welcome to the Ninth Annual Aspen cyberSummit please welcome Aspen digital vicepresident and executive director VivienSchiller hello hello hello everybodyWelcome welcome to the Ninth Annual it’samazing for me to say Ninth Annual Aspencyber Summit um as you heard my name isVivian Schiller I’m a a vice presidentand executive director of Aspen digitalwe are thrilled looking across this roomI’m so thrilled to see so many um umfaces I know and then new friends thatwe’re going to meet and uh here at theabsolutely stunning uh reach at theKennedy Center we just love thisfacility and I think we’re going to havea fantastic day I also want to say a bigthank you to those who are joining usvirtually from all over the world um anduh the issues we’re going to be talkingabout today have never been moreimportant um um in the last year alonecyber security challenges andopportunities uh there are some of thosehave taken Center Stage we’ve witnessedas you all know unprecedenteddisruptions to Global infrastructureattacks on National Assets threats uh tothe Myriad national elections that havetaken place and continue to take placeall over the world uh this year luckilywe have an absolutely Stellar lineup ofspeakers who will be joining us todayand they’re going to help us make senseof the last year and also where we’reheaded so all of you should have youshould have been gotten for those of youin the room when you’ve registered youshould have uh paper programs uh if notand for those of you who are watching usvirtually you can see the full agenda uhand the speakers at Aspen cyerssummit.org Aspen cyber summit.org I wantto especially thank our sponsors withoutwhom today would not be possible um ourPlatinum sponsors Google Splunk a Ciscocompany and Craig Newark philanthropiesour gold sponsors Capital 1 andPWC our silver sponsors a advisersPaladin Capital group Booze AllenBrunswick group Coalition Inc recordedfuture AWS andsaic their support again not only hasmade made all of this possible for us tobe here but it has also allowed us toopen up uh our doors literally andvirtually to so many Civil Societygroups on the front lines of cybersecurity issues every day and we’regrateful uh for their turnout todayespecially from groups like latinas andTech uh the George Washington Universitywomen in cyber security share the Mikeand cyber the Consortium of cybersecurity clinics and of course all ofthe cyber civil defense uh Partners uhbefore we get going just a little bit ofuh housekeeping uh first of all we’regoing to uh Endeavor to leave 5 to 10minutes at the end of most discussionsfor Q&A if you have a question and bythe way when I say question I mean aquestion not a statement not a speech umwe will have stationary mics availablein the aisles I think you can see themfor those of you in the room here in thetwo Center aisles uh in the event of anemergency the reach staff will provideinstructions but please take a moment tolocate the fire exits around the room umand also uh on the socials uh you cantag us on X or as some of us still callit Twitter if you’re still on thatplatform at uh uh at Aspen digital anduse the hashtag Aspen cyber uh we’realso on LinkedIn at Aspen digital andwith that that it is my pleasure to getus started by introducing our firstsession of the morning which will beintroduced by Shawn Joyce the globalcyber security and privacy leader for uscyber and risk and Regulatory leader forus responsible AI at PWC over to you[Applause]Sean good morning everybody and thanksfor being here thanks Don it is mypleasure as the former deputy directorof the FBI to introduce director Raytoday uh director Ray was born in NewYork he was a double Yale I didn’t knowthat he was undergrad and then went tolaw school uh he joined King andSpalding after law school he uh afterthat he really began his law enforcementcareer in1997 serving as an assistant UnitedStates Attorney in the Northern Districtof Georgia in 2001 he was named theassociate Deputy attorney general andthen the principal associate Deputyattorney general in the office of theDeputy attorney general in DC in 2003 hewas nominated by President Bush as theAssistant Attorney General for doj’sCriminal Division which in that timeincluded counterterrorism and CounterIntelligence he was a member ofpresident’s corporate fraud task forcehe supervised the Enron task force andwas a leader of the doj’s post 911efforts he became the eth director ofthe FBI in August of2017 for the last seven years directorRay has led the FBI through some verydifficult times where the public trustin the organization has been shaken noone has done more to restore that trustand demonstrate how institutions likethe FBI are Court to not only the ruleof law but a functioning DemocraticSociety specifically in cyber securityhe has built Partnerships inside thegovernment and with the private sectorand those have culminated in historictakedowns of nation state actors likechina-based volt typhoon who targetedwastewater treatment plants andelectrical substations the FBI and dojleverage Title 18 section 1030 toactually conduct search warrants andremove malware from router throughoutthe country he has brought his extensiveprivate sector experience and emphasizethe importance of joint sequencedoperations in cyberspace that focusfocus on coordinating and teaming withthe NSA sisa our foreign counterparts inthe private sector he is an incredibleAlly to the cyber security community andplease join me in a warm welcome todirector Ray[Applause]well good morning uh thank you Sean it’sgreat to be here uh with you today uhlet me say up top while I realized thatwe’re at the Aspen cyber Summit thismorning and I promise I have some veryimportant cyber related issues I want todiscuss with all of you before I get tothose I just want to take a quick momentto talk about what happened over theweekend at West PalmBeach for the second time in just overtwo months we we’ve witnessed whatappears to be an attempt to attack ourdemocracy and our Democraticprocess and I’m relieved that formerpresident Trump is safe and I want theAmerican people to know that the men andwomen of the FBI are working tirelesslyto get to the bottom of what happenedour work is very much ongoing and we’rejust a few days into the investigationso we’re Limited in what we can say atthis point what I can sayis that we have dedicated the full forceof the FBI to this investigation andthat runs the gamut from Criminal toNational Security resources fromtactical support to evidence responseteams from forensic scientists tooperational technology personnel and Icould go on together we’re workingaround the clock to investigatethis and now I’d like to get in to thosecyber issues I promis to discuss thismorning so for three4 of a century theAspen Institute has helped leadersthroughout industry Academia andgovernment identify not just thegreatest challenges we face butopportunities we have to join forces toovercome them and while the Cyberthreats I want to discuss here weren’teven the stuff of Science Fiction 75years ago ultimately today’s threatsstill boil down to an age-old conflictthe conflict between good and evilbetween the rule of law and thecriminals and foreign adversaries whoseek to harm our people ourorganizations and our businesses andunfortunately then and now there’s noshortage of bad guys out there lookingfor ways to hurtus so where does that leave us well it’salmost inevitable these days that yourorganization will be the victim of somekind of Cyber attack and when thathappens working with the FBI can helpyou navigate what otherwise might be anincredibly costlyordeal and to be clear in many casesthat may even mean saving yourorganization money now just how muchI’ll get into in a few minutes workingwith us can also save you precious timehelp you reconstitute your operationsfaster and may keep not just yourorganizationbut the American people themselves saferfrom futureattacks it is no secret that the volumeof cyber incidents has increasedexponentially cyber criminals and nationstate hackers alike have demonstratedthat they’re not only willing but moreand more able to hit the services peoplereally cannot live without things likehospitals and schools you utilitycompanies and transportationproviders between 2021 and2024 15 of our country’s 16 criticalinfrastructure sectors sectors liketelecommunications Energy emergencyservices all fell victim to ransomwareand that’s justransomware because those services are soessential criminals and hackers backedby nation states know that they canscore big by One locking up your datauntil you pay an outrageous Ransom twoconducting what we call Double extortionstealing your data and then threateningto release it or sell it to the highestbidder and three conducting tripleextortion by preventing access to yourwebsite through denial of serviceattacks or by harassing or threateningyour organization’s employees andexecutivesso given the ubiquity and the severityof the Cyber threat more and more it cansometimes seem like the odds are stackedagainstus mindful of this evolving landscapefour years ago I announced a newstrategy to drive the FBI’s cyber workthe Cornerstone of that strategy is ourunwavering support for victims everyonefrom private citizens targeted byfrauders to billion dollar corporationssuffering data breaches that means thatour mission revolves around you usingevery piece of intelligence available tous to help keep your organizations andothers like them safe from futureattacks and working with you when aCyber attack does occur to help youminimize your losses and get up andrunning again now depending on thecircumstances the work we do can varyfrom victim to victim and we believe inusing every tool we’ve got to make lifeharder for ouradversaries for example when an attackhappens we can deploy one of our FBIcyber action teams these are Elitespecialty groups that can deploy aroundthe world in a matter of hours torespond to cyber attacks on site that’swhat we did last year for instance whena particular telecommunications companyfound suspicious behavior on theirNetwork and asked for our help our teamwas able to identify malicious activityassociated with volt typhoon a group ofhackers sponsored by the government ofChina they had been hiding inside thenetwork lying in weight fortunately ourcyber action team gave the company theinformation they needed to mitigate thecompromise across their system and whenwe discovered volt typhoon was alsousing a botnet made up of hundreds ofcompromised privately owned routers toconceal their activity and the fact thatit was being directed by China weconducted a court authorized operationthat not only severed their connectionto the botn net but also preventedreinfection of those victimsdevices now Vault typhoon is just onefacet of a broader campaign by theChinese government to infiltrate usinfrastructure Co-op devices in yourorganizations and frankly a whole lot ofhomes and use them to Target us and ourallies today for the first time we’reable to publicly speak about a secondjoint sequenced operation that weconducted just last week as part of ourongoing efforts to take China’s botnNetsoffline this botn net was run by adifferent group of hackers again workingat the direction of the Chinesegovernment known as flax typhoon theyrepresent themselves as an informationsecurity company the IntegrityTechnology Group but their chairman haspublicly admitted that for years hiscompany has collected intelligence andperformed reconnaissance for Chinesegovernment securityagencies flax typhoon was targetingcritical infrastructure across the USand overseas everyone from corporationsand media organizations to universitiesand government agencies and like Vaulttyphoon they used Internet connecteddevices this time hundreds of thousandsof them to create a botn net that helpedthem compromise systems and exfiltrateconfidential data but unlike volttyphoon they targeted more than justrouters flax typhoon hijacked Internetof Things devices like cameras videorecorders and storage devices thingstypically found across both big andsmallorganizations and about half of thosehijack devices were located here in theUS flax typhoon’s actions caused realharm to its victims who had to devoteprecious time to clean up the mess whenthey discovered themalware one organization in Californiafor instance suffered an all hands ondeck cyber security incident an IT staffneeded to work long hours to remediatethe threats and replace Hardware all ofwhich took swaths of the organizationoffline and caused a significantfinancialloss but but working in collaborationwith our partners we executed Courtauthorized operations to take control ofthe botn Net’sinfrastructure now when the bad guysrealized what was happening they triedto migrate their Bots to new servers andeven conducted a Dos attack against usworking with our partners we were ableto not only mitigate their attack butalso identify their new infrastructurein just a matter of hours at that pointPoint as we began pivoting to their newservers we think the bad guys finallyrealized that it was the FBI and ourpartners that they were up against andwith that realization they essentiallyburned down their new infrastructure andabandoned theirbotnet ultimately as part of thisoperation we were able to identifythousands of infected devices and thenwith court authorization issued commandsto remove malware from them pror themfrom China’sgrip now I view this as anothersuccessful disruption but make nomistake it is just one round in a muchlonger fight the Chinese government isgoing to continue to Target yourorganizations and our criticalinfrastructure either by their own handor concealed through their proxies andwe’re going to continue to work with ourpartners to ident identify theirmalicious activity disrupt their hackingcampaigns and bring them tolight of course we’re also working hardto provide your organizations withinformation to proactively buildresilience and defend yourselves beforean attack even happens that was the caseearlier this year when we joined ourpartners to warn the private sectorabout a group of pro-russian activistscyber criminals using a particular knownvulner ability to compromise operationaltechnology networks they had set theirsites across our critical infrastructurefrom dams and Wastewater systems to theenergy food and agriculture sectors andafter we sounded the alarm we heard fromour partners throughoutindustry because of the advisory we’issued they were able to prioritizefixing that specific vulnerabilitykeeping their companies and the Americanpublic publicsafe when we learn of a potential attackthrough our intelligence collection orour Global Partnerships we focused onworking with you to stop criminals andforeign adversaries before they can yournetworks like we did in 2022 to protecta major American political party’snetworks through information collectedusing our fisa section 702 authoritieswe learned how hostile nation stateactors were just days away fromconducting a Cyber attack so workingtogether with the targeted organizationwe denied that adversary’s access andprevented anydamage and as you saw from ourannouncement just last month regardingIran foreign targeting of our politicalparties remains a seriousconcern now hardening systemsfixingvulnerabilities mitigating Networkcompromise that’s all essential but whathappens if or maybe when yourorganization finds itself the victim ofa ransomware attack that you can’tdefend against and you’re faced with theprospect of shelling out millions ofdollars or even hundreds of millions tounlock your network and free yourdata well the bureau can help there tooand in factmany ways the kind of help we providesets us apart from just about everyother Agency on the planet becausevictims our highest priority we areconstantly hard at work developingdecryption capabilities to combat knownransomware variants and when we’ve gotthem we try to put them to good use I’mextremely proud to report that in justthe past two years the FBI has handedout nearly a thousand decryptors and wehave saved victims around the worldsomething like $800 million in Ransompayments let me just repeat thatpartnering with the FBI saved ransomwarevictims around 800 million dollars inthe span of just two years and of coursethat’s just the money saved in ransomsnot paid it doesn’t even include thealmost incalculable savings byorganizations not paralyzed by an attackoperations not suspended with systemsand data takenoffline and that 800 million savedironically that could have been evenmore so what do I mean by that wellbefore we can use many decryptors weneed to know who the victims actuallyare whose data each of these unique Keysunlocks so if your organization gets hitby a ransomware and then just tries togo at loone well we may not be able tomake that match we may not be able tosave you that Ransompayment now it has been more than sevenyears since I was working in the privatesector but I still think I understandthe importance of profit to a businessso let me just say this as plainly as Ican if you are a victim of a ransomwareattack call the FBI rightaway because together we can try to saveyou your moneybut money is not the only thing thebureau can help you save when you’re thevictim of a Cyber attack every secondcounts and involving the FBI right fromthe outset can save your organizationprecious time when it really matters themost in fact there was an IBM study justlast year that proved exactly that thelife cycle of the average data breach is33 days longer when the victimorganization does does not involve lawenforcement in theirresponse let me say that again databreaches 33 days longer when the victimdoes not involve law enforcement intheir response think about it can youafford an extra 33 days of downtimeafter a Cyberattack consider for example the case ofthe Los Angeles Unified School Districtwe’re talking about the nation’s secondlargest school district with 600,000students and 100,000 employees two yearsago they were hit by a ransomware attackover a Labor Day weekend and immediatelycalled the FBI and we had our experts onsite within an hour and by the end ofthat holiday weekend we had helped themhalt the ransomware turn their networksback on and restore priority systems allwithout paying the hackers a scent andwithout losing a single day ofoperationsor what about the US Cancer TreatmentCenter that was the target of aransomware attack last summer wellhackers had encrypted the center’ssystems and data leaving scores ofpatients without access to criticalMedical Care frankly it’s hard to thinkof a case where the criminals were morecallous or when getting back online fastmattered more fortunately the centerengaged with the FBI fully right fromthe start and in addition toinvestigators and Technical experts wealso deployed crisis negotiators sowhile we were busy working with ourpartners to provide indicators ofcompromise and share information aboutthe Hacker’s tactics and procedures wewere also helping the center negotiatethe ransom payment getting it from$450,000 down to50,000 then using the decryption key thehackers then provided the center wasable to resume operations all just fordays after the attack in that instanceit was not only time-saving to work withthe bureau according to the victimCancer Center it was also lifesaving but the value I think you’ll findin working with the FBI is more thanjust time and money the FBI has a suiteof unique authorities and capabilitiesthat are key to stopping and preventingattacks and essential to our work withvictimsbefore during and after theirhit one particularly critical Authorityis Rule 41 which I know a lot of peoplein this room are familiar with it allowslaw enforcement to seize and I quoteinstrumentalities of a crime thinkmalware that’s been secretly installedon victimnetworks with rule 41 search and seizurewarrants we can combat illicit cyberactivity that spans multiple Statesseizing the bad guys domains and serversremoving malware and webshell orconducting operations to kickadversaries out of oursystems in the case of volttyphoon and flax typhoon we could nothave protected our nation’s criticalinfrastructure your networks without ourrule 41 authorities and the help of ourpartners in the privatesector in many of these cases it is theprivate sector that helps us identifythe threat actors and understand thosecritical technical details and in somecases we’re able to work with privatesector companies and our governmentPartners to develop mitigation measureshelping shut the doors the bad guys havepropped open for us to continuesuccessfully executing our rule 41operations information and intelligencesharing is critical because bottom lineL the FBI our government Partners theprivate sector each tend to have a pieceof the puzzle and everyone’s got toshare their piece to complete thepicture to help us impose the greatestpossible cost on ouradversaries that’s how essential all ofyou are in our nation’s cyber securityand we need you to keep playing a rolein this space because the threat is onlygoing to get more severe more comp Lexmore challenging as adversaries likeChina Russia and Iran turn increasinglyto AI to infiltrate our networks andsteal our information we’re going toneed all the help and teamwork we canget the mission of the FBI always hasand always will prioritize victimsworking to keep people and organizationssafe providing the assistance they needin the aftermath of acrime that’s what we do and if thecriminals and hostile nation statesbehind today’s cyber threats had theirway everybody would be a victim not justyou and your networks data andlivelihoods but all Americans and theessential Services they depend on so ifthere’s only one thing you take awayfrom my time here this morning I hopeit’s this the FBI needs and wants towork with youlet us save you money save you time andsave you from future attacks so that youcan keep your organizations Focus whereit should be on your operations andtogether we can keep our nation safethank you[Applause][Music]all right good morning everyone thankyou so much for joining us today here atthe Aspen cyber Summit I’m Katie BrooksI serve as director of global cyberpolicy here at the Aspen Institute I’mjoined by kemell Walden cison Seymourand shobhan Gorman for an excellentconversation where over the next 35minutes we’re going to talk about a hugetopic which is aggregated cyber riskmany of us have been tracking this foryears with fears of large scaledisruptions this year though it enteredthe public Consciousness in a new waywhen on July 19th air travel EmergencyServices Banks and more were disruptedby a faulty update that was pushed outto operating systemsworldwide now this is certainly not thefirst time that this has happened umthere have been industry specificdisruptions impacting everything rangingfrom car dealerships to pharmaciesHealthcare and more all of these stemfrom a single point of failurethese single faults can Cascade bothboth vertically and horizontally acrossthe digitalecosystem so we’re going to dive intothis today in basically three parts oneis level setting so what is the problemtwo is how we got here so what are thebenefits and incentives that put us inthis position and what’s the problem sothe costs and then where do we go fromhere so to get started um Kemba this isa pretty complex topic um most willcertainly understand I think what wemean when we’re talking aboutmonoculture and Tech concentration umbut I want to make sure we start with acommon understanding so can you describewhat we mean in simple terms and howyou’ve seen it actually play out sure umthey’re simple terms and and they’re notwords that I’ve made upmyself uh you heard the director saysome of these words and so let me uhrepeat what some of he said and you’llalso find these words in the in thelatest cyber safety cyber SEC cybersafety review board report on storm0558 uh so the definition from myperspective are ubiquitous and criticalproducts products like operating systemscloud services Payment Systems whichunderpin essentialservices and the director talked abouthospitals schools utility providers thatsupport National Security thefoundations of our economy and publichealth and safety so ubiquitous is aword that the director said so these areubiquitous products that underpin ouressential services and it’s often we’llget to this in the second part but it’soften created in the cracks merges andAcquisitions large conglomerates comingtogether being acquired being integratedso that you get bigger and biggerproducts that underpin Servicesexcellent thanks that provides us with agreat starting point um so let’s stickin a little further so suzon are thereparticular sectors that need that weneed to be more concerned with aboutthis concentration and why or why notyeah I think so so there are somesectors that uh may be predisposed to uhconcentration risk and the word risk isgoing to be doing a lot of heavy liftingtoday so in the spirit of of kena’sresponse just to Define what I mean bythat is when I talk about risk I’mreally talking about two things um thefirst is the potential for anundesirable outcome and here we’retalking about disruptions and the secondis the Imp impact of that um disruptionwhich we measure in terms of variableslike Financial loss harm to NationalSecurity threats to public health andsafety uh reputational damage and soforth and you’ll probably notice thatfor all of those variables there is ascale of severity that’s um worth payingattention to and there are some sectorsthat are um potentially more likely tohave more exposure and have more severelosses associated with the disruptionand I’ll just illustrate what I meanwith two um examples so first ishealthare the healthcare sector ishighly vertically integrated soHealthcare organizations have made thedecision to bring various parts of theirsupply chain inhouse and they’ve donethat to improve patient care and keepcosts lower um at the same time thehealthcare sector is highly specializedand there are a number of Highlyspecialized vendors and softwareplatforms that service that sector sowhen there’s a disruption at any pointin the healthcare value chain those canthose can Cascade very very quickly umwhether that disruption by the way iscaused by a ransomware incident or an IToutage um as we’re discussing largelyheretoday by contrast you have themanufacturing sector and Manufacturingsector is highly disaggregated umtraditional manufacturers in inparticular like to Outsource all aspectsor many aspects of their supply chaineverything from like sourcing rawmaterials to to finishing to design andso forth at the same time themanufacturing sector has really embracedstandardization and interoperability sothat when there is a disruption alongtheir supply chain they can very quicklypivot and integrate new vendors veryfast and it’s thatdisaggregation and um and you knowinteroperability that makes that sectorlike a little less exposed to thesetypes of risks so if I were you know apolicy maker in the space thinking aboutcritical Services I would be looking forindicators like vertical ibration andspecialization definitely and a littlelater on we love to ask that samequestion about different sectors onresiliency so we’ll we’ll come back tothat um so Siobhan over to you thisissue has obviously been in theheadlines a lot recently I think a lotof our probably non-cyber friends in theroom have had a new interest in it havestarted asking these questions but it’sactually not new so what has changedrecently that this is hitting theheadlines and have how have you seenthis problem manifest in the hours anddays into crisis management around ityeah no it’s a great question and I meandefinitely not a new issue I mean Ithink actually it just the concept ofcyber security in the cloud wassomething that was much debated likewhat 15 years ago or something like thatand we sort of got past that but um youknow more and more in terms of how wegot here um you you are seeing just sortof these business forces that pullnetworks together whether it’s throughum you know merges and Acquisitions oror or just wanting efficiencies um thatI think that increasingly you’re justsort of seeing within companies umyou’ll have kind of a some one multiplesystems that are kind of critical nodesfor a whole host of things right a wholehost of services things that start tohave cascading impacts on a wide set ofpeople that affects Healthcare itaffects your ability to buy a car itaffects you know your ability to turn onyour computer it affects a lot of thingsand so I think why we are seeing it nowis just we’re reaching kind of acritical point where those systems umare in fact so integrated that you dohave just more single points of failureout there so there’s more surface areaif there’s a technical outage or a Cyberattack for something to go wrong andhave these kinds of cascading impacts umin terms of kind of the crisis responseaspect to it I think um you know one ispreparation is really where you want tobe right so if you’ve exercised some ofthose crisis response muscles you’regoing to be able to respond much morequickly and much more effectively in themoment um but sort of I thinkappreciating what those cascadingimpacts are going to be is very hard butprobably the most important thing youcan do because I think that one thingthat companies run into is they don’tfully appreciate the set of stakeholderswho are affected by whatever thisincident is and they’re correctly tryingto resolve the issue but they aren’tnecessarily seeing all of the third andfourth order impacts um and that isactually what ultimately gets companiesinto trouble because it’s much harder topull that back when after the Cascadesort of starts if you don’t take initialmeasures to try to mitigate itdefinitely well that provides a greatsegue into the next part which is how wegot here so diving in more closely tothe costs as well as the incentives thatbring us to this point um and so kbocertainly we’ve talked about a littlebit of the cost cost consolidation orreduction some the mergers inAcquisitions that bring us here what aresome of the other driving incentives uhspecifically for the private sector butthen also on the government side okay soI think as a nation now we are trendingtowards the idea that we are shiftinging cyber security risk from consumersto producers from the small to the bigum and that creates efficiencies that’shelpful to raise our over our overallsecurity profile across our digitalecosystem but with that shift that liftand shift of risk as as Susanna sodefinely described it um there is a nowheightened responsibility andaccountability for those cloud serviceproviders and those those PaymentSystems whatever it is those Enterprisesthe federal government there’s a higherlevel of scrutiny a higher standard forbuying down that risk so we’re shiftingrisk from those that are underresourcedto buy it down rural hospitals andmoving it to those that are betterresourced to buy it down so that’s thethat is the benefit of some of thisconsolidation some of this aggregationso now we know where to look for therisk and buy it down and we are going todeploy all of our resources and our byour I mean the private sector and thegovernment’s resources to buy it down umso those are the incentives those arethe benefits it helps small mediumbusinesses it helps individuals it helpsunderinvested communities um thedownside though is that now all thatrisk is concentrated and um vote typhoonand flex typhoon know exactly where togo look and attack right that is thedown side so there there are morethere’s more light on those that have ahigher standard of buying down the riskthat’s where we are I think as a nationfor fig that’s what we need to figureout together how do we do that moreeffectively and more importantly how dowe do it how do we make it moredefensible the system right um and howdo we make that system more resilient Ithink there’s a lot of work that stillneeds to be done there but that’s thecost definitely and suzan I want tobring in you into this conversationabout the split between private andpublic centor incentive incentives wherethey are now and where they should gofrom here what are your thoughts yeah Imean I I’m not sure that I have too muchto add frankly to um to kemba’s answerwhat I would say is just you anobservation to add um to complement thatat the end of the day this is really allabout trade-offs and managing risk um soand where you sit will influence how youview that risk and how you make thosetrade-offs and the costs that go withthem so if you’re sitting in governmentat the core of this conversation is thepublic policy tension between umleveraging the societal benefits thatcome with economies of scale and ummitigating the costs of concentrationrisk if you’re a chief risk officer in aprivate business on the other hand thedecisions that you make aroundconcentration risk are going to sound alot more like what operationalefficiencies am I willing to give up forsecurity um what will that cost me andwho makes that trade-offs will you knowit will differ it businesses we’retalking about boardrooms Etc but reallyit is about values and tradeoffsdefinitely and so Shaman we’ve seen thisconversation about the shifting of riskum to to those that they can hopefullyhandle it at the Enterprise level um areyou finding that uh many of those folksin those seats are prepared for thatshift in Risk are they doing thesecontingency planning business continuityplans or what what’s happening on thatend for the preparedness piece um I meanwe are seeing increasing attention to umplanning around how to respond andbusiness continuity and particularly theintersection of business continuity andcyber crisis response because obviouslyransomware but a lot of other sort ofbusiness continuity issues come up withwith cyber security so we are seeingincreasing attention um I think rightnow it’s still largely from thetechnical standpoint which is good andthat’s really important and frankly justsort of based on some of the recentcyber incidents we’ve seen we probablycould do even more there because I feellike more often than not what youusually hear in terms of like the rootcause of an incident it is um you knowan an an IT professional making acalculated risk you know accepting therisk because it was needed for some sortof business purpose but that’s notnecessarily a decision that’s made at aparticularly elevated part of theorganization and so you know even theseeso may have no idea that that’swhat’s happening and certainly people inthe SE Suite probably don’t know and sothese are risk acceptances that arebeing taken fairly low down in theorganization and I wonder whether itmakes sense you know to just kind ofstart elevating that at least for reallytruly critical systems whether it’scritical infrastructure or you knowsystems um that that just have a largenumber of people businesses Etc relyingon them um I’m sorry what was the otherpart of your question my B but no thatthat was great and I actually have afollowup on that so um I’ve spoken withmany SOS some of here some of whom arehere in the audience um how have youseen organizations successfully shiftthis from an it problem to anorganization wide problem and bringingin all those stakeholders that should bea part of the business preparednessplanning yeah no exactly and actuallythat was that was probably the secondpoint I was going to make that for sureit needs to be uh addressed at the itlevel but I do think that what we areseeing is all of the cascading set ofbusiness impacts right and so businessesneed to be planning um both from a agovernance standpoint you know are youreally thinking through roles andresponsibilities in terms of broadercrisis response business continuitycyber crisis response um and are youreally thinking through through um thesort of how your your broader sort ofbusiness is going to interact with anycomponents because we see a lot ofissues where you know either they it’slike a holding company with subsidiariesor just a sort of more of a Federatedbusiness organization they have a reallyhard time organizing among themselveswhen a component of the business isaffected and there are sort of larger uhissues at stake than just that componentof the business so I think that kind ofthinking through the business-wideimplications and then who thestakeholders are on the other side whomay be affected by it and how you wouldreach out to them connect with them uhcommunicate with them um and help themum is really important absolutely um sothat I think takes a really goodorganizational lens to it um suzan wouldlove to go over to you and zoom out tokind of an industry lens um I think inJuly there was a lot of discussion aboutwhat does this mean for the CyberInsurance market so we love to turn toyou and and hear how you’re thinkingabout that aggregated exposure to riskyeah sure so so um I I will sort ofstart by saying like you know what theinsurance sector does is that we ofcourse when a business decides totransfer their risk we will take some ofthat on board and it’s important for themarket to have confidence that we’redoing that responsibly and sustainablyif if I say one thing about insurance orif you remember one thing about cyberinsurance today I hope it’s this we donot view our exposure to aggregatedDigital Risk is static and we take avery Dynamic approach to managing itBeyond which policies we writeum so I’ll just take a step back DigitalRisk does not behave the way that manyother um causes of loss in Insurancebehave like flood or fire you can’t moveyour home out of the path of a hurricanebut we do the digital equivalent of thatall the time in cyberInsurance um so we have an aggregatedcyber risk model that takes 48 trillionevents a month and that model gives usinsight real time into to which of ourpolicy holders may be affected by anoutage or vulnerabilities and we usethat information to work with our policyholders throughout the life of thepolicy to mitigate that risk uh and I’llgive you a concrete example so if rightyou know right now a vendor discovers acritical vulnerability it’s a knownexploited vulnerability assit issues ofrelease whatever we realize it’shappening the first thing that we do iswe scan our Brook of business weidentify the affected policy holders andwe reach out to them very quickto alert them that they are affected wealso make technical assistance availableto help them remediate that risk therebyreducing the likelihood that they willbe um breached and that essentially isthe digital equivalent of moving theirhome out of the path of a hurricane gotit that’s really helpful insight to hearand certainly um interesting to get thedynamic component of that there as wellum all right Kemba over to you I want togo back to the role of government in allof this uh aggregated risk um what roleshould the government play in managingthis for society in general and fortheir ownsystems I think government is in aunique position to be able to take alook at the entire landscape much likethe insurance Market frankly but um takea look at the entire landscape not onlythe digital infrastructure that thegovernment relies on to deliver PublicServices um but the digitalinfrastructure that of our criticalinfrastructure owners and operators andwe are able to look Beyond borders uhand because we have a collaborativenature with uh you know many of our nearallies and and allies uh and some of ouradversaries to figure out what’s what’stheir what’s in common so there are acouple of observations uh for governmentfirst um government through itsregulatory power and authorities legalauthorities you know you heard directorRay they can go and arrest people andgive you the encryption key decryptionKeys uh we can Reg ulate so that certainessential services and certainubiquitous critical providers uh raisetheir cyber security uh bar um but alsowe can see a lot of technical debt Iknow this is not sexy or exciting um butwe can see a lot of technical debt andwe can invest in fixing that technicaldebt so that we can be dynamic and movethe the hous out of the path of thehurricane at any given moment um we canencourage industry and the federalgovernment those that are more resourcedto buy down risk uh to make cybersecurity a capital expense rather thanoperational expense right much like anautom manufacturer will havemanufacturing tools that are capitalexpenses your cyber security toolsshould be capex not Opex so your itdepartments and the things that they usein order to protect the business becausethat’s to be clear that’s what they’redoing they’re protecting the business byprotecting theinfrastructure that should be a capitalexpense um but those are the ways we canarrest our way out of it we can helpwith the infrastructure technical debtuh and we can regulate and provide someminimum Baseline of cyber securityacross the digital ecosystem that’s areally helpful overview and where areyou seeing some of these conversationshappen operationally across governmentnow kind of who has the lead on that Iknow it’s in a few places it’s in a fewplaces and maybe the United States isnot the