberPatriot program too, um, that also gives that exposure to, from K through 12, so.

Excellent.

Uh, to give credit again, there’s, uh, Girls Who Code, which focuses mostly on, uh, girls in high school, not only coding but cyber security and related areas, and for that matter, going down earlier in age, there’s, is the Girl Scouts. Uh, they have cyber security and merit badges. Like, one of my, uh, neighbors back in, uh, San Francisco, where one day she showed up with the complement, I think, of Brownie-level, uh, cyber merit badges, and I’ve told her parents they need to pay her a fair hourly rate.

Fair enough. All right, well, I’ll pause really quickly to see if there are any other questions, um, and if not, would love a quick round of applause for this excellent panel and their announcements today. Thank you all so much.

[Music]

Up next, chronicling our government’s decades-long quest to solve one of humanity’s greatest mysteries, please welcome back to the summit stage Garrett Graff, author of the new book UFO: The Inside Story of the United States Government’s Search for Alien Life Here and Out There.

Good afternoon. Um, I realize that this subject feels like a little bit of a stretch for a cyber summit, but, uh, Jeff asked me to talk a little bit about this mystery of UFOs and the search for extraterrestrial intelligence as a
way to stretch the imagination, uh, for the afternoon, and also because it is a, fundamentally, a story of how advancing technology, national security, and politics have reshaped our world. I came to this subject as a national security journalist because I started to hear in the last seven years serious people talking seriously about the mystery of UFOs. I was particularly drawn to the subject in December 2020, when John Brennan, who had just wrapped up the better part of a decade as the CIA director and White House homeland security adviser, gave an interview to Washington journalist Tyler Cowen in which he said there are things up there that puzzle us, that I don’t know what they are, and that they might represent a new form of life. And it struck me because I know that John Brennan has spent the, his entire career at the upper ranks of the intelligence community, and figured that there were not that many things probably in John Brennan’s life that left him puzzled. When he had a question that he wanted answered, he had a $60 billion a year intelligence community to go out and answer. So I’ve now spent the last two years as part of my research studying one of the most fundamental questions of human existence: are we alone? It is one of the biggest and probably longest-standing questions of humanity, right up there with is there a God and what happens to us after death. As part of that research I’ve dug into the history of the US military hunt for UFOs here on Earth, as well as the evolving astronomy and science around what’s known as SETI, the search for extraterrestrial intelligence out across the universe.

Usually these two threads are treated differently by journalists and historians, that there’s the spooky UFO history on Earth and then the serious science of SETI, but to me they are in fact deeply related and closely intertwined stories, not least of all because whether, the question of whether we are alone has a lot to do with whether aliens are visiting Earth in the first place. While humans have seen strange things in the sky since
the earliest recorded histories, the modern flying saucer age dates back to the summer of 1947, when a wave of flying saucer sightings, including the now-infamous crash at Roswell, captured the nation’s attention. In the years since, Hollywood latched onto the mystery, and UFOs and aliens lodged themselves in our public consciousness. Yet 80 years into the quest to solve UFOs and understand whether we’re alone in the universe, we’ve come up frustratingly short of answers to either question.

The answers I’ve discovered for my book, though, might surprise you. For one, the math is almost certainly on the side of the aliens. They’re, but they’re almost certainly too far away for us to have meaningful contact. We now understand that actually habitable planets are quite common across the universe, and even though there may be only a small number per solar system or galaxy, there are far more galaxies than we imagine. The James Webb Space Telescope, pointed at a single patch of dark sky that we believed was empty, uncovered 94,000 previously unknown galaxies in just that single picture. The math across this scale is incredible. The average galaxy is now estimated to have perhaps 100 million stars, and every star is now estimated to have planets. Across the universe, put this all together, and there are an estimated sextillion habitable planets across the universe. That’s a billion trillion possible places for life to evolve that we would recognize.

The vast gulfs of outer space, though, mean that UFOs are unlikely to be extraterrestrial visitors here. There’s an obvious human-centric nature to the way that we think of alien visitors, imagining them bothering to cross the vast distances of space variously to buzz us in their mysterious flying saucers, make friends with us, abduct us, invade us, or harvest us for energy and food. The truth is that probably no one knows that we are here, or cares. As Stephen Hawking bluntly summarized it, the human race is just chemical scum on a moderate-sized planet orbiting around a very average star in the outer suburb of one of
about a hundred billion galaxies.

Carl Sagan, the famous astronomer, was one of the strongest proponents of the search for extraterrestrial intelligence in the 20th century, but he used to dismiss reports of UFOs as signs of alien visitors by arguing that statistically aliens do come to Earth, but probably only every several hundred thousand years, passing by on the way from one place of interest to another in the way that we would stop somewhere at a rest area on the New Jersey Turnpike.

But it’s clear that there is something out there and that we aren’t particularly close to understanding what it is. The vast majority, perhaps nearly all, UFO sightings can be explained away by astronomical or meteorological events or through tracing sightings of known aviation events. Many UFO sightings today turn out to be the launches of Starlink satellites, for instance. But not all sightings or encounters can be easily dismissed, and the, the truth is that there are important, meaningful, and world-transforming answers that we could uncover here even if we never discover that they are alien spacecraft from Alpha Centauri buzzing the USS Nimitz on a random Tuesday.

UFOs and UAPs continue to confound us in part because we know so little about the world around us. And as much as we now know about meteor, meteorology, astronomy, the heavens, and physics, it’s worth remembering how new and still evolving that knowledge actually is. In fact, before you even get to the mysteries of outer space, much of our understanding of our own planet is relatively recent. Western scientists have only known about the existence of gorillas, our closest living relative, for about 150 years. Before 1847, reports of their sightings were dismissed as stories of mythical creatures like yetis or unicorns. The first dinosaur was discovered and identified in 1824, meaning that George Washington lived and died without realizing that dinosaurs ever existed. And we still know less about the bottom of the oceans than we do the surface of the moon.

There is almost certainly not one single answer to the mystery
of UFOs and UAPs. The truly unexplained cases, that is, the cases that actually puzzle military personnel and experienced scientists, not counting all of those that are easily dismissed as the planet Venus or mysterious planes, is almost surely a pie chart made up of various-sized pieces of four categories.

The first two categories of unsolved sightings are probably true UFOs and have human terrestrial explanations. There is yet-unidentified adversarial advanced technologies being tested against us, Chinese drones, Russian drones, Iranian drones, or there’s sky clutter, trash and weird stuff that floats around in the sky unnoticed on an average day that we don’t generally bother monitoring. This is how this past winter we ended up shooting down the Chinese spy balloon and then, once we decided to pay attention to balloons, found a whole host of UFOs that we began to shoot down with quarter-million-dollar missiles, that ended up being things like a weather balloon from an Illinois hobbyist club called the Northern Illinois Bottlecap Balloon Brigade.

The last two categories of unsolved UAPs, though, are phenomena that we probably don’t understand yet: as yet unknown or little understood meteorological, astronomical and atmospheric phenomena like ball lightning, plasma, St. Elmo’s fire and a whole bunch of other weird and wonderful quirks of our universe that we need to still solve and identify.

Then we get to the fourth category, where I believe the most extraordinary mysteries probably lie, answers that will only emerge as our knowledge of physics itself evolves and lets us look anew and understand what’s happening around us in ways that we don’t currently understand. This is going to be the potentially very weird stuff: interdimensional or time-traveling visitors, wormholes, extraterrestrials, or possibly something even weirder, what one official once called the astronomical truths that are stranger than the strangest fiction.

And yet we still don’t understand much of this world. As Harvard astronomy chair Avi Loeb points out, when French nun Lucile Randon
died earlier this year, she was the oldest living person, aged 18, and the entire human understanding of relativity and quantum physics occurred during her lifetime. Imagine what we will learn about physics in the next human lifetime, or in the next 500 years, or the next 10,000, if we have the chance. Just this summer, for the first time, scientists found gravitational waves moving through the universe that bend spacetime.

We need to be humble about how much weirder the world and universe around us likely is. And I believe that our government should be more interested in this weirder world, in part because this quest for understanding will help us recognize why protecting and prolonging human civilization matters. This, to me, is the important part of the search for UAPs. It’s the hope, optimism and wonder that can come from what we still have to learn here. Determining the line between science fiction and science fact has always been the core of the UFO story, a key part of what’s attracted so many generations. As Philip Morrison, one of the inventors in the SETI field, said, either we’re alone in the universe or we’re not, and either answer will boggle the imagination. [Applause]

Time for a quick break. Grab a coffee from our partners at OneSpan and join us back here at 3:00 on the dot to hear from the SEC about their new cyber disclosure rule. Thanks, Garrett.

[Music] Please find your seats; our program will continue momentarily. Thank you. [Music]

Hello and welcome back. To help us understand the new SEC’s cyber disclosure rule, please welcome Erik Gerding, director of the Division of Corporation Finance at the United States Securities and Exchange Commission. He’s joined by Erin Delmore, North America business correspondent for BBC News.

Do a flip-flop? Okay, I’ll take this one here. Erik, thank you for joining us today.

Thank you, Erin. Thank you to the Aspen Institute for having me.

There has been so much buzz about the
SEC’s new cyber disclosure rule. Tell us, what does the rule do and what doesn’t it do?

So, thank you, Erin. Uh, the rule is really important. The overall, uh, goal of the rule is to inform investors about cyber security risk that they may face when investing in public companies. So when an investor is investing in a public company, a company that is filing annual reports with the SEC, an investor is looking to assess the risks to, uh, his or her or its investment, and part of those risks may be, in the modern world, losses from cyber security incidents. So the rule is really designed to help investors think about, um, what kinds of losses and risks they may face from cyber security, uh, incidents. And there’s really two parts of the rule. There’s a rule that requires disclosure when a public company faces a material cyber security incident. There’s also another part that requires companies to disclose in their annual report basic risk management and governance, uh, about how they’re dealing with cyber security risk generally.

I did forget, uh, the disclaimer. I am speaking, uh, on behalf, uh, on only in my personal capacity, uh, as division director. Uh, my counsel backstage is going to throttle me for forgetting the disclaimer. Um, I’m speaking in my official capacity as division director at the Securities and Exchange Commission, uh, and my views do not necessarily reflect the views of the Commission, any commissioner or any other staff.

Erik, to have you here, we were not going to let you forget that part. Um, tell us, how is this an improvement over the current system?

Um, so the current system, the staff found that, um, in general, uh, under existing disclosure rules before this rule, there was underreporting of cyber security incidents by public companies, and the types of disclosure that was being provided was not necessarily consistent, comparable and leading to decision-useful information. When investors are constructing their portfolios, when they’re making decisions on whether to buy, hold or sell investments, they’re really trying to make apples-to-apples
comparisons between companies, and having consistent, comparable and decision-useful information about any kind of material risk, including cyber security risk, is really, really important.

Well, more on that: what are the risks of underreporting or inconsistency?

So the risk is that investors really don’t have a good picture into, uh, what losses companies may face from cyber security incidents, from cyber security risk. And what investors are really looking for is to be able to tell which companies are dealing with more risk, how are they dealing with risk, um, and how are they, like, addressing risk management generally. What we’re not doing is trying to prescribe what is or isn’t good risk management practices. It’s really about disclosure. It’s about having public companies tell their investors what they’re doing and letting investors make the choices for themselves in terms of what they think are acceptable levels of risk and what they think are acceptable risk management practices.

Now, this rule goes into effect on December 18th, and smaller companies have 180 days extra to comply. What’s important about smaller companies here? What have you heard from them during the public comment period about what they need to prepare?

So one of the things we always think about as we, um, recommend rules to the Commission, um, are the impacts on smaller companies, and we think in particular about compliance burdens. And the longer, um, compliance period is really reflective of the fact that smaller companies may need more time in order to develop, uh, the disclosure controls, the disclosure practices necessary. That being said, um, it’s not just small companies. It’s not any one type of company that is subject to cyber attacks or cyber security risk. It could be large public companies, the large brand-name companies that you all know of. It could be very small companies. Cyber threat actors are looking for opportunities. That’s one of the things we’ve heard in, uh, the comment, uh, process and in our research. They’re looking for
opportunistic, uh, targets, and that could be a big company, it could be a small company.

Well, speaking of opportunistic cyber criminals, you’ve heard a lot about the roadmap risk, and I know you’ve answered to this, but why don’t you tell the audience here what that risk is and how you see it?

