The 2022 Aspen Cyber Summit took place on Wednesday, November 16, at the iconic 92nd Street Y in New York City.
The Summit is a unique, annual gathering that brings together top leaders from business, government, and civil society to discuss the world’s urgent cyber issues. This nonpartisan Aspen Institute event is one of the most significant stages for cyber policy discussion, and spurs dialogue and action on the challenges of today and tomorrow.
Senior representatives from the US government’s cybersecurity response headlined the seventh annual Aspen Cyber Summit. Guests heard keynotes from DHS Under Secretary for Policy Rob Silvers, TSA Administrator David Pekoske, and White House Principal Deputy National Cyber Director Kemba Walden.
Good morning. Our program will begin in five minutes. Please find your seats.

Good morning. Please take your seats. Our program is about to begin.

Vivian Schiller: Hello everybody, welcome. My name is Vivian Schiller. I am executive director of Aspen Digital; we're a program of the Aspen Institute, and we are so incredibly thrilled to welcome you to the annual Aspen Cyber Summit. It's the first time we've been back in person in three years, and just a few things have happened in those three years in the world of cyber. They certainly have not gotten easier; they are more complex, more real, and certainly more urgent. But luckily we have an incredible agenda and a lineup of speakers to reveal all to you today. So I want to welcome our online audiences who are watching live from around the world, and I especially want to welcome those of you who have joined us here at the iconic 92nd Street Y in New York. We are so proud to welcome their supporters in the room, their members, and people from various organizations that we've gotten to know and work with over the years, including, just to name a few, Unfinished Network, All Tech Is Human, Latinas in Tech, and so many other amazing communities. I also want to thank our presenting sponsor Forescout, our media presenting sponsor The Record by Recorded Future, our gold sponsors Paladin Capital Group and PwC, and our silver sponsors McKinsey and Broadcom. At Aspen and at Aspen Digital we are expanding and growing our cybersecurity programming significantly, and in order to meet the moment I am really pleased to welcome, both here by my side and to the Aspen Institute family, Jeff Green, who has recently joined us from the White House with just a stellar background in all areas of cybersecurity. He has come in to lead and continue to build our work in this area, so
I'm going to turn it over to Jeff, who also has an announcement about one of our latest initiatives.

Jeff Green: Thanks, Vivian. As Vivian said, it is an exciting time for the Aspen Cyber program. Our U.S. group is now five years old, and in that time we've published work on a wide range of issues, from workforce development to operational collaboration to maintaining our country's edge in innovation. And in the coming months you can expect to see more work out of that group. In particular, we have two projects underway: one looking at private sector support to Ukraine, both in the lead-up and as that war started, and one on the role of the chief information security officer. But as that work shows, cyber is truly global. It's a cliché, but it is true, and in recognition of that I am really thrilled to announce today the formation of a major new initiative of the Aspen Cyber program: our Aspen Global Cyber Group. We held our first meeting last week in Prague with a group of experts from around the world. We have three distinguished co-chairs leading this effort: Marina Kaljurand, currently a member of the European Parliament from Estonia and formerly Estonian foreign minister; David Koh, who is the Commissioner of Cybersecurity and the chief executive of the Cyber Security Agency of Singapore; and finally Corey Thomas, who is the CEO and chair of the board of directors of Rapid7. Our charge to the group was pretty simple: give us some practical, implementable solutions to the most urgent cyber issues that face us today. In the coming weeks and months we'll be sharing more details about what that group is doing, but we're really thrilled to have that together. But now, turning to today's event: whether it's ransomware or Ukraine or workforce or resilience, I like to say the last 18 months have been a very interesting decade in cybersecurity. So we're really excited to have the opportunity to dig deep on these issues and more. So let me bring to the stage for our first discussion today: we have, from the Department of
Homeland Security, the Under Secretary for Policy, Rob Silvers, and from The Wall Street Journal, Aruna Viswanatha.

[Applause]

Aruna Viswanatha: It's great to be with you all today, and it's great to have Under Secretary Silvers with us. We have a lot to talk about, but I thought we would start with something that's on a lot of people's minds: the midterm elections. After several years of major disruptions, foreign disinformation campaigns, cyber attacks, physical attacks, it almost seemed like last week's elections were something of a return to normal, whatever that means. I wanted to get your take on what the day looked like for you. Did you expect it to be like that? How did it look for you?

Rob Silvers: Well, thanks, Aruna. Thanks to Aspen for having us. And I just want to say on a personal note that it's very nice to be back at the 92nd Street Y. I actually took art and music classes here as a toddler and have been back many times since, and it's great to be here with you today. Americans can and should have confidence in the security and integrity of our elections, including the midterm elections that recently happened. We had worked extensively with the state and local jurisdictions that administer elections to ensure they had what they needed in the lead-up to the elections, and on Election Day we had a 24/7 ops center going to make sure we were on top of everything. We have no evidence that there was any activity that changed or deleted votes or interfered with critical election infrastructure. There were no specific or credible threats to election infrastructure on Election Day. Right now votes continue to be canvassed and tabulated in various jurisdictions; in some jurisdictions that takes longer than others, based on what local and state laws are, and that's how it's supposed to work, and that's actually why Americans can have confidence that the process is working as it is. And so between the terrific work of election administrators around the country and what CISA at our department did to help support them, we can and should have
confidence in the integrity of the elections.

Aruna Viswanatha: Before the elections we did see some tech companies and the FBI talk about how there were some foreign disinformation campaigns that they had identified and taken down. How worried were you about some of those things?

Rob Silvers: We're concerned about foreign malign influence campaigns, when countries like China or Iran or Russia try to insert themselves into our democratic processes. That's something that we're going to be very vigilant to from a national security perspective, and CISA did put out its website called Rumor Control to ensure that Americans could get the facts about election security. And again, now over a week after Election Day, we have confidence that we saw no evidence of foul play that changed or deleted votes, and no specific or credible threats to the actual election infrastructure.

Aruna Viswanatha: Right. So to take a step back a little bit on cybersecurity more broadly, we've heard for a few years now that one of the largest concerns has been the potential for attacks on U.S. critical infrastructure from Russia, China, North Korea, Iran. Now that you've been on the job a while, how do you rank your concerns, and where are we at in terms of trying to address those?

Rob Silvers: Yeah, absolutely. I mean, if you look at what the last two years or so have brought, it has really been unbelievable in terms of the threat landscape and how dynamic it is. Almost exactly two years ago you had the SolarWinds supply chain attack; you had the Microsoft Exchange hack shortly thereafter; and then Colonial Pipeline was taken out, disrupting gasoline supply to the Mid-Atlantic region. And then, just as network defenders after a busy year were hoping to get some rest for the holidays, the Log4j software vulnerability, the most serious vulnerability ever discovered, came to light around the holiday season last year. And then of course escalating tensions around Ukraine and all the cyber risks coming with that. And so it's a very dynamic threat landscape. We
continue to be concerned about China and their capability, Russia and its capability, and many others, and then of course the criminal actors. Ransomware continues to happen at unacceptable levels, so between criminals and nation states the threats are real. The good news is there are a lot of steps that companies and other organizations can take that are effective in protecting themselves and building resilience. Defense matters; resilience matters in this space. And so our mission is to help enable those companies to harden up.

Aruna Viswanatha: Some of those examples you just mentioned are all more than a year old, and to some extent we haven't had huge attacks like those in the past year. Should we read anything into that? Do you see that as sort of a positive trend line?

Rob Silvers: I wouldn't get too complacent. I think we see enough attempted intrusions and successful intrusions every day that we are not letting our guard down even a little bit. We saw ransomware hit a major health care system recently here in the United States, and so, no, I don't read too much into any kind of pause. I don't really see a pause in that respect. I do see incredible efforts to build resilience and network defense. I think that companies, that industry, are making a lot of progress there, but I think they need a lot of support from the government, and it is our mission to provide that to them, in the form of developing and sharing best practices, in the form of sharing threat intelligence really quickly, declassifying information really quickly. So for example, when Russia started massing tanks on the Ukrainian border around this time last year, we went into an all-out push with our other agency partners in the federal government to declassify as much Russia-related threat information as possible and push it out to industry so that network defenders could use it to protect their systems. And so we are really going all out. We're not letting down at all.

Aruna Viswanatha: Do you
think that declassification effort specifically thwarted attacks that would have otherwise happened, in terms of cyber attacks?

Rob Silvers: Well, I do think that there is a lot of evidence that good preparedness can be effective against Russian cyber attacks. I think Ukraine is actually a really strong example of that. The Ukrainian government has gotten a lot of support from the U.S. government and other partner governments on the cybersecurity side. They've also been working really closely with Western technology and cybersecurity firms, and they have withstood a lot of Russian cyber attacks better than people expected they would. Now obviously it's not perfect defense; some has gotten through, but they've also cut off at the pass some serious attempted intrusions and disruptive attacks in a way that I don't think the community would have predicted they would have been able to do. And I think that's just a really powerful lesson for all of us, again, that defense matters. How much you invest, how much you focus on it, counts and will count in the crisis.

Aruna Viswanatha: And you think Ukraine's ability to defend some of those is a direct result of the U.S. declassifying and sharing intelligence very quickly?

Rob Silvers: I think the combination of intelligence sharing and private sector companies from the United States and elsewhere helping them to detect malware that may have been deployed, and potentially live intrusions that may have been set to execute. Yeah, I think all that has demonstrably been effective for Ukraine.

Aruna Viswanatha: On ransomware, the Treasury Department put out some numbers last week that showed more than a billion dollars in ransomware payments last year, and that was up more than double from the year prior. That suggests a pretty alarming trend, but then we also hear from industry executives that companies are getting better at having data backups and having a stronger ability to resist paying ransom. Where does that trend line look like to you from where you sit?

Rob Silvers: Ransomware, look, we just had, as
I mentioned, a major ransomware attack on a hospital system, and so it's at unacceptable levels. And so what we're doing is a multi-pronged approach. One, we are helping companies with their resilience, both in terms of withstanding the attack at all, or being resilient by having backups that they can resort to and rebuild their infrastructure without having to pay the ransom. Two, we're actually going after the ransomware syndicates through increased law enforcement activity, and then also by going after their money. So as an administration we have sanctioned cryptocurrency exchanges that don't have the kinds of controls that are needed and that are used by ransomware actors; we have seized cryptocurrency wallets that are used to process the proceeds from ransomware hacks. And so we're taking this on from all angles, and actually just about two weeks ago 36 countries convened at the White House for our administration's Counter Ransomware Initiative, so we're doing this together with industry partners and also with international partners in this fight.

Aruna Viswanatha: You mentioned cryptocurrency. I wanted to get your take: we've obviously seen, everyone's seen, the implosion of FTX this week and the devaluing of some cryptocurrency. What is your take on how all of that turmoil impacts the fight against ransomware? Does it make it potentially harder for criminals to access ransomware payments? Does it have any impact at all? They may not have been using FTX, but...

Rob Silvers: At this point I don't have a specific impact. It's too soon to tell, at least from anything I've seen, whether there's been an impact on ransomware from what's happened at FTX. But I will say that with respect to cryptocurrency, look, there needs to be an architecture of security and integrity around the digital asset ecosystem. There need to be rules, in the way that we have rules around other financial services, to ensure integrity. And I see it all the time, not just in cybersecurity, but we have a
variety of law enforcement missions at the Homeland Security Department, and practically any kind of criminal act or harmful act that you can imagine these days is being enabled by cryptocurrency. And so it's really important that we have, from the regulatory side, the right attention on it, and then also from the law enforcement side we are investing hugely in our capabilities to trace cryptocurrency transactions, to do blockchain analysis, and to try to trace it back to the bad guys or to seize the funds.

Aruna Viswanatha: So you have talked a lot about trying to improve the federal government's relationship with the private sector to better combat ransomware and other cyber threats. This is something the FBI and even the State Department have been talking a lot about. Can you describe what that relationship was like a year ago and what you would like to see it look like a year from now?

Rob Silvers: Yeah, look, our strategy with respect to working with industry is to move past sort of one-off meetings with companies and declarations of partnership, but then everybody going back and doing their own thing, and really get into a mode of real-time operational collaboration. I don't think we just need to lower barriers for work between the government and the private sector on cyber; we actually need to dissolve barriers. And the threat landscape is so sophisticated and worrisome that I don't think we need just sort of incremental changes. That's not how we're thinking about it in our work. We are making transformational changes to how we do business to work with industry, and I'll give you a couple of examples. So pre-incident, before incidents happen, and then during incidents, we've set up the Joint Cyber Defense Collaborative at our Cybersecurity and Infrastructure Security Agency, where companies, 30 or so of the biggest tech and cybersecurity companies, are with CISA and other U.S. government agencies. It's all housed at CISA, and they are
on Slack channels in real time exchanging information about what they're seeing: hey, I'm seeing this on my infrastructure, any of you seeing anything like this? Oh, these mitigations are working for me, you should try them. All in real time, informal, and that helps all the companies that are part of it, and then we can extract the best lessons, the things that we're learning from it, and push them out to the broader community of tens of thousands, hundreds of thousands of companies.

Aruna Viswanatha: And you're seeing a lot of uptick with the use of those channels?

Rob Silvers: Yes. So I mentioned the Log4j vulnerability. It was really, really effective. It actually all came together; that was sort of just a few months after we stood up the JCDC, and it was a really amazing proof of concept that led to CISA being able to put out authoritative guidance that was incredibly valuable to the entire information security community. After incidents occur, we've established something called the Cyber Safety Review Board, which we stood up earlier this year. It's truly public-private: half the members are all the federal leads for cybersecurity, and I'm really pleased to serve as the chair of the board; half the members are private sector luminaries in cybersecurity. And our charge is to review the very biggest cybersecurity incidents and do an authoritative fact-finding on what happened, and then lessons learned for the community. It's not about accountability; it's not about fines or regulations; it's just looking forward: how can we all do better? We did our first review this summer on Log4j. It landed really well with the community. We talked with over 80 companies that shared data and information with us, and we're going to be announcing our second review actually pretty soon.

Aruna Viswanatha: I assume you don't want to make any news today.

Rob Silvers: Stay tuned.

Aruna Viswanatha: What did you learn from doing that first review that will shape how you approach the next one?

Rob Silvers: Yeah, I think a couple of things. One is the appetite in the community for these kinds of
reviews is really strong. Historically, when companies have been hit by a cyber attack, this was missing from the ecosystem. No one was doing a deep dive to find out what happened for the benefit of the whole community. You often had the companies doing their own internal investigation, but that was for their own purposes. Sometimes you had a law enforcement or a regulatory investigation, but that was narrow, for its own purpose. This is to just get the lessons learned out on an after-action basis, so that's going to be really good. The other thing: when we did the first review the board was new; there was an element of building the plane as we were flying it. We did that successfully. We've now built up significant permanent staff, we have procedures in place, and so I think we're really going to be able to hit the ground running in a collaborative way with companies who share information with us.

Aruna Viswanatha: And you expect to be reviewing another cyber attack, or do you think you might broaden out to other types of incidents, tracing a disinformation campaign or anything like that?

Rob Silvers: I think cybersecurity is in the wheelhouse for right now of what we're looking at. That's really the charge that came from the president, who directed us to stand the board up in his executive order last year.

Aruna Viswanatha: Right. And on the disinformation front, we've seen a lot of criticism from both the left and the right of tech companies, social media companies, for either promoting disinformation or throttling accurate information in hopes of trying to suppress disinformation. You mentioned the Rumor Control website. DHS had to shut down the Disinformation Governance Board earlier this year over First Amendment concerns about that. What do you see as DHS's role at this point in the information ecosystem and trying to get at the problem of disinformation?

Rob Silvers: Look, disinformation poses a tangible and core threat to security. We have a role to play when it's within our
mission space, so I'll give you an example. After natural disasters you have all kinds of scams where people try to defraud survivors of disasters about how they can get relief benefits, where they can get water or supplies. And FEMA's mission, FEMA being part of DHS, is to take care of survivors, and if we're seeing disinformation out there about what survivors can do and what kind of benefits they can get, we're going to dispel that. Same with our southern border, our mission of protecting the border: if smuggling, if human trafficking gangs are claiming that they, for a price, can take people up and ensure that they get safely into the United States, we're going to dispel that disinformation. I think we would really be stepping aside from our mission if we didn't. So we're not the arbiter of truth. We don't tackle disinformation of any sort or kind; it's where it really has a tangible tie to a core homeland security interest, and always subject to very strict civil liberties, civil rights, and privacy protections.

Aruna Viswanatha: So at this point you view it as mainly trying to dispel misinformation about DHS's core responsibilities, and that's sort of the mission?

Rob Silvers: Correct, subject to very strict safeguards.

Aruna Viswanatha: Switching gears, you had mentioned at your confirmation hearing that one of the things that you would be focused on in your role is looking to the future and looking to competition with China and how to approach that. You've now been on the job a year and a half. What is your assessment of your role, DHS's role, in sort of planning for that?

Rob Silvers: Sure. So we have a number of roles actually that are relevant to China and threats coming out of China. So just clearly on the cybersecurity front, helping network defenders around the country repel Chinese state-sponsored cyber attacks, which can be done for espionage purposes, can be done to steal intellectual property, can be done to steal mass troves of Americans' personal data. We
also have a core interest in protecting American technology and critical infrastructure from falling into the control of the PRC government, of the government of the People's Republic of China. So we're a member of the Committee on Foreign Investment in the United States, which reviews all inbound investment for national security concerns, and we take that really seriously. We also are at the front lines of the mission of making sure that we're not importing into this country goods that are made with forced labor in Xinjiang province, which is really a scourge and a human rights violation of really historic proportions targeting the Uyghur minority there. And so that's our customs function at the port.

Aruna Viswanatha: And so that's become a big part of your portfolio?

Rob Silvers: That's become a significant part of my portfolio. The other hat I wear is as chair of the federal Forced Labor Enforcement Task Force, and we take that mission really seriously too. And so look, the relationship with China, the competition with China, is incredibly multifaceted. There's a lot of really pernicious threats to our way of life and our security that come from the vision and the direction the Chinese government is pushing that country, and DHS is at its post protecting the American people from that.

Aruna Viswanatha: I think we have a few minutes left, and I think we have some mics set up if we have any audience questions. I can't quite see, but is there anyone that wants to ask a question, or we can continue?

Audience member: Thank you. Thank you for your comments. The word that stood out for me in your comments was "very worrisome." Did you want to expand on that, in terms of how those of us in this room, and watching the event, and people in the country in general, what level of concern should we be applying to the threats on cybersecurity?

Rob Silvers: The highest level of concern that you can muster is the short answer. Look, with ransomware, for example, I mean, that can bring a company to its knees operationally in an instant and really pose an
existential crisis, Colonial Pipeline being really just an extreme but real-world example of the impacts. And so listen, we are absolutely meeting with CEOs, meeting with boards, and telling them this is no longer just an issue for the IT team; this is a core business issue, a business risk issue, and it's one that you need to take deadly seriously. And I think we've seen that message registered and heard. When you see these surveys of top boardroom concerns, cyber is virtually always right up there, and that's really good, but there needs to be more investment, there needs to be more focus on it. The CISOs, chief information security officers, are really stretched thin. They're often under-resourced; they're burning the candle from both ends between trying to build and sustain their information security programs and then also just being called upon in the middle of the night to respond to incidents. And they need the support of their leadership. So when I meet with leadership teams from companies, what I always tell them is, they ask, well, what can I do? I say, create an open environment for your CISO to tell you what he or she needs.

Aruna Viswanatha: How receptive have the boards that you've interacted with been to that message?

Rob Silvers: I think they're receptive. I think board directors and CEOs want to do the right thing. I think sometimes it's hard for them; they view it as a technical issue sometimes, and they're not aware of what they can actually do as non-technical, non-expert people in the field. But the point is, you hire the experts and you enable and empower and resource them.

Aruna Viswanatha: We have some others up here.

Audience member: Hi. Can you hear me? Hi, from Eagle Project. I have a question. It's great that we have lessons learned, but it's always after, and it's like we're running after the attacks, which is what we did, the best we can do, and it's great, everything that you're
doing. So I was wondering, would you consider, for the energy industry and the critical infrastructure of the United States, a dedicated wireless network just for that industry? Because it's open to attacks and it's a national security issue. And what would it take, in your opinion, to make that happen?

Rob Silvers: Yeah, thank you for the question. I have to think about the dedicated wireless network idea. I need to think about that. But I will say not everything we're doing is about chasing the last incident. CISA just released, about two or three weeks ago, something called the Cybersecurity Performance Goals, which are a defined set of the highest-impact security practices that any organization should be deploying to protect their networks, regardless of what industry they're in. And it's been really well received by industry. I think it's going to be very helpful in particular to smaller and medium-sized businesses that may not have the deeply resourced information security teams. It's also going to be really useful for reporting to boards and CEOs, as a way to measure: hey, how are we doing, where are our gaps, and what do we need to do to improve? So a lot of what we're doing is on the proactive side, enabling companies to defend themselves. At the end of the day, companies are customers of ours, and we need to be really customer-centric in terms of what does industry need to protect themselves, because that protects the nation. And so we are looking to what they need and providing things like the Cybersecurity Performance Goals.

Aruna Viswanatha: Sorry, I think we're at time, so thanks so much for joining us.

Rob Silvers: Thank you.

[Music]

...to the Aspen Cyber Summit: Eun Young Choi, director of the National Cryptocurrency Enforcement Team at the Department of Justice; Megan Stifel, chief strategy officer at the Institute for Security and Technology; and Heather Trew, counselor to the General Counsel for virtual assets at the U.S. Department of the Treasury. They're joined by Aspen Digital
senior director of cybersecurity Jeff Green.

Jeff Green: Morning, everybody. Thanks again for being with us. So we're going to talk a little bit about cyber crime, ransomware, cryptocurrency, virtual currency. Obviously cyber crime isn't new, neither is ransomware, but really over the past couple of years, summer of 2021, the intersection of virtual currency and ransomware was a prime public, and internal to the government, conversation. So today we're going to explore why that is, and what the government and the private sector can do to address the illicit use of virtual currency. So let's get to it. I guess the first question, Megan, I'm going to pick on you first: why are we talking about virtual currency? What's special? Is it really that bad? What brings us here to talk about it in a cyber crime event or cybersecurity event?

Megan Stifel: I feel like that, excuse me, until recently was the three trillion dollar question, but now it's a little bit less than that. So before I totally respond to your question, first, thanks very much for including us. I'm delighted to be alongside three former government folks, and I do just want to highlight the importance of civil society participating in this dialogue, and particularly, we're pleased to be here as a co-chair of the Ransomware Task Force, which we convene, which we'll get into in a minute. But no, so we are not here really to talk about what happened most recently, I don't think. We know, for example, that while the market cap of cryptocurrencies or virtual currencies is somewhere around 900 billion, that's actually really only two percent of the kind of equity market cap in this space, which is somewhere around 41 trillion. But we're here to focus on cryptocurrencies in large part in light of their decentralized nature and the challenges that poses to work on and secure public safety and public policy, and the role that these existing tools that we use to advance those initiatives by government and private
sector entities is complicated as a result of this pseudonymous approach to cryptocurrencies. We know, for example, that there was a report from Chainalysis earlier this year that illicit addresses received 14 billion over 2021; that's double what it was in 2020. But overall the volume of transactions in cryptocurrencies was about 15 trillion last year, which means, if you do the math, which I'm not always good at, that illicit addresses received less than one percent of the transaction volume. So why are we talking about cryptocurrencies? We're talking about them because they're the currency of choice for ransomware actors in particular, but also a large number of other criminal actors. Ransomware attacks: 98% of them demand payment in cryptocurrencies. And as you just noted, as we transitioned to work from home as the pandemic evolved, the number of attacks grew, and more attacks in particular on critical infrastructure grew increasingly, exponentially, and the scale and scope of this trend brought a number of us together to form the Ransomware Task Force. One of our key recommendations was that we need to disrupt the business model of ransomware, and one of the key ways that we identified to do so was to strengthen and further apply the use of KYC and AML measures by governments, know your customer; that there needed to be harmonization globally, and that the United States needed to lead an effort to advance this, among other recommendations that we made. So I think there was reference in the panel just a minute ago to the report that came out earlier this month: the Treasury reported in the first half of 2021 that a billion dollars likely was paid in ransom payments. So this obviously suggests that there is a real problem around cryptocurrency, which is, I think, this morning.

Jeff Green: So, Eun Young, can you tell us a little bit about your new unit, and maybe riff off of what Megan said about why you're there, and then by extension why you're here?