easiest place to figure out whohas the lead on that but I will tell youjust from my experience as the theformer acting National cyber directorthere is one of those at at a minimum ineach country uh and so you would ask whywould the national cyber director travelso much because there’s a national cyberdirector in Singapore or in Israel or inNigeria or in Costa Rica and Etc um andwe are all trying to solve similarproblems maybe slightly differentcontexts but similar problems acrossdigital ecosystem Nate Vic is in theroom somewhere he’s he’s um our and wehave a few International diplomats whoare looking at the foreign policy pieceof it uh and and so I think being ableto mirror each other’s strategies um andeach other’s actions and putting moneywhere our mouths are in each one ofthese jurisicis going to raise the bar for the entiredigital ecosystem absolutely did Ianswer your question no that was perfectand certainly gets into the component ofuh International coordination on thiswhich is a key part as well especiallyfor some of the more Global uh issuesthat we’ve seen recently so I’d love tospend the last few minutes that we haveall together uh speaking aboutresilience so getting to a place ofoptimism before we close um so suan Ithink you and I were speaking recentlyabout kind of different approaches in inthe immediate moments after a crisis andhow different entities May communicatethat to end users so what does successlook like for that even when you’re youknow experiencingdowntime I mean in in the the in theresponse time I mean I would just Echosomething that sioban said earlier thetime to prepare is not um is in advanceand to understand so this is somethingthat we really saw I think in July 19one of the um you know I thought it wasa really instructive event that soundsawful to say but it was quite usefulbecause in the United States what yousaw was that within the same sectormultiple businesses that were seeminglydealing with the same challenges had avery different um ability to respond inreal time with metrics that are clearlyvery public and I think what that tellsyou is a couple of things uh the firstthing that some of these organizationswere much better at preparing and knewwho to contact in the moments internallyand the second thing that I would say isum communicating to the public what’shappening um in real time is quiteimportant um making it clear I think wesaw saw a lot of the organizations thatwere responsible that were clearlypointing back to um the to crowd strikefor information uh in real time and Ithink that was the The Right Move uh sothose are the kinds of things that Iwould think about in terms ofcommunications and really just theemphasis should be preparing to respondin advance absolutely and Shan wouldlove to go over to you with the samequestion what are the ingredients forSuccess when you wake up one day andfind out things aren’t going as plannedyeah um I I think that againunderstanding sort of who is affectedthe most about you know through thisthis situation and trying to communicateto them um you know often it’s customersright so if you’re a business that getshit or you have systems that are down umfiguring out how it is that you cancommun communicate your to yourcustomers and also thinking through umagain with some pre-planning like whatare multiple ways that you can do thatright so if your systems are down how isit that you can actually reach um andand maybe it is publicly maybe it’sthrough you know broadcast television ormaybe it’s through social media orsomething like that that but it’s goodto know in advance sort of what the gameplan is and sort of plan a plan B plan Cfor reaching at a minimum your customersand your employees right because thoseare going to be groups that you reallydo need to reach um in in a majorincident like that um but I think thatit’s it really does come down back toresiliency and it is resiliency on thetechnical side it’s resiliency on theoperational side it’s resiliency on sortof the the the communication side whereyou’re thinking through okay like what’sthe backup plan um and I think thatincreasingly hopefully especially aftera set of instructive sort of incidentsthat we’ve seen over the course of theyear um I hope that that companiesorganizations governments too are kindof thinking through how is it that umwe’re going to build in a little bitmore redundancy into our responseprocess and the whole response processso it’s not just the technical side butalso sort of the more sort of corporatebusiness side of it as well excellent umso I think we actually will have timefor one audience question um K I’ll goto you with a final question before weget there but want to cue that up firstif anyone is interested in asking aquestion of our panel please feel freeto cue at the microphone here um fewground rules please go ahead and stateyour name in affiliation and please makesure your question ends in a questionall right um so Kemba we’ve talked alittle bit about resilience and and whatthat means um from kind of immediateFirst Response uh Viewpoint what does itlook like in government again when youwake up and see those headlines oneday so I when I wake up and see thoseheadlines now now that I’m out ofgovernment I can I can roll over and goback to sleep which is nice umso what could be helpful to governmentand there are a lot of things thatgovernment can do to be helpful toIndustry I’m I’m aware but what could behelpful for government is if thatindustry or that that entity that hasthe most information about a Cyberattack or is the biggest victim of aCyber attack has a decision maker I knowI’m calling the the pot calling thekettle black but a decision maker rightso that incident responders whetherthey’re government incident responderswhether they’re private sector incidentresponders and all of them need a singledecision maker if you are talking to auh a siso or chief security officer thatsecurity officer should be able to pulla business offline without having tocall the CEO to to talk to the boardalso um because time is of the essenceso having a single decision maker Ithink would be something extraordinarilyto the government the other pieceis please know who your FBI specialagent or your your sisa cyber securityadviser is on the ground and have theircell phone number written down on apiece of paper just know who that iswell in advance because as the Directorsaid if you call the FBI immediatelymaybe we have a decryptor that if in aransom or case that we can come andsupply and deploy or if it’s if it’ssisa the same thing but no know who thatperson is at that local level and havethat number written down on a piece ofpaper because if your system’scompromised you’re not going to get itout of your whatever your your contactslist um so those are the two things thatI think would be extraordinarily helpfulto the government have a single decisionmaker that can make business decisionson a dimecontact your local c a contact on apiece of paper can I just add one quickthing I think in terms of one decisionmaker I think the the single greatest umchallenge that we see companies goingthrough in a cyber incident is the lackof a crisis captain and so it’s it’sreally it’s the same kind of thing butit’s the decision it’s the decisionmaker to speak to the government orother external folks but also to callshots internally because companies Spinand they lose time and then it can getaway from them definitely I like thatterm crisis Captain I don’t think I’veheard that before but yeah single persondecision maker to to lead folks throughthe fire all right um excellent if youwant to queue over at the mic that wouldbegreat Virginia Griggs Healthcare it itspace um epic and CERN or now Oracle ownHealthcare it and I think it’s a hugevulnerability um you all are geniuses umin the um so can you speak tothat so specifically the the health caresector or the healthcare you Hospitalproviders more so than the like mentalhealth sector where most of that’s stillnot fullyautomated but the patient medical recordthe ronic medical record where all thepatient data resides yeah and duringcovid it was opened up so that we wouldknow have access to people’s covidresults across the country so there itmade it more vulnerable versus Hippatried to lock it down got it so some ofthose concerns around pii being involvedhere does anyone want to takethat I can please no I can start but Iknow you both have a lot to say becauseof of where you sit in theinfrastructureum so just from a I’m a old lawyer froma lawyer’s perspective we’ve got Hippawhich is which is not about security umbut that is what governs a lot of thoseelectric medical records uh and sounfortunately we don’t for my opinion wedon’t have yet the legal framework toaddress exactly that issue um true storyI’m the I’m the some of you have heardthe story I’m the black sheep of myfamily my family I’m I’m a lawyer I comefrom a family of doctors who run clinicswho um rely on medical records in thatway electronic medical records and it’sand it freaks me out um but a lot ofthese vulnerabilities and so I’m givingyou my assessment more so than an answerthe answer is we need more Authorityaround cybercity of Healthcare systemsthat is my answer from Congress butthese vulnerabilities are illuminatedbecause of all the merges andAcquisitions and aggregation of thesedifferent systems coming together andbeing governed under Hippa which is notwhich is an important law but not asecurity law and so there’s a there’s agap there anything to add over here I Iwould just add to that that I thinkwhile we wait for Congress to act whichmight take a while um you know companiesdo have a role to play just sort of interms of like self- policing their ownnetworks right and so identifying youknow if if you do hold a lot ofelectronic medical records eitherbecause that’s your business or yourbusiness relies on it you know how is itthat you are building in um bothredundancies in terms of making surethat there are other ways to have accessto it if certain types of systems godown as well as sort of additionalprotections or access controls orwhatever else is needed that I think inin cyber we’ve often sort of thoughtabout what are the crown jewels and Ithink it’s not it’s not so much the dataanymore it’s actually more the systemsand so how is it that you are bothprotecting and creating resiliencyaround sort of the really Key Systemswithin your company to make sure thatthat you can bounce back as quickly aspossible you’ll have to deal with HIPPAyou’ll have to deal with all the datapieces but I think that anything that isblocking kind of critical care to peoplein in some sort of way is going to takeprecedence over kind of working throughwhat the the data notificationrequirements are which are obviouslyimportant but it’s got a longertale I I will just add on um just in thedays following change Healthcare therewere a lot of questions about whetheryou know um Market concentration sincethat’s what the topic of the panel likeis that a problem in healthcare areoligopoly a problem in healthcare and Iwould caution against sort of movingdown that line really at the end of theday olop and and the market movestowards concentration for good reason umand there has to be value judgmentsabout whether we accept the risks withthat but large organizations are able toinvest heavily in research anddevelopment to the benefit of societythey’re able to spread fixed costsacross a number of stakeholders so thatyou know costs are brought down um forfor many of us andbut at the same time the largerorganizations to your point on dataprivacy they become more attractivetargets to to criminals so there is a atrade-off there and the the question isare we making the right tradeoffs and ifwe don’t think the private sector ismaking the right trade-offs on their ownum then there that’s you know I knowthere are a lot of students in herethat’s a market failure right like froma policy perspective you have to step inand and and regulate or legislate sothat’s um you know I would just keep inmind that really are talking abouttrade-offs and value judgments here andif we as a society don’t think that thatparticular sector is is um making theright tradeoffs then that’s the time fora policy to jump in I do think we haveto think about that healthc care sectorin in different ways um because youmight have a clinic or a ruralhealthcare provider whose job it is toprovide HealthcareServices e[Music]um I’m going to I like it I’m going toadd get rid of your technical debt allright excellent well with that thank youthree so much for joining us todayreally appreciate it and we’ll move onto the next panel thank you all[Music][Applause]it’s a pleasure to introduce our nextpanel moderated by Sasha oconnell seniordirector of cyber security programs atAspen digital featuring Stephanie Crowacting head of the Australian cybersecurity Center in the Australiansignals directorate Lisa Fong deputydirector general of the New Zealandnational cyber security Center RajivGupta head of the Canadian Center forcyber security David Luber director ofthe cyber security directorate at theNational Security Agency and FelicityOswald Chief Executive Officer of the UKNational cyber security Center pleasewelcome the[Music][Applause][Music]panel well good morning Aspen cyber itis wonderful to see everybody here Iwant to take uh just a minute to say ahuge welcome to all of you obviouslyeach of you individually joining us tooffer your thoughts would beextraordinary and to have all five ofyou together is a real privilege sothank you for making the time I did wantto also acknowledge quickly um whilethis is in some ways unprecedented it’snot entirely unprecedented about fiveyears ago we had a panel at Aspen withRepresentatives um from the Intelagencies and at the time Felicity yourpredecessor said um it’s good there wassuch a robust introduction becauseotherwise the group might have beenmistaken for for reunion of a boy bandand um I’m so pleased as I know ouraudience is that the uh five eyes is nolonger the Five Guys so welcome and atip of the hat to you um it’s it’simportant it’s important representationmatters so with that maybe Felicity Ican turn back to you to kick this offwe’ve heard a lot already this morningum about the threat landscape and I’llgive each of you a chance to weigh inI’m really curious how do you see theCyber threat landscape evolving what isthat change piece and maybe if you canone thing this audience might not knowfrom your perspective in particular or amisconception they might have so F ifyou don’t mind thank you so much andit’s so great to be here at Aspen so uhthank you so much for having us so thethreat landscape in cyber continues toevolve we all know that the threat tosome extent is getting worse day by dayand getting more diverse day by day Ithink there’s a number of things thatwe’ll all all agree on and that’s thethe rise of some of the the St Statesthe Nation States involved in the Cyberlandscape and colleagues have manyexamples of that um that they will speakto I think there are a couple of otherchanges as well though one is the changein cyber crime and the realproliferation of those tools and the wayyou’re able to go on a Marketplace andbuy some of those cyber crime tools andthen the Third change i’ I’d highlightwould be the Cyber proliferation so theability of any nation state or anyorganization or person actually to goand buy a legitimate or semi-legitimatecyber tool from a known and registeredcompany and use that rather than buildit themselves and those three changeshostile States Nation States going aftergreater disruption greater Espionagethrough cyber plus the change in cybercrime and then this Middle Ground ofthis cyber proliferation across So ManyNations all three of those worry usregie did you want to add on to thatyeah I mean Felicity said it well Ithink that the the Confluence of thosethreat actors as well as the increaseddigitalization of our society I meaneverything is connected to the internetnow so the threats surfaces incrediblylarge and growing right so we see allthese Internet connected devices thatare now being used by thread actors indifferent ways we see our operationalcontrol systems for you know factoriesor other sorts of systems that werenever intended to be connected to theinternet that now present a great riskto those organizations so I think thosethat combination with the threats thatpolicity mentioned are really presentingthe threat surface did you want yeahthank you um as all comments mentioned Ithink that the the threat in theAustralian context continues to evolvejust in terms of the way we’re seeing uhadvanced persistent threat actors andcyber criminals in terms of the scale umagainst us in the Australian environmentI think we are seeing more and moreimpacts to our citizens than we havebefore I think that um you know in thein the financial year in Australia 2022to 23 we actually saw over 94,000reports of cyber crime into um theAustralian signals directorate and umactually that’s the equivalent of onereport every 6 minutes and when we thinkback to 3 years ago that was one every10 minutes so we’re starting to see seethat Gap really start to close um andjust to add to R’s Point um I think thatthe way in which technology isproliferating in our environment is alsoadding to the increased opportunity andvulnerability surface across all of thenetworks particularly in criticalinfrastructure and government where westart to see um some of these uh youknow attacks and the scale increasingthat makes sense yes Idid good a good illustration of thechange from the New Zealand context isthat earlier this year new publiclyattributed state sponsored actor on ourmost critical of infrastructures ourDemocratic institutions that related toan incident dating back from 2021 so 3years ago and actually two years afterso a year ago we had already attributedliving off the land activity um with ourcounterparts on stage so just uh eveneven illustrated by the what we’reattributing and the kinds of activitiesuh you can see a huge progression areally rapid Evolution and not only thethreatscape but also the tech scape sothe nature of the domain that we’reoperating in and in terms of what thatmeans and what you might not see in thisaudience and there’s a rapiddiversification of the kinds ofrelationships tools as well as tools ofstatecraft that we are bringing to theproblem set outside of just technicallanes and well into policy and standardLanes thank you I’ll let you have thelast word on this St thank you and justto Pivot off of what Lisa just mentionedthe living off the land technique weeksI think from 2023 and into dat to datereally changes the way I think we haveto think about uh the advanced cyberactivity of of the PRC and then what weneed to do differently in to ensure thatwe can identify instrument and to keepthat kind of activity happening in ourcritical infrastructure networks andother uh critical national securitynetworks of course the main theme thatwe have here today is Partnerships andwhen you think about uh keeping in frontand understanding that threat landscapethat’s what we’re really good at aspartners across the felines thank youfor teeing up my next question I’m gotto come back to that of course seeingall of you together we know some of whatyou do together but maybe is theresomeone who wants to offer some examplesmaybe first how you work together andthen I would love to hear to maybesecondarily we’ll go back around aroundAcademia private sector that other kindof Outreach but anyone with an exampleon the collaboration between and amongsthere yeah open so is this small nationwe obviously uh derive enormous benefitfrom being able to tap into the depth ofexpertise and um breadth of coverage ofour partners and you know traditionallythat’s been in the sort of indicatorsand incident space but equally theability to stand on a public stagetogether and talk about secure by Designand and principles uh that if we haveconsistency and the cons um secure bydemand uh we may well be able to drivechanges and behavior uh I I’d say notwithstanding our sides however ourcontribution back is unique and and oneof the strengths of our partnership isthe diversity we each offer so ourability to take uh intelligence run itacross our own Sovereign accessesproduce a unique feed uh for New Zealandto consume commercially and scale ourprotections across the Wier economy issomething that is unique to a smallnation’s reach and our ability to pickup the phone and our our offering backof of telemetry and visibility of ouroperating environment is something thatwe contribute to the partnershipper yeah I would offer each of us uh oursteeped in the world of signalsintelligence and cyber security ourteams are built with both expert sets ofexpertise and when you think about theopportunity space of taking what we knowand separating it from how we know itand then driving uh collect Ive cybersecurity for our Nations that’s reallythe power of the partnership that I seehere and and when I think about some ofthe examples I’ll point to many of thedifferent cyber security advisories thatare published by all of us uh in orderto drive specific guidance for NetworkDefenders and those who are uh focusedon ensuring that the advanced persistentthreats uh are not impacting theirsystems can I ask you a followup on thatwe had a little side conversation thismorning aboutcoordination of Regulation and sort ofharmonization how how does thatfunctionally happen um we know there’salways room to grow but as you just saidit’s an important contribution of thispartnership what does that look likelety how do you get that done it’s sucha such a great question and I think oneof the things that maybe gets forgottena little bit is how fundamental the fiveeyes is not just to intelligence but tocyber security and cryptography as welland the depth of that partnership goesjust as as far and deep and as long backas any of the intellig collaborationwe’ve done in the five agencies and thatmeans that not just the the leaders onthe stage that you see here not just ouroperational teams or our comm’s peoplewho are helping you know design theadvisories as they come out in the finalformat but actually every intelligenceofficer in any of our teams thecryptographers the software Engineersthe the individuals looking forvulnerabilities all of those thosepeople know their counterparts acrossthe five nations so it’s both a formaland an informal relationship for me theformal Works incredible well because ourpolicy our compliance our legal teamsalso stay really well connected ofcourse we have slightly different legalFrameworks and oversight regimes but wehave shared values and so many of oursystems are built on those shared valuesand long history and it’s fantastic tosee actually individual countriesinnovating because it means we can learnfrom what they do and look to work outcan we do something similar even if it’sslightly different in our own contextamaz somebody yeah I would I would eEcho everything you you’ve said Felicityin terms of the you know the criticalityof the five eyes partnership here in theoperational space and how we worktogether to provide that advice to ourpolicy agencies in the context of takinga whole of government approach toactually how do we defend and mitigateagainst the the Cyber threat and I thinkyou need a balance of of both you knowregulation policy response as well asthe operational response that we take umand as Dave said the incredible value ofthis partnership um is definitely beingable to draw all of the information weprovide together and provide the bestexpensive advice that we can provide toIndustry to our Network Defenders andthe the providers that are responsiblefor working with us to defend theirtheir products um so I think it’sincredibly important um in terms of umsome of the advanced tradecraft we’reseeing um The Joint advisoriesparticularly on event logging and bestdetection in terms of how to prevent andunderstand what’s happening in yourenvironment is really really importantfor us and with the five eyes there isway more impact and up take of thatadvice and that’s a really importantthing for us last word on yeah no I mean80 years of cod making and code breakingdating back to World War II right so along-standing tradition of collaborationthat surprised me coming from theprivate sector and into governmentamazing I couldn’t believe the thecollaboration that happens there’s onlyso many experts in this field as wellbeing able to reach out to any countryand knowing that there’s a you know youhave that pocket of expertise anywhereis fantastically important in terms ofyour point on harmonization reallyimportant particularly as we get intoregulation of critical infrastructureand some of these other spaces and usall being aligned in terms of what’sreally important incredibly uh valuablefor us in terms of North America um weknow that many of our Industries flownorth south right so it’s the same setof regulations so Canada does somethingdifferent from the US doesn’t work forindustry so work very closely at thelead end in the advice and guidance allthat technical expertise that we put inplace for example the Cyber performancegoals that szo has put out we wereclosely with the us on this as well weput out our cyber resiliency goals thatlook exactly the same right and that’skind of like the basis for the theregulatory guidelines that they comelater so just having us aligned from thestart AI is another one with the co-badges incredibly important to getconsistency in the marketplace perfectand once again you TW up my nextquestion beautifully it wasn’t it wasn’tpre-planned but on the private sectorOutreach piece maybe I could come backto you on that um and ask each of youhow does that integration work we hearso much about public privatePartnerships and so for eachorganization doing that individually andthen aligning that for multinationalcompanies can you talk a little bitabout what does that what does that looklike and what are some of the challengesand successes there sure I’ll speak abit to it um and we all have a you knowsome somewhat similar models but withinCanada it’s been really important for usas a single organization that’svoluntary we’re not a regulator is towork with industry aggregators so if forexample the Telecom uh in Canada we havethe sea St or the cyber securitytechnical advisory committee where wecan actually have really detailedin-depth understanding and threatsharing sessions in terms of you knowwhat are we seeing and how can weactually defend the nation we of courseshare that information across the fiveeyes and make sure that whatever we knowis being shared Al across our differentuh groups we have the same thing forfinance as well the financial resiliencyworking group get all the banks togetherinsurance companies stock exchangesthese sorts of things energy the eackenergy you know security technicaladvisory committee which is a bit of agap for us but looking at our currentthreats and the threat landscape whatmight be targeted really important forus to establish these advisorycommittees and get not just thecollective knowledge of the five eyesand and the information we can share butget that really important informationfrom the actual operators back into ourspaces as well so we understand theirrisk and their threats and then we canfind solutions to that as wellabsolutely Lisa is it the same in NewZealand the scale I know so interesteddifferent but how does it does it workin a similar fashion absolutely does uhso uh this you know taking the terysector for example uh we have thesimilar approach to security informationexchange so the ability at a uhTechnical and analytic level uh tofacilitate conversations betweenuniversities who who are comp competingin the market um are research institutesum they are looking for uh students uhand and want to defend their networkswell it’s a great Forum to have pointsof contact in the event that somebody’shaving a bad day and to build uh trustand higher levels of sharing than wemight otherwise see between thoseuniversities we also engage with seniorsso so it’s really important to us not tojust sit in a technical Lane that wealso speak to Executives and thecouncils uh and provide the kinds ofprioritization uh understanding of thethreat scape as it changes um we weprovide Technical Services so I’vetalked um uh about Maly networks whichis our ability to apply indicators uhacross uh the public and private sectorum to detect and disrupt threats uh weprovide those services to one of themajor providers of um digital and datanetworks reans and to the tery sectorsand and since their adoption of thatservice they’ve seen about 177,000events per day uh across their networksthat we’ve been able to disrupt so theimpact is really real it’s at the otherend of things we also like to engage uhas part of the community as well soprovide our own contribution back and wehave uh a stem scholarship um for womenparticularly um Mar and Pacifica womenand so we’re looking to also engage in asort of human and Workforce way to makesure that we’re growing the capabilityof the future perfect any other thoughtson Partnerships either yeah I think Iwould say from an Australian perspectiveI mean ASDS of the realization that wecannot and we won’t work independentlyof industry it’s a really important umuh part of how we operate now um andactually some of the best scale thatwe’ve achieved both against adversariesas well as in terms of the defensiveenvironment have been from thosePartnerships um uh earlier uh this yearAustralia did its first cyber sanctionsum and we couldn’t have achieved that umwithout the Partnerships of the 5is herebut also the incredible amount ofinsight support and assistance of someof the critical industry Partnersinvolved in Sharing us some of thatthreat data so uh I would just highlightthat from a you know um scaledperspective on how we um counter thethreat environment it’s it’s a reallypart of the way we operate now and ournational Partnerships program um in ASDis framed around that very principle didyou yeah i’ just like to emphasize thescale piece one of the ways we in scalecyber security is bringing the insightsthat government can see particularlyintelligence uh agencies to whatindustry can also see uh and and thepower is really analyst to analystcollaboration uh and as our analysts canwork with analysts and Industry that’swhere you get to see the opportunity toshare insights back and forth bringcontext to the most important threatsand then develop uh countermeasures andmitigations uh to ensure that we don’tjust uh support incident response buthow do you also outmaneuver adversaryactivity prior to exploitation occurringso I think the real power in the publicprivate Partnerships is that ability toscale and to link the analysts togetherin a way that they can truly haveamazing outcomes perfect and Felicityare there challenges that remain in thisspace is this all good news from yourperspective at the core or anyone elsebut start to have a chance to I thinkthe the challenges for us uh firstly asa as a five eyes I think for me the thesingle biggest challenge is the reallypragmatic one we live all live and workin different time zones and so thatmeans anyone in the Americas gets iteasy when there’s a video call becausethey can do it in the Working Day someof us have to get up really early or orgo to bed really late on those days sobut there are practical thingstechnology makes that better uh andgetting the chance to spend timetogether as we are this week face toface is fantastic and we get to do thatmultiple times a year which is reallyreally important but I think broadly inthe partnership space it has to startwith trust and it has to start withunderstanding but it also has to startwith listening because each of ourcontexts whether that’s acrossgovernments on this stage or Beyond orinto industry are going to be slightlydifferent but actually we all have suchshared values and a shared vision of asafer world with with an internetultimately and technology that is safeto allow us to to go about our dailylives but also be prosperous as Nationsand really get after that Innovationthat we all know is going to enhanceultimately humankind without being sograndiose but we have to do that in asafe and secure way and actually if youhave that shared starting point gettingto a space where you’re collaboratingdoesn’t feel so hard if you can agree onthose those great great big moments sofor me yeah of course there are thereare challenges and we all have that inour our daily lives but it’s that senseof moving together and and looking athow others are innovating and I thinkthere’s a concept for me about moving atthe pace of the fastest not the slowestand that means um a bit of to um riskoverusing the team sport analogy youknow there’s there’s a sense of makingsure that you you have the strongestathlete in each race and the rest of ussupport them and then learn from themand work out what we can do to add valuefrom our from our context or Viewpointand that applies equally in the privatesector too perfect last piece onPartnerships I know we have a lot offaculty and students here anything onAcademia did you want to oh Academia iscritically important to the success uhfor NSA and I know our partners as wellI’ll first start uh with our K through2program Jen cyber this really startsearly in the careers of youngindividuals who are interested ingetting into cyber security so wesponsor camps Across the Nation in thesummertime for students to first getinto the idea of cyber securityprogramming uh and and other STEMrelated um uh disciplines but it goesbeyond that because uh our work with uhcenters of excellence uh centers foracademic Excellence we have over 400universities Across the Nationwhere we have CAE programs for cybersecurity cyber security research andcomputer network operations this helpsall of government ensure that the nextgeneration of cyber experts are beingtrained to the level necessary to uhensure that they can uh work theadvanced persistent threats and thecomputer network operations needs uh forour nation um summer internships arealso available for those studentsstudents out there and the students uhshould have signed up already for theirsummerinternships uh but uh you know about 300uh summer interns will come into NSAevery year 12 weeks cleared working realproblems contributing to both the cybersecurity and signant Mission and theircontributions will become part of thework that we do after they leave about85% of those students join us full-timewhen they graduate amazing so it’s areally great program and then lastly Ihave to give a plug to the NationalScience Foundation for the scholarshipsfor service program where students areprovided scholarships uh for uh twoyears of service in in government oncethey uh once they graduate a reallygreat program awesome thank you anyoneelse quick plugs on Academia or yeah Imean I I definitely would and it’s suchfantastic work that NSA and othercounterparts do thinking right throughacross the skills and the researchlandscape in the UK our Universitysector is so vital so we at the top enddo uh sponsor research programs weaccredit courses we work with academiccenters of excellence and and then likeDave said we also have a responsibilityas signals intelligence and securityagencies to think about the skills ofthe future and that does start whenyou’re in in elementary school or highschool um within the US context or orprimary or secondary school in a UKcontext and we have to be all able tothink about what’s the language we’reusing as a community to ensure thatwe’re getting the most diverse reachinto those schemes as well as gettingthe numbers we all have a shortage ofcyber skills so some of the programs werun are particularly aimed at minoritygroups at young women to join thoseprograms as well and I think we all havesuch a shared aim in ensuring the wholeof the cyber security Community whethersomeone has a government email addressat the end of their career or not isactually a shared shared Challenge andit’s another area that we partner reallyclosely with both universities andschools but also um industry in the UKis a big sponsor of of our skillsprogram called cyber first but nofantastic thank you thank you youanybody else good well with 15 minutesleft I want to turn to the Future sowe’ve talked about kind of where we areand what we’re doing about it but I Iknow this audience wants to hear fromyou all of what you see coming and inparticular how emerging technology ofcourse you can talk about Ai and postQuantum encryption and all the kinds ofthings there’s plenty to talk about takeus more than 15 minutes but I wanted togive each of you a chance to really havea minute and and talk to this groupabout what you see ahead and maybeReggie if we could start with you sure Imean I’ll start with the obvious I meanyou mentioned post Quantum andencryption and the algorithms are outand you know the Big Challenge there isto be able to roll those out intoindustry through standardizationprograms and and basically making surethat’s embedded in your procurementguidance and churning the the equipmentbased on a risk-based kind ofunderstanding as to you know where thatrisk really manifests itself in terms ofgetting the standardized cryptographicalgorithms into your technicalappliances that are out there um AI is ais a really big one right and that’sgoing to be something that enablesorganizations like ours of course we’reyou know we’re looking to exploit thatin any way we can to really get thebenefit um but really important to be beable to secure that because of the thepresence it will actually have um threadactors will be using AI for things likecontent generation we see that in termsof thread actors trying to divide anddisrupt us right with misinformation andthese sorts of things so contentgeneration and the ease of actuallybeing able to do that with some of thesetools um certainly something that wehave to keep our eyes on and make surethat we’re managing that as best we canand thread actors will use that forthings like you know social engineeringand other sorts of elements that way aswell the same point in time there’s verygood things that can happen in thatspace as well we talk a lot about secureby Design all trying to put forth youknow standardized ways of of upping thethe ecosystem in general but those sameAI tools can be used to develop betterproducts and find vulnerabilities beforethey’re actually shipped to Market sothey’re not patching every week andright so lots of opportunities but lotsof threats as well and it’s our job tostay a breast of them and share ourknowledge and make sure that we’reputting out the right advice and guidein still protected Thank you Lisabeautifully I guess I I’ll take a littlebit a higher level rather than uhtechnical we we see the threateverywhere that we make it easy for themand and so I suppose we’re looking for afuture where good cyber security ispracticed Everywhere by everyone all thetime and that’s really about engagingeveryone’s roles and responsibilitiesand recognizing that um we will we willnot get on top of uh our our technicalopportunities without recognizing umwhere the threats evolving and doing ourpart so so you know we have recentlyintegrated our uh search with and ourncsc functions and we look a little bitmore like our um counterpart agenciesnow uh and and in doing so we’ve reallytried to think about where’s where’s ourvalue ad here um how do we make surethat we position ourselves to do onlywhat we can do and enable others so wewe’re really Guided by three keyprinciples um looking to the Future thefirst is that people act on informeddecisions so that individuals areengaged with what they can do to helpprotect themselves we want to see uhthat the basics are basic thatorganizations are able to uh implementthe required security controls that theyneed that are suitable to theirorganization but also that the digitalsupply chain has pre-implemented secureby Design principles and that leads us aspace where we can really focus on thehardest end of the problem and engageour partnership um on that so um we wehope that that provides a sort of moreDynamic mindset I suppose and range oftools and a sense of empowerment topeople that um we we’ve got thisStephanie everything said by mcolleagues um I guess I might just adduh I think that you know we’ve talkedabout the threat today and and the scaleof that increasing and becoming morechallenging and I think then it requireslooking into the future a scaledresponse um you know to to cter that andand deal with some of the challengescoming our way technology is one but Iactually think that you know um thereneeds to be a really Collective responseat senior leadership levels acrossindustry private sector government um toactually do this and think about a riskyou know risk management of cybersecurity uh as you would any otherEnterprise risk and that’s going to bereally critically important into thefuture um ASD we’re taking the approachthat we are going to engage executiveleaders and start to drive