So one of the things that we thought about when, uh, recommending the original rule proposal, and one of the things that we’ve heard about in the comment process, is a real concern that disclosure not give threat actors, not give cyber criminals and other hackers, a road map to how a company’s cyber security defenses are working. And we considered those comments very carefully in the rulemaking process and took great care to specify in the rule, um, and in the explanation of the rule, that what we’re not looking for is technological details that give those kinds of bad actors, those kind of threat actors, a road map to knowing how to pierce a company’s cyber security defenses. Instead, what we’re looking at are information that’s material to investors, to help them assess the overall risk profile and the overall risk management of a company.

But it sounds like companies have some leeway there for interpretation, what’s material and what’s not. How do you suggest they go about addressing what is material?

So material, to securities law geeks like me, Erin, uh, has a particular meaning, and it’s a particular meaning that the Supreme Court identified in a bunch of old, uh, chestnut cases around securities laws. Materiality basically looks at what a reasonable investor would consider significant and what would consider to be a substantial impact, uh, on a reasonable investor’s choice, uh, in investment decisions. And that definition of materiality in our rule builds right off of the Supreme Court’s definition. It’s really no different than what materiality means in any other, uh, securities disclosure context. And that’s important because this is essentially very similar to other kinds of risks that companies face. Whether a company loses money from having its property, plant
and equipment burned down, whether they lose money from market risk, interest rate movements, or whether they’re losing money from cyber security attacks, it’s the same kind of analysis that, um, investors are caring about and conducting.

At the same time, there is a time frame here the companies need to think about when they’re disclosing, and it’s a question that I’ve heard over again about this 4-day time frame to disclose. Some companies have asked, what if we’re in the midst of a cyber attack during this 4 days? Then what?

So it’s a 4-day time period, but it’s four business days after an incident is determined by a company to be material. It’s not 4 days after the incident occurs. So that gives companies the ability to assess what happened after a cyber security incident, to work with their technical teams, to work with their legal teams, to determine whether a particular incident is material. And this is important because lots of companies are subject to potential intrusions all the time, 24 hours a day. So it’s only when an incident is not only material but determined to be material that the four-business-day clock runs. The other thing that’s really important that we did in response to public comments is that we built in a mechanism for the Attorney General of the United States to make a determination that there is a significant risk to public safety or national security, and if that determination is made, the Attorney General can trigger a delay in the reporting mechanism. And that gives public companies more chance to work with the Department of Justice, the FBI or other national security and law enforcement, uh, agencies to address, uh, secret, uh, cyber security events.

And now, when you talk about that materiality determination being made, could we say, for instance, that an incident happens in January but it’s not determined to be material until June? Is that conceivable?

It could be, right. It could be that, um, an incident could take a while in order for the facts and circumstances to be known, in order for materiality determination to be
made there. We did explain in, uh, the release, the explanation of the rule, that, um, companies shouldn’t unreasonably delay. They do have to take reasonable steps to make a materiality determination soon. But we did, in response to comments, uh, clarify exactly what the timing is so that there’s not a rush, uh, to do a materiality determination. So there’s a little bit of a balancing act between public companies not delaying materiality determinations, not burying their heads in the sand, but also taking the care to do the actual analysis.

And do you anticipate that there’ll be an adjustment period and that we’ll see some further amendments or accommodations down the road as you see how companies are complying with this rule?

There could be. I mean, one reason that I’m here today, Erin, is to say that our doors are open. If companies have questions on compliance, questions on the interpretation of the rule, they should come talk to our division, they should come talk to Commission staff, and we will try to answer questions and try to help them understand how the rule is interpreted. Um, but in terms of the first year, um, we don’t play gotcha in terms of making comments, uh, to companies on disclosure. We are really about trying to help investors understand disclosure and give investors meaningful, uh, insights into cyber security risk. It’s not about playing gotcha with public companies. It’s about actually providing information that’s useful for investors.

What else did you glean during the public comment period? You talked about the insights there. How did it go the other way, in terms of, like, concerns with the concerns and then adjustments that you made upon hearing how companies were feeling about hurtling toward this December 18th deadline?

So I think a big concern was the road map risk that I already mentioned, um, and a big concern that we not, um, inadvertently provide too much information to cyber criminals and cyber attackers. And I think we adjusted for that in a couple of ways. I’ve already mentioned the, um, uh, delay mechanism that
the Attorney General can invoke. Uh, we also clarify the types of disclosure that need to be made about a cyber security incident, and all of those types of disclosure are supposed to be on a level of generality that is all qualified by this idea of materiality. So again, it’s not the technological detail that investors care about in terms of how, which cyber defenses were breached. It’s more about the material timing, scope and impact of a cyber security incident on a company’s business.

And what do you consider, Erik, on this front when you think about new technology, including new applications for AI?

It clearly seems like cyber security is an arms race between companies and all sorts of institutions that are developing defenses against cyber attackers and threat actors, and those threat actors. And I would anticipate that AI would just add to that particular arms race, and that might mean that disclosures have to evolve to help, uh, investors understand whether companies are adequately winning that arms race and protecting investors’, uh, investments.

And let’s zoom out to the 30,000-foot view here, because this is new but the risk itself is not. So how do you make that message clear when you’re in front of companies talking about the role that the SEC will play now?

I think that part of this is again reiterating the messages that I’ve already delivered today. This is not about us mandating or prescribing what good cyber hygiene looks like. It’s about providing information to investors. And the types of building blocks that companies ought to use in order to assess what type of information to disclose to their investors is really not new. That materiality concept, it might be new to people who have never encountered the securities laws before, but it’s not new to securities lawyers. It’s something that we are used to having conversations. When I was in private practice, I would have conversations all the time about what was material and what isn’t and how to make that assessment. What I think is different now is that this is a type
of risk where people with a lot of technological expertise need to be part of the conversation. So there need to be between company management, the technical experts and the security lawyers in terms of helping figure out what is material, what needs to be disclosed and what investors need to know about.

And there’s going to be a next generation of professionals in this space. What advice would you have for them as they get into the risk that you see now and the risk that you envision in the future?

I think, um, I mean, normally when I’m not a, uh, civil servant, I’m a professor, uh, at a law school, so part of this is the advice that I would give to my students, which is stay nimble, stay flexible, stay curious, try to always think not about just the types of risks that you’re dealing with now but what types of risk you need to deal with in the future. And in terms of this particular setting, again, we’re not prescribing particular risk management techniques, but this is about being nimble in a different way, being willing to have conversations with people who are outside your discipline. And again, this is about technologists having conversations with lawyers, having conversations with business managers, and being able to understand how they communicate to the public, how they communicate to the investing public about a cyber security risk profile.

And Erik, a final thought here: what’s the number one thing that you want companies to keep in mind as they prepare for the implementation of this rule?

The number one thing is, if you have questions, come talk to us. Like, we are not, uh, do it fast, but it’s an iterative process. I mean, we talk to companies and their lawyers all the time, even about new rules, existing rules. It’s a very, it’s an iterative process, and we recognize that ultimately it’s the company’s disclosure that matters. It’s the companies and their lawyers and their advisors that are on the front line of making sure that investors are informed.

Erik, thank you so much.

Thank you, Erin. Appreciate it.

Thank you, Erik. And now for a view
on the new rule from the C-suite. Joining Erin Delmore, please welcome Corey Thomas, chairman and CEO of Rapid7; Gary Steele, CEO of Splunk; Michael Steed, founder and managing partner of Paladin Capital Group; and Sam King, CEO of Veracode.

All right, everybody, thank you for being here. We ran this with TV programming rules where you were able to hear Erik from the wings over there, and I’m looking forward to hearing what your thoughts are, what your responses are. But I want to start by asking each of you, down the line, how are you preparing for the implementation of this rule? What are you hearing in the rooms that you’re in? Corey.

Well, I think it really depends on which rooms you’re actually talking about. I would just say that there’s general confusion, um, in the boardrooms, where I think people are trying to understand, um, you know, two things, what it means. You saw that was a pretty nuanced conversation. I really appreciate Erik taking the time to have it, but there was a lot of complexity in there, there’s a lot of judgment in there, and there’s not clear standards. And when you have complexity, judgment

Tell us what you really think, Corey.

Um, and by the way, I actually think, I just, I want to be clear, is I do think that the effort is required for us to actually have healthy regulation and especially transparency to actually improve our cyber ecosystem. That said, is that not everyone lives it like we do every day. Um, and so if you don’t live it every day, if you don’t understand the nuance, it’s a lot and it’s confusing. Um, and it’s not clear about, like, what actually good is, uh, and that causes a little bit of anxiety.

Yeah, and I should point out for the audience here that Corey and Gary are representatives from public companies, so they’re the ones facing down this upcoming deadline in the next month. Gary.

Yeah, I think first and foremost, as a CEO of a public company, I think about being able to operationalize what Erik talked about, because this period of time means that everything has to be working very, very
well, and a lot of the focus is on the CISOs and what the CISOs are doing. But in reality there’s a whole governance arm and oversight arm that the board has to be ready for as well. And so to make that materiality decision, it’s not just the CISO and their team, it’s leadership in the company and it’s the board. And so I think about every day, like, how do you operationalize what’s required to make those determinations, to be able to communicate. And while I think there will be a whole set of challenges related to this rule, and companies will struggle, as Corey was saying, um, I actually think it’s a positive. But we need boards to mature, governance to mature, to support CISOs, their teams and what they, the decisions that they need to make. And so, you know, for me as a CEO of a public company, we have a cyber committee. We don’t just put it into audit. We have experts on the board that can work alongside of our CISO so these hard, nuanced decisions can be made. I don’t think there’s a lot of boards that are prepared to be able to manage that nuance, because they haven’t matured their board and their oversight model to support what’s really required with this new rule.

So you’re saying that it’s a matter of both meeting the rule and making sure that either the people have the expertise required or that you have the right people in the room.

No, you think about it, like, go back to financial disclosure. You are required, to sit on the audit committee, you have to be a financial expert, and you have to prove that you’re a financial expert. There is no requirement today on boards to have cyber experts that they can verify that they’re a cyber expert. So this materiality, which is a nuanced thing, you really have to have people in the room that can help and support CISOs to make the right decision, and it’s not just on the CISO’s back.

Michael.

So Erin, thank you. If you take a look at this, we’re a private company. Um, we’ve been invested in cyber security and AI since 2007, 2008, 72 companies since then. Um, we go far beyond what the rules are now that are being
talked about by the SEC. We applaud the SEC for doing this rule. Um, we further applaud the SEC for beginning enforcement around cyber security. So if you take the enforcement action that was taken, plus what you heard today, that they’re essentially saying, don’t lie, right? And so you’re going to look at those publicly required statements that are going to be made on their yearly report, along with the actual disclosure of materiality. Uh, we’ve gone much further than that. We look at every company, we go through all of its cyber, uh, capabilities, all of the security that it has. This is before we put money into the company. And then we continue to monitor and manage that, because as we know, the threats against our critical infrastructure, where a lot of our companies are selling their products, are enormous and are evolving. So we applaud what the SEC has done. In fact, they should go a little bit further, we think, but, um, I think it’s an excellent first start with what they’ve proposed and what’s going to go into effect here very quickly.

I mean, give us an idea, if you have it, how would they go further next?

I’m sorry, say again?

How would they go further next?

How would they what now?

Uh, if you wanted the SEC to go further and meet, as you’re saying you’re meeting a higher standard now, what would be on the table?

So I understand nuances, but we’re talking about protecting the critical infrastructure of America. That’s what we’re talking about. Now, who needs to be nuanced when it comes to that? That’s my feeling, because that’s what we do, that’s where we invest. So it’s, um, you have to know the nuances to make sure that they don’t bring enforcement actions against you, and that’s important. I think what Splunk is doing with the cyber committee is terrific. I think those kinds of things are the kinds of things that show that people care about it. But nuanced in protecting our critical infrastructure, we don’t need nuanced. We need clear and unequivocal, um,
um, compliance, uh, with what’s out there, and then compliance with what’s reasonable. We don’t want to go way out and start putting real onerous rules and regulations on people, but I think that’s kind of where we need to be thinking about going.

Thanks. Sam, how about you? How is this being received in the rooms you’re in?