Eun Young Choi: Sure. I mean, I think that I agree with
everythingthat Megan was saying with regard to theneed to look at this issue morecomprehensively from our perspective thedepartment I mean we are open on 100plus ransomware variants early as youknow about a year plus ago in Aprilum the dag issued a memorandum itcreated the ransomware and digitalextortion task force and from there westarted to look and see sort of ways inwhich we could apply our existingauthorities to ransomware in a moreaggressive more forward-leaning way oneof the outcomes of that was obviouslythe seizure and Colonial Pipeline and wewere looking sort of holistically at theum at our cyber and cryptocurrencypractices and really realizing thatcryptocurrency in particular is verymulti-disciplinary in a way that itwasn’t at the Advent of cryptocurrencyearly days crypto the criminal activitywas really about Dark Net Market it’snow we see it in every single type ofinvestigation including obviouslyransomware and cyber crime and so theidea behind standing up the nationalcryptocurrency enforcement team was tobring subject matter experts from acrossthe department to be a One-Stop shop forall things crypto we do a variety ofthings including investigating andsupporting investigations on CuttingEdge digital asset technology use wehave a particular focus on mixerstumblers exchanges and platforms thatfacilitate a wide variety of cybercriminal and criminal activity writlarge including ransomware the idea hereis if you can sort of take out thosecenters that facilitate this type ofactivity you could have multipliereffects upon a wide variety of criminalschemesin addition we have uh you know we havepolicy experts we’re trying to think ofways to ensure that our authorities aregoing to meet the needs of new use casesincluding coming out of the PresidentBiden’s executive order some legislativeproposals and to ensure that we are bestpositioned to deal with these threatsand we’re doing a lot of capacitybuilding that’s both within thedepartment including standing up 
anetwork of 150 dedicated digital assetprosecutors the digital assetcoordinator Network throughoutthroughout the department in all of theoffices to make sure that when it comesup in any particular investigation youknow who to go to that you know to bestensure the use of tools andinvestigative techniques along withInternational Partners as well asinteracting with the private sector soit’s a lot of different things thatwe’re sort of focused on but I like theway that I like to say it is most of themajor cases in the last 10 years thatthe department has brought in thecryptocurrency space if the prosecutoror the investigator is still therethey’re on our team and so we reallyenjoy having an opportunity to workcollaboratively in the center ofexcellence in that regard and you’re allcrime not just cyber crime that that’sright we have experts that are cybercrime prosecutors myself my mainbackground of cyber crime prosecution aswell as white collar work we have peoplethat are money laundering expertsbecause obviously our view is Banksecrecy act anti-money laundering andknow your customer issues are very topof mind for the reasons that that Meganarticulated and we have folks that werethat we’re dealing with across theSpectrum so we liaise a lot with folksthat are dealing with fraud issuesthey’re dealing with National Securityissues we have a really broad network offolks that are working on these issuescollaboratively so Heather treasury sitsin a little different place you arethe legal and illegal uses so I suspectthere’s a little more balancing in termsof how you approach the intersection ofvirtual currency and crime and cybercrime General I don’t know if you couldtalk a little bit about how treasuryapproaches its uh many missions in thisareacertainly thank you for having me andit’s a delight to be with my colleagueshereum so I think treasury as you noted uhEYC was talking about a lot of the lawenforcement elements to the sort ofcombatingcombating crime and the misuse 
ofvirtual assets but I think treasuriesauthorities and responsibilities aresort of a little bit different not tounder you know are we’ve got veryimportant role in terms of the work thatirsci does and sort of the lawenforcement realm but the authoritiesand the responsibilities that are oftenthought about with respect to Treasuryand what we do or sort of is a specialtyregulator in the anti-money launderingBank secrecy act realm finzen ourfinancial crimes enforcement Networksort of serves that role they promulgateregulations they promulgate guidance Iwould be remiss if I didn’t put in aplug for their 2019 guidance about howsome of theBSA and anti-money launderingregulations and sort of registrationobligations apply in sort of the digitalassets ecosystem and also obviouslytreasury administers sanctions are ourofac office of foreign assets controladministers over 35 programs both sortof jurisdictionally based uh you knowlike our North Korea program and alsosort of activity and behavioraldesignations such as our maliciouscyber-enabled activities program whichhas obviously been very active so youknow treasury’s position of course isthat uh you know we’re we’re animportant player in the whole ofgovernment response to ransomwareattacks and we want to make sure thatdigital actors in the ecosystem are allbeing behaving responsibly engaging withtheir customers uh you know havingrisk-based approaches to BSA andsanctions compliance as programsto make sure that we’re not facilitatingeither malign actors or those whoprovide material support or otherwisefacilitate those malign actors youalways say you mentioned ColonialPipeline and some of the activity youall did after that I’m wondering if youknow Heather if you and UIC can talkabout some of the things the governmenthas done in the past 18 months two yearsnew approaches new efforts uh youmentioned you know what ofac or other ifyou can give some examples of the workthat has gone on you want to go first orum sure so I think another 
very criticalrole and maybe was also highlighted inthe report that treasury just issuedearlier this year is sort of treasury’simportant role in terms of informationsharing treasury gets a good amount ofinformation specifically you knowregulated financial institutions msbsmoney transmitters which can increasemsps money service businesses sorryum they all and money transmitters are aform of money service business and moneyservice businesses are consideredfinancial institutions for purposes ofthe bank secrecy act so sorry sorryabout the technical piece hereum but under the bank secrecy actregulated financial institutions whichcan include these crypto exchanges andother mixers and and can you explainwhat a mixer is in case folks don’t knowum certainly so there are somebusinesses that operate in the digitalecosystem that are sort of designed tobreak the chain of causality or to tosort ofanonymize transactions so you can’t justtrace on the public blockchain somebodyreceiving cryptocurrency to somebodysort of sending cryptocurrency outsidethere are services that specifically aredesigned to sort of take yourcryptocurrency maybe put it in a poolwith other people’s and then sort of thecrypto that taken out at the end is notnecessarily directly traceable and sortof the way that the blockchain works soponder it if you will launder it yes andfor the record treasury is very muchagainst money lawthat so she just broke news[Music]soyeah I think so I was just uh so yeah sounder the bank secrecy act uh regulatedfinancial institutions have obligationsto have compliance programs and theyalso have obligations to submit aso-called suspicious activity reports orSARS and there are sort of rules andregulations uh governing what what goesin a sar and you know fincen has somegreat guidance on their website so againplug for finson and their websitebut I think that with the SARS that’s abig source of data where you knowplayers in the world in the ecosystemidentify things that they think of 
assuspicious transactions and so thatinformation comes into fincen and it’smade available to otheroperators in the United Statesgovernment you know we work fincen worksvery closely one of their emissionsinvolves the support to law enforcementsothere are lots of way ways in which thatthat information can be sort of reviewedand used as part of the response to tothe ransomware epidemicUIC maybe talk a little about what do Jsure and I think pieces have done ourview is I’m following the money Trailthrough the blockchain is critical toall of our criminal investigationsespecially in the context of ransomwareand cyber crime over the past year or sowe’ve been have success in the area ofbeing able to trace the money backrapidly after a ransomware attack inorder to in instances in which thevictim companies have come forward in ain a fast Manner and allows us to sortof Follow that trail very quickly and sowe’ve had about 40 million dollars worthof seizures that represent payments madeby victims put in a very terriblesituation as a result of a ransomwareattack and you know they includesituations involving Colonial pipelineas we mentioned the group that wasresponsible for the cassaya attack aswell as nation-state actors in the formof North Koreans who are now usingransomware as one of the means wepresume to uh to to fund the uh fundtheir weapons of mass production programand avoid the sanctions regime that’sbeen put into place so you know that’sone thing that we care deeply about whydo we care about tracing the money wellfirst all law enforcement is in thisbusiness because we want to make surethat we protect the American public andwe make victims whole and in manyinstances as we can and so we view thatas of top priority second it’s key todisruption especially in instances wherethe actors such as North Koreans orRussian cyber criminals for instance areabroad and we may not be able to getthem in in cuffs in any in any um in inthe short run and third you know it’sit’s really key 
for actor attributionpurposes especially sort of marryingwith the question of anti-moneylaundering we still can’t live our livesin crypto you can’t buy coffee in cryptobuy a house and crypto really and socriminal actors need to find ways tocash out in instances where we havestrong anti-money laundering regulationsboth here and abroad we can use that asan investigative tool because those Fiaton-ramp off different places are ways inwhich we can actually get to have moreinformation about the people that arereally behind those transparent publicLedger transactions which we know thetransaction happened but we don’tnecessarily know who’s behind it unlesswe have those robust policies the Fiaton-rap and off ramp is converting toFiat or any dollar or pound correct Eurocurrency and that’s that’s a veryimportant Point too becauseif there are players in the digitalecosystem that aren’t regulated you knowcurrently in the role as a financialinstitution very often other importantroles are you know when somebodypurchases uh crypto in the first placewith you know Fiat or regular currencyor when they attempt to cash out so theycan buy the things that UIC was talkingabout and fincen has some otherimportant rules such as the sort ofso-calledtravel rule where if you collectinformation about somebody you knowmaking a transaction a suspicioustransaction or any transaction thatinformation has to travel with the moneyso that you can’t break the chain ofcausality and you know that just if wecould broaden the aperture a little bitbeyond ransomware to other types ofcyber criming the department also beingable to use those uh the informationfrom AML and kyc and policies that wereput into place we had two very largeover three billion dollar seizures nowthis year alone one relating to a hackof an exchange and the other one dealingwith a dark net Market attacks so I meanwe’re getting better at this I thinkwe’ve been working to build out our toolsetum in this regard and so we’re applyingthat not 
only toum to ransomware but to the broader uhto the broader questions of cyber crimeas wellMegan picking up on the doj thegovernment getting better where you sitnow at the ransomware task force thevisibility you have I guess kind ofmulti-part question do you see theImprovement and is it working or are weplaying a game a whack-a-mole andsecondly what is the role of whetherit’s RTFany of the other private sector how doyou play a role in helping at the frontend with victims and then withgovernmentsure so I think it’s easy for people tobe critical and say oh there have onlybeen four or five or two uh but I thinkwhat we really need to think aboutinstead is the rec to recognize thesuccess that this whole of governmentand whole of Industry approach has ledto in a very short orderum and it demonstrates what we can dowhen we collaborate what we now need todo is to scale that capacity so thatboth involves additional resources andand additional attorneys it involvesadditional folks within differentdepartments and agencies within thegovernment but it also involves buildingand strengthening existing relationshipsbetween this lovely public-privatepartnership phrase that we all cling toum what I think would boost this thoughto help it work even better in additionto additional resources is thinkingabout some of the guidance that you knowthe industry is always seeking isthinking about how do they reportaddresses should they report addressesdo they hashes of different transactionsthinking about the role of due diligencethat entities can play and givinggreater Clarity to that spaceum offering additional advice toexchanges and how they interact withmixers and recognizing the risk that uhhelping them inform themselves about therisks that we’re engaging with mixerspresentsand we really need to think about whatelse could help us thinking about againboosting this capacity globally tofollow the fat of guidance the financialaction task force guidance and apply kycand AML requirements to 
exchanges andother entities engaging withcryptocurrencies and other virtualcurrencies overall though what we needto do is to ask ourselves if we areleveraging every possible opportunity toenrich the information environmentare there gaps in the informationsharing space we were fortunateyesterday to publish this map of thecryptocurrency ecosystem thatarticulates not by entity name don’tworry anyone but entity type who isinvolved in this spaceum to really help we hope facilitate adeeper inspection and reflection aroundwhether or not there are gaps in thespace and then create opportunities toclose those gaps to really strengthenthe information environment because Ithink EYC just made a pretty clearargument for the better the moreinformation the government and theprivate sector has the more we’re betterable to combat these actorsum so where can we see the map uh it’son our website thanks for the plugum yes if you go to institutions forsecurity and technology.org you’ll findit um you know I think what’s the roleof the RTF the ransomware task force isthis uh group that that we werefortunate to convene last year uhbrought together over 60 organizationsboth public and private International aswell we had 48 recommendations thoseinvolved bothum working on hygiene so helpingorganizations Better prepare themselvesbut also looking at what measures thegovernment can take for example some ofthe clarifications that I suggestedlooking at whether and how we’re able toshare information aroundcryptocurrencies themselves and whetherthat’s within the scope of Cisco 15 ifyou really want to get into it butum we’re also really trying to helpstrengthen this public-privatecollaborationscale really I think is the name of thegame at this point and we we have anopportunity here to get ahead of whatwill come after ransomware and build thebetter build better relationships bettercapabilities re-examine incentives oneof our favorite topics to see how we canmeet this threat because ransomware 
willhopefully evolve excuse me die down butit will evolve into something else somenew extortion wear and if we can worktoday you know secure today what does itprotect tomorrow protect today securetomorrow that old sisa phrase um we’rereally trying to highlight that from ourvantage point in Civil Societyso you know UIC it canthere are a lot of different tools wellHeather as well the that the governmentcan bring to bear but criminalinvestigationscan take a long time to develop toideally get someone in cuffs but we’redealing a lot of times with withransomware with virtual currency withindividuals who are outside the U.Smaybe non-extradition countries veryunfriendly countries when you areworking together and balancing criminalinvestigative versus disruptive there’sa little bit of the disruptive terrorismaspect to it can you speak to what arethe considerations when you have anopportunity to just which way you’regoing to go do we disrupt now do we do along-term investigation for moredisruption you know have you had thosedebates internally like how do youapproach that sure I think theDepartment’s views are pretty clear onthat we had a comprehensive cyber reviewthat came out of the Deputy AttorneyGeneral’s office which I worked on in myprevious capacity at the department ourview is all tools approach is the bestway to deal with that that’s both withinthe department as well and when weevaluate what authorities we want to usein order to try to disrupt the threat aswell as sort of in the whole ofgovernment approach and there are a lotof things to balance I think it is truethat sometimes criminal investigationstake some time because we have to proveBeyond A Reasonable Doubt in front of acourt that this person is in fact guiltyand also get cuffs on in instances inwhich they’re abroad but that being saidwe have shown through things like thecolonial pipeline attack and the theseizure back that happened within amonth becausehappened in a very short period of timewe’re able to find 
things like decrypterKeys as part of our ongoing criminalinvestigation to help victims and thatand other irons and more situations aswell there have been instances in whichbecause we had ongoing investigationsinto these variants we could detect ttpsand malicious activity and go forinstance to a children’s hospital andtell them hey we think you may be nexton the list from this particularransomware variant there are instancesof success that exist where we’relooking at all of our tools not justsort of the traditional approach of acriminal trial and we work very closelywith our treasury counterparts I knowI’m missing a phone call right nowcoordinating with my friends over atfincen to be on stage here today if ifanyone thinks that we’re not talking ona constant basis not not just on theenforcement side where we’re bringingjoint enforcement actions or coordinatedenforcement actions with our regulatoryPartners at treasury SEC cftc but alsowhen it comes to things like sanctionsand other types of disruptive activitiesthat treasury can take in my view and Ithink generally treasury treasure wouldprobably agree with this Heather wouldprobably agree with this sometimes thetreasury tool will be more effectiveperhaps in the short run to send amessage about this particular type ofcriminal activity especially if there isa strong U.S Nexus in other instancesand I think as a general rule it’s bestif we can go together and coordinate andjointly sequence our our tools formaximum disruptive effect there could becircumstance in which treasury couldtake an action and then we can look atreflections of how the criminal actorsare working in response to that treasuryaction to help build our criminal caseand find Opportunities to seizeinfrastructure or funds at the back endand I think that’s the type of model wereally want to be working towards we’vebeen working very hard over the pastyear or so to get us to a moreforward-leaning posture I think staytuned to see more of that work to 
comeHeather oh and I agree with everythingthat EYC said about the you knowoutstanding and always uh looking to youknow improve our coordination I think wedo an excellent job and we’re alwayscontinuing to to do more in that realmum but yes the sanctions we’d be remissand not mentioning sanctions there arecritical critical action they’readministrative andum you know I think one way they havebeen referred to uh is sort of applyingthe financial death penalty todesignated uh persons or in some casesjurisdictionsum once ofac sort of puts anadministrative record together toidentify that somebody meets certaincriteria in those 35 over 35 programsthey can list this person on the sdnlist and not only can they list theperson they can list sort of associatedidentifiers I think is is ofaxsort of term of art for it but that thatcould include you know addresses and itcan also include things like uh likewallets uh virtual currency wallets andthey’re like over 150 I think now on thesdn list sdnum sorry especially designated Nationalswhen somebody has been designated theythey are put on the specially designateduh National and that’s the financialdeath penalty you were talking aboutthat’s right and soum you know everybody in the U.S one ofthe things that’s sort of I always thinkis very remarkable fincen has thisimportant critical mission to sort of bea specialty AML anti-money launderingBSA regulator and ofac which means thatfinancial institutions have to payattention to all these rules but ofachas a very critical mission of you knowputting people once they’ve designateduh persons and sort of executed thepresident’s foreign policy objectivesand guidance hereit’s the responsibility of everyone youU.S persons that are subject to U.Sjurisdiction to comply with ofacsanctions so it’s not just financialinstitutions it’s everybody and so Ithink as EYC was saying when whentreasury takes an action and putssomebody on this list which again ofacis super agile and and very hard workingand 
they’ve they’ve had just a realexplosion of workum you know they think they’ve done overmaybe 11 sort of digital assets relateddesignations and you know not that notnot only hurts the person who is beingput on the list who as you say may notnecessarily themselves be subject toJewish jurisdiction but it means theycan’t transact with anybody who’s eithera U.S person or is you know subject tous it should be any U.S Bank Etc exactlyMegan four go to the audience I’mcurious from the RTF you’re all thevarious life and job experience you’vehad do you have thoughts on as you’rebalancing how the government shouldbalance the designation sanctionimmediate Impact versus the time toinvestigate you know the the allegedCasey actor was I believe extradited andand brought versus other actions do youhave thoughts on it or is it really itdependswell I was a lawyer um uh so I I’m gonnago with the it depends answer I’m sorryto disappoint everyone yeah four lawyersup here uh I think we do don’t tellanyone too lateum I do think it depends I think what asI was saying I think what we need to toreally work towards is better scalingthose it depends answers or analysisumit’s it isum I think not fair to be sort ofplain about this to sayinvestigations take too long there istremendous amounts of information thatcan be gleaned through thoseinvestigations but as EYC said a fewminutes agoum it is an incumbent and critical forvictims to talk to law enforcement andthat is not a popular thing for mostpeople to want to do because they areworried about the implications for thatum but we can’t make progress here wecan’t prevent further victimization ofthe victim themselves or other victimsif we if we as a society and enable thecapabilities not only of the USG but ofour partners and allies soumbeyond that I think we need to to be theum you know we need to continue to thinkabout our role in the global communityand we need to leverage our ability tobuild capacity to recognize that this isnot a threat only 
for today and not onlyfor Western countries but it’s really athreat globally we put out a map overthe summer that depicted a change fromthe the map that we put out in ourreport last year and you can see theflow of ransomware and the impact ofransomware expanding around the goloopand so that we also need to recognizeand leverage our ability to buildcapacityto manage the ransomware risk which willalso help us then manage the cybersecurity risk at a global scale sosanctions can be a critical tool in thattoolbox as well and one of the thingsthat we I think hopefully made a goodcase for in the ransomware task forcereport was this idea of 10 10 Solutionsum this idea that we can really bringall of the tools to bear and what wereally as I sort of said a few times nowis we need to think about how can webestmove on that score quicklyand the role that the private sectorplays is really essential I think tothat space I do look forward to seeingour government but other governmentsreally moveexpeditiously tobe go beyond the sort of public privatepartnership and really think aboutintegrationum and doing so in a manner that we inour for our cultural values and ourDemocratic Valuesum can be preserving of which means thatwe’re thinking about as EYC said alsoyou know we’re working to protectvictims we’re working to bring Justiceand we were doing so in a manner thatprotects civil liberties and privacy andadvancesum human values of Human Rights so if Icould just make one point about victimscoming forward I say that generallyabout all digital asset related crimesbut also specifically obviouslyransomware it really is important for acomprehensive threat profile and we needto understand how these actors work it’simportant for investigations in order todo things like seize money finddecryptor keys do other types ofdisruptive activity writ large and Iknow sometimes it’s a little confusingwhere to go I would say you can go toany federal law enforcement partner ordecisa leave it to us to figure 
outwhere that information should go we havethese systems set up in order to be ableto facilitate that type of informationsharing and to the extent that companiesare concerned aboutreporting to law enforcement I wouldencourage you to read the statementsfrom the case CEO about his experiencesand the company’s experiences dealingwith the FBI in that instance I think itwas a very good and fruitfulrelationship and we strive to have thattype of relationship with all of ourvictims these are victims not they’revictims that victim the only reasonwe’re in this game is to protect theAmerican public and to and to try tomake it that is that is your view thegovernment’s view when they come in thatwe’re we are talking your it is a victimwewe’re from the government we’re here tohelp yes I mean otherwise I would nothave devoted my professional career tothis job so yes so uh let me take aquestion so I’m I’m going to repeat itback just to make sure our guests onlinecan hear soumit’s bright I’m trusting someone to yeahI don’t know I think this question isboth for uh Department of Justice andDepartment of Treasury there are a lotof cyber security regulations that applyto the victims uh financial institutionsHealth Care organizations that takefederal funds uh defense contractors andthe dojs announced the Cyber fraudinitiative and how do you balance andwith ofac you also have access to thevictims or Communications with thevictims how do you encourage the victimsto communicate the law enforcement andat the same time you’re threatening themwith regulations and civil prosecutionsif not criminal prosecution so thequestion was a lot of the victims haveregulatory obligations from variouswhether critical infrastructureotherwise asking them to come forwardhow do you balance the potentialinvestigative results of ofdisclosing a violation versus the needto help so if I could address thatquestion from the Department of Justiceperspective with regard to the Civilfraud initiative that you are 
talkingabout that initiative is very specificwith regard to instances which fendersor people that have contracts with thefederal government have specificcontractual obligations to do reportingon significant cyber incidents and thenfail to meet that particular standard soI think it is a specific situation whichwe’re making sure that our contractualthat contractual obligations for thegovernment to ensure that its systemsare safe are met and I think that is thesort of reason for that initiative it’sa little bit different than the broaderquestion that you’re asking about how dowe encourage victims writ large to comeforward and in that instance I would sayyou know our view is especiallyespecially in the ransomware contextwe’re here to support the victims firstand foremost oftentimes there are issuesthat come up with Regulators forinstance but we’re in communication withthem and they will often ask us sort ofwhat was the level of cooperationinvolved with law enforcement as part oftheir assessment as to whether or notthere should be civil enforcement atissue and similarly and and I thinkHeather could speak more about thisthings like sanctions enforcement I knowone of the things that victims ofransomware in particular concerned aboutis if they make a payment or considermaking a payment are they going to be inviolation of ofax sanctions and whatdoes that mean about their capacity tocome forward I will say it’s Departmentof Justice position that we’re not inthe business of Prosecuting victimsthere are specific guidelines withinofaxGuidance with regard to this particularquestion that says one of the thingsthat they will take into account fromtheir perspective is how quickly thevictims came to law enforcement andworked with law enforcement andsimilarly we think that in a situationin which a company is forward leaningand trying to do it’s best to bothreport for themselves and also for thegreater good of other potential victimsthat are out there that will take thatassessment 
into account when trying tomake a decision about whether or notthere’s some uh you know criminalenforcement at issue I’m not aware ofany instance in which that’s occurredbut it was updated guidance on thisspecific issue in the past year correctthat’s right exactly I think the maybethe best answer to say is that you knowcertainly the way that these programswork there are regulations that apply toanybody in terms of uh you knowtransacting with somebody who’s adesignated person having said that ofachas pushed out important guidance aboutuh you know what to do if you’re avictim here you know I think I would beremiss if I didn’t say in all instancesif there are any questions about what todo you can always call ofac and askbecause ofac is has got a very robustyou know public engagement on this andyou know I think reaching out to ofacone can always you know ask for specificlicenses for example which would be sortof a temporary authorization to be ableto do engage in a transaction that wouldotherwise be prohibited you know I wouldalso just say that as as EYC pointed outsort of our published enforcementguidance notes thatum you know there are a lot ofmitigating factors that are consideredas you know ofac looks at a range ofthings to do in the event that somebodyyou know does knowingly or unknowinglyviolate the sanctions regulations andyou know there are certain non-publicyou know actions that that ofac can takeprivately that aren’t sort of civilenforcement actions they don’t you knowinvolve levying a fine there are alsoinstances in whichyou know I can also just point to thefact that that ofac and fincen both haveprioritized taking enforcement actionsagainst you know real bad actors youknow I think the the cryptocurrencyexchanges that are you know launderingillicit fine you know illicit funds thatare the the fruits of you knowstate-sponsored hacking that’s thatthose are the people that that ofac andfincen are going after yeah I see rednumbers in front of me so 
unfortunately we have run out of time. I want to thank the three of you for all the work you have done to help keep us safe and for the time today, and hopefully you can get the notes from the call that you missed.

Let's hope so. Thank you all.

I'm Christopher Ahlberg. I'm the co-founder and the CEO of Recorded Future, and as we get into the panel I'm going to say a few words about Ukraine and intelligence. I like to say that when it comes to oil, good intelligence about the price of oil might be more valuable than oil itself, and I think we're now at a point where intelligence is not just guiding bullets; intelligence might be the bullet in itself. The world is becoming internet-centric, and as we see here now, war is becoming internet-centric. At the beginning of the war I sat in a room in our office in London with a very senior government official from Ukraine. He was showing me on his iPad movie clips that they were putting together, high production value movie clips, to turn Russian soldiers, that they were putting on download sites, music sites, porn sites, to be on it. And it just told me this war is becoming internet-centric. This is a new world here.

We had worked early on, at Recorded Future, in this sort of convergence between cyber security and warfare and disinformation, and that was sort of our raison d'être, and so when we saw the war break out on the 24th of February we were like, this is our time, we have to help out. So we declared loudly our support, probably as loudly as we could without sending a postcard to Dear Mr Putin, and sent out our digital emissaries, and were then able to put, by now I think, nine different agencies in Ukraine on our intelligence platform. What's been pretty interesting about this is that we've been able to do a lot of intelligence sharing and collaboration. For example, right at the beginning we helped CERT-UA do a government-wide scan, sort of a CISA Shields Up-like scan if you want, across the entire Ukrainian government network, and found 10 very critical holes in it that the Russians could have taken advantage of. We helped CERT-UA likewise find holes as it related to Starlink and how they were communicating with that. We worked with NCC, their cyber coordination center, on finding issues around critical infrastructure, and the Ministry of Digital Transformation, helping them find disinformation campaigns regarding the bio labs, and a series of these sorts of examples. What I find compelling here, though, is maybe not so much the intelligence sharing. That's interesting and it's good, but what really ends up being interesting is how we can work together to share tradecraft, to teach them how to fish, not just provide the fish. And that's how I think we can actually help Ukraine crush Russia, if I may put it that way.

So I'm going to introduce Dina Temple-Raston, who's the moderator of the panel. Dina is the executive producer of the Click Here podcast and she's also a senior correspondent for The Record by Recorded Future. Dina.

Thank you. Good morning, thank you for coming. You may know my name from NPR, so if you feel more comfortable just closing your eyes while I talk, I understand. It's dark, so I can't tell. So let me introduce the panel to you really quickly. To begin with, we're going to start with a discussion about cyber lessons that we can draw from Ukraine, so we have a panel that can hit it in a lot of different ways. First we've got Mieke Eoyang, the Deputy Assistant Secretary of Defense for Cyber Policy at DOD. I feel like we should applaud or something. All right, thank you. Then we have Oleh Derevianko, who is the Chief Vision Officer for ISSP, which is a Ukrainian cyber security company. And last but not least, Gary Steele from Splunk, which is an analytics-driven cyber security firm. [Applause]

Okay, so, Oleh, I wanted to start with you because I wanted an all-Ukrainian panel and I only got one Ukrainian, so I wanted you
to tell a little bit about what we might not be seeing, just from a human level, on what is going on in Ukraine right now. We know the electricity is out, we know that it's a tough slog right now, but what is the thing, when you see us reporting about this, that you think everybody's missing?

Well, that's a hard question, because first, probably this is the first, maybe not the first war, but maybe the first of that scale that actually you can watch live, almost like a reality show, unfortunately. But maybe what you don't see is that part of the resilience of Ukrainian people is the mood they have, the humor, the way they laugh, the way they joke, and the way they support each other in every single moment of time, not just when something bad happens and then there's an action needed, but also in small conversations, in anything that needs to be done, in different ways. So this is really... I actually very often have been asked for the last several months: what has changed for you since the beginning of this full-scale invasion? And I said, operationally almost nothing has changed, because we have seen all those waves of cyber attacks before, and they were at scale. As well, if you go back to 2015, 16, 17, even from 2018 to 2020 there was a five-time increase, at least in the number of attempts, not in the culminations of course. So operationally almost nothing has changed for cyber security service providers, but of course what has changed are all these different other constraints and pressures, like logistical, especially the first two months, a lot of logistical issues, and how you deal with families: who is going to be relocated, what you do with, because there are also the men and women in your company and you need to... I mean, lots of all these different things that you are not prepared for, that you didn't have in your formal business continuity plans or so. So it was kind of action from scratch, on the go, that was needed, and very quick decisions and so on.

Right, and that's sort of what I wanted to get to more broadly on the cyber sphere when it comes to lessons learned from Ukraine. We just dropped an episode of Click Here in which we looked at a collaborative of companies known as CDAC, Splunk is part of it, that is basically helping various companies build that resilience in Ukraine. One of the things that Mandiant hadn't been prepared for with Naftogaz, which is the major oil and gas company there, was that they seemed to be seeing these insider threats, and they couldn't understand, because the perimeter of the network was closed, and yet credentials were still getting stolen and wiper malware was still showing up, and they were wondering, well, how are they getting through? It turns out that as the Russians were advancing in different cities they would actually take over data centers that were Naftogaz data centers, so it looked like it was an insider threat because of that. So what the Ukrainians did is they would start to call their supervisors and say, I'm leaving now, and they would cut off their access, and then the insider threat...

That was the case not just with Naftogaz. There were other companies that, when the Russians took some territories, occupied some territories, of course they immediately got access to the branches of those companies, and it related to telcos, to banking and so on. And many of them, of course, even if you cut a certain segment of your infrastructure from the other network, they still have access to the machines, right? So they still can learn a lot, and it makes further attempts and further attacks a little bit easier for them. But frankly, those attacks that we saw, because of course there was a huge increase in the number of attempts, it always, you know,
tricks you, how you count cyber attacks. President [unclear] just recently said [unclear] that there were 1,300 cyber attacks, but of course it depends how you count; the [unclear] that you said was 166. So it's really whether you count all the network activity, or we just really look at some attacks that evolved. But those attempts on Ukrainian critical infrastructure, in most of the attacks that actually were culminations, the intrusion didn't happen during the period of war; it was definitely before. In some cases, if you remember, there was a big wave of cyber attacks in mid-January this year and also December and October last year. Sometimes when you investigate the attack, your earliest event is the one that you can actually detect and trace back, right? So in some cases we clearly see that the intrusion at least happened in January, but it doesn't mean that... it could be easily that it happened before. And what we see also, what has changed recently, even for the recent months, even if you compare this third quarter to the second or first quarter, is that Russia is not hiding anymore. So if you look at those attacks back in 2015, 2016 and all those years, you typically would see that C2 centers, command and control centers, would be located, I don't know, in the Netherlands and France and the States, you name it, but now we have many of the attacks just coming directly from Russian IP addresses. So they don't pretend anymore that it's not them, right, as it was before.

And was that all...?

Oh, well, I mean, we are cyber security defensive companies, so frankly, in our philosophy we don't care where the attack comes from. We think that's the responsibility of law enforcement people; we can help them with some evidence if they need, but our goal is just to protect the assets from those cyber attacks, to detect as early as possible and to respond. So from this perspective, basically we don't pay too much attention to that.

So, DOD, Mieke, what kind of lessons do you feel that it's internalizing now that we've watched a war unfold for nine months, that is the first full-spectrum war that we've really been able to see?

Yeah, this is a really important conflict for us in the Department of Defense to understand, because what you're seeing is a cyber-capable adversary bring those capabilities to bear in the context of an armed conflict. One of the things that we're seeing is that the context of the armed conflict dwarfs the cyber impacts, when you think about the physical destruction relative to the cyber disruption of what happens here. Things that Russians tried to disrupt via cyber did not have the strategic impact that they wanted, and they sought to destroy those things physically. It has had a visceral impact on a lot of people. When you think about cyber security as a risk-managed exercise, and if one of the risks you are trying to manage in the context of that is armed conflict, you have to think very differently about what you are dealing with. So when you think about the cyber security of data centers, for example, it's not just about patching and closing those things; it is about the physical security of those data centers, it is about whether or not those data centers are within the range of Russian missiles. Ukrainian colleagues that I had the privilege of meeting with had a very different physical and visceral reaction to data centers that were above ground than I think they would have had prior to the conflict. So I think we have to think about it very differently. When I think about the four big categories of things that we, the Department of Defense, have to think about in the context of armed conflict: we have to make sure that we are thinking about secure communications, government to government, how our communications with Ukraine have helped enable
their defense through intelligence sharing, other things. How do we make sure that those networks are secure? How do we make sure that the Ukrainians are able to continue secure communications with their forces, as we've seen Russians trying to disrupt that; the ViaSat hack is part of that. We also now have to think about what it means for Ukrainians to be able to continue to communicate with the world, because the ability of average Ukrainians to tell their story on TikTok, on Twitter, on Facebook, to share video of what has happened to them, has denied Russia the information environment that they want to prosecute this conflict. And you can see Russia trying to take away from Ukraine the ability to control its own fate and its traffic by trying to reroute traffic through Russia as they take over territory. The last thing is how do we ensure that they can continue essential government function, as you look at attempts to destroy the kind of essential data that makes a country a country, such as passport records, birth records, property records, as you see Russification efforts happening in occupied territories. What do governments need to be able to continue to operate their essential functions? As we think about that at the Department of Defense, those first two things are things that we have a lot of expertise in and can help countries deal with; some of those other things are new to us and are part of whole-of-government efforts. But I think that we have to think very differently about how we think about armed conflict and cyber in light of this conflict.

So of those four that you named, was any of the four more surprising than the others?

I think that this is really, as Oleh said, the first conflict that we're seeing where the ability of people to tell their stories, their experiences of armed conflict, is very different, and the information space here is a very different environment than what we've seen before. But I think that all of these things in their own way have different impacts. The other thing that I would just add that is different about this conflict is that there is a tremendous influence of non-state actors, both the private sector's assistance to Ukraine, but also individuals who are not wearing the uniform of any particular country who are coming to the assistance of one side or another. And I think that it will take us quite some time to figure out what exactly the impact of those non-state actors was at a strategic level.

They all volunteer, the IT Army of Ukraine. I want to come back to that. I want to give you a chance to get in here, Gary. Can you talk about the role of analytics and intelligence analytics in this kind of environment? Because, I mean, I understand it now, but it took me a while to understand that, for example, seeing something in GitHub that belongs to a particular company is actually a real problem, because the Russians can find it. Could you give us, without naming companies or anything like that, sort of a specific example of the role that you're playing?

Yeah, I think at a very simple level, security has rapidly increased to become a data problem, simply because the attack surface is now so large. It spans the entire software development life cycle, it spans the entire perimeter network, it spans everything going on within an environment, and so what has happened is you need rich data analytics just to figure out what the heck happened. And so, in this world where data now is available across all these systems, you can then do rich analytics that then help inform what actually happened. And so, when you were giving examples earlier about the role that Mandiant was playing in Ukraine, underlying all of this is a rich data environment that's being used to determine where did the intrusion come from, what actually happened. And so what we see today, and one of the reasons we participated in this joint collaborative, is to provide these capabilities into this environment so that people can help make those decisions.

So what you're saying, it sounds like
it would apply in peacetime as well.

Of course, right. So you have every single day...

Yeah, so how is it different in wartime? Does it just sort of raise the urgency of it, or is there actually a different way of utilizing it?

No, it just raises the urgency of it. It's not a different way of using it. And I think one of the things that we recognize, as you look at this event that has happened, is how do private sector companies like a Splunk come together as a collaborative to create some value? And it's hard to do this, and I think that this is a good example: can we build an apparatus where, if events happen in the future, we as an industry can come together to deliver value? While we've had very good experience working in a private-public arrangement with the US government through JCDC, I think this broader apparatus for supporting events like this is something we need to learn from.

Right, and cyber defense assistance has to be part of a broader sort of basket of things it does, and there's no real apparatus to do this, right? This came together through some leadership from some specific individuals.

People decided to take matters into their own hands.

That's right.

No, that's right. So let's talk. We were all guilty of making some, in the early days of the war. We actually thought about going; the Click Here team was going to go to Ukraine, and we were worried that if we got there they would cut off communications and we wouldn't be able to file. And I think most people thought the electrical grid was going to be attacked in a big way, not just kinetically but from a cyber perspective. So I wonder if each of you can talk a little bit about the assumptions about cyber and its role in war. What assumptions have changed now that we've had nine months of on-the-ground knowledge? And I can start with you, if you want, or if you're mid cough drop...

No, thank you, yes, I have a few cough drops. Look, I think as we look at assumptions that have changed, I think there were a lot of assumptions about how intense an effect Russia could deliver in Ukraine, given our history of the 2015 and earlier cyber attacks against Ukraine.

And this is just to explain: BlackEnergy, which attacked the Ukrainian power grid, and what was it, half a million people lost power for about six hours.

Yeah. And so I think we were expecting much more significant impacts than what we saw, and I think it's safe to say that Russian cyber forces, as well as their traditional military forces, underperformed expectations. Some of that I think has to do with a sense of how long preparation takes in cyber. As you look at that Microsoft report, you see that the Russians had a lot of cyber attacks and activity in that first week, but in the second week activity really dropped off, and then they come back again. What you see in the data is the fact that Russia was not prepared for the conflict to go on as long as it did. And so when they had to come back quickly, what do they come back with? Do they come back with the intensity and sophistication of attacks that might have come earlier in the conflict? As we think about cyber, there's a wonderful article by a Swiss researcher called the subversive trilemma, that talks about three factors: speed, intensity and control, and these factors play off against each other. So you're all familiar with the tech one, right: good, fast, cheap, pick two. Speed, impact, control, pick two, right? And so if you want it fast, then you're trading off between intensity of effect and control, and if you are trying to avoid spillover, say because you're trying to avoid embroiling NATO in a conflict that you don't want them to join into, because you can barely hold your own against Ukraine, then you might have to lower your expectations for intensity. So as we think about these things, if you want it fast you might not get as intense an effect as you want, or you might get an uncontrolled effect. If you have a lot of time you can trade
off these other things. How we think about the factors that matter in cyber as an offensive tool in conflict, I think, is something we have to understand: how those factors play against each other, and when we have to make choices, how we compensate for the fact that you can't have everything as fast as you want it.

Okay. What do you think?

Well, first of all, I think that there were some assumptions that were wrong all the time, and the core assumption that was wrong all the time is that technology is the decisive factor in cyber security. Of course technology is essentially important, but you can give this platform to different people and they'll have two different results with all the same data. So it's really the question of the quality and capability and skills of the team, and it's about the alignment of the strategic cyber security operations and then technical cyber security operations and non-technical cyber security operations within the company. It's about the operation, how you operationalize cyber security, and not just at enterprise level but also to your whole supply chain. So we in Ukraine, I mean, it's great, I admire all those initiatives that currently help Ukraine, provide technology and so on, but Ukraine somehow lived all these years before February 24 and has been improving in cyber security in so many ways. And where did it happen? It happened at the organizational level, because cyber security happens at the organizational level; that's where you actually detect and respond. And of course, very often we just see the difference between a company where the CEO has enough engagement in the cyber problems, and vice versa, a company where the CEO is completely detached from cyber security issues. And I think that in the future as well, and we, for example, as ISSP, we always were thinking, how can we help our clients when they don't have budget for expensive technologies, they don't have enough qualified team, and so Ukrainians at all levels, both on the side of the service providers and on the side of the asset owners and operators, had to be very inventive and creative. They had to create tools that enabled all the detection and response even before some technologies arrived in the country. And I think that this is really... cyber security, before and now, and definitely for at least some continuous future and foreseeable future, is really a matter of how you unlock this power of computers and people working together for the best result.

And having the urgency not just be for the CISO or the CEO but everybody all the way down. I mean, that was what was interesting about Naftogaz: you had somebody who never really probably thought about cyber security calling a supervisor and saying, okay, they took my computer at the border.

Yeah. I'll tell you that in some companies in Ukraine, responding to an incident, there were automatic features: when an incident happens, a person gets called or receives a message, and there's a very automated way in which the person confirms whether he did it or not. I mean, there are a lot of different ways you can do cyber security at an operational level without too much tech, without too much investment and without too much cost involved. A lot of things are really in the processes, at the process level, at the management level, the governance level, and education. Yeah, and technology is here; you definitely can't do anything without technologies, but it's the way you use this technology, and how you use this data, and how deeply you go. A very quick example, if I may say.

Yes.

One of the significant attacks against one of the telcos, not the ViaSat one, everyone likes to talk about ViaSat, a different one.

They have friends with... rhymes with...

No, no.

Yeah, no, no, they had some public communication about it as well.
It's Ukrtelecom, who actually operates the fixed lines and all these kinds of communications, right, so the internet service provider and fixed lines operator, including all the lines for government communications. And of course many of their facilities were in non-occupied territories and so on, and they faced some significant attacks, and in one of the cases, okay, they get some notification from Microsoft that Microsoft noticed some malicious activity on some of the endpoints. Okay, what's next? Next, the team has to respond to that, right? And it's the quality of response of this specific team, with all available technologies, that actually helped them, and ensured they showed tremendous resilience. The CEO was involved; he was available for a call day and night if you needed to enforce certain decisions within the organization, because it's also technological networks, it's not just the IT networks. And they were able to prevail, and although the attack was quite significant, they recovered very quickly. And also why? Because the team was hugely mobilized; people would just work day and night, and they didn't have any spare resources except their service provider. So that's really a matter of the teamwork, the skills and the level of managerial attention to the matter.

Do you want to talk about assumptions, Gary?

Say that again?

Do you want to talk about assumptions?

Yeah, I think, just really quickly, the one set of assumptions going in was that we anticipated more reverberation to multinational US companies that had presence in Ukraine, or presence broadly across Europe. I think everyone still is on high alert, because no one really knows what will happen, but we assumed there would be more downstream impacts on large multinationals dealing with the fact that they either had employees or operations in Ukraine, and that there would be spillover and cyber events for those particular companies. Frankly, it's been relatively quiet, which is a good thing, but I was at a dinner with CSOs the other night and people are still on high alert. They need to be; they need to be very thoughtful about what's happening in their environments, and we don't know where this goes. I think we wish it was over; it's not, and I think in the industry we all need to be supporting all these organizations that are dealing with this as an ongoing threat. And so I think we had assumed there would have been more reverberation. Right now I think we hope that it's not going to be, but I think that's the question of the hour: where does this go from here?

Yeah, Dina, on that point, I think President Biden was very clear with his counterparts about issuing deterrence messaging about how we might view attacks on US and allied critical infrastructure, and I think they've taken that seriously. But that doesn't mean that that messaging is sufficient, and so the Shields Up exercise that DOD, DHS and other interagency partners have been engaged in, to try and make sure that industry is on high alert, that we are sharing in very novel ways the indicators of adversary activity to try and help people prepare and enable better private sector defenses, this is a really unprecedented effort on behalf of the US government at this time, in light of the threat. I do think that we are seeing what happens when Russia is forced to make choices about how it allocates the cyber capacity that it has. I don't think any of us know what the escalation calculus is going to be, and at what point we might be having to really think about attacks on US infrastructure, but it is really important that we are taking all the steps that we can to prepare for the possibility of that, to make ourselves as hard and resilient a target as we can be throughout the United States. And I think we've learned a lot of really important lessons. NSA, as part of DOD, has been working with DHS very closely to try and make sure
that the kind of adversary activity we see is pushed out in useful ways to industry, which I think is culturally very different than how the NSA has been in the past. And I think we are learning a lot about what it means for the Defense Department to engage its defend-the-nation mission in cyberspace, and how we can better enable others to defend, so that we, the Defense Department, don't have to be on all of those networks.

Well, also, wars have a way of focusing minds, right?

Can I add something? That's really important, because I think we shouldn't underestimate also the way the decision making is done by the Russian agencies who wage cyber attacks, or who control the proxy groups that wage cyber attacks. Let's just assume the question: what would you prefer, if, as a Ukrainian company and so on, you have an adversary inside your networks and they're able to read your emails, they have access to your network, they're inside, but they stay quiet and stealthy and just get access to data? Or would you prefer that they trigger the culmination phase of the attack and you kick them off and so on? And I think that in many cases what happened in Ukraine during these past months is that maybe somehow somebody within the Russian agencies just needed to show that they can do something, and they sacrificed their presence in certain networks for the sake of showing that they're actually fighting, right? Because they also need to report to the chain of command upward, and they kind of need another... what are you doing, okay, so wait, a year ago... So that's also... and there's always a chance, I mean, when the next major security breach comes, and what's the next major zero day, what's the next major... So it's all the questions, so it means that we just need to keep going and keep improving our cyber security systems. It's not over.