some of thatculture from the top of organizations umto help with that uh We’ve briefed umyou know a large portion 40% of our ASX200 NASDAQ equivalent in the UnitedStates that’s a really important part ofour mission because driving change oftenhelps when you’re driving it from thetop um and actually thinking about andhaving senior leaders think about whatare the most significant Assets in mynetwork and environment how do I riskmanage and protect those critical assetswhen the problem set is so large um andI think that’s going to be reallyimportant part of where we head into thefuture uh in Risk managing some of thethe threats out there and can I ask justa follow up on that and how are in termsof that Outreach and awareness and sortof driving is that programmatic for youhow is that organized is it acrossagencies or how you’re working throughthose is so so we prioritize that basedon you know core parts of um the theindustry that support the running of oureconomy um we look at uh tiering ourNational Partnership program in terms oftiers and sectors to make sure thatwe’re reaching the right audiences andscaling in that way um so in ASD we haveum over 3,000 partners that are what wecall Network partners and those arelarge organizations that have um hugeenvironments and require a lot of umadvice from us around know networksecurity and response um we have mediumlarge organizations we have over 5,000Partners there and then we also scaleOur advice to over a 100,000 home usersthat have joined our program and it’sreally about making sure that thattailored advice from a defenseperspective is provided uniquely tothose sectors and to those umorganizations amazing thank you foristin terms of the future so the future forme I guess I think about it in threeways firstly the threat and we know thatthat’s uncertain at the momentunfortunately there’s nothing to suggestit’s going to get more predictable overthe next few years and there are someindications that things may get tough attimes so we can’t expect the threatpicture to to lessen necessarily thatmeans that as we evolve the futureTechnologies and uh riiv has mentionedAi and the future of quantum uhComputing particularly in relation tocryptography those are absolutely two ofthe the Technologies we’re focused on weneed to make sure that those futureTechnologies are as secure as possibleagainst that threat l landscape and thenthe third element for me about thefuture is how we respond and for us inthe ncsc and I know it’s a sharedambition across all of our Nations is toensure that we have the levers and theincentives aligned so that it’s easy tomake really good cybercity decisions atevery level whether you are a citizenthinking about your password how do youmake a a smart decision on what a greatpassword for your new device is how dowe ensure that a new internet of thingsdevice that you buy for your home is assafe as possible there’s a role forgovernment and the Regulators there theUK this year set out some reallygroundbreaking regulation to ensure thatall new iot devices coming to Market aremuch more secure but that scales rightup Stephanie mentioned the importance ofscale we have to think about all ofthose leevers all of those incentives weall have buying smartly using ourConsumer Power we’re big supporters ofuh sissors secure by Design work secureby default is so important for thefuture and for us it’s thinking abouthow do each part of the of the systemwhether Private Industry whetherindividual consumers whether governmentsyou do their part in that in that mazeto ensure that it’s easy at every levelto make those those really safe andsecure decisions for the future and thethe kind of big big elephant in the roomis is the tech debt and that’s the onethat we we need to help organizationswho are grappling with with technicaldebt um and worrying about the futureand how they modernize to really bringbring forward good good examples andthat we as Government to support them inwhatever means we can going forwardthank you last word on the future nopressure no pressure all well just toadd to the great discussion that’soccurred already I think we all knowthere’s no s single Silver Bullet tocyber security and when I think aboutthe the future taking from uh all thediscussions so far the threat requiresus to think differently about how weprotect our networks so think about umtoday where we have a single edge devicethat we’re counting on to ensure that uhsomeone doesn’t get in and get access tothe crown jewels of our criticalnetworks whether it’s in criticalinfrastructure or or government we needto think more about zero trust Conceptswe need to make sure that as we thinkabout the future of networks we have toassume that breach will occur how do wemake sure that if breach occurs and whenbreach occurs that there’s limitedmovement for those adversaries to get tothe data that they’re really trying toget after uh second I think cryptographyplays a critical role in making surethat advanced nation states can’t do thereconnaissance they need to do in orderto get to the networks that they’d liketo get to uh for exploitation uh so theto prepare for the quantum era ofcomputing we all have to have a Quantumroad map whether that Quantum road mapis for national security systems orwhether that Quantum road map is forcritical infrastructure Academia we’reat a pivotal moment because uhparticularly forindustry the the algorithms have nowbeen implementation will start occurringin products and as as um folks arelooking at their Tech debt they shouldbe really uh matching that Tech debt upto their Quantum road map to ensure thatthey’re buying new products that will besupported with the new Advanced Quantumresistant uh algorithms that will helpyou protect with high Assurance cryptohigh with with cryptography that willthat will uh that will counter a quantumcomputer in the future so really tyingthese things together Tech debt quantumuh and making sure that uh that we’repreparing for our future not justreplacing devices because it’s time toreplace them let’s make sure that wereplace them uh with a strategy that’sgoing to uh make it more difficult foran adversary in the future and thenlastly AI I mean you can’t uh have aconference without uh talking about AIum you know we think about this uh froma couple different facets from theNational Security Agency first um fromour foreign intelligence perspective wehave to be able to detect and counterAries as they try and uh manipulate oruse AI against National Security andother uh critical Systems Second uh justas we’ve done with other parts ofIndustry we need to develop those deepPartnerships with AI companies as wellas uh Partnerships with those who areimplementing AI within our nationalsecurity systems and other governmentsystems to make sure that they’re doingit securely and making sure that we canshare insights that we have on howadversaries are threatening uh those newecosystems and then lastly I think uhand and really important is promotingevaluating and developing best practicesand guidance on how to secure the AIecosystem so back in uh April mid April15th of April of this year we publishedour first guidance on securing AIecosystems but there will be more ofthat coming uh in in the in the nexteven couple weeks perfect thank you wehave about three minutes left I justwant to do one quick speed round foreach of you you all have offeredthoughts I know are so relevant to folkshere leaders in the private sector ingovernment in Academia again we have alot of students here so I want to justgo back through and maybe start with youif you don’t mind can you just offer abit of advice we have students who areinterested in careers in cybercity youoffered some very specific internshipand other opportunities at the NSA anyother life advice things you all wishyou had known then again with threeminutes we’ll just go back through realquickly Dave startor with well first offuh for the students in the audience uhthe summer internships are reallyawesome we also have co-op opportunitiesfor those students uh but you know whenwe have engagements with Academia Ithink it’s really important to haveengagements with the professors and thestudents because your professors areguiding you through uh your programs andand when they understand the value ofwhat you’re cont contributing and whereyour goals and aspirations are it’sreally going to help out when you’re uhthen deciding at the end whether youenter into government or enter intoindustryuh that they’ve got you on the righttrack uh because they’re really close tothe work that you’re doing every daythank you thank you for your passion forour students as well ficity thank you somuch so for me I think one of the thingsthat cyber security um suffers from is abit of a reputation that suggests youhave to be a deep computer scientist atthe age of 18 or 21 to be able to have acareer in this sector I am proof thatthat is not the case I learned to codewhen I was in my 30s and by the way Idon’t have to code every day now that’sa good thing for the nation and for theworld um but uh for me there’s somethingabout the cybercity community doesgenuinely welcome all skills we talk alot in gchq about the importance of amix of minds and that’s about therepresentation the communities you comefrom your your gender your backgroundfrom an academic perspective or yourinterests as well as the things you cando in the workplace so don’t be put offand be curious and seek out newopportunities ask questions it’s such animportant thing in all of our jobs is toask great questions and really listen tothe aners so but it’s fantasticeveryone’s here and I really am excitedabout the Next Generation coming throughthank you I am also living proof thatyou don’t have to be a deep coder ortechnical expert um to have a career inthis field and I think that um just toreally add to your brilliant points umbecause I’m in complete agreeance withFelicity um it’s about also not beingafraid of the tech in my experiencetechnical people if they get askedquestions get very excited and they’remore than happy to explain to you everyintricate part of their job and Missionum so I think that I would tell studentsout there that you know it’s itabsolutely the Curiosity thing is is keyand asking questions don’t be afraid todo that um because there’s not a day incyber security that I don’t go homelearning something new as well so it’s aconstantly evolving uh space and we needpeople to be asking questions um andjoining us um on this journey perfectthank you with our 37 seconds left Iwant to hear from both of you verybriefly uh felicities mentioned uh thesort of multi-disciplinary nature of theindustry uh I’d also add that cyberyears are like dog years you got to movefirst and and the the range ofdisciplines you need to keep bringingtogether to get the right sort oftriangulation on on your uh landscape uhyou need to keep working that and sothat might feel a little unsettling butyou will um you will get more out ofyour existing staff and you will be umquicker to respond if you’re able tokeep switching it up final work sir freeseconds I would just say that we alsohave a co-op program sobut absolutely curiosity absolutelyessential the career is always changingyou never know what you’re going to bedoing and what you think you’re startingas a as a student will be something verydifferent 10 years later or or 15 yearslater um but an amazing career I wouldsay amazing thank you all again onbehalf please join me in thanking thisamazing panel and we will be onour it’s now time for a short breakcourtesy of Splunk a Cisco Company helpyourself to a specialty drink at thecoffee station and a quick snack andwe’ll see you back in your seats by11:00 welcome back everyone pleasewelcome our next panel Ellen NakashimaNational Security reporter at theWashington Post with our panelistsTobias fekin founder of protestarstrategy Jorge guajardo partner at theDGA group and co-chair of the Aspeninstitute’s Global cyber security groupJarrett C ridic senior fellow at thecenter for security and emerging technTech ology at Georgetown University andJessica chanice David M Lamptonprofessor of China studies at JohnHopkins University School of advancedInternational Studies please welcome thepanel I well thank you and welcomeeveryone um we we had a uh the title ofour panel was mythbusting what do we getwrong about China it’s a niceprovocative title and uh and it got methinking though with with that questionit sort of presupposes you you want toknow you want to devise a pretty goodeffective strategy or policy for umdealing with with China and as part ofthat want to know what are the realoutcomes what is it that we actuallywant to achieve Visa V China and so ourpanel today is going to discuss uh Ithink what the the goals are in ourcompetition with China what thestrategies are to achieve that whetherthey’re working or not what do we getright and what do we get wrong as we tryto as the US and its allies and partnerstry to work towards that goal so I’mgoing to start with uh Jessica ChenWeiss from uh Johns Hopkins Universityand talk about ask you to start with youknow vice president Harris has said thatthe goal with China is to win thecompetition for the 21stcentury part by winning it throughemerging Technologies like Quantum andAi and by focusing on AmericanTechnology Jessica is is that the rightgoal is it to win the competition or isit to manage it and is the strategy toachieve it working what do we get rightwhat do we get wrong in that firstthanks so much it’s great to be herewith all of these illustrious speakers Iguess first of all I think it’simportant to acknowledge that you knowChina’s activities whether it’sEspionage or hacking efforts to embedvulnerabilities and criticalinfrastructure do pose a major Challengeand American policy makers are rightlyfocused on that that said I think inwhether in Beijing or in Washingtonrhetoric about winning the future orwinning the 21st century of sets up areflexively zero some frame that makesit difficult uh to maintain the kinds ofintegration um that both societies uhbenefit from and and whereas you knowyesterday um ordinary activities betweencompanies researchers and students uhwere seemed valuable now they arepulling back from those activities forfear of being deemed disloyal and theproblem here is that integration to somedegree even though as we need to youknow mitigate the risks we also need torecognize that there are real benefitsto American interests of remaining tosome degree connected if only to learnuh you know what Chinese scientists andinnovators are working on uh in China insome areas whether it’s in renewableenergy or others Chinese uh you knowproducers are well in front and so theidea that we could simply win um byWalling ourselves off and Walling themout I think is a misplace can I justpush back on you for a minute therebecause I think what the administrationhas said is that it’s not seeking tocompletely you know cut off China or ordecouple entirely it wants to focus inon a a number of of of discret uhemerging technologies that are crucialto what they say is China’s uh militarymodernization uh maybe we buildingweapons of mass destruction and theyhave this concept of the small yard highfence to just home in on a handful ofthese emerging Technologies and thenbuild up strong defenses there exportcontrols or what have you so with thatin mind do you think that strategy is issmart and effectiveso I think that the Biden Administrationhas gotten a number of things rightincluding kind of invoking a sharedpurpose you know of Defending an orderwhere might doesn’t equal right andarguing that you know a completedecoupling is unrealistic and thatdrisking um is a better way of goingabout it that said I think that the youknow the process of determining where toremain connected and where to uh youknow pursue some degree of separation isin incredibly complex and I’m a littleconcerned that the process underway toevaluate these tradeoffs doesn’t NEnecessarily take enough stock of uh therisks and costs to American and theability of American firms and other uhleading firms in developed democraciesuh to continue to um progress as well aspotentially um the fact that by imposingthese kinds of uh restrictions andExport controls they may actually behaving the counterproductive effect ofkind of forcing Chinese companiesprivate and otherwise to work with thegovernment and other domestic suppliersum maybe even creating the veryJuggernaut that these ex restrictionsare were intended to stying great I Ithink Toby you’ve had some uh experiencein this area as former cyber ambassadorto a from Australia what’s yourperspective on this strategy firstlygreat to be back in DC this is the firsttime I’ve been back since I finished upin my role so it’s really nice to see somany friendly faces um indeed the sixyears that I spent in that role um Iwould say I was in the hot seat for theAustralian approach which was very mucha Security First approach in terms ofunderstanding threats risks andvulnerabilities and one of the distinctfeatures to contextualize what’s goingon right now is that you know it’s thetech convergence of key Technologies andthe way that they interplay theyreinforce each other’s Innovation cyclesand you’ve mentioned a few of thosewhether they be Quantum AIbiotechnology those Technologiesbasically will shape the power structurestructures of the 21st century and we’reonly beginning to vaguely understandwhere that takes us genuinely theinnovators who are developing theseTechnologies are still quite unsure ofwhere that Journey takes us but whatwe’re sure of is that if you are in ifyou like first place in the emergence ofthose Technologies and the ownership ofkey areas of those Technologies then youare at the Forefront of global powerstructures so in sense ofwinning outright that’s a difficultobjective but keeping competitiveAdvantage is absolutely the key aim hereand then when you look at Key policiesthat especially the US has taken aroundsemiconductors which are essentially youknow one of the key underpinningTechnologies of of all of those otherFrontier technologies that I mentionedyou know I I think the US has done aquite incredible job I go as far assaying that’s one of the most impactfulthe chips act and Associated traderestrictions has been one of the mostimpactful um supply chain policies thatwe’ve seen at least in the last 40 yearsand it’s created if you like a maybe5year air gap where the US can nowinnovate in that space and I think oneof the risks though is that it’s not nowtime for Pats On The Backs and job welldone it’s now time to push home thatInnovation advantage and make sure thatyou utilize the money spent and theefforts to comprehensively shift a keysupply chain within two years I meanit’s quite remarkable when you look atthe shifts that have gone on in thattime MHJared so I think part of uh the the thethe basis of the question that you’reanswering and then what what Tobias hastalked about um is is a talent questionas well because if we’re saying that wewill uh turn inward and use our ownresources to engage in this competitionthen Talent becomes very important andyou know we look um we just did somework at CET to look at the the CET isthe center for security and emergTechnology at Georgetown yes thank youso Public Service Announcement C saidCenter for security and emergingtechnology at Georgetown we are a nokidding DC Think Tank working the areaof AI and National Security to produceum uh evidence-based uh recommendationsfor policy makers and we’ve just done astudy to look at the global producers ofstem talent and clearly there’s atremendous gap between China and theUnited States and so when we look atthat you know we will have to haverobust um immigration policy and remainsort of open to the world and in termsof of gaining talent but domestic talentand sort of the stores of talent that wehave in sort of groups that have notbeen represented as stewards oftechnology is a real growth opportunityfor the United States but as tobas saidwith this Gap that we have we have todouble down on and adjusting our systemso that they are able to gain um accessto this Talent um in ways that wehaven’t before that who’s able to gainaccess the the United States internallydomestic Talent here in the UnitedStates so in the vein of what are wegetting wrong about China what is itthat I think in our earlierconversations you were saying that theUS might be uh unfairly demonizing uhchin ethnic Chinese academics or so wewe when we talked we talked about thisterm China Hawks right and so there’s aa new report out from CET um Sam bresnikat CET who is a researcher there has uhrecently written an oped in foreignpolicy where he’s talking about theimpressions of the Chinese militaryaround around artificial intelligenceand and you know statements have beenmade you know China’s eating our lunchon AI um we’re way behind but there’ssome interesting findings um from Sambresnik and in this recent um um reportthat he’s done one being that theChinese military in the the the publicdocuments that we can see are veryconcerned with trustworthy Ai and infact saying that if if um they goforward with AI That’s not trustworthyit could cause um problems in you knowmilitary applications leadingescalations leading to um unnecessarycasualties and Military and we also knowthat the Chinese government has saidthat AI will have to adhere to socialistprinciples and so those restrictionsfrom from that type of statement butalso this notion that there is a a chiefconcern among AI um military um uhactors within China aroundtrustworthiness I think is somethingthat people may miss because we’re we’redepicting China as if they will take Aiand just unleash it but we see fromthese military actors that they areconcerned with the trustworth you thinkwe’re maybe overestimating China’sprowess and sophistication rate ofinnovation in AI I think we would be uhthere is no we would we are notoverestimating and I think we would beum we would do ourselves a disservice tonot take them seriously in thecapability but also the scale becausehaving volumes and volumes of of folksworking on these problems you know putsyou sort of at at a certain type ofdisadvantage but the advantage that wedo have is that we have significantquality Advantage um in the talent andso we have to sort of double down onthat and grow domestic talent andmaintain the quality advantage that wehave in order to keep Pace okay um Iwanted to get back to uh some of the thechip strategy and working with alliesand partners which is a signal featureof the Biden administration’s approachto China right it’s not just us puttingup uh tariffs or export controls againstChina it’s trying to build coalitions oflike-minded Partners um Ambassador Karoyou’ve had you you’ve worked on thisissue and and also not just with youknow the EU or 5is but Global Southcountries right other countries in theworld how do you think the US is doingin that strategy of building umPartnerships with other countries tokind of help in the competition orcounterChina so so let me answer that questionand just very briefly go back to theprevious debate on what I think the USis getting wrong uh with regards toChina and I think one of the things Isee right now so I spent six years inBeijing ER as Mexico’s ambassador toChinaand I I noticed the Chinese politicalsystem is opaque by Design it’s meant tobe opaque it’s it’s not meant to be anopen system and something that I see alot of in the United States these daysis certainty among the opinion leaderswhen it comes to China you go topolitics and Pros here in Washington DCand you count the books on the new ColdWar on CH and it’s they speak with acertainty at a time when there are thefewest journalists inChina and these are mostly opinionleaders projecting their values on Chinaand assuming that China will be actinghow they would act if they were in theirposition and I think that is a a fraudproposition so so I think the certaintywith which the US acts is something thatin and of itself is something the USmight be getting wrong I think the firstthing to realize is that we don’t knowwhat’s happening there we really don’tknow uh now going back to that certaintywe saw it a lot with the Huawei roll outand the United Stateswas going all over the world saying donot buy Huawei kit because the theChinese can spy on you and they would goall over the global South LatinAmerica Africa and other places and saythe Chinese will spy on you if you useHuawei well first of all keep in mindthat as a region or as a global South asa we are not geopolitical players in thesense that we worry as much about beingSPhere first distinction second the USspies on us just as much so so it’s nota concern about the Chinese spying on usversus the US spying on us usually theUS uses the spying to to build criminalcases against the political leaders sothey might not be as inclined to befavoring with the United States in termsof spying whereas the Chinese do it forindustrial commercial purposes again wedo not have as much intellectualproperty as you find in developedcountries so that idea that you would goaround that the United States would goaround talking to developing countriesleaders and warning us about the threatabout China spying on us doesn’t play asmuch as one assumes it does it doesn’tscare us as much as people in Washingtonthink ER interesting there there’s anaspect that the United States again inits certainty and lack of understandingon how this countries think overseas andthat is one as I mentioned that we don’tworry about as much about being spiedupon buttwo that perhaps what would get ourattention more is the threat ofcommercial coercion and what do I meanby mean by commercial cotion if acountry has Chinese kit whether it beHuawei City whatever may come next inits infrastructure and is dependent onit they may be susceptible to commercialcoercion by China now a country likeMexico Colombia Peru or anyone LaAmerica would say well we don’t we arenot geopolitical players we are notafraid about commercial until yousize a Chinesemine or you arrest a Chinese a fenteldealer somebody with whom the Chinesegovernment takes objection and then yousubject yourself to threats and mightthey not probably upgrade your system asfast as you would ECT because you’rebeing subjected so now it’s a matter ofsovereignty MH now developing countriesunderstand sovereignty we don’tunderstand spying we understandsovereignty so again that’s a change ofemphasis how the United Statesapproaches this issue instead of talkingtelling us or warning us about thethreat of spying interesting to what doyou think of of that given Australia’sposition too and having also beensubjected to Chinese economic coercionbut also having to work with uhnon-aligned Partners in in the regionto counter China what’s your take it’sit’s quite hard to unsee what you’veseen from inside the Beast and so youknow my my mind’s pretty clear as to youknow how China is operating certainly inAustralia how it’s operating in theasia-pacific region um and there may beelements of what H said which I’m notquite in agreement with the the singlemost poignant thing that J said is thisis an issue of sovereignty and thatreally should Hammer home and a lot ofmy time was spent talking to countriesaround the region especially where theyare caught in this vice likee game ofmaking choices um and in amongstcountries that don’t want to have topick sides they want to get on withbuilding their economy and digitizingand innovating um and that is one of themost powerful messages you can give themokay they may not really care abouttheir networks being owned they mightnot have the awareness to understandthat but that’s why it’s important thatyou assist countries with building thatcapability to be able to understand forthemselves what’s going on on theirnetworks but there’s also another partof this that we had to speak to andengage with countries on which is thewhole indebtedness in the developmentcycle because a big part of the playthat China made in our region was aroundthe digital Silk Road and thehuge um infrastructure developments ofdigital systems and networks that werethen you know Laden in countries withdebt and an incomprehensible way and andeven worse you know than than havingthat capability was not providing theability to sustain that I mean I’m I’mseparating myself completely from youknow my my maybe my ideological leaningshere but you know to provide thetechnology and DET a country to it andthen not even be able to maintain it andthat means all the country has isinfrastructure which can be essentiallyaccessed at will by a state that isreally just interested in understandingeverything about the way you operate asindividuals as a state as you know yourindustry to influence the way that theywill then make decisions about what theydecide to do with you that’s Chinesedecisions and by the way also havinglived in a country which has beensubjected to Chinese coercion verydirectly um once there’s a decision madethat you are you know not flavor of themonth sorry to put it in a very you knowglib way they will then switch off thetap very very quickly and you’ve seenthat happen in other parts of the globeand that’s certainly something thatAustralia had once it had been throughthis process as I said of a SecurityFirst policy where it was understandingwhere our risks were um so helping othercountries understand more ourdecision-making process and why wearrived at that decision to us was thebest way of explaining to othercountries why it was important that someof those considerations werein were intheir own choices so it wasn’t a matterof saying You must choose this supplierbut it’s saying here’s our examplehere’s the process we went throughhere’s how we reached our decision doesthat make sense to you you in theprocess that you’re going through andactually we did find a lot of countriessat up and said yeah actually mygoodness yeah we’re going to go throughthat ourselves yeah I think thisAdministration to is trying nowincluding with Partners in the AsiaPacific to try to um find ways to helpother countries resist such economiccoercion build resilience does um do youhave any thoughts on whether or not thisstrategy seems to have traction beworking um Jared before I go to that Ireally would like to stay on the globalSouth issue as well because I as Imentioned um the work we did at CET tolook at the uh Global um producers ofstem Talent um this was data that hadnot been updated since 2016 and when welook at took a look at the most recentdata which was I think 2020 data umBrazil and Mexico are in the top 10world producers of stem Talent whichwhen I saw that surprised me I don’tmean that you know to you know todisparage the the our our Latin Americanneighbors um but I think people would besurprised to hear that fact and so whenyou think about the encroachment ofChina into the into Latin America SouthAmerica to the global South and then Ioften tell people because of my past uhin science and technology that I reallylive in2035 right and when you think about 2035out to 2050 one in four people in theworld will be on the continent of Africaso Global South we say that now sort ofas you know we but in the future thatwill mean something very different andthe way that the Chinese are positioningnow and what that will mean in thefuture is again I think we could putunder the category of things that we getwrong because I’ve talked to many peoplewho say well our longstandingrelationships with these countries willgive us an advantage no matter whathappens and and Tobias is very clear insaying that these the way that theChinese are doing this is reallystrapping countries with debt but I dothink that what is happening now and theway it will position the Chinese for afuture that will look very different ifyou’re talking about now countries inBrazil and Mexico that are producinggreat greater stem Talent thispopulation explosion that will happen onthe continent of Africa it begins to meto begin another conversation abouttalent and talent that’s being producedin these places that is much differentfrom what has been there in the past andso that future really Tobias said itwell the countries that lead in emergingtechnologies will be the countries thatreally have a great Advantage goingforward and so the talent mix thatexists now in the global South and withwith China being there I think gives aparticular type of advantage that we’renot paying attention to if we get into2050 and they are there and we’re notthe talent explodes and then we don’treally don’t have an entree into thatTalent so I think that is somethingthat’s probably not on the radar of mostpeople and when I talk about it I thinkpeople say to me well I haven’t heardthat before but I think it’s thinkingabout 2035 2050 what the populationmixes the stem Talent that’s there andthe positioning of China I think issomething that we we’re in my opinionsort of missing the ball thank you goahead I think Ellen to your question Ithink um whether it’s from Beijing orfrom Washington lectures don’t uh winmany friends um and so I think the realquestion is um you know China’s sort ofcoercion in some ways hasn’t beenparticularly effective on its own kindof steam um separate from the UnitedStates coming in and and trying to tobolster um resilience to that coercionum and so I mean I think that thequestion for both countries uh really iswhat can they offer to the world rightin the form of of deliverables orbenefits um whether that’s talking aboutkind of an effective International orderthat is functioning where you knowvarious countries uh from the globalSouth have greater voice um feel thatthere’s a path to uh greater prosperityand security um and I worry that there’sa little bit of tension um in some ofthe uh Rising protectionism um that uhwhat’s on offer here um may be runninginto into some of those concerns welllet’s go there let’s move a little bitto economic strategy because uh it isclear right mean to be clear the US isnot decoupling from China China is stillthe second largest trading partner tothe US and the US is seeking to driskits supply chain and given itsexperience in the pandemic it it’s itseems like a prudent idea aidea uh todiversify the supply chain to includeyou know partners and and and allies umbut at the same time you do hear uh youknow DOD has bi American strategies bothboth uh parties are focusing on on youknow investing in America American jobsyou hear talk about tariffs Trump ispromising you know 100% tariffs 60%tariffs how do those two um competingtensions work together to both positionUS the US and its allies to competebetter with China and also be moreresilient at home what are we gettingright what are we getting wronghere I I I would start with industrialpolicy industrial policy is a new word ANew Concept we’re dealing with in thewest that started with China and now werealize that unless we have anaggressive industrial policy we will notcompete with China in certain sectorsever er sorry I I I see you so so so I Ithink the first acknowledgement is tounderstand that they have made hugeinroads in Innovation and that issomething ER that you often times seepeople not understanding the UnitedStates because they don’t see it so youhave Chinese evbs electric vehicles thatyou can’t buy in the United Statesthey’re far Superior than anything youcan have in the United States is thefirst time in my life that I rememberother than Iranian caviar or Cubancigars that the US customer cannot haveaccess to the best product out there andthe best product out there right now areChinese EVS which are heavily subsidizedright by the besides the point so youask people you tell people here and saidyeah cuz they’recheap and and you know because they’regood and you I mean there was a a longinterview with Jim Farley of fourlast weekend on the Wall Street Journalhe just came back from China and saidwow I realize how good the Chinese EVSare so that’s all because of industrialpolicy yessubsidies and that’s something theUnited States has got to considerwhether they want to play that game ornot and if not to assume that someoneelse will take the lead so so I reallywant to come in here because it soundsexactly what you’ve described there itfeels to me like I’m on repeat rewindwith 5G because there is no getting awayfrom the fact that you know despitesecurity misgivings around 5Gtelecommunications equipment built byHuawei or ZTE um The Innovation that hadtaken them to World leading 5Gtechnology was frustrating at the timeas a a western Diplomat when you’retrying to sell your alternativeproposition and it it’s at a price pointwhich is well below Western competitorsyou know that that is a very difficultproposition that you have to try andthen go forward and sell you know withelectric vehicles you’ve described thatexact same proposition which I wouldn’tdisagree with but still the risks arethere you know electric vehicles areconstantly communicating constantlyproviding data much of which isessential for the security featuresessentially of electric vehicles butmuch of it isn’t and what’s built in isthe inability to switch off certainparts of data feeds that you wouldreally not want going back um to thecountry of source and it’s exactly thesame risk methodology that you should bethinking of which is if that data isbeing hoovered up out of the car andpull back to country of origin what arethe policies that are in place forAccess of that technology how does sorrythe data how does that data then getutilized and assimilated intounderstanding your country is yetanother layer of granularity ofum of intrusion upon a nation and and itbecomes incredibly difficult because younow see this playing out the economicside of it in the EU where you knowenormously ambitious uh emissionstargets and climate targets andrealistically you’re looking at itthrough that economic lens and you’realmost well how else do they achieve itunless it’s through electric vehiclesalready a feel indulge me um I don’tknow if there’s any and I it it pains meto call it but soccer fans out thereit’s really football thank you thank youvery much exactly thank you I knew youwould agree um if anyone was watchingthe European championships recently andif you looked at the key sponsors thatwere across there it was Chinese fintechfirms and payment services and it wasChinese electrical Vehicles providersshrewd move because you’re accessing theRight audience which has an a groupingof countries who have enormous policypressure on them to deliver results andyou know you can see that uh I keepusing the word convergence but theconvergence of pressure on the EuropeanUnion how on Earth are they going tostart fracturing in the security risksof that at this moment it feels like thehorse is almost bolting in I regard so Ijust want to jump in with the EVconversation to sort of highlight whenyou’re saying EV I think you’re alsoreferring to autonomous driving carsright and so this autonomous vehicleconversation really I have a colleaguewho was in China and was in one of thesecars and made a video and showed it tome some of the capability was far beyondwhat what we have and I I drive a TeslaI’m not afraid to admit and so I usethat to drive autonomy often and it itthe the car is very capable my car isvery capable it can drive me from myapartment to work and busy traffic withjust me watching but the things I saw inthe video were far beyond what we’redoing and you think about this from theuh military perspective autonomy issomething that we’re chasing and we seein Ukraine the impact that theseunmanned systems that are not fullyautonomous are having on the battlefieldthere and this is something that themilitary is paying attention to ismaking the military rethink what thesesystems can actually do in terms of thethe modern Battlefield and so when wesee autonomous driving vehicles in Chinadoing things that we can’t do here justtranslate that into capability for thepla so I just wanted to add the securityconcerns or fears of Chinese dominationof the EV Market can be addressed in anumber of different ways one is to raiseteror so high that they just kept outand you can go to Mexico and say don’teven make them there and this is sort ofthis like counter strategy the otherwhich I think is being more pursued inin Europe and elsewhere is to say wellwe have the terorists but come producethose vehicles or let’s license thattechnology to try to localize thatexpertise you know when China was behindand technology they brought all these uhforeign companies in made them establishjoint ventures and did a whole lot ofthings to kind of you know move quicklyuh and progress in the technologythemselves the question is for us herein the United States is the solution tothese problems just keep them out or isit you know let them in but regulatethem so to reduce the risks that you’vedescribed around autonomous vehicles orthe you know data more generally um andthen what’s our plan for moving aheadright because I think that the strategyof just keeping them out isn’t I don’tsee where the success lies in that Iagree