Yeah, so we’re a private company, so speaking for ourselves for a moment, uh, we are not subject to these rules. However, just like what Mike was saying, we’ve chosen to adopt a lot of the standards that Corey and Gary were talking about, just from the standpoint of good governance. Now, when I talk to people that are trying to further the cause of cyber security, a lot of the people in the room today, I think by and large they view the rules as elevating the conversation around cyber security, creating a sense of urgency, forcing a discussion between the boardroom, management, practitioners inside the organization. A lot of people I talk to also say, before the SEC goes further, can we get a little bit more guidance on what materiality means, reasonable investor? You know, there’s a lot of ambiguity in the rules that have come out, which are left to the interpretation of each company, and some of that might be by design, because it’s forcing a conversation. You figure out what materiality means for your business. In order to do that, you have to figure out what are the critical assets of your business and what are the risk factors for you. So I see in the rooms that I’m in this conversation occurring with a serious tone, albeit with some stress associated with it, because you also have enforcement happening at the same time. So people are watching both the rulemaking and the enforcement.

So watching as people are trying to figure out some of the specifics here, and you said some of the stress, what is the pitch to a public company chief information security officer right now if you want to get them in the door?

Fortunately, I don’t have to do that for a private company.

Okay, so if you don’t have to do it, breathe a sigh of relief.
If you do have to do it, what do you say, Corey?

Well, look, I actually think that the good thing is that you can actually say that cyber security is more relevant than ever. It’s never been more strategic. It’s never been more upfront. Um, you know, everyone’s always wanted, you know, CISOs have always said they wanted a seat at the table. Guess what, they have a seat at the table. They might be at the head of the table. Uh, it’s front and center. Um, there’s concerns that you’ll have to address. Um, Erin and I were talking before, you know, for the first time ever, I think CISOs are asking about D&O insurance.

Um, explain that, everybody.

Uh, it’s just the, it’s the, um, directors and officers insurance that says, if, uh, if something happens, you know, for your defense and your legal defense, you actually have, um, some level of protection. But I think at the core, though, I do think that there is a seriousness that’s actually being required to take, and that’s a good thing. Um, I do think the role of the CISO has to change, though, because you do actually have to have CISOs that can operate at board levels, that can actually have those board conversations, and having a seat at the table and actually then knowing how to operate at that table are different things.

Michael, how would you do it?

So I think, um

And I should point out, Michael, I’m asking you in particular because we’ve spoken about how you’ve seen the evolution over when you started your company but many years the prominence of this role. So how would you do it now?

Right. So if you look at the history of, um, of cyber technologies from 2002 to 2007, 2008, roughly, um, cyber technologies were nice to have but they weren’t needed, and you had to fight for that little corner of the, uh, of the technology budget to get a cyber technology adopted. When the threat changed, when the threats became, uh, disruptive and destructive, is when you saw the IT being pushed aside and the rise of the CISO. Uh, this was, figure, this is roughly 2008, 2010, give or take. Cyber budgets now came into view, um,
not just IT budgets but cyber budgets, and the CISO was now talking to the C-suite. Um, that’s terribly important, but the underlying issue is an education issue, the education and training to make sure that the CISO knows what to do and under what circumstances to do it. Uh, in that circumstance you always have to have a lawyer presence so that you understand what the guardrails are, and that’s part of it. But we’ve got to educate and train the CISOs now, I think, on what the new rules are and what the story is. The corporations have to be, um, uh, flexible enough to allow that to take place so that you don’t have people running out the door and not providing that kind of service to not only the shareholders but to the protection of critical infrastructure.

And let’s talk about what Erik described as the roadmap risk, the idea that as you’re disclosing there could be information that’s gleaned by a bad actor who’s looking to take advantage of something they’ve learned. Um, how do you consider what is the material disclosure in light of that risk?

Yeah, so I think it comes down to the level of detail, right? And let’s remember the audience. Erik talked a lot about, these disclosures are intended to serve the investing public, right? So a reasonable investor should be able to look at this and make a determination around whether they choose to invest in your company or not. So it depends on the level of detail, whether you’re spelling out a road map. I think if we were to say, if you have discovered a bunch of vulnerabilities that you’re working on fixing and you want people to report out the technical granularity of all of those vulnerabilities, that is providing a road map for the adversary. But if you’re talking about someone describing, we have a vulnerability management program where we routinely look for vulnerabilities and have a process by which we fix it and, to your point around education, educate our security practitioners, technologists to figure out how to avoid them in
the first place, now you’re giving something about the program versus technical details. So that’s how I would coach people to think about the distinction here.

This is going to be super nuanced. This is really complicated, because if there’s a gap that ultimately creates a breach, you’re going to have to close the gap. The gap then is a road map issue, and it’s not about the detail of the gap, but the gap will be enough exposure that’ll create issue. And this is going to be one of those nuances that has to get worked through with the, and the evolution of the rules. It’s very, very tricky.

And within 4 days of that materiality determination being made, unless, as Erik said, there’s an appeal to the DOJ on a public safety note. Um, are you concerned about the time frame?

Always.

Okay, tell me more. How will you manage it come next month?

No, I just, I think that everybody, all companies have to make sure that they’ve got the mechanics in place, that they can respond in that period of time. And a lot of times when events happen, it takes time to do the investigation necessary to really understand what the impact was. You might know something; you might not have complete data. And what this rule will require is for disclosure within that window. Um, and companies will, may report before they have full information. That is likely what will happen.

So what’s the risk there of reporting? You’re reporting too early and you’re spooking your investors when there was no need to?

Well, I think there’s a separate one, and by the way, I do think that Erik says something important, is that there’s some point between the time that you first learn of it, you’re doing your investigation, and the investigation is complete, and you’re going to report somewhere in there. Um, and I do think that that is one of probably the biggest confusion areas, is just like, I hear about it, four days later I have to report. I think that the SEC has been clear that that’s not the case. Um, but also they’ve been somewhat clear that, like, it also can’t be when the final report’s done, which could be
months later. So, and that’s the gray area that I think is, um, is going to have to come out in how we actually do practice. To me the risk is a little bit different. I think you actually have the investor risk of communicating to investors, um, about something that’s incomplete, and the challenge is that when you communicate too early and it’s incomplete, uh, it can actually be inaccurate, because the story is still unfolding. Um, and so that, I think, goes a little bit against the spirit, which is why I do think it’s important not to be overly premature. Um, you can’t overly delay, but, like, you do want to be accurate too. Um, and being incomplete and inaccurate, I don’t think it’s helpful to the spirit of what the SEC is suggesting. I think the other risk that you actually have, though, is dependent on the type of cyber attack, is that, um, and how the attacker is actually acting, um, reporting actually notifies them that you’re actually trying to contain and eliminate, and that can accelerate the behavior and actually do more damage in the environment. And I worry a little bit more about that one. That’s not true in every cyber attack, but that’s a real, actually, risk, that you actually are also, um, notifying, um, not just the attacker that you know about but any other attackers, because the one thing that, you know, in our investigation that we found is that oftentimes companies, when they’re compromised, they actually have more than one actor in the environment. And so you actually lead to this smash-and-grab job where you accelerate bad behavior in the environment before you’re ready to fully remediate. Um, so again, I think that that’s the risk of communicating too early and inaccurately.

Is there also a fear of giving up leverage, not just information but, depending on the time, also leverage?

This is the thing that I do like about the transparency, um, because I think one of the challenges is that, um, many organizations and their advisors have too long tried to actually hide things, um, and that leads
to, you know, funding ransomware, which does all types of bad things. It leads to all types of bad behavior. I think the notion that you will have to come clean is, is an incredibly powerful and good notion, uh, and the question is how do you actually do that in a way, way that actually allows you to protect the consumers of the information of these different organizations, um, and actually honor the transparency that investors need. But I actually think the notion that you should actually have to come clean is a great notion, um, that actually I think will allow us to actually improve the overall cyber security ecosystem.

Sam, you work across time zones, across countries, so how do you look at the timing issue?

Yeah, so, um, I, I think one of the things that, uh, every CISO, especially if a public company, but probably every company, should do is go become best friends with the chief legal officer or the general counsel if they aren’t already, because I think a lot of these debates shouldn’t have to occur just with the CISO and should not occur just with the CISO in the security community. This is about the timing, for example. Part of it is balancing the disclosure requirements that you have, so balancing the legal obligations that you have with securing what might be an active attack, securing against what might be an active attack. But one of the other complicating factors that I found is when you, uh, talk to companies that are operating in a lot of different jurisdictions, even in the United States, and then when you talk about global companies across different parts of the world, different rules have different timing requirements. So the SEC is saying we have to respond within 4 days after you’ve determined it to be material, but in, uh, in Europe it’s 72 hours, and the concept of materiality maybe doesn’t play in the same way, right? So, so one of the things that I found to be incredibly burdensome for those people that are trying to defend their enterprises from these types of attacks is that their energy is also going to parsing through, did I do this in 72
hours, and did I do, do this in four days, and did I do this, and, and, and that becomes really difficult, and, and that’s all the more reason that, uh, they should create these partnerships with other parts of the organization so it doesn’t all fall to them.

Corey, what do you think about that?

Look, I, the compliance management is consuming larger parts of, of budgets. By the way, I agree with Michael’s point, is that we have to actually raise the standards in the high water mark. But I think we have to do it in a way that actually is focused on improving security, not managing compliance and regulation, and I think that one of the inefficiencies that you actually have in the ecosystem that Sam is describing is, is we start actually allocating more resources to how we actually manage the compliance ecosystem than how we actually manage good security. That is not, I mean, that’s partially an issue that every regulator faces, but that’s also just a dysfunction in how we govern security around the world, um, how the US in general approaches it, state by state, regulator by regulator, and I think that that is actually a real risk. So I, you know, if I had one wish, it would be that we raise the standards but we also actually have fewer standards, and we actually decrease the amount of SP compliance. Now, one of the big changes, I think, um, the US Chamber and several other organizations that were not so sure about this in the past have now come around to the point of view that you actually do have to actually have more consolidation and more centralization about how you actually regulate across both the US and the world, and I actually think that’s an incredibly powerful thing that somewhere relates to SEC, but it’s incredibly important.

And did I hear you say in there that there’s a risk that there’s more offense being played on defensive ter

Yes, absolutely, and so I, I think a little bit of what happens is that, look, my fear, and this is just a fear, is that you can actually, when you have consequences, um, and, um, a lack of clarity and a bunch of different things you have to
comply with, is the emotional reaction in some cases is to actually manage the regulator, um, and to spend your time and attention actually doing that, which is not cyber security. It’s not improving the high water mark. It is complying. It’s related, it’s a cousin, but it is not directly related to the work that we’re actually talking about doing, and that actually in the end will take money, effort and time and not actually have the corresponding benefit.

Michael, what do you think?

Aon, I might go down this route because I think this is a great discussion. Um, disclosure will kind of depend upon the attack that’s taking place, so, um, um, if the attack that has taken place immediately harms humans, it probably should be disclosed a little bit earlier, right, than other kinds of attacks. So if, if there’s an attack that takes place that steals a bunch of personal information that could be used against humans, you, you, you probably are going to take a look at what an incomplete disclosure is, because I’m in favor of a full disclosure and a complete disclosure, not an incomplete one, because that’s just more bad information on bad information. But, but you have to take a look at, and I think this is going to be some of the nuances that take place, you’re going to have to take a look at what is the actual nature of the attack. If it, if it’s going to, if it takes down a pipeline on the East Coast, what is the timeline? What do you think about that, and is it a complete disclosure or not a complete disclosure? If it takes down, if it attacks humans, takes all their personal information and puts it out into the world, you have to think about doing those kinds of things. You used to remember that firms would say six months after an attack in which personal information were taken from millions of people was more than adequate. I’m not so sure about that in today’s world.

Well, let’s follow up on that. Now, I heard Eric say earlier that the onus is on the companies to make the materiality determination, so Gary, how are you handling that now? How do you think through what is
material, what isn’t?

Yeah, the, for us, we think collectively across the CISO and his leaders, across legal, with finance weighing in, um, because they ultimately are the governors of what is materiality from a finance point of view. But we have engagement from the board too, because one of the things, Sam, you were talking about was the importance to partner with legal. Well, you’ve got to partner with the board too, because at the end of the day it’s, everyone has to be aligned to make that very, very hard decision, and so, um, making all those mechanics work in advance of this rule going into effect I think is really important, because you’ve got a, the board’s job is to govern. They ultimately need to approve or not, not approve the decisions around materiality, and so driving that alignment and operational execution around how to actually figure all this out in that 4-day window is super critical. And, you know, we were talking about the, the role of the CISO. The CISO really needs to lead that broad group through this process to get to the right outcome, and I think there’s, the thing that I worry about the most is how do we continue across corporate America, how do you raise the knowledge in board, in the boardroom to support this CISO, because when I want to recruit a CISO, the first thing is, I have your back and I’m going to support you, I’m going to support you in the boardroom, and here’s what I need from you, and, oh, by the way, we’re going to pay you more because of the responsibility you, you’re taking on. Um, all of those things come together, but you’ve got to drive maturity in the boardroom to help make these really complicated decisions, because they’re never going to be easy. There’s always going to be nuance, and I think the rules will evolve, but at the end of the day you’re going to have a, a handful of people in the boardroom with the CISO to make that decision with, with advice from legal.