I don't know if anybody wanted to ask a question. We have a couple... we have time for maybe one or two, but it's hard to see if anybody... I see a waving hand on this side. Somebody will bring you a microphone, I hope. And... maybe not. Oh, there it is, okay. If someone could raise their hand, we'll bring you a microphone. There we go, up here in front, sir, please. Thank you, oh, that makes it so much easier. Okay, everybody stay, yay.

Okay, yes, a question relating to current escalation or changes in tactics of the conflict right now. Given that we can see that Russia's tactics have changed to direct kinetic attacks on critical infrastructure, is it reasonable to expect those effects...?

So I don't know that we can assume that that's what's going to happen. I think that the question of what we call horizontal escalation into things that are not currently this conflict, that's a big decision for the Russian government to undertake. But that said, because cyber is a risk-managed exercise and it takes time to prepare, it is very important that everyone is closing all the known vulnerabilities that they have, doing the patching, doing the basics, making sure that they have resilience plans now, because I don't know that anyone can say with certainty what would happen next.

Another question, this gentleman in the white shirt, do you see him, sir? He's subtly waving his hand, but...

One of the things that was mentioned earlier but we didn't get a chance to discuss was the very effective organization by the Ukrainians of tens of thousands of activists around the world to target Russian targets, known as the Ukrainian IT Army, and the IT Army of Ukraine's very effective use of Telegram. Could you comment on the implications of that for US national security in the future? Because, as Christopher Wray, the director of the FBI, commented in his testimony to Congress early in the war, it doesn't bode well for us that we have to think about defending ourselves in the future not just against foreign adversaries but also against potentially citizens targeting the
United States, and mass cyber mercenaries, if you want.

Yeah, I think this is one of the assumptions that those of us who work in traditional theories of armed conflict have to understand is different about cyber. Whereas in regular warfare offensive capabilities are held as a monopoly by the state, right, you don't have a lot of non-state actors who have theater missile defense systems or theater missile systems, in cyber you do see non-state actors who have capability that can rival that of state actors. And so it does mean that it becomes a very complicated thing to defend against. Not only that, it complicates attribution, because then how do you engage in deterrence or response if you are not sure that the people that have attacked you are state actors or non-state actors? That forces a little slowdown in the cyber response process as you try to unwind that, to make sure that you are not inadvertently taking a step in response against someone who didn't actually come at you in the first place.

Unfortunately we are out of time. We could talk for another half hour, but if you could please join me in thanking... Thank you.

Time for a quick break. Grab a coffee from our sponsors at Forescout, enjoy a quick snack, and we'll see you right back here at five after 11. Thank you.

Welcome back. Joining us now for a conversation about the workforce we need to address cyber threats, please welcome Emilio Escobar, Chief Information Security Officer at Datadog; Craig Newmark, founder of Craigslist and Craig Newmark Philanthropies; Camille Stewart Gloster, Deputy National Cyber Director for Technology and Ecosystem Security at the White House Office of the National Cyber Director; and Hugh Thompson, partner with Crosspoint Capital Partners. Leading the conversation is Nicole Tisdale, senior advisor to Aspen Digital.

Good morning. I know we have people joining us, coming in from the break, and so we're going to go ahead and get started. I'm going to leave the first question to everyone to also give you more information about their background, but I just want to set the table a little bit about why it's important for us to have this conversation. Everyone here is a part of the cyber workforce, and I think it's important for us to table-set that cyber workforce shortages, and the issues that we have recruiting and retaining staff in the cyber workforce, are a national security issue. All of us know that when we have shortages we are more vulnerable. But also, I think, as we talk about how we build our workforce, making sure that our workforce is diverse and inclusive, and that means across racial, ethnic, geographical and socioeconomic ties, is really important. We've all been in a room where groupthink has taken over because we are in spaces and places that are homogeneous. We've also seen that when we don't have diverse voices and we are short, we don't have the ability to innovate and come up with new ideas and see what's behind the next corner. And so today we're going to just have a very open dialogue about what are the challenges in the cyber workforce, but also what we can do as we go forward to build, and build in a way that's going to be helpful to address our cyber security issues.

I wanted to just kick it off with the very first question, as people give a little bit about their background: talk to us about why you are working on cyber security workforce issues. Everybody up here has what I call their full-time job, and so you've also taken on another full-time job where you're focused on workforce. So share with people why this is important to you. Emilio, why don't you get us started?

Sure. And before I start, your water bottle there... Oh, it's leaking. Thank you. So I think, as you said, it's a hot industry right now; it's front page in most of the media. We know that we have a lot
of vacancies, and there are plenty of articles that talk about it. It is a national security issue if you're in the public sector, where you can't attract talent or new talent there, but it's also a private sector concern as well, where we have roles that we're trying to hire for, and the talent pool is not only very competitive but also very challenging to get into. So, me being a result of an internship with the NSA, actually, and getting started that way, I like helping people get started in this field, because I know it's very challenging to start. It's a pretty scary field to get into.

I'm also a former intern in the public sector too. Oh, so, yeah. What about you, Craig? Talk to us, how did you get here? Did Craigslist bring you here?

Well, my deal with Craigslist, you know, for the most part we help people put food on the table, you know, get a table, that kind of thing. But about five years ago I realized that no one at Craigslist needs me anymore. But I had started doing a lot of philanthropic work, figuring I could give back to the people who had protected the country and help out the people who continue to protect the country. So I talked to a lot of vets and military families, and they tell me it's time to enlist. And cybersecurity is a natural area for me to enlist in. I have a small amount of background in it, but maybe I have the ability to do some good about it. So I took a look at the past. Like World War II: everyone was expected to play a role in defending the country, because that's what we need now. We need everyone to play some role in defending the country if they can. And I figure too, I grew up during the whole Duck and Cover thing, seriously, so I'm thinking that we need a whole-nation response in cyber, and we need what I'm calling cyber civil defense. The idea that if you're a regular person, I can help other people get you the education you need to defend your stuff, your computers and phones inside the house and out. And maybe if you're good at that, maybe I should also help find a way to get you the
training you need, and maybe an internship, so that you can get a professional job, a career in defending the nation in this new arena. To that effect I've so far contributed well over 50 million. But the deal is that it's incumbent on someone to do that, and if someone needs to play that role, then, like the Batman says, I'm not the nerd you want, but I'm the nerd you've got.

I like that. Thank you, Craig. Camille, talk to us, how did you get here? What's your faith?

So I started in cybersecurity because I wanted to empower people in society in and through technology, and I also like complex challenges. And over the course of working in this space I started to realize that there was a little bit of a gap in how we were thinking about these challenges. We were heavily focused on the technical aspect, and if you think of cyberspace as technology, people and process, or doctrine, then we were really focused on the technology piece and trying to build the doctrinal piece. But what about the people? And often that became a human capital conversation, but it's actually bigger than that. If you think about how people use technology, all of the actors, malicious or the users we seek to protect, the technologists creating technology, are all people, and how that then changes our use, our implementation, the threat landscape, all of those things. It became an imperative for me to talk about the gaps I was seeing on the people side: about how we were understanding how technology showed up in different communities, how systemic inequity was impacting our ability to actually understand the threat landscape and create mitigations that actually solved all of the challenges we were trying to solve for. So it was very clear to me that it was a national security imperative, and so I started doing things like Share the Mic in Cyber and NextGen NatSec, to really elevate the conversation and get more people involved in the industry. Because if we diversified our workforce, if we got more people interested in the really fun and
interesting challenges on technology that they use every day, we would be able to better attack the problem space. And then that just kind of grew in a way that I could not have anticipated, and then I came to the National Cyber Director's office to lead a division that looks at the future of those three spheres, right, people, doctrine and technology. And so one of my divisions is focused on emerging tech, but the other is focused on cyber workforce and how we future-proof our workforce.

That's really good, that's helpful. I like that at every space and place you've made this a priority. What about you, Hugh?

Well, first, thanks so much for having me on this panel with the esteemed group of panelists that we have. You know, it's such an important topic, and I think all of us have experienced that there is a material lack of folks that are trained up, or talented, that can walk into a situation and help in cybersecurity. We all know that. And I would say we've done ourselves a huge disservice in the cybersecurity community, because we've kept with high fidelity a secret that shouldn't be a secret: it's that cybersecurity is really cool. Like, it's really actually super fun. It's very rewarding, not just financially rewarding, but it's rewarding from a heart and soul perspective. It's a mission. You're going in and you're trying to fight bad guys, and you're trying to protect something. It is such an amazing discipline, because there are so many diverse problems, those problems are changing all the time, you have an active adversary on the other side that's constantly making you change and reimagine. I think one of the biggest challenges that we face in this space is we're used to thinking about a cybersecurity professional as a highly technical person that also understands the methods of the attacker. But the reality is, if you want to do cybersecurity today, you need a massive diversity of backgrounds and skill sets. Your degrees in psychology: we want you, we need you, we have to have you,
because most of the attacks now are preying on how people think. They're phishing emails, they're a phone call with a deepfake asking you to wire money, and they've got a great reason why you need to do it in the next seven minutes. That's a human problem. It's a psychology problem. We need the kinds of folks that are great communicators, that can actually talk to people about risks without going into acronyms and Never Never Land, in really practical terms. And so personally I've been involved in this for many, many years in many different roles. First as a professor, which I was for many years, in computer science. And I remember getting an assignment which was the most dreaded in a computer science department: it's like, this semester you have to teach assembly language. And I don't know why, people just don't like that class in general. But I started the class off that semester with: hey, here is a recently discovered buffer overflow vulnerability in some open source software, let's figure out how to exploit it, and you have to know assembly to do it. And you then become so thirsty to learn more. Why can't we ingrain those kinds of principles into everything we teach?

I've seen it from a different perspective, which is as somebody that's trying to hire a large cybersecurity workforce, when I was a CTO at Symantec. In that case you really get a sense of how in demand cybersecurity skill sets are. You know, people would show up with 10 résumés, and it's like, point to you on this list of places that they're considering going, and almost with an attitude. It's like, talk to me, sell me. I mean, that's the reality that we face in today's market. But also, in the context of RSA Conference, I've been the program chair there for 15 years, and we've tried to do a lot to bring in students and get them excited about security, and non-traditional students that wouldn't typically be a cybersecurity professional, people that have studied liberal arts, for example, and tell them that this is a home for you too. So
I think this is a massive topic. Thanks so much for hosting the panel on it, and looking forward to the discussion.

Yeah, thank you. I think, so, all of you have mentioned ... because we're going to transition, I think it's important to talk about some of these shared pain points, right? So we have representation here from the government, from civil society, from corporate America, from the private sector, and I think what is so interesting about cyber is everything in cyber is so interconnected, and so are the pain points. So it doesn't matter if you're in government, you're experiencing the same pain points that the private sector is having, especially as it relates to developing the cyber workforce. And so I want us to talk about some of those pain points. I'm going to step out first and say what everybody thinks we're going to talk about, which is: we're going to have a pipeline problem. I really hate when people say we have a pipeline problem. I've worked on the Hill and I worked at the White House, and I would always say, well, what have you been doing to build the pipes? It's not enough to say we don't have people flowing through. How are you laying down the foundation? As Craig said, are you talking to kids about cyber education so that they can see themselves in these positions, right? No child wants to be an astronaut until they know space exists. And so when do we start having these conversations and introduce them to this industry? And so the pipeline problem is my pain point, because I feel like a lot of people just haven't done the work to introduce the industry. What about y'all? And if the pipeline problem is yours, you can, like, jump on that too. I'm open to that.

I was gonna say you took my pain point. No, I think the only thing I'll add is it's actually true. So, you know, I hear a lot of people say, like, oh, if we had ... especially when it comes to diversity: oh, if recruiting will give us a more diverse pipeline, we will have a more diverse team. And usually my counter
argument to it is like, we're all industry leaders here, or we've been in the industry for quite a while. We should know at least a couple of organizations that we know are trying to close that opportunity divide when it comes to cybersecurity roles and opportunities. Why don't we go out and proactively partner with them, right? So I think talent is everywhere; it's just that opportunities are not making it to where the talent is, instead of expecting the talent to come to us, right? So that is a pain point. I think the only thing I'll add from a "what we see" pain point standpoint is, similar to what Camille was referring to, security is such a broad field. There are some technical aspects of it, there are some non-technical aspects of it, and I find that a lot of the security training and guides for how you get started in the industry are very focused on learning how to hack. Where, in reality, yeah, there are people that dedicate themselves to do that and they're really good at it, but we need a whole bunch of people to learn how to defend as well, and convince other people that systems need to be protected. So you're not going to be writing the assembly code or, you know, reverse engineering a binary to get there, but you're going to have to convince hundreds of people to work on something, and that's a skill set in itself.

I think that goes to Hugh's point too, in terms of we need people everywhere, right? Like, I'm a liberal arts attorney, but I spent a lot of time explaining very complex cyber issues to members of Congress and to people at the White House and in different parts of the administration, and I know Camille is an attorney as well. So as we elaborate on that, I think, do you all think there's a little bit of elitism that happens in the cybersecurity space, in terms of the idea that people need to have a technical background? I find a lot of the time we talk about things and we make them harder than they have to be. We were just having a conversation about acronyms. I think it's a competition at this point, where
nobody wins. So I mean, what are some of the other pain points, Camille?

I think it's focus on stopping the current bleeding, that we don't make long-term investments, and that kind of piggybacks off what you guys are talking about. If we are not investing in making sure there are diverse leaders, if we are not making sure that we are grooming middle management who can rise up the ranks, if we are not focused on the education pipeline, if we are not focused on broad awareness so that folks even understand that the opportunity exists to become a cyber professional, and understand that it's multidisciplinary and that those legal skills or your training skills or your marketing skills or your psychology skills are necessary in this space and valuable, and that, quite frankly, the technical aspects we can teach you to the extent that you need them to do your job, right? If we're not investing across that spectrum we will never see the pipeline that we're talking about. And so rather than just, like, let's put out an internship that might help people get a job ... which leads to another pain point: even after an internship, if you need five years' experience to get an entry-level job, then, I mean, the pipeline is broken. There's, like, a huge gap that people are trying to jump over to try to get to the next stage. Then that doesn't actually create a fulsome pipeline. It is a cycle. You don't see any leaders who look like you, you didn't hear about it when you were in grade school, there aren't any support mechanisms to help you get from the start to the end. You're just not going to thrive.

Yeah, I think that's right, and I don't think it's gonna happen, you know, to your point, Camille, by accident, unless we do something proactive in schools, for example. People don't even realize that this is a career path, that this is something that could be a profession that I can grow in, that I can thrive in. They don't understand. And I think that there's a massive gap between the opportunity and the self-satisfaction that you get by being in
cyber, whether you're communicating it to the entirety of the company in terms that they can understand, which is a critical skill the most highly technical people don't have, right, and is much needed, or it's going into the bits and the bytes and, you know, taking a board to binary and figuring out where the holes are. Folks, when they are planning their go-forward, don't think about security as an option. Like, I've got five young kids, and they recently had to draw, you know, what is it that they want to be when they grow up. You know, one of them, firefighter, standard. Another one was a lawyer, which I thought was very impressive.

Yeah, very great. Yeah, it's very, very, very, very exciting.

You know, one of them wanted to be a Christmas tree when he grew up, which, you know, I see it, I'm okay with that. Limited, limited. It's better than being a lawyer, probably.

Wow. Oh geez, from the lawyers. From the lawyers. Okay, I won't repeat that.

Yeah, but I didn't see anybody, and I'm evangelizing it all the time at home, I didn't see anybody saying, oh geez, well, I really want to be a cybersecurity person and put away the bad guys. So even in our own home I'm not doing a great job of it. We need to figure out how to make it onto the list of things, when you are in school, whether it's, you know, middle school, high school, college, that you consider. At least it's intriguing. It's like, what's that? What's that next?

I like that. I think that's a really good transition for us to also talk about what the bright spots are, right? Because if we sat here and we talked about the pain points, I think we could catalog for days and still not come up with some of them. And I know, Craig, you've been very active in terms of not just the cyber recruitment but also exposure, so as we're talking about this I wanted you to highlight some of the work that you've been doing to empower people that are actually making sure that we can get some career day cyber answers.

Well, for me the big challenge, given my whole-society perspective, is how do you get everyone to start
pulling together in the same direction regarding cyber. Frankly, the vision is that we need a new greatest generation, including a lot of people focused on this kind of thing. The hard part is talking people into working together, getting people to pull together. For example, I work with groups like Aspen Digital and the 92nd Street Y, having suggested we could use a cyber summit sometime, which would really be a good milestone along these lines. But beyond that, I'm identifying, with help, a lot of the groups who are addressing these specific issues, starting in high school, sometimes below that, and then going beyond it. For example, one of the groups centered here in New York that does a great job is Girls Who Code, and I'm helping them focus some of the work on cyber. And then a group notoriously good at this, seriously, is the Girl Scouts of America, helping out at that level. On the other hand, since I work with a lot of vets and military spouses, we're working with a group called Vets in Tech, and so far they've trained around 2,000 vets and military spouses, and placed or got promoted about 92 percent of them. So the idea is to just keep working on this, trying to promote the idea of cyber civil defense, that we really are all in this together, we need to protect ourselves. Now, this is an advertising or marketing campaign, Don Draper kind of stuff, and, you know, I don't know if I'm the right guy, because it requires social skills, and, like, have you met me? But I figure I can only do what I can do, and, you know, because a nerd's got to do what a nerd's got to do.

Well, I will say it was ... for you to have us here, because there were toddlers all in, and a mom explaining what we were doing, and she said they're talking about how to keep our phones and our computers safe, and I was like, okay, Craig, when you say 360 you mean 360, because now we're getting toddlers into the conversation, which I appreciate.

So far the youngest individual I've worked with in this regard is the seven-year-old
who’s gotten the GirlScout Brownie mirror Badges and let’ssay someone in uh someone in a certainoffice has asked for a resume to be sentinbecause we’re figuring that if you’reseven you could pass a background check[Laughter]probably stillthe five-year-old needs to won’t be ableto she’s a she’s she’s she’s going toradicalized we think well we’ll we’llsee maybemaybe yeahI mean I’m looking at Camille becauseyou are in the process of reallyLandscaping what needs to be done theoffice of the national cyber directorhas take taken on the task of creatingthe first Workforce strategy and veryopenly you reached out to the communityto say send us your comments tell uswhat you are doing in terms ofrecruitment education tell us everythingthat is working what problems you’rehaving so have you seen some brightspots yeah I mean first I’ll talk alittle bit about the strategy directorEnglish hastasked me to lead an interagency wholeof nation effort to write a cyberWorkforce strategy that addresses thefederal cyber Workforce the nationalcyber Workforce Education and Trainingand then digital awareness Rift largehow do we address all the things we weretalking about how do we really raise thecollective level of cyber awareness sothat we’re having more conversationswith our toddlers about how their phonescan be secure but also how are weempowering Security Professionals thefew that need to be security engineersand highly technical the many which areeveryone in a cyber adjacent or cyberinformed profession and then really thecollective right how do you make sureyour entire organization the entirepopulation really is thinking aboutcyberand we want to make sure that it istruly whole of nation so while there isan interagency body that is reallydriving towards like putting pen topaper we open end up in RFI got 146responses from a variety oforganizations providing their feedbacktheir assessment of the challenge spacetheir assessment of the opportunitiesthere are some really interestingprograms 
some of which you've heard, going on in industry organizations and grassroots organizations that can really help inform what we do, not only in the federal government but how we support private industry and civil society as they also get behind this effort. And we had the cybersecurity apprenticeship sprint that was announced at our summit that catalyzed this effort to start a strategy development, and that closed yesterday, and we had 2,000 organizations want to learn more, 194 new cybersecurity registered apprenticeship programs, over 7,000 apprenticeships hired during our 120-day sprint, with a thousand of them being private sector, 27 percent people of color, 28 percent women, and DoD really invested, having the largest apprenticeship program. I mean, that is a real testament to the need for folks to enter into organizations, to have the training, for organizations to figure out how to pull in new talent into their organization. So there's a lot of good work going on. We're hoping to harness that, we're hoping folks stay engaged. The RFI wasn't the only opportunity; we have been working with universities to hold convenings, to have discussions around what we're hearing and how we continue to refine that and use the federal resources to empower and support industry. There's more to come, and so there's a lot of good work that is starting. We just need to make sure we're all moving in the same direction and making both the short-term, medium-term and long-term investments.

I like that. All right, what do you have here? Do you have some examples? These are tough to beat, because that is ... yeah. I'm like, I hope you all are going to put that in a press release and get it out, and I hope everyone here is going to retweet and share, because that's amazing. And also, for those that focus on apprenticeships, that means people want these jobs, right? Like, these are people that are trying to reskill, they're trying to enter into this workforce, and I love that you all are making a path for them.

I agree. So I'll just talk for a minute about what we've
been doing at RSA Conference. So many of you have probably been there over the years; it's the largest cybersecurity event. And what we've tried to do, and I want to say this started 10 years ago, is to bring in very talented students from around the country that weren't necessarily studying computer science, but if you asked the head of the math department, the head of the comms department, the head of the ... and ask them who are the best students at this place, we would actively recruit those people and say, look, come to San Francisco, it's going to be great, you know, a whole week. We set up dinners with cybersecurity luminaries, right, so the R and the S and the A and the algorithm and, you know, everybody in between, and we try and expose them as fulsomely and directly as we can to what this space really means, what are the problems, what are the opportunities, what does it mean at the coal face. Like, for example, communications: the fact that the attacker continues to evolve the way that they communicate to us, the way that they try and deceive us, with phone calls, for example, now instead of emails. And the success rate in getting those folks, that weren't headed towards a cybersecurity career but were headed towards great success in whatever they did, choosing cyber has been immense. And then in the last five years we've started bringing in thousands and thousands of ... top of their class, I'm sorry, but from Iran ... so that they can get the scaled view ... interact with a variety of people ... and us to reveal ... you will ... like this. All right, you will get emotional reward from doing it. You will also get very financially rewarded by doing it, especially today in the private sector, given where we are. And most people don't know that. It sounds like it's something boring when you just talk to somebody about it. I used to travel all the time. I think one year I clocked 500,000 actual miles, not premier qualifying miles or anything like that, on a plane. And I remember just sitting next to a random person next to me on the plane, and
you have this perfunctory conversation at the beginning. It's like, hey, what do you do? It's like, oh, I'm a chemist. I'm like, whoa, that's great, tell me about that. And then it would go the other way. It's like, what do you do? I'm in cybersecurity. And then you see them start to reach in a bag for a book. It's like, hey, I've been waiting so long to read this book and it's probably going to consume me the entire flight, you know. But it's starting to change. People have seen this in the headlines. It's starting to become a more mainstream topic. Anything that we can do at scale, whether it's PSAs or our own version of Smokey the Bear, that we start, you know, kind of pushing out on the world to tell people that this is cool, it's exciting, it's interesting and it matters, I think you'll have people just coming to us instead of us having the problem of hunting them down.

Yeah, which I think ... you know, we're coming off of October, which, with Cybersecurity Awareness Month, and I love the slogan this year, which was "See Yourself in Cyber." I thought that was so important, because I think that's what we have to show people, right? Like, I know Craig's organization and the team here at Aspen ... recently I've been to the University of Mississippi talking about what cyber looks like, I've been to Southern University, which is an HBCU in Baton Rouge, Louisiana, and it means something when people have someone show up with this accent that sounds like them, or show up that's a Black woman that looks like them, and just talk about your experience. And the first question I always get is like, so you must be really good at math. I'm like, absolutely not. I also don't do it in public. I don't do that. But these are the things that I am good at, and these are the things that I enjoy, and this is the space. We're in a place now, y'all, where Kendrick Lamar is making deepfake videos. Like, this is helping, this is marketing. I see some younger folks down there that are like, yeah, we watch
those videos too, yeah. So what do you think? What are some of the bright spots?

I agree with everything that's been said. I think it's become more mainstream. You know, similar story: so I used to work for Hulu prior to Datadog, and every time I had to, like, go to the airport, I'd get picked up from our office, you know, I live in LA, it's usually like, oh, I have a content pitch, or a content idea to pitch to you. I'm like, I don't do that. Like, 99.9 percent of the time I'd say, hey, I just run security and IT, right, and it's like, oh, okay, fine, and the ride would be the quietest ride ever. Except for this one guy that was like, oh, actually my show is about cyber and my first episode is about ransomware. So we talked about it during the way, and I kept saying, like, listen, I don't buy content, I don't do any of that, but that sounds pretty cool, and I gave him some pointers. That was right after one of the seasons of Mr. Robot came out, so it became pretty popular. So it's become more mainstream.

I think, you know, some bright spots, and Craig alluded to it: I've done work with the Girl Scouts of America before, and I like the fact of that representation. So we had an event, I brought the CIO of 20th Century Fox and she talked to the Girl Scouts, and I had a couple of engineers on my team do that. And personally I get involved in the Latino community and a couple of non-profits that are meant for, like, getting people into tech, different aspects of tech, security being one of them. Because I do agree with the fact that if you don't see it you can't imagine it. So, you know, those of us that are privileged enough to be in the position that we are, going back and saying, hey, it is possible for you to do it, but there are also, like, many options for you to choose from, right? Like, you know, my role is a role; it doesn't mean you need to go for that path, but there are so many different options here. You know, it is cool to work on it, or you can be, you know, say you're in tech, you can be a software developer and care about security and be a great
product developer, and you're making the best friend of the security team because you're security-focused. So there are many paths here in this field.

Yeah. And so we're going to open it up for questions. And, oh yay, hands went up immediately. Yes, we'll go ahead and open up for questions, because I don't want us to run out of time.

Hi, so I'm the reporter from SC Media, and thanks to you all for sharing. I have a question in regard to how recession will impact the cybersecurity workforce. Well, there are a lot of people saying cybersecurity is a relatively recession-proof industry; I've seen a lot of, like, tech companies laying off workers. So I wonder, does recession have an impact on the cybersecurity workforce, and if so, how does it reshape the workforce?

So the question for our online audience is: how does recession impact the cybersecurity industry?

Maybe I can start and then pass it down. You know, cybercrime just thrives in times of uncertainty, right? We've seen it happen over and over and over again. And if you look at many of the security requirements that companies have today, they're non-negotiable. Like, they've been escalated up either to the board as a compensating control for a risk that's at the board level, or they've been regulated and mandated to the point where you can't actually continue your business as usual, even if that business as usual is shrinking, without having these cyber controls. And so I think we're at a point, which is not a great thing, but because we have such a deficit in cybersecurity workers and talent, I haven't seen among the portfolio companies that we have at Crosspoint Capital, I haven't seen anything that would indicate that those jobs are number one on the chopping block for companies. And then companies where they've had to do it, because they've had to scale their whole organization down, I've seen those folks quickly pick up alternate jobs, just because the open reqs survive an economic downturn.

But yeah, no, I agree. I think in the private sector, at least for what we're
seeing, is we're still getting candidates that still have, like, three other offers that we're competing against. Maybe what we've seen is a decrease: I used to have five other offers, now I have three. But it's still very competitive. So I think it's mostly recession-proof, and I think companies that have to decide to cut some of the security workforce, because they have to do it, right, like there are survival aspects to it from the business standpoint, and sure enough they pick up another job quickly.

Other questions?

Hi, my name is Sandra Khalil. I'm with All Tech Is Human, and I'm also studying cyber policy at NYU. Thank you so much for this conversation. I'm currently doing research on cyber workforce development, and one of the ideas that my partner and I were thinking about was not only standardizing the cyber education, to make it more of, like, a licensing board the way we would standardize a medical doctor, engineer, lawyer, but we're also thinking about how to weave cyber into a more vocational type of programming so that cyber operators in critical infrastructure specifically are equipped with the knowledge at the intersection of cybersecurity and industrial manufacturing. So I'm wondering if the panel has any thoughts on that and any challenges you might foresee.

That's a good question. So how do we start to incorporate the cyber workforce and cyber skills into more vocational aspects as well?

So I definitely think there's an opportunity for vocational training in cyber. I mean, there are a number of different models and a number of different ways that that can happen. You could definitely do it. I think the argument against licensing in cybersecurity is that the pace of innovation, the pace of change, is too quick for the licensing, and so you will run into an issue with how you have guaranteed that people keep up with the needs of today. That said, for lawyers we have a duty of care: you've got to know what you're talking about before you go talk to somebody. And so there are other opportunities, I
think, to kind of keep that pace. But you'll probably hear lots of pushback on the licensing thing in the near term, particularly because infrastructure is so different at different organizations, the regulatory regime is changing quite rapidly, it's a pretty complicated space. You will need to get recertified almost on a yearly basis.

Yeah, yeah. I don't know what happens when you go over time, but we are over time. And so I know we have more questions, but we're going to be here this afternoon and we're happy to keep chatting about these. But I wanted to thank everybody for joining us. I think this is a very important topic, and thank you all for sharing. Thank you.

Next up, to help us explore everything from location data privacy to reproductive data security to the future of facial recognition, please welcome FTC Commissioner Alvaro Bedoya, Alexandra Givens, president and CEO of the Center for Democracy and Technology, and New Jersey Attorney General Matthew Platkin. They're joined by Kashmir Hill of the New York Times.

Hello. Sorry, one of our panelists is getting miked back there, so we're a little out of order. But I am Kashmir Hill. I write about privacy and technology at the New York Times. The panelists actually have a lot in common. It's a panel of lawyers. Alvaro and Alex were co-workers for quite a long time; both worked on legislative issues with the Judiciary Committee in the Senate. Alvaro founded the Georgetown Institute of Technology and Privacy ... that would be Alex. That's me. Alex founded the Privacy Center. We try to make it as confusing as possible; that's our goal. And, yes, they worked there together. And Matt Platkin recently was confirmed as the Attorney General of New Jersey, started the beginning of this year. Alvaro fairly recently confirmed as an FTC commissioner. And we're all interested in the topic of the panel, consumer rights, privacy, and so I just want to start off by asking the three of you: what is kind of at the top of
your agenda, what is the most pressing issue right now in this kind of very large sphere of consumer rights and privacy? And I'm going to start with Alvaro.

Sure. It's wonderful to be here with you and with the folks from Aspen Digital. I'll give an answer that may be a little counterintuitive given our shared interest in face recognition technology. I spend a lot of time worrying about and trying to get a handle on the relationship between social media and teenage mental health. I think this is an issue that people from my corner of progressive tech policy, you know, the world I came from, and academia have spent too little time thinking about. And while there's some hyperbole, we now have eight years of peer-reviewed social science research arguing that, not only through correlation but causation, there is a problematic relationship between prolonged use of social media and clinical anxiety, clinical depression, suicidal ideation, thoughts of self-harm. And the two things that I have, together with my team, zeroed in on as potentially helping us get a handle on this relationship: the first is establishing through statute, ideally through statute, and there's a bill in Congress to do this, a bill just passed in California to do this, a best-interest-of-the-child standard that applies to tech companies, to force them to use non-public information that they are always the first to learn about, the first to be privy to, and hold their systems up to that standard to make sure they're not harming children and teenagers. And the second is, there was just a discussion in the last panel about the law lagging behind technology, and I think sometimes you give a little too much credit to technology, and I think recent events suggest that maybe the law is a pretty good thing to have in place before technology. But the point I'd like to make is, you know, not only does the law sometimes lag behind technology, but expertise lags behind both, and expertise does not always follow. And so, speaking of the Federal Trade Commission,
for decades we've sought to protect consumers in part through the help of economists. So we have dozens of economists who can measure what we allege to be consumer harm down to the cent. Thanks to a number of folks that we know and call colleagues and friends, we have had technologists at the Federal Trade Commission for maybe a decade plus, and so now if there's a tech issue, a thorny, complex issue, I have a bunch of technologists I can ask: what the heck's going on here? You know, I'm just a lawyer, you tell me what's going on here. But we do not yet have psychologists at the Commission, nor do most tech regulators and enforcers in the space. And it should come as no surprise that in an attention economy, where the unit of value is the amount of time we spend online staring at the screen, the harms are going to be psychological in nature and related to mental health. And I'm eager to make sure we have the expertise in place to grapple with that, understand that, and address it.

So you'll be pushing the FTC to hire more psychologists, have them on staff?

Yes. In fact, that's already part of the strategic plan. There's a five-year strategic plan in place from 2022 to 2026, and part of it is to explore bringing on staff psychologists, with a particular focus on child psychology, youth development experts, to do that.

And you would like technology companies to be measuring this internally, have some kind of standard they're supposed to meet, that their product is basically healthy for children?

So, sorry, did I... No, no. So I wouldn't call it a secret; it's actually all public. They're already doing that. In the same way as, you know, the NSA was one of the nation's leading employers of mathematics PhDs, if you go on LinkedIn and you look at public information around who companies are hiring today, they are hiring dozens upon dozens upon dozens, actually no, hundreds of PhD psychologists, both to design their platforms to be as sticky as possible and also to
evaluate and address harm. And so all I want is for enforcers and regulators to have the same skill sets internal to their work as tech companies are already using today, both to keep us online and to assess the harms that come from that activity. So what we need is to catch up.

Yeah. And then how does that fall under FTC kind of jurisdiction?

Sure. So another thing that I was speaking about with the Attorney General is, a lot of people say, oh, well, you know, you have old laws, you know, they don't really apply to this. And that's not true. We have, you know, both in New Jersey, you know, all states, and the federal government, we have a law, and in the federal government we've had it since 1938, that prohibits unfair and deceptive trade practices. Does it include the word privacy? It doesn't include the word cybersecurity. But those words still have meaning today: unfairness, deception. And the test for deception is, did you tell someone, you know, obviously simplifying, did you say you were going to do something and not do it in a way that harmed people, or did you materially omit information about your practices, things that you knew about how your platform functioned, and still let people use the platform despite that? So that's one way misconduct in theory could be reached. And when it comes to unfairness, you have substantial injury. It doesn't just mean people being sad, but critically that's not what we're talking about. We're talking about clinical anxiety, clinical depression, suicidal ideation. There's not a single person in this room, I think, who would say, oh, that's not a substantial injury. But then you need to prove it's not reasonably avoidable; you need to prove also that it's not outweighed by other harms. And so yes, we have old laws, but it's not like people in 1938 weren't quite smart, and they purposely set out laws that would allow us to protect the American people for generations to come.

Fascinating. Okay, Alex, I'm going to move on to you. What is kind of your top issue right
now that you're looking at, hoping to do something about?