definitely on the the banss areineffective too expensive to um uh uhsort of uh enforced but I worry becauseof the military industrial Fusion whenwe bring in an industry partner are wealso bringing in the pla that I I worryaboutthat anyone with any smart ideas abouthow we move forward on this to just andI agree with Jessica and and it’s aconundrum I’m not sure it’s as easiestjust asking them to come and andmanufacture in our country and thatwould so contrary to what you would hearin political rallies there are no twogiant Auto factories being built inMexico there are non-chinese Autofactories being built in Mexico periodnevertheless there is a debate in Mexicowhether we should H want them to come toour country and just H three days ago Hthe ministry of Commerce of China issuedguidelines to EV manufacturers in Chinanot to export their technology tomanufacturing plants abroad to keep itand just send the parts and that’s Chinaplaying the counter game so they theyknow they have a an advantage not unlikethe United States knowing they have anadvantage onmicrochips and that’s something that isimportant for the world to understandthat there are areas in which theChinese now have advantages just as theUS has advantages and not assume thateverything can be overcome just quicklywith more money or with more SiliconValley innovation M so look this is acyber Summit I would be remiss if Ididn’t ask at least one cyber focusedquestion so the US government has beenincreasingly vocal about warnings thatChina is a persistent threat to criticalinfrastructure seeking to preposition onwater power and Telecom networks in theevent of a conflict how much progresshave the US and Western allies made andother allies in bringing um other Asianpartners and allies on board inrecognizing and calling out this threatso I feel compelled to answer thatbecause that was again a big part of myjob was uh working out how how could youcreate more comfort with regionalPartners in the concept of calling outbad behavior it’s it it wasn’t perceivedto be um a natural thing for our friendsin Southeast Asia and Pacific Islands tobe involved in uh calling out theirtheir greatest trading partner in theNorth typhoon for instance well I meanVol typhoon absolutely I mean that’sthat’s a huge issue which has impactedthe us but I’m talk I’m going back a fewyears now when there were all sorts ofincidents you know in Australia we firstcalled out um Chinese activity inconnection with managed serviceproviders the cloud Hopper incident somepeople may remember that goes back to2018 exactly and we tried to getRegional Partners on board inattributing that activity but there wasa degree of um not suspicion butconcerns that their their ownintelligence Holdings wouldn’t be ableto um show the same kinds of activity sowhat you’ve seen and it was great havingthe five eyes partnership here becausewhat’s shifted on that front is you cannow see the level of intelligenceOutreach um cooperation and I sayintelligence diplomacy that’s now goingon between agencies so if you look atthe recent ap40 attribution that tookplace in July this year led by Australiait was very much led by the Australianuh cyber security Center but it hadJapan and South Korea very importantlyon that list and that does show a coupleof things one of which an increasingcomfort in calling out what thosecountries are seeing on their ownnetworks but also very importantly Theincreased level of cooperation andcoordination that’s going on betweenagencies at that level across the regionso I would only expect now to see moreand more Regional Partners get on boardwith these attributions becauseum I may be telling no one anything inthis room that’s new but the fact is inin the region in which I live theChinese are rampant at going throughnetworks and owning you know governmentsystems and and Commercial Enterprisesacross the region and when I say ownedyou you know what I mean it’s a cyberterm um and it’s you know it’s good tohave that in your thinking you know whyis that it’s it’s not that they want tobe caught it’s that they really want tounderstand everything about the way thatyour country functions your decision-making and your future pathway in orderthat the advantage is ultimately heldwith China okay so in the um two minuteswe have left I’m going to do a lightninground 30 seconds each what is the onething that policy makers and politiciansget right about China that doesn’t getenough attention we’ve talked a lotabout what they get wrong but what dothey get right do you think thatactually doesn’t really resonate or getenough attention tariffs and overtariffsTy on Chinese products is something theUS gets right it’s not on Cyber but it’sjust something that is right at anylevel at alllevelsokay Toby my God that’s a a tricky onecan you guys someone else was I thinkthere something clever enough so I I’llgo back to a CET report that we did afew years back um looking at um you knowChinese students who come to the US alot in the tech protect area there’sbeen a conversation about you knowBanning students and limiting theiraccess but the the study that was doneat CET showed that 90% of these peopleeither stay in the US or in the west andwant to be in the west and I think themore we stay open to that thatattracting Talent the better we areJessica yeah I’ll I’ll footstop that andsuggest that you know the BidenAdministration was very clear andsecretary blinken’s speech a couple ofyears ago on China stating that we arelucky uh when students and Scholars uhfrom China and elsewhere come to theUnited States to study and contributetalents um we can talk about how policycould be adjusted especially by Congresson immigration to make them even morewelcome rather than sending them backafter they get their degrees here um butthat’s an area where I thinkrhetorically um and substantivelythere’s there’s a an appropriateemphasis uh on running faster um thereis an approprate there is okay yeah atthe same time not losing sight of thefact that there are a lot of uhabsolutely malign influence and threatsthat we have to pay attention to okayjust the final thing I want to say isdespite you know everything I’ve saidone of the really important elementsthat needs to be in state tostaterelationships during times of attentionis a conversation is a directconversation around these issues becausethe most dangerous part is that you losethat contact um so for me that’s acomponent that needs to be rememberedand and reinforced despite everythingthat’s going on very good point allright thank you very much everyone andum thanks to this panel allright I knew you were super[Applause]I as we enter our final session of themorning please welcome Cecilia KHreporter at the New York Times and ourspeakers Nathaniel Fick the USambassador at large for cyberspace anddigital policy at the US Department ofState and Brad Smith Vice chair andpresident of the Microsoft Corporation[Music][Music]hello can you hearme so hi so we are the last panel in themorning standing between you and lunchthank you so much um and thank you somuch Ambassador and Brad for attendingthis conversation on Cyber diplomacylet’s start off with um sort of anupdate on where cyber diplomstands today and how the Dynamicsbetween the private and public sectorhas evolved um and more recently overthe last year or so and maybe Ambassadoryou can start I think well first of allgood morning uh it’s a pleasure to behere with you Cecilia Brad thank you uhI think the trend line there thereheadlines and trend lines right andevery day in this space brings aheadline whether it’s Vol typhoon orflax typhoon or exploding pagers there’salways something um the trend line frommy perspective is the migration of cyberand Tech diplomacy from the periphery tothe center and a few concrete exampleswe had secretary blinkin at RSA on themain stage uh launching the USInternational cyber and digital strategyfirst time a sitting secretary of statehas appeared at that conference uh We’vetrained 200 cyber diplomats uh and putthem at our embassies around the worldand last example for the first time evera commit to these issues is one of thetop five selection criteria for forcareer us ambassadors so in ourdiplomacy again I think it’s a migrationfrom the periphery uh to really thecenter and the core and recognizing thatit’s intrinsic to everything we do andBrad in your role at Microsoft um I’veseen you sort of take on more of adiplomatic role as well can you talkabout from the private sector how thingshave changed from your where you’resitting yeah I would say two thingsfirst I just want to build on what Bor Fcan I call you Nate for this purposewhat Nate said look one of the mostimportant things I think of the lastyear and last few years is that the USgovernment and the state department areback in the center of multilateraldiplomacy playing a leadership role onCyber issues and that is indispensableto technology and to the world and it’simportant to have not only a positionand a team but you know frankly just agreat Ambassador and leader it’s made aworld of difference for all of us in thetech sector and then second as as younotedCecilia it is not multilateralism forgovernments alone yeah becausecyberspace is fundamentally andtypically owned and operated by theprivate sector by tech companies I dothink multilateralism has becomemultistakeholderism you do see techcompanies showing up offering a point ofview and civil society and so I thinkthat’s where we do our best work it’salmost the only way we can do good workis to bring all three you know pillarsif you willtogether let’s um let’s shift a littlebit to the the threat landscape and whatyou’re seeing today some of the biggestthreats um at hand and maybe Ambassadoryou can start I think when we talk aboutthe threat landscape it’s important tokeep our ultimate objective in mind uhand my view I think our view of theultimate objective is that we have tosustain at least a basic level of trustin the digital world we have to havetrust in our supply chains we have tohave trust in uh the Integrity ofinformation we have to have trust in uhuser privacy we have to Su sustain trustif it’s all going to work uh if it’sactually going to be uh a reliablearchitecture underg guring the 21stcentury economy and underg guring howhumans interact all around the world onevery topic and so if you look at itthat way um then you you sort of turnturn the map around on the adversary andand think about okay what are thethreats to trust uh and the threats totrust are uh fundamentally untrustworthyinfrastructure um that that has no dataprivacy sa safeguards um threats toinformation Integrity in in fundamentalways that that are essential to thefunctioning of a Democratic Society inaddition to all of the more kind ofPoint threats uh on in a particulargeopolitical hotspot or on a particularissue and how about you br what do yousee in terms of that threat landscape Ithink the threat landscape unfortunatelycontinues to become I’ll say morediverse and more sophisticated um andit’s more hazardous um and it reflectseverything that Nate just said and moreum I tend to focus at least on two bigbuckets of issues um one is around cyberattacks you know efforts to penetratenetworks and either steal information oractually put a government or someoneelse in a position to damage and takeoffline fundamentally destroyinformation infrastructure um you knowwe’re seeing 340 million password-basedattacks on Microsoft customers 340million every day that’s not a yearthat’s a day that is astonishing or itshould be and we have to be careful thatwe just don’t become inured to it wetrack 160 nation state ATT haers and youthat does I think unfortunately reflecta a lawlessness in cyers space and thenin addition to that we see increasinglysophisticated frankly cleverwell-resourced cyber influenceoperations um you know fundamentally bythree countries that are in thatbusiness and they’re very good at whatthey do and you this year is a yearwhere I think quite rightly we’re allfocused on the protection of Electionsand we need to be yeah and that’s a goodsegue into the election space and theretwo-thirds of the world will have anelection this year um and the USelections are coming within weeks youjust reported um Microsoft just reportedBrad about um the detection of a Russianback campaign against the the Harriswalls um uh campaign um tell us aboutwhat we’re you’re seeing on the electionside in terms of um threats as well asas um what could be coming there’s a lotof talk about already maybe too soonthat this was not the AI disinformationelection that people feared is it tooearly to say that and what are youseeing down thepipe um well let’s talk about the UnitedStates for a moment because right nowwe’re seeing vigorous activity we’reseeing the Iranians really Target theRepublican Party in the Trump campaignwe’re we’re seeing the Russians Targetthe Democratic party and the now theHarris campaignyou know we’re seeing those twocountries in China I’ll just say share acommon interest in discreditingdemocracy itself um and you know we’veseen starting in May increasinglysophisticated Iranian activity topenetrate Network accounts you know it’sa classic you know Prelude to hack andleak operations if you can steal theemail in June you can use it in Octoberand you can even change the email yougot plenty of months to rewrite it andmake it look like it’s even differentfrom what was originally said um youknow we’re seeing active you know cyberinfluence campaigns the production ofvideos the production of of reportedlyaccurate news stories audio you name ityou know that’s the format AI is beingused increasingly especially for textand and probably most especially foraudio I think AI is hard at this pointto use effectively for video for avariety of reasons but way too or fouryears and that’s going to get harder aswell um and you know the interestingthing about these kinds of influenceoperations is if you want to if you wantto go back to the Steve Jobs adage hesaid every day he worked at theintersection of engineering and theliberal arts that’s where cyberinfluence thrives when an adversary canbring together all of the technologyexpertise and the liberal arts becausethat’s what you need you have to beplausible in order to be credible andhave an impact and that social sciencebackground is maybe even more importantthan the engineering background and theRussians especially have that sure andAmbassador what are you seeing on theglobal landscape in terms of Electionsand maybe you can talk about some of thecoordination you’re doing with theprivate sector on that certainly so uhthankfully we have very capablecolleagues in the US government theDepartment of Homeland Security uh atNSA and cyber command who are focusedevery day on safeguarding the Integrityof of the US election uh the role of thestate department in that regard isprimarily outside the United States ofcourse uh and it really takes two formsthe first is uh conveying a very clearmessage to our adversaries that we viewinterference in our Democratic processas dangerous and escalatory andunacceptable uh and that’s a messagethat we convey bilaterally uh in andmultilaterally in in many places all thetime the seconduh primary role that the statedepartment plays and this really is handinand with Brad’s team uh and others issafeguarding the Integrity of theelectoral process uh among our alliesand partners and uh we’re doing that inmany different geographies to your pointcilia we have elections all around theworld this year uh and we’re workinghand inand um yes on on providingsoftware but also on building capacityand trying to create U more long-termcapability among our allies and ourpartners in anticipation that this uhthat this landscape is going to remainreally challenging for a long time rightand I think that you might havementioned mova as a good example of oneof the Partnerships you have so we workuh kind of uh up and down uh the Easternflank of NATO as you as you might expectuh and and and Beyond NATO and in otherparts of Eastern Europe uh where thereare elections uh upcoming and U theRussians are interested in deployingkind of the full spectrum of theircapability to sway those out everythingfrom direct cyber attacks to informationcampaigns to sort of a an increasingincreasingly troubling uh series ofhybrid attacks that cross over into thekinetic world and that actually dothings that I think only a short timeago um we we would have found umextraordinarily surprising and I wouldjust could I say everybody in the UnitedStates and everybody in the world overthe next six weeks should pay moreattention to mova and that probablysounds like a funny thing to say becauseI think for most Americans it’s likewait wait where’s mdova and the answeris it’s a country the size of Marylandon theSouthwest border of Ukraine so thinkabout Ukraine it’s got Russia to theeast bellarus to the north Crimea that’sbeen peeled off on the Southeast now youhave mova on the Southwest they have anelection on the 20th of October it’sgoing to be one of the most importantelections of 202 24 I think in terms ofwhat it takes to protect a democracybecause they are going to be voting ontwo things one is the leadership of thecountry with a pro-european EU candidateand a pro-russian candidate and an EUreferendum and it’s a country of onlytwo and a half million people think ofit as twice the size of Estonia but akey strategic location it’s a countrywhere the Russians have long had manyassetswe saw a lot of activity against mdovaWhen The War Began two and a half yearsago in Ukraine and yeah it is I think ofvital importance to Nato to Europe tothe European Union and frankly todemocracy so you know it it’s one wherethe world I think to some degree reallyneeds to come together and and protectmova thank you for explaining that soBrad I want to go back to something thatthey Ambassador said which is in termsof threats um trust is really animportant um uh con uh thing that needsto be um earned as well as maintainedand and Microsoft over the past severalmonths has really um endured a lot ofskepticism and scrutiny um of itsability to respond to security andsecurity flaws um in the June hearing itwas you you testified um I don’t need toremind you but you did I remember thathearingyeah yes um again it but I remember theword trust came up quite a bit we don’ttrust you that kind of a thing so whatare some of the Lessons Learned forMicrosoft in terms of its securityapproach to security as you play such apivotal role you also are in many waysum offer so many different Services umto the US government as well as othernations and the private sector um youknow how will you regain that trust aswell as lessons learned from this pastyear well I think the first lessonlearned is just you know I think all ofthe big tech companies and frankly manyof the smaller but critical techcompanies are real targets today um andyou know when you have a a world whereyou see so many attacks every day youknow we’re definitely uh you know in thecrosshairs of some of these countries umand the unfortunate thing for Microsoftlast year was two attacks got throughnow tens of millions were defeated butwe can’t afford two we can’t afford onewe have to always Ure sure that thenumber is zero uh and you know so wereally had to go back to square onewhich we’ve done and just we launched aninitiative the good news is we launchedit last fall we didn’t wait for agovernment report or Congressionalhearing um and are just reworking theEngineering Systems of every singlething across the company and yeah wehave launched the single largestengineering project for Cy Security inthe history of digital technologyroughly the equivalent of 35,000full-time Engineers focused on securitywe just have to keep taking steps as weare we have to keep making progress aswe are uh we have to share I think in avery transparent way the steps we’retaking which we have done and now theprogress we are making which will startto provide shortly and continue on aquarterly basis the good news from myperspective is in some waysthere’s trust and there’sconfidence trust is usually in myopinion focused on whether someoneshares your values do you think aboutthings the same way confidence is aboutwhether they’ll deliver and so I thinkfor us the issue has been in retainingand rebuilding confidence and that’swhat we’re doing great um let’s shift toAI governance and the the work thatyou’re doing Ambassador as well as Bradum globally on that um on that front umas of as of now what we’ve seen is a lotof commitment from different governmentsum on on basic sort of concept of safetywhat is the and and in your role andI’ve heard you talk Ambassador aboutsort of threading the needle betweenInnovation as well as um as appropriatesafety um regulations or safety guardrailsum what is the best argument in yourmind right now for for voluntary AIvoluntary AI safety commitments from theprivate sector and you know how do youbalance what our approach as agovernment has done so far which is noregulations um on the high level um withwhat’s happening in Europe in terms ofthe AI safety act yeah so uh the thepresident was fond of saying don’tcompare me to the almighty compare me tothe alternative and uh I actually thinkof the voluntary commitments in similarterms um voluntary to your question inour view was essential for two reasonsfirst voluntary doesn’t constrainInnovation and make no mistake uh we areinvolved in the early stages of a globalcompetition uh for which metaphoricaloperating system will become thedominant one in key technology areas andI think it’s absolutely essential wethink it’s absolutely essential that arights respecting uh operating system inAI become the dominant operating systemin the world and that requires um theUnited States many of our close partnersand the companies that are domiciled uhand and built uh inside our countries umare the winners um so voluntary isessential because it doesn’t constrainInnovation so much of our influence inthe world now is Downstream of ourability to maintain an edge in these keyTechnologies traditional measures thatwe’re accustomed to like GDP andMilitary capacity or Downstream ofleadership positions in these keyTechnologies that’s one reason whyvoluntary mattered the second reason whyvoluntary mattered is it’s fast and wecould not get into a regulatory swirlakin to the eua act at a time when thetechnology is moving so quickly so theview in this Administration wasvoluntary commitments were a necessaryand important first step toward a uh amore fome governarchitecture uh without undercutting uhthe Innovative power of the of theAmerican private sector and withoutgetting us into a very slow regulatoryprocess they may not be the last stepbut they were an essential First Step uhand so so now we’re working hand inandwith the leading companies um in the G7in the oecd and in in larger and largermultilateral for around the world tocontinue building out that governancearchitecture at the same time if you’llindulge me dolge me for 20 more secondsuh there’s a second track that’s equallyimportant which is ensuring that everyhuman being on this planet has access tothe benefits of uh Ai and we weretalking in the Green Room about somejust incredibly powerful examples nowtranslating 300 pages of Russian textinto Spanish in 10 seconds at the statedepartment I mean think about you knowthe the labor saving benefit of that umuh but the application of emergingTechnologies to alter the trajectorytoward a achievement of the UNsustainable development goals and thingslike climate modeling and agriculturalproductivity so there’s a governancetrack and there’s an AI for good forsustainable development track we need todo both and that said how do you makesure that some of the mistakes if youwill that happened during the the Adventand the the growth of the social mediaindustry um don’t befall this industryas well and and the government’s role solook I I’ll be very clear about this Imean our foreign policy US foreignpolicy on any topic will never be anystronger than our domestic policy onthat topic and uh the US in many fora umis under significant pressure because ofuh what we’ve seen with the socialplatforms and we have to acknowledgethat um that is a a simple observabletruth in our foreign policy uh and toBrad’s point in terms of maintaining notonly trust but also maintainingconfidence I think we as a government uhare going to have to square our domesticand international approachesuh on with the platforms and with AI youknow in no other industry that I’vecovered within technology have I heardsuch polar Arguments for the potentialand the great risks related to um as Ihave with AI Brad and Ambassador how areyou thinking about sort of you know thisis really simplistic but there’s thosewho say that it’s going to the the Doomscenario then there’s the the save theworld scenarios where do you see AIpractically and how are you Ambassadorum talking to your co- um your yourcounterparts around the world aboutthese two different sort of argumentsand Brad how do you as a companynavigate those two different scenariosand the regulatory landscape maybe Bradyou can start well let me try to weave afew things uh together I mean first ofall um yeah I think that there’sprobably a little bit of uh overrexaggeration some sometimes and peopleeither claiming that AI is going to saveevery aspect of the world or destroyevery part of humanity um it’s usually alittle less than that and that’s a goodthing turns out that humans matter evenmore thantechnology um and if you want to put itin context there absolutely is one hugetechnology that was more extreme in bothends and that’s obviously the harnessingof the atom now if you build on thatnotion to me what is fascinating aboutthis past year is personally I believethat what the US government did bothdomestically andinternationally was really provide amaster class in fast moving Globaldiplomacy On a par in my view with whatthe Eisenhower Administration did withEisenhower’s Adams for peace initiativecombining bilateral and multilateraldiplomacy that made it possible toexport nuclear power around the world ona p par with what the US government didsaying[Music]creating they saw that there was onemodel emerging that felt to mostAmericans a little heavy-handed inEurope so they said let’s have analternative the voluntary commitmentsworth remembering that went from thefirst meeting at the White House in Mayto sign commitments in July to concretecommitments it then got translated intoan executive order by August of morethan a 100 page[Music][Music]voluntary commitments in the US thenbecame a voluntary code of conduct forAI developers around the world andcompletely changed the conversation andthere’s a lot that will now be built butthere’s a blueprint and the Heart thingwhen you’re starting with nothing is tocreate a blueprint it is and it it haschanged the whole world including thecountries that are not part of the G7 inhow we all think about what we need toensure that AI can be used and usesafely ambassador to your Iwholeheartedly agree with every word ofthat um Brad thank you and to yourquestion of uh where where are we on theDoom Spectrum um I I think it’s reallyimportant to remember some of the otherideas that were put forward think aboutwhat the alternative courses were to theone that Brad described uh remember theidea of a pause right some sort of aglobal pause on AI development a wildlyunrealistic proposal that would haveresulted only in the responsible actorspausing uh and the irresponsible actorssprinting ahead so uh I think that theonly way that we can have thearchitecture place to deal with themitigation of the really dangerousdownside risks is because we followedthe path that we followed and now atleast there is uh a significant and Imean like dozens of countries uh wideemerging consensus on what governance isgoing to look like and how we’re goingto deal with transgressions well we areout of time we’re all going to watchmova we’re all going to go to lunchwe’re going to after that see Bradtestify on the hill um it’s a thank youso much thank you verymuch okay everybody wait before you gowe have some important instructions foryou um first of all it is time for lunchbut we we want to tell you about yourlunch options first of all to those whowere joining us virtually we’re takingan interm an intermission so please goenjoy yourself for those who are here inperson please select one of thefollowing breakout lunch discussionseach one is Cur created by one of ourPlatinum sponsors or instead of goingand I’m going to tell you what those arein a second instead of going into thosebreakout sessions they all have foodthere’s food everywhere you can alsojust have uh lunch on your own or withyour friends where uh breakfast wasavailable that’s fine too so the threesessions which are on your screen thefuture of cyber safety review board therole of the csrb in a new Administrationbrought to you by Google that’s going tobe in F which is directly across herehere the future of uh building aresilient Nation a public privateimperative brought to you by Splunk aCisco company is in J which is justdirectly over there and finally aninspiring future uh uh future cybercivil Defenders brought to you by Craignew mark philanthropies That’s inmacaroni which is directly across thehall if you are joining a breakout lunchfood will be served in the lunchroom ifyou need any help any of us wearingthese light blue name tags we will seeyou back shortly thank youthank you for joining us for theafternoon session of the Aspen cyberSummit we hope you had some great lunchconversations please welcome ourPanel LED by vas star president andTrustee of the Patrick J McGovernfoundation and our panelists ja BaloChief security officer of Rapid 7Michael Osborne CTO of IBM Quantum safeMatthew sha division lead atand Maria Spiro professor of physics atthe California Institute of Technologyplease welcome thepanel good afternoon everyone thank youuh very much for joining us um you knowI remember when I was a kid I think oneof my obsessions was figuring out how towork around the absolutely limitingComputing requirements of my game boy Ispent a lot of time figuring out how yougot around 40 kilobits and an 8 bit ROMinfrastructure we are today in a worldwhere I think about the same thing rightright like compute is changing and we’retrying to figure out how to get aroundthe elements of what we have and in aworld where so much is happening Ai andall of the other things we think aboutthen there’s the interjection of quantumyet one more sort of moment in timewhere we think about a fundamental shiftin how we think about capacity how wethink about its implications onfoundational parts of our cyber securityinfrastructure and many more topics I’mreally delighted to be with you all I’velearned a lot even in our prep calls forthis I think you will as well um I wantto start our conversation really by kindof Illuminating the boogeyman um if youread the newspaper headlines likeQuantum is here and Quantum is going todestroy everything that we know in theworld of cyber security and trust but Ithink we know that’s not really the caseI think I’d like to start Heather withyou if you don’t mind by helping ouraudience just get a sense of place andmoment in time what’s happening in theworld of quantum that our audienceshould be thinking about what does itmean for cyber security give us a littlebit of a landscape I’m going to come tothe members of our panel to give usadditional color on different elementsof that absolutely Ely so uh to be clearI’m not a Quantum physicist we’ve gotplenty of those on the panel um butroughly what we’re talking about is anew generation of computer and thesecomputers will enable new kinds ofcomputation that have never existedbefore um it will be much faster it willbe able to do more complicated thingsand we have ahypothesis that it will be able toimplement new kinds of algorithms thathelp break the confidentiality and theIntegrity of encryption um particularlythrough uh for example uh Shoresalgorithm which is a a Quantum algorithmuh specifically designed to B to breakpublic key crypto so if that is possibleand I think the if is something we cantalk about today um if that is possiblethen now is the time to get in there andupgrade our crypto but I also hope weget to on this panel why that’s a goodidea anyway even if we can’t get QuantumComputing to work well Heather you’vealready brought us back from the brinkright like I think there is a version ofcyber security and Quantum where youcould sit and say everybody’s telling usthis is something that is about tohappen and we don’t know and we’rescared I think you’ve just shared withus one the keyword hypothesis that thereis a framework of theory that underliesthis and we’re beginning to think aboutwhat actually this means for Preparationand resilience Michael I want to come toyou you you said something to me quiteum interesting just as we were enteringthe room and I want you to share thatthought with the audience tell us abouteverybody throws around the word Quantumwhat are we really talking about yeahunfortunately Quantum is one of thosereally popular hashtags that’s used inmany many scenarios so you have like umQuantum Computing which are the usingQuantum effects for these um morepowerful um algorithm and things um butwhen we talk about postquantumcryptography this is like we considerquantum computers as an adversary andwe’re talking about all of the thingsthat we need to do to protect againstmisuse of that technology and to protectagainst misuse of that technology doesnot mean using Quantum technology so tobe Quantum safe or Quantum resistantit’s not about using quantum computersit’s about protecting against the misuseof quantumcomputers let’s take that g explain likeI’m five okay I I’m I’m apparentlyreally good at explaining things likeyour fives so no I’m just joking um sofirst we should remember that um we havecryptography today it protects all ofour Communications uh it protects thingsthat we don’t even know it’s protectingwhen we use it so when we use Apple’siMessage or Whatsapp we havecryptography protecting thoseconversations or when you’re usingsignal probably a better example and theclue is that those algorithms are basedon foundational math problems those mathproblems for us right now with ourcurrent capacity and and you know uhmathematical pressthey are not crackable they take a verylong time in fact we estimate Sometimessome of these algorithms when used attheir maximum strength would take likethe lifetime of the universe to breakhowever if you had a quantum computerand you’re able to use Grover’salgorithm and Shores algorithm you canactually break the the currentcryptography and instead of taking thelifetime of the universe it brings itback down to a couple of seconds sothat’s why the whole thread of quantumComputing is a legitimate threat and Ishould be clear this is not all of thecryptography you’re using symmetric keycryptography is genuinely uh a bit saferbut we still need to worry about the keyencryption mechanisms and there arecertain algorithms that are also betteroff than others so it’s not all createdequal I’ll let you talk about that in asecond and uh so what I really want tosay is we’ve got a problem we need tofix but there’s also the larger loomingproblem that we have treated ourcryptographic assets unlike every otherasset we’ve kind of you know disregardedthem for a very long time and it’s partof that overall Tech debt we don’talways know what we’re using we don’tknow where we’re using we’re not surewhat’s a good algorithm or a bad one wejust kind of take it with the flow so ifyou actually do a survey which somefolks did of their current cryptographicuse they’ll find really weak algorithmsin the mix that don’t have anything todo with Quantum it’s just a generic youknow not keeping those assets like theway we would treat everything else we umwe joked in passing again in preparationfor this call that there might be ananalog here to the Y2K problem rightthat there is a storyline here that Ithink you’ve all spoken to eloquentlythat our modern version of cryptographyis based on a set of mathematicalprinciples and a human conviction thatthose principles were strong enough thatwe couldn’t build a way to break them inreasonable time frames and now we’veinterjected that into that with thiscode word Quantum the idea that we mightbe able to build technology thatactually changes the underlying calculusMaria I’m going to come to you you’re aprofessor of physics you work on thisall the time is this a reasonableframing what I’ve just shared and if solike what’s next like how close are weto this idea that Quantum will do thisthing that is potentially promised sofirst of all I want to to say um uhthanks to everyone who is here and andThe Institute and my co-panelist who hadvery interesting discussions thelifetime of the universe that Jmentioned is 13.5 billion years just toput it in context for the solutionbefore and after um then I wanted to saysomething about Quantum you hear Quantumfrom uh um and by the way when you havean academic on a panel it means a lot ofwork needs still to be done uh researchwork to be done but when we hear Quantumuh it takes us about a 100 year before100 years ago a century ago withEinstein the photoelectric effect is aQuantum effect that opens and closes thedoors when you pass through um what wehad not and in fact in 1935 quantumtanglement that can be used as aresource protocol in order to havecommunication of quantum information inlinks that areunbreakable unhackable because of thelaw of physics um we was described in1935 and uh they didn’t like it theythought it they called it spooky actionat a distance it was undetermined it wasimpossible so there’s a lot of physicsof 100 years and I want to tell you thatthe physics of the the experimentalphysics of the past 30 years and more umhas shown us that we actually can havestreams of and beams of entanglementjust like we have beams of subatomicparticle we can have Quantum controlnist has proven it with atomic clocksand all these Quantum fuzzy uh um ordramatized things we’re actually doingthe every day and the students havecontrol over that so the magic ofquantum is Mo mostly on the philosophyand the math that are not intuitive butin actuality in practice in makingmeasurement we do it every day now inthe Lots how we’re going to use it um tobreak the uh the let’s say the quantum1.0 world ofthe classical Computing I want to remindeveryone classical Computing has atransistor the transistor works becauseof quantumeffects and uh so it is based on on onon quantum physics in those Quantumeffects there is effects ofsuperposition and entanglement thatwe’re not considering so the many phasesof quantum that we are now need to uhget a gra a grip of heart how theyaffect our technology world are not thetransistor but they are the the the restof the quantum not quantum mechanics butthe rest of the quantum effectsuperposition and entanglementspecifically so to this effect the forthe crypto world and I will hand it ifyou don’t mind too much because theyhave started thinking about that not nowbut in2016 there is a u there is a way thatall our encrypted data that CH told youabout in your Siri in your bankingaccounts every other encryption that weare using which is based onmath if there is a Quantum processingsystem that works in 10 years or in 20years all of this data that is storedthey can be hacked so you can start nowhack later this is why nist and Matt andand his colleagues in 20 16 they saidokay we need to do highly sophisticatedeven more highly sophisticated mathalgorithms and test them and docompetitions and figure out which ofthese are resistant in a postquantumworld can they prove that it will beresistant in a postquantum world no youcannot prove that any of thesealgorithms will not crack but I if youdon’t mind pause you for a second that’sgreat thank thank you first of all yesthis is what we did we gave you a reallygood and heavy lunch and then broughtyou into a physics class like flashbacksto college like I get it this is amazingno no super good and a test afterwardsthere you go but we’ve heard now fourdifferent perspectives on kind of whatmight be and Matt I think I’m going tofollow Maria’s guide here and come toyou for give us some practicalities likewhat is actually out there today andwhat’s your kind of like frame for whathappens over the next three yearspracticalities rarely do people come tome for practicalities um I loved yourIntro by the way because I Metro down Ispent a there you go decent amount oftime on my 8bit Game Boy emulator on myphone so I was overclocking my game boyum all right practicalities soum we’re all using encryption your cybersecurity people uh you are buildingabstractions on top of encryption youmake a lot of assumptions we all make alot of assumptions when we build cybersecurity one of the main ones we make isthat the crypto is good uh it’s thereand it’s working properly and there’s alot of stuff you can’t do in cybersecurity unless you made