Well, go ahead. Z, that is the pitch for public company CISOs too, by the way, which is that in helping your board become more savvy on this topic, you’re actually
increasing your board readiness to go serve on a board. But, but I also think, like, I think it’s really important that leadership has the back of the CISO.

Absolutely, and CISOs being thrown under the bus is to me awful, horrific, terrific, um, and so you’ve got, but you have to have the board having that same point of view. They should treat the CISO no different than they treat the CFO. It should be the same kind of mentality.

Well, that’s what I want to hit now, because I want to flip the perspective a bit and ask you all, what should every board in America be thinking about when it comes to not only cyber security but also emerging technologies?

I mean, Gary hit one of the big ones, is that they have to evaluate their own skills and experience and, and relevance there, and this is where, look, things are moving fast, but I also think they have to accelerate, uh, and, you know, lots of boards, um, just don’t have these skill sets of perspectives. I think that’s part of the fear and the anxiety, uh, that’s happening now. There are some great things that I think are in the, you know, we, we keep talking about the dis, disclosure rule, but the other rule is actually quite important, because boards have to lay out every year how often they meet with their CISOs, how do they operate. That’s a very positive thing that I think will improve the education, understanding of efficacy. At the end of the day, though, you are going to, there’s some big questions I think we have to normalize from a governance perspective, uh, and there’s lots of great work that’s actually happened by a bunch of different corporate governance organizations all over. But do you have a special committee? Is it a part of the audit work? You know, Gary’s talked about a special committee that he has. We have a subcommittee, uh, of our board. We have lots of cyber experts specifically on it. Um, should every board have a cyber expert? One of the challenges with that, by the way, I, you know, boards have asked me to actually help staff it, is that you actually have to have cyber experts to understand board governance
not just technology, um, and so we have to develop these people that have these expertise. But at the end of the day it’s skills, capability, defining what the governance processes are, defining what’s being reviewed, and then not acting reactively. Like, lots of these policies and approaches should be, um, practice in the bank and have structure around, here’s how we’re going to respond and manage these situations as they occur.

Yeah, I think if I was a CISO and I work for a company that had a board that had no cyber knowledge, that’s a bad place to work, saying it out loud, because at the end of the day then it’s very easy for boards to place all the blame on CISO if there, an event happens, and you need to be linked arms around, okay, board with leadership with CISO is aligned on how these decisions are getting made, and so there’s no opportunity to place blame anywhere. And so to me it’s, we have to, we have to evolve board governance. Look at all the rules that exist today for audit committees and the requirements to be a financial expert. To be able to determine financial materiality you have to be an expert, and you have to be able to stand up and say, I’m an expert in this area. We don’t have those rules for cyber, and we need to. If we’re going to hold companies accountable on materiality, which I actually think is a good thing, how do we ultimately evolve the requirements for board composition to ensure that we have the right level of knowledge, expertise? It’s absolutely required to make these really hard nuanced decisions.

Michael?

I think your question’s right on, because it goes to emerging technologies, right? How does a board deal with emerging technologies? I immediately go to AI. After cyber, I go to AI. Um, boards need to have people on them that have some background and experience in this so that they just don’t get reports that they get real comfortable with because they mentioned Microsoft, Google and a few other things that makes them feel good. They need boards that are actively involved, as you gentlemen have talked about. I mean, it’s, it’s
really important to be able to do that. Paladin, we have people that are on, on the GM board, on the, on the Goldman Sachs, Huntington Bank, M&T Bank, because they need and want to have some level of, of cyber security knowledge on the board so that when the CISO comes in, the CISO knows there’s someone, as you say, to guard, to guard him to, or, or her in that, in that, in that, in that context. We also need that on boards for, for emerging technologies and AI, which is, which is going to be driving cyber in, in, in, it’s going to pick up the speed of driving cyber. Um, you need to have people that understand those technologies and that can work with not only the CISO but the, but, but the C-suite and those in the company that know those areas, because, because without that, then they’re going to run blind, I think.

Sam?

So Gary, if I cross reference your remark around, um, if there’s no cyber expert on the board or someone that understands this, that’s a bad place for the CISO to work, with a statistic that I saw, na, uh, the National Association of Corporate Directors did a survey, and something like 78% of corporate directors said they don’t understand anything that the CISO is saying to them, so 78% of companies are bad places for CISOs to work. The point that I’m trying to make is that I think the level of knowledge around cyber security is still pretty narrow, so I think you’re going to find a lot of boards don’t have knowledge of this, right? And boards are trying to do a lot with corporate board education. There’s a lot of good things happening, but we’re behind, we’re, we’re behind, behind. I, I, I, I think it starts with asking the right questions, right? Uh, you don’t have to become a technical expert in all of this stuff. That’s why you have the CISO. But you do have to understand what, what are the risk factors for my organization, what are my critical assets, where, where do most of my revenue streams come from, what does my extended supply chain look like, where do I have a risk there. So I think you can create a conversation with the board even as it stands today by
inserting the right questions into that conversation.

So would you credit that as an unintended side effect of this rule? Because I am interested in what some of the knock-on effects are, right, some of the intended or unintended side effects. Do you think that’s one?

So I, I think that should be an intended consequence of this, which is that that kind of conversation starts to happen in the boardroom between the board and the CISO with the support, full support of the CEO and, and, and management. I think an unintended consequence, maybe people are going to be a little bit careful about what are they bringing up. Like, I, I’ve heard from, uh, people saying they’re asking questions about, what do I do with my normal day-to-day operations, is this going to be, is, is my discovery of this information going to be held against me? And that’s where I think education is needed, because we do not want to disrupt day-to-day operations. We want to create this higher level conversation.

How about other knock-on effects? What do you see?

I mean, just to follow on Sam’s, look, one of the, I think one of the tricky parts of this is that we know that the state of cyber security around the globe needs to be improved, right? And so anything that actually makes it hard to, to acknowledge what the current state is is a bad name. I don’t think that has to be the case here, but I think that’s going to play a lot into actually how we actually execute and roll this out, because we want to say it’s here today and it’s going to be here tomorrow and then it’s going to be at the next stage the next day, uh, but that requires candor, openness and conversations. I would say the, probably the bigger knock-on effect that actually affects it is not the rules, which have, again, there’s some stuff that’s going to set out and normalize it. I would just say that we haven’t talked about it, there’s probably more confusion around, you know, the, also the enforcement and how that plays out, um, and that probably has a lot more noise on it from my perspective than the rule. I just happened to, well, probably
happened, probably known, but like, the fact that these happened in the same time frame I think is probably creating more knock-on effects than just the rules in and of themselves, um, about, all right, sort of, not just what do I say internally, which again, transparency is great, like, get, that’s the only way you make progress, you have to have cand you Havey, but also what do I say publicly, um, how much liability am I actually taking for what I say publicly? And this is where the, I would just say the messiness of the combination of, CISOs are experiencing, I would just say, a great deal of fear right now, um, in general, and that’s a generic statement, but I would just say the combination of concerns about enforcement action, um, not Shing if boards or management teams have their back, it can actually be a pretty lonely place to be a CISO, um, right now, and I think that that’s not a good setup for making the progress that we want to make.

It is a good setup for our next portion, which is audience questions. So if anyone has a question for the panel here, please make your way down to one of the two microphones at the end of the aisle, and in the meantime I’m going to ask a question here. We heard Eric say that the SEC’s new rule is not intended to be prescriptive, but I am curious whether you think that this will ultimately strengthen cyber security procedures at public companies.

At public companies but also at private companies, so even though ultimately I could ultimately work to strengthen cyber security, I think so. I think this is going to raise, this is going to raise the bar, and it brings, as we talked about earlier, I think it brings the importance, the strategic nature of cyber security into the boardroom, and so I think there’s a lot of really positive long-term benefits. We have to get through the short-term mature phase, which is going to take some time and a lot of evolution and agility to get through it.

Great. Does anyone else want to jump in before we go to questions?

Ultimately yes. I think during the process where we’re maturing, we should just have
a lot of empathy for CISOs and the defenders as we go through that maturation process. Completely. Absolutely. Absolutely. Definitely. Y

Okay, first question.

I’m Don Dixon for capital capital firm. I specialize in cyber security companies. Every company I see today that walks in my office starts off with gen AI as part of their presentation, whether it’s real or not or just a slide deck, um, uh, and I heard, uh, the director from the SEC talk about throwing, uh, gen AI into the breach basket that they’re going to have to try to figure out for disclosure purposes. Cyber security spending or compliance spending tends to follow after large, well publicized breaches or, or, uh, large regulatory fines. Have any of you thought about what those drivers could be from gen AI, whether it’s going to be fines or expensive breaches? Because I’m still struggling with that, and if we can’t figure it out, there won’t be spending on it.

Who would like to jump?

Well, I, I, I, I, you know, Don is one of the best, best cyber investors in the country, so he’s really good at this. Um, uh, gen AI is going to generate, and you saw this with the EO, the, the executive order, right, you saw it with the, with the SolarWinds enforcement, and then you saw it with the activities in, in, uh, in the U, in the UK. Um, all of that says to you that there is going to be, in my, in my thinking, there is going to come out of that EO, uh, maybe you go to NIST, maybe you go to some others, NIST says we’re not in enforcement, but they’re going to create the rules, somebody is going to enforce those. So there’s going to be something around that when it happens, whether it’s going to be, whether it’s going to be easily adoptable. You know, the way, the way you invest is you invest because ease of use, ease of, you know, ease of in, installing. Ease of reporting is another issue entirely. But, uh, but this is a serious issue, uh, because everybody does come in, Don, and, and does say, you know, I do AI. Well, they don’t, they, they use the engines that are out there, but they don’t really do AI themselves, and then what’s that, what’s that
regulation around it? We don’t know yet, but that’s where the EO starts.

Would anyone else like to take a crack at Don’s questions? We can move on to the next.

Hi, thank you for a very good discussion. Uh, my name is Manish Walterpory, the VP of cyber risk at exer. I wanted to ask you about other reporting requirements. You talked about a little bit, touching on some of the others, but would love to hear how you think about this SEC piece with the critical infrastructure reporting, CIRCIA. Um, I know the administration is working on regulatory harmonization. We talked about multinational companies. We have, you know, the EU has a Digital Operational Resilience Act, which has an initial, intermediate and final report. India has it, you have to do within six hours. China has it if you, it’s over 100,000 users. I mean, just stacks on top of another, so I, I would love to hear from you how you see this slotting in here, driving it, or some sort of larger harmonization. Thank you.

That is not the pitch for the public company CISO, by the way, because that’s what they have to deal with. Exactly. But you’re exactly right. I mean, this, this is what Corey was talking about earlier when he was talking about the compliance overhead, the compliance nightmare, because it’s different in every single place. Uh, if, go ahead.

You operate around the world, at the end of the day you, you actually have to have a, a team that actually, um, organizes how you actually are going to comply, and that, that’s my point. It does require, it is not just one full-time job. Depending on the size of your company, you have a team that actually does this, and my only point is just like, okay, you know, an overhead of a couple people that manage compliance, that’s one thing, but like, the more different things you comply to, the larger that team gets, and a large team that’s actually managing that compliance is not doing security. Yeah. Um, and so that’s the, that’s the only point I was making, but I would just say I don’t know many companies that don’t have an in-house team or at least an outside advisor te, team that’s
on tap to actually manage that complexity, um, if they’re operating around the world, um, and I just think that’s the nature of the beast.

And my only, my only addition to this is, um, the data privacy rules around the globe are cousins to these issues, obviously, and the one thing we could all work hard collectively on is not to have 50 data privacy rules across 50 states in the US, skipping the complexity internationally, but like, if we had harmonization across the US with a single law around data privacy, that would be huge, because right now, like, we’re headed to 50 different rules that we’re going to need much bigger teams, to G’s points, to manage all that, and again, it’s a close cousin to all of these issues.

That’s a great point. Michael?

Well, I, I, I, you know, you’re going to need to have, um, at least three lawyers working with your CISO, one to handle what happens in the US, one that ha, that handles what happens in the EU, and then one that, that handles what happens in the rest of the world.

Trust me, it’s bigger than three. It’s bigger than three.