Sure. So I run an organization focused on consumer rights and democracy in the digital age, so there's a lot on the list. I think one of the issues that is worth calling out here is the intersection of privacy and civil rights. I think for a lot of people, when they come to this issue for the first time, you think of privacy as an individual's ability to control what information is shared from them with the outside world. But in reality, in a moment where we can't really control what information is shared about us with the outside world, there's a whole other set of harms, which is what inferences are being made about you, and how are the breadcrumbs of information that we leave across the internet in the course of our daily lives being used in a way that can dramatically impact economic opportunity, people's ability to express and explore themselves online. You know, many people are of course familiar with the notion of redlining, right, which is discrimination based on the history of your ZIP code. Now there are so many more data points than just a ZIP code that can be used to tailor ads to a particular audience, to evaluate who is eligible for a job. There's an increasing number of vendors and tools that are purporting to use machine learning to come up with the ideal profile of a job candidate, for example, qualifications for a loan, tenant screening algorithms, for example, all of which are comparing individuals to a much broader data set and inferring, kind of, does this person have the right traits to match what we are selecting for in this instance? And all of that is leading to very real-world harm. I think a lot of times privacy harm can feel abstract. Discriminatory uses of data is not abstract; that is a real-world harm that we need to grapple with. So that's why both my organization, CDT, and a wide range of civil rights organizations, and Alvaro in his former career before joining the Commission, are really
so focused on making sure that civil rights is a central part of the privacy conversation, including in privacy legislation and also in best practices for companies. And we've seen leadership from the Biden administration on this recently. The White House recently released its Blueprint for an AI Bill of Rights, trying to articulate a number of these harms and what companies can be doing to address them. I think it's a critical piece of the conversation.

And so is your focus primarily on the way that companies, the private sector, is using data, or all of the above, government and companies?

All of the above. So we do a lot of work on government surveillance as well, and so that is also hugely important. I know we're going to talk about face recognition later on the panel, but largely in the commercial sector I think it's important, and we need a combination of solutions, right? Legislation should provide the backstop, make sure that people are equipped with tools to defend themselves, and give the enforcers something to use. But also companies really need to be out ahead of the curve on this, and I think some are trying to be, really, you know, auditing their products for what some of the discriminatory impacts might be, making sure they're doing so on a continual basis, not just at the design phase but at the implementation phase. And as a general matter, we need to make sure that the public and consumer advocates are aware of these risks so that they can try to step in to protect people as well.

So as an organization, in terms of what CDT is trying to do on these issues, is it primarily public education and kind of pushing for legislation, or are there other things that you're trying to do?

Yeah, so legislation, talking to the enforcement agencies. You know, one of the important tricks of different enforcement agencies is not only that they can bring actions but also that they can issue guidance, they can give speeches to audiences, and they tend to listen when the regulators speak. So we try to make sure that they are playing that role as well.
there’s also a lot todo this is to Alvarez earlier point onequipping the government to even beidentifying these cases and knowing tolook out for these harms so one of thethings that really matters right now isensuring that the Civil Rights focusedagencies whether that’s the equalemployment opportunity commission theConsumer Financial Protection Bureau theDepartment of Justice there’s state andlocal counterparts know about theseharms have the in-house capacity toactually be looking for these cases andbringing them where they need to and asI said issuing that guidance to Industryas welluh okay and then I’m gonna go to youMatthew what is uh what is the top ofyour list right now in terms of biggestproblem that your office wants toaddressum well first of all let me just sayAspen thank you for for having me I’m Ifeel like a Trailblazer being a NewJersey attorney general speaking at the92nd Street why so this is a reallyincredible momentum but this is this is basicallyeverything that’s been said I mean to behonest with you I’ll give you sort of ageneral answer and then a specific uhgenerally I am and as a state we arevery concerned aboutcompanies putting out terms of servicesor privacy policies that they thenblatantly don’t adhere toand as has been said you know we mayhave old laws but that is just adeceptive business practice that has notbeen legal in the state of New Jerseyand in Most states and under the federallaw for a very long time and so most ofour investigations that have producedsignificant outcomesall but many of them are based on thattheory and so I have and we see it inall kinds of conduct obviously we see inthe David privacy context and I’ll talkspecifically in a second about oneexample of that but we also see itum in the rise of bias incidents andwhat you know companies like Facebookhave said they’re going to do tomoderate the content on their platformsand prevent hate groups from spreadingactions in ways that the governmentcannot because the first 
Amendment protections. But once they say they're going to do it, they have to do it. We see it in a whole range of contexts. And so in the data privacy context we've certainly seen it. And actually, we're looking at, this is public, we're looking at Instagram and TikTok for targeting youth, and using similar theories to what I just talked about. And the impacts you mentioned are very scary, and I'm very proud that it's a bipartisan collection of AGs that are looking at that. That's not an issue that has broken down along partisan lines, so I think generally people are concerned about that. But data privacy, it's the same thing. I mean, we just had a settlement last week, or earlier this week rather, a very significant settlement with Google over their data tracking policy. What they were saying to their consumers was just not what they were actually doing.

In terms of location tracking.

Yeah, exactly. And then in a very specific context, in a very real sense, and to your point where things can seem abstract when we're talking about technology and data, and, you know, the average resident in my state does not understand what's going on in their phone, that's true pretty much everywhere, but we're seeing in a real way right now, when it comes to reproductive health and, you know, post-Dobbs, there is both a very real fear by providers and people who are taking advantage of legal reproductive health care services in states like New Jersey that their data is going to be used against them. It's going to be obtained by other investigative agencies, and potentially they could be found to have liability. Now, under New Jersey law they're protected, but I still have a lot of concerns about what tech companies, big and small, are doing with that data, everything from the apps on the stores, as well as what Google and Apple are doing as it relates to their own data tracking and those who make their apps available through their platforms. And so those are very much unanswered questions right now. And we were talking about this backstage: we're doing a lot,
we have a lot of tools, but this is an area that I've seen because, on top of everything else, we license the medical providers in the state, so I know the fears that they've had, because I've spoken to them. And it's very much come to a head. Obviously, I mean, Dobbs was I guess to some degree foreseeable, but no one was really expecting that decision, you know, a year or two ago, and they've had to adjust very quickly in real time.

And the concern is not as much the reproductive health privacy of New Jersey residents, but people who would be coming from out of state to get abortions in New Jersey?

Look, I think it could be both. I think anyone who's providing these services or taking advantage of them has concerns about, you know, where their data is being stored if they do come across state lines, who could potentially get access to it. Remember, a state like New Jersey, we see a lot of people pass through; it's very easy to travel to our state. We have some of the strongest reproductive health care protections in the country, which I'm very proud of, and we have a strike force that brought together all of our civil and criminal authorities to ensure that those laws are protected. And the governor signed laws that significantly restricted what data could ever possibly be shared, even to another state seeking that information, whether it be from health care providers or from a state or governmental agency. But there's still a lot of gaps in terms of what the companies themselves have done, and even what they're saying about what they have done, both for us as regulators and enforcement agencies but also for the providers and the public. We're talking about some of the most sensitive and difficult moments in people's lives, and now you add a layer of uncertainty onto that as to, if I'm taking advantage of a legal service in a state where I know I'm allowed to do it, could somebody, through a phone that's in my pocket, or from a period tracking app, or any other data that my doctor
is going to get, is that going to go somewhere that I'm not going to have control over it? These are things that they might not even tell their parents or their spouses or their partners about, but they're putting that trust in companies that frankly don't have a great track record when it comes to this issue. And so it's a very real sense, and I think it sort of grounds, when we're talking about data privacy, and this is true, as you said, whether it's algorithmic bias or any of the issues we're talking about, they're real issues in people's lives. And that's where, as an attorney general, and my counterparts across the states and the federal government, you know, we have an obligation to use our laws to protect our residents. Just because it's new technology doesn't mean certain practices that were illegal if you did it by phone or by letter or by advertisement on a billboard are now legal if you do it on a social media platform or an app.

I mean, theoretically, in terms of the way that the AG's office would get involved in a case like that, would it be, you know, some kind of information request happens over state lines from another law enforcement agency, would the AG's office get involved in some way at that level, or is it more just regulating what providers in New Jersey, what information they would make available?

Yeah, I mean, we could get involved in a number of ways. And sometimes we might not know. I mean, one of the reasons why the laws were signed is because if, let's say, another state were to subpoena records, it wouldn't necessarily get on our radar if it was to a third party. But we get involved in a lot of ways. I mean, we're in the business of suing people, so we have investigative powers and we bring lawsuits as it relates to data breaches. And that's not just because it's what we want to do; I mean, we'd prefer that didn't happen. But we are tasked, and I am tasked in New Jersey, with enforcing our laws, and, you know, we've used our tools in that sense. But we also, whether it be through the
regulatory process, or by promoting good policies, or just good hygiene from the industry, I mean, I would much rather, it's a lot less resources and much more productive, when we're working together to change conduct in a way that benefits the residents of our state. I'd much rather do that than have to file a litigation and get 40 other states to go along with us. That's much harder and, frankly, I think not the best use of resources and not the best outcome for the companies either. And so we have a lot of interaction with industry, and they've been, you know, at times very cooperative, and other times they haven't been, and then it's resulted in us having to take enforcement actions.

I think within the privacy sphere we've talked for a long time about how there's so much medical data that is unprotected, because, you know, a lot of people think, oh, HIPAA protects everything medical related, not realizing that it applies very specifically to medical providers, and that there's now so much reproductive health data, medical data, that is kind of flowing through third parties that are not, you know, medical providers, and so it's not protected by HIPAA. And Dobbs has really brought that kind of long-going conversation into very, very sharp focus. And so, Alex, I am curious, I know this is something the organization has thought about a lot, but at this moment how are you thinking about the protection of medical data that's increasingly flowing outside of the kind of medical establishment that's regulated by HIPAA?

Yeah, it's a great point. And I think one thing, again, there needs to be consumer education, because people think that that stuff is protected. It is not. As we stand here today, there is not a single federal law that protects consumer privacy and the types of commercial sources of information that we're talking about. Instead we have to rely on a patchwork of laws, on the consumer protection provisions that either states or the Federal Trade Commission can enforce. So we need a much more sophisticated conversation
around privacy legislation and making sure that there are baseline expectations for how data can be protected. The other piece of this, of course, is asking the companies. I mean, to the point that you were making, I think this really has been a wake-up call for many consumers about just how vulnerable their information is, that, you know, your phone probably knows more about you than any single person in your family at any given time, and that information can be highly revealing. I think one of the elements of the Dobbs decision that has made this such a sharp moment is realizing that people have to worry not only about law enforcement access to that data, but also the potential of lawsuits and pursuit from bounty hunters in certain states as well. And so, to be honest, whether one actually expects to be in the market for reproductive health care services or not, I think many people are realizing, hey, there's a lot going on here. So one of the other areas that we're focusing on is really spending time with the companies about how they can better improve their data practices in that regard. And the answer here, if they do not want to be handing over, or faced with the uncomfortable scenario of law enforcement subpoenaing them for their customers' most sensitive information, is minimization: don't have that data in the first place. So there's a lot more companies can be doing to reduce the amount of data that they have, to reduce how long they hold it for, of course to think about who they're sharing it with, where they're selling it to. And underpinning all of this, of course, is the market of data brokers, you know, kind of this additional realm in the ecosystem that are there buying pockets of information from all these different providers and aggregating them to create profiles for people that law enforcement can then come and access without having to get a warrant or follow, you know, traditional criminal procedure. So the companies do have a really important role to play here. I think this is a wake-up-call moment where their customers are
looking to them with strong expectations that they're going to follow through.

I wanted to flag a lawsuit that the Federal Trade Commission filed a month or two ago. It was a bipartisan vote, against a company called Kochava, and what we allege is that they broke the law by selling detailed information about their users, geolocation information, and giving it away online to prospective customers, and in doing so gave away information about people's trips to reproductive service centers, addiction treatment centers, churches. And so we are trying, as many other law enforcers are across the country, we are using the tools at our disposal to try to address this. But absolutely, more legislation would be helpful.

And were they giving out specific identified information, or was this kind of...

So there's some nuance to it. My understanding, and I don't want to get it wrong, but my recollection of what the complaint alleges is there were pseudonymous identifiers, but they were persistent identifiers. And so, you know, if I don't call you Kash but I call you, you know, some other name, but I always call you that name, that functions as an identifier, like a nickname, right? I'll call you K, right? That might serve the same function. And so that, I think, was part of the kind of fact pattern in that case.

And after, you know, after the Dobbs leak, really, there was a call for women to delete their period tracking apps. There was a lot of concern about how this data might be used. Have you seen that data being used yet, kind of, what's the most concerning data use you've seen happen so far since the ruling, as kind of state laws have started changing?

So I will say I was actually very worried by the period tracking app news stories. They served an important function for raising consumer awareness, right? You should always be smart about the apps you're using, what their terms of service are, what promises they're making to you about how they're using that data or not using it, so that enforcers can come after
them if they don't live up to those promises. But one of the things that made me worry is that if that was presented as the fix, delete that period tracking app and you are good to go, wow, is that some misinformation for what the actual threat model looks like, right? If you think about it, so there have already been cases brought prosecuting pregnant people for their pregnancy outcomes, and this includes before Dobbs, when pregnant women have been prosecuted for taking drugs during their pregnancy that resulted in the miscarriage of the fetus, for example, or for people taking self-medication abortion outside of the statutory limits that were permitted in states even under Roe. And in those prosecutions the information that's being used is internet search history, the private conversations that people are having with their best friends via text message in their time of need. And so it is these mainstream uses, right, ones that you can't delete; that function on your phone, that's the whole reason you have it, right? So this is a story about a lot more in terms of the vulnerability, and it's a lot more than an individual user can control. So yes, users need to be smart, there are great resources online about how to do that, but also we need these minimum protections and we need the companies to step up to protect their customers.

For a long time, talking about privacy issues, you know, at kind of the end of every story I wrote, somebody would say, we need more laws to protect privacy, we need a federal privacy law. And it has not happened in about the decade or so I've been covering this, though there have been interesting state laws, some that were passed, you know, very early on. I think that probably the most important one is the Biometric Information Privacy Act in Illinois that was passed in 2008, before most tech companies were using any kind of biometrics, facial recognition. There is yet again a privacy law kind of at the federal level hovering, might or might not move forward. Alex, I was
wondering if you can fill us in on where it is now, if you think it's likely to move forward or not.

Yeah, so you gave a great setup. People have wanted this for a very long time. There are not many issues in the world today, in the United States, where you have Democrats calling for it, Republicans calling for it, consumers calling for it, businesses calling for it, because they know that they want a baseline standard for user trust and some guidance about what the rules of the road are going to be. So the conditions are ripe. There is a piece of legislation, the one that you're referencing here, is the American Data Privacy and Protection Act, sometimes known as the ADPPA, and it recently passed this summer out of the House Energy and Commerce Committee by a bipartisan vote of 53 to 2. There are, again, not many issues that are getting that type of bipartisan support. So one of the things I think is most exciting about that bill is that it really does move the ball forward substantially in how we think about privacy. The traditional framework for a long time was one focused on notice and consent. So if the company told you they were going to do something with your data, even if it is on page 57 of the terms of service, which even I, a privacy lawyer, do not read, they could get away with it, right, because they've told you and you've consented by using their service, right? The ADPPA takes the really important, just evolutionary, step of saying that doesn't work. Users do not have choice in that scenario. That is not the way to regulate. Instead we need baseline protections, rules of the road. It also has civil rights language in there, to the point that I mentioned earlier. It has a private right of action for users to be able to enforce their rights. So there's really good stuff in there. The question is how we get it across the finish line in what is a difficult political climate right now. The main issue for this bill that is holding it up right now is that part of the grand bargain is that it does preempt some state laws. It
doesn’tpreempt bippa but it does manage tocarve its way out of that it’s it’s beenthe law for long enough now that youknow people understand that theyrecognize that protection companies arecomplying with it soum but it does have a preemptive effecton California’s recently passed PrivacyLaw which is a challenge becauseobviously California was an innovator inthat space there’s a whole wheatyconversation to be had around that Ithink for many of us consumer Advocateswe think that the protections of thefederal Bill are stronger than what’s inthe California law and also number oneit allows the California enforcers tokeep enforcing and kind of keeping theirfunction and also we need to protectpeople not just in California but aroundthe whole country but we will see whathappens with it sitting in the NewJersey attorney general’s office howmuch does this matter the kind of thefederal privacy conversation how wouldit impact you if that law passed youknow do you want something like that ordo you feel like you have the tools youneed right now at your level to enforceyou know enforce these rights it matterit matters a lot you know I um chairmanpallone Frank pallone is New JerseyCongressman chairs the committee atleast for a couple more months that umyou know the the law the bill passedthrough and I’ve spoken to him about itand I know how hard he’s worked to getit through and those numbers you don’thear very often in terms of bipartisansupportum you know there’s certainly uh I thinka healthy debate amongst AGS in variousStates about the preemption question andthat I assume will shake it out but thefederal law is a very significant stepforward and giving us the tools toenforce is a step forward you know frommy perspectivewe and this is true for every every timewe pass a law I say this butparticularly in this space where there’ssuch a dearth of experienced uhinvestigators and lawyers in publicsector doing this workit’s really important that some of youfolks and those you know come 
into government and work on these issues, because I'll tell you, from us, if we don't have the tools to enforce the law, then it's just a nice press release. And so any law we're tasked with enforcing, it's true for the federal agencies or the state attorneys general, which play such a critical role. We are aggressively building out our data privacy team. We already have one of the best in the country, I would argue, and we are expanding that rapidly. And I also co-chair a new center set up by the National Association of Attorneys General on cyber and technology, and one of the pushes that I feel very strongly about is, you know, we need to be providing state AGs resources, technologist resources, that are hard to get into state government, so that as we're building these cases, (a) we're not pursuing cases that really shouldn't be pursued and wasting government resources and wasting companies' time when we can just work out an issue, and (b) that when we need to pursue an enforcement action, and when we have those tools, that we have an obligation to our residents to be able to put them to work.

What about sitting in the FTC? And I know you probably have feelings about privacy being a bipartisan issue and yet not being able to get a law passed on it at the federal level. But with or without a privacy law at the federal level, how does it impact what the FTC is able to do?

So, you know, like I was saying earlier, we're doing absolutely everything possible that we can using the authority we have, and it is a broad authority. We also have a rulemaking authority that Congress gave us a couple decades ago that we are exploring whether we can use and should use to address some of the issues that have been discussed during this panel. But frankly, for the Commission, what would be most helpful is resources. And the interesting thing about the Federal Trade Commission, it's the oldest consumer protection agency in the country, I would argue it's the preeminent one, and so when Congress passes a law, they say, oh, FTC, you enforce it. And they'll
pass a law about, you know, great laws, right, laws about, you know, ticket resales, you know, laws about kids' privacy, but they'll just add on, I think it says, FTC shall enforce it. And yet our staffing is lower than it was in the 1980s, and in the 1970s absolutely. That for me is the key issue. The law that Congress is considering is terrific. It's got everything: we've just got civil rights, you know, biometrics, kids' privacy, kids' information, they have strong provisions there, and we'll use them. But for me, my main concern is making sure that if Congress tells us to do something, they give us the resources to do it.

I am curious, you bring up biometrics. I'm obsessed with facial recognition technology because I wrote the story at the New York Times about Clearview AI, which had scraped the internet of billions of faces, created a facial recognition app that could ID, you know, just about anyone, and was selling it to law enforcement. And I wanted to ask you about it, Matthew, because when that story came out, the then Attorney General of New Jersey kind of put a moratorium on the use of Clearview AI and launched some kind of, you know, fact-finding investigation into how facial recognition was being used in New Jersey, and I just wanted an update on what's going on with that.

So Clearview is still not operating; the moratorium is still in effect in New Jersey, and it's been almost three years. Earlier this year we launched actually a public process for soliciting input on facial recognition technology from stakeholders, and that process is still ongoing, so nothing new publicly to report. But this goes to sort of, I think, a broader issue. I mean, a lot of these issues come to a head with respect to law enforcement, and, you know, as the chief law enforcement officer, obviously there are times when new investigative tools are very helpful, but there's also the competing concern about individuals' privacy, the same way they had privacy expectations in their home. And there's bodies of case law about all of this that
is being is is still there’s stilla work in progress to catch up to someof this information but as it relates tofacial recognition technologyspecificallyClearview is still not allowed in NewJersey and we are going through a prettyrobust process to evaluate what theright safeguards are going to do alightning session here because we’rerunning out of time but I wanted to endour panel with kind of uh somethingbrighter like a research A Reason forHope and I’m just wondering if you knowprivacy digital rights have been anissue since internet kind of becamemainstream used by Society what kind ofwhat have you seen in the last decade orso that gives you hope about our givingpeople more rights on the internetprotecting people’s privacy what are thebright spots if you could name onequickly and I’ll start down here andthen come this way I think it’s publicattitudes have changed dramatically justover the last decade in terms of whatpeople’s expectations are for how theirinformation will be used and I thinkthat’s why it’s being reflected inbipartisan Attorneys General takingaction and bipartisan members of theCongress taking action and I think thatgives me hope that even in a polarizedfactionalized world this is an issuethat is gaining some steam because thepublic is demandingI agree I think that’s exactly right umwe’ve managed to go at least an hourwithout mentioning the name Elon MuskI’m going to quickly do it herewhich is to say much as the past fewweeks have helped raise awareness aboutthe business case for Content moderatewhy content moderation matters and whyit is a business risk if you do not payattention to itum very much the same thing is happeningwith privacy so you now see companiesleaning into their privacy identitymarketing themselves on privacy becauseof where the consumer interests lie andthat really matters we need to keeppushing that energy forwardspeaking on law enforcement fun fact isup until recentlyname the surveillance technologywiretapping you know 
geolocationtracking up until recently literallynever in American history did the peopleof a city or a state or the federalgovernment say no you cannot use thattechnology and on the law enforcementside which I do not have jurisdictionover I was heartened when people foundout how prevalentwarrantless use of face recognition wasand in many cities some states they tookdecisive action in some cases to put amoratorium on it in some cases toregulate it but that has never happenedbefore for law enforcement surveillancetechnology and you know whatever youknow this is separate from My Viewsabout it commercially but it tells methat people have woken up to what’s atstake here and and they’re they’remaking sure that laws reflect theirviews here great thank you so muchthank youjoining us now for a conversation abouthow the Federal Bureau of Investigationis handling cyber threats please welcomethe FBI’s deputy director Paula Abatejoined by Aruna vishwanatha seniorreporter at the Wall Street Journalforeignplace hereso it’s great to have you here todaywith us to talk about cyber threats andransomware and I thought maybe we wouldjust start there it’s been a year and ahalf since the colonial pipeline attackthat really seemed to seep into theAmerican Consciousness for the firsttime with long gas lines and FBIdirector Ray talked about that as sortof a very very much a moment oftransitionum for for the broader country to becomeengaged on this problem what hashappened since then at the FBI well uhfirst uh thank you Aruna for joining mehere and thanks to Aspen Institute forinviting us back and thanks everybodyfor being hereum we’ve we’ve only seen the problemcontinue uh to get worse actually whenwe look back to Colonial and everythingthat happened over the last couple yearseven with all the efforts we’ve madethough I think there’s been amazingprogress in terms of bringing peopletogether across the private sector andwithin government it’s a high highlyprofitable Enterpriseand it’s for for 
criminals and criminalorganizations to go after so we’ve seenmore a higher volume of ransomwareattacks and the financial losses areonly increasing as well and it’ssomething that we’re going to have tocome even closer together on andcontinue to work relentlessly at tocounter and prevent victims from beingharmed you’re saying that it’s it’s onlyincreasing is that becausemore different criminal groups aregetting access to the same kind ofransomware and deploying it or are wejust seeing more variants of ransomwarebeing used by the same people or what uhwhat what do you think accounts for thisincrease there’s always new varianceit’s really an infinite game in someways because we’re doing our work tostop it to meet the threat and to holdthose behind it accountable and then onthe other side we have many of the sameactors those that we haven’t been ableto take off the playing field they’restill working at it they’re workingevery day to evolve and adapt just likewe are and they’re finding new waysthey’re finding new vulnerabilities tocome after both government and theprivate sector so again it’s somethingwe’re going to have to continue to focuson and work hard at to put downI thought we’d talk for a little bitabout a case study recently where theFBI did come in to try to help a victimum there’s the the attack on the LosAngeles School District right beforeschool started over Labor Day weekendthe FBI came in to help them thesuperintendent said they refused to payRansom and some of the school district’sdata did end up online can you kind ofwalk us through what the FBI did thereand and how you uh what you determinedabout that breach yeah well the firstthing is this is not something that wewant to happen you know we’re all aboutprevention first and foremost and we’reworking together each and every day 24 7to prevent attacks like that fromhappening but when we when they do weresponded I think this is a really gooduh example again on the partnership andthe process and the response 
there andit shows the work we do with Partners onthe front line we were able to becauseof the relationship we had with the LosAngeles Unified School District inadvance of this attack we were able tothey called us right away our office inLos Angeles and we were able to get thekey people agents analysts computerscientists and others out there you knowwithin within hours on the scene sameday to stand behind and beside thevictim and to work with them to helpdetermine what happened the extent ofthe damage the attribution what was thevariant who’s behind it that was alldone very quickly and then I thinkhelping victims is one of the mostimportant things that I think I believethe confidence and the reassurance thatthe Personnel our Personnel along withPartners brings to a situation like thatit brings a steady calm to the situationand it really helps victims recover andget through that so I I think that’s ashining example of how we come togetheron the response aspect of it thoughwe’re working hard every minute of everyday to make sure something like thatdoesn’t happen and then further we’relearning for from that so you know thetechniques uh the tools that the badguys are using they’re the intelligencethat we were able to glean from thatwe’re able to roll it back out we issuedaum you know cyber security uh bulletinalmost immediately jointly with DHS andsisa to inform uh you know the widereducation and academic sector to puteveryone out there in the best positionto protect themselves on defenseum can you talk about what youdetermined aboutum who was behind that breach and wereyou able to recover the data or did younot have to do that in this instancebecause they had everything backed upuh well you know most importantly thethe school district was able because ofeveryone coming together and that’sinclusive of the private sector Partnersas well they were able to get backonline nearly immediately and able toavoid having to cancel school thishappened as you recall over the 
holidayweekend so we’re able to work you knowin in that that time period in advanceof the school’s reopening and ensurethat everyone was able to get back toschool and continue their studiesso there is this tension um when you’retalking about cyber security at the FBIwhen on the one hand you want to be ableto stop an attack before it happens onthe other hand you maybe want to havepart of the attack happen so that youcan identify who’s behind it and thenprosecute them how do you how do youdetermine sort of which way to leanbecause obviously traditionallyyour interest is more in having peopleto prosecute and investigate and chargebut here you want to stop the attackfrom happeningwe never want any part of an attack tohappen right we want to prevent harmthat’s the number one thing that we doand secondly our goal is not to arrestpeople that’s not the thing we believethat’s an important component of theoverall framework that we operate in totakeum you know criminal cyber actors uh offthe off the field to hurt them so thatthey’re not able but we we also realizewe’re not going to be able to arrest ourway out of the um you know thechallenges that we Face here in volumeso that’s just one tool one techniquethat we bring to bear and sometimes wedo sacrifice the opportunity to arrestsomebody or bring criminal charges forthe greater good you know for the victimto protect the victim from theconfidentiality standpoint and and alsoto prevent further harm that’s how weapproachum any in in the context of any respectbonds we’re making when an attack hashappened it’s all about preventingfurther harm to the immediate victim andany others and then moving forward andrestoring them to full function and thenmoving forward from there if we cansecondarilythe goal is to investigate attributedetermine who perpetrated a given attackand then hold them accountable and werelentlessly do that but that is not thefirst and foremost thing in any givenevent okay right so your first goal isalways let’s 
see if we can stop it andthen sort of third or fourth is if wecan identify who is behind it can we yestry to prosecute and we want to do allthat and I think you know togetherpartnership with the private sector andour other government Partners I thinkwe’ve we’ve seen tremendous progress inadvancement based on hard LessonsLearned particularly over the pastcouple of years and we’re going to haveto work work at it though continuouslyyou’ve also been deploying FBI agentteams overseas to help other countriesdeal with cyber incident incidents fromtime to time can you talk to us abouthow you decide which ones to try totackle and I think you can talk a littlebit about the case of Albania you youdeployed a team there recently and andthey were able to help attribute andattack to the Iranian government I thinkI’m really glad you brought this upbecause it’s an extension of the type ofwork we do here but reaching outglobally and again it gets back to thepartnership so when it comes to you knowworking with serving and protectingallies and those who want to work withus and most importantly they’re reachingout for help that’s the key thing youknow when we’re you know workingalongside an international partner thatcountry has to reach out and ask us forhelp and welcome Us in we’ve had excuseme numerous examples of this all ofwhich I can’t cite again much likeworking with the private sector in a lotof instances we’re doing this in aprotective covert confidential way tosupport other countries allies who havebeen victimized and again help themrecover prevent further harm use thatintelligence to protect people andentities and organizations across theworld and then we’re looking toattribute identify those responsible andthen work together to go out you knowand hopefully bring them bring them tojustice and prevent them from doingfurther criminal acts in the future butthat’s all on display with Albania andthat’s all out in the public realm youknow that country not too long agosuffered a 
Cyber attack that shut downpretty much all of their governmentsystems and services it was a widespreadvery effective attackvia cyber means on the on the country asa whole they asked for help we went inwe sent our cyber action one of ourcyber action team and again expertsanalysts agents technicians and computerscientists over there and workedalongside Partners from the Albaniangovernment and again private sector veryimportantly to help with the responsethe resolution the remediation and theattribution and one of the key outcomeshere was we were able to identify andattribute the attack to the governmentof Iran and then subsequently and veryquickly via that we were able to throughour through our government and inpartnership with other allies across theworld issue a very strong statementattributing this Tech to Iran andholding them accountable in that regarddid you determine what the motivationwas for that attackthe motivation behind that attack wasum you know ideological uh the Albaniahad been uhhosting a conference or planning to hosta conference there by an oppositiongroup to the government of Iran and itwas a malicious attack to strike at thegovernment of Albania for you knowsupport in some ways to those who opposethe government of Iran got itso this was a topic of discussion onearlier panels but I wanted to get yourperspective from the FBI’s Vantage Pointwhat impact has the war in Ukraine hadon the proliferation of ransomware inthe U.S on the potential for cyberattacks we’re nine months in we didn’treally see the kinds of attacks we maybehad anticipated we might see in the U.Swhat have you learned watching what’sbeen happening at this point yeah Ithink there’s a number of takeaways fromwhat we’re what we’ve seen there as youmentionedum you know in some ways there wereexpectations that there might be a muchsevere broader range of the use of cyberuh you know as an offensive weapon andthat didn’t really materialize uh butthe the good that’s a and that’s that’sa good 
news story in some ways because Ithink what it reflects is a few thingsum one taking lessons learned becauseeven in a for years in advance of uh theinvasion of Ukraine the the country ofUkraine had been under attack and hadsuffered a number of attacks launched bythe Russian government and componentsthereof from a cyber perspective and alot of damage had been done within thecontext of a number of those and butthere were Lessons Learned From That byUkraine and but you know by those of uswho are allies and have partnered withUkraine and we see those Lessons Learnedtaken and applied in this context andreally in the preparation not just inthe context of hostilities but overallso I think the the theapplication of Lessons Learned thepreparation uh and the Readiness to meetthose attacks reallykept things down to a lower level thanone uh might have expected and I thinkalso key here with Ukraine it reallyshows theimportance of the private sectorin on defense because some key privatesector you know companies U.S companiesstepped in and taking the intelligencethat legally and from their business andoperations and work in presence inUkraine were able to take take thatinformation in Intel and turn it aroundand share it with the government ofUkraine and others and put them in areally good position to protectthemselves from what was coming at themand again I think it just highlights theuh the critical nature of the role thatprivate sector has and all of this andit’s an instance where those privatesector companies really stepped up bigtime and helped in the context of a waressentiallysometimes we really haven’t seen beforesorry in terms of bothadding until to the intelligence pictureand proactively defending against thepotential yes taking the taking theinformation intelligence that thatprivate sector company is seeing ontheir Network out there what they havevisibility into given the infrastructurethat they owned that they own and thenturning it around and sharing it with acountry 
in this case Ukraine and puttingthem in a position to better defendthemselvesum and I also wanted to get your take onanother topic that was discussed earliertodayum sort of cultivating the CyberWorkforce uh the FBI obviously needs alarge pool of cyber Talent there’s therewas a recent report in propublica whereuh some former agents were sort offaulting the FBI a bit withum having a culture that’s not thatconducive to recruiting and retainingkind of a more technical uh technicallytrained Workforce what is the FBI doingto try to develop that that’s prettydifferent from the traditional agentpoolI we’re this is a big time challenge forall of us in government andum we’re investing a lot in this toreach out I I think wewith the FBI we’re fortunate in some inin big ways becauseum even with all the criticism andeverything we facedum we still have a great brand andpeople are attracted to come to the FBIbecause of the work that we do thepeople they get to work with there youknow the mission first and foremost ofkeeping the country safe and protectingpeopleum that’s built in we’ve had to adjust Ithink and not rely on that solely and Ithink in if you go back historicallyum we realized we can’t be complacent inanything that we do whether that’srecruiting agents analysts or the typeof individuals we now now need in thisspace with the technical skills to carryout the the work in the cyber cyberrealm so we are still constrained inmany ways like every government agencyis in terms of pay relative to privatesector but we still have the mission andwe still have the brand we do relyheavily on that but we’re we’re muchmore forward-leaning in terms of goingout nowgetting in front of people inuniversities colleges business privatesector and working hard to bring peoplein to the FBI and particularly thosepeople you know with the right skillsand technical skills that we need to dothis important workis there any sense that in the futurethe FBI might sort of change therequirements in order to 
try to retainand recruitum that kind of talent versus the moretraditional agents that you’ve gone forwe’re we’re very focused on that uh youknow each and every week I meet with ourHuman Resources Division and branch andwe were just talking about thatyesterday you know how do we approachthis differently what can we do betterto recruit and retainand you know part of it is financial wehave certainum you knowauthorities within the agency and wehave uh you know relied on that to beable to pay retention bonuses andleverage mechanisms like that to keeppeople but it’s stillum you know in the competitiveenvironment we were in that only goes sofar so that’s one thing but we’relooking across the board so you knowmuch like the private sector and our youknow government colleagues we thinkabout the new face of work you knowflexibility Mobility things like thatand I think you know the bureau we’revery as you all know traditional uh youknow hierarchical organizations thatsome might say is set in its ways but Iwill tell you all on the inside we havebecome much moreopen-minded in terms of the way peoplework in the bureau and you know that’sanother component of keeping people onboard letting them work from differentplaces now there are securityconsiderations and limitations with thisas well you know we have have to we dealwith classified information andsensitive information so that doespresent you know constraints andparameters in terms of where we can dothat work and how we can do it so peoplewe need to stay within that framework toprotect our people and our informationbut we’re thinking always of ways thatwe can do things better to better keeppeople and to bring people in to theorganizationand in our we only have 30 seconds leftbut in our in our final moments I askyou to sort of reflect on the lookingout over the next year give us a hopelike one prediction or hope that you youknow hope to see a year from now on theon the Cyber frontwell we want to we want to have zerocrime you know 
but we’re realistic weknow that that’s not uh possible look Ithink we have to stay on the track we’reon what I see in cyber and the suppliesand other disciplines that we operate inas well everybody’s coming together moreclosely and in ways we’ve never seenbefore and that’s within government inthe interagency both intelligence andlaw enforcement and the private sectoras well I think this space in cyberrequires really we talk aboutcollaboration but this requires hypercollaboration we have to work evenharder to bring everything together theinformation the intelligence and theoperational activity both offensive anddefensive that we’re doing and againwe’ve seen tremendous advancement inthat across the board so we’re going tolook to continue that progress bringeveryone closer together having theopportunity to be here in a forum likethis in a you know the public privatesector environment is one component ofthat we’re going to keep working hard onthat and I just want to see us continueto make progress uh and we’re going towork hard also you know to be aspreventative uh always striving to be100 but recognizing the realities of theworld as well and then when peopleviolate that and they commit crimes weare going to go after them relentlesslywe’re going to hunt them down whereverthey are in the world and we’re going tobring them to justice right here in theUnited States and we’re going to do thattogether thank you thank youpeaceall right thank you all for a greatmorning I’m Garrett Graf I’m thedirector of the Cyber initiative atAspen digital I want to give you somelunch instructions today uh so we have afun lunch breakout session uh fordiscussions up aheadum please go directly to the breakoutroom where you want to participate inthe discussion all four rooms have hotlunch in the room the lunch is the samein every roomum and uh don’t uh don’t stop in thelobby that’s not actually the lunchthat’s the coffee breakum so there are four lunch discussionsfor you todayfour Scouts people 
focused lunch isbehind the registration desk back in thelobby as you came in recorded Futureslunch on Intel collaboration is theimmediate right outside the theater sortof adjacent here over in the Wagram andthen pwc’s transparency lunch andpaladins infrastructure lunch are outpast the coffee left down the hallway soplease go directly to your room grablunch and settle in for a greatconversation we’ve got a lot more aheadthe rest of the Aspen cyber Summitforeignforeignour program is about to begin pleasetake your seatsno nothreeforeigngood afternoon everyone hope you had agreat lunch and thanks so much forjoining us for this afternoon’s programit is my pleasure so my name is HughThompson I’m a member of that Aspencyber security group and this next topicis such a critical one the attacksagainstOT and critical infrastructure havecontinued to grow growth and frequencyand severity and so we have an excellentdiscussion for you nowmoderated by the incredibleVivian Schiller executive director ofAspen digital Vivian[Applause]ladiessoum okay so uh as you said we have areally interesting and important topictoday so as you many of you remembervery well uh was a year and a half agothat the colonial pipeline ransomwareattacked and really revealed thevulnerability of our infrastructurenotably it was also the first time thatthe public viscerally felt the impact ofa ransomware attack on their day-to-daylives in the form as you know of of longlines for gas I don’t think it reallyhad you know this is the first time youknow ransomware and cyber securitybreaches probably penetrated theconsciousness of manyum it also shined a really really brightlight on the need for collaborationbetween government entities and PrivateIndustry uh to communicate and tocooperate so on this panelum and I’m going to invite my mypanelists out now we’re going to talkabout what we’ve learned since then andwhat we should worry about next so weare incredibly thrilled to have just theright people to have that 
conversationimmediately to my left is Alan Armstrongpresident and CEO of Williams theinfrastructure the energy infrastructurecompany that serves 30 percent of theU.S natural gas volumes and DavidBukowski Transportation Securityadminister a role that he’s held since2017 leading a Workforce of over 60000 employees responsible for securityoperations at highwaysrailroads mass transit systems andpipelines so I just want to be reallyclear here we have the regulator and theregulated sitting here on stage bothsmiling yes smiling peaceably I warnedthem that I was going to quote fromGhostbusters by saying it’s like catsand dogs living together so I’m verymuch looking forward to thisconversationum David I’m going to start with sorryI’m going on first name basis witheverybody that’s okayum so I’m sure I’m not alone in thinkingokay airports TSA got it that’s how mostof us usually experience TSA uh and bythe way we’re going to come back at theend to a very important Airport TSAquestion but I’m going to hold that okayairports railroads highways mass transitall of those things have something incommonPipelinespipelines so TSA was formed in theDepartment of Transportation back in2001 I was telling the luncheon audiencethat you know we were formed by law 69days after 9 11. 
so you think of howquickly that occurred in the wholescheme of of government process andessentially what secretary normanettadid at the time the Secretary ofTransportation is he looked across allof his DOT modal administrators so thiswould except for the FAA and and andbasically took all the securityfunctions from them and then looked atthe FAA and took all their securityfunctions moved it over to TSA TSA wasimported in the department oftransportation for our first two yearsand so that’s the reason why when youlook at the dot safety agencies nowthere’s an exact mirror in TSA of theauthorities on the security side yeahalthough pipeline clients of coursedon’t have humans traveling through themso it’s certainly different but theyhave product they have they certainlyhave a product which gets us to you soum what is it like for the pipelineindustry to be uh to be considered youknow a part of tsa’s uh remat andregulated by TSA how’s that working outfor you yeah it was certainly uh youknow the pipeline industry is regulatedtoday in a lot of different branches ofthe government and I would say that thishas been as constructive of an effort asI have ever seen between government andIndustry to actually bring impact tomaking sure that we are doing everythingwe can to keep our industry safe and soI I would just tell you I when thisfirst started you know all of us in theindustry kind of went oh boy here we gothis is really going to be uh rough andineffective but it’s been it’s beenhighly effective it’s been verycollaborative and I hope that you knowthe questions that come out of this ishow can we take that same model to otherareas of regulation of our industry aswell because it’s really been a ajourney thatdidn’t start out you know perfectlysmooth but I would just tell you thanksto and I hate to do this because it isthe regulator it’s like telling the headof your comp committee how smart he isbut but that could be effective but butseriously it’s been very muchadministrator 
perkoski’s leadership thathas said hey we’re going to listen weboth have things to learn from bothsides and he has really brought thatculture to an organization that wastheir first to regulate and enforce andnot not always in the the posture oflistening and trying to do thateffectively but it’s been remarkable tome how quickly he’s brought that cultureinto that organization I do want to cometo back to Colonial pipeline um in aminute but but this really does beg aquestion because if we’re talking aboutthis that’s a very strong statement thatyou made how well this has worked outand indeed how important it would be forthis that same kind of relationship andEffectiveness to be a applied to othersso what I mean you mentioned some ofthem but what are the Hallmarks of whatmade it effective you mentionedlistening which is always a good thingbut but what else from both of yourperspectives yeah go ahead yeah I Iwould say what’s made it effective isthe desire on both our parts to learnum you know when we initially rolled outsome very prescriptive cyber securityrequirements for the pipeline sector uhright after the colonial pipelineincident uh you know we knew that wewere rolling things out that were moreprescriptive than we generally wouldlike to be but we needed to get somebaseline Improvement in the overallcyber security of that very criticalsector in the country but we heard loudand clear from uh from the industry thathey we’d really like to do this adifferent way candidly so did we I meanwe always wanted to get to the positionwhere rather than being incrediblyprescriptive in our regulatory processeswe got to be more outcome focused and uhand you know one of the things that hasalways been clear to us is that ourprivate sector Partners the regulatedparties that are under our remit alreadyhave cyber security procedures in placeand what we didn’t want to see happenwas for them to just cancel outeverything they were doing and put inwhat we had prescribed additionally andit’s 
been raised a couple of times in the sessions this morning. This is a rapidly developing field, and so we wanted to provide some flexibility in the regulatory regime so that we didn't have to re-issue a new regulation every time a technology changed or every time a company found a much better way to achieve those security outcomes that we put out together. You know, it was a very collaborative approach. The other thing I think is critical on this is, thanks to the great work that the Department of Homeland Security had done for many years in the National Programs and Protection Directorate, and then that soon became the Cybersecurity and Infrastructure Security Agency, we saw this manifested a lot during the COVID-19 responses. They determined a way to identify the national critical functions, and that tool has been very helpful to us to then say, hey, within the pipeline sector you have 3,000 companies in the U.S. pipeline sector. Do you need to have prescriptive, even though outcome-based, requirements across three thousand companies? The answer in our view was no, and so out of the 3,000 we ended up covering in our security directives fewer than a hundred, because we felt, along with CISA, that these were the most critical to the smooth functioning of that critical infrastructure sector.