thoseassumptions you can’t do zero trust youcan’t do secure logging you can’t dosecure code distribution you can’t dosignatures you can’t do identity youcan’t do uh repudiation it’s a lot ofthings you can’t there’s a lot ofassumptions that are made based on goodcrypto okay and we’ve done a great jobat abstracting crypto away from youwhich is the good news but the bad newsis we’ve done a great job at abstractingcrypto away from you and now we’re goingto tell you find that crypto that we’veabstracted away and figure out if youneed to replaceit what we’ve been discussing here isthat um in the future there is a strongenough possibility that a capabilitywill arise that will break ourasynchronous our pki enabled encryptiontechnologies that possibility is strongenough that we as the government workingcollaboratively with the world hasdesigned signed and published newencryption we just what’s published itlast month right yeah August 13th wejust put it out um as Specs open Specsopen standards for industry to build andto implement and to provide back toConsumers Enterprises and governments sothat we can start this long andlaborious Marathon that is ahead ofus to find somebody had mentionedfinding where that vulnerable crypto isfigure out what it’s protecting becausewe were also talking about store nowdecrypt later because that’s your threatmodel you don’t think about keepingsomething confidential the first day youencrypt it you got to think about it thelast day you need it kept secret allright so if you’re in the government yougot classified data 20 25 yearclassifications that we’re encryptingand transmitting over publicwires your threat model is bad guys aregoing to download and beat on it hopeyou made a bad key you’re using thatcrypto that you shouldn’t be using youdid something wrong and if not they’lljust sit on it wait for that capabilityin the future um so 20 years out that’s20 40 what is 20 plus 24 20442045 yeah okay we’re not willing to bankthat bet so we’ve made these specs we’vemade these standards we want industry tostart building them so that then we canstart to procure them and bring theminto our Enterprise so where we areright now specs are out final and readywhere we need to go asindustry to buildthem Enterprises governments to procurethem and transition them and then usethis as the opportunity for all of thoseother good crypto exercises that havebeen done so that’s my very quickly Ijust want I want to just follow thispoint because we’ve talked about ingenerality so many times like what arethe help our audience figure out whatare the canaries in the coal mine whatare the like the weathers of this ideathat this thing that might happen in thefuture is getting closer one of thethings people talk about is thesophistication of quantum computers thenumber of cubits right the whatever itis and those aren’t the right metricsthose are not the right questionsthey’re not okay so what are the rightquestions uh yeahdon’t I don’t know you guys somebodyelse want to jumpin say something I wanted to jump in alittle bit because we’ve and uh we havethis debate with our teams as well weget so focused on this mythical computerthat’s coming in the future that’s goingto break our crypto and we forget thefact that there are cryptographers todaytrying to break our crypto theoldfashioned way and the reality is thatwe don’t have any insight into reallythe weakness of what we’re using today Ithink the the the moment we are in weshould still seize this opportunity butwe should do it regardless of whether webelieve or what time frame we believethe quantum computer is going to arriveum and really the hard part of this isnot the math the hard part of this isyour agility and the ability to swap outyour old Tech to your new so really whatwe should be doing regardless of youknow whether it’s um just good Techniccetb cleanup or we think you know weneed to upgrade for a quantum computerum is the ability for us to just go inand and make sure that you know within aday you could change the algorithm thatyour infrastructure is using nobodyknows how to do that um mostorganizations don’t have even a list ofwhat keys they’ve got and Key Managementis a really big deal um and so I I I Ilove that we’re talking about quantumcomputers but I also want us to seizethis opportunity to clean up the techdebt and the way we operate much of theinfrastructure that that we’re relyingon them good I appreciate that CH I Ithink yes and so yes we have a lot oftech debt no attacker is going toreasonably try to attack thecryptographic algorithms if they haveanother vulnerability they can justexploit yes and so we definitely have tofix all of that stuff but the point isthat we have left we have orphaned tosome extent in from an operationalperspective the understanding of ourcryptography we actually don’t know andI would love to be agile and say we canjust rip and replace but we can’t dothat either we actually need to testthis stuff cuz it’s not a rip andreplace you actually need to see youknow which trade-offs you make whenyou’re going to swap your olderalgorithms for these new ones so I wouldI would really urge you all to start byyou said which questions I think thereare three questions first of all howlong do you need to keep your particularset of data secret how long is itHealthcare data is it just you knowemail stuff like what is it and how longdo you need to keep that is afoundational question that you need tobe able to answer because then you cansee if you’re using AES or if youactually need to swap out algor you cansee what options you have whether it’sjust you know maximizing thecryptographic key length or doingsomething else so I would say that itstarts the conversation with what is ityou’re trying to protect and from whomso how long do you need to keep thatdata secure the second question is youknow reasonably yes there are questionsof how long before we actually have aquantum computer so how imminent youknow to that thread is but even with thestore now do cryp later problem and thenthe third questionis that transition time we suck attransitions collectively we are terriblelike remember that thing that we calledIPv6 once right so we are not great atthat so let’s understand that we are acomplex and dynamic ecosystem of vendorsand consumers and that we really need towork together to actually be able totackle this I think that’s a great pointI think a lot about the organizationalchange necessary for technologicalinnovation I want to stay on that pointif you don’t mind for I think we have afew here that work on implementation Ithink two things that I’ve heard that Ihaven’t gotten a clear answer to one isin this complex ecosystem who is goingto be taking on the charge who’s goingto be responsible for figuring out thecommercial implementations of thingslike standards is that something wherevendors are going to step in and juststart doing that people are going toadopt it probably not where is theorganizational transformation theeducation piece happening and how do youwant to speak to that well I think a lotof it is going to come from the solutionproviders and I think you know I workfor Google you know disclosure there umyou know we are already thinking aboutthis we’ve been thinking about thisparticipating in the NIS process um forthe selection of the three algorithmsthat are out now and you know we willvery quickly be putting that into thesolution set and so the moment that youknow you have the opportunity to usetechnology that has it make thattransition right that’s going to besuper important um and I think you knowI would you know defer back to nist andand and other others who are working onbehind the scenes to provide us with thefoundations for understanding you knowwhat is it we should be looking at yesthis is a testament of how much I lovenist and NSA so I just want to mentionthat the for the frame for the timeframe uh two years ago there was thememo 10 ns10 that was signed for thepostquantum cryptographic systems to beimplemented in the federal criticalinfrastructures in a time period of 10years 2035 2035 not 45 so we have thisguidance but of course nist is workingfor the entire universe the world andfor uh the standards across the globeand the federal government is giving theguidance assuming or collaborating withthe industry uh with the universitieswith the education so all of these needsa lot of togetherness and holding handsum in order to roll out and uh um umit’s important that we keep closefollowing what nist is doing and alsounderstanding because in the emergenceof hybrid systems and yes what we havenow and also what the the new algorithmsand we put it together we have to payattention uh in every industry theapplication and each algorithm is notfor everyone so the industries even thefederal agencies will have to do asurvey of their assets and their needsthe data like ja said the theapplications and how they’re going toimplement each one of these algorithmsbecause it’s not one one on all for allit’s very customizable maybe mat wantsto say a little more did I say it allfor n ah you’re good I’ll save you for aminute yeah Michael I want to come toyou I I want to see if you havesomething that you want to offer on thiskind of who does it and really what isit we haven’t really talked about itwhat is quantum resistant patching likewhat is the answer actually I thinkthere’s a good you made the analogy toY2K so actually if you look carefully atwhat happened in Y2K some people patchedtheir systems but most people actuallyrenewed their systems I’d have aslightly contrarian perspective thatthere are Technologies today where youcan fully automate the the crypto andyou have full agility on Moderndeployment platforms forms not everybodyis going to be able to do that so you’regoing to get a camp where you canmigrate to very agile um deployment umplatforms but then you have a lot ofLegacy and the legacy is in two parts Ithink it’s the communications aspect andI think I see that far simpler than thetrust aspect simply because uh it’s likeparty to party there are a few bigvendors um few standards and that shouldwork I think quite okay but my mainconcern is really the trust trust thetrust in the sense that most companiesmight have an idea of the certificatesthat they issue um but they have no ideawhere these things are validated and thedependencies and things like this andthat that is a much much larger problemso I think you have to break down um thearea that you’re looking at and umpeople are going to need to choosethey’re going to need to choose whetherit’s worth the investment to upgradeLegacy or to to move to something tosomething new and there are new things Ihear an optimism in many of your answersabout the idea that this threatcertainly exists but I’m hearing fromyou that you all feel like we can comeup with a solution to a technologicalsolution to it and I see some nods isthat generally a correct answer I’mgoing to come to you Matt I I think thetechnological solution we’ve been kindof hinting at around here on this panelis the easiest solution we have atechnological solution we have newsignatures we have new cams they willnot not be susceptible to a futureQuantum machine so we have TechnicalSolutions I think it’s trust issues Ithink it’s deployment coordination Ithink it’s Legacy debt it’s riskmanagement it’s prioritization and itsunderstanding which what we’ve beentalkingabout what you’re doing where is yourcrypto what is your crypto doing and howto prioritize it so I feel like if wehave consensus around what you just saidwe have like done more in 20 minutes ofthis panel than like we were supposed todo in the whole time I one objectionokay we’ll come to the objection let’sdo the objection but let’s also use thisas a transition let me back up so allright I take it back your objection toum we have thespecs right okay next step is to get thetechnology yeah so we we need it to bebuilt in product provided by serviceofferers then we’ll have have theability to actually have it yeah pleaseyeah my little obser objection is is umis is that the technology it’s prettyactually counterintuitive the thetechnology and the math that will solvea problem that is manifesting as physicsis uh uh is kind of uh the first stepand the most logical step so that youdon’t have to change the whole Hardwareinfrastructure the physics St to toattack uh physics with math is to attackphysics with its own language andphysics is a little more cunning thanthat there is ways but it’s a more it’smore uh cost and uh completely drasticchanging of infra of infrastructure notonly the keys and the signatures Etc butyour Hardware the way you arecommunicating imagine if you’recommunicating not with uh not with anormal uh uh links with many manyphotons and doing zeros at once butimagine now you’re communicating withentangled cubits and you want to use thephysics itself to avoid the hack or todo the encryption then you need anotherEvolution or another layer if those twothings go together and I think NSA saidthey go with the math first and thetechnology but they do not stop do theresearch in physics and this is what myinterest is very much that because I gotphysics students that want to do physicsacrobatics and uh and the math studentswant to compete with them and do the MAC better right good day so I was luckyenough to be the vice chairman of theEuropean Quantum Flagship for some timeand this is something we really believedin Europe which is a hybrid approachwhere youabsolutely transition from your currentcryptography to a post cryptographicalgorithm that is absolutely withoutquestion in addition to that providingtransmission layer security at the TeloNetwork in addition I want to be superclear not as a single thing on its ownbut in addition an augmentation indeedbut then it has to be ubiquitous thatmeans you have to have pretty much cardsthat do Quantum memory at scale and youwould have something like that we calledQuantum key distribution but then atscale to be like a Quantum Internet andfoundationally transmission basedsecurity across like your entireinternet infrastructure just like likewe said you know we’re not great atchange this is another one of thosethings we’re not great at change and Iwant to say one thing about the hardwareand this is not the quantum Hardwarethis is the classical Hardware we weretalking about unintended consequenceseven though we have algorithms eventhough we have certain Technologies itdoesn’t mean that we necessarily knowhow to build them out right just becauseyou have a protocol specificationdoesn’t mean you build it always a youknow twec and even when you do that itdoesn’t completely obviate the fact thatthere will be side Chan attacks therewill be other implementation failuresand we need to really also this is whyI’m saying we don’t have 10 years wedon’t have we don’t have the time tofigure out what we’re going to do weneed to start now because we need totest this stuff it is not a RI place wejust need to start understanding what dowe use how do we get there um and Iloved Donna Dodson because we did a talktogether at RSA just to try to helpother companies get to this road map ofhow do you actually go to that and askthe right vendor questions but like yourealize that those things are so complexthey’re so hard for organizations to gettheir head around and that’s the realworry that’s why we should start earliersuper good so this is a good jumping offpoint and we have about five minutes I’mgoing to come to questions from theaudience but I want to take our lastfive minutes to talk about let’s holdthe proposition that we know whattechnological responses look like whichwe’ve talked about what does it take toactually get to that future and you’veall spoken to this a little bit but Iwant to reframe the question in a worldin which uhum Let me let me properly say this inwhich political approaches tocryptography have varied widely for thelast 40 years you’re now going into aworld of postquantum cryptographicalgorithms there is a patchwork ofapproaches that we’re going to seeemerge both politically and from apolicy standpoint around how we thinkabout Quantum thoughts are things thatyou want to share about both theimportance of Standards but alsopractice and anything that you want tosay about the kind of geopoliticalcontext of the quantum conversationmaybe I’ll ask everybody to kind of doabout a minute on on this um anybody whowants to offer and Maria maybe I canstart with you you can tie it to trustas well yeah uh sothe so we we do live in a in a veryfast- pacing World politically quiteglobally quite uh um in an oscillatorymode U not stable uh in some sense andthis can be good and bad it can be it isa challenge but it can be an opportunitythe opportunity here is is that if youwant to think about uh your NationalSecurity and uh your leadership and yousetting the standards and when I say allthat I mean the you and all of that isthe US that has been uh first in theprevious let’s say Quantum revolution ofcomputing and internet um then you youuh you get to you get focused solidly onthe road to have results products andoutcomes um kind of first and then uhyou set the rules of the game for therest of the worlduh this is not the the arriving first itdoesn’t mean that you are adversariallystopping anyone else but you are usingyour resources talent ingeniousness andexpertise uh to to get there and youretain the focus in the executionwithout being adversarial with anyoneelse then you set the rules and if youset the rules of the game it’s a goodthing that gives you then the standardsare standards at this moment thestandards I think that you published umChina and we had an a full a full panelon that is going to muddle it up and notaccepting it and do their own and so allthe other countries they have eitherunseen French and in France and uh so onthey are they’re getting the same thingsthat n is providing pretty much maybe aperfect transition that yeah so I meanthe yes thank you right the uh we worktogether right the uh I mean in thecurrent state of encryption just overallis it regardless or irregardlessregardless regardless of pqc thank youum this is how it is there’s NorthAmerican encryption um it is generallyusually sort of accepted globally um umbut there are National encryptionalgorithms that are used by individualNations so the vend diagram is not acomplete overlap but it’s it’s it’spretty heavy the goal being industry canImplement a much smaller set ofencryption in their product so there canbe Focus there can be learning there canbe testing um and then they can sell ona global market so nist very muchrecognizes that it is a Global Marketfor industry so when we designencryption like we did for pqc weinvolve as many people around the worldas possible so the participation we hadin the design and the development wasfrom 26 countries um six out of sevencontinents um people from industryAcademia and other National authoritiesworking with us side by side that thenallows them coming to trust becausepeople then trust those algorithms andbecause they trust them because they sawhow they were designed saw how they weredeveloped saw how they were tested theycan then accept them and when we getthat level ofacceptance we open up a market at aglobal scale that really does help withtransition so we can get product intoour infrastructure so trust is criticalwhen it comes to crypto algorithms trustis done through inclusion participationand transparency and so that’s how wemodel love the Triad that’s great likeyeah slightly different perspectives I Ithink if we not from that just generallyit’s because I’m fully fully alignedwith that essentially that if we try andgo front foot on changing crypto withoutagility we’ve done ourselves adisservice and we’ll end up in a worstplace so the target needs to be agilityand Agility is 90% other things it’sknowing what you’re using so links withsecure software supply chain things likethis so it’s a lot of it about awarenessa lot about tweaking things that youneed to be doing already because if yougo to C and say you got to be changingyour crypto now and you said they’regoing to ask them well do I need toprioritize that over the AI attacks Ihave now and stuff like that so you haveto align with the things that you needto do and you get 90% of the way thereand then swapping the algorithms shouldbe should be fairly straightforward andthen it doesn’t matter matter so muchwhat those algorithms are essentiallyand I think bit this is where thepreparedness comes in now thepreparedness to be agile is so valuablewe have time to prepare now if theevents happen that we we end up in aQuantum era there will be no time toprepare and the consequences will bereally much much worse than thananything we’re thinking about now itfeels like things move slow until all ofa sudden they have to move fast and wehave the chance to actually change thatfair enough J yeah so I I actually thinklike I mean there’s a lot of really goodpoints that were already made so I’m notgoing to rehash that but what I do thinkis really important for us to recognizeis stuff is going to break to that pointof agility so we need to be prepared forthat breaking but the question is how dothey break right is is it breakingbecause there is a technical issue is itbreaking because there is a you knowincorrect implementation issue but ifthat’s not the case and they’re breakingbecause there’s going to be ageopolitical ask on you to provide somemechanism to you know somehow try toweaken or break or not use thatcryptographic algorithm because you haveto use something else from a nationalperspective I think these are the kindsof ethical aspects that we need to askourselves they ethical legal societalaspects that we need to understand whatkind of world do we want to live in anddo we have a choice when we want tooperate in geographies that may not beour own so I think that there is a realneed for us to have that discussionopenly we’re not really having it Ithink a lot of the points aroundtransparency are really around us beingable to understand the need to dobusiness with the trade-offs you make todo business in a particular place and Ithink that we we really should be veryupfront for specifically formultinationals that we all rely on howthat actually workspractice great Heather we’re going tocome to you we’re going to have time forone or two questions if anybody wants tocome up to the mics please go ahead umHeather for for your thoughts the thething I can’t get out of my head in thisconversation is do we have a completethreatmodel and we’re very focused on you knowthe version. 1.0 of a quantum computerthat can do Grovers orShores but the the the way we thinkwe’re going to use this Tech is probablynot how we’re going to use this Tech andit me means that other things are goingto be found and it means that you knowin 2035 if we were to do this panel wewould all say wow that really surprisedme I didn’t think we were going to dothat and just keep in mind if in ahypothetical scenario we had perfectlyrolled out postquantumcryptography what do you think theadversary would be incentivized to donext maybe back door your algorithmsyour code your supply chain your pagersI mean you’ve got you’ve got to makesure we have a complete threat model Ithink agility is so important for thatreason because it could be we aretotally wrong and we have to changecourse Midway yeah super powerful thankyou I think we have time for two let’stake them both together and then we’llhave the panel respond do you want tostart us off yeah my name is ScotBennett uh CIO for multinational 25billion Revenue Fortune 200 company myquestion is when is the timing rightit’s when do you think something’s goingto hit and kind of impact us knowingthat we’re going to rely on the vendorin the ecosystem a lot but what timingshould we be preparing for Good Veryeloquently but I tried to get them to ananswer I couldn’t succeed let’s see ifyou do let’s take the other question aswell hi um I’m VG Comcast so I I heardthroughout this panel like U thisassertion that we should be looking tomigrate to pqc even in the absence of aquantum computer because we don’t haveas much guarantees uh regarding theexisting classical algorithms that existso this just kind of think U curious asto what is the panel’s take on when youwhen you start implementing pqcespecially in a hybrid mode there areother security concerns that come up sofor example if you implement pqc in DNSSEC uh DNS SEC already makes DNSamplification at Haw you startimplementing pqc that you know thesignature sizes are so big DNS amp uhDNS amplification attacks become muchmuch worse so I’m trying to understandlike what benefit do you think we getout of implementing pqc if there’s nothreat from quantum computers becausethere are all these other securityproblems that uh that we have to dealwith and I don’t think we have anygreater Assurance in pqc algorithms thanwe have in classical uh uh algorithmsthank you all right we’re going to dothis a lightning round two questionswhen might this hit two how do we thinkabout the cost benefit analysis ofpotential second order effects ofimplementing pqc now who wants to jumpin I’ll go first yeah um the US federalgovernment says now is the time okay ifyou wrap your brain around when themachine iscoming that’s a very difficult argumentor discussion but the government is notwilling to take the bet that we areoutside of a 25-year window with dataand information that is eitherclassified or that the government hasbeen entrusted with by the nation so forthe US government we have said we willtransition by 2013 35 so that’s ourthat’s how we’re looking at it on thesecond piece um hybrid mode for cams notfor signatures you’re going to blow themup if you do that so signatures andespecially things like DNS secc might bean edge case where we might needsomething else potentially but let’s seehow well mlss Works in a DNS SECdeployment but hybrid signaturesprobably are not going to be the thingto be implementing going forward one ortwo more comments super quickly on thewhy now just because I think anyadversary who would have any capacity tobreak either even the current algorithmswithout even a quantum computer isn’tgoing to tell you that they can breakyour stuff so they’re not going to warnyou listen change your cryptographybecause I can read all your messages andtrans you know like get all yourcommunication so the notion is thatbecause of the the scale of uh where weare now with the potential to scale upuh with everything that we’re buildingthere is a notion that the adversary mayhave an advantage but not reveal it andtherefore we should beprepared just one quick thing I thinkwith agility crypto agility will be acore cyber security hygiene Factor youneed to go there regardless of whathappens go there first and theneverything else is much simplerafterwards go ahead pleas second so it’sit’s it’s 10 years ago it’s not now I’mI’m applauding n that they started this10 years uh 2016 it’s not exactly 10 butit’s 8 years ago this whole thingstarted and I appreciate your questionit’s a boardroom question now itelevated from the so it has become aboardroom question uh but I amoptimistic because I think Chromealready is putting camps on Chrome appleis doing that as well uh the the majorindustries are taking this seriously sohow the whole world is going toimplement it I want to make the pointthat we all have look at ourselves howmuch how many passwords and encryptionkeys and how many vulnerabilities do youhave on your accounts at all times anduh educate the the new generation ofmathematicians applied mathematicianscomputer scientist physicist that arehave to work together educate them onthe important of security confidentialthe triconfidentiality and security and andavailability because you don’t want tostop the availability of your resourcesof what you’re doing we had ex we heardall these examples this morning thankyou that was 30 seconds sorry thesolutions will start coming rolling outfrom vendors like Google over the nextcouple months seiz the moment especiallyif you are a mid transformation mid middigital transformation of any kind mypersonal opinion is I’m going to take2030 off 20 there you go um thank you toour amazing panel we’ve learned a lotfrom you I’m going to spend theafternoon thinking about how I usequantum to overclock my Tetris it’sgoing to be great thank you all somuch we now welcome to the stage KirstenTodd president of wondros for aconversation with Harry Coker the WhiteHouse National cyber director and CraigNewark founder of Craigslist and CraigNewark philanthropies[Music]good afternoon everybody uh it’swonderful to be a part of this panelwelcome uh director Harry Coker of thenational cyber director’s office andCraig Newar founder of Craigslist andCraig Numark philanthropies uh thank youboth for being here this panel isimportant for many reasons uh butespecially because the government andphilanthropic organizations have beenspeaking deliberately for over 10 yearsabout how to work together what is therole of resources of nonprofits how canthey be resourced to really help thefederal government execute strategiesand how can the nonprofit sectorallocate resources to support thefederal governmentyour office Harry and your work Craighave a lot of different priorities andare focused on some obviously criticalissues but specifically the CyberWorkforce and today we’re talking aboutindividuals we’re talking about humansand human behavior and so we’ll startreally with the the foundation of all ofthis which is uh cyber security which ispeople and each of you has created andhave developed important campaigns andefforts really focused on people and howwe’re engaging people in cyber securityso I’ll start with a very broad questionuh I’ll start with you Harry uh whatrole uh does the individual from yourperspective and from where you sit inthe White House have in cybersecurity well as you said everythingstarts with people and uh everyindividual has a responsibility if youlook at the national cyber securitystrategy we talk about two big shiftsand and the shift that directly appliesto people is moving responsibility orrebalancing responsibility for defendingcyber space uh from those that are leastcapable to those that are most capablebig Tech federal government and the likebut that does not absolve the individualfrom their responsibility to defendcyber space so we all have thatresponsibility uh we all need to beaware uh just yesterday we were inWestern Pennsylvania um Rural Americaand we had a discussion with how cybersecurity applies to folks all over thecountry cyber security is not a big cityproblem it’s not a national problem it’sa every one of us problem regardless ofwhere we live or what we do for a livingit it impacts every aspect of ourquality of life so individuals have asignificant responsibility what I liketo say do the right thing that’s what wehave to do and Craig from yourperspective what role does theindividual have both for themselves andfor the country yeah we all the extentwe can need uh to protect ourselves ourfamilies our homes like on an ongoingbasis uh Mrs Newark is a monitoring mymother-in-law um but beyond that welljust like in World War II everyone whocan play a role defending the countryshould be doing so um my dad fought inthe uh Pacific behind a desk but so do Iright now my mom learned bookkeeping sothe bookkeeper could presumably pick upa rifle and uh head overseas so the dealis that we uh all should do what we’recapable of doing uh when I was raised inthe 50s patriotism was a normal andexpected thing and that’s what we’retalking about now uh patriotism as areal and vitalthing and so when we think aboutpatriotism and we’re looking looking atNational Security Harry you mentionedthe national cyber Workforce andeducation strategy and you use a term inthat digital literacy and looking atcyber security awareness and if we thinkabout patriotism if we think about eachof our responsibility and accountabilityin this space how do you look at Harryin in this uh strategy the term digitalliteracy what does it look like for youand um what do you want to see it evolveinto first I want to touch on patriotismsince we did that and then I’ll get todigital literwe we have a campaign that’s ongoing nowservice for America it’s a Sprint acrossthe country to make uh us all aware theopportunities to serve America viacareers in cyber security Ai and bigTech and the key there is cyber securityuh enhances our economic Prosperity ourtechnological innovation and ournational security so you talk aboutpatriotism that’s engulfed in in cybersecurity Now shifting to digitalliteracy uh we do need to be clear thatthere’s a difference we we look at theYoung Folks nowadays and they’re playingthe video games to go oh they know cybersecurity no there is a differencebetween um being app Savvy and beingcyber security Savvy uh again I’ll goback to Western Pennsylvania where wemet with some high school studentsyesterday and we asked them uh how didtheir interest in cyber security getpeaked and one young person uh said thatthey were playing on their video gameand it got hacked and that’s why thatperson wanted to get into cyber securitybecause someone had invaded thatindividual’s space so they’re learningthere’s a difference between beingliterate in an app in video games andbeing literate in cyber security that’sone thing we have to know the otherthing is we need to reach further downthe education system and teach youngfolks and not so young folks about cybersecurity uh it’s a it’s a an area that’snot going to lessen in terms of thethreat it’s always going to be there andpart of what I’ll call literacy is isbeing aware we need to know that thatthreat impacts all of us all the time sodifferentiate between apps and cybersecurity there’s a huge difference andyou make a really important point and wewere talking about this in the luncheonpanel about human behavior thatindividuals like to see themselves wherethey want to goand if individuals at any age whetherit’s young people older people uh it’suh elderly it’s looking at differentgroups when you when they can seethemselves in cyber security not justfor careers but they can see theirability to do more to be empowered to domore through Stories We were talkingabout all the scams and things thathappen and people are ashamed to talkabout it but the more we share whensomebody who’s uh playing a video gamegets hacked and talk about theirexperience the more we make thiscultural we have a greater opportunityfor change and I think that that pointin the strategy in particular is soimportant absolutely and you talk aboutthese stories and sorry another storyfrom Western Pennsylvania that’s top ofmine um first off when we asked th thoseuh Young Folks you know what got themwhy are they’re interested they wantedto serve you know they have a sense ofcommitment of taking care of otherpeople themselves and others so that wasimportant but a specific example was ayoung man uh who had been a chef uh gottired of those 16-hour work days and hetransitioned to being a dispatcher forthat County uh Public Safety uh systemand he recalled taking a phone call froman 80-year-old Widow uh who had just uhbeen victimized by cyber fraud and shelost everything that her her latehusband worked for and he he took thatcall and he heard and felt her pain andwe we can only take so much of thattrauma that he took and and that’s whenhe decided that he wanted to transitionto cyber security so that he could helpprevent uh that type of victimization umagain of individuals and entities thatare or what we call um uh Target richand cyber poor that that 80y old widowum who was left essentially defenses incyers space and that’s what turned himaround goes to another Point Craig umyou’ve been Aon uh proponent of cybercivil defense and you’ve supported thatwith a lot of generous commitments canyou explain how you Define Cyber civildefense it goes to individuals who areon the other end of phones it is how dowe help build up resilience incommunities well the deal is that we alluh are responsible for our own uh cybersecurity but if you have the skillsmaybe it’s time to give a hand tosomeone else who can do something likethat so uh I’m working with the uhConsortium of cyber clinics with thepublic interest uh cyber securitynetwork and with some of the existinggroups of volunteers who help protectour uh country’s uhinfrastructure uh larger organizationsmay have the uh staff including the ITstaff to defend themselves and also toprepare for what happens when things gowrongresilience and yet there’s a lot of itstaffs and a lot of utilities around thecountry and so on who just don’t havethe resources to protect themselves orrecover and so that’s why I’m you knowfunding people as part of this uh publicinterest Network to uh to get the jobdone Craig what does success look likefor you when we’re thinking about cybercivil defense what are you hoping toachieve by supporting theseorganizations and what would be anoutcome if that you would see and feelthat a real impact had been made um asan engineer I would prefer metrics but Iuh I don’t see them possible the idea isthat everyone should feel comfortablenot helpless in the sense that theirstuff isprotected and that stuff which is on anational basis is protected in betweenthat uh our adversaries are not going tobe able to cut off uh our water or powerand sometimes in the event of a naturaldisaster at least they can recoverreasonably quickly from that you make avery important Point we’ve had sometremendous conversations today and thismorning and this afternoon about framingthe risk and understanding that there’sconcentration of risk understanding alittle bit more of the risk landscapebut what we haven’t talked a lot aboutis that urgency for Solutions it’s howif we understand the risk how are wegoing to mobilize our country how are wegoing to mobilize individuals at thecommunity and local level to helpEmpower individuals to do their part tobe cyber Patriots to be cyber civilDefenders uh Harry you talked a littlebit about the service for America effortwhich was just announced on September4th going through October and it’sreally a fantastic effort to engageeverybody in service defined by helpingin cyber security and I think what’sreally valuable to this is It’s openingthe aperture for what an inclusiveWorkforce looks like it’s engagingdiversity of thinking but if you couldtalk a little bit about the programitself and what you’re hoping to achievewith it our metric um and we canquantify it uh today there are nearly500,000 open cyber jobs in America uhthat number is way too large um and it’snot because this great nation of oursdoes not have the talent it’s because wehaven’t sufficiently uh sought outtalent in different areas um we haven’tuh inspired that Talent developed itretained it so part of service Americaand part of what we articulate in theNational cyber Workforce and educationstrategy is to develop multiple Pathwaysso that every American regardless of uhtheir upbringing uh where they live ortheir social economic status and anydemographic you want to put in there itdoesn’t matter every American uh needsto know that they have a pathway uh tomake contributions to this nation uh viacyber security uh individuals do notneed uh computer science or evenengineering degrees as a matter of factdon’t need fouryear degrees to make acontribution uh service for America isall about creating those Pathways uh forall of us to make a contribution uh toto defending this nation and to againsecuring our economic Prosper prosperityI think what’s so important about howyou’ve laid it out as well is we oftenthink when we’re building the CyberWorkforce that we’re talking aboutengineers and scientists which are veryimportant sitting next to an engineer uhit’s critical for that for those rolesbut we also when we look at cybersecurity we’re looking at problemsolving and Building Solutions and themost impactful and effective way that wedo that is through interdisciplinaryapproaches and so when we’re morecreative in how we’re attractingindividuals to this space and it goesalso with different iversity of thinkingneurodiverse individuals who are nowbuilding uh llms and AI that areoutpacing What machines can do and howwe’re looking at including more people Ithink it becomes very powerful forservice what I also think is importantis you’re defining service to be muchbroader than how we see it and I’d liketo ask both of you because you mentionedInspire Craig you’ve talked about informwhen we’re looking at informing andinspiring individuals to service what doyou think are the key elements toinspire individuals to come into cyberand to come into this service to thenation to protectit you well to start we need to letpeople know that they’re not helplessthey can all do something to protectthemselves and the country so we’reannouncing this uh program pause takenine based on observations that ifpeople look at something which might beuhwrong uh that they pause for a momentand reflect on how uh how wrong thething uh might be so that’s one of