Yeah. Um, uh, it’s uncertain, um, to, to make the point, it’s uncertain, um, and, and this is, you kind of get, I think, a real time, uh, grappling with how do we do this, how are we going to make this good. I’m hopeful that the, the SEC will take the position, or the, or, or any regulator would take the position, if you make a real effort at this, you put time and money, money at, at it, and you, and you adopt some of the things we’re talking about here, that, that’s going to be a good first start, um, and will lay a foundation to be able to be flexible, uh, in taking a look at, at the enforcement issues, uh, and the compliance issues.

Thanks, Mike. Sam, bring us home with a final thought.

I think doing all of the things that they described proactively, before you’re in the middle of an incident, is something that’s going to make your life a lot easier, so start having the conversations right now.

Yeah, well said. Our thanks to this terrific panel and to our audience, especially for our wonderful questions. Thank you, thank [Applause] you. All
right. [Music]

You are not going to want to miss this next panel. I’m Craig Adams, chief product officer of Recorded Future, and we’re going to talk about the impact that ransomware has on real people. First, to make it real for a second, if we look over the last three months, there’s been on average 400 named victims of ransomware attacks each month. That’s just the named victims. Now, if that’s too abstract, let’s think of something maybe a little bit closer to home. For those of you with kids, there is an average of 22 school districts hit by ransomware each month. There’s over 23 state and local governments hit by ransomware each month and over 25 different health care providers. Uh, please join me in welcoming this incredible panel we have coming up: Paul Abbate, the deputy director of the FBI, Cynthia Warrick, president emerita of Stillman College, and Aruna Viswanatha of the Wall Street Journal, who will lead us through this important conversation. Thank you.

Thank you all for joining us today, um, and thank you to Deputy Director Abbate and Dr. Warrick. Um, Dr. Warrick, you were on a panel earlier today and you touched on this, so I want to start there. Um, 5 years ago this week you were running a small liberal arts college, uh, heading into the holiday days, when you got a message you didn’t expect. Your systems were hit with a ransomware attack. Um, can you take us back to that time? What happened? Did you have to cancel classes? Could you not make payroll? How did it affect your week?

Yeah, well, luckily our payroll system and our academic platform form were not on our ERP, which is our operating system for the college, but all of our financial information, registration, uh, everything else was. So basically we, uh, it, the ransomware attack, we got this message through the, the system that, um, they wanted $110,000 in Bitcoin, and once we started looking at it, then our system crashed, y, so, um, I immediately had to call, uh, the, uh, Department of Ed, the FB, we had to report to them, we had to report to the accrediting body, the Southern Association of Colleges and Schools, and the Department of
Veterans Affairs, everybody whose data we hold, you know, because we have veteran students, different students, alumni. We had to send a message out to them. It didn’t really stop our payroll or our operations per se, because people were still getting paid, but let’s just say we didn’t have a Thanksgiving holiday or a Christmas.

So students couldn’t get their grades or transcripts?

Or, they could get grades, but we had to, over the Christmas break we developed a, a manual system to do orientation, to do registration and financial aid, so we went manual.

Back to paper?

Yeah, kind of. We use a program called smart sheets, I don’t know if you’re familiar with that, but yeah, but it was pretty manual, because we’d have to put in the data, put in people’s names, you know, really, um, working with 700 students and 200 employees, it was, it was kind of tax, very intense. Yeah.

So Deputy Director Abbate, to bring you in, um, we were on the stage a year ago, and I went back and, and you had said at the time, uh, on the topic of ransomware, we only continued to see the problem get worse even with all the efforts we’ve made, and that has clearly borne out in, um, in, in 2023. Chainalysis data shows that companies were on track to pay 900 million in ransomware. That’s up, you know, from 457 last year. Um, every week there are new incidents being reported. What do you, what do you attribute this huge spike to?

I think, you know, it’s a few things. Know, first, it’s a privilege to join you here again this year, and Dr. Warrick, grateful to be here with you as well. Um, look, it’s a, it’s a low-risk endeavor and the profits are high, uh, and that really drives it. Um, it’s all about the greed, uh, behind these actors, you know, pursuit of carrying out these types of attacks and the money they, uh, gain from that. So, um, it is proliferating, uh, it’s definitely, uh, increasing. It’s a problem like many others in, uh, traditional crime, terrorism, that, uh, we don’t see as being able to arrest our way out of, so we’ve got to, you know, come up with new innovative approaches, be thoughtful, uh, hyper collaborate, particularly in the
cyber space, and find ways, develop new tools to work to counter that, uh, and stick to the fundamentals of cyber security, uh, training, education, best practices, uh, in order to put everyone in the best position to protect themselves, uh, and the companies and the a, agencies that they work for.

Right. FBI Director Chris Wray said this morning in a congressional hearing that, um, in the past year, in 2022, the FBI and the Justice Department had undertaken a thousand actions against cyber adversaries, um, and that seemed like a pretty large number, and I hadn’t heard that before. Um, given you also see such a rise in ransomware, what impact do you think these cases and actions are having?

Look, the level of enforcement that we with part, partners are doing is way up, as reflected in the numbers that you just cited from the director, and again, I think it reflects the fact that that’s not the, the sole or only avenue that we’re going to be able to employ to fight this, uh, and counter it. It is a subcomponent of our overall efforts toward that, uh, and we have to stay focused on it. That’s our job from the FBI with other law enforcement, uh, partners, and we’re going to continue, uh, to do that, but I, I think it shows the severity of the problem with the, uh, you know, significant level of enforcement actions, arrests, seizures, searches, uh, disruptions that we’re doing, that it continues to move forward. And again, I go back to, it’s the, it’s the partnerships coming together with the private sector, with other government agencies and with people, the citizens that we serve, sharing information, building trust, that all goes toward, um, countering this problem and bringing it down. We’re going to continue to focus on that.

One of the things that a lot of, uh, officials I’ve talked about is that, um, as people pay, as victims pay, um, it, it encourages more, uh, criminals to use this tactic, and so Dr. Warrick, can you talk about, you, you saw this $10,000 request, did you have conversations with the board, with, uh, others about, should we pay this? What was your thought process?

Well, as a small, uh, HBCU, we
didn’t have it, so we certainly weren’t going to entertain paying it, and then when you

You had no Bitcoin in your back?

Exactly. And then when you think about it, if you pay it there’s no guarantee that they know how to unencrypt your data, there’s no, you don’t know who they are, where they are. Um, you know, there’s nobody who can say, okay, this person is going to do this. You know, it’s not like on TV with FBI shows and they send a team to call the ransom person, you know.

No, we do that too, doctor.

Oh, you do sometimes, right. Well, these, I don’t, we have no idea who it was, so, so I think it’s, it’s really critical not to, to pay, and certainly, um, try to prevent this from happening. Of course, what we found was that someone on the campus opened an email and clicked on a link and then happens, and so we, we just have to be very diligent in educating your workforce, your students, everybody about, you know, your systems administrators, everyone needs to be really, um, diligent about not opening mail that comes from unknown addresses, or, you know, many times they try to act like they’re me, you know, the president, you know, so people will say, oh, did you, did you request, make this request for Amazon gift cards? You know, it was like, no, I didn’t, but, you know, they use all kinds of tactics, and so, uh, you just have to be very, um, sensitive to, to this.

So did you, were you able to convince your insurance company to, to cover some of this damage? What did it ultimately cost the school to deal with?

Yeah, so, so I would say we spent probably close to a half a million dollars ourselves, uh, rebuilding our system, starting with a consortium. So our system is not on the campus anymore. It’s housed with a consortium of independent colleges at the University of Charleston in Charleston, West Virginia, so they have a team of individuals that manage all of our ERPs there for these small colleges, and that’s worked very well because they have the expertise. In small schools you have a lot of turnover in IT, and just like this challenge with finding cyber security professionals, there weren’t
any then, and so, um, so the insurance company provided a list of companies that they wanted us to use. They recommended legal counsel to handle all of our communications with agencies and others. Um, they, um, they refused to allow this to be considered a business interruption, even though it was, but they said no, this doesn’t qualify for business interruption insurance, and at that juncture back in 2017 they didn’t have these cyber security riders that people can buy, supplements, so we had to deal with what we had and, um, and just fighting with them like you do with claims.

Uh, Deputy Director, that’s a pretty stark, um, sort of decision to make, pay potentially $110,000 or ultimately spend half a million dollars to sort of fix the problem. I know it’s not, obviously

Well, our, our system crashed, so we couldn’t get them to unencrypt it anyway, and it really took three years for me to find a, um, a professional who could unencrypt the data. So we sent it, we, they gave us a list, we chose from the list, and we work with that company for about two years and sent them all of our drives, etc., but they could not unencrypt those data, so it took three years later for us to even find an individual, and that was just a, a coincidence, a meeting at the governor’s office in Alabama that, that, um, brought me in touch with Abe Harper and Harper Technology. He’s an independent professional, and he was able to do it where others who were noted cyber security people couldn’t.

So Deputy Director, what, what is your advice to, um, companies, institutions, businesses dealing with, uh, this decision? It is, it is a hard one to make. What is, what is your advice to them?

Well, Dr. Warrick’s, uh, reflections, uh, that experience and the lessons learned, I think is right on point, uh, in terms of, to be, to, to put oneself in the best position to prevent is again investing in cyber security, building cyber defenses in advance and providing users, operators with the training, uh, and reinforcement, uh, of, you know, the fundamentals and the basics of cyber hygiene and good cyber practices. Um, you know, for everything
that we need to do to really address, um, you know, the problem that we’re all, the challenge that we’re all facing here. I think also, um, that was back in 2017, so it’s a few years ago now. I think it also shows the progress we’ve all made together to now, because, uh, what the doctor just described certainly, uh, has taken hold, uh, and is being done much more so now. And I think from the standpoint of, for us, victim engagement, um, information and intelligence sharing between, among private sector, government, uh, educational institutions and others that have been or could potentially be victimized has, you know, significantly advanced, um, as well. Back then, unfortunately, the harm had already occurred, uh, to the university’s, uh, systems. You know, the bad actors had already gotten in there and done significant damage. So, um, I think the president at the time did the right thing, along with the university team, and reached out to us and others, brought in, uh, the right people at that time. We built a relationship of trust and cooperation, which is essential, um, to preventing and to resolving these situations, uh, as well. But it was very basic at that time. I would say for the Bureau, we didn’t have a lot to offer then other than maybe comfort and reassurance. You know, we definitely brought to bear, uh, intelligence behind it, um, that informed, uh, the incident response firm at the time. But we’ve come such a long way from that. Examples like this are foundational to where we are now in the stepped-up approach we’ve taken, along with others, to better engage, to do it in advance of an attack or an intrusion occurring, and to really, um, you know, share information, intelligence, again, to stop things like this from happening ahead of time and disrupt those that are carrying out those attacks.

In terms of stopping attacks, there was a recent example where the Bureau was able to help a, um, cancer center in Puerto Rico, I believe, stop a ransomware attack recently. Can you talk us through that example? What did the Bureau do there?

Well, I want to share
the spectrum, because we have instances, which is where we want to be, where we get intelligence within the US intelligence community. Boston Children’s Hospital: so there, intelligence was detected in advance, it was shared with the FBI, and we were able to go out in advance of an attack occurring, this one before their systems were left, before the systems were impacted. This was, again, uh, as we’ve seen all too often, the government of Iran, uh, and those acting at their behest, targeting the Boston Children’s Hospital. We were able to take that information, get to the hospital, and stop the attack before it occurred. That’s where we want to be, or even, you know, even before that. Um, with the cancer treatment center, uh, scenario that recently occurred in Puerto Rico, the damage had already occurred there too. So we were able to come in, uh, and this is, I think this really highlights that, uh, cyber attacks and intrusions can pose a threat to life. It’s not just an impact on systems and business, with, uh, negative financial consequences. There are real-life scenarios where, as in this case, people’s lives can be placed at risk because there’s the potential for the denial of life-saving treatment, uh, in this context, and we’ve seen that in other instances as well. But we surged in, deployed a team, uh, to Puerto Rico in conjunction with our field office located there. Uh, we were able to share information, you know, regarding the actors behind this, indicators of compromise, which, uh, informed the response and the remediation effort. Uh, and then we brought in resources from our Behavioral Analysis Unit, our experts, uh, in that realm, and our crisis negotiators, and we actually helped and provided guidance to the cancer center in dealing with the actors, uh, to ultimately pay a ransom, uh, get the decryption keys, and resolve it that way and bring the systems back on.