Great, so let's talk a little bit about the legacy of Colonial Pipeline. As you mentioned, this is a fast-moving space; a year and a half is, you know, in dog years may as well be a decade and a half of changes. So, first of all, is there anything we know now about the attack that we didn't know in the immediate aftermath, and what has changed in the aftermath of Colonial Pipeline?

Well, I'm not going to speak for Colonial Pipeline on this, but I would say that the learnings that were made available were very important to understand within the pipeline industry: that there's IT controls, so your SCADA systems, the broad systems that remotely control the pipeline operations, and systems that are scheduling, your customers' scheduling, and the IT; and then there's operational technology at the local level, where you have PLCs, programmable logic controllers, that operate the local pieces of equipment and the local control on the facilities. Both of those things have to be protected, and in the case of Colonial it was more at the broader system level, but there really wasn't knowledge when that attack was first made. They didn't really know to what degree of controls they had infiltrated on that, and so they acted out of abundance of caution in their activities on that. And so I would just say that, you know, I don't think the industry saw that as an extremely sophisticated attack by any stretch of the imagination, and there's certainly been more sophisticated attempts since then. So I would just say we learned it wasn't very sophisticated, but if you don't have a plan in place to determine how far it's gone and where it is, that is one of the things that I think the industry learned, which is to be extremely well prepared so that you can learn very quickly how far it's been infiltrated in your control systems.

So, I want to come to you in a second, but I just want a quick follow-up on that. After it happened, in your company, what was your immediate action in terms of trying to examine your own systems?

Well, I mean, the first thing we wanted to do is, as quickly as possible, learn from the incident, learn what had occurred, and I would say that that is one of the things over the last two years that we've made a lot of great progress on across the industry, is that the speed of intelligence has to improve, and it has improved. And so the critical intelligence about what happened there, there's been a lot of other critical pieces of intelligence that the NSA and those organizations, CISA, have shared that have been very effective at us defending ourselves. But I would say the first thing you have to do is actually learn from it, and in this case we didn't really have, if you think about it, we didn't have the protocols in place for sharing information across the industry at all at that point in time. And so that's one of the things that's been established that's much more effective today.

To get with the TSA, presumably? Yes, right.

And I would agree wholeheartedly with what Alan just said. I mean, you know, one of the things that, when Colonial first happened, we put four requirements in place immediately. One was to report cyber incidents to CISA, not to TSA, to report to CISA, because one of the things that we're trying to do within the executive branch is, rather than having five or six federal agencies all calling that CEO in the midst of an event, to have one lead and then have all the reporting go to one location. That was the system, because we've used CISA as the clearinghouse for cybersecurity information within the executive branch, so I think that was very effective. So it was reporting; establishing a cyber point of contact that's available seven by twenty-four, so when there was an incident we had somebody that we could call reliably to speak to that incident; the other was to do a vulnerability assessment; and then to have a contingency plan to be able to respond. So that planning piece is absolutely critically important going forward. A couple of other things that we saw too, and one of the things that we did very uniquely with pipeline cybersecurity, and then rail cybersecurity, and now aviation cybersecurity (those requirements have not yet been issued, but we will have some cybersecurity requirements for the aviation sector in the not too distant future), was to invite the chief executive officers of those most critical companies, in this case in all three of those cases, into the White House for a top secret briefing on the threat, because we felt it was very important. This was enabled by the National Security Council. It was very important for the CEOs to see the why: why were we reacting the way we were, and why we needed their support in reallocating resources and priorities within their companies to build cybersecurity resilience within that sector. Those meetings I think were incredibly helpful for all of us, because in addition to getting the top secret level, which is not typically what occurs, the top secret level briefing, to understand not just what we're dealing with today but where things might be in the not too distant future, and then to have within a relatively small group of very senior people, senior government officials and the most senior people in these private sector companies, is to have the opportunity to have a dialogue in a SCIF so that we could, you know, frankly exchange perspectives and then figure out the way forward.

And what was the impact on them? I mean, they were getting highly classified information about the threats. It must have had a visceral impact on them.

It did, but it was an impact, you know, my reaction to it was, why we should be doing this all the time. Yeah. I mean, you know, most of the critical infrastructure in the country is owned and operated by the private sector. The private sector should be aware of the extent of the threat that they're facing so that they can look at the vulnerability, consequences, and determine the risk that they're undertaking. So I thought that was incredibly effective to do. Plus it just, you know, to me, in any relationship that you have, what's foundational to the relationship is trust, and I always endeavor, and Alan is a leader in his sector, has endeavored, hey, to build a trusting relationship so that we can exchange views on things in a very frank way. We're not dancing around each other, and then find the best way for the country really going forward.

So you were in some of these top secret briefings, I assume, and how surprising was the information that you...

Well, it was very targeted and very specific, and I think previously we were used to getting information that frankly wasn't all that actionable. Yeah. But if you really, you know, something that I think people should really think about when they think about critical infrastructure and cybersecurity in our defense is the speed of information. If you think about intelligence that's done at the military level, trying to understand other weaponry systems of our enemies, that's done in a time frame where you can plan for, because you're not immediately going to necessarily be at war with those weapon systems. In the cyber world, if it's out there and being developed, it is likely going to be used in the very near time frame; they're not waiting for a war to be applying that. And so we have to make sure, we have to think about the speed of intelligence and being able to bring it to the actionable level much faster than we think about typical intelligence and defense.

So one of the big changes, certainly in the last year and a half, that I'm sure you are well aware of, is that ransomware attackers have really become more aggressive, more sophisticated, more ubiquitous; they're making more money. How are you thinking about reducing that risk?

Well, reducing the risk by precisely what we're doing, is trying to build resilience within the sector. And, you know, I'm in a different position than a lot of other sector risk management agencies because I do have the authority in law to issue security directives when we deem an emergency situation exists that we need to take very quick action on. All those security directives on the surface transportation side eventually result in a rulemaking, and our goal, as we've discussed amongst us in roundtable discussions with the industry, is to continue to modify our security directive to the point that when we issue the final rule, the last security directive and the final rule look very, very much like each other. The other thing that's a critical feature of this is, you know, when you do an outcome-based, performance-based regulation, and it's unusual to do those in the government, one of the things you want to be able to see is, hey, show me objectively the achievement of those objectives. And with our latest security directive that's really what we're looking for, and we're not saying to any of the regulated parties, hey, this is what you need to report specifically; it's just, you need to propose some regime where you can say, hey, here are a series of objective measures that determine whether or not we've achieved the outcomes. Because really what we want to be able to do across all the critical infrastructure in the country is to see the increase in resiliency across, and then step back as this is going on and say, hey, where are we most vulnerable and where do we need to put additional effort in? Because, you know, across the critical infrastructure there are a lot of interdependencies too, and really understanding those interdependencies, and if you see that you're dependent on another critical infrastructure sector and yet its resilience building is not where it needs to be, to put more attention into that. Okay.

You know, as I mentioned in the open, one of the unique things about the Colonial Pipeline attack is the fact that, you know, everyday Americans, I never know what that expression means, but, felt this viscerally in many places, whereas usually a ransomware attack sort of flies below the radar for the public because it's a business-related issue, doesn't affect the consumer. How did that impact your response? I mean, did that create rising political pressure? Did it affect you in any way in terms of how you needed to address, communicate, and resolve some of the outstanding issues?

I would say, you know, it's very positive, because I think too often people take their daily benefits that they have in their daily life that come from critical infrastructure and just completely take it for granted. And if you think about a gasoline pipeline like Colonial Pipeline, that transports both gasoline, diesel and jet fuel, most of those pipelines, in fact Colonial, has very large term storage terminals on the end of it, and so the impact is not immediate. In the natural gas industry, where you have pipelines that go directly to the power generation, and about 40 percent of our nation's power generation today is coming off the natural gas grid, and talking about interdependence, we don't have that storage capability sitting right there at the market the way you do. It, again, so our industry I would say is even more susceptible to that immediate impact, and people would recognize it in a more wholesome way than the fact that you were inconvenienced by not being able to pick up your gasoline at the speed and pace that you normally do. So it's very important, I think, from a public perspective for people to really recognize how lucky we are to have such a stable power grid, such a stable set of critical infrastructure that we have in the U.S. here. And it's clear to me that if opponents could scare us into believing how vulnerable that is, and all the things we take for granted, that would be powerful. And so I think we have to take those moments and use them to really alert the public and alert the political systems that those are critical infrastructure. So a crisis is too good to waste.

Yeah, and it creates a mandate, right? I work for the American public, and the American public demanded that there be more reliability in this particular aspect of critical infrastructure. And you're right, it was mostly at gasoline stations to fuel cars, but it was also starting to impact airports and jet fuel, and so flights could potentially have been canceled, and I think that caused a lot of people to think, oh wow, this just doesn't affect me and my own personal car, this affects me and my ability to travel around the country. Right, yeah.

So here we are again, a year and a half later. What keeps you up most at night?

Well, probably the things that we've learned have been on the operational, or what we call OT, so the control system, and probably making sure that the people that we have operating this critical infrastructure, that not only are controls safe, but we are so reliant on the essential workers that we have operating that, that we've got to make sure that we're doing the vetting for those people. And that feels very intrusive to an organization that has always been off the radar screen and hasn't ever had any of that kind of attention placed on it in terms of the security of the workforce. But that's an area that we as an industry have got to continue to press on whether we like it or not and whether it's popular or not; we've got to continue to make progress on that front.

What keeps me up at night is not a lot of things, because I need all the sleep I can get. But I feel, yeah, but it's when I think of the risk. You know, we still have risk across our critical infrastructure. We're bringing down the risk thanks to the great efforts of Alan, his team, and across that pipeline sector, and now across the rail sector, and soon across the aviation sector. But you know, the risk is still very much there, and the geopolitical situation around the globe is still very challenging overall. So I worry about the risk, and then attendant to that is, should something happen, and I always need to think this way, right? I'm a Coast Guard officer; our motto is semper paratus, always ready. I'm always thinking about, are we ready if something happens, how we're going to respond to it, and that's why we want to do a series of tabletop exercises and continue to work to make sure that in the executive branch we've got our processes right, and that the companies view us as working to support them to get back on their feet and recovery.

Presumably across your whole portfolio? Oh, absolutely, yeah.

So we'll have time for maybe just one or two questions, but before we do that, I cannot have the Administrator of the TSA on stage and not ask you, and feel free to break news, we had no problem with that: when can we bring the liquids on board? Yeah.

Really good question. So I would tell you that, you know, we're introducing a lot of new technology in our screening process. The technology improves significantly three things: it improves our ability to detect, it improves the efficiency overall, and it improves the passenger experience. I think the passenger experience piece is very, very important. We are looking at some changes that would affect mostly our trusted traveler population, so the Global Entry and PreCheck holders. No announcements here, but you know, we do have more technology, and we are looking at some of those things.

So before Christmas? No. I'm a journalist, I can't help it. Okay, we have time, literally, for, we will do one, we may have one question, and maybe we can get to a second one depending on how short it is. I'm looking, and oh, I see over here. Over here, so yes, why don't you shout it and I'll repeat it.

So my question is, what do you think can be done to improve the speed of policy regulations for creation in order to protect critical infrastructure for future events?

So the question from a representative from Northrop Grumman is, what can be done to speed the policy and regulation in order to protect future events? Would you like to take that on?

I think that's... yeah, I'll take that on. You know, I would submit as exhibit A TSA. I mean, we have speed. You know, our vision is an agile security agency empowered by a professional workforce that works closely with its partners to ensure security of the transportation system. Our authority, as I mentioned, gives us an emergency ability to issue directives to close a vulnerability that we see. That's a really, really good model in my view, and it's followed up on the surface side with a full notice-and-comment rulemaking process, so there is a process for notice and comment. I think it's fundamental to that, though, that the regulating agency work very
closelywith the regulated parties to determinewhat the best approach would be and andI think you know thanks to Alan and histeam and and the other partners that wehave that are regulated in the pipelinesector we’ve really gotten a lot a largeway to that point I am really reallyhappy with Where We Are at this pointand I just really appreciate thepartnership thanks thank you well we’regoing to have to end itended David Picassostrong thank you so muchthank you thank you all right thank youso much thank you yeah so you’re stuckwith me for the next panelum who will be uh who I invite now tothe stage if they can please uh join usokay we’re gonna shift gears here nowoops excuse meum to talk about hello welcome thank youto talk aboutum uh uh information disorder related tothe election so I should just mentionbriefly that I will sit down uhmentioned briefly that the AspenInstitute the cyber security group ofthe Aspen cyber security group whichyou’ve heard about does a lot of uh workstreams on different relevant topics andsometimes says work streams become solarge that they spin out into a separateproject and that’s what happened uh withus about oh gosh a year a while ago nowa year and a half ago two years agocoming out of the cyber security groupwe created something called the AspenCommission on information disorder whichbrought together a high-level group ofof experts two of whom are with us I’msorry I didn’t know you then youprobably would have been with us as wellto create a set of recommendationsaround the crisis of myths anddisinformation so this is now weconsider this part of as it should bepart of the broader cyber remit so umjust to set this up a little bit and I’mgoing to be quiet because we have threeincredible panel so as you all know wehad the midterm elections um last weekand and you know there was good news andbad news I would say the good news isthat some of our worst fears about whatmight happen around Miss anddisinformation around the midtermsdidn’t 
materialize at least not yetthere’s still some noise in Arizona andin other places Trump is Raging butKerry Lake only said that there mighthave been some possible MalAdministration and so you know that’sactually compared to some other languagewe’ve heard not so not so terrible thebad news obviously is the problem hasnot gone away by a long shot that wehave the U.S presidential electioncoming up in two years we have electionscoming up all over the world in PolandUK turkey Spain host of country foreigninfluence operations you know whatstarted with the Russians is now abroader Playbook and the platformcertainly haven’t con uh cracked thecontent moderation code sothis is why this is incredibly criticalstill and will continue to be even moreso to talk about we have with us RickFerguson vice president of securityintelligence at 4K at uh forescout alsospecial advisor to Europe’s uh Europeancyber crime Centerum next we have uh Yasmine green who isthe CEO of Jigsaw which is as you know aunit within Google that looks at threatsto open societies she leads aninterdisciplinary team that researchersand develops Technical Solutions to arange of Global Security challengescertainly particularly around Miss anddisinformation and how that impactsextremism and probably the man who knowsneeds no introduction to this group butI will group but I will introduce himanyway Chris Krebs founding partner ofthe Krebs Stamos Group by the way wehave both Krebs and Stamos in the housetoday which is unusual violation ofcorporate I know exactly he is also Ihave to say the senior new Mark fellowof cyber security policy at Aspendigital and might have been the firstdirector of cisa as you all know wherehe pioneered uh relevant to thisconversation rumor control which wasdesigned to counter misinformation okayso first let’s take a quick look at themidterm sonot so badum into information Integrity held upYasmin I’m looking at you I think it’sright and I you know I kind of don’tlike to represent big Tech 
on on thestage ever but um given that jigsaw itdoes sit inside one of the largetechnology companiesI I won’t go as fast to say that youknow content moderation worked or wasfully effective but we we do a lot ofwork over at jigsawum on the ethnographic side so we wespend time with peopledoing research that kind of factors ineverything to do with their lives andall of their internet usage and then wekind of like drill down from there andso we have a panel of of people who arevery interested in conspiracies anddisinformation and so the interestingthing from our research was thatelection denyers really felt it theyfelt the the efficacy of platformsmoderation you know like we we heardfrom many of the people that we spoke tothat too much of their stuff is beingremoved and they had to leave the majorplatforms and go to Alternatives soRumble parlor truth social uh which isreally good I mean the challenge is thatthere is an alternative ecosystem thatisum that’s thriving still not at theTipping Point that it it you know is ofequal scale to the mainstream platformsbut the reason to be worried about thoseguys is that they explicitly don’t havecounter misinformation policies that’spart of theirstick is that they did they didn’tacknowledge that as part of theirmoderationum so you know effective to that pointthe other one obviously was that uhright before the midterms Elon Musk youknow kind of took over Twitter and therewas a lot of concern not just aboutTwitter as a surface for the spread ofelection lies but also that that wouldspill over to other platforms thatsurface content from Twitterum so that was a a big relief well we’llcome back to Twitter but that story isstill playing out as we know minuteminute and a minuteum so you feel like content moderationlargely worked and pushed pushed them tothe edges where people are theconspiracy theorists are largely talkingto each other yeah Chris what so that’sthe private sector what do you think therole of of government your former 
yourformer agency and others was in in wellso 22 I think was a lot like 20 and infact I felt there was a significantamount of validation and verification ofthat 2020 was in fact a safe and secureelection because we didn’t really seeanything right it was as I said in 2020or I’m sorry a senior governmentofficial said I it was just anotherTuesday on the internetand it was it was fairly unremarkable Ithink the the biggest challenge thegovernment had at all levels so fromfederal down to local Administration wastheumyou know mistakes that happen orglitches or errors or whatever thathappens in the administration I meananytime you have technology you have toyou have to price in some degree of justthings going wrong and that’s whyelection administrators have adoptedover the last several decades a conceptknown as software Independence wheresoftware Hardware cannot be a singlepoint of failure in the administrationof Elections greatest example of thatwas in Maricopa County on Election Daywhere there was an error with thesetting on tabula well I’m sorry on theprinters where the weight of the paperthat was inserted in the machine it wasnot calibrated properly and so the theprinters couldn’t heat up the paper tothen print put the ink on where it wouldset and be dark enough for thetabulators to read so because it wasn’tdark enough you take the ballot thevoted ballot you’d put it into thetabulator and it would kick it back outbecause it wasn’t the the markings thetiming marks on the side were not darkenough okay so this in this cancompletely took off in you know some ofthe the disinformation and electiondenialistscorners of the internet saying ah lookthey’re doing it againwhich is also by the way like entirelybereft of any logic particularly whenyou have the The Ballot Box the DropboxWatchers that we saw early on in theelection said haha we caught him lasttime and they’re so dumb they’re goingto go do the same thing with theirballot mules and so we’re going to watchthem we’re going 
to catch them this timeso it never happened the first time butthey thought their strategy would be heywe’ll catch them again doing this so itdidn’t work anyway back to the printersso so that then took off as C MaricopaCounty is trying to steal the electionagain but the thing is like I saidsoftware Independence Hardware softwarethere are multiple different ways stillto vote you could drop it in the boxdoor three you could go to another voteCenter it did not disrupt the actualability to cast a voteum and and that’s the area that I thinkthe the electorate has been conditionedfor is that there will be somethingwrong anything that goes wrong should beimmediately viewed with skepticism andsuspicion as evidence of fraud asevidence of a stolen election never mindthe fact that over years and years ofreviewnothing has been verified becausefrankly nothing has happened behind thescenes so again I think government did agood job again election administratorsin administering the election SecurityServices did a good job keeping an eyeout interfering we’re disruptingoperations coming here and thencommunicating I think that’s the keybecause you can do all the stuff in thebackground but you have to continue tocommunicate communicate communicate onwhat is happening and what theelectorate what the population should bethinking about as information is teed upand served with them and yet the and yetthe conspiracy theorists uh have also insome ways been effective communicatorsRick you make you have made the point umwhen we were talking that the wholenarrative around the notion of the steelhas sort of just now become infusedthrough through the conversation yeah isI mean the narrative has changed fromwhat it was in in 2020 right right in2020 The Narrative was stop this dealthis is something new that’s happeningright we’re in a position of power wecan stop this happening we must react wemust Rebel we must do something about itwhereas if you look at how it was beingmessaged this time around it 
wasactually expect a steal like it’s becomea foundational beliefum of the underlies any of the eitherdeliberate disinformation or thereceived misinformation around electionactivities in the U.S the the steelin and of itself is a reality so wedon’t have to prove that to you anymoreyeah what we have to do is we have toyou know G you up to take action basedon this belief that we’ve alreadyinstilled in you and to me that’sactually potentially more dangerous yeahbecause it means the groundwork is laidum and you knowyou’ve got to remember as well I guessthat this is a this is an in-betweenelection so when like the carry Lakething happens and then you seeum knownnot bad actors but known sort of Botaccounts on Twitter for example are alltweeting in unison do not concede andthen that’s getting picked up by regularaccounts of do not concedeum you can fully expect that kind ofinauthentic Behavior to be magnified byorders of magnitude in two years timethis is like just another practice runright but it’s based on the fact thatthe narrative has changed so anotherdisinformation or information disordercommission member Kate starboard who’swith the University of Washington in thewake of the 2020 election coined aphrase or a way to describe thisactivity of priming the pump and settingthe expectations participatorydisinformation where you have a set ofelite influencers and then the bass andwhat the elites do is it is set theexpectation that there is going to besome kind of shenanigans or hijings andso you’re looking then you’re expectingit and boom that thing looks weird Idon’t understand it it’s got to beevidence of a stolen election so then itgoes up to the influencers theinfluencers amplify and it turns intothis magnifying uh ecosystem ofinformation that is only to your pointof it’s now set it’s calcified it’s allkind of metastasized around this conceptand so it was that much quickerof a trigger finger in 22 because lasttime they had to build up to it I stillthink with 2020 there 
was an element ofa b testing on the narratives that wereworking and I think you’re still seeingthat now but it was a lot of foreigninterference at the beginning withItalian spy satellite Spanish serverFarms Chinese coming in through thethermostats but technically that’s kindof hard to grasp and rock and andmoreover like Lou Dobbs couldn’t explainit so it was never going to really getthat traction on on the news outlets andinstead they they made that pivot inDecember to more domestic orientedframes that actually resonated within atribalist sort of scent of oh theDemocrats always commit fraud theyalways have the machine working andcommitting ballot trafficking orwhatever they’re calling it now and thenthat moves forward to 22. right theycontinue to improve and I think you’llyou’ll continue to see that sort ofrefinement of the messaging now what wasdifferent this time around though with22 in addition to being kind of themidterm is that you didn’t have thePinnacleyou have to have that voice at the topright the voice of God that’s reallykind of pushing the message it said itwas really decentralized and distributedisn’t it good Emperor now yeah yeahright sorry rightum and that I think kind ofundercut for now yeah for now yeah he’sone of them it’s for me it what you’resaying underscores that clear differencebetween disinformation andmisinformation right when something hasbeen received and is simply repeatedbecause people believe in it that act ofrepeating that’s the misinformation partright which brings up a point for aprobably later discussion of technicallyI think that’s right but I think thoseterms have lost all meaning in thecurrent information environment andYasmine what do you what tactics so herewe’re basically talking a little bitabout sort of the psyops in a way butwhat other tactics are you seeing um atjigsaw that you’re tracking about theway these kind of influence operationshave changed and evolved well just tobuild on the conversation so far I youknow I think 
the the theum the fact that there wasn’t a stopthis deal this timeremoved some of that mobilizationPotential from you know that he didn’thave that that existential you knowurgent but you definitely have this themobilization capacity that’s built up toChris’s point that if there weresomebody at the Pinnacle who were ableto command that that base to take actionit’s definitely there so so we’ve hadresearchers attend a bunch of conveningsof True Believers over their last yearum and and there was one in October of aconference called um the greatReawakening you can find out about it onaI think it’s like time to freeamerica.comthe lineup is just you know like severalyears ago it would it it would it soundsFantastical that you’d have likeelection denial and Health Mission youknow like discredited Medical Health uhprofessionals and religious leaders andthey all have their ownum angle on the disinformation that theyare peddling and by the way there was aton of you know medical cures for salemerch to ready to be stickers thet-shirts banners alsocoins like for protection against 5G andjust like anything you can imagineselling was like on you know so so thisis a community that are there now forsocial connection for capital T truthum and they are not going away rightthey have a lot of uh of connection ofidentity of actual assemblyum so what’s interesting I I’d say interms of looking forward it is theintersectionality of of all of theconspiracy beliefs and disinformationnarrativeum and then the fact that we will beseeing other platforms play a much moreprominent role in the distribution andthe mobilization of movements and itcuts to the quick as well think is thequestionhaving spent you know a career in cybercrime related stuff one of the questionsthat you always ask when it comes to toonline crime is what’s the motivationlike why why will people carry out andone of the the big ones is obviouslymonetization how do Iextract an income from these activitiesand for disaster trolls 
fordisinformation operations whereconspiracy theorists a lot of it isabout monetizing the belief or thecredulity of other people and you seepeople selling merch selling books thecoins that you speak of in fact that’swhere I got my tinfoil hat from yeahyeahright power influence and money yeahthere’s the kind of the nasty and boyare there a lot of credulous people outthere it’s just it’s astonishing wellthey told me it would work yeah and justone kind of like thing I think that’sworth pointing out though is I strugglesometimes with really understanding thereach of the community how vibrant is itgrowing is it Contracting has it youknow stoppedum it’s it’s hard to measure right youcan measure the activity online but it’shard to measure the population itself Iwill say this the Amer the Americanvoterstood up and said we’re doneat least for nowif you look at the Statewide racesGovernor Secretary of State and ahandful of other ones you saw that therewas some kind ofcaloric deficit where we’re just likewe’re done I can’t deal with this chaosanymore I think you saw that in theSenate and I think you saw that in thehouse as well but there there has beensome element of maybe maybe the fever isstarting to break a little bit I’m notentirely confident that’s a longer termprognostication but something’sdifferent right now than it was I thinka week and a half ago okay so that’s inthe United States let’s let’s turn ourattentionum for a minute uh outside the UnitedStates because we know there are somevery significantelections coming up in fact Rick youalso talk about you know make the goodpoint that there are a lot of electionscoming up in Africa where there’s sortof a proxy war going on there forinfluence between the Chinese and theRussians andum and and other key elections aroundthe world I mean that’s that’s that’sbasically it that we need to keep inmind that election interference is notsomething which is restricted to the U.Sright I mean in in I was living in theUK unfortunately 
when they had thebrexit referendumum I had been living outside the UK forover four years prior to that when Icame back in all honesty I didn’trecognize the place I didn’t recognizethe the quality of discourse that peoplewere having or even the subjects thatthey were interesting in so Insidiouswas the influence of disinformation overtime to the point where I left againactually I no longer lived thereum so it’s not a phenomenon that’srestricted to the US so bearing that inmind looking at what’s happening betweennow and the next U.S presidential wherewill people be trying to exert influencewhat will that influence be and how willthey be honing their skills well nextyearin a swathe of African countries thereare general electionsum and that’s a resource-richenvironment where countries like Chinaand Russia are vying for influence andwithin Europe we have elections in Spainwe have count turkey in there as wellturkey has an election next year whichis hugely strategically important givengeopolitical situation right now and thecountry where I live right now Polandwhich is right on the border of thecurrent conflict we have an electionthere next year as well andRussians in particularhave form obviously in Poland historicalform and they have expertise with thosepopulations Chinese lesser actuallystatistics and measurements say thatChinese propaganda has beensignificantly less successful in Polandbut we definitely need to watch forRussian interference in places otherthan here not just because of the effectit has but because of the fact that itdoes allow them to test and refinetactics and techniquesI mean look the global South is a hugeblind spot I think not necessarily intheyou know element to the researchCommunity but I think more broadlyparticularly the platforms the abilityto invest in these different regions Imean you look at in part what’shappening at Twitter for example andsome of the eradication of staff thatfocus on non-monetizable markets and youknow they’re just 
cleaning out a house and also reducing the service. So I think this is a huge area going forward. But also, the point you make about Russia's success versus China's success: we write the tactics are different, the outcomes are different, and, you know, what worries me is the longer-term implication of the Chinese Communist Party's improvement of their techniques. They're still quite rudimentary, but they are starting to kind of follow this Russification model that's more overt, that's more engaging online, and if you combine that with some of the historical corruption techniques... I mean, just the report last week out of Canada on some of the influence operations of, you know, members of the parliament. I guess, you know, there have been aspects of that here in the United States at local levels, at community level.