thebig announcements we’re making uhtoday you may have already heard aboutthe other big announcements should Ielaborate sure please um uh sure in theabout a year ago I committed to both a100 million for uh cyber security forthe country figuring that should reachinto2026 similarly and separately 100million for military family invets I’ve uh spent[Applause]both I’ll remind people that I’m I’m anamateur at this stuff which is mybiggestAdvantage um because I have permanentbeginner’s mind I guess so right now I’mcontemplating and have announced anotherhundred for cyber security my problem isthat my thinking is 5 to 20 years outand I’m 71 so at 20 years I’m going tohave to conduct due diligence viaSeance and I’m going to have to startfunding uh high bandwidth Ouijaboards or maybe I’ll just haunt peopleuh in addition I’m considering another1004 military families in vets uhseparate issue but the deal is to dosomething that matters and then to keepdoing things that That Matters to repeatwhat’s been done for example a lot ofpeople here have announced really goodprograms and now I’m bugging them toremind the public that they exist and toneverstop and I’ll just offer that rumor hasit your campaign launch film ishappening at 2:50 p.m. today do I have acamp launch film so adult before breakso adult uh Harry when you think abouthow to inspire I mean you are gettinginto the communities through your jobyou’re seeing communities schoolsorganizations and you talk about some ofthe things that you’ve seen that areinspiring people for service what do youthink we need to be doing to continuethis message to inspire individuals toserve the country through cyber work theCyberWorkforce well one of the things isfolks need to understand that uhcyber really is a significant threat tothis country uh it it really is and Idon’t mean to be the boogeyman but I domean to be realistic uh the threat isreal um I know FBI director uh Rey madea significant announcement today aboutanother um Network that was taken downuh a network that was intended to do asall ill will um similarly in January uhwhen we testified before a housesubcommittee and we talked about uhnation states going after America’scritical infrastructure not forEspionage purposes uh we we all know uhNations spy okay uh but our criticalinfrastructure was was put at atunacceptable risk and we all need tounderstand uh that acceptable risk meansjust that um if we’re not inspired todefend our loved ones and our homelandbased on the threats that uh n nationstates put forward uh towards us uh thenI’ll be challenged to inspire us but uhwe also need to be inspired by theopportunities that the digitalFoundation brings uh to America and theworld frankly um again this digitalFoundation is about economic prosperityand technological Innovation so I amnormally uh I’m told I’m a gloom anddoom kind of guy and and I don’tapologize for that um but I I recognizethe goodness that uh the internet uhbrings forward as well and we need tomake that available uh again to everyGlobal Citizen and we can start by doingthat here inAmerica an underpinning of that is thisresilience piece to what you’ve talkedabout and Craig a lot of your organizthe organizations you support you’reabout activating communities uh in cybersecurity can you talk more about yourapproach to resilience and the role thatan individual has in protecting criticalinfrastructure you talk about utilitiesand how we need to get individualsempowered to demand more from criticalinfrastructure and it’s not actually abig a huge Bridge um that we can Empowerindividuals at the community level canyou talk more about your approach tothat well there’s uh two parts in a wayuh finding people who are good athelping others protectinfrastructure uh like there’s the JoshCorman I’m the Cavalry thing Jake Brunhas something going at University ofChicago um but the deal is that we allcan play a role in uh reminding peopleat utilities and so on that they do needto play their role in uh protecting usthey all need to be their own Championsmaybe with help and encouragement fromregular people uh meaning that well bigutilities have a staffing most of thecountry though is covered by smallutilities and otherorganizations and we’re going to be inthe position of asking overworked itstaffs to do better and better jobs interms of the protecting themselves sopart of this will’ll be recommending toeveryone what everyone can do to protectthemselves like measures against fishingpassword managers updating your systemprotectiveDNS but for the most part we’re going tobe asking everyone to in the nicest andmost respectful way to remind it staffsthat they got to do the job ofprotecting their own stuff uh I’m goingto be I plan to tell everyone wellremind the it staffs and if they pushback and resent it and they will theycan you can blameCraig and I guess I’m assuming thatthat’ll happen and I’ll just I’m justready for it the deal is everyone knowswhat they need to do we just need tostop feeling helpless at all and remindourselves of what our parents orgrandparents did in World WarII we’re going to open it up forquestions before doing that though Ithink this concept of service of givingback you you each represent and haveserved the nation in your unique waysHarry certainly through the Navy andyour current role Craig through yourwork as an engineer and now what you’regiving back in the tremendousannouncement today so we it’s animportant reminder that we really canserve in different ways serve the nationby investing in resilience and that thepower exists in each of us and I thankyou both for the service and for your uhthoughtful remarks and I think we’llhave time for one or two questions ifthere are any from the audienceand if not I have many sothink I’ll ask ohyes I think there’s amicrophone hi there my name is ky I’mhere rookie mistake hello everyone myname is Kaye I’m here today with anorganization called cyber Collective wea nonprofit that helps people understandthe impact of technology and how toprotect themselves online and I justwanted to say thank you to the paneltoday this is really interestingconversation to hear and obviously we inthis room totally have aligned valuesand why we’re here today a big part ofwhat we do at Cyber Collective leveragesMutual Aid in our approach so empoweringpeople through solidarity to navigatethese broken systems and I just wouldlove to hear maybe another story or twofrom all of your perspectives on thosemoments within the the critical negativeimpact that happens how um how you haveable been able to support people withinyour community your families umonline Harry do you want to talk aboutsome of the work that you’ve gotten somegreat commitments from organizationswith the strategy and um that might helpto share some of that yes u in terms ofcommitments uh from variousorganizations and at the risk ofsounding like the president of thewestern Pennsylvania Chamber ofcom you’re you’re kind of doing a greatad for everyone’s going to start goingto Western Pennsylvania um PennsylvaniaCyber security center right now they arepartnered with 10 local high schoolsteaching Juniors and seniors about cybersecurity helping them get theircertifications uh so they’re defendingand learning earning and learning iswhat it’s called sometime so that’sgreat that they’re doing that but theyhave made a commitment um by 2026 toexpand from 10 to 69 high schools uhacross eight counties in WesternPennsylvania um uh I was flabbergastedbut delighted uh by that goal so that’sa great way to help us help us anotherone uh since I’m running for officethere in Western Pennsylvania uh MercyHurst University in Erie um justannounceda a dual major program for their umtheir um their students that are on theautism scale it’s it’s a dual program uhneurodiversity U folks that have certainskills that can contribute to our safetyum and again our prosperity so you knowthat that commitment to develop thatprogram again to to go places that wetypically don’t go to recruit Patriotsthat are capable of advancing the causeuh you ask how how we can inspire peoplethat that inspires me uh to know that wehave caring entities that are are areworking to help us help us and I’ll justoffer I think Mercy Hurst has one of thebest engagements for neurodiverseindividuals and it would be great to seemore colleges really look at how to openthe aperture for Education because thathelps us to build out the cybercommunity Craig uh you’ve done so muchwork with or organizations that arethere to help people when they need helpand also to work with communities andbuilding resilience any highlights foryou in response to the question aboutwhere some of the the great work isbeing done where you’re seeing impact uhsince there’s only one of me and barelythat I’m building a network of networksof people who can oh get the work donein specific areas so like uh um I’veasked the folks at girls who code tocoordinate and work with peopleproviding education K through 12 and toprovide serious uh cyber securityeducation there frankly there is aseparate project through Aspen onWorkforce Workforce Development andothers the idea is that uh building anetwork ofnetworks which is the only thing I knowhow todo you do it quite well yes indeed asyou both do uh we’re all out of time Iwant to thank both of you for your timeand for your service and congratulationson the announcement thankyou we are thrilled to share today’sAllStar Sports panel please welcomeBetsy Cooper director of the Aspen Techpolicy Hub her lineup today will includeReynold Hoover Chief Executive Officerof the la28 Olympic and Par OlympicGames Gia Thomas founder of diverserepresentation and Eric Tark senior vicepresident of of the National HockeyLeague please welcome the[Music][Applause][Music]panel hi everyone good afternoon we knowthat cyber security should matter moreto Ordinary People as we just heard andwhat better way to do that than to getpeople thinking about how cyber seccould affect their Sports so we’ve got agreat panel here today Eric G Reynoldthank you so much for being here let’skick this off by just asking whatexcites you about the promise oftechnology and sports and what keeps youup at night Eric starting with me huhwell thank you for having us it’s uhvery happy to be here what better tostart a sports panel than a panel fullof lawyers right uh so here we are nobut what excites me is I will tell youum anyone and I know everyone’s a fan ofthe National Hockey League so everyoneeveryone in here that’s a hockey fanknows uh really the diffusion andevolution of technology that we’re usingum different distribution channels theway that uh whether it be streaming towatch a game or whether true fans canreally get data and information from theplayers not just social media but I meantheir performance data and and how allof that comes together uh is somethingthat really excites us and reallysomething that opens up differentrevenue streams for us awesome G whatabout youum hi everybody thanks for having me umso one thing that I think really excitesme right now is social media um I thinka lot of I represent a lot of athletesand a lot of them depend heavily onsocial media to build their brand andbuild their audience and there arealways new apps coming out newdevelopments new changes in the socialmedia space um that I think is reallyexciting um so that’s what I’mspecifically excited about and I thinkalso there are a lot more opport unitiesnow for athletes to create their ownPersona um digitally than there was inthe past they don’t have to depend onthird parties as much anymore you knowthey can just log on and you know createtheir own app or stream or podcast orwhatever you know that is available soI’m really excited about that um thatathletes can now do a lot on their ownwithout depending on other people tobuild their brand um and what keeps meup at night is a lot of them don’t knowwhat what they’re doing a lot of timesso that makes me a little nervous um soyeah there are a lot of mistakes thathappen along the way um and they’re notalways the most techsavvy people so thatkeeps me up a little at night aswell well uh first of all Betsy thankyou for having me I should point outhowever that when I was a Cadet at WestPoint I took for TR so I’m up on all thecomputer things the latest technology soum listen I think the thing that excitesme the most from the Olympics and whatwe’re doing at La 28 is we look at whatwe saw was done in Paris for both theOlympics and Par Olympic Games and thenwe think about the possibility of whatla28 can do and what can happen in fouryears from now I’m reminded of you knowwhen I was a a second lieutenant in theArmy back in the day in early 80s whenwe were carrying around brick cellphones and thought we were the coolestcats on the Block you know and and thetechnology has evolved a h hundredfoldsince then and so when I think to theFuture what I get excited about are anumber of things in the terms of oftechnology and that is how can we whattechnology is going to be available toenhance The Fan Experience as theyexperience the games right and where arethe new and cutting edge things that wecan do so that you know as you talkedabout you know following the F followingthe player on the field of play orgetting engaged with the actual eventitself right um and you talked about thesocial media for the athlet eles tocontinue to increase their profile allof these things are stuff that we’relooking at in in La as we think aboutyou know what is in the future and uhyou know we’ve got some people that aresuper smart in technology just thinkingabout like what is that thing that’snext what is next for the Olympics andhow can we use technology and leverageit I think what keeps me up at night isuh I think about the the high profile ofthe Olympics and the higher our profilejust like any other sport as it getshigher in profile then we become more ofa Target and so we have to be really onour toes and and actually one step aheadof the of the Cyber actors who are outthere who you know want to disrupt notonly the games but sport itself andthat’s what keeps me up at night wellhope you’re all just a little bit scaredbut not too scared because we’ve donepretty well so far but so what makesSports different when it comes to cybersecurity so G maybe I’ll go to you firstare there any differences from a legalperspective I don’t think there are aton of differences from a legalperspective um but I do think there aresome different some there are somedifferentiating um characteristics withregards to athletes as opposed to theaverage Joe I mean when we’re talkingabout athletes in cyber security a lotof athletes we’re talking about you knowmulti-millionaires so I think the themoney piece is something thatdifferentiates a lot of athletes fromthe average person and also influenceyou know professional athletes have alot of influence on society so more sothan the average Joe as well so I thinkthose are two very distinguishingqualities when it comes to athletes asopposed to the average person that ifthey’re hacked or if you know theirpersonal information is at risk there’sjust a much higher risk there um and alot more to lose I think than theaverage person that makes a lot of senseand Reynold you were getting to thepoint about scale as well and obviouslythere is a vast games ecosystem so helpus understand how big of a challenge youreally have have heading into La 2028yeah thanks so uh you know the LA gameswill be the largest uh peacetimeGathering ever it’ll be the largestgames ever we expect somewhere betweenuh 10 and 15 million fans upwards of15,000 athletes will come to LA to be apart of that uh we have more games thanany other Olympics we’ve added fiveOlympic sports and we’ve added one parOlympic sport to the to the agenda uhwe’re taking over UCLA as the which willbe the Olympic Village for us we’ve gotincredible iconic venues that are allover uh LA and so from a scaleperspective if you put it uh uh you knowwe’ve got about 800 different uhsporting events that will happen we’realready coordinating across uh a numberof federal state and local lawenforcement agencies to think about umuh the law enforcement challenges HarryCoker on the previous panels a friend ofmine we worked together uh in a previouslife and you know we’re already workingwith the White House on Cyber issues andcommerce on Cyber issues so you knowthere’s that piece of it um and when youyou know to maybe to put it in a littlebit of perspective uh it is like runningand coordinating Seven Super Bowls a dayfor about 16 daysstraight and so when you think of thatand then you think of you know theimplications of cyber to that it’s notjust uh you know the fan who worriesabout you know the ticketing websitegetting hacked or you know some otherevent part of the game you know theirexperience getting hacked there are somany applications of technology in thegames think of uh you know timing we’vegot a great partner with Omega who’sbeen doing timing you know I a very longtime probably since you know I don’tknow I’m joking when I say this is theearly games 1896 you know but Omega isthere and and so timing becomes isimportant think about accommodations andtransportation and all the things thatmake those games happen and theexperience not just for the fans but theathletes as well and so you know when wekind of put all that into perspective Ithink from you know cyber becomescritical to everything we do not onlyfrom a a fan engagement but also uh theathletes and Par athlete par Olympicathletes on the field so Eric talking ofthe fans imagine you’re actuallyspeaking to to the average fan and soyou know I have a huge family uh historyof being Buffalo Sabers fans so uh andmany of my family members probably don’ttake the appropriate cyber precautionsso how would you explain to them thethreat posed by Sports if there’s poorcyber security sure thanks it’s uh sowhen we we try to tellpeople in larger terms to manage theirrisk and everyone can really picture thearena with 20,000 people in it you putthose people in a confined space withlimited exits and everyone from a normalperspective gets to see or canrealize uh the dangers that are inherentto that environment and I’ve told peoplebefore and and in some instances ourplayers who I would I would engage inthat social media sometimes um I tellthem imagine if everyone that was inthat arena is walking around with alltheir personal data taped to their backon a piece of paper and how attractivethat Arena would be to a malicious actorto get in and just start cultivating allof that data and it normally willtrigger at that point because I thinkeveryone is used to uh the physicalsecurity issues that we face and thateveryone out there faces andtraditionally we’ve faced uh butsometimes it takes that analogy toreally see what those cyber risks aregreat analogy uh and I think as youthink about the number of people at theOlympics you can grow that even uh muchfurther so so G let’s talk about theperpetrators so who are the perpetratorsthat you’re most worried about and whatdo they care about are they activistsnation states individuals seeking to getrich quick who are you thinking aboutwhen you’re thinking about perpetratorsyeah when we’re thinking about athletesI think it’s definitely the latter umthey get rich quick folks um who want tocome after athletes who they know youknow like I said are are thesemulti-millionaires and it’s a way forthem to to get rich to get money um so Ithink from the athlete perspectivethat’s who’s you know we’re mostconcerned with Eric what are youthinking about and I’ll add to that hasgambling changed that as gambling hasbecome more widespread there areobviously opportunities to bet on gameshas that affected who you are thinkingabout when you’re thinking aboutperpetrators I will say it’s veryintuitive the short answer to that isyes um I think ja’s absolutely right wewe break those up into really threetrantas um the f that that that look atthe Players but believe it or not um andsomething I thought was interesting umfrom the government perspective thatmany in this room are from is that weactually do have some issues with nationstate actors uh being an internationalgame athletes have an internationalprofile I don’t need to tell rold thatwith the Olympics or G who deals withthe the athletes um but you’d besurprised how many times nation statesuh and some in particular that you couldprobably think of look to and I’ll use aa term punish a potential athlete whomay take a geopolitical stance that isnot uh congruent with what that nationstate thinks someone from their countryshould be doing um so on that side it’sit’s large and something from a leadLeague perspective uh we try to preventthreat education with our players um onthe other side of that though um yesthere the the other big risk is that uhmalicious angry actor who really youcan’t watch a sporting event now withoutseeing someone try to motivate you tobet on it um and the malicious actorthat really will pursue that athletethat official really because theybelieve it is their fault that someonemight have lost x amount of money and soyes with the rise in gambling um ThePlayers feel the pressure our officialsfeel the pressure our league Executivesfeel the pressure and so it runs fromthe potential of a nation state all theway down to that angry person fromSuburban DC who just lost a lot of moneyand soill can just yeah can I just pileon for just one second um so uh I thinkthat that really raises an importantpoint and so you know we partner veryclosely with DHS with siza and you knowthe the concern not only of I’ll justcall it the goober in the basement who’syou know trying to do something stupidum but all the way to nation stateactors right and it’s not just they’retrying to get into our system and dosomething nefarious or you know take ourmoney or steal our data and whatever itis but there’s another aspect that wesaw in Paris and that is disinformationcampaign and and you know the Russianswere very active in Paris doing tryingto do dis disinformation to disruptright and so the point of all of thatfor me is this is uh you know a teamsport cyber security and it is a we needto partner with the federal governmentwith DHS and sza and commerce and FCCand white house and others because noneof us the whether it’s the Olympicorganizing committee and la28 or the NHLor any other organization we don’t havethe resources to fight against anddefend our networks against a nationstate actor and it is got to become ateam sport and I will make a pitch forinformation sharing uh you know I spenta little time in the intelligence worldand and other and and uh you knoweverything was so super secret and youcouldn’t tell anybody well you know andwe’re still I think in that Arena ofeverything is so super secret in thecyber world and you don’t need to knowyou don’t need I don’t need to know howyou found out if you’re in thegovernment how you found out what youfound out all I need to know is how areyou going to help us and partner with usdefend against the threat or recoverfrom it and I my plea and I think mypiece is that it is not just trying tosteal our data it is now thedisinformation piece that we have to doand we cannot do it alone it requires apublic private partnership and itrequires open and honest informationsharing sorry I get off my Soap Box noit’s a great soap box so building onthat when most people think about sportsgetting hacked they’re thinking ofwebsite hacks they’re thinking ofticketing scams but take us inside theactual sporting event are you worriedabout actual results of sports beingmanipulated for instance what about goalline technology automated scoring systemcould systems like the automatic uh uhline judges for Hawkeye and Tennis bemanipulated to change results how areyou thinking about that Eric may startwith sure absolutely I think um it’s ait’s a good spot for me to give somecredit to our the League’s technicaloperations team um I think would rivalsome of the the the tech operationsteams and some major corporations inthat um as you see all those whether itis goal line technology it is re play umwe do use even the same the Hawkeyesystem um we’re watching we’re layerlayering data over on our players andthat stuff is coming back both toMedical committees it’s in-game stuffand everything what I will say is it’spretty good from our perspective um howwe localize that right we set up our ownlocal area network and those things arereally closed off I am not going to saythey’re air gapped they are closed offright uh to a certain extent but you dohit on something that’s very importantthat’ll tie us back to an earlierquestion that data though and I thinkrand’s right it is really a little bitabout what they can do with the data andone of those things is protecting wherethat data goes and making sure it’sconsumed by the right people goesdirectly to the Integrity of our gameand if that data in those systems getout and there’s loss of confidence therethat loss of confidence means there’s anIntegrity issue with our game and thatgoes directly to even legalize gamblingright someone gets information thatothers don’t it’s almost akin to thefinancial services sector um and theinsider trading hypothetical and so wereally focus on that and make sure thatthe data is protected where it needs tobe Health Data obviously things likethat and then the game data is reallybeing consumed by those who it’ssupposed to be consumed by because thatcould affect the Integrity of our gameand then ultimately when that starts towhen we start to lose that piece thatdefinitely affects the revenue piece andReynold building off of that artificialintelligence is the buzzword of the dayand where we are today it’ll be verydifferent by the time we get to 2028 soare you thinking about how artificialintelligence could affect the Integrityof sports for instance you can imaginePhoto Finish Line the photos beingmanipulated at that point of entry howare you thinking about challenges likethat yeah look I think uh what we saw inParis was that we can protect the gamesuh and it but it requires as I mentionedearlier it really requires a partnershipeffort and it was a all handson deckeffort in Paris to defend the networksyou know it’s a bit air gapped it’s aclosed Network and so we are veryconcerned about you know the Integrityof the sport and the safety of ourathletes and the safety of our of thefans that attend um and making sure thatwe can protect the data and keep that ininbound and the right people are gettingthe right data right so you think aboutwe have about 25,000 broadcast castersand media people that come to theOlympics it all funnels through the iocthe the international broadcasting uhpart the I holds that and so there is alot of data but we’re trying to andwe’re trying to protect it and we do itas as I mentioned earlier as a teamsport fabulous so G other high-profileincidents in this space have involvedthe hacking of athlete Health Care dataso uh Simone biles Serena and VenusWilliams their exemptions for drug usagewere revealed when the world anti-dopingagency was hacked so how should we thinkabout athlete protection in this spaceyeah I think um in terms of athleteprotection in the space I think one ofthe big issues is a lot of athletes relyheavily on their teams um all athleteshave a team you know they have an agentattorney financial adviser assistant umand they rely heavily on these people tomake decisions for them you knowaffecting their their daily life theirdecisions and they’re not all always abreast of what’s going on are thosedecisions being made um in a way thatthey should be so I think that’s onething um I think a lot of just athletesI mean they should depend on their teambut I think there’s still a lot of roomfor just education and them being moreeducated about issues like this um andnot just solely relying on their team toyou know deal deal with something likethat any tips any of you would share forthe athletes who might be out herewondering okay now what should I do stayoffline yeah much to to J Chagrin youknow look I I’ll just say you know uh assomebody who’s had a number of fakeFacebook pages and they’re still outthere um it can happen to any of us youknow I used to we would tell Generalofficers when General Millie was thechairman you know General Millie is notyour friend on Facebook um I would justsay uh you know what I would advise isuh be careful of your social mediafootprint and what you’re putting outthere um because you never know whatthey’re going to grab where they’regoing to take it and what they’re goingto do with that data whomever it iswhether it’s a nation state actor or thegoober in the basement and so I wouldsay it’s really an education and and youwant to be on social media look it’svery important to their brand theirpersonal brand it’s very important forus in terms of Team USA and you know sothat’s I get that it’s an importantthing but you got to be smart about itand that’s what I would say to ourathletes is be smart about what you’redoing and how you’re doing it punch lineoh sorry if it’s too good to be true itprobably is they back off of that too Ithink a lot of athletes are reactive andnot proactive they wait until somethingbad happens on social media to thenreact you know and I think a lot ofathletes need to be a little bit moreproactive um and think about worst casescenarios ahead of time and plan forthose ahead of time as opposed to justreacting when something bad happens umand also now with regards to socialmedia a lot of athletes now um hire outthird parties to handle a lot of theirsocial media so they have you knowthey’re companies who just focus onposting a on social media for athletesthat’s all they do um they create thecontent they post the content um andonce again A lot of times athletes don’talways know what’s going on um so onceagain just staying a prize staying abreast staying educated um are otherpieces of advice I would give them so onwe’re entering the streaming era um I’dbe interested actually raise of handshow many of you still have broadcast TVin yourhomes wow okay uh so what are newchallenges you’re experiencing inbroadcasting Sports in the streaming eraand how are you thinking about cybersecurity in that space um I will tellyou right out of the gate the streamingpotentials and the what they’re callingthe distribution channels um haveevolved 10 fold and really as aseverybody knows in sporting leagues youknow you’re doing 8 to 10 year contractsfor distribution rights um it’s creatingan internal Tech Challenge really to seehow those rights how the league willsell those rights how the league willpackage those rights will be distributedthings like that um but it really is abenefit to our game in that it allows usto reach different audiences and notjust by an age demographic right itallows us to reach different audiencesit allows us to do different things andagain I know I keep bringing this backbut allows us to tap potentially unusedor undiscovered in the past RevenueChannel channels uh with all of thatsaid similar to our league though umwhen we put a lot of faith in thosedistribution channels we’re putting alot of faith in thosethird-party operating techniques and andwhat their cyber uh protections are umwe all know you know the the ability forone of those distribution channels topromote or broadcast uh for that betterterm one of our games during a majorevent um you know losing that even for aminimal amount of time you know you’retalking about advertising uh impacts andthings like that so the challenges aredifficult and and we attack those reallylike any responsible organization wouldand we have very heavy third-party uhvendor requirements when we go intosolicitations for that um we have agreat broadcast and partnership teamthat that digs it their heels in forcertain things as we look at thosedistribution channels uh but we’re we’reexcited for where that’s going uh butwe’re not I’m not quite sure yet we’vediscovered all the potential pitfalls inthat area fair enough we might have timefor an audience question so if you dowant to ask a question feel free to getup for the microphone um overall we’veactually seen a lot of success inpreventing attacks Paris Olympicsresounding success Super Bowls have gonevery well to what do you attribute thesesuccesses so Reynold maybe I’ll startwith you on this one I think it’s prettysimple it’s early planning it’s partnership and it’s information sharingfantastic what about you J any thoughtson that I wouldagree um I I’ll tell a story that maybeillustrates that if we have time I’lltry to keep it quick so a few years agouh anyone that’s a Colorado Avalanchefan uh you know the Colorado avalancewere in a uh in the Stanley Cup Final umand if you’ve ever been out to ballArena you will know that it sits at anintersection of multiple colleges it’s avery large campus in downtown Denveruh the night of game five of our StanleyCup Final was also the night that theSupreme Court released the roie Wadedecision a few years ago um busy daybusy day uh having nothing to do withthe National Hockey League but havingeverything to do with uh differingpoints of view throughout the countryand one of which uh was concentratedright in downtown Denver which theirCity Hall happens to be about threeblocks from our Arena where tens ofthousands of folks decided to take itupon themselves to uh protest which wasgreat and they decided that the closestand most or the the largest amount ofmedia cameras were actually down thestreet at ball Arena um uh at theStanley Cup Final um and so I will tellyou that they started to make their waydown and that’s a long story to say wewere able to avert with greatPartnerships and it goes right back tosomething that Rand said which is umit’s a team sport and partnership theleague looked at that and worked withour Arena and actually we issued ashelter in place for the arena but nevergot to the point of stopping thegame um we had really no control to doanything outside of the arena and reallyhad to rely on um the Denver PoliceDepartment the PD and really some of theorganizers and the discussions that werehappening with City officials to say heywe understand you’re coming for themedia attention but let’s try to keepthis separate and all those parties dida really great job and I think thesuccesses are really distill down to towhat we talked about here which issharing the information uh not holdingback and thinking that anything isproprietary in that space um and reallytrying to trade best practices as forlack of a better term as best we can umand really focusing on the fact as asrold said it’s a team sport to reallyattack these issues fantastic well let’sbring in the audience uh pleaseintroduce yourself and ask your questionhi there I’m Jessica gck commissioner ofthe US cyber team we’re a travelingEastport team representing the nationinternationally in hacker games um andwe fuse athlet Athletics and cybersecurity together so very excited aboutthis panel thank you guys for being hereum my question to you is it sounds likea lot of success in the sport uhindustry in terms of infusing cybersecurity what would you say is thesecret to that success in terms of whenwe look at other organizations it can bevery challenging for us to talk to ourboards our employees Etc to take amindset that is more secure if you willsecurity by Design what do you think aresome of the reasons why you’re havingsome of the success that you have and wetalked a bit externally what aboutinternal to your organizations which Ithink is the direction the question isgoing are you doing anything inside tospread the word about cyber securitythat might make it moreeffective I’m happy to jump in soJessica thank you for that question Ithink it’s a great one um twofold yesthere is a challenge um one of thethings is that unearned confidence on asingular solution right we do the samething I have the same challenges comingup and saying hey it really has to beabout the business rules cyber is a is avector but we can’t just take out somecyber insurance or buy one solution andgo there but the success really is wehave a focus on prevention througheducation we just continue to hammerthat message that you talk about andcontinue to show that you know for Le atrit phrase of cyber hygiene and BR tostill that down and really try tosolidify those business rules so thatwhen we overlay the technology we canfind those successes and so far it’sworked and one thing uh to add to thatis you mentioned boards and it’sincredibly important to have cybercityrepresentation on boards and to be ableto grow that knowledge not just withinparticular audit committees but acrossthe board as a whole so I think Sportshave done an excellent job because ofall the threats they’re facing and otherorganizations could learn from that aswell let’s take one more question hi myname is Rafael sder I’m with Reuters umI wanted to follow up Etsy on uh aquestion that you asked about sportsbetting um I think Eric you’d said thatyou’d seen some sports betting relatedmalicious cyber activity um has sportsbetting LED and maybe this question forJ too um has sports betting led to anincrease in cyber threats or a new kindof cyber threat and can you give anykind of detail as to what that mightlook like you want me to start or youwant to start I could talk for hoursabout that it’s out of my Lane so that’sto you too uh the short answer I willsay yes but it would look familiar toyou from um different threatprofiles um it our are our realtargeting issues are the fact that uh itreally Falls in that malicious actorcategory right so um it’s really nottrying to obtain data because what we’redoing on the other side from what youknow for for a quick promotion the NHLEdge right we’re putting out all thatanalytical data we’re trying to put itout to grow the fan base to see thatpiece and that’s also though the datathat people use to develop Trends andsee where the Wagers go and things likethat but we do see a lot of folks withum in a nice way to say uninformedopinions where they think either thatlike we script the outcome of gamesright at that level or really theofficials Trend he should have did itthis way right so and then that turnsinto some significant I’ll just sayharassment as Gia talked about on thatsocial media profile you’re talkingeverything from standard doxing andthat’s where your threat profile looksthe same right but we’ve hadofficials uh their their children’s cellphones and location of of where they’regoing to school put out on social mediauh we’ve had some real vitriol towardsplayers all with that perception thatthey did something specific to that thatgambler’s wager um when really it’s justthe competition of the game so we seenew stuffbut it looks a lot like the old threatprofiles frightening thanks for sharingthat story that’s a good cautious taleand makes you understand how much theathletes are really in front of thesesituations so ja I’ll start um thisquestion with you we’re getting towardsthe end of the panel if you could changeone thing about the intersection ofsports and cyber security to make iteasier to shore up systems to make iteasier to protect Sports what would youchange uh I think from like the athleteperspective I know they both talk talkedabout um just from the athleteperspective I think a lot of athletesthink cyber security is a really bigword um and a lot of the the terms thatare associated with the space just seemlike really Out Of Reach just a littlebit over their head so I don’t want tosay if there’s a way to like dumb itdown a little bit sometimes but to maybejust make it a little bit more plain forathletes I think would be really helpfulbecause a lot of them still don’t reallyunderstand the space umand rely on on their teams to help themnavigate the space so I still thinkthere’s a huge lack of education forathletes when it comes to cyber securityso that would be my um recommendation tomake it a little bit more plain and uhto make the information a little moreeasily accessible for athletes well oneof the great things about some of thecyber security education work that CraigNewar and others are doing hopefullythat will grow that uh field Reynoldwhat about you what would you change uhinformation sharing public privatepartnership it’s the only way to go it’sthe only way we’re going to beat himgreat Eric um so I I think what J saidis I wholeheartedly agree with and Ithink it’s important to note just forthat education piece when you put aprofessional athlete in a room I thinkeveryone in this room would be surprisedum and and forgets just how young theyare and so you’re talking about kidsreally for the most part that make upthese teams and I think you’reabsolutely right the education pieceneeds to be strengthened and the otherpiece that I would I would really liketo focus on is is what I mentionedbefore is that it’s very difficultJessica this goes back to your questionthat unearned confidence in a singlesolitary solution right education isn’tjust the solution but it’s a pathway tothere and too often we’re still havingthose struggles of trying to get folksto understand how to really Harden thosebusiness