So this was an instance when they called you after they had been hit, and then you walked them through actually paying the ransom and getting,

Yes. So that’s somewhere in the middle of the spectrum. We have
prevention, and then we have sort of response and support and help provided to those who are victimized, to help them resolve, uh, the situation.

And do you talk to them? Is that a decision that the FBI is involved in, in terms of is it worth paying the ransom or not? Or they decided they wanted to do it and you help them?

That is a decision that, um, the victim is going to make, absolutely.

Right. So, um, for another sort of small business, um, a small hospital like that, the FBI can’t always come in. You obviously have limited resources. What do you tell, uh, hospitals and businesses that the FBI can and can’t do in a situation like this?

Well, if it’s something like that, where we have a true threat-to-life scenario, we’re going to be there, always. I mean, volume always matters, but whenever we’ve had an instance like that that we’ve identified, or we’ve received outreach from the institution or the people that are impacted, we’re going to be there. We are going to surge, and that is of the highest priority for us in the Bureau. That’s our job, to protect life and keep people safe.

We’ve seen a lot of attacks specifically on hospitals and on schools. Is this, I mean, we also see it on companies and businesses as well, but are they particularly vulnerable to these kinds of attacks? We’ve seen a lot of local government attacks as well.

Uh, yeah, there’s been a large amount of that. Um, I think we’ve seen hospitals that have been affected, uh, other medical treatment centers like the example we just mentioned, uh, local government, 911 call centers. So again, I, there’s, there are no barriers. That’s just a reflection of the fact that there are no barriers when it comes to the criminal actors who are behind these types of attacks. There’s no, uh, no barriers or obstacles that would impede them from doing this, even if it places someone’s life at risk and carries potentially the most serious consequences.

Right. So, Dr. Warrick, what is, you reflecting on, um, how you handled the episode 5 years ago, if it happened again today, what would you do? What is
your advice to someone else in a similar situation?

Yeah, well, I think you should review your insurance coverage, because I think all of these entities are getting hacked. I know the hospital in Tuscaloosa was hacked recently and they were offline for three days. Um, I just received notice from my, um, retirement plan in Florida that the whole state of Florida’s retirement plans were hacked, and so they provide you with access to credit monitoring just in case someone has your information. So it’s really very frustrating. So I think you have to be very, um, sensitive to getting the training, um, and just like we did at Stillman, that motivated me to develop a cyber security program to train students to be able to get, you know, help in this situation, because it seems like it’s never ending. And you think that, um, there must be hundreds of people out there that this is their job, so to speak, to just try to sneak into organizations, no matter what type, to access their, um, you know, payments, you know, all over the world. So this is something they do on a continuous basis. So we just have to produce more cyber security professionals who can help train folks who are in, uh, business and government and everything, every entity. And just like in the previous panel, I think we have to start with, um, kindergarten, K through 12, and really start maybe developing cyber games so that young people are, uh, very sensitive to what they do with their iPads and their equipment, etc., because many times they’re using their parents’ technology and the parent doesn’t know, you know, where the child has been. So someone has to, you know, be very sensitive to, oh, what were you looking at, who are you talking to, what are you doing. And I mean, my 5-year-old granddaughter is on her iPad all the time. So you really have to, um, have lots of education. I think education’s important, uh, training, producing more individuals, um, organizations like the FBI and DoD hire more individuals to do this work, because there is a, um, you know, a void there, and really
make people sensitive to the information that they share with the world.

Um, Deputy Director, so, uh, places like Stillman and, um, Dr. Warrick were interested in coming to law enforcement when they were hit, but we have seen over the years that there is a reluctance by some companies, um, and other victims to try to deal with it themselves and as quietly as possible and move on and not report to law enforcement. Last year, when the FBI did, um, infiltrate the Hive ransomware group, I think they had learned, they were able to distribute keys to a lot of victims, but they also learned that only 20% of the victims of this ransomware group had reported the attacks to law enforcement. How is the effort to kind of improve that number going?

I think it’s going well. Uh, we’ve really stepped up the outreach, uh, across the board, the private sector to the academic community, uh, and also outreach to other government agencies at all levels, state, local, and federal. I mean, it’s all about, you have to have a sustained effort in working at it each and every day to build the relationships with people, and that generates the trust. That’s the bottom line. It’s never easy. Uh, we’re all human beings, uh, so you got to drive that all the time, and you can’t be complacent, uh, or rest on anything, uh, from the past. And I do think we’ve made significant strides, um, in the Bureau and across government in that regard. I hope, uh, those represented here from the private sector and other places, uh, feel that. Um, we’re open to feedback and criticism. Uh, if there’s more that we can do, uh, we want to hear it. I want to hear it, the director wants to hear it, Bryan Vorndran, who will be up next, wants to hear it. But we’re all about that, and we’re going places we’ve never been, uh, before, not just in cyber but across the board. Uh, Dr. Warrick and I were reflecting on, when we talk about, you know, bringing diversity to our organizations, uh, and individuals with the skills and the talents that we need in computer science, information technology, and cyber, uh, we have an initiative, uh, that we’ve run for
the last several years in the Bureau called the Beacon Project, and that’s, uh, increased, uh, outreach, uh, to and engagement with historically black colleges and universities. Uh, we’ve been to national conferences together, um, you know, to drive that. We just held one at Morgan State University in Baltimore with Dr. David Wilson, uh, just a couple of months ago. Uh, so, you know, we’re reaching out, uh, we’re engaging, and we’re welcoming, listening to people. Uh, we need that in the Bureau, we need that everywhere across government, but we’re investing in that for the FBI and really doubling down on it, and it’s paying dividends.

Well, thank you so much for joining us. I think we are out of time.

Thank you. Thank you all.

All right, Cyber Summit, joining us for the final conversation of the day, please welcome Bryan Vorndran, assistant director of the FBI’s Cyber Division; Matthew Moynahan, president and CEO of OneSpan; Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency; and Eun Young Choi, Deputy Assistant Attorney General of the National Security Division at the Department of Justice.

[Music]

Thank you all for joining us, um, today. Uh, we just had a very interesting discussion, um, with the deputy director and with Dr. Warrick, um, talking about, um, just how much ransomware has increased there over the past, uh, and we talked about how it’s increased a lot over the past year. Um, maybe I can just get you all to reflect on, the FBI is obviously doing a lot of activity in this area, but the numbers just seem to get worse and worse. Does it feel like a losing battle at this point? How does it look from your perspective?

Um, well, thanks for the question. I would want to take this in concert with Eric, if that’s okay, because we do an awful lot of work together. I think what we’ve seen over the past couple years is significant changes in tactics by the adversary. You know, two and a half years ago we were generally talking about encryption-only events, and then we went to exfiltration-plus-encryption events. Now
we’re at an apex where we’re at a minimum exfiltration-encryption events, and then other things: double ransomware variants being deployed against victimized organizations, adversaries monitoring email traffic of those victimized organizations to understand how the victim is going to respond so they can change threats to executives of the victimized company, right. And so the adversary continues to evolve, and we’re doing our best to stay, uh, in step with that, but it is a challenge. You know, in the previous conversation the deputy director mentioned that the number of enforcement actions and disruption actions that we’ve taken, not just as the Bureau, CISA, with all of our other partners, um, is at an all-time high, but the problem continues to, uh, persist, and that’s likely because it does pay, right, and it’s a complicated ecosystem with insurance payments and things of that sort. But if you’re okay with it, I would want to pass it to Eric, because obviously CISA has the net defense side and I’m sure he has some thoughts.

Yeah, I think what I would just add, first of all, is, you know, whether or not the net number of ransomware attacks is higher or lower in a given month or quarter, it is too high, right. There are still too many organizations being harmed by these actors. But building on a point that you made in the prior panel, we don’t know the number of ransomware attacks happening in this country, because the vast majority are never reported to the FBI or CISA, which results in a few problems. First, we can’t offer help. Second, we can’t understand what these actors are doing to help other organizations defend themselves more effectively. And third, our ability to disrupt the ecosystem is stymied. And so to say the problem is getting worse, well, to answer that question we make sure that we’re getting the information we need to actually offer help, understand trends, and then help defend other organizations before more harm occurs.

Um, Eun Young, are there recent DOJ cases that you feel like are having an impact, trying to turn this tide at all?

You know, I
think it’s a general trend that the Department’s had now for the last few years with the FBI and other law enforcement agencies, where we understand that, first and foremost, we’ve always been a victim-first organization, right. We’re here in the business to protect the American public. We need to take steps in response to these types of threat to see if there are opportunities to stop harm or prevent harm before that can happen. Resilience is always going to be first and foremost a priority. But from our perspective, every time that we can do an investigation with a ransomware variant where we can have unique insights into what’s going on and be able to prevent future victimizations, you spoke about the Hive disruption effort that happened. That came about because we got information from victims early. We can then follow those leads, determine where the online infrastructure is, and see if we can identify other victims, understand their tactics, understand how they operate, and then disperse that information to the public sector. Hive is one example of that. Another example, um, taking a nation-state, uh, attack for a moment, would be, um, there was a North Korean ransomware variant called Maui, for instance. It attacked two US-based hospitals, one in Kansas and one in Colorado. The way that we were able to get back the ransoms that were paid by those two victim hospitals was the first one in Kansas came early to the FBI, explained their situation, worked closely with law enforcement, with CISA, to try to figure out how to rectify the harm that was going on in their systems, but also figure out what other infrastructure might be out there. Through that investigation, the leads that were provided by that victim company, FBI was able to identify another hospital in Colorado, get to them, explain what was going on, and help them through the process as well. And that iterative process is just sort of how we need to be looking at the problem, how we have been looking at the problem over the last few years. It’s a collective security issue, and
I think it’s very important to emphasize that we can only help so far as we have the information that we need to action, to figure out who else might need our help.

Can I add one note? So this conversation about victim engagement is really, really important. And, you know, some folks say to me, hey, does a victim’s engagement with the FBI or with CISA, um, does it really matter in the end from a disruption perspective? And the answer is a definitive yes. There is no maybe. The answer is yes, it absolutely helps. Perhaps more importantly, when we engage with a victim, the information that we’re seeking, it’s all underlying facts of the investigation that the incident response company is conducting. We’re never asking for privileged information. Uh, the term privilege gets used quite frequently, and probably incorrectly at times, but our primary interest is underlying facts of the investigation. Think about things such as IP addresses where the attacks were catalyzed from, cloud infrastructure that was used to exfiltrate data, right, ransom notes, audio recordings of social engineering phone calls. These things become extremely important evidence to build the disruption opportunities that we have. So just wanted to take the opportunity to highlight to all of you that victim engagement really does matter.

So I want to talk about, you brought up some of the newer techniques you’re seeing ransomware hackers use, but I want to go through a few of them. Matt, you had talked about how, um, from your perch running a cyber security company and identity protection company, you have, um, seen the growth of artificial intelligence being used to sort of crack some of what you’re doing. What does the problem look like from your perspective?

Yeah, I think the problem’s obviously real, and I think if I had to be bold and predict, it’s going to get 10 times worse, right. I remember doing a panel, fortunately I’ve spent my entire career in cyber. Sometimes I have to apologize, because, you know, after trillions of dollars of spend, you know, the problem’s getting
worse after 20 years, right. I mean, any other industry in the world, you would have shut it down. You never think of doing that for cyber, but if it was automobiles or, uh, planes, you know, the failure rate’s very high. Now why, right? I don’t think the internet’s ever going to be secure, right. It wasn’t built to be secure, it’s constantly changing, and cyber unfortunately had to react to technological change. Uh, and, uh, you know, here we are 30, 35 years later, and I think the one word I’ve heard today consistently has been trust, right. The internet is insecure, and business and people and families and friends run on trust. So whether it’s business email compromise or account takeover, all of these are just tools and techniques that manipulate humans into taking action, right. And so I think when you think about artificial intelligence, you know, the, uh, you know, 30 years ago you might have had my grandmother or great-grandmother fall victim. You still have that today, like technically unsophisticated people, generally speaking, you know, may fall victim easier than someone who’s sophisticated. But, you know, when that picture of the Pope came out, I had to stare pretty hard, and I could tell that it was not real, you know, but that wasn’t my initial reaction, right. And so I think what you’re having is, with the new tools and techniques, AI in particular, it’s almost, uh, it’s going to be, uh, you know, it’s going to be almost impossible for even the trained eye to recognize something that isn’t real, and we still trade on trust, right. So I do think there’s got to be some transformative approach to dealing with this, and obviously the executive order coming out with watermarking, other types of potential solutions for that. But, um, I think, uh, until we can figure out how to ensure trust, uh, overall, it’s going to be very, very difficult for any of these individual types of techniques to be stopped.