Just briefly, what is it that happened, just for people that don't know, in Canada?

Chinese intelligence services, you know, essentially corrupting officials, government officials, to align with policy positions. I mean, so this is the great Rob Joyce quote from the RSA conference in 2019: Russia's the hurricane and China's climate change. It's really how you have to think about the way they've operationalized their information operations. So I think for sure right now in Europe, Russia is active; they have always been active since, you know, the beginning of the modern era. But China is absolutely investing, and they will look, by the way, as there is a, you know, whatever happens in the escalation between China and Taiwan, they will look to split the EU, they will look to split NATO. It takes one member in the EU, right, to break the unanimity. That's not going to be hard; they peel one off. That's their game plan, that's how they can do it. They can invest in those capabilities. This is part of the Belt and Road strategy as well, of, you know, debt traps and other investment techniques. So I think it's the longer-term play. It's much more insidious, it's much harder to play
defense against because of the scale of it.

And that's another election, 2024, Taiwan.

Yep, oh yeah, exactly.

So that's, you know, that they're... it's not a one-and-done event, and it's something which is continuously refined and honed and has unforeseen outcomes, right?

Yasmin, you've been doing a lot of work at Jigsaw. You've been running these large-scale experiments around pre-bunking that have been effective, so talk to us a little bit about that. That's been in Eastern Europe, right?

Yeah, yeah. It connects the conversation we're just having, because when you think about, I mean, misinformation is... the language around this whole challenge is not helpful. With a word like misinformation, you know, when I say it you may have assumptions about what I believe to be misinformation versus somebody who has the same political or ideological beliefs as you, or opposite ones, etc. But when you look at the types of misinformation that are the most harmful, which are the ones that we should and do prioritize addressing, they do tend to have some common attributes, and one of those attributes is scapegoating and fear-mongering. And in a polarized society, which this is one, but the UK has happened around Brexit, I think the most dangerous type of misinformation to really have purchase in a country is where minority groups, underrepresented groups, or any group that is not the one that's represented by the elite, when they are presented as a security threat or otherwise a threat to your well-being or safety, then the stakes are really, really high. So in the US, if, you know, if Stop the Steal really does lose its gloss, then what we can expect is that that victimhood mentality around your election was stolen and the vote was stolen will shift to a victimhood around something else. You know, one likely candidate is, you know, immigrants and others, and if not taking our jobs then, you know,
posing a threat to you. And that's, you know, was actually the concern that we had in Central and Eastern Europe following Russia's invasion of Ukraine. We were interested in thinking about the likely disinformation tropes that were going to take hold, and we kind of consulted broadly, and one of the ones was around refugees. So, I mean, Rick is more expert and actually has lived experience of this particular topic, but in Poland they opened the borders to Ukrainian refugees after the war. You yourself took in three families, right? It wasn't a government... I mean, the government said they can come in and they can have free schooling and free transport and free healthcare, but didn't expand the infrastructure at all to make that happen. It was just dependent on people, you know, the generosity... the country became an NGO. But it's obvious what happens if you don't, you know, if there is no expansion of infrastructure, and eventually, you know, the new waves of refugees may not have the same amount of resources as the first ones, because they didn't have the instinct to leave immediately, they don't have a place to go next, they may not be able to work or command the same livelihood. So there was obviously going to be a challenge we've anticipated with sentiment towards refugees, and looking at how the Kremlin in particular had been so effective in the case of the Syrian refugee crisis in Europe of really stoking fear and undermining European leaders based on the fact that they had let these Syrians in, we decided that we were going to try to get ahead of that disinformation using a tool called pre-bunking. So I don't know how many of you are familiar with that term. You certainly are familiar with the term debunking, I guess, which is about trying to correct a false claim after the fact. Pre-bunking is about trying to precede the bunk, and so the question is, how do you get ahead of a narrative that hasn't happened, that hasn't taken hold yet? And it's
because actually, when it comes to disinformation, and especially in the categories that we care most about, it's the same tropes. You know, it's just like you think about the movies that are your favorite, you know, whether it's like Star Wars or Romeo and Juliet, there's actually only so many storylines, and they're repeated, and it's true. And the same is true, like, if you know, during the development of the COVID vaccine, any expert in the anti-vaxx movement could have told you, and did tell you if you asked them, it was going to be my body my choice, Big Pharma, vaccine injury. It's just the same things. Same with, you know... but we do a lot of work on radicalization, and we speak to a lot of people who have been part of violent white supremacist groups, and there are very many different types of violent white supremacist groups, but all of them on the on-ramp have the pseudoscience of race. You know, it's just they depend on these tropes. And on one hand it can feel a bit like, oh, this is just happening to us, like these tropes again and again on elections and on health, and there's no recourse for us. But actually it's the predictability of the misinformation that can be its undoing, because if you can anticipate it, then you can mitigate it. And I mean, Chris is nodding because he kind of was like the first to deploy this; one of the many firsts of his inaugural CISA administration was trying to arm people to make them resilient to manipulation. And so in Europe, in Central and Eastern Europe, Poland, Czech Republic and Slovakia, we've just launched a big video campaign that aims to pre-bunk refugee hate and misinformation. Pre-bunking has three components. One is an alert that there's going to be an attempt to manipulate you; that gets our shields up. The second is to micro-dose you with the misinformation, and the third is to... and the second is, what do we micro-dose you with? So what is it, you know, what is the narrative you're going to hear about
Ukrainian refugees, and in this case that, you know, that you're not safe, or, you know, in Poland, like that they're going to take, you know, all the apartments, there's no apartments available for normal Poles because the Ukrainians have taken them all. And then to explain why that's false, and why it is true that you are the subject of an attack to manipulate you. So that preceding part is really important. You know, it's very different, like, after you've walked through a rough neighborhood for me to tell you that that was a rough neighborhood; it's much more effective for me to tell you before. So the preceding is really important, and one of the benefits that has is it separates the speech from the speaker. I think a lot of the time a lot of the challenge that major platforms have is that, you know, if, like, the president is the person who's saying, you know, making a false claim, and you want to, you know, and then you want to show up and fact-check the president, there's a lot of extra baggage and equities involved in that outside of just the underlying claim.

Wait, what? Yeah, that explains it.

So let's, so I was using... we've done a bunch of research with academics and a bunch of, like, in American University and Bristol and Cambridge, showing the efficacy of this across different... you know, efficacy in terms of people's ability to spot the manipulation attempt that's being tried on them, efficacy in terms of how much they report trusting the source or their willingness to spread it. I would just say that it's one example of what it looks like to go on the offense with tackling disinformation, and it's something we've seen actually quite a lot in the military campaign in Ukraine, like pre-bunking of Russian disinformation about, right, things that they may or may not do.

That's a great example. So the Russians saying up front...

The Russians are going to say this, yeah, they're going to do that, they're going to say that the Ukraine is attacked so they can
retaliate. But yeah, that's a great example. There are some, you know, probably some underlying exquisite intelligence, but nonetheless, yeah. You know, on the point about, like, CISA and Rumor Control, we didn't necessarily originate that, right? We stole that shamelessly from FEMA. You mentioned the disaster trolls that come in after hurricanes and say, you know, you're going to get public assistance, this is how you register for it; they take your personal information, they apply, they get the money. So we just did it better, right? That's the difference. But the key here is that the pre-bunking is dependent upon identifying the areas of risk, the potential areas that could be exploited. We spent two and a half to three years scenario building, but here's the thing, to your point of tropes: we probably had 20, 30 different scenarios where someone could exploit or claim something went wrong. Once you get past 10, they all look the same, or at least the response is 85 percent the same. It has to be at the level of narratives; it can't be individual claims, because there are too many and you can't anticipate them.

Actually, you know, the origin of the social psychology and the theory around pre-bunking was actually during the Cold War, when Americans would be captured, the military members would be captured in Korea, and as prisoners of war they'd be brainwashed, and, you know, they'd go in thinking that they're for the Americans and then they switched sides. And so the American military decided that they need to send troops abroad, in Vietnam, with mental armor as well as physical armor. And so it's been around for quite some time.

Yeah, yeah. Oddly enough, and I'm sure there's some additional threat researchers out there that know how the Russians work: when they talk about information operations, it's split into technical operations, so on-network type activity, and then psychological operations, which is trying to get the human response. And so a lot of what I think we're worried about right now from an information operation
perspective of Russia perhaps expanding cyber operations outside of Ukraine is that they could go after critical national infrastructure and just make something wobble enough to create panic in society. And that is part of it. It's not about necessarily fully disrupting the technical infrastructure, the infrastructure delivery; it's about creating havoc and panic. Just think about in the wake of Colonial Pipeline, right? So that was out; I live in DC, couldn't get gas for about four or five days. But when you saw the reactions throughout the Southeast, people literally filling up, you know, garbage bags with gasoline, people in the State of Florida that are not serviced by Colonial Pipeline, they have barges come in... and don't, you know, don't make a Florida joke. Nonetheless, it shows you the power of the tropes, of the narratives, and the things that happen. It's psychological pre-positioning.

Yeah, in conjunction with actions on objectives, right? Those two things working together: do the pre-positioning, lay the groundwork, make something that looks a little bit sketchy happen, and you've already laid the groundwork for panic to occur as a result of that.

Okay, so we've segued our conversation seamlessly, with this conversation about what we can do to fortify ourselves, fortify the public around future elections and mis- and disinformation. We talked about pre-bunking. Rick, you talked a little bit about, you're particularly interested in regulatory mechanisms, in the DSA, so what do you think needs to happen next?

Yeah, so the timing is better, because actually the EU Digital Services Act has been officially adopted today, the DSA.

That's why we planned it.

Actually, I wrote the date down so I get it exactly right: it enters into force on the 17th of February 2024.
That's when it will actually be fully enforced, but the timelines start now for making preparations. So the first thing that will happen is platforms and search engines will have to report their user count, and that allows them to be segregated into whether they count as very large platforms or very large search engines or smaller ones, and the exigencies on them are different according to that, and obviously the exigencies are higher on the very large ones. And it's things like, it outright bans, which I think is way overdue because they get me all the time, it outright bans dark patterns. And if you're not familiar with what dark patterns are, they're basically website design strategies to make you do the wrong thing, you know, with the cookie pop-up boxes, or the granting permission to access your stuff that will follow you around the web. You will always notice that the button that you don't want to click is the one that's highlighted in the brightest color to try and get you to click it. That's dark patterns, so the DSA outlaws those, for example; whatever website you're designing, no more of that. But it also places obligations on organizations for co-regulatory activities. There's a lot of the DSA that would not pass, in the US, the First Amendment sniff test; it literally just wouldn't be acceptable. But the co-regulatory aspect of it I think is something that could be and should be widely adopted here, where government and industry work together, where there are annual assessments and also mitigations are worked on with government oversight, where industry participates in the writing of codes of conduct with government oversight that they will then adhere to, where there are independent annual audits of compliance with codes of conduct and results of assessments. And one of the most important things for me, germane to this conversation, is that the DSA mandates multi-stakeholder consultation where there may be systemic risk across interested parties, for example social networks, let's say. So it obligates the Twitters and
Facebooks of the world to work together to identify systemic risk and to do something about it. And the cool thing, which we saw with GDPR, is that when legislation and regulation is so wide-ranging, it does have knock-on effects outside of the EU, because it's aimed at anyone who makes their services available in the EU, and it's easiest, the least friction, for a company like Facebook to have a global policy rather than do something different in the EU to the rest of the world. So it's a positive, yeah.

So, Chris, solutions. You've talked, I've heard you talk a lot about transparency, sort of really the election administration, which you pioneered, about it really opening it up, sort of an open book on all of the challenges.

So a couple things here. First, leaders have to lead. We have to get out of this mindset of, oh, you know, what's the harm in humoring him for a little bit, going on... No, it's unacceptable. We have to have more officials stand up. There have been a handful of GOP members, Dan Crenshaw is one example, that said, no, this is all garbage, the election wasn't stolen, we just didn't deliver solutions for the voters. So leaders have to lead. The second is investment, continued investment in election infrastructure to take away any of the riskier bits, and that's the touch screens that store the vote down on removable media, the DRE equipment: Louisiana, Texas, Indiana, Tennessee and a few others. Risk-based investment; get rid of them, and then supplement on top with post-election, pre-certification audits. I think the third thing is continue to invest in election officials, in their ability to communicate. You know, four years ago they were completely out of the spotlight; now they're the spotlight, and they need help in strategic messaging communication. Stephen Richer in Maricopa County has really been great at being an open book and talking about how elections work. And then fourth and finally, civics education, civics education, civics education. That was one of our recommendations in the
Information Disorder report; that was one of the Cyberspace Solarium Commission recommendations. There's a piece of legislation in the Senate, Senators Coons and Cornyn, that if we can get that through I think it'll be a great starting investment. And I'm not talking about educating us on civics, but it's our kids, because that's where you can really influence it to the greatest effect. I will add a fifth as we go to the floor for, unfortunately, one question, which is journalism, more local news, more sustainable local news, fill those news deserts.

We have time for one question. Can we see... I can't see anything. So yeah, there's one right there, if the mic... Okay, here we go, right here.

Okay, that's the guy that I put in the audience, by the way.

There we go, thank you. My question would be kind of on expanding education in civics. I do a lot of work with a student at Boston University; I do a lot of research into political literacy, and one of the biggest challenges that I'm finding in interviewing people is it's really difficult sometimes to have conversations with people and have them not feel condescended to or talked down to, when it comes to especially people in the southern part of the United States that really, truly, unfortunately fell victim to a lot of misinformation in the campaign. So my question to all of you, and this is not just the US, on a wider scale, is how do we begin to have those conversations and debunking, pre-bunking, without making people feel talked down to or condescended to?

We have only one minute to answer that question, so Chris, you're closest to the South in the United States.

I was born and raised in Atlanta; my parents are both from Alabama, so I'm pretty familiar with this. I suck at this, because it requires a ton of empathy and I have zero empathy right now. Like, I'm still struggling with PTSD from 2020, so I'm not the most empathetic person. But look, I mean, that's part of it. You got to meet them where they are, understand that they may be operating from a different experience base than you, and educate,
and but you also have to recognize you're not going to reach everybody. And that was kind of one of our keys with Rumor Control: not, you know, the people that were already in the fever swamp, we were not going to get to them. We wanted to get the people that were on the fence and hopefully wouldn't fall in.

Yeah, great. Well, I'm afraid, thank you, that's a great question, but that's all the time we have. So Chris, Yasmin, Rick, thank you so much, and off we go.

[Applause]

To keep things on schedule, we're going to skip our scheduled break. We're going to move right into a deep dive with US intelligence agencies to help us understand how intelligence agencies are working together and with the private sector. We are joined by Morgan Adamski, Director of the NSA's Cybersecurity Collaboration Center; Andrew Boyd, Director of the Center for Cyber Intelligence at the CIA; Laura Galante, Cyber Executive and Director of the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence; and Bryan Vorndran, Assistant Director of the FBI's Cyber Division. Leading them in conversation, please welcome again Dina Temple-Raston, host and executive producer of the Click Here podcast and senior correspondent at The Record by Recorded Future.

Good afternoon. We have a very unusual panel here today, because we'll be focusing on the role of the intelligence community in addressing cyber threats, but we rarely get real practitioners to come out into the light and the open to talk to us about what they're doing and how it fits together. And to a certain extent it feels to me, as a former counterterrorism person, that we're kind of at the same point of inflection in cyber that we were in counterterrorism in 2003, in which there was a new kind of coordination, people knew how to work together in a different way, and it all coalesced to be much more effective. So I wanted to talk about that evolution in the intelligence space when it comes to cyber, and I wanted to start with you, Laura, if you could talk a
little bit about where we are, how it's developed, and then I'll go to each of you and talk a little bit more about your mission space.

Thanks, Dina. So this is a big question: how has cyber intelligence evolved? Maybe we'll start it a little bit where you did, which was back in the early 2000s; we'll do sort of a two decades, so let me try to cover that waterfront quickly. Here's how I like to think of it. So when you go back to kind of this initial era of where cyber intelligence was becoming a term, where intelligence was starting to be a concept that we were using to track and get behind the forensics of a cyber attack, of exploitation events, of other network operations, you really start to think back to kind of the mid-2000s. And, you know, back in the late 90s there had been Moonlight Maze, some of the Russian operations that had been exposed, but by the mid-2000s, and even up to, I'll just say, kind of the first big eras, 2010 to 2012, you were seeing the PLA in China going after intellectual property theft in a way that was so open, it was so deep in the targets, and the victims were so numerous, that intelligence was the concept that security firms, that intelligence analysts, were starting to use as they put together what these hacking groups looked like in cyberspace. And unlike in terrorism, where you didn't have, you know, faces and events that you could put in the public's eye to the same degree, what you had in cyber at that time was infrastructure, IP addresses, malware. Those who remember Poison Ivy from back in the day, specific tools that started to become the hallmarks of how we tracked these groups. All right, so to fast forward from there, this is when intelligence is sort of beginning to draw the confines of the space of what actors are behind network operations. Then we move into sort of, let's say, the kind of modern era that spurs a lot of the different elements of the IC that are represented on stage here, right? So cyber is getting tracked in all these different ways, through all these different
agencies, but then by about 2015, 2016, 2017 you're seeing a maturation both in industry and in government, where tracking threat groups, whether it's the SVR, the GRU, Iranian actors, criminal actors, is now becoming something that's more synthesized, right? You're seeing the blog post and the exposure paper, and you're tracking that in the same way back on the government space, and intelligence is now the interoperable piece between how threats are being tracked on the private side and how they're also being tracked, and how they're being experienced, in government. And, you know, without going too deep into that, the era we are now sort of entering today is a space where we're not just tracking, right hand, left hand, on these different threats that are happening on private infrastructure, on public infrastructure, on government infrastructure, but now the question is, how does, as Brian had put this the other day in a nice way, how does a virtuous cycle of taking intelligence behind cyber operations feed incident response? How does incident response data feed cyber intelligence? How does product on the security side benefit from the intelligence you're getting as you track these groups? And that's not a new problem, but it's one that I think we are starting to really refine across the group here with the work that we're doing. So I'll stop there; that's just kind of an initial...

It's a new response. I mean, it's good to look at this as a new coordinated response, right? We've thought about it in more of a holistic way. Is that the right way to think about it?

Yeah, and I think it's the dynamism of the response, not to get too buzzword-ish on this, right, but how do you do this with speed? How do you do it in an automated way? How do you take, you know, maybe to pitch to Morgan next on this, like, how do you take some of the work that NSA is doing out with a bunch of different commercial companies in the DIB and elsewhere, and take the dividends of what they're seeing from their own infrastructure, from their own endpoints, and make sure that's
fed back into intelligence, into classified systems as well, and then back out to the companies to say, can you deploy something larger, can you get us a collective defense approach quickly, in an automated way, in a fast way? So how do we improve that dynamism around intelligence and response?

Let me ask the question just slightly differently, at a sort of more ground level, in the sense, Morgan: so does it start with you find something and you call the companies, or the companies call you and you say, yeah, we're seeing something?

So, yeah, how I would describe it really is, it's a new operating model, right? So when we talk about how we're doing operational collaboration with our private sector partners, what it looks like is really just everybody bringing their understanding and their data to the table and being honest about it, in terms of, I don't know what I'm looking at, this is what I'm seeing, like, is this significant, is this something that I should care about, is this something that you, the National Security Agency, is tracking, is it a nation-state actor, right? And we're able to have that conversation in an open environment. And from a National Security Agency perspective, right, we, you know, follow the evolution from Laura: you know, 10 years ago we would produce these exquisite classified intelligence reports, we would disseminate them out to our interagency partners, some of that information would have technical indicators, we would create a tear line, we'd give it to our partners and say, go forth and do good, but we can't answer any questions because we're going to hang out here in a SCIF behind a fence line, right? That's not really helpful, right? We need to be able to engage in those conversations with the technical expertise and the insights, if we're the originators of the information. And so what I would say is that, fast forward to where we are now, right, NSA, October 2019, decided to stand up a Cybersecurity Directorate, where we really brought together our foreign intelligence and our mission assurance, our cybersecurity mission,
together. We now are at a point, with the Cybersecurity Collaboration Center, where we are engaging 24/7 in a completely unclassified environment with over 300 partners every single day on the big nation-state actors, right? Two years ago that wasn't occurring. You know, when we set up the center that wasn't occurring at all. We also have a physical facility that sits outside the fence line. If anyone's been to NSA headquarters, you drive up 295 and you see this 12-foot fence and you see these guards and gates and guns; that doesn't scream collaboration.

And so it whispers it, though.

Yeah, it whispers it, not in a non-proofy way. But what I would offer is, like, we wanted a space where people wanted to bring their data voluntarily to engage in that bi-directional, mutually beneficial conversation, because that's how we connect the dots, right? It can't just be me taking intelligence and throwing it over the fence and saying good luck. That's not how we're going to really tackle these hard problems.

And do you have a number that you're hoping to get to? You say 300 now.

Yeah, so here's the deal: to me it's not about quantity, it's about quality, right? If I can work with companies that have the broadest reach, that can protect the most customers worldwide, that's who I need to be sharing intelligence with, because they're the ones that can action it, right? Obviously, from an NSA perspective, we want to help those small, medium-sized defense industrial base customers, because as a part of the Department of Defense that is our mandate. But again, it really is, how do we take that exquisite intelligence, our technical expertise, put it in the hands of the people who can look at their apertures, understand their networks and their customers, and empower them to action it in a way that really just provides this broad collective defense?

Okay. And so if we're sort of following the steps of this, are you better to talk to next, Andrew, or you, Brian?

Sure, I'm happy to talk.

Okay, please.

So as far as mission sets go, I mean, we don't do that. We
don't have a public-facing mission. I am the public-facing part of the Center for Cyber Intelligence. But we do strategic analysis and operations, intelligence collection operations to feed that analytic cycle so that the policy folks, at DNI and at the National Security Council and our other partners in the intelligence community, can do their mission, be it disruptive activities against cyber threat actors or whatnot. We're in a unique position in CIA, where a traditionally just strategic analysis and human intelligence organization... but CCI straddles both. We are both human intelligence collectors and technical collectors, and it's a very unique position in the community, wherein, you know, we're collecting intelligence on these ransomware actors that we've been talking about all day, and that nexus between those ransomware actors, some of them are really just criminals, but a lot of them have a dotted-line org chart relationship to foreign intelligence actors, be it China, Russia, Iran, North Korea and others, that are an existential threat to national security in the United States. So that's not all that different than any other mission set that CIA has, wherein we do strategic analysis on a whole variety of subjects, collect intelligence to feed that. What makes us different is the technologists that reside in my organization and the interagency partnerships. I have a number of FBI folks embedded with us, NSA folks, etc., where we can feed that cycle. You and I talked earlier today about the parallels between, you know, what we're doing in cyberspace and that existential threat, with where we were on counterterrorism in the early 2000s, and frankly it was kind of a mess. We did not have a community approach to counterterrorism until, you know, maybe not quite the mid-2000s, before that, but it took a while. And I think we're farther along with that, and evidenced by the folks sitting here and some of the other interagency partners that are part of this, but it didn't happen organically. We had to
have a lot of really strong leadership within the community, a really strong understanding of the strengths of NSA, the strengths of ODNI, the strengths of FBI and the other members of the community. And, and this has been mentioned several times today, the critical difference between the counterterrorism fight and where we are in cyber is the private sector has to be part of this, because they own all the infrastructure and the ferment, and the gravest threats, frankly, are against the private sector in the United States. That is different, and thank God for NSA and CISA that have these public-facing partnerships, because we're just not... we have relationships with the private sector, but they're kind of behind closed doors, right? And we're not positioned in CIA to do what NSA is doing with Morgan's team, or with what CISA is doing, but we certainly feed that virtuous cycle that Brian has referred to on the intelligence picture.

Did you ever think that you'd be saying that the NSA can be more open-facing than you can?

No. Ten years ago that was not the case, but there was a lot of visionary leadership at the NSA, which, you know, Morgan's been part of that evolution, and I'm just thankful as a taxpayer and an IC member that that's what's happening.

Right. And I'll get to you in half a second. I interviewed General Nakasone a couple of weeks ago, at the Council on Foreign Relations, and he was talking about how it took a while culturally to understand that you can be more open with the information, and it doesn't need to be... parts of it need to be classified, but some of the stuff that can be very helpful to people to stop these attacks doesn't have to be classified.

Yeah, and again, when we talk about, you know, the types of information that our private sector counterparts are really concerned about, or they need to be able to better understand the threat, we're talking about technical artifacts, right? We talk about technical artifacts; typically they're
internet-facing, they’re out there, most of our private sector partners already know about them. What they really want to know is: what are the ones that I need to care about? What’s coming from a nation-state actor? Give me context, give me prioritization, tell me what I need to worry about on any given day, and then help me remediate it. And so it is that really signal-to-the-noise, is what we say. Tons of noise on a network, right? We want to help you try to focus on what you should care about, because those are the ones that are the most sophisticated, most concerning.

So for example, the thing that is in your network, it’s not just you, we’re seeing it across your entire sector, that kind of context?

Yeah, absolutely. And we do that with our friends at FBI as well, because they have such unique insights from a lot of the things that they’re doing, and what they have historically been out there talking to our private sector partners. And so we’re able to benefit from their lessons learned in a lot of this engagement.

Which is a perfect way to get to you, right? Can you talk a little bit about that?

Sure. What I’ll do is I’ll give you a straight answer on it, and I would just ask for those of you listening to understand that with each element of my answer or my response, intelligence is blended in at every step, whether that’s through our domestic government partners, through domestic private sector partners, or global government partners, or global private sector partners. We’re often asked, hey, will you collaborate with a private sector partner in Romania or somewhere else if it means disrupting an adversary? And the absolute answer to that is yes, and you don’t have to look much further back than Sodinokibi with Bitdefender, which has been publicly announced. But from an episode... sorry, I’ll get to that. From a mission perspective, right, and you heard our deputy director mention this earlier today, we really in cyber are not your grandparents’ FBI, right? So we look at our role as imposing costs through joint sequenced operations with any one of
our partners here: international partners, private sector, domestic, international, to change the calculus, the risk calculus, for our adversary. And that is actually executed in four specific ways by the FBI. Number one is what I refer to as taking players off the field, and some of you have heard me speak, I always use this analogy, right? Like, I don’t like Tom Brady because he always beats my team, but I respect Tom Brady, and if I was playing Tom Brady I would want to get him off the field, right, to have a chance to beat him. Well, we have to investigate, attribute, punish. We are not going to arrest or indict our way out of the process, but that is a role that the FBI will always fulfill and will always resource. Just some data: since the start of 2021 we’ve extradited 21 foreign cyber adversaries to the United States, we’re tracking five more for extradition, and about two dozen that are currently incarcerated overseas. So it’s not a zero-sum game where we’re not making progress. We are making progress to remove those criminals from the field.

Second is we have very unique domestic intelligence authorities that are complementary to NSA and the CIA’s, and it should be the taxpayer expectation that we use those authorities not only to inform our public and private sector partners but to inform operational opportunities based on adversaries beyond, on U.S. infrastructure, and that’s very, very important for us and something we put a lot of time into. Which leads me to number three. The third is we are moving more aggressively into the CNO/CNE space, both reactive, think removing malware from domestic infrastructure, but proactive domestically, where Cyber Command fills those authorities’ roles internationally. The question is why. Well, two reasons: number one, because the Bureau is the only organization right now that has the authorities to do that work on domestic infrastructure, and two, we think we need to be a closer near-peer with CIA and NSA in that space to inform the virtuous cycle that we talked about. And last is, you know, we do need
to provide Ritz-Carlton level customer service to everybody up here, but most importantly to victims of cyber crime in the United States. You know, we’re a 110, 115-year-old victim-centered organization. We take that very, very personally, and offering those services to those companies to help them in a time of need, but also to derive the intelligence that we need to feed NSA, to feed CIA, to feed CISA, is very, very important. So when we look at this cycle and the blend of intelligence through our traditional authorities as the lead domestic threat response agency in cyber, that’s how I would answer that question about feeding that cycle.

And just to put more of a point on that: SolarWinds was using a domestic server, right? So they needed you, or the FBI, to take a look at that. Wasn’t it a GoDaddy server for SolarWinds?

Let me answer that question this way. I think when we look at the SolarWinds compromise, right, and I’m quite sure that Laura, Andy, and Morgan would say the same thing, the best thing that happened in SolarWinds was how the victim responded. And the victim responded with immediate transparency to every one of us, with a full view of the forensics and the intelligence behind what had happened, so that we could all collectively marshal our authorities and our capabilities to deal with the problem. And, you know, as I’ve matured in my role, and again I’m quite sure Laura, Andy, and Morgan would say the same thing, what you see is the organizations that do suffer these very public intrusions, the ones that fare the best, are the ones that stand up with broad shoulders and say, hey, I’m going to share immediately and transparently because this is in America’s best interest and that’s why I’m going to do what I’m going to do. We see that with SolarWinds, we saw that with Kaseya, we saw that with LA Unified School District. Like, people really, really leaning in, taking a leadership role to fight back.

Right. And also in the case of SolarWinds you had two victims, one FireEye first, that had a lot of the forensics
to understand what it was right away, right? So that helped too. So what I’m trying to carefully do here is try to get you guys to go to specific examples as much as we can do that and you feel comfortable doing that. So can you talk a little bit, in practice, about specific examples where you were able to coalesce all these different abilities that you have to make us stronger?

I can start. And so what I would talk about, just because it’s in the recent past, and I just want to reference my notes here so I don’t get anything wrong, but you know, in July of this year there was a public unsealing of three indictments against Iranian nationals, and while that serves as the platform for us to deliver messaging, and when I say us, that is US plus multiple other countries and multiple other agencies, you know, that the Iranian actors, the Iranian nationals, right, affiliated with IRGC, likely operating on their own accord for profit, broad targeting through ransomware activity against the United States, Australia, UK, Canada, and Iran.

Sorry, IRGC, just for people who might not...

Affiliated with the government of Iran. And so what you see is people essentially moonlighting for profit, right, but tremendous indiscriminate targeting in the United States, broad U.S. critical infrastructure, even children’s hospitals here. And so while we see the end on the unsealing of the indictments publicly, it leads to a whole host of other activities, both domestically and internationally. And I’ll just mention one thing before I kick it to Morgan to talk about the cybersecurity advisory, but if you saw Director Wray’s public announcement of those unsealings, there’s a very critical line in there in his announcement, it’s a video, that says "and other actions we can’t talk about publicly." But I think the message of that statement is the coordination that’s going on between this group and others to impose strategic costs on our adversaries through both overt and covert means is very, very powerful. But if it’s okay, I’ll kick it to Morgan to talk about the cybersecurity advisory.

Let me ask
you just one follow-up, and that would be: because there have been so many of these arrests or indictments, is there a feeling now then that this idea of name and shame, which was something that was with the PLA originally, have we decided as a country that that’s working, that that actually stops some of this from happening?

You know, what I would say is we need to change the decision analysis, the decision calculus, of our adversary, and we’re learning more and more over time about how to do that. And so when you look across the US government, right, you have Cyber Command with specific authorities, CIA, NSA, Treasury, FBI, State, you know, we have all these different authorities and different capabilities, and really the question is what levers do we need to pull right now to impose maximum costs on our adversaries or to change their analysis. So it’s really not a question about name and shame, it’s how do we identify strategic, impactful, disruptive objectives and what levers do we pull together.

So, sorry... yeah. No, and I would just offer, right, there are different levers for different adversaries, right? Not every lever is going to work against every adversary. You have to really understand what is their hot-button issue, or what is the thing that’s going to make them the most mad. So I think it’s awesome to see that we are literally now really comprehending all of the levers we are able to pull and how we can work together and we’re able to use that. So just to talk a little about... Brian obviously referenced a lot of the activity around the Iranian cyber actors. I think the one thing that I would pull back and offer is this: you know, there’s been a lot of discussion about SolarWinds, Log4j, Hafnium, all the incidents that have occurred within the past year or so, but one of the things that is most difficult as we talk about operational collaboration or public-private partnerships or intelligence sharing is what does that look like when it’s not a crisis, right? What does it look like on the day-to-day? And a lot of what
that focus is, is what are the key advanced persistent threats, APTs, nation-state actors, or, you know, unknown malicious activity that we’re trying to characterize. What are those key things that we’re concerned about because they’re targeting critical infrastructure? And that is a conversation that has to happen first between the intelligence community, the US government, and private sector partners, right? We have to understand what are our joint priorities. We’re then able to determine what are the key topics that we need to, you know, what do we need to dig deep in, what do we need to have deep analytical exchange on. So a lot of these cybersecurity advisories, like the Iran one that Brian mentioned, right, we are having these in-depth analytical exchanges with private sector partners who are tracking these same groups, who have the same capabilities and apertures to understand what’s happening on their customers’ networks, and we are having conversations to build that comprehensive threat picture, which is what Laura talked about, right? Is that we are literally bringing all of our different pieces and insights together, and those insights are the ones that are coming out in cybersecurity advisories. And, you know, obviously we don’t have DHS CISA on the stage here, but they’re a key component of that. If you now look at cybersecurity advisories, there are multiple seals. That’s not just because we want to print more paper and put a bunch of seals at the top, it is because that many people are contributing to those analytical products, to include our industry members. And I think that really speaks volumes to how we are building this operating model to understanding the threat, putting out the best mitigation guidance that we can, and kind of moving forward.

If we were talking about Morgan’s priorities and how those are with corporations, maybe you can answer this, Laura, or companies, are the priorities really out of sync that much? I would imagine that they couldn’t... maybe they are slightly, but are they massively out of sync, where
you have to make a sale, I guess, and say this is why this should be your priority?