rules what technology and thatit is a holistic solution and not onesingle piece or one single thing thatyou can do fantastic and a perfecttransition to my last question which iswhat is your bumper sticker takeawayfrom the panel can you give us onesingle sentence simple phrase that theaudience can take away about theintersection of cyber security andsports Eric you’re closest to me so youhave to go first all right I’ll give youone one single sentence rold said one uhbut it really is not about the dataexfiltration it’s really about thecontrol manipulation it really dependson what your perspective is from eitherside protector or malicious actor okaywhat about you J I like the terminformation sharing so I’m gonna go withthat well you can’t take it nowold soyou’re gonna have to pick a new phrasewe’re out of time so thanks for comingfolks uh no uh there’s two bumperstickers on my car the one says come toLa 28 and see what’s next the otherbumper sticker says it’s a team sportlove it that’s a great note on what Denthank you so much for being[Music]here and now for a special presentationthe launch of a national publicawareness campaign designed to show usthat we have more power to protectourselves than we realize[Music]the principles which guide my work areto treat people like I want to betreated and patriotism is about doingwhat you can to help protect the countryand the people in it our adversaries areattacking us already online through theinternet you go back about 30 years anduh people knew that there would beWarfare of some sort on the net but Ijust didn’t have the imagination to knowhow good people would get atmisinforming others and that peoplewould do a lot of this in such a waythat really hurt people now there is anational security Twisted this becausebusiness these days requires theinternet as critical infrastructurestructure good actors need helpsometimes protecting themselves onlinewe’re beginning to get people to worktogether to protect each other and toprotect the entire country when it comesto cyber security what I want to seehappen is that a lot of the people inthe country are taking good measures toprotect themselves and their familiesand help people runningutilities uh keep our infr structuresafe and resilient I do have a lot ofconfidence in Regular People the deal isto tell them it’s not hopeless andhere’s how they can play a part[Music]this is theemail this is the email from the bossthat George opened up though it looked asmidge funny this looks a smidge funnybut I’ll open it up this is the emailthat George opened up and launched theattachment that infected his hard drivethat zipped to the servers that got intothousands of otherdevices that stole the identities thepasswords the banking information thisis the email that spread to the serversthat got into the grid that fried theTransformers this looks is smidge funnybut I’ll open it up this is the emailthat you can stop if you pause for just9 seconds and take[Music]9 and think before you download beforeyou share before you act this is thepassword that you can strengthen thesecurity that you can add the IT personthat you can call this is the chain thatyou can stop if you pause and take ninefor yourself for everyone[Music]and time for a short break umRefreshments are available in the lobbywe’ll see you back here at 10 after3 welcome back from the break we aredelighted to introduce Garrett graphdirector of cyber initiative at Aspendigital for a conversation with LisaMonaco Deputy attorney general at the USDepartment of Justice please welcomeGarrett and[Applause]Lisa water is right behindyou good afternoon everyone uh thank youfor joining us after the Break um I’mGarrett graph from the Aspen Instituteuh Christy Canelo who is the uh seniorofficial performing the duties of thedeputy secretary of the Department ofHomeland Security was supposed to bejoining us this afternoon we should sayyou were mandated to use that cumbersome sometimesyes uh uh but unfortunately she is uhsick today and so I am pleased still tobe joined by solo Deputy attorneygeneral Lisa Monaco thanks for having meso uh Lisa I want to start off todaytalking about some of the news that isunfolding today from the Department ofJustice about flaxtyphoon uh and uh director Ray mentionedit a little bit this morning but Iwonder if you could give us a little bitmore detail about what has transpiredand uh what action the justicedepartment has taken sure well first ofall thank you Garrett for doing thisconversation thank you Aspen digital andVivien and the whole team for puttingthis conversation together um I’m I’mreally glad you asked about this becauseit’s another example of the Departmentof Justice working with the FBI with theNational Security division with all ofour partners both here and uh abroad totake the fight to our cyber adversariesand that’s what we’ve done again todayfor the second time I should say umGarrett second time this year that wehave taken action to disrupt a statesponsored in this case a Chinese hackergroup state sponsored hacker group thathad established a wide ranging Globalbot nut and the hacker group here we’recalling flax typhoon has been labeled soby the security community and what theydid was operating through a company inBeijing which was really just cover forthis hacker group to launch this botnetthat had infected devices more than200,000 devices globally including uhmore than half here in the United Statesand we’re talking consumer devices likecameras like DVRs um and we’re talkingrouters uh andtargeting critical infrastructuregovernment entities um universities youname it all to uh conduct maliciouscyber activity and what we did in ajoint sequenced operation which I thinkis becoming a Hallmark of the type ofwork that we are doing in the JusticeDepartment to really pivot to disruptionto prioritize disruption to use everytool that we can to go after ouradversaries prevent disrupt and holdaccountable and importantly to putvictims first uh and that’s what you’reseeing uh here again thank you very muchum and you know the the point here isyou know we always we’re prosecutorsright we’re going to bring criminalcases when we can but that’s not theonly tool in the toolbox and where wecan take action to prevent to disrupt uhto prevent the next victim we’re goingto do so and that’s what we did here byusing technical knowhow using legalauthorities to um remove remove thatmalware from those devices and disruptand wipe out that botnet I say secondtime in a year because uh this comes uhafter earlier this year we conductedanother joint sequent operationsequenced operation on vault typhoonanother PRC state sponsored hacker groupthat in that case uh had infected umrouters a lot of inhome routers um anduh that was really the assessment inthat case was uh really to lie and waitto um potentially launch very disruptiveuh and chaotic operations at a time andplace of their choosing um potentiallyto respond uh to a conflict in Taiwan orsome future time so here again the themeis disruption prevention putting victimsat the center of our strategy and that’swhat we’ve done againtoday we’ve been Craig Newark wastalking earlier today about you know theneed to sort of bring cyber securityhome to the average American um likewhat is the average American care abouta botn net that China has built that youguys have disrupted like why should thatmatter to the average American well II’ll say a few things in that regardGarrett one it’s your router your inhomerouter it’s your camera it’s your DVRwell maybe not your DVR butum that is potentially being infectedthat’s point one point two is in thecase of volt typhoon we are talkingabout state sponsored actor lying inweight in our critical infrastructure inour own devices to potentially launch adestructive attack a disruptive attackum at a time of geopolitical conflictthat has real potential impact uh on uhevery American citizen in the case ofthis most recent operation FL typhoonhere again our own personal devices umin many cases being compromised by anation state actor uh and used as coverto conduct all sorts of malicious cyberactivity right it could be um uhexfiltrating confidential information itcould be uh to conduct other types ofdisruptive activity so uh what thatmeans uh for the average American is uhcriminal activity disruptive activitygoing on in their uh in theirpotentially in their devices and and itis part of a broader ecosystem thatmilitia cyber actors are using let meswitch and talk a little bit aboutelection security for a little bit heretimely yeah um you have been veryoutspoken on foreign threats sort ofthroughout this election season you havelived in your career The Arc of foreignthreats to our election you were at theFBI when uh China hacked the Obamacampaign and the McCain campaign youwere at the white house uh in asHomeland Security adviser when uh Russiaattacked the 2016 election um how do youthink about the threat landscape for theelection this fall first thank you forthat trip down memory lane um so look umlet me zoom out more broadly and say thethreat and environment very broadlyspeaking um uh is today um the mostcomplex and I think aggressive that I’veever seen uh and you pointed um that I’mnot new to this world uh and why do Isay that we’ve got more diverse set ofactors acting more uh aggressively allfueled by uh technology um and inparticular of course AI when it comes tothe election security uh space theelection security threat uh I thinkwe’ve got again a more diverse set ofactors um in in play here they areacting more aggressively they are umdoing so in a much more polarizedenvironment than we’ve ever seen beforeand they’re utilizing more and moredisruptive technology uh to do all thisuh and when I think about the electionsecurity threats you know we kind of putthem in a few different buckets I thinkif christe canalo were here um she’dwant to be talking about electioninfrastructure um we’re going to talkI’m sure more about foreign maligninfluence that’s another of coursecategory of threats that we are veryconcerned about uh and then uh somethingthat I think we all should be veryconcerned about is a semi- new entranceum in the threat landscape and that’sthe threat to election workers these arephysical threats of violence um and uhintimidation that we have seen anunprecedented and really disturbing riseuh in threats to election workersthreats to public officials of of allstripes and that’s something I seealmost um disturbingly on a daily basiswhen I receive reports from the field Iget something called urgent reports umuh every almost every day those of youwho are uh justice department veteransin the audience know what I’m speakingabout these are reports from the fieldfrom us attorney’s offices around thecountry sending in Urgent reports for myreview for the Attorney General’s reviewand what I’m seeing on a more and morefrequent basis is those reportscontaining reports of threats ofviolence to public officials to judgesto prosecutors to law enforcement agentsand yes to election workers that couldbe State uh election officials these areuh folks who are elected um to do theirjob all the way to election workers whoare simplyvolunteers volunteers to help us go tovote to exercise our most fundamentalright the rightthat after all protects all the otherrights so these threats to electionworkers are something that uh I think weuh need to be and have been very veryfocused on when it comes to the impacton uh the potential conduct of theelection because it’s intimidating uhelection workers from Simply doing thattheir job and that’s uh unacceptable sowe’re seeing when it comes to tacticseverything from Miss and disinformationabout for instance hacking into uhregistration databases and shout out tosisa and the FBI who last week issued apublic service announcement about uh thepotential for that type ofdisinformation uh to seow uh Discord anda lack of confidence in the electoralprocess to foreign malign influencecampaigns which I want to get to I hopeum next uh to this threats of physicalviolence to election workers um we’vealso seen uh outrage political violencein this cycle um and and I wonder if youcould talk about the JusticeDepartment’s reaction to the uhattempted uh seeming attempted uhassassination attempt over the weekendabsolutely I mean I just talked aboutthe rise in threats to public officialsand there’s no more Stark uh anddisturbing example of that than uh theuh attempt an assassination against theformer president back in July uh and nowum the apparent uh attempted assassination again uh just over the weekend inFlorida that investigation is very muchongoing U but uh let me say this uh veryvery clearly first of all thank God thatthe former president is safe uh and thatthere is absolutely no place in thiscountry for political violence not inJuly not last weekend not now not everit’s absolutely unacceptable and what weare doing is everything we possibly canboth to address the broader uh challengeof threats to public officials and thenwith respect uh to this investigationvery much ongoing we are in the uh verybeginning days only a few days into thisinvestigation the full force andresources of the Department of Justiceare working on this investigation theFBI uh leading this investigation veryheavily engaged across a whole set ofdifferent resources our prosecutorsengaged um and we will spare no resourceto get to the bottom of what happened umcoming back to talk about the foreignthreat landscape we have seen sort of ahost of uh actions by a wide variety ofadversaries over the course of the yearum China with the spamf flage Network umlast month uh the FBI said along withthe the rest of the intelligencecommunity in a joint advisory that itattributed the uh uh Iran as theperpetrator of an attack on uh theformer presidentcampaign um and then just yesterdayMicrosoft came out with a report sayingthat it’s seeing Russia pivot itsinfluence operations against the Harriscampaign um I wonder if you could talk alittle bit about the informationoperations side and sort of what you’reseeing and how you’re trying to combatthat sure so a few things really I meanyou mentioned the history of formalineinfluence operations from China in 2008to uh Russia 2016 to today and obviouslyuh intervening actions in in 2020 aswell with Iran um as I said at theoutset what we are seeing is a moreaggressive and diverse landscape thanever before fueled by uh technology andum having a lot to work with when itcomes to feeding off our own internaldivisions now um what we are seeing inparticular is uh and I will call out anumber of uh nation state adversarieshere but starting with Russia and Iranboth accelerating uh their efforts toinfluence uh the presidential campaignsum and we are seeing all of the majoractors in this space Russia Iran Chinausing AI to fuel their foreign influenceuh campaigns covertly and online um justtake a a few examples uh Garrett um lastweek we um announced the uh actions thatwe have taken to expose in particular uhtwo campaigns um uh directed by Russiauh foreign malign influence onlinecampaigns in the first instance uh whatwe did is expose uh a Russian Statemedia Outlet RT that has been funnelingmillions of dollars into and throughshell entities to a US company uh toco-oped unwitting American commentatorsto push out Russia aligned andpro-russia propaganda all in an effortto sew Discord to feed off our internaldivisions and also in this electioncycle to undermine our support forUkraine so we’ve charged uh two Russiabased Executives of the RT State mediaoutlet with a um conspiracy to violateuh the foreign agents registration actand other charges then we also exposed aPutin directed uh campaign to use aproxy company orwellian Le named thesocial design agency this is a proxycompany directed um from the Kremlin uhto push out AI generated content throughfake uh websites masquerading andmimicking uh legitimate news sites butuh nevertheless fake pushing out AIgenerated content again designed to sewDiscord uh to feed off internaldivisions um and in the case of uh whatwe’ve shown in the social design agencycontext to really Target specific blocksof Voters specific voter demographics umwith pro- uh Russia narratives and inthat instance this is another exampleGarrett where we didn’t bring uhcriminal charges what we did is uhdisrupt the internet domains more than30 of them that were being used uh by uhthis um uh Russian Pro y uh company toto push this these narratives out umrendered them inoperable using lawfulprocess and disrupted and exposed uhthis activity and I have to shout out tothe dni here for this is a real changefrom the last couple of years being verytransparent very clear about what we areseeing from U malicious actors andhostile nation states in this space umand you already mentioned uh Iran butthere too they are accelerating theiractivity uh when it comes to foreignmalign influence I said this back inAugust um but it’s very clear they aretrying to influence the presidentialcampaign they are um pushing out falseum personas fake personas pushing out uhpropaganda and using frankly the Gazaconflict as almost kerosene uh to stokedivisions and in some case to to promoteuh protest activity and of course youreferenced the exposure that the uh FBIand the IC um did on the uh campaign byuh Iranian militia cyber actors to uhconduct this hack and leak operation onthe forign former president’s campaignso let me be very very clear we are notunderestimating the lengths to whichIran will go to influence this campaignum let me ask one more question on theelection and then uh pull back and looka little bit more broadly um howprepared is the Department of Justicefor domestic political violence headinginto this election um you are still uhquite consumed in the Department ofJustice with the prosecutions stemmingfrom the last election on January 6thand I wonder sort of how you’re thinkingabout heading into this period after theelection well look any um NationalSecurity and law enforcementprofessional is going to tell you orshould be telling you of our profoundconcern about uh the danger posed andthe risk from um loan or small groupswho are radicalized to violence from ahost of grievances here uh theintelligence community and the justicedepartment and others have been veryclear about our concerns when it comesto domestic violent extremists and inparticular the most lethal uh form hereuh racially motivated violent extremistsand unfortunately I’m a very goodexample of just this type of activitywhen last week uh when we broughtcharges against two leaders of theterror gr Collective I say Terror grCollective this is a transnationalcriminal group that has been using thetelegram platform to uh promote andAdvance a heinous white supremacistideology to provide Direction andguidance on conducting terrorist attackson critical infrastructure to advance uhguidance on uh hate crimes andassassination attempts of governmentofficials so that’s the threat that umwe are dealing with that we areexceptionally uh focused on here againno place for political violence um notin the guise of uh the terror Collectivenot uh in the form of attacks on theformer president which after all is anattack on our democracy uh absolutely notolerance and we’ve been showing timeand again that we will um exposeinvestigate and hold to account thoseperpetrators I want to step back now andlook a little bit more broadly at thelegacy of the Biden Administration umand of course uh you have not made anyuh comments about when or uh you mightstep down from this position but thereis a presidential transition takingplace uh one way or another come Januaryat this point um and I wonder if youcould talk about how you see and whatyou want the legacy of the Biden yearsto be in cyber security when people lookback at this presidency what are youproud of and what do you feel has beenaccomplished in cyber look I thinkthere’s a lot to be proud of um I’vetalked about the pivot that the justicedepartment has made to focus onprevention disruption um and puttingvictims at the center of our strategyand you’ve seen us do that time againfrom um the uh uh getting back andtaking back of the colonial pipelineRansom uh wear payments to um the uhefforts we have made to go after theentire uh ransomware ecosystem to theefforts we’re making on um statesponsored malicious cyber activity whenit comes to the broader uhadministration’s approach on um cybersecurity I think lots of people uh to uhwho can be pointed to for great work onthat front in the White House and thenational um cyber director uh office tothe IC but I think a few things that youcan point to here one is thisAdministration has put cyber security atthe center of and has seen it consistentwith and commensurate with NationalSecurity and economic security it isplaced as a measure of cyber securityhow quickly can we uh respond to anattack on critical infrastructure it isno longer simply about and I don’t meanto to minimize the importance of thisbut it’s not only about patching andmaking sure uh that uh standards arebeing applied but how resilient are wewhen it comes to attacks on criticalinfrastructure uh and there has beentremendous good work on um getting thosesectors to really step up from theTransportation sector to energy to thewater sector and a real focus on puttingin place these minimum cyber securitystandards so that we can uh be moreresilient uh and the work that has beendone uh to push back on nation statesand cyber and ransomware actors uh inparticular I think is um work that weshould all be very proud of and again uhwithout presuming that there is aleadership transition at the justicedepartment in pending um you really wantto get me on that beach which I am veryhappy to go to um as you think aboutthis presidential transition you havesort of previously talked about sort ofthe way that counterterrorism was reallya big part for the first time of thetransition from the Clinton years to thebush years that uh it wascounterterrorism in cyber from uh fromBush to Obama and uh cybercounterterrorism and bio from Obama toTrump um as you think about the threatlandscape you are handing off to a newpresidential Administration in Januarywhat is going to be the message that youare sending to the next Administrationyou’re really determined to make merelive the uh Greatest Hits here look itis it’s true I have been president andinvolved in um almost all of these Ithink all of these uh transitions I wasum the chief of staff to director Mullerduring the uh Bush to Obama transitionum and then in in the white house as yousaid in the Obama to Trump and then inthe Trump to Biden uh transition Iactually served uh after um the horribleattack on January 6 President electBiden asked me to serve as the HomelandSecurity adviser to the inaugurationbecause of the threat environment thatwe were in um as I think about this nexttransition uh obviously we are focusedon the terrorism threat International umterrorism uh of course and demesticterrorism the Cyber threat uh emerginginfectious diseases all of which whoeverthe next team is will need to be uhprepared to deal with but when I thinkabout the next iteration here I do thinkabout the hostile nation states that weare having to deal with now in theirefforts to project power at home andabroad across a host of vectors whetherit’s cyber whether it’s um uh proxiesperpetrating terrorist acts whether it’sefforts to siphon off our mostsophisticated uh technology to advancetheir aims uh their interests that arenot uh in um in alignment with our ownall of which being fueled by technologyology like AI that I think is uh thevery dominant threat landscape and veryum Dynamic threat landscape uh that weall will need to be prepared for in thefuture Deputy attorney general LisaMonaco thank you so much for joining ustoday thank you verymuch thank you sh thankyou I’m pleased to welcome VivianSchiller vice president and executivedirector of Aspen digital she will bejoined on the panel by Rishi aagarglobal technology reporter at foreignpolicy Jonathan luff chief of staff atrecorded future and Becky weight head ofGlobal Response at open AI pleasewelcome the[Applause][Music][Applause]panel hello everybody um well uh we’renow going to talk about the elections uhyou just heard the deputy attorneygeneral speak a little bit about umthreats to the election um and uhthreats that have been going on um for along time particularly from our uh fromadversarial nation states um and this isa you know a form of hacking right it isperception hacking it’s been going onfor Millennia but really I think it’sprobably really only penetrated publicConsciousness going back to 2016 when umwe found you know we we learned what welearned about uh what Russia was doingum and their attempts to so chaos andinfluence uh the elections that was2016 here we are it’s 2024 and twophenomenon have um in the last year uhthe last two years have combined tocreate something of a worrying StateI’ll just put it I I will understate itthat way one is that 2024 has been anunprecedented year for nationalelections a record year for elections47% of the people of the globe wereeligible to vote in national electionsin the last year many of those electionshave happened obviously some significantones are still to come at the same timeum since uh the beginning uh since late2022 um we have been part of sort of aof a just Mania for lack of a betterword about uh generative aand there has been a lot of hand ringinga lot of concerns about what happenswhen you take an already shakyinformationecosystem uh half of the globe going toelections and add generative AI on topof it so uh what we’re going to talkabout today is um how that’s going andwhere it’s going and we have some umreally great uh panelists to talk aboutthat immediately to my right is Beckyweight who is the head of global uhGlobal Response at open AI uh who openAI which of course set off that uhgenerative AI Mania on uh November 30th2022 a day that she’ll live an infamy umBecky leads the global election andrapid response team we then haveJonathan Lu who is chief of staff andchief of global Affairs at recordedfuture soon to be a MasterCard companyindeed uh where he is responsible uh fornation states uh working with nationstate Partners worldwideand um finally Rish uh Rishi aenar whois a reporter at foreign policy coveringthe intersection of geopolitics andtechnology in your programs you may seethere was supposed to be a fourthpanelist um uh Fila vanam butunfortunately um she was not able tomake it okay so I want to start by justtalking about again we were all sort ofvery wary about this year so I want tostart by just talking a little bit aboutwhat’s H what we what have we seen oryou know and to or to what extent isthis the dog that didn’t bark as I’veheard some people say so Becky you’vebeen looking at through your systemsacross around the world so just give uswhat are you seeing about globalelectionsoverall yeah so uh I was commenting inThe Green Room I’ve started a year agoyes uh tomorrow it’ll be a full year umand uh the first several months that Iwas in the role spent a lot of timetalking with folks in civil societsociety and government policy makersaround the globe to understand whatthey’re seeing what their concerns wereheading into 2024 and there were twothemes that really emerged from thoseconversations the first was deep fakesand the second was misuse or abuse ofour Tools in technology and of AI um andthat has come to pass those are theconcerns that we’ve actually seen but II think um how that has manifested is alittle bit different than what wethought back in Januaryum so on the Deep fake front we haveseen some examples famously um you knowin the US we had the uh rooc call um inNew Hampshire during the primaries ofPresident Biden we’ve seen images um insome other markets and I believe mypanelists will talk about some of thoseas well um but I think there have beensort of three things around deep fakesthat I’ve been heartened to see um oneis you know the media and theinformation ecosystem has pretty quicklyidentified them as deep fakes um that’snot to say that they are not impactfulum and that they don’t have uh sort of auh impact on the way that information istrusted but they have been identifiedpretty quickly um second we’ve seen somepositive guard rails be put in placearound the technology and what can beused to create deep fakes uh just as oneexample at opening eye we we have aguard rail in place that doesn’t allowour image generation model to createimages of real people so if you ask themodel you know um get give me a a photolike realistic um image of a candidateit won’t comply and we’re seeing sort ofguard rails pop up in many of the majormodels that I think are really positiveumuh go forward actions that we can takethen finally there has been also thisindustrywide um and Beyond industry uhcollaborative uh effort aroundProvidence and that’s sort of theresearch area that’s looking at how toidentify the origin of a piece ofcontent um an image uh audio or video umand can talk about that uh uh in uhfurther um but I think that broadindustrywide collaboration and efforthas been really positive in our abilityto quickly identify stuff when itactually is uh generated or um otherwisealtered the second category and I’lltouch on this very briefly is the misusecategory um and this we’ve really beenfocused on as a lot of the other panelshave talked about the impact of foreigninfluence operations and the use ofthese tools by these uh covertoperations and at a very high level whatwe’ve seen to date is yes these entitiesare using these tools they are startingto explore but um but the sort of keyword there is they’re starting um theactual ways that they’re using thistechnology is still pretty rudimentarythey’re still learning what they can dowith generative AI That’s not to saythat it hasn’t gotten a bit moresophisticated and that it won’t continueto get more sophisticated I think we canexpect that but to date it has stillbeen pretty rudimentary and we haven’tseen uh these operations have the impactthat I think they’re seeking to have soum you know in short I think we have tostay vigilant here there’s still uh twomonths until November and then electionsdon’t stop after November no they don’tyeah but um well when we’re going tocome back to the US elections in aminute but just one quick followup soyou said you’ve seen in the in yoursecond category some concern aboutmisuse of open AI tools even if they’rerudimentary when you say misuse likewhat what do you mean exactly like howare they using it so what we’ve seen todate and we we’ve published a um areport on we’ve seen largely knownforeign um actors actors likedoppelganger spaml these sort of likepretty well understood um operationcampaigns leveraging our tools mostlyfor perhaps surprisingly perhaps not uhcontent so asking uh the model to comeup with a bunch of comments for socialmedia for example or for productivity umjust like you or I might use it to helpus R email great um so it it it reallyis uh still a productivity tool andthat’s what they’re using it for soeffectively what you’re talking about isthey’re using your tools to do sort ofmore of the same but at a greater speedand scale yes all right let’s get alittle bit more specific we I’m going tocome to you and then I’ll come back toyou Jonathan you know we saw you’ve beenparticularly following the Indi uhelections in India um a few months backwhat did you see let’s we’re going to gointo two case studies here um what didyou see specifically in India uh asrelates to the use of AI so um I’ll justbefore before that I’ll kind of taketake a step back and Rewind to sort of2016 2017 I started as a tech reporterin in New Delhi in what was uh theso-called sort of WhatsApp lynching erawhere people were getting killed becauseof viral misinformation on on WhatsAppum and in response to that WhatsApp putin if if any of you use WhatsAppregularly when a message is forwardedtoo many times it gets labeled you can’tforward a message to more than fivegroups those were all sort ofinnovations that came as a result ofmisinformation in in India so I I saythat to to kind of set the foundationthat India kind of serves as a a lab forlab uh proxy um bellweather microcosmpick your pick your phras is for so muchof the world and and so much of the theglobal South in in particular um it’sthe most populous country the largestdemocracy um and and all that isespecially true and kind of in overdrivearound uh elections um so I thinkeveryone was this year there was a lotof concern similar to what what Beckymention uh especially around India onhow um AI could be used for to exploitsort of religious tensions that exist orother societal kind of fault lines umwhat what we saw what I what we saw andthere’s obviously a lot of reporting outthere on this is a little bit differentwhere AI was used but it wasn’t used togenerate misinformation per se it wasused more for propaganda but in a in away that was very obvious it wasn’t thatum people were trying to hide the factthat this was created by AI like deepfakes for example were used to to bringuh dead candidates back to life andeveryone knows that they’re dead toendorse their sons or daughters who wererunning for the same um uh position orum they they were kind of used so thePrime Minister Narendra Modi who’s sortof enthusiastically embraced technologyever since uh he first came to power in2014 um he used he spoke about how heused it to sort of translate hisspeeches India has dozens of languagesso he he’s primarily comfortable inHindi but when he was speaking in theSouth which has different languages usedit to sort of translate them in in realtime to all these all these differentlanguages he even shared uh before theelection he had expressed him and otherpoliticians had sort of expressedconcerns about deep fakes um uh sayingwe should be aware of this but then atthe same time he shared a it was like aviral meme of of himself kind ofgenerated by AI based on a a a concertby the rapper little yachty uh who waswho was like so Modi is in that positionand it’s been done to several Indian andand other politicians you may have seenit if you’re on X Twitter whatever we’recalling it these days um but but heshared that saying oh it’s nice to seepeople use AI to get so creative so I Iwouldn’t quite go so far as to say umit’s it was a a positive um kind of setof uses that we saw uh but but and toBecky’s point that that we’re kind ofout of the woods it it was all finelet’s let’s all go home now we’re donebut but uh it def there was definitelywasn’t the kind of misinformationdoomsday scenario that you can veryeasily see happening in a place likeIndia at least not yet right yeah wellright with the operative word being thevery last one you uttered which is yetbut I want to just double click onsomething you said which is I mean yessome of these are parody are just peoplehaving fun um with the candidates inpopular culture and memes and and that’syou know that’s fine but actually one ofthe things you mentioned is a verypositive use case or should be which isum the power of generative AI totranslate in almost real time intomultiple languages I mean that is if ifnot misused that’s a big carry outthat’s very powerful yeah um uhabsolutely and and and this is kind of aa topic that’s that’s close to my heartbecause my my parents come from twodifferent parts of India I grew up in athird so they all all of us speak likefour different languages and home um andso I’ve been interested for a long timepre AI in the way in which AI is uh usedin the kind of language context the theone thing I would look out for and thiswas something that we saw in the socialmedia era as well uh where the thecompanies need kind of having thetechnology do it in a way that’seffective and captures kind of localcontext and language cues and and oftenit’s it’s fine it’s great works great inlike French or German or or Spanish butlike when you go to some of these umagain Global majority languages thereare often W with with Facebook forexample we saw a lot of blind spots andand So that obviously goes into and I’msure Becky can speak more of this kindof the the way in which it’s trained andand the languages but that’s just onecaveat that I would I would put outthere yeah so Jonathan let’s talk aboutthe UK elections where you saw sort ofan interesting phenomenon happen I’lllet you speak to it yeah I I I’m I’m nothere to be the bearer of badnews turns out it is possible to have anentirely free and fair election in theera of AI Miss and disinformation butit’s probably worth reflecting on whywhy that is and and and then and thenlooking at where we are now a lot feelsdifferent today uh to how it felt at thestart of the year and if I can you knowtake you and the audience back to thestart of the year we’ll all haveattended events and invol been involvedin conversations which were um you knowpretty intense about the potential forMiss and disinformation disruption ofElectionsum to be honest it felt a littleoverblown but nonetheless the anxietieswere real and they were discussed uhintensely and at length and whetherthose concerns were overblown or not Ithink that had a a really interestingand positive effect it it focused Mindsand in the UK at least and I can speak abit about that I was an adviser to thesecurity minister at the start of theyear and he was responsible for thesecurity and integrity of the of theelection and you know saw firsthand theextent of the effort that was made toplan and prepare and train and raiseawareness and you know we had on thestage earlier uh fisy Oswald from ncscand other colleagues from the five eyesand I think we should pay tribute to thework that Felicity heard team and theirInternational colleagues did to getahead of some of these issues and toprepare for them against an eventualitythat we were all concerned about now andI think it was the dog that didn’t bitein the UK election you know the the itwas a uh it really did not you know wedid not see a great deal of uh of Missand disinformation or the use of AI inany way that shaped or affected theelection um I think Becky hada great comment when we were talkingbefore about this about an influenceoperation not necessarily being aninfluential operation uh so there mayhave been things taking place but theythey had no impact but the interestingthing for me at least is then no longerthan a week or two weeks later we had aseries of of riots in the UK um and muchof theuh much of that was driven by uh falseinformation being spread uh on socialmedia I should say that you know I askedthe team I asked the recorded futureteam to to look at that specific um setof events to see whether there wasforeign influence you know deliberateattempts to incite violence and andexacerbate tensionsand there we’ve seen no evidence of thatso it’s was just a home homr Mrdisinformation it was spreading virallyyou know interesting to hear rishy andand Becky talk about you know viralmisinformation been around for a longtime turns out still a thing yeah um butuh right yeah all right well here so wewe’re obviously within what are wewithin 50 days of the uh of the USelection um what are what what are sortof the risk lessons for the US here Imean do we just say you know no concernswhatsoever I mean we’ve heard a a paradeof speakerstoday talk about nation state threatsand foreign adversaries trying toinfluence our election and even if theyare not using you know some spectaculardeep fakes which are probably not aneffective way of using it again you madethe point that AI is an amplifier to beable to facilitate the spread andtargeting of that Miss anddisinformation so um so you’re you’relooking at at foreign operations whatare you seeing inside the United Statesyou talked earlier about the rest of theworld yeah um so I mentioned earlierthat we’ve seen sort of thesewellestablished entities camouflage dodoppelganger um and I mentioned thatwhat we’ve mostly seen them do isproductivity and creating content topost on social media but I I do want todouble click on what Jonathan said thatyou knowthe these groups have been around for avery long time they are uh continuing tooperate but the content that they’recreating does not necessarily getdistributed just like at um just likeany of us on social media anyone somebombs a lot of bombs yeah know if anyonehas tried on behalf of an organizationto have something get a ton ofdistribution and go viral it turns outit’s very hard um and it also turns outthat these entities have the same kindof problem to to really get theircontent out into the world anddistributed is hard and they might beusing AI to sort of create more contentat faster clip but that doesn’t meanthat it’s necessarily getting engagementand what we’ve seen both through ourinvestigations and through uh ourPartnerships with the platforms um whereyou know there’s information sharing andI think a really robust productivediscussion to try and find these uhthese operations quickly and shut themdown is that for the most part thatengagement isn’t happening we’ve seen alot of comments get no