For the rest of you, what are you seeing now in terms of AI and machine learning being used by, um, cyber attackers?

So, you know, what we’re seeing generally is actors are at
times using AI to make what I would call commodity attacks easier for them. So the canonical example, of course, is phishing emails, where we used to say look for grammar, um, errors or, uh, misspelled URLs. That’s a thing of the past, right. And so any reliance that we ever had on user training as an effective control against phishing, um, you know, that’s out the window. Um, we are not yet seeing adversaries use AI systems to, for example, exploit vulnerabilities at scale, but it is reasonable to expect that it is coming. Um, and so, you know, I think we already know one challenge we face with the ransomware ecosystem is that when there is a newly disclosed vulnerability, particularly in a product that’s facing the public internet, ransomware actors often move within hours to launch automated campaigns exploiting every instance they can find. We saw that recently with the Cl0p activity against, uh, the MOVEit managed file transfer application. It is reasonable to expect that AI applications will only make that kind of activity more rapid and enable broader exploitation, which is why we do need to focus also on the product side and making it harder for these actors to execute these sort of opportunistic attacks against products that are built securely.

Um, Bryan, you had brought up the idea that you’re seeing ransomware attacks also target executives of companies. Um, I pulled up a notice that Microsoft had provided last month where they were detailing a case study where, uh, an employee at a company was getting text saying, quote, if you don’t give us your login in the next 20 minutes, we’re sending a shooter to your house. I mean, that obviously sounds pretty scary. How much are you seeing that manifest in ransomware attacks?

You know, as I alluded to in my opening remarks, we are seeing an evolution towards that, where that is becoming more commonplace. Um, you know, and it’s all designed to put pressure on organizations and people to extort them, right. That is the primary goal. Uh, you know, I think it’s important to know, while we’re on this topic, this is why
we counsel to always plan to move to out-of-band communications as part of your tabletop exercises with ransomware, right. That is extremely important. So whether you look at it through the lens of an executive having a primary cell phone that he or she uses that’s being robotexted or receiving threatening calls, that phone is essentially neutralized at that point from communications. Similarly, as I mentioned, we’re seeing email traffic monitoring by ransomware actors, and they are monitoring what the victims are doing in terms of engaging with the US government, who their incident response firm is, whether they do or don’t plan to pay. But the bottom line is you have to move out of those communication protocols into something that you know is protected from the adversary. So just a really important takeaway. But to answer your core question, it is a continued escalation in a tactic that we are seeing.

And do you think that’s contributing to companies just deciding that ultimately they’re going to pay it to get out of it?

It’s really hard for us to say, um, because of the data problem we have, right, and that truly is, I mean, we generally, and I don’t want to speak for Eric, but I think I probably am speaking for him and CISA as well, we generally don’t have companies come to us and say, hey, we’re ready to close out our victim engagement with you, we have paid, we paid this much money, and this is why we chose to pay. That’s usually not part of what that engagement looks like. So it’s a very, very difficult question to answer, in all sincerity. Eric, I don’t know if you have anything.

Exactly right. I’ll just note that is really the importance of why Congress enacted incident reporting legislation last year. Um, when that, um, requirement goes into effect, uh, in the next year and a half, that is going to mandate, importantly, not only reporting of covered incidents for relevant entities but also reporting of ransom payments, which will go to CISA and the FBI and for the first time actually give us that body of data with which to draw these conclusions
and actually understand which actors are affecting which entities and how the payment ecosystem is working at scale.

The deputy director did talk about an instance where the Bureau did work with a victim to actually pay the ransom. Is that a thing you’re doing more now? Is that something the government is sort of more attuned to trying to facilitate?

Um, you know, I would say it this way: our position holds firm, right, which is we discourage ransomware payments because it fuels a criminal or, in some cases, national security ecosystem, right. And so we discourage that, but at the end of the day it’s a business decision for nonprofits and for-profit organizations. Our ask has always been and remains: keep us, the US government, close during that process. And there’s a couple reasons for that. Number one, based on the data we do have, we may be able to offer some insight into how best to negotiate or what type of reduction to try to negotiate if you’re going to make a ransom payment. Crypto tracing, which I expect that we’ll talk about here today, is obviously very, very important to us as well in the Bureau and the Department. If we don’t know what virtual wallet that ransomware payment is being made into, we have no way to trace it, right. And so I don’t think it’s a matter of are we encouraging or discouraging, are we encouraging our people to be, um, part of that process, as much as we want to be close to the entirety of the process, because there’s intelligence and evidence value to be derived from that that allows us to work with CISA and others to do more disruptive activity.

Um, on a few earlier panels today, uh, we talked a lot about the SEC’s new, um, disclosure rule about reporting a material breach within four days. There is this public safety exception where the Attorney General can make a determination, um, impacting Social Security and you don’t have to report it. Um, Eun Young, can you start, maybe talking about how is the Justice Department going to interpret this?

Sure. We’ve been working closely with FBI to determine our own procedures as to
how we’re going to deal with this issue going forward, as well as with other, um, government entities. I think the bottom line is you’ll get some public guidance about exactly how we’re going to address it. A few things that I wanted to make plain. One is, it does say that the Attorney General makes that determination. That determination will be delegated to other senior people within the Department to make sure that we can work at pace, because the exception as is written in the SEC rule only gives us four days from the materiality determination in order to determine whether or not the disclosure itself will cause a significant risk to national security or public safety. Second, the determination is really about the disclosure. So we’re going to look at a bunch of different, um, facts, including, you know, what the industry is, the type of vulnerability. If it’s something like a zero day from a nation state, we’re probably going to lean towards potentially having, um, a concern about that disclosure in terms of a national security risk than if it is a sort of run-of-the-mill phishing attack, for instance. And so those are sort of case-by-case determinations that we’re going to have to make. Um, third, and again to echo the theme of this panel, I think at least from our perspective, the government perspective, is, um, the new exception of the rule really requires a very quick turnaround. And as was discussed by, um, Eric from the SEC in the earlier panel when he was discussing the thinking behind the SEC rule, um, you know, the determination of materiality is governed by securities lawyers, basically. Like, you’re going to have to take some time to figure out exactly the scope of the problem, and it’s not expected that that determination be immediate. But what we would ask is, especially if there’s a situation in which you’re not sure and you may want to avail yourself of that exception, the earlier you can come to us before you’ve made the materiality decision, the better we can be positioned to help you, um, not only from a remediation standpoint but to make
the determination in a timely fashion as to whether or not the exception applies. And so again, the earlier that you come to us the better, um, and we can work together to try to figure out, um, whether or not the exception would be appropriate in that instance. You want me to add my part?

Um, so FBI has a central role with the Department in these delay requests. And so for those of you who haven’t read the rule, essentially it says, um, that any public registrant in a publicly traded company can essentially seek a public safety, national security delay for 30 days for the disclosure, uh, by engaging any sector risk management agency, Secret Service, CISA, or FBI. And I’m a process engineer by trade, so, like, the killer of any process is variability, and, like, the rule brings in a lot of variability. Uh, but the bottom line is this: we will work with the sector risk management agencies, with CISA and Secret Service, to provide a standard, essentially, intake form that really asks the victimized organization to provide us some, again, underlying facts from their investigation, nothing privileged, so that we at the FBI can do coordination and deconfliction with the intelligence community. Because while the Department obviously has a responsibility to look at it from the disclosure, part of that is informed by other ongoing IC operations, intelligence community operations, that, if this disclosure does occur, would disrupt what we’re trying to accomplish. We will own that process. Um, we would, you know, Eric and I are very, very close colleagues and friends, and, you know, CISA and the FBI have a tremendous relationship. In this case it is going to be more efficient to come through your FBI field office for the request initially. Um, it’s just the reality of it. Um, so two other quick notes on this. Number one, uh, the number one question I get asked is, if we engage FBI, or if we engage CISA, or if we engage Secret Service or a sector risk management agency, does that start our 96-hour clock? The answer to that is no, it does not. The important term is materiality.
Once that determination is made, the 96 hours starts. So if you want to consult with Eric and his team or with the FBI team to figure out whether you do or don’t want to pursue this, the clock doesn’t start. Um, the second thing is that obviously we will also provide public-facing guidance in the next month. Uh, we’ve stood up an internet page, we’ve tried to highlight it on our LinkedIn page. All the public-facing guidance to make those requests will be there and available, uh, in the upcoming weeks, so just continue to monitor that.

Are any of you worried that, given the very tight time frame, there could be situations where a company wants to disclose something, a public company wants to disclose and doesn’t know the full story, that you guys might have some specific national security concern that they didn’t think to come and ask you about?

So I’ll take that. There’s somebody in the audience today, who I won’t mention by name, who raised this exact question to me. Um, we had always looked at it from the perspective of organizations who are victimized are going to want to request a delay, right. We never really looked at it from the perspective of there are organizations, based on, um, regulation requirements, et cetera, that their initial provision is to simply disclose, right. And so we are trying to do our best to figure out how to best deal with that right now. Um, we’re going to probably solve that by having very narrow conversations with very specific sectors to talk through this on a nuanced basis, to make sure that if there is an equity for the Bureau, for NSA, Cyber Command, CISA that needs to be accounted for prior to immediate disclosure, that we have those mature relationships in place.

The SEC obviously has a different mandate than the agencies reflected here. Um, just a few weeks ago they did sue SolarWinds and, uh, an employee over allegedly not disclosing that breach fast enough. I know you can’t comment on the specific case, but can you just talk more generally, how do the FBI, CISA, DOJ sort of work with the SEC on these issues when you might
have slightly competing interests?

I’ll go first, pass it to the right. So this is the number one question I get in my job, right: what is the FBI’s relationship with the, you know, I answer that in this way. Number one, an organization, a company’s relationship with their regulator is that, their relationship, right. The FBI doesn’t have a role in that relationship. Um, I can’t come up with one time in my tenure in my job where the FBI has provided victim information, uh, to the SEC. Um, but, you know, here’s where there is interaction. Um, we will get calls in our field offices at times, and the SEC will say, hey, uh, we have questions for the victimized organization, can you let me know when your team and your folks are offsite, and at that time we’ll engage with the victim, just so that they don’t have to engage with the FBI and, uh, SEC at the same time. That’s generally the magnitude of the overlap between us and SEC. It’s a logistics coordination role about the SEC serving their mission with a victim after or before we do, but not at the same time.

Likewise for CISA. I think, you know, what I will add, looking not just at the SEC but across the universe of regulators, the question that regulators are asking, uh, in general terms, is did organizations within their remit adhere to a reasonable duty of care in their enterprise cyber security. And so CISA’s role, being, uh, a non-regulator, uh, in the cyber security context, but being the voluntary, technocratic cyber defense agency, is to help define for organizations what should they be doing, what should they be investing in, so that they can drive the right prioritization, uh, and invest in the right controls and security measures, such that if regulators choose to assess the sufficiency of an organization’s cyber security measures, they can look to a place of consensus to determine, um, the sufficiency of those investments. And we think that having that kernel of best practice across regulators drives consistency and enables, um, more certainty in investments across the board.

I mean, I don’t have
very much to add to that, other than to say I have had instances where the SEC has asked about a status of an investigation, and our view is generally, one of the things they’re looking for is to determine whether or not the victim was cooperative and sort of what measures they took. Oftentimes we will have, we will let them have, the victim have that conversation with the regulator themselves, but there have been times where I’ve affirmatively said, when I was a prosecutor doing this work on the line, they were very cooperative, they came early, and I think, and these are the types of, you know, things that we would want to see from a victim, and that has been helpful in trying to negotiate towards, uh, you know, non-enforcement as it were, to put them in a better, uh, standing with the regulator.

Matt, as the sort of private sector representative on this panel, how concerning were the cases like SolarWinds? Like, how much anxiety do you think that has produced?

Uh, no, I mean, it was incredibly important for a whole set of reasons, really everything from the insecurity of the infrastructure down to actually going after an individual, right? I mean, I think that’s what’s hard about it. I mean, the cyber issue has forced companies to try to become cyber security companies. The banks, given the spend and the sophistication and the resources they have, have come very close. In fact, some of those banks are probably more sophisticated than some of the cyber security products companies, in many cases are the ones assembling that. Uh, going after the individual, there’s so much variability in people, right? I think it gets down to intent and negligence and things that other, uh, parties are going to have to assess, from my standpoint. But I would just say that there’s a wide variety, particularly with the turnover inside of private companies, and trying to determine, you know, um, was someone, uh, the intent behind it, the negligence, because I know that a lot of companies are exposed, you know.