There’s a couple different ways to see the prioritization that the commercial sector has in government. First is, when we say commercial sector, I actually come from the private side, so I do chuckle a little bit inside when we say industry, because back in the commercial side I know it says industry sort of like in an outside-of-government sense, right? So I think it really boils down to what sector is trying to solve what problem, right? We’ll take Russia-Ukraine, since everyone’s lived through it and continues to live through this. So often when you think back to, you know, February 24th, the re-invasion, and the couple months leading up to that, cybersecurity vendors, Brian’s partners, Morgan’s partners, Andy’s partners, they were well attuned to the Russian APT groups who were likely going to be, and were, part of a lot of that initial activity. But were satellite communication providers thinking about this? Were other entities that live in the critical infrastructure space, that aren’t frequently the touch points for security companies or for defense companies or even for energy companies, were they as attuned? They were not. And again, we know CISA is sort of missing in this conversation, but they were a big piece in broadcasting out the need for prioritization around Russian APT groups and critical infrastructure targeting. But to get to the little more tactical example around satellite communications: what Russia-Ukraine provided wasn’t just this sort of, like, toddler soccer ball match prioritization of how does everyone join in for collective defense. What it did is it gave this joint approach that we keep talking about here, and we’re talking about successes, but we’re all still refining it, right? This is an evolution. It gave us a chance to work those muscles and work them at a tactical level, whether it was sharing malware, whether it was sharing relationships, whether it was finding new partners. You know, I won’t steal in this part, but
I’m sure you added quite a few new folks that you weren’t talking to, you know, prior to... your pain, right, to hire new people, and probably need more. But, you know, how we started to build out a collective intelligence approach because of the prioritization and clarity of that was something that we’re still, you know, benefiting from and finessing here, right.

I wonder, Brian, if you want to talk a little bit about something that we seem to be writing about all the time, which is ransomware, and how sort of that fits in with what you’re doing in this.

Yeah, so again, you know, my priorities, again, big nation-state competition, China, Russia, Iran, North Korea, occupy the bulk of our time. But after Colonial Pipeline, I know there was a long discussion earlier with TSA about that, but after Colonial Pipeline the National Security Council asked us to add that to our bucket of priorities. Again, I’m not going to be in the disruptive space on ransomware attacks, but where we are is on the intelligence collection space, either human intelligence collection, technical collection, partnering with NSA on that technical collection, the strategic analysis that goes into that, and then utilizing some of our other private sector partnerships to help and inform that discussion so that we can have that virtuous cycle where we can disrupt that ransomware chain. Cryptocurrency, we’re in that space as well, analyzing how those cryptocurrency networks work. The ransomware actors, unless they’re 100% state sponsored, they want to get paid, and the only real mechanism that ransomware actors get paid these days is through cryptocurrency. And being in that space where we can collect intelligence on how they’re using cryptocurrency and whether there is a way for FBI to disrupt that, or, as Laura was indicating, our international partners. We have global partnerships in every capital you can imagine across the globe, and either us or FBI, you know, provide information to those teams. It’s different in every country who has
the lead on certain issues, but when we can’t do disruption from the US government perspective, we enable our foreign partners to do so.

Got it. A year ago, if you were to boil it down, what would it be? Maybe I’ll start with you, Laura.

Sorry, I thought it was going to come tonight. Look, I’ve been in my role since May, so I’m going to cheat a little bit and say, look, I’ve only got six months under my belt in doing this, but I’ll tell you, having come back to the intelligence community after 10 years out, what struck me first and foremost was, you know, my initial impression was there are so many more people doing cyber at large across the IC, and not just the IC, but HHS, EPA, you know, the interagency writ large has a really strong and I think tight and deep community on cyber. And we talk about workforce, and, you know, I’m sure everyone on the stage would take good applications from folks out there who want to come into the government and work on this problem set, but we do have a really tight community that can focus, and that is pretty agile. Coming from the private side, where agility is, you know, your number one strength in a lot of ways to meet customer needs, what have you, I find that the number of agencies that can jump on a problem, and not just in a crisis, to Morgan’s point, but to jump on hard problems like ransomware, right, and say, look, that might not be my priority every day of the week, it might not be my strategic priority in five years, but I’m willing to go and put resources on to try to think through how my agency’s authorities and work and people can be applied to this problem for X reason, right? And that kind of problem solving and thought process across the interagency is something that has really been exciting, frankly, to see and to come back to. And I think we’ve got a lot more to do, but that germination of kind of the spirit around how we do intelligence better in this space across the government is something that I think we’re really building here.

How about you, Brian? You’ve been quiet.

I’ll
give you one thought internal to the FBI and then one thought about cyber at large. So internal to the FBI, you know, with the mission and the strategy that I described in my opening response, you know, that was really kicked off in September 2020, and I think the Bureau is rightfully very proud of its history, right, and that is a law enforcement history; post-9/11 it’s also law enforcement and intelligence. But obviously moving into the space of how do we apply unique authorities for the Bureau, specific capabilities for the Bureau, in tandem with, again, government, domestic, international, private, domestic, international partners for maximum impact, that’s a huge cultural shift, right? And I’m just really proud of our people for wrapping their hearts and minds around that and trying to become part of the solution. So that’s the internal thought. The external thought is that I’ve been in my job for 18 months, 19 months about, and even during that time you’ve seen a maturation of process, you know, not only process amongst us, but certainly if CISA was up here they would tell you the same thing, certainly Cyber Command would tell you the same thing: an evaluation of when those authorities should be applied as part of that deconfliction or coordination process for maximum impact, but then also how do we effectively integrate with the private sector and understand their equities and respect their equities, whether victim or not, but also bring them into a fold, and allow them to be brought into a fold in a way that they’re amenable to, that allows them to be part of the solution in a way that they feel good about, rather than saying, hey, this is what we need from you. So it’s a much more collaborative, process-driven environment that I do credit just to maturation of the industry, including the... but also people’s hearts and minds being in the right place, right. And the threat has changed a little bit too.

If I can have the two of you just talk quickly, because I do want to get to questions, because most people don’t get to talk to you.

Okay, I’ll be very
quick. So just to pivot off of what Brian talked about from a culture perspective, right, the pandemic gave us one good thing: it forced a lot of the National Security Agency to operate in an unclassified environment to communicate with our workforce that was home. We were able to take those processes in that environment and really pivot to being able to leverage that to share with our private sector partners. So the culture shift from an intelligence community perspective to getting us to share more of our information directly has been significant for us in the last year. Secondly, we’ve really started to figure out what works. It’s not perfect, to Laura’s point, but we’ve started to see a lot of success on, you know, Brian has been phenomenal because he’s gone out to the field offices and he said, here’s what NSA is doing. We’ll tell you, probably the first time the field offices were like, what do you mean NSA is doing that? But they now are tipping us directly when they have information to help in our operations. It’s phenomenal in terms of how we just have the information going back and forth. And then lastly, really our industry partners are a force multiplier in the fight, right? We already have a deficit in the workforce, and we’ve got to be able to band together, use the technical expertise that is inherent both in the US government and in the private sector, to really get after these threats in a way we’ve never done it before, while we continue to build that workforce for the future.

And quickly, so, yeah, what’s changed over the year for us is the Russian invasion of Ukraine. That’s changed everything. The force buildup that was happening exactly a year ago, when we decided as a government to start using intelligence as a weapon, so to speak, to convince our allies and to convince, frankly, the American public that this is a real thing, a real existential crisis. And that’s a hard place for us to be in the intel community. We don’t like to share classified material with the press, but we did, and I think it was
a brilliant leadership decision that was, you know, made at the NSC. Secondly, from an analytic perspective, kind of reevaluating what did we get wrong, what did we get right, and why, and what are our assumptions. We’ve talked about this a bit earlier, and Mieke talked about this earlier, so we, as in the analytic community, are kind of going through that, like, are our expectations different now? And then, secondly... or thirdly, how we partner in this really large community: our bilateral partnerships, our Five Eyes partnerships, and throughout the US government, to work on this problem set. And then finally, and this was discussed earlier as well, just the enormity of the cyber landscape: the hacktivist community, the IT sector that got involved in the fight both on the Russian side and on the Ukrainian side, and what does that mean from an intelligence collection perspective, also from a cyber defense perspective on the U.S. end, and how we can, frankly, turn those relationships into an additive thing for conflicts in the future. And I think, you know, we’re going to be doing a retrospective on the Ukraine crisis for quite some time. The history of it is being written now, but I think several years from now we will all look back on this as sort of a pivot point in international relations and how the intelligence community feeds into that.

Right, I agree. Maybe we have time for two quick questions. I would also say that one of the things that’s going on is... if you bring up the lights, someone can raise their hand if someone has a question. Anybody? Well, while you’re thinking of that question, I’d say I also think the other thing is the audience has changed, right? That now the people that you’re talking to and collaborating with have a greater understanding than they may have had even a year ago, and more understanding of the threat, and certainly we’re seeing that of the average person who didn’t care about cyber before, but now their schools are getting hacked so they have to care. Somebody have a
question right back there? Just wait for the microphone, please, just so everybody can hear you.

Hi. When you talk about technical information sharing, how do you decide what level of context is appropriate to provide with that technical, whether it be IOCs or any other sort of technical information, with the private sector so that they can use that information more actionably?

So for us in particular, this has been the beauty of the relationship, is that by us sharing information directly with a lot of our partners, they give us feedback and say, hey, this is not the type of data I need, or this is the type of information I need, or can you put this in a different format. So that feedback has actually enabled us to produce more valuable information for them. What I will tell you that we have learned over the past year is, you know, specifically being able to tie it to an APT group or a specific nation-state actor is critical, because that provides context. It doesn’t have to be, you know, this individual on the keyboard; it’s this APT group. A lot of companies that we work with, especially in the defense industrial base, have specific playbooks for how they deal with specific APT actors, and so that context helps. And again, we’ve had a lot of success recently on being able to share that type of information at a very low classification.

Other question? Yes, right here. Oh, sorry, right there. Thank you. Sorry, it’s hard to see. Thank you.

Hello. So coming from a small country, Greece, and with a small country with limited budgets actually, what would you suggest is the key area in which countries like Greece with limited budgets should focus on in order to have a sustainable, an enforced sustainable cybersecurity? Thank you.

I’ll take the first crack at it. I’ll channel my inner CISA in my answer to you. Listen, I think it comes down to fundamentals, right? You know, whether that’s MFA, you know, air-gapped backups, you know, these types of things, those fundamentals. I’d probably rattle off a list of seven or
eight, but those are the difference makers, right? And when you look at the compromises that all of us hear about, see, you know, they all come back to a traditional set of vectors, and the most fundamental way to protect against those vectors is those foundational security principles.

Anybody want to add to that?

I think just one piece of what Brian briefly said there was, you know, the question is build versus buy and where do you want to accept a risk, particularly on the buy piece, and there’s risk on the build piece too, right. But that calculation, and I think sharing how countries like Greece and other countries with a more limited budget who want to get the fundamentals right and want to learn from other countries on how they have made those risk decisions, I think those lessons shared is something where, you know, there’s a variety of forums that are starting to get those lessons out, but that’s a place where I think we could generally start to share more, right, on this sort of joint capacity building. We haven’t figured it out yet fully in, you know, the US government either, but how we start to think through best practices together, think through what interoperability looks like between sharing APT groups, between sharing, you know, forensics that we’re seeing, between private sector sharing with our government, those are all lessons that I think will be really applicable as more and more governments build out their programs.

So, can I just quickly... yeah. So, and we talked about Albania earlier. I mean, I do think from the US government perspective we learned some lessons there. Is every one of our embassies overseas prepared for a situation like that? And I think the answer was no. And back to our counterterrorism examples: every embassy on the globe knows what to do in a counterterrorism situation. Everybody has their points of contact in the foreign governments, be it military, intelligence, or diplomats. We do not have the muscle memory on that yet when it comes to a cyber
crisis. We’re getting there, but we’re using existing, you know, representatives in all our embassies to sort of build that. But that has been a focus for some folks on my team, is to educate our embassies overseas as to what to do in a crisis like that, so that we can help our allies. And again, this is a Greece example, it’s an Albanian example, but to help our allies either prepare so that they don’t have an incident like that, or, in the event of an incident, they have an appropriate response.

And, you know, you talked about a virtuous cycle. Actually, the four of you coming out and talking about this adds to the virtuous cycle. I think that if people understand how this works together, I think it’ll bring more people to you to talk about it. And so thank you very much for being here, and please join me in thanking Morgan, Andrew, Laura, and Brian.

Before we introduce the next panel, we’d like to take one more opportunity to thank our sponsors: Forescout, The Record by Recorded Future, PwC, Paladin, Broadcom Software, and McKinsey and Company. And while I have you, you can be the first to learn the dates for the 2023 Aspen Cyber Summit by going to aspencybersummit.org and signing up for our mailing list.

Next up, here to explore how the concept of cyber resilience has evolved, please welcome Adam Bromwich, Vice President of R&D at Symantec by Broadcom Software; Valerie Cofield, Chief Strategy Officer at CISA; Sean Joyce, Principal at PwC and former Deputy Director of the FBI; and Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk and Resilience at the Department of Homeland Security. Joining us again is Aspen Digital’s Jeff Greene.

Good afternoon, everybody. It’s great to be back out here. We have the most creatively described, named panel. We put a lot of thought into those two words, so I hope everyone is enjoying it. But what we’re going to talk about today is not a new topic in cyber, you know, the concept of resilience, but what we want to get into is whether the understanding has changed and whether organizations need to prepare differently based
on some recent events. You know, Colonial Pipeline has come up several times today. TSA Administrator Pekoske and Alan Armstrong talked about it, but the big takeaway from that for a lot of us was the idea of an operational technology system, the pipeline, being taken down purely because of an information technology ransomware attack. And so what we want to get into is whether we need to be thinking differently about the concept of resilience, more than just backups and servers, if the trigger for shutting down crucial systems is not an actual intrusion but it is merely the potential compromise of it. So we’ve got a great panel to talk about it. I’m going to start with Sean, because I hope he won’t be offended to say that Sean’s been doing this a long time. He’s seen it from a lot of different hats, and I’d like to hear from you how the concept of resilience has evolved in the different hats you’ve worn. Where is it today? The clients you work with, are they understanding that the environment has changed, and how are you discussing this with them?

Yeah, I think resilience right now is probably a term that we’re all hearing every day, whether it’s online or in any type of media form, but I think it has really taken on an importance, and I think the inflection point has really been ransomware and the types of industries that it has affected. So you’ve heard Colonial Pipeline, JBS, and when it affects people’s daily lives is when I think people start paying attention. So when we used to talk about resilience with companies, it was more related to what’s my disaster recovery plan, right, or what’s my business continuity plan, right. And now I think companies are looking at: what’s my crisis management plan, what’s my business continuity plan, what’s my disaster recovery plan, what is my cyber resilience plan, what is my physical security plan, and what is my third-party supply chain sort of plan as we go forward. And how to bring those components together I think is extremely challenging. We’ve worked with dozens of companies on
resilience. I would say we’re still in the first inning, right? I think companies are struggling with... I think they’re realizing that it takes on all of these different functions within a company. I think they’re struggling with how do we actually weave these components together. And so what we’ve been telling companies is, all those six different areas that I mentioned, what’s your checklist to make that work, and then what are the commonalities in each of those checklists, how do you bring that together, and how do you kind of overlay that with a governance structure. I think historically companies have had a very, very siloed approach. And I think, you know, all day, I would argue to everyone out there that we’ve heard about resilience all day, whether it’s the workforce, whether we’re talking about sort of a national resilience, which many countries like the UK have put out there, a national resilience strategy, right. It goes all the way down to the human level, and I think we’ve got to come together. We see in the financial services where there is now, like, a resilience officer, and we’ve seen some of the major banks actually designate an individual. But I think we’ve got to realize we’re not resilient right now, right? We are doing some things well. I think you heard previously from some of the folks on stage that we are making great progress, but I still think there’s a long way to go.

So if the universe of cyber incidents that can lead to a major operational impact is much greater than maybe we thought on the Thursday or the Friday morning of Colonial, practically what does that mean for critical infrastructure, for governments, other entities? Like, how should they be assessing the potential? I don’t know, Val, if that... you guys put a lot of work into the performance goals recently. Was that part of that?

Yeah, and we’re, you know, we’re really excited that we were able to release our cross-sector cybersecurity performance goals recently. And, you know, one thing that we’ve seen, we’ve seen a prevalence of, you know, when you think about ransomware, is how
much it’simpacted you know the state and localcommunities as well as small andmedium-sized businesses so really ourFocus for our cyber security performancegoals is really to be able to talk tothose communities and help them you knowif you go to our cyber performance goalsand you can get to them from cisa.govthey’re worksheets that assess and giveyou an idea of cost impact andcomplexity of you know so let’s sayyou’re starting from the ground up andyou don’t have a lot of resources yetdevoted to cyber security you know wehave a checklist we can we can show showyou on these worksheets about where youshould focus your time and effort if youdon’t have a lot of resources but youwant to have the greatest impact and sowe’re really cognizant because I thinkthat’s where we’ve seen you know there’sjust been a growing rash of sadlyincidents rants more incidents againstHealth Care institutionsthe educational system there’s been youknow countless school districts thathave been subjects of ransomware attacksso we’re really focused on how do wehelp those communities that are areresource constrained but are rich targetareas for cyber criminals yeah you knowI think you raise a great point on thosecyber security performance goals I thinkit is right we think about the Cyberpoverty line and I think about thosecompanies that actually can afford theinvestment and the companies that can’tmost companies in the united states arebelow that poverty line and I think cisowith these goals really brings thatFocus like you did on the ransomwaretools that I think has been I’ve hadseveral smaller company he say what abenefit that brings them to allow themto focus on some of the basicsaraga you watched Colonial from a frontseat at the White House did thatdid it change your thinking or yourinternal thinking the White House or theagencies as to when we need to flip overfrom a purely cyber incident to there’soh my gosh real world gas lines fromneeding to message effectively thatthings are okay to 
planning the physicalresponse everything from like Jones actwaivers and things like that yeah I meanI definitely think it was a bit of aturning point not just for theadministration or the government butfrankly in the US how we how we viewedthe convergence of those issues right Ithink and then increasingly connectedDigital World whether you know your I.Tor your OT is connected or not one canhave an impact on the other uh withregardless of if they’re connected Ithink from what we saw at Colonial and Iwould also I think Colonial was aninteresting turning point and I wouldalso say that the the thereinvasion of Ukraine by Russia was alsoa really big inflection point from thegovernment side because I thought itbrought home the fact that there arecyber risks you need to be resilienttoward it’s the Cyber and the physicalconsequences but there’s a geopoliticalaspect of it that you can’t avoid rightlike Sean talked about seeing things inthese separate buckets and I thinkthat’s probably what people were doingbut now we’ve seen the bridge combinewhere it’s cyber with its physicalgeopolitical or otherwise having thesedemonstrable potential impacts on theactual operations of your networks andso I think thinking through how you areable to be resilient to these from acyber perspective is important justbecause the Cyber inflection point isoften the common entity across all thoseissues right as we in DHS did theshields up campaign through sizza andwent on these Road shows to talk tocompanies you know making the connectionbetween the geopolitical and the Cyber Ithought was really important the otherthing that I think the department hasdone a really good job of that sizza’sbeen doing too we Congress recentlymandated us to have these state andlocal cyber security grants it’s onebillion dollars over four years so Imean government has money it will givemoney but I think if you actually diginto the details too A lot of therequirements that we’re putting on themoney that goes to State and 
locals forcyber security has kind of specificrequirements on what the governanceboard should look like it has to includethe states as though or the state CIOthe entities then the agencies that aregetting it needs certain you knowgovernance mechanisms to make sure thatthose Investments are done properly andI think that all comes from a higher youknow sense of urgency on risk andresilience through the government’sperspectiveSo Adam you’ve spent a career defendingyou’ve seen it from a bunch of differentperspectives from building it to goingwith the customers how has the thetransition we’ve talked about changedboth how you’re thinking aboutprotecting customers today and how youdesign your future protections has itimpacted itwell look it’s been a very interestingEvolution over that whole time period Imean when I started out in security ourproduct tagline was set it and forget ityou know it was a hundred percenteffective right and that was in the daysof viruses right and very quicklyeveryone realized that more than onesecurity tool would be required and overtime that pendulum swung and I think itswung very far over to like almostcomplete DIY Security today so for anorganization to protect themselves theyhave to have a security team they haveto have a threat Intel team they have tohave dozens of security products theyhave to stitch all those productstogether it’s a huge effort and I thinkthat’s that the resource required to beable to do that is significant and toosignificant I think in many cases so youknow I’m a big advocate of that pendulumswinging back to center right you knowit’s important for us to get thesecurity experts in the securityindustry side together with the SecurityExperts in the private sector and ingovernment all together now near termwhat we found really effective is justconnecting those groups from anintelligence perspective so when we netwe now monitor activity happening at ourcustomers and if we see a hospital thatlooks like there’s some living off 
the-land activity going on, we reach out and connect with that hospital.

Can you explain living off the land?

Oh, sure. Living off the land is just, instead of using malware, attackers will use common tools that are sitting on a machine, often tools that have very legitimate uses. So you'd use this tool to roll out software, for instance, or you might use a remote access tool. The attackers use those tools; they don't custom-craft malware nearly as often as they used to. So we look for that kind of activity. That's a really important thing for every organization to do, but not every organization can really afford to do that, so we look for it as well. Getting connected with those organizations directly makes us far more effective. Now, longer term, I think there's an attack surface reduction effort that needs to happen. We work on technology that abandons the industry's one-size-fits-all security solution model. We really need to get off of that model, and we could have much more effective security if we can tailor that security to each individual organization. Today we really dumb down security because we're afraid, essentially, of what we call a false positive, of getting it wrong. So a great example I use is: there are organizations out there that need to launch PowerShell out of a Word document. Most organizations do not ever do that. We cannot block that activity because there are some that do it, and so we've really dumbed it down, and it needs to be more tailored. And there's definitely technological capability to do that. So we've got to swing that pendulum more to the center, do more actual attack surface reduction as well as more connection.

One thing I've wondered is, hypothetically, well, let's just say Colonial had had a tabletop exercise on Wednesday or Thursday, and the scenario was ransomware into their IT system. Would the security team there have said, "oh my God, we need to shut down the entire physical system," or would they have thought or said things are fine? So once it became a reality, did their perspective change? Sean and Adam, you guys probably work with this; have you sensed the change? I think Sean may even do some tabletops with companies. Have they gotten more realistic? Has their understanding changed, or is there still a sense that when it's hypothetical it's easier to say "I got it, boss, we're fine"?

I think tabletops are a beginning, and I think tabletops are a great exercise for communication and for understanding the governance of a situation. Now when we're talking about resilience, I don't think tabletops come close to doing it. So when you're talking about resilience, I'm talking about end-to-end technical testing. So, hey, if we are hit by a ransomware variant and they encrypt our data, let's walk through how we're actually going to restore that. Do we understand our network topology? Do we understand where the break points are so that we can limit the blast radius, and what I mean by that is what the ransomware can actually affect? Do the right people have authority? Let me say this a different way: more mature companies are able to do it in a more precision-based manner than just, quote unquote, pulling the plug.

Adam, have you seen any changes like that?

I totally agree. I think that Colonial is a great example of where you have to kind of shut the whole thing down, because you just don't know what the impact is. And I think this is actually in the guidelines as well from CISA: you need to do these basics. You need to segment your network, you need to have MFA, multi-factor authentication; I'm going to put a plug in, it should be FIDO2 as well, that's evolving. And you need to have an incident response plan, and you need to exercise that. It's not a fancy tool; you need these basics.

Can I add to that too? That's one thing that we do highlight in our cybersecurity performance goals, the need for OT and IT to come together before an incident happens, so that the OT operators know or have thought through what an impact on an IT system could have on that. And I think it's so crucial that the cybersecurity personnel in both of those groups meet before an incident happens, and it's really something that we do stress.

I'll say that we don't see a lot of OT attacks; we see the IT attacks affect the OT.

Yeah, the impact.

Yeah, of course it doesn't mean it's not possible, but certainly for organizations that are starved for resources, they've got to close the gaps on the IT side first.

But I think there's a little bit of a knowledge gap there, though, because a lot of folks, and you heard Alan talking earlier about what actually encompasses an OT system, when you're talking about PLCs, and what's in the IT system. However, I have been with several companies that didn't know the dashboards from their OT were actually the connection to their IT. So there is a little bit of a knowledge gap, but I agree, I think there's a long way to go when you're talking about the manufacturing sector, energy, utilities; that can be done.

I think one thing we saw from Colonial too, both inside the government and in the company, is that it's not always the CISO or the other security individuals who are actually making decisions in the end. Even from a policy perspective, as we were trying to tackle how the nation can be resilient to that type of attack, there was a healthy tension between the security side at the NSC and then the economic folks and political factors. So I think all these are kind of in play. I've seen it from the government side, but I feel like from the corporate side too, if you don't have the right governance models or mechanisms for the C-suite or people beyond the CISO looking at security to make those decisions, if they don't have confidence in the IT and OT separation, or even the understanding of what that is, you still may pull the plug even if it's all good.

So Sean, I want to pull on the thread you raised when Adam said we haven't seen the OT-side attacks. Thinking back to when I first got sucked into cyber on Stuxnet, coming out of that, a lot of security researchers and others started really digging into operational technologies and trying to understand them, and we were certainly more focused on the threat of an OT attack. And to Adam's point of the pendulum swinging, do you think that with Colonial Pipeline and JBS Foods and the others, the pendulum has swung, where it was "oh wait a minute, we actually don't need to learn all this esoteric PLC coding, we'll just make them worry about it"? Is there a set of actors, whether criminal or nation-state, who said we're wasting our time working on figuring out the OT, we're just going to make them so scared they'll shut it down?

I don't think so.

That makes me feel better.

So, as you've heard today, there is no question that Russia is very interested in that OT side of things. And let's not just think of what the government typically means when we've been talking today, utilities, energy; OT is manufacturing, it's smart cities, it's any IoT device. Think of the Mirai botnet, right, for a distributed denial of service attack. So there have been OT attacks already that have been significant. I would say I think 70 percent of the attacks are for criminal reasons, for monetary gain. Now, looking at it from a nation-state perspective, they are certainly looking at that OT side of things. There have been several. I use the stat, I would say roughly seven out of ten companies that I have dealt with on ransomware will pay the ransom. So what does that tell you about resilience? So we have a long way to go. So, listen, I think the nation-states are focusing on those things. If you've ever dealt with any company that's in logistics, go back to NotPetya, and think of Maersk and the effects that it had. So I think it has been a wake-up call for a lot of companies that maybe had a very streamlined security unit, and that's where I talk about that cyber poverty line. What's happening right now, all around, what are we all reading in the paper about what every tech company is doing and what almost every company is doing right now? We're hearing about layoffs, so it's cost-cutting measures, right? And how are we looking at this? I keep saying I don't go into a boardroom where they're not talking about digital transformation. So I would argue technology is the central nervous system of almost every company. So what are you doing to protect that, and are you making the same investment in that to make it the fabric of your company?

Adam, have you seen any changes in the trends or the trend lines from your threat intel teams over the past year, two years? Where is the focus going?

Yeah, well, certainly the focus got a lot more targeted recently. Ransomware used to just kind of go to anyone and everyone, and now it's highly targeted. So it's gotten more sophisticated in the sense that it's targeted; it's less sophisticated in the actual techniques. What we're seeing this past year is just an enormous increase in credential theft and a focus on credential theft. And I've been following this group Lapsus$, which is really interesting. It's kind of come out that these are teenagers who are interested in breaking into companies, stealing source code and selling it for crypto and just amassing money. But in order to do that, they have to pretty much compromise the network of the target, and very large companies are being attacked, and they are using mostly social engineering
techniques. Everything, even going on to forums and paying employees to sell their credentials to them so they can log into the VPN and compromise a large corporation. These are not sophisticated attacks, but with huge impact.

Well, they may be psychologically sophisticated, not technologically.

That's right, yeah, exactly.

Well, there's a little-known part of CISA that also focuses on physical security. For the most part now it's talked about in the cyber context. Can you talk about how the cyber and the physical within CISA are working together to understand the broader threat picture?

Yeah, so what's been really great right now is that we are working on exactly that, together with the NSC. So last week the President wrote a letter that sort of finalized what we called the 9002(b) report, which was a requirement from the FY21 National Defense Authorization Act. In that requirement, CISA was tasked to write this report really looking at the sector risk management, our sector structure: is it the right structure? And this is across all-hazards risks, so not just cyber alone. Is this structure the right structure? If so, do we have the right agencies in charge of these sectors? So we're starting, and we're embarking on this work together with all the other sector risk management agencies, and with the Office of the National Cyber Director, and with the NSC, on really implementing these recommendations. And so it gives us a real opportunity to look at risk again across these sectors, and also to have a national understanding of what we all mean by risk, because I think that's been one of our challenges across these very divergent sectors. The maturity across each of these sectors is very different; the resources that each of these sectors has toward reducing their risk are also quite different. And so this gives us an opportunity to be able to work together again with these offices that I mentioned, ONCD and NSC, and to work with these sectors to figure out how we bridge those gaps, what we can do in the short term as we work to help mature all of those sectors so that they can have more of an indigenous analysis of their own risk and be able to help mitigate it. But again, there's quite a different scale of maturity across these sectors, and the need is now, the risk is immediate, and so we're really trying to figure out what we do in the short, medium and long term.

So when Ukraine suffered some cyber attacks five, six years ago that impacted their electric grid, the public reporting is that they were able to get back up because they were able to go to physical manual controls. We're a cyber conference; should we be talking about the need or the capacity to restart something physically and just ignore all the computers? Is that part of the resilience Sean was talking about? Iranga, is that something that you guys think about at the big policy level at DHS?

It is. I think ultimately we are a mission- and outcome-oriented agency, where we want to make sure that, whether it's critical services or critical infrastructure, ultimately the end goal is not to make sure computers are working but that services are delivered, that folks are getting what they need from those services. So I do think having that kind of end goal in mind has driven a lot of our internal thinking. And I think as a result, too, it's made us at DHS think more broadly about what Val said as a key phrase, all-hazards risk. And so we've been doing a lot of thinking internally, not just about the cyber risk but about climate, the effects of climate, whether that's disaster management, which we obviously have a very strong history of doing through FEMA, but also those slow-burning, slow-moving climate types of risks that pose resilience issues as water resources are depleted or other things. So I think those are all things that people should be thinking about, and I think we as a department are trying to put our money where our mouth is in terms of having the government be able to better respond and be resilient as well. I know things that CISA and others put out put the burden on companies to be resilient, but there is a bit of ownership that the government needs to have of our own ability to be resilient in how we provide services to these companies. So we've been doing internal thinking about how to mature and modernize our own response and resilience capabilities so that we can better respond to cyber and physical incidents. The FEMA structure, for instance, is very well designed for hurricanes, but is it designed for a cyber-physical event? Those are some of the questions we're asking internally, to be more modern and flexible in our own approaches as we're making those asks of the private sector.

Sean, when you go into those boardrooms, are you having that physical conversation as part of that broader resilience discussion?

We are, and I think it's important. Where it really came to light, I think, is the Ukraine-Russia war, the example where Russia is linking together kinetic strikes with cyber attacks. And then the second element that we're seeing, that to me is very unusual, is the crowdsourcing of private groups actually acting on behalf of a nation-state. So everyone here, including myself, we support Ukraine and what's happening, and some of the companies here have done an amazing job. My question to everyone is: what do we do on the next one, where it's not so black and white? So what is the role of a private company? Should they be intervening in a nation-state conflict? What's the process they're actually going through to do that? Are they actually going through the government? Because before, warfare was kinetic and basically done by our military. Now we're seeing a very unique circumstance, one that's clear to all of us, and kudos to all of the companies that are helping; look at Elon Musk, Microsoft, they've done fantastic work. What about a conflict that is not so clear-cut, and how are we describing that role? So I think we're in a unique time where there are no rules for figuring out what that means.

It's the flip side, sorry, go ahead.

No, I'm just going to add, I totally agree with that. I think with Russia-Ukraine too, you see the scramble that we did on the government side to do Shields Up was interesting; it's something that we're going to be able to better scale. But from the other side, I think we saw companies dealing with supply chain risks, for instance, but you had a situation where a lot of the companies in their supply chain were willingly moving out of Russia. And so for business continuity you were dealing with that issue, but in a context where you were willing to move out of that conflict zone. That's not always going to be true with certain countries or regions or areas. If there is a geopolitical conflict and you need to operate in that kind of environment, or have a more resilient supply chain, those are things that you need to be exercising now.

As a result of, hypothetically, two countries in Asia across the strait.

Yeah, yeah.

Adam, the physical side, is that something that you talk about, or should be talking about, or is that someone else's to-do list?

I wish. We're a cybersecurity company, so my answer on the 2015 attack is, unfortunately, the ship has sailed. The Ukrainian power grid was not affected by that attack because they had not computerized their systems; they had not gone to an OT model. They were still on old switches, and so they were able to recover from an attack in which, literally, the attackers remoted into a Windows machine and you could see, because there was a security camera on the machine, you could see them move to the off switch and click off. That was it. But they've modernized. They've modernized, so that's not the case. Everyone has modernized, everyone is on these systems, in full OT now. Going back to switches, I think, is a tall order. I think it's going to be very difficult; it's just too ingrained, the ship has sailed.

But I would argue, and I wish Chris Krebs was up here now: one of the reasons our election system is so secure is because it's archaic. It's so dangerous, okay, and there are 50 states, you have 50 different ways of actually doing it, and with that diversity is strength.

There are counties within those states.

Absolutely right. So you look at that, but I think we're way past the time of thinking of physical and cyber differently. When you think of basic physical security, when you go into your companies, how many use swipe badges? Digital. How many companies have cameras? It's digital. But you've got to look at that scenario analysis of, okay, if our cell phones go down, how are we going to communicate?

I think that's a worthy question. Val, did you bake in any of that, you personally, the physical side, even into the planning and the checklists, I don't want to say checklist, into the structure of the performance goals?

So with the structure of the performance goals, we really don't take into account these physical countermeasures that we're talking about right now. I think it's something that we'll be discussing again as we try to implement the recommendations from the 9002(b) report, because we'll have to look at all-hazards risk across the 16 critical infrastructure sectors, and how we will, sector by sector, and also with the cross-sector risk, because most incidents aren't just going to silo and hit one sector. They're probably going to impact another sector as well, and so how do we look at
thosecross-sector risks and what are the bestways to mitigate against those that’sanother panel on the cross sector so wehave a few minutes left maybe we can tryto get two questions in so if uh againwe’re blind up here if someone couldhelp with a mic and I’ll repeat thequestion just so the folks online canhear itMike is on routeI have a question right up here in thebluetest okay okay hi mytalking about this low hanging fruitthat can help companies improve theircyber security maturity a lot of theways they get that is by hiringproactive Consultants as a formerconsultant myself a lot of theorganizations that Valerie mentionedcan’t afford those sorts of services sowhat else can we be doing Civil Societyprivate sector and the public sector tohelp these low resource organizationsthat are targeted rich likemunicipalities like non-profits theycan’t afford to hire professionalConsultants how can they continue toraise their cyber security maturity sothe question was when we’re getting outof the range ofbig companies with with large budgetsdon’t have the capacity to hireConsultants how do we help themunicipalities the non-profits thesmaller organizationsum maybe you can start on themunicipality piece with with the grantsand then no I’ll double down on what Imentioned so uh with a little morespecificity too so out of the theinfrastructure bill that the Congresspassed there’s a billion dollars overfour years for state and localgovernment entities to improve theircyber security so I think on September14th or 15th the notice of funding wentout I think applications closed I thinkyesterday November 15th if I’m notmistaken and so I think there’s a lot ofwork that can be done there where we’regiving out a lot of money in terms ofactually identify having States identifyhow they will use it how they will havea governance model where they can applyit and I think the unique combination ofgetting that infusion of money and thenlooking at something like theperformance goals are going to 
actuallybe really nicely married upum and then on the other side I thinkthe thing that Val hasn’t touched yet isphase two of the Cyber performance goalswhich is the ones now are across allsectors but the next version will besector specific so I think you could seethis nice cross-cutting Matrix where youknow small medium Enterprises that maybeperhaps specialize in chemical or wateror something like that will eventuallyhave a very specific set of controlsthat they can hopefully afford to do andkind of Benchmark budget and resourcesagainst other thoughts yeah and so thiswas something that we thought about alot especially you know during the thebuild up to the Russia UK Ukraine crisisis that we really wanted through ourShields up campaign to be able toprovide resources to to companies thatdidn’t have a lot and soum Sean had mentioned we have um if yougo to our Shields up website we do havefree tools um you know there there werecompanies and organizations that came tous to say hey we want to offer thisservice we want to provide it for freeto small and medium-sized businesses andso if you go to our website you can youcan see a list of those resources andthe through Aspen digital through theAspen cyber program Craig Newmark hassponsored through Craig Newmark Clarencethe philanthropy is a cyber civildefense projecthe’s put significant resources behind itthe goal isn’t to push money toorganizations it is to identify exactlywhat you talked about what are the forcemultipliers of these organizations canfind ways to get assistance whether it’sindividuals small businesses CivilSociety Etc let’s try to get one morequestion in if there’s one the crowdhi thank you my name is Halle Zimmermanand I’m with Northrop Grumman I amworking on a research project that’sum might be a little specific butlooking at how to aggregate processeswhen it comes to compliancecertifications and I was wondering ifanyone has perhaps dealt with that andif you have any suggestions for maybe adigital 
transformation of complianceitself the processes of compliance so Iwant to make sure I get the questionright it is aggregating differentcertifications as part of an overallsecurity effort as part of a complianceeffort are you talking about individualcertifications or the certificationsthat a company might have to to complywith part of their regulatorysure as an exampleum like cmmcum that would be one okay so regulatoryor other type of requirements anythoughts on thatso I’ll I’ll take it since uh I thinkthat’s what we do for a livingumso what we have done is we’ve actuallyspun up an instance pick yourhyperscaler as your AWS or gcp and we’reactually bringing in the data streamsfor all you difference compliancerequirements and actually generatingreports from that individuallyright so I I think you know doing it theold way is extremely burdensome rightand having that ability to I thinkleverage uh not only data analytics butreally what the cloud brings you as acompany is doing that so we are actuallybeen piloting that in one company andit’s uh I think saved a lot of money soI highly think there’s a huge efficiencyplay thereany last questionsso lightning round for you folks yes nowith a few words you know we’ve talkedabout resilience we’ve gone through alot the trend lines do you think thatorganizations are are picking this upare we going in the right direction orare we still muddling around trying tofind our way so let’s start around andwork down oh toughum I’ll take the optimistic approachjust because I feel like from thegovernment perspective we are ramping upa lot of the attention we want to playfor this so you know hopefully it’sbeing well received but I think uh reallife events have really brought theseissues at home uh to home and and peopleare trying to take it more seriouslySean resounding yes just have a long wayto gono yeah I would say yes too and I dothink that sadly real life events havemade this an issue for for everyone yeahwe heard that from Alan 
Armstrong beingbrought in for a briefing for seeing ourthe the potential Invasion it it changesit when there’s an actualbad thing out there yeah that’s right Ithink that the risk has always beenthere actually it’s just that the recentevents have made it clear that toeverybody that that risk is there and soI definitely think the trend line is upI think there’s you know as we weretalking earlierthere’s a lot of organizations that havea lot of work to do to need to keep upthe momentum yeah so yeah great wellagain thanks everyone great panel greatdiscussion thanks for all the workyou’ve doneum maybe we’ll pick this up again nextyearthank youso I get the pleasure of introducing ournext group we are going to have alightning talk we’re going to peel backthe curtain and show the voice of GodRyan Merkley of Aspen digital is the theFantastic Voice who has been introducingour panels and speakers to the day soRyan is going to come out who’s going tohave a one-on-one with Sammy Corey whois the head of the Canadian Center forcyber security so let me welcome outRyan and Sammythanks JeffrightI did it dropped it there we go heyfolksSammy thanks for being here with usum nice to be able to have a bit of achat together also we’re the twoCanadians uh so we’ll be representingthe nation uh for this portion of yourprogramum I’m not going to assume that uheveryone here is fluent in the cybersecurity infrastructure and defenses ofthe neighbor to the north so maybe I’lljust give you a second to maybe justpaint the picture for the center whichyou lead and sort of where it fits inCanada’s cyber defenses sure thanks Ryanthanks uh to Aspen for inviting me to bepart of this great event today so theCyber Center uh that I lead or theCanadian Center for cyber security thefull name is part of the communicationsecurity establishment which is sort ofthe NSA equivalent uh in Canada we aresort of a information security cybersecurity and intelligence agency so abit of half half we do both we are partof 
the Department of Defense up there, and in 2018 the government sort of brought together all of the cyber expertise across government into this one place called the Canadian Centre for Cyber Security. We rebranded ourselves, so our public image is under the logo of the Canadian Centre for Cyber Security, and it gave us a mandate that is a national mandate. So it's not just defend government, but also critical infrastructure, small and medium businesses, and citizenry. So it's a full-scope program that we have in the Cyber Centre, and our partners on the U.S. side would be NSA and...

Great. I want to pick up the threads that we've started today around ransomware. You, to your left, have a copy of the report, your threat assessment report. It's a document you all update every couple of years, lots of research behind it. In that report one of the things you talked about is your concerns around companies that have been paying ransoms, and you note the stat that stuck out to me: in one of the surveys that you reviewed, only 42 percent of companies who paid the ransoms actually even got their data back. And so what is your advice to companies who are facing this challenge, and how are you supporting them in that process?

Oh, thanks. So the document Ryan is referring to is called the National Cyber Threat Assessment, and it's a document that we put out every two years roughly, and that looks at the threat landscape in Canada and the projection for the next two years. Ransomware is recognized in this year's edition, which we released about 10 days ago, as the top threat that Canadians and Canadian businesses will face. The challenge we have in Canada, and I suspect it's the same here in the U.S., is that ransomware continues to be underreported, for whatever reason, and that's something that I and the team are trying to understand: why is it that ransomware continues to be underreported? We don't have an official sort of government policy or government directive on payment of ransom;
the recommendation is not to pay, and then ultimately, at the end of the day, it is a business decision if a company wants to pay the ransom. There's a business decision, but know that in paying the ransom there's a number of sort of fine prints that they need to be aware of, and getting the data back is one of them; dealing with a criminal organization is another one.

As far as what are we doing to support them, we launched a fairly large campaign last year, last December, to bring attention to the ransomware issue, and it was the first time in my career at CSE, and I've been there 30 years now, it's my first time that I see four cabinet ministers send a letter to businesses inviting them to pay attention to the problem. Not inviting them, basically asking them: please pay attention to the problem, this is a serious thing. This was an open letter to businesses. Along with it we published a playbook to help companies with how to protect themselves from ransomware, but should they fall victim to ransomware, what can we do to help them sort of in the recovery phase of ransomware. And it's a playbook that has received very positive feedback. That's also on our website.

You mentioned in your comments that a lot of them don't report it, and you also cite in your report that you, more broadly, don't get the kinds of reports you wish you got about incidents. And it's come up around the room today, and others have asked folks to report. Why should businesses take that risk? Why should they get past the general counsel and talk to you, and what do you bring to bear if they do?

Do you have a sense of the scale of the problem? Last year we received 304 reports of ransomware. Considering the size of Canada, considering the businesses in Canada, that is way underreported. And to try to tease out why is it so, we've been engaging with companies, and we get all sorts of, I would say, explanations as to why is it that they don't report. Some of them say, you know, my cyber insurance policy prevents me
from talking to you. Some of them, you know, legal counsel is concerned about, maybe, misunderstanding our mandate as a pure cyber defense agency: we're not law enforcement, we're not a regulatory agency. But I think there is value in reporting, and that applies equally to Canada and to the States. By giving us visibility into the nature of the incidents we can then understand what happened, we can understand maybe who did it, we can update our advice and guidance (we constantly publish advice and guidance), and if we connect enough dots we might identify a campaign that is launched maybe by a cybercriminal, or a nation-state campaign targeting, you know, research labs or whatever. So there is absolutely value in us understanding what happened, understanding how it happened, but also connecting enough dots to start to paint a picture of what actually is going on.

And do you have examples where you've been able to do that? Are there situations where you've been able to step forward or paint that picture?

We have. We've had a number of cases where, in the early days of the pandemic, we've connected enough dots that we understood that, for example, there was a Russian-led campaign against COVID research labs, and then we participated with our international partners in calling out that activity, to say this is unacceptable, this is crossing some red lines in terms of cyber norms. So that is an example of having enough connected dots to identify that there was a campaign. Beside that, I think we've seen a number of municipalities unfortunately being hit by ransomware. Knowing what is the strain of ransomware that has hit, we are able sometimes either to pass it on to law enforcement or, at CSE, we do have some authorities to conduct active cyber operations and impose a cost on some of these cybercriminals. So again, that is the value. It's not something that we're going to publish, "we're launching a campaign tomorrow" or
anything like that, but behind the scenes we are fairly active in making sure that there is a cost to conducting these activities.

Yeah. I want to stay on this for just one more beat. In that same threat assessment we talked about cryptocurrency and its relationship, and obviously we had a panel earlier today where we talked about U.S. responses around issues around ransomware and cryptocurrency, and what the government in the U.S. is doing around those issues. I'm interested in how the Canadian position is, and how it aligns with the work. I know you work closely with the U.S., but I want to give you a chance to talk about the Canadian position, and perhaps how you're addressing that threat and how you're trying to advise Canadians and Canadian businesses on that.

In our National Cyber Threat Assessment, for the first time, we also identify as one of the five themes in the document emerging tech, or disruptive technology, and more specifically digital assets, cryptocurrencies, and how it is a capability that is a double-edged sword. It is an evolution of maybe the financial market, but it's also used by cybercriminals. There is currently no prohibition or no mechanism in Canada to control cryptocurrencies or exchanges or mixers or any of that, but we are participating in the White House-led Counter Ransomware Initiative, so obviously, as one of the 36 countries around the table, we do work with our U.S. colleagues to make sure that we're aligned in our thinking on how do we manage that space. I think eventually we will pay attention and maybe pass some regulation around that. There is currently regulation for, I would say, the standard money flow, illicit financing; eventually we will get to the cryptocurrency itself.

Right. Let's change gears and talk a little bit about distributed work. There's a section also in your report where you talk about hybrid and distributed workplaces. We were all forced to work from home during the
pandemic, including government offices; many had to work from home, and that, as you know, really expanded the attack vector, because the office was actually the home office network, and they're typically less secured. And also I have, you know, 42 devices connected to my home network, including my kids' Nintendo and whatever IoT devices. And so how are you thinking about that in terms of advising around cybersecurity and the increased threat of home working to cyber attacks?

I think hybrid work, remote work, is here to stay, and it's going to be part of the future of work as we see it. We have, obviously, a concern with bring-your-own devices and maintaining the security of those bring-your-own devices. So for us in the Canadian government, the position that we've taken is that it's a government-issued device, it is VPN always on. We have enabled in some cases split tunneling, but I think we are seeing that there are some issues with the way departments have implemented split tunneling, so we're preparing some updated advice on how do you split tunnel. Also, we've seen folks take advantage of the VPN, or at least trying to break into the VPN or circumvent the VPN, so for us that's why the advice is VPN always on. We've seen cases of... our recommendation is actually to also move into hard tokens as opposed to just soft tokens like PKI certificates or things like that. So we continue to raise the bar on security for the work from home. It used to be that the perimeter of the building used to be enough, but now, because the perimeter has been expanded, we have to look at what other things do we do to complement our security at home. Obviously we don't want to touch your home IT and we don't want to control your routers, so how do we make sure that the work device is protected? And that's why we are definitely promoting the always-on VPN and smart split tunneling.

And what about the sort of broader infrastructure? I mean, Canada had quite a high-profile network failure
very recently: Rogers, one of the big telcos in Canada, had a multi-day outage that took down cell phone service, payments, a bunch of banks, concerts canceled, everything. Much of the country ground to a halt when one major provider went down. Their story is that it was not a cyber crime, it was actually a failure to update their systems properly, but obviously it would raise big questions. As someone worried about the broader infrastructure of the network, how do you think about that piece, when you know that network also provided home internet to millions and millions of subscribers across the country?

Yeah, that was a very challenging day, waking up and recognizing that internet is down, not just at home for me but the whole province of Ontario pretty much, or at least all the users of Rogers were down. And it was a frantic set of phone calls just to try to identify what is happening. It turns out that this was not a cyber incident but it was, I probably called it a QA issue, in a software update that brought down the entire network in an unfortunate cascading sequence of events. It has brought to the forefront the whole issue of resilience, probably one of my favorite words, and now the telcos are working together, Rogers, Bell, Telus and some of the other big operators in Canada, to look at ways to build resilience amongst them. So that if, you know, it just happens that the seniors had two SIMs or three SIMs and they could swap the SIM out of their phone and switch to another one, but Canadians cannot do that, they cannot afford to have, in case of emergency, break glass and take a SIM from another operator. So how do the various operators make sure that if there's a failure on one, maybe there was some resilience on the other one? It's a work package that has been prescribed by actually our Minister of Industry, and we lead the conversation amongst the telecom operators to make sure that that progresses. So there is a commitment
that has been made, there are some letters that have been signed. Obviously implementation, the devil is in the details, and that will take some time, but definitely it opened our eyes to how fragile we could find ourselves.

I want to use the last bit of our time to talk about China. Yes. Russia has been front and center, but China is also an ever-present concern, and Canada has a fraught relationship, especially more recently; even just yesterday our Prime Minister was in a bit of an argument, perhaps, with the Chinese president at a meeting. There are concerns both on the hardware side and also on the state actor and state behavior side. From your perspective, do the West and China sort of need to have a complete cleavage of technology, or are there ways for them to find that they can work together? Are there terms under which you could feel comfortable with that kind of a relationship?

I don't think that the complete cleavage of technology is a workable option, and international standards are there for a reason; they're transparent and open, and we need to work together with like-minded nations to do that. Obviously transparency is very important, and for as long as that technology is not transparent we will be challenged in adopting it. We have managed to work with our telecom operators to manage the risk around Chinese technology, but it is ever in the backdrop of our threat landscape. And then again, in the report we call out China and Russia and Iran and North Korea as state-sponsored activity that are of concern. So the key word here is transparency, and I don't think anything will change until we have some clearer transparency.

Yeah. Sami, thanks for coming to speak to us, thank you for the work you do.

Thanks, I appreciate it.

Yeah, all right.

[Applause]

I'm honored to introduce our final speakers. Before I do, I'd ask you to consider two questions: did anything you learned today change your perspective at all? Are you going to do
anything different tomorrow? If not, then I have faith that our closing speakers are the right two people to help you answer those questions with a firm yes.

First, John Carlin. John Carlin recently returned to private practice at Paul Weiss as co-head of the firm's cybersecurity and data protection practice, after serving as part of the leadership team of the Department of Justice. John served as a top-level official in both Republican and Democratic administrations, including as the acting Deputy Attorney General of the U.S., the top national security official for the DOJ, the chief of staff of the FBI, and as an experienced AUSA. John is also the founding chair of the Aspen Institute's Cybersecurity and Technology Program, and has now been named a strategic advisor and chair emeritus for cybersecurity for Aspen Digital.

And second, Kemba Walden. Kemba Walden is the Principal Deputy National Cyber Director in the Office of the National Cyber Director. Previously she served as assistant general counsel in Microsoft's Digital Crimes Unit, responsible for launching and leading the DCU's ransomware program. Prior to Microsoft, Kemba spent a decade in government service at the Department of Homeland Security, most recently as a cybersecurity attorney for the newly created Cybersecurity and Infrastructure Security Agency and its predecessor. Kemba was appointed to the national Cyber Safety Review Board and also serves as an adjunct professor at Georgetown University in the School of Continuing Studies. And now, if everyone will join me in welcoming Kemba and John. Thank you.

Thanks, Jeff. And maybe we could start, Kemba, a little bit with: you're in a new position and a new acronym for the government, because we need more acronyms, but it's about the one-year anniversary. Happy anniversary.

Thank you.

But could you describe a little bit? It went from one person in an office, I think, to getting funding, to what is it today?

So let me give you a little bit of ground. ONCD, the Office of the National Cyber Director, was created by statute in
January of 2021. Chris Inglis, the director, was nominated by President Biden in April, he was confirmed by the Senate in June, in July he walked into the White House, but it wasn't until November of 2021 that we were appropriated. So the first full-time employee came on in December, so by all counts this is pretty much our birthday; we've been operating for about a year, and building the plane at the same time. We are luckily... not a lot going on in cyber during that time. It's been, we've been sprinting a marathon, we've been doing quite a bit. So we have somewhere close to 70 employees now, which gets us to initial operating capacity. For a White House office that is large, particularly in policy and strategy; for an operational mission that is very small, meaning that we really don't have an operational mission in this space, we have a tiny one to the extent that we do.

When we hope to get to the full operating capacity early next year, what does that look like, how big would that be?

So I think that that'll be around 100 people, and that's what we need to be able to execute our strategic intent. So we have four outcomes that we're seeking to drive: federal cohesion, so that not everybody has to have a PhD in order to operate in this space or understand how the space operates. We weren't created in a vacuum; clearly there's a lot of cyber to go around, and you were there when we got stood up, there's plenty to do. And one of the things that we've done in our office to sort of demonstrate how we're thinking about federal cohesion is to dual-hat Chris DeRusha, who's the Federal CISO in the Office of Management and Budget, but he is also the Deputy National Cyber Director for Federal Cybersecurity in the Office of the National Cyber Director, so that he is able to... we don't compete, right, in that space, so there's no confusion, there's no competition between OMB and their roles and responsibilities in federal cybersecurity.

So, executives: OMB, that's the Office of Management and Budget. And a question: sometimes
this post was referred to, or was the debate about it on the Hill, as the Cyber Czar. What do you think of being called a czar? What does that make you, principal deputy czar? How does that work?

Well, I think that's less lovely to be considered a czar, but that's not what I do. We really think about strategic investments necessary to achieve our North Star in cyber, and by our North Star I mean the cyber community's North Star, which for me, no matter whether I'm in the Office of the National Cyber Director or in a non-profit or at Microsoft or any of the other positions I've had, it's really to make sure that communities are able to thrive and prosper in this interconnected world, full stop. So we are here to help drive the cybersecurity strategic investments to enable that. Cybersecurity is a means to that end, so we don't do cybersecurity just for the sake of cybersecurity; we really do it to make sure that communities, individuals, businesses, academia are able to thrive and prosper. It is a national security issue that we are here to resolve, but it's also one of economic opportunity.

And some will say you're too small, but some will say, what do we need another 100 bodies for, and yet another department or agency, an acronym in government, we have so many already? Isn't the problem that no one's in charge? Are you in charge? Who's responsible, ultimately, for making sure that everyone rows in the same direction?

Satisfying answer, but we're all in charge of cyber. We all have a role to play, and I know that I'm not as silver-tongued as some, but the visual I like to give is: what's the purpose of the cartilage you have in your body? It's not necessarily the most important thing by anybody's imagination, but it rationalizes how your fingers operate with your wrist, with your elbow, with your arm. Think of us as that connective tissue, right? We're here to rationalize what we have, we're here to make sure that we
have appropriate roles and responsibilities, appropriate accountability and responsibility. Cyberspace is really thought of, from my perspective, as three pieces, right? The technology that we all know and love, we have the CIA triad, think about software and hardware and security. But we have people in cyberspace: people develop cyberspace, people use cyberspace, we're not under it, beside it, we're in it. But then we have the roles and responsibilities, the doctrine, the process: how do we think about who's responsible for cyberspace, who's accountable for cyberspace? Because if we're not guarding the gates at that level, transgressors will walk right through. It's the easiest thing to do. It is certainly much easier than coming up with a zero-day at that technology level. And so all of us have a role to play in cyber. I know it sounds like a slogan, but it's truly how we think about strategic investment, how do we think about who's responsible and who's accountable. I am, as well as anybody else in the government, as well as anybody that uses cyberspace.

Well, let me ask about that investment then. I have a daughter; she's encouraged to use digital platforms, the school is required in fact to use digital platforms, in school, to be on the internet, but she's not taught cybersecurity as part of the curriculum. If everybody's involved, what's your strategy about reaching kids in the schoolroom, people in college, people at different stages of life?

I'm so glad you asked that, because this is an area that I'm passionate about, this is an area that our office is passionate about. So we are working right now on a national cybersecurity workforce and education strategy, really trying to take a holistic view of this. You might have heard from Camille Stewart Gloster, our Deputy National Cyber Director for Tech and Ecosystem, talk about this in a bit of detail, but essentially what it is, it's an opportunity to take a look at and figure out what the strategic investments are to raise education and awareness of the K-12
system, those that use cyber, those that use the internet, to figure out how to make these spaces cyber safe, and then also to fill the pipeline for those professions that implicate cyber, and more importantly for those jobs that have the word cyber or IT in them. But it really starts at that elementary school space. I have children too, and it keeps me awake at night that my daughter could literally start a national security incident, just like your kids could, if they click on the wrong thing on our home computer.

So she's unique with the cybersecurity education. All right, what's three tips? What should people do at home to make sure that they're educated in this space? Is there a book they should read? What are the kind of tips that you've been doing to be secure?

You know, have a... and I can't endorse any particular tool, but on the technology side, have a key for your password, a password key, right? So have multi-factor authentication, have random, completely created passwords, but I use a password key lock, I can't remember what the technology is called, but I use that on my systems. I use a VPN. But there are lots of basic cyber hygiene tools you can use. My children know what a VPN is, they know what a password is, they understand how it works, they understand that if they're going to have technology in our home that they have a responsibility, there we go again with the responsibility and accountability, for safety, right? It is just like in our homes, right? It is my responsibility to make sure that the alarm is turned on, that the locks are locked, but it's my children's responsibility not to unlock the door when a stranger comes, not to turn off the alarm, right, not to play with the knives. It's my responsibility to make sure those things are up high. We all have a place in this security space, and so our kids really need to understand that. And we're working on opportunities for curriculum development for schools, we're looking at leveraging
or finding best practices. We visited a space today called Tech First, I believe, that delivers technology to those underserved communities that were hit with COVID, and they were online but they didn't have the resources; they have hot spots now. We really talked to them about delivering that technology with cyber safety in mind and really baking that in, but we need to start there.

And you also talked about development, a question on that for you. I've had the opportunity to work with you in many different hats over the years, at the Department of Homeland Security, when you were at Microsoft, now, and you've had an illustrious career in this space, but how did you get into this field in the first place?

Yeah, that's... it's a security story. So I actually, I went to law school at some point, but before I became a lawyer I went and lived overseas to do international development work. I was really interested in that North Star, making sure that communities thrive, and I did that in Tbilisi, Georgia, and sub-Saharan Africa and some through the Caribbean and Haiti. And I recognized that development really didn't take place without a sense of security and safety. And that's not a technology concept, that's just a reality in communities. When I went to law school, my purpose wasn't necessarily to get into cyber, it was to continue that work but to scale it at a macro level. As I was practicing law, though, I found that I sort of took a left turn and started working on CFIUS and export control.

CFIUS is the Committee on Foreign Investment in the United States, looking at national security concerns with foreign investment in U.S. companies.

The cases that were the most interesting... I mean, I think we were once on CFIUS, around CFIUS, at the same time. That was interesting. For those who aren't tracking, because it reviews foreign investment for national security risk, and that used to be missile technology, and then it got broadened post-9/11 to look at port security and terrorism, wind farms. How did it go from that to
according to public reporting, blocking a transaction to buy Grindr, a dating app?

Right. Well, you know, some of the most sensitive technology that we have has everything to do with cybersecurity and cyber safety. It's digital technology; we're in a digital ecosystem right now, some would call it a digital revolution. So there are some sensitive technologies out there that, if the national security risks associated with those investments aren't mitigated, could cause some significant consequence, right? So that's what drew me into cybersecurity; those were the most interesting, consequential cases. I did not work on Grindr, I can say that out loud. But those were the most interesting, compelling cases, for really trying to figure out how to measure that risk, how to mitigate that risk, and then what do you do with that residual risk. That's how I started my cyber career. So after doing that, after providing legal services not only in the private sector but in the government, to at the time Secretary Johnson and at the time Deputy Secretary Mayorkas, I went to work for the agency that was the predecessor to CISA as an attorney, and really focused and honed my cybersecurity skills there. So I don't have a technical background; I have a policy degree, I have a law degree. I am not afraid of technology; anybody in my office that is an engineer would tell you that I'm perfectly happy shoulder surfing and asking all the dumb questions, but I need to understand it because I have an opportunity to shape policy in this space.

You know, it's a critically important point. Now I think we think of the issue of board oversight. I remember back after one of the biggest hacks ever was on a database that had the personnel records of every U.S. government employee; in fact, my daughter's first piece of mail was linked to that breach, and it was notice that her identity had been compromised. And she was like one, so it wasn't a big issue for her then. But I remember that President Obama had to
try twice to convene the cabinet, because the first time everybody sent their cyber expert and didn't come, and the second time they had to say, hey, I don't care who you bring with you, but you need to have at least enough of an understanding of this, in terms you understand about risk, in order to make rational decisions. I imagine you're still confronting that now, and in your current role, how do you bring in the non-cyber people to be part of the cyber strategy?

So that's a great question to ask, because that brings us right back to that accountability space, that responsibility space. So we have, at ONCD, we leverage our convening power of the White House to bring in the C-suite, the CEOs preferably, of different industries, to have them talk to each other, to talk with their sector, what we call sector risk management agencies, so the deputy secretary level or the CISO-level person, to have a conversation. Frankly, we start with a threat briefing, to sort of get them to understand this is a business risk, because this is what's happening in your sector. We've done that in health, and then finance, we've done that in electrical vehicles, we've done a number of things like that. And then we have a conversation about vulnerabilities and mitigating those vulnerabilities and the impacts that could come from that. But it's really bringing the C-suite in and making them understand, or helping them come to the conclusion: this is my problem. This is not the IT guy's problem, this is not the CISO shop's problem, this is a business risk. I need to start thinking about capital expenditures; I'm implicated in cyber, right? I need to start putting this on the CapEx side of the balance sheet, not the OpEx side of the balance sheet. This is a capital investment I need to make in order to reduce that business risk. Cybersecurity is not just about national security, it's also about economic opportunity; the two go together in cyber.

And you've mentioned certain sectors, and I'm imagining the CEOs
that you're having in are fairly large companies.

Yeah.

What do you do? There's so many, particularly with the scourge of ransomware, as we heard earlier, but so many of the targets now are small or medium-sized companies, and if you're talking about making communities thrive, those are often the businesses you depend on day in, day out. What's realistic in terms of them spending capital in this area, understanding it, and how do you approach that strategically?

So there are a couple of things. You'll see in our national cyber strategy, whenever that comes out, I'm not committing to anything...

But you heard it here, it's coming out next week. Is that what you just said?

No, not exactly. But we're really thinking about, strategically, what do we need to do to lift and shift risk. Risk right now is borne by those small and medium businesses, by local municipalities, towns, communities. How do we shift the burden of risk to those enterprises, those larger enterprises that can buy it down, and I'm including the federal government in that sort of space, buy down that risk, and then what do we do with the residual risk? So we need a robust proposition for protecting what we have and buying down the risk, meaning everybody has to participate in that security piece, but then we have the residual risk. What do we do there? We figure out how to make that piece resilient in the people, the technology and the process. For small and medium businesses, and for state and locals, you didn't mention that but I know that's what you meant in there, but for local cities, towns, communities, starting with the basics. I had a really great conversation today with the city CISO that really helped me understand that NIST standards are great and they're helpful, but they're not necessarily easily ingestible at that local level, at the small business level. So there are a couple of things to do. One, DHS, hopefully the last panel mentioned it, but DHS has cyber performance goals that are really outcome driven, that are really
those first steps to creating a cyber plan or a cyber hygiene program, that's something practical that communities can use. On our end, it's how do we deliver services in a shared space to be able to allow small businesses, entities, to be... so for example, our procurement power. Perhaps we, and we've displayed this in 14028, Executive Order 14028, use our procurement power as the large enterprises to drive cybersecurity practices.

Pause one second, explain that executive order for folks.

So Executive Order 14028 was created by the President in order to drive certain basic cybersecurity hygiene in our federal civilian executive branch agencies, so think of non-DoD agencies, right; there's a corollary for that side. But it requires simple things like zero trust, simple in my mind, maybe not for a small business, but zero trust architecture, logging, multi-factor authentication, those basic steps to cyber hygiene. So if we're going to begin to provide assistance to small and locals or other entities, we really need to get our own house in order, and that's where that executive order has been able to help us accomplish it. It's been, in my mind, successful just for raising awareness, and I know that there are some municipalities that are using it in their space as well.

And there's some concern, I know, about this cyber strategy, and there's a debate, I imagine, about carrots versus sticks. And you talked about risk and who owns the risk. So I'm the dry cleaner, or I run a small school, I'm using software that I did not design. Who bears that risk, and are you going to mandate that I use some of those protocols? Do I have to use zero trust or I'm going to be penalized? Is it just going to be encouraged? What do you think the best approach is?

I really do think that right now it's that dry cleaner that bears most of that risk for the software developer that didn't take security into consideration when they designed the software. So there are a few things. One, we can rely on market forces to enable the software designers, or the
cloud serviceprovider whatever it isto bake Security in their design so thatthe end user doesn’t have to figure outwhat logging is and how to turn it onbut so we now Market forces to do thatbut I think in some cases Market forcesaren’t reallyevolving enough for us there areregulation might be possible andnecessary in this space to cause thoseservice providers those that integrationpiece whatever it is to bake Security inby Design whatever it is that they’redelivering to local businesses or endusers but we’re really focused on whatare those Investments how do we shiftfor example how do we use Insurancecyber insurance for those purposes howdo we really provide incentives and Ilike to focus incentives more than thepunitive measures but how do we provideincentives for baking in security byDesign so think about it I I don’t knowwhen you had I had when I had kids I hadto give up my little red car which wasfantastic and a little stick shift I’msure it was Secure but I went and boughta car that I know has a as a reputationfor security because I did not want tobuy a car the way you have to buysoftware today which which is you knowyou go and you buy the car and then youhave to go and get the add-on for thesecurity features the airbag is anadd-on the seat belts and that on theanti-lock brakes are an add-on I meanimagine if we had a system like thatthat’s kind of what we have right nowright now though I can buy a car and Iknow all the security features are inthere my responsibility is to buckle thecar and put the child seat in the backseat properly and not text and drive wewant to get to that level of security byDesign in our technology and Hardware inorder to be able to ship that risk fromsmall business owners and end users tothose that can buy it down and so that’sand so that way those communities canfocus on the prosperity and the thingsthat we expect the internet to deliverfor themlet’s um open it up for questions andget the the lights on uh for but I’llask a question that 
as they’re gettingthat ready logisticallyit’s interesting that you use thatanalogy because of course the cars andthe vehicles may be one of the mostfamous spaces where it was a very heavyregulatory approach that led first tothe seat belt right and as somethingthat was required by a federalgovernment regulationis that that’s an intentional analogyand hereum who the manufacturer then would bethe software developer so you’ve you’veuh you’ve you’ve sort of picked out mylittle secret message in there you’rethe first person that actuallyarticulated that out loud but yes carsare heavily regulated they’re fundingfor highways were linked specifically toStates requiring seat belts right sothat’s how that happened but we need toget to that space when we when we startthinking about cyber so it’s not justthe software developers it’s thehardware it’s the integrators which iswhich is a really important element inthis space it’s the whole chain it’sfrom from development all the waythrough to the consumer end productright there’s a responsibility along thewhole chain and if you had that regimewe both sat on a what was supposed to bea cyber version of a safety review boardbut it didn’t really have the uh sameauthorities as the the version forvehicles is the strategy going to tocome up with a more elaboratearchitecture of regulation in the spacethis would be a significant change wellthis is a strategy so it doesn’tum it’s it’s how we intend to invest inorder to cause change right it doesn’tcome out and now sudden we haveregulations right there’s going to be animplementation plan and other piecesthat have to take placebut it does it does talk about whatinvestments are we going to make thatthat that that that where we havedemonstrated good practices like thecsrb like the jcdc like the NSA CCC likeFBI’s activity those are the Strategicwe’re going to make bets and that’sgoing to be placed in our strategy I seea hand up I don’t want to I see thatwe’re out of time but I would love toanswer 
Let’s do let’s do two questionshi thank you so muchum I wanted to inquire about how youroffice is thinkingum in regards to so you mentioned likethe you know the National Educationum you know a program you mentioned howyou guys are going to collaborateum and kind of be the connective tissuehow are you all thinking aboutum partnering with uh the VentureCapital space to kind of plug in wherethere are gaps in um in in in technologyand uh you knowjust pieces of innovation that could beuseful for us down the line that um youknow maybe Venture capitaliststhemselves are not directly consideringbut you know like how are you guysconsidering maybe signaling to them topick up on certain things that um youall are seeing in the private sector I’mgonna do a quick recap of the of thequestion which is what’s the role forventure capitalhow could they incentivize so as wedevelop emerging technology the thewoman that you saw earlier todayspeaking about cyber Workforce is alsoresponsible for our strategic thinkingand emerging technologywe need to be able to invest inopportunities for for building Securityin at the beginning right so thinkingthink of things like Quantum AI machinelearning security needs to be built intothe processum but I want to point out wow that isan important space The Venture Capitalspace for investing in emergingtechnologycyber security like I said Has there arevulnerabilities that we need to thinkabout security we need to think about inthe people and the process layer as wellright so I’ve heard people say beforeand I’m almost there with them thatcyber security is really a peopleproblem a people issue not exclusively atechnology issue and so that’s we haveto figure out what our strategicInvestments are in those spaces probablyas much as if not more than whattechnology we need to invest in rightbecause technology is not going to solveget us all the way to solving theproblemwell thank you I think we’re out of timebut uh thank you for not just speakingwith us today 
but your long career inthis space I know I for one am glad uhthat to see you someone with your energyand dynamism and your current currentposition so please uh let’s just giveyou a warm a round of applause and thankyou[Applause]guess what everybodythank you so much John and Kemba thatwas wonderful that was our last sessionthank you so much for your attentionthank you so much for your engagementyour great questions for being hereum this concludes our session uh and uhplease follow us well I was going to sayfollow us on Twitter but sign up for ourmailing list you’re going to see that ina minute and uh have a good nighteverybody thank you so muchforeign[Music]