Um, to switch gears a bit, um, the last, uh,
few minutes we have, I wanted to talk a little bit about, uh, cryptocurrency. Um, Eun Young, earlier this month the Attorney General did say, in the wake of the October 7th attacks in Israel, that he had directed the Justice Department to offer assistance to Israeli investigators to identify, investigate and disrupt financial flows and other material support to Hamas, including in the form of cryptocurrency. Um, is there any update you can provide on how that effort is going?

Nope, I can’t tell you anything about an ongoing investigation. I will say it is a priority for us to be working closely, as the Attorney General, um, directed us to do, with our law enforcement counterparts in Israel to deal with the ongoing conflict there. Um, and it generally highlights the issue that we’re seeing across the board with regard to cryptocurrency, which is, it is a means, and digital assets are a means, to facilitate other types of criminal activity when it deals with, um, the flow of funds, which is in basically everything: ransomware, um, sanctions evasion, all sorts of terrorist financing, all sorts of different things. And so, I mean, in my prior role I was, uh, the director of the National Cryptocurrency Enforcement Team at the DOJ. The reason that whole team was set up was because of the importance of cryptocurrency and the fact that it is very cross-cutting across all of the types of cases that we investigate. Um, so it’s no surprise that the Attorney General would direct us to also look at cryptocurrency, but, um, that’s because we see cryptocurrency in all sorts of different settings.

And I think a few of you have talked about, um, this idea that as some, uh, cryptocurrency exchanges have gotten better, that some of the, uh, transactions that you’re really concerned about are moving to other exchanges that are in countries that you may not have access to information from them. How much of a trend is that?

I mean, there’s always a jurisdictional arbitrage issue with this. This is not, again, new to cryptocurrency,
it’s something that’s existed in, um, financial crime for quite some time. There are some countries that are robust with their anti-money laundering and countering the financing of terrorism policies and programs. They make sure that financial institutions within their jurisdictions abide by know-your-customer rules, so they know who is actually in control of the money that flows through, um, their banks and their financial institutions. Crypto, on the other hand, there’s a pseudonymity that’s built into that, right? The whole point of, um, Bitcoin’s creation is to create a trustless system where, um, these transactions can occur without true knowledge of the identity of the person on the other end. And so that’s created additional problems. There are centralized exchanges that have abided by the obligations they have to function in the United States, including by registering with FinCEN and having robust Bank Secrecy Act, um, AML, uh, CFT controls. There are other jurisdictions that don’t have that type of robust requirement, and they are also very crypto-friendly in that they want to invite industry in. We’re going to have that problem until we can kind of continue to make sure that we highlight the importance of having, um, universal standards when it comes to, um, you know, AML and general, you know, compliance controls in all of those environments. This, again, is a problem, but it’s not a new problem to crypto. It’s one that’s existed, um, generally in money laundering investigations for quite some time.

Brian, can you talk about what the cryptocurrency problem looks like from the FBI’s perspective?

Sure. Let me do my best to set a foundation to build off of what Eun Young said. So, you know, we know the primary blockchain analytic firms out there. I’m not going to say them here, but, uh, they’re very well-known companies. When you look at the exchange, the virtual asset service providers, that’s too broad a term but I’ll use it here today, they’re relying on those blockchain analytical firms to essentially identify dirty water
wallets, et cetera, wallets tied to North Koreans, to criminal adversaries, so that those exchanges don’t essentially process funds, uh, originating from those wallets. The timeliness of the intelligence in those blockchain analytic platforms is extremely important because of the speed of cryptocurrency. So after a theft, or after money is used for nefarious reasons, the adversary’s ability to launder that money quickly is very, very high, right? And so we have a distinct role to trace that cryptocurrency, but it’s a niche job and it’s a really complicated job, and it ties into these blockchain analytic firms, because a lot of times some of the things we’re identifying are being shared with these blockchain analytic firms to inform AML/KYC norms in these virtual asset service providers. It’s just a very complicated problem that has a speed element to it that makes our job extremely difficult. Um, you know, there’s been a lot of, uh, attention put on building relationships with these virtual asset service providers, and does that or does that make a difference? I think at times it makes a difference, at times it doesn’t make a difference. It really depends on the cooperation of the bridge or the virtual asset service provider and whether they essentially do or don’t want to engage with us. I would just say for the crowd, right, yes, it’s a historic money laundering problem presenting itself through crypto. The velocity that adversaries can launder the money in the crypto space is very high, and that makes our job quite complicated, right?

Um, to go back to ransomware, uh, a little bit. Eric, I had wanted to ask you about, uh, the recent attack on, um, Industrial and Commercial Bank of China, ransomware attack. It seemed like this was the first time that, um, a ransomware attack specifically targeted, um, stopping financial trades within the sort of plumbing of the financial system, and some folks viewed this as sort of a new frontier. What does that look like from your...

Sure. So I’m not going to speak to an individual victim or the intent behind
an individual attack. Um, what I would say is, you know, we have seen by and large ransomware campaigns, particularly by actors like LockBit, like Clop, um, that affect innumerable organizations, targeting very specific technology products that have very specific vulnerabilities, and those vulnerabilities are characterized by commonality, which is that they could have been fixed before the product was pushed to market. And so from the point of view of CISA, even as we work urgently with our partners at the FBI to respond to victims, we are also recognizing that one way to reduce the prevalence of these intrusions is by taking away some of the opportunistic attack surface by working on the vendor side, on the product security side, to drive development of products that don’t have vulnerabilities that we know ransom actors are going to exploit. Just as one example of our work in this area, um, in the incident reporting law that was passed, uh, a year or so ago, um, a little-known provision, uh, had us create what we call a Ransomware Vulnerability Warning Pilot, where we work with partners like the FBI to understand what vulnerabilities ransomware actors are exploiting. We then scan the internet to find those vulnerabilities. When we see them, we go out to knock on a door and say, hey, you need to fix this device now before a ransomware actor gets to you. But then also we go back to the vendor and say, this vulnerability is being used by ransomware actors, what can you do to drive remediation, and what can you do on your development side to make sure that you’re reducing the prevalence of these conditions by design? That’s one leg of the stool that we need to invest in to reduce prevalence even further.

Can I pile on to that? I think what Eric said just is extremely well said, number one, but extremely important, number two. You know, when you read the National Cybersecurity Strategy that was published, you know, it is a focus on net defense and resiliency, and it ties and maps directly to what Eric just said. Another interesting data point, and please don’t quote me
on this, because I would want to go read it again before, um, it’s fully disseminated, but if you read the first Cyber Safety Review Board report, where the Log4j, Log4Shell vulnerability was studied, one of the findings in the back of that report is how the American academia system does not have secure coding by design practices ingrained in our education system. And I just think that’s a really, uh, unique highlighted note in the Cyber Safety Review Board report that directly ties into what Eric just shared about some of the ecosystem problems that Matt talked about that have existed for 20 years, probably point to some of the core, the root cause reasons why. So I really think what Eric said is important. Uh, it’s an ecosystem problem, it’s a secure coding problem, we all have to rally around that.

So I think we have a few minutes for questions, if there’s any audience questions. And while, uh, we get a mic out, I just want to see if you guys can go down the line and talk about, you know, a year from now, what do you think the ransomware problem will look like? Do you think there’s any one thing that might help turn the...

I mean, I think we’ll all still be employed, right, because of that problem. Um, and until there is a significant shift in the ecosystem that Eric just described, where ransomware actors are compromising mass vulnerabilities that are capable of being patched or remediated, and until our fundamentals are in place across America, right, phishing tests, these types of things, it’s going to remain a problem. It’s just a bottom line, and the reason is because it’s worth the time for the criminals.

Yeah, I would agree. I think it gets worse.

Succinct.

I mean, you know, while I don’t expect that we will see the problem getting better, my optimistic hope would be that the slope of harm will begin to shift downward, both as organizations, enterprises and vendors make the right investment and as partners like FBI, DOJ continue investing in disrupting the ecosystem that these actors rely upon.

I just want to make one point about trends,
which is, I think ransomware is just another, the new technique that has happened over the last few years as to how cyber criminals can profit from their activities. But the common thread, I mean, it was started with banking Trojans, it’s evolved over time, but the common thread, as always, there’s some way in. The vulnerabilities will still exist. The reason why resilience is important in this regard is because you’re not just making yourself more resilient as against ransom attacks, but as against all sorts of different types of ways, be they profit-motivated criminals or nation-state actors who try to, um, exfiltrate your sensitive data from your companies. They’re all sort of interrelated in that respect, and so generally trying to build towards more resistance, uh, resilience is going to be the best path forward.

Other audience questions? Yes.

Yeah, thank you. Um, my name is Mike Wils, I’m the adjunct professor that asked the question earlier. Um, I have an interesting scenario. In April of 2021 we learned about the DOJ giving the FBI permission to unhack the Microsoft ProxyLogon, because these web shells hadn’t been patched, and so that was a disruptive, uh, activity. But if this happened in 2024, all hundred of those publicly traded companies would have to file a Form 8-K listing the threat actor as the FBI. And so I’m curious, uh, if you could discuss the possibility of this happening again, because I do believe that General Nakasone and, uh, Director Wray said that they plan to do more interventions and disruptions.

I’ll take that one. Okay, um, I don’t know you, right, and I know you don’t know me either, but I think the, uh, opening description of your question is factually incorrect. Um, because the, uh, legal standard we used was under Rule 41 search and seizure, with a probable cause affidavit that underpinned that search and seizure warrant, and in every one of those cases with the Microsoft Hafnium web shell we had very specific file paths, because of our investigation and because of some private sector partnerships, that allowed us under Rule
41, signed by a neutral magistrate judge in the Southern District of Texas, to give us the legal authority, and that affidavit is available for any of you to read on the internet, to do that work. And so I just, um, I think I found myself more and more, as I get into my job, saying words matter and definitions of words really matter, and this is a time where words matter. And in that case, um, you know, a neutral magistrate judge found that we had probable cause under Rule 41 to conduct that operation, and we did not hack companies that would have in any way, shape or form required them to report us as a threat actor.

And that’s true with all the court-authorized disruptive activities that we’ve done to date. That includes the Snake, uh, takedown with Operation Medusa. It also, um, applies to Cyclops Blink. We’re not doing any of this outside of ensuring that we meet the legal standards that are set forth in Rule 41. I’m very proud of you for not being a lawyer and remembering it’s Rule 41. Um, but you know, a judge said that that was a legitimate use of our authorities, and we’re going to continue to do more of that to protect the American people. And you’re placed on notice, because we provide notice to victims and we also make available and publicly publish the orders themselves. So I think that’s an important part of that as well.

Well, thank you all for joining us, um, and thanks for a great conversation. Thank you. Thank you.

[Music]

All right, thank you everyone for sticking with us to the end. That was a great way to wrap up, I think, what was a terrific day. Um, I do want to thank 92NY for opening their home and being such gracious co-hosts to us. Also, once again, want to thank our sponsors who made today possible: The Record from Recorded Future News, OneSpan, Google, Insight Partners, PwC, Paladin Capital Management, Splunk, Coalition, Amazon Web Services and Apple. Um, tomorrow you’ll get an email with a survey. Let us know what we did, uh, right and also what we did wrong so we can make it better next year. Um, and also if you want to find
out information about next year’s Summit, that’ll let you do that. Finally, a video will be available online, please do share it with your friends. Um, but thanks again for coming today, thanks for making this a great event, and we look forward to seeing you next year.

[Applause] [Music]
Experts from business, state and federal government, and civil society took the stage on Wednesday, November 15, at the 92nd Street Y in New York City for the 2023 Aspen Cyber Summit.
On the heels of President Biden’s landmark Executive Order on artificial intelligence (AI), these influential thinkers and leaders broke down how generative AI and other emerging technologies will impact cybersecurity today and in the future.
Session topics ranged from a personal discussion of how cybercrime impacts organizations and individuals, to the growing importance of the cybersecurity of space-based systems. The Summit also dug into the federal government’s search for unidentified flying objects (UFOs), the bird-drone conspiracy, and the role of technology in both fostering and fighting mis-/disinformation.
About the Summit
The Aspen Cyber Summit is a unique, annual gathering that brings together top leaders from business, government, academia, and civil society to discuss the world’s urgent cyber issues and drive action to help secure our digital future. This nonpartisan summit is one of the most significant stages for cyber policy discussion, and spurs dialogue and momentum to act on today’s challenges.
NSA Cybersecurity Director and Michigan Secretary of State added to roster of cyber policy experts for November 15.