engagement veryfew views no no likes no follow onaction and so I think uh one of thethings that we need to be careful aboutwhen thinking about and that’s not tosay that we don’t continue to find theseguys that we don’t continue to putresources and and um efforts againsttaking them off platforms but I do thinkwe need to always couch it and what’sthe actual impact of this operation andso far not so much Jonathan you go aheadcan I just follow up on that because youknow Becky mentioned doppelgangerum we produce you know we produceIntelligence on these the entitiesbehind those campaigns and our uhdoppelganger and another one copy copvery clearly cop copy cop RussianAffiliated actors as Becky saysexploiting technology just like we alldo to help them with their work um andpushingout credible but inauthentic materialwith a specific aim in mind and thoseaims we should talk about they’re theaims of their Affiliates you know thethe nation states that behind thosecampaigns but Becky’s absolutely rightit doesn’t mean that they get right anyengagement we live in a intenselycompetitive environment for informationand just having access to the tools doesnot mean that you’re necessarily goingto have impact withthem one other very brief thing is um wetalk about in the US we we think a lotabout how these operations are impimpacting the US election but what we’veseen far more is that these operationsare actually focused on other Globalareas oh sure yeah so um youknow the vast majority of what we’veseen has been focused not in theUS if if I can just add uh one thing cuzwhat what Becky said reminded me of ofuh something around the Indian electionI was talking to to some researchers whofocus on on what’s Happening whats thatmisinformation and something one of themsaid um stuck with me which was that uheven if you use AI to make the most kindof sophisticated thing you and and like20 people see it but you you hastilyPhotoshop something or even just take apicture from some other conflict and andput a caption on it saying this ishappening in India and and that blows upthat it’s it’s more to to your pointabout the the distri bution mechanismsbut the the other thing I’d say is thatin India and this is I think true of alot of other countries Indonesia comesto mind as an example Brazil where a lotof people literally like tens ofmillions of people hundreds of millionsof people have come online in India’scase the the um mobile like dataexplosion has been immense but it hasn’tcome with the requisite sort of umdigital literacy so people will theyhave this suddenly have this cell phonelike India Leap Frog the desktop era inmany ways and everyone has a cell phonein their hands and and there there arethere’s a significant chunk of thepopulation that will believe like oh Isaw it on my WhatsApp and that’s why itmust be true and that’s that’s somethingthat’s a a d a kind of dangerous um sortof dynamic as well right can I yeah justjump jump in there because I I think theum the the phenomenon that rishy isdescribing there you see in uh in thesecampaigns a and they are campaigns umand we should be concerned about themand we should continue to monitor themyou see a a an erosion over time ofconfidence in certain forms of media andcertain institutions and that’s verydefinitely um part of the uh incentiveby behind them this is a a long andstrategic effort say more what what doyou what do youan say more about thatwell if you take the example of deepfake Becky mentioned deep fake de deepfake has been around for a very longtime but they’ve only really entered themainstream in a in a sort of as qualitylike believable things more morerecently but they’re being used in quitesubtle and sophisticated ways so in theUK you’ve seen uh the use of uh graffitifalse graffiti which is then um sentinto news papers as being um actualgraffiti so it’s not just it’s not afake of a person it’s it’s sort ofrather interesting and sophisticated andthen that gets spread via uh viamainstream media and the sort of andthen is debunked and then you get a sortof General kind of loss of trust in thein the system in general and I thinkthat that’s a very but isn’t that partof the point it’s something I wanted totalk to you about which is there hasbeen so much and I blame as a recoveringjournalist you know I I blame my dear uhmy dear colleagues in the in the newsindustry in a way for doing so muchreporting um about the potential risksaround AI a lot of it about oh the bigspectacular deep fakes which you knownever really felt like the tremendous Rrisk it was the quieter more targetedyou know synthetic media that I thinkmany experts were worried about beforewe even went into this year but is therenot a risk that with so much coverage isbasically saying don’t believe what yousee that people will it will continue toerode what is already record levels ofTrust basically in anything how big ofconcern isthat so I I think there’s sort of acouple of things first we can’t put itall onjournalists thankyou um and uh I I do think mentionedProvidence at the top which is uh thissort of area of research currently andTechnology to have tools to allow us toidentify the origin of Any Given pieceof content and um there’s a fewdifferent modalities or ways that peopleare working to improve upon ourProvidence um sort of Suite or set umone area that I’m particularly excitedabout is something calledc2p which is sort of the standard umAuthenticationuh like a metadata you can think of itlike a passport it travels around with apiece of content on the internet and youcan see where it came from and one ofthe reasons I’m so excited about c2p isbecause it’s not just led by the techcompanies it’s not strictly an industryuh tool we’re also working with umcamera makers and the BBC and other umjournalists and um we recently have sortof this resilience fund that is workingto bring more newsrooms on board withc2p reason I think this is important isbecause ultimately the kind of contentthat you’re seeing in the news you doneed to be able to trust authenticatesure we need to be able to authenticatebut we can only do that if thattechnology is sort of widely adopted andthat standard is continuously improvedand um and used by not just the uh techcompanies but also a broader set offolks who areonlineum I’ll pause there I can’t rememberwhat I was going to say there but yeahcan I say something about attributionsure because we we heard on the um fiveeyes panel earlier I think um ourcolleague from New Zealand talk aboutattribution and the success they’d hadin identifying the actorsbehind um I think in that case a cyberincident but could equally apply to a amiss or disinformation campaign but Inoticed that even then she wasn’twilling to say who it was uh even havingmentioned that it was attributiveand now we don’t have that issue rightthis is where sort of the open sourceCommunity technology companies those ofus who are working collaborativecollaboratively on this like we can callit out right like we’ll say copy copycop doble G that’s Russia yeah you knowEmpire Dragon that’s China you know wewe can call these things out because wesee it we have the evidence for it wecan attribute malicious actions to thoseactors and I think that is part of thiswe need to be a little moreum direct uh in calling out uh actionmalicious action where we see it becausewe have to give people confidence thatwe’ve got this like we’re good at thiswe’re really good at this we are good atidentifying malicious action onlinethese guys are the best in the world atwhat they do we’re the best in the worldat what we do and we work together andwe will we will spot Bad actors wherethey where they’re taking that actionand we’ll call it out yeah I havenoticed I mean we even we even seeingeven just today more sort of openness tobe able to share with the public weheard it from um the director Ray weheard it from the deputy attorneygeneral more sort of sharing what theyknow when they know it maybe not in thefull way that you can but it certainlyseems like quite a quite a step changethat’s part sorry richy that that’s sortof part of my point sometimes it isn’tpossible for um the FBI or for whoeverit is to share they have sources theyhave to protect they have legalconstraintum if you if you have identifiedsomething from open publicly availableunclassified material you don’t havethose constraints yeah um yeah as the asthe non- recovering journalist on thepanel feel compell to speak up but butit um I I think I think what you saidthe the slight sort of CounterPoint tothat and I’ll use a specific example ofanother election I I wrote about whichwas the Taiwan election and I wastalking to a lot oflike folks there government civilsociety and and the Civil Society sortof factchecking organizations there thethe message from them was even in Taiwanthere was a lot of like AI generatednews anchors uh going uh viral on TikTok about about one of the candidatesand and they were saying that the thewhat saved them quote unquote or whatprevented it from being uh being reallydamaging was the level of societalawareness um that that they were able toso Taiwan one is used to facing anonslaught of Chinese cyber and andmisinformation campaigns they’ve they’vedone it for years um but as as a societythey are they are kind of inherentlyskeptical and and so I think there thereare reasons that that maybe doesn’tapply everywhere they’re are relativelythey’re quite small relatively Harmoneven on the political Spectrum there’sdisagreements but not the divisivenessyou see in in many other places hereincluded but at the same time there issomething to be said for sort of raisingawareness of the things that couldhappen so that so that you’re the aspeople are aware and people areinherently sort of skeptical right ofwhat they that is that is the balancethough right I mean in the United Statesfor instance you certainly want to raiseawareness for people so that in theevent that they get a message a robocall or text message saying um the placeyou’re supposed you know you’re you’repolling place which because thetargeting is so sophisticated yourpolling place is closed for a water mainbreak or worse or it’s closed becausethere’s riots do not go vote you knowwe’re going to keep voting open andagain on Wednesday you can go then Imean you want to raise awareness forpeople to be suspicious of that and knowwhere to check but you know push too farI mean this is a delicate balance thenwe get into to uh you know the uh thethe phenomenon of people just you knownot not believing anything they say anduh anything they hear so um the Liar’sdividend of course is a is a famous uhphenomenon um which uh in which the thatmistrust benefits the liar who can saydon’t believe just listen to me you knowall these other sources of informationare not true just listen to me personalview people can cope like give them givegive them the information like yes we’redefinitely in a different InformationAge yeah we need to adapt yeah we adaptwith access to information so like I’mmaybe a little more bullish on this thanthan some you know and and again I goback to the experience in the UK thisyear you know really really seriousefforts to prepare both withingovernment and then using publiccommunication so that people kind ofknew what to expect yeah and and youknow look it’s a very differentsituation here the election will befascinating every The Whole World’swatching by the way um super interestingum but you know that I I’m much more onthe side of talk about it this is suchan optimistic panel my God it’s great II do think you need to pair that with uhfor certain populations that are maybemore vulnerable to umto maybe believing misinformation orsomething that doesn’t quite smell rightpairing that with digitalliteracy um we we this year we uh inpartnership with u Microsoft I know theywere here earlier todayum are doing sort of small literacy uhfund to try and understand what actuallyworks what moves the needle we’reworking with various groups includingARP um for older Americans um some uhnon-english speaking groups to Pilotprograms doesn’t understand what isactually going to help move the needlein terms of understanding education andthat healthyskepticism that we want to build forresilience long-term resilience purpmaybe British natural skepticism helpsmaybe no no absolutely in focusing on onthe demand sign but look there is thereis ample evidence that people listen andabsorb and believe falsehoods that theyin the United States there are plenty ofpeople that tune in to certain networksor go to certain websites or listen tocertain podcasts that we know um areattracting people and maybe are notalways telling the truth we’ve got acouple of minutes I have more questionsbut I’d love to open it up um just cometo the mics uh in thefront all right come on somebody’s gotto like dampen the buzz of this veryoptimistic group of people there we gohello uh Joey Hammer’s uh media cause wedo a marketing for nonprofits um sowe’ve seen uh examples fromunfortunately former presidents and likeNBA Executives where they’ve caughtaudio maybe saying something theyshouldn’t have right now we’re worriedabout people believing what is fake dowe also have to worry about people likesaying what’s true is actuallyfake and how do we um like combat thatmaybe that was already answered I’msorry for BL who wants to take that oneI I can take a first uh for very brieflyto come back to Providence I I think soProvidence there’s a whole bunch of waysthat uh you canum sort of tag content and identify thethe source of it I think as generativeAI companies are starting to develop andput out particularly synthetic voicemodels we have not publicly releasedours at this stage um because we’retrying to understand how to reallySafeguard it but um Providence toolslike water marking that allow you toidentify if something has been generatedvery quickly um and with relatively Highdegrees of accuracy I think are going tobe increasingly important and probablythe best um these tools are not silverbullets right now to be clear but Ithink that furthering that research isuh one really important pillar inaddressing that kind of risk so yeahjust quickly and then we’ll go on to thenext question so this actually happenedin India as well there was a case of apolitician claiming that audio thatcaught up saying something he shouldn’twas there were two clips and he claimedthey were both deep fix and and it was aa a journalistic organization actuallythat kind of could checked them and thenfound that one was one was real and andone was a was a deep fix so it it’s kindof it there there’s no perfect answerbut like but there are sort of it’s athere are ways and of course thequestion is and how many I mean how manypeople need to be examining how manypieces of content I mean you rememberthe global scrutiny on the on the um theprincess uh uhuh Catherine thank you the video of herand herchildren yeah yeah forgive me I’m I’msorry I’m not up with my Royal titlesbut you remember the you remember thephoto with her and her children and itwas just like slothes around the worldtrying to figure out whether the threadmatch the other one anyway we will moveon there was um I yeah but you you werehere first so I’m doing this in order ofwho came up first hi I’m a student atGeorgetown University and um a lot ofthe conversation around disinformationseems to be reactionary in terms of howwe respond to disinformation campaignsand disinformation attacks and I waswondering what if any efforts currentlyexist to be more Innovative in the waywe uh act proactively when dealing withthisinformationattacks I think so it’s a great questionand I I think it’s the right it’s theright thing to ask you we we for me thesort of Miss and disinformation is sortof the new Cyber like it’s it’s thething we all sort of talk about worryabout but the um the opportunity isthere to use these tools um and I’m notgoing to be that person who says youknow AI fighting AI let’s not let’s notgo down that part but but if you you cando some really creative things tocompare and contrast the things thatyou’re hearing and ask the system to dothat evaluation for you you were talkingjust then uh about scale and thechallenge of how many you know how manypeople can you have assess it well itturns out like computers really good atthat yeah you know and that’s exactlyhow we go about doing some of the thingsthat we do we are comparing things atvast scale in seconds to reach adetermination on Providence to reach adetermination on intent and and we cantherefore I think we can be confidentthat we will innovate our way to some ofthese some of the solutions so it is AIto solve AI to a certain extent to acertain exent we we do use our own toolsto do investigations on this stuff andit has sped up our processes and nor Ishould I should you know declareinterest we we use open AI Tools in ourplantform okay good all right I’m goingto ask uh the remaining questioners toall answer ask their questions and thenwe’ll do in one round so Kate you werenext yep you were I’ve been tracking youwere there next and then I’ll go overhere okay Katherine GTO retired publicservant from Kenya so we spent a lot oftime on misinformation anddisinformation but what aboutconventional election technology and themanipulation uh things like votersregisters uh for example in Kenya youcan almost tell somebody’s region fromthe surname and there have been timesfar in the past where certain parts ofthe Electoral register have beendeliberately lost to to um excludepeople from voting by region and nowwith the electronic registers maybe andAI thatbecomes easier um there have also beenallegations of manipulation uh duringtransmission of electionresults um especially from remote areasso um maybe if you could talk a littlebit about how Ai and emergingTechnologiesuh could become a threat in those areasbut also how they could be used tomitigate the threat by the positive useof that techn that’s a great questionhold on a second I’m so sorry we’rewe’re we’re out of time even for theanswer so I can’t take your questionsbut just if I know that’s a big that’s abig question but if just veryshort answer from anyone yes um I it’s agreat question uh and demands a muchmore in-depth answer than I’m going tobe able to provide but I think um we onsort of the very traditional cybersecurity front um evaluations to date myunderstanding is sort of like where thefrontier models are we haven’t seencapabilities that to date um are sort ofabove and beyond allow for these cybersecur you know the sort of breaking intohacking into any kind of traditionalelection security um stuff so it it’ssomething that we need to have reallygood evaluations around to understandhow uh robust both the mitigations areand how advanced the technology is forthis as it continues to develop and i’just say that you know there arefullback system you know you need tohave right as much it’s process as it istechnology paper balance okay thank youthank you so much to our panelists anduh appreciate your attention thankyou and now for our closing discussionplease welcome Nick Thompson CEO of theAtlantic who will be joined with thepanelists Rohit Chopra director of theConsumer Financial Protection BureauLena Khan chair of the Federal TradeCommission and Jessica Rosen worellchair of the Federal CommunicationsCommission please welcome the[Applause][Music][Applause]panel all right greetings good afternoonhello everybody this is an incrediblehonor to be on stage with these threeRegulators I feel a little bit like I’mon stage remember that Barcelona teamthat had Messi Suarez and Neymar upfront little bit like that they’re allincredible Regulators they’re allextremely controversial they all havelots of allies they also have enemiesthe thing that I like is that they allhave some allies on the right RosenRussell huge support from the RepublicanSenate when she was announced Lena KhanJD Vance’s favorite regular in all ofWashington rooh Chopra career saved byClarence Thomasso allright s well there was a Supreme Courtruling where they tried to take away allthis funding Supreme Court opinionsaying no don’t take away his fundingwas am I wrong he did vote for it yeahhe did write the opinion did he not okayall right let’s get cracking so thefirst question I want to ask you what Iwant to do in this conversation is Iwant us all to leave with a little bitof a sense what we’ve gotten done whatyou’ve gotten done in the last fouryears what some of the most importantFrameworks to understand are and then alittle bit about what you think needs tohappen to set us up for this age of AIand what you think you hope will happenin the next few years but I want tostart with a question that was thequestion and any of you can answer thisyou all work on sort of some similarissues individual privacy competitionmaking sure everybody has access ofgetting online the first question in theHarris Trump debate was one that’srelevant which is are we better off thanwe were four years ago do you think onthe issues of your concern particularlythe size the tech Giants access privacydo you think we are better off than wewere four yearsago Rohit you have a small smile bringit well I think if I compare my the lastdecade and I actually want to go back 40years it’s pretty clear that a lot ofthe agencies instead of actuallyregulating they more were in the mind ofworshiping they got really interested inseeing how bigger could always be betterand across so many sectors of theeconomy we’re finding where bigger isactually exposing some realvulnerabilities um you know it wasn’tthat long ago where we saw just theinconvenience of the crowd strikemeltdown but actually could have beendisastrous potentially leading toproblems with our electric grid ourbanking system and so much more so whathas been good is we now have focusedattention from people who really arethinking about using all the tools thatwe have and not waiting for there to benew laws we want there to be new lawssometimes but we have some text in thepages of our statutes that we’re puttingto use I’ll give you one exampleI I’m really mostly a consumerprotection and fair dealing regulatorbut the cfpb was put very forward in anexecutive order on National Securityprotecting people’s personal data frombeing sent to countries of concern andwe know take the big credit reportingconglomerate Equifax it wasn’t just thecfpb and the FTC we found out later thatit was China’s people’s Liberation Armybehind a lot of it so we’re going to beusing some laws from 1970 to cover thesedata brokers who have been hoovering upinformation about all of us and it’sbeing sold all over the world sometimesfor some really harmful things so Ithink Nick we have woken up to the needthat Tech needs to be something thatcombines with our personal values notjust we’re going to hope for the bestwhen we move fast and break thingsthough it is also true is it not thatthe idea that bigger is better the largetech companies are a lot bigger thanthey were four yearsago so Lena do you think we’re betteroff than we were four years ago Nickhave you missed we’ve sued Facebookwe’ve sued Amazon we’ve sued go Ibelieve you’ve sued them all so I thinkif there’s a sense that can we snap ourfingers and things happen we live in ademocracy we live in a place wherethere’s checks and balances we live withcourts and I think what you’ve seenacross the board is we’re willing to usethose tools and go through the processand I think we’ve seen some big resultsfrom that already the weirdest thing ofthe week is there’s the cover ofHarper’s magazine and has a picture Ibelieve it should be of a regulator itmight be Lena here with a sword and it’sgoing through the logos of four of thebig tech companies and the Atlantic andno one knows why they might have made anerror and they thought it was open AI oradobe but regardless something we willfigure out down the line I kid you not Iwish I had a graphic um all right let’sgo to some specific questions um Jessicawhy don’t I start with you oh well firstI want to want the big one yeah do Iwant to say I’m an optimist okay I wantto say that four yearsago we were in thepandemic all of us saw kids sittingoutside of fast food restaurants withlaptops on their knees because theydidn’t have the internet access theyneeded to go to onlineclass we decided as a country that weare going to fix that we have devotedmore resources to ending the digitaldivide than at any point in our historyI think that’s a positive thing and Ithink that’s a development that you’veseen during the last four years and uhwe’re still working on it we’re not donebut I am uh proud of the work my agencyhas done to help that and also the workwe’ve done to be data driven in ourefforts to do so because we now m mapexactly where Broadband is and is not inthis country down to the household sothat when we do have federal dollars tohelp address the digital divide they goto the right places so if the internetever goes out callher you sound like my kid youscary Big Brother Lena what is thechange in the last four years that youfeel is most positive well look we’redirector choer mentioned a reallyimportant one uh relating to you knowactivating all of the tools andauthorities that Congress has given eachof our agencies in making sure that weare being faithful stewards of thoselaws another key dimension of change hasjust been that we’ve learned a lot ofhard lessons over the last 40 yearscandidly over last 20 years and the Web2.0 era unfolded in a way whereenforcers were making certainassumptions that have now been tested byreality and we’ve had to update thoseassumptions to make sure we’re not justgoing off of theory but are actuallyreflecting how the real world actuallyworks so you know in the early 2000sthere was a sense that well digitalmarkets are so fast moving and there’sso much Innovation and we don’t thinkthere’s going to be monopolization orMarket power but even if there is it’llbe disciplined so quickly because entrycan happen soquickly a couple of decades on we knowthose assumptions weren’t just wrong butthey were actually the exact opposite ofwhat we see which is that in digitalmarkets you actually have significantentry barriers we see how thereinforcing effects of Data Networkexternalities can actually allow thesemarkets to tip can actually allowmonopolists to really entrench anddeepen their Moes in ways that becomesmuch more difficult to fix on the backend and is much better handled throughbeing vigilant and active on the frontend and so there’s just been a realrecommitment to to reality candidly andwanting to make sure that we are usingall of our Tools in a way that’sreflecting how markets are working inthe 21st century rather than working offof assumptions and theories that arejust somewhat outdated okay so let’slet’s stick with that there and I wantto ask you another question because oneof the most interesting things I’ve readand heard in the last three months isvery much on this theme and which is youtalking about how antitrust couldactually uh be happening at the back endthrough the agreement among companies touse the same pricing algorithms or thesame meta algorithms so explain thisargument which is a new argument abouthow price discrimination could work so Ithink it’s a very interesting theoryabout the new world we’re going into sothere are a couple of different thingsgoing on so there have been a set oflawsuits bringing to the surface howcompanies may be effectively colludingthrough algorithms and so you have youknow major lawsuits against propertymanagers alleging that all of theselandlords through using the samealgorithm effectively may be engaging inprice fixing and it’s really importantthat we’re all clear that there’s no AIexemption or algorithmic exemption tothe laws on the books and so we’ve seenmajor lawsuits filed noting that price Ffixing is still price fixing regardlessof whether you’re doing it through analgorithm or in a more old school waythe other thing that the FTC is reallyfocused on is trying to figure out whatare the next Frontier of how all of thisdata about each of us could be harnessedyes and you know sometimes we talk aboutprivacy and a bit of an abstract way butincreasingly we’re seeing firms boastingabout the fact that these surveillanceecosystems could be used in ways thatallow companies to Target each of uswith a unique price based on what theyknow about you so imagine you know afamily where a kid has a nut allergybeing charged more for the granola barswithout nuts or a person being chargedmore for an airline ticket because thecompanies know that they’ve just had adeath in the family and need to flyacross the country for a funeral right Imean as we see firms Market some ofthese capacities we want to make surewe’re really understanding what’shappening here and how do we make surethat we don’t just wake up one day inthis new world where all of this isfully baked in and we can decide as ademocracy as a society is is this wherewe want to go or do we want to have somerules that prevent what data can becollected and how it can be used thoseexamples are gross but are they illegalright if I own uh two CVS stores I cancharge different price of toothpastebased on one being in a wealthier zipcode than the otherone yeah look you need to look at youknow what are the dimensions on whichdiscrimination is happening you’re rightthat our current laws prohibitdiscrimination on some categories insome sectors but I think it’s an openquestion and you know our agenciesgenerally have authorities that areframed at least the FTC as prohibitingdeceptive practices prohibiting unfairpractices these generally Congresswanted them to be flexible to addressbusiness practices as they evolve andand what’s been important is that we’relooking at iteconomy-wide but then also deployingsome specific tools by sector so youknow I I’ve spoken with some of you alot about this we’ve had personalizedpricing in Financial Services foreverand we’ve had a social score for a whilecalled FICO and that determines theprice that you pay on so many parts ofyour financial life giving anincentive for sometimes you to bemanipulated or coerced when someone hasput inaccurate information in there ordistorted that and these are toughquestions but what’s interesting is someof them were already answeredin the 50s and 60s there were literallypeople who were making dossier about allof us including rumors about yourreputation and we basically said why isthis stuff being bought and sold aboutus and we pass laws forbidding some ofit those dossier which later becamecredit reports are some of the same typeof reports that large data Orient dataintrusive companies are using as welland personalized surveillance-basedpricing is one of the ones we reallyneed to tackle now to figure out whereto draw even more lines because what theeconomist thought was that this wouldcreate all sorts this was like magic wecould just personalize price everyoneand optimize our graphs but actually itserves also to be a tool for abuse aswell it could be a Jessica yeah I wantto talk about a different dimension ofsurveillance because something that welearned at the Federal CommunicationsCommission is a while back our wirelesscarriers were making a Marketplace outof where we go and what we do with ourphones that’s some awfully sensitivedata where you go and what you do is arecord of who youare and we learned that our largestWireless carriers were taking this dataselling it to an aggregator to a skiptracing firm and then to a bail bondsmanand bounty hunters so that you couldvirtually look up anyone’s informationabout where they go and what they do inthe United States so we took our old lawin this case one from1996 and uh we made sure that thesections that protect consumer privacyand Communications prohibited thisbehavior and we find the companies andstopped it but it is a measure of justhow much the digital age can trace wherewe go what we do what we buy and howmuch we have to be nonstop Vigilant totry to draw lines where we think it’sinappropriate before those becomemarkets that are harder to police theworst is this kind of thing right CUit’s not only tracking me but it knowseverything I’m doing I’m not wearing oneyeah saying what I well in factthose interet Fitness others we wereactually able on a public websiteseveral years ago to see the runningpatterns of active duty service membersin supposedly undisclosed locations inNorth Africa and really we used to thinkof databreaches as oh it’s just like a scammeror a hacker if you look at the very verylargest intrusions into our commercialcompanies not just Equifax Anthem theMarriott the long list most of it is bystate actors and I think we need tostart also worrying that we used to havethis kind of debate um about privacyundermining NationalSecurity it’s sort of flipped now and itactually feels that greater protectionof person personal data is now also away to better secure our homeland and Ithink that’s been a big change inthinking make it hard for us reportersyou know like I rely on looking at TechExecutives on straa to figure out whothey’re meeting with and what deals arecoming um let’s talk a little bit aboutthe age of AI because one of the thingsthat’s coming that is so interesting tome is that because of the development ofAI and the path that the AI companieshave pursued it will be very soon thatyou will have systems that can perfectlyimpersonate us right in fact we alreadydo have that um our voices texteventually our images clones will becoming very quickly um why we start withyou Jessica you had a fun example Umaybe N9 months ago where you had tocrack down on voice calls cloning thevoice of President Biden what are yougoing to do when the same thing happensbut much more efficiently and muchbetter the day before the election uhwell let’s roll back and describe uhearlier this year a bunch of Voters inNew Hampshire woke up to find outPresident Biden was on the phone tellingthem not to vote for the primaryelection needless to say it was not thepresident but a voice cloned version ofthe president and it was a very clearexample of just how cheap and easy it isto take the voice of a public figure anddistribute fake stuff andmass so when this happened I turned tomy colleagues very fast and said okaythis is the early warning shotwe have got to figure out what lawprevents this because I don’t want tolive in a world where we don’t have lawsthat prevent just this kind of voicecloning and fraud intended to manipulateanelection so uh we found in the telephoneconsumer protection act of 1991 there’sa Prohibition on artificial andpre-recorded voices and we very quicklydecided that this applied and we findthe carrier that sent this call $2million the individual behind it $6million and we worked hand inand withthe Republican Attorney General of NewHampshire to make sure that thisindividual is getting prosecuted so wesent a very clear early signal with thatcall but um we’re going to have a lot ofwork to do because it’s so cheap andeasy to do this and as we near theelection I think we all have to be onguard for more of this fake stuff comingour way there’s one thing in there thatyou said that scared me which is thatthe law comes from 1991 and I remember1991 we all had landlinesum and we didn’t have a lot of deep F Ithink I had an AOL account and was proudofit the history of writing tele uhwriting Tech regulations based on saylaws from 1934 and 1991 is imperfect allright or even as we have now the 1994right in section 230 how do you how doyou think through maybe rohad or Lena doyou have a framework for how you thinkabout when you can use an old Tech Lawto solve a modern problem and when youjust need to have a new law well we’reunder a statutory command that lawsdon’t Sunset unless it’s in the law soit’s still prohibited to do these thingsand often it’s in some ways like alittle bit of a Trope to say like wellthey couldn’t possibly have thought ofthis but they’re actually solvingsomething through the Democratic processon a values-basedorientation that I think gives a lot ofclues about really where were the linesbeing drawn look we would love if theyamended and updated things as thingswere going on it would make our liveseasier but we have the tools that wehave and all of us essentially havederivative laws from a very long timeago often the the 30s or the teens thatis a Prohibition on using these types ofwords unfair deceptive un just they havea very values-based orientation and aclear framework for how you condemn themso we go through that process and oftenwe’ve had great success do we want moretools sometimes that help us get thingsthrough the courts quicker of course dowe want there to be more certainty as toreally where we can stop things do wewant to stop harm before they happen ofcourse but I think technology you knowI’m also a fin I’m a financial regulatorlater there was lots of things of thatare happening today in AI that feel asmagical as the launch of wire Servicesmany years ago but the principles thatprotect fed wire are some of the sameones that protect your voice and yourimage so I think what you’re going tohear from us is we’re going to use whatwe got and we’re not going to pretendthat we’re powerless and help helplessbecause we saw when Regulators perceivetheir own powerlessness the results arecatastrophic do you think there shouldbe a federal law Banning the use ofcloned voices in the banking system orof AI voices like in customer servicethat seems super efficient right I likeI call Chase I’m my God take me foreverlike bunch of voice clones people Icould talk to so much better well Ithink we we sort of operate in a verydiscreet way so if if Chase is cloningyour voice we don’t want saying this isNick Thompson they’re cloning your voiceno I’m justkidding they’ve created an AI characterwho is a customer service well they havethat so Bank of americaas is calledErica many of them have names um thatsound like humans they’re always femalethey’re always they’re alwaystraditionally female sounding names ourstudy led by Erie Meyer did a fullreviewof the chatbots and generative AI usedin customer service now look are therecertain things about those technologiesthat are going to open up somepotentially good things yes for examplemaybe it can detect my preferredlanguage really easily maybe that that’sa good thing most of it though based onwhere we see some of the businessrationale how can I lower my operatingexpenses how can I actuallyget people to not have to talk to a moreexpensive human and sometimes it createsincentives for Doom Loops where you’rewith the chat or with the chat bot andthen they hope you give up so I thinkwe’re trying to make sure that one thechat bot they don’t they can’t tell youwrong information and blame the AI theyhave to actually make sure it works twoif there’s existing protections on thebook such as disputing a fraud in chargeit better be able to do that or at leastget you to the right person the cfpb isalso considering a Ru making that wouldat least create some balance including apotential dial zero for a humanrequirement especially for those havingan urgent need or emergency what aboutin the other direction so what if I makea Nick bot to handle all of my clone myvoice with 11 labs and I make a Nick botto go out and sort of you know not do mybanking because probably I want to dealwith my banking but like I said at mydentist appointment is should be therebe regulations restricting that you knowI don’t regulate Dentistry um okay yeahthat’s true but certainly I think theuse the value system I’d use and I thinkchair Khan has talked about this it’s abig difference when you’ve authorizedyour voice to be used and how versusyour voice being mined and cloned anddeployed that seems fair chair con letme ask you a question about um AIregulation which is something I wonderabout a lot so when AI came out all um alot of the big tech companies came toWashington and they said please regulateus and they wrote off EDS and they saidplease regulate us and they heldcommittees they join groups how much ofthat was because of something youmentioned earlier which is locking inyour power right and if you can getregulations that create a real hurdle ofcompliance and you need many manylawyers to comply with the law then asmall company can’t compete to whatdegree is the desire for regulationactually been a desire to lock outcompetitors well look every time I satdown with Founders and startups inSilicon Valley they have this exactconcern and they’re very suspicious whenthey see a parade of big Tech CEOs comeinto DC and have the red carpet rolledout for them that there is going to be arisk of regulatory capture and it’simportant to remember that not all rulesand regulations are created equallyright there can be regulatory regimesthat are extremely bureaucratic that arecreating red tape and that big companiescan navigate much more easily becausethey have all of the expensive lawyerson their team at the FTC you know I havea preference for rules that are cleanand simple that are you know codifyingbright line rules that everybody canunderstand and you don’t have to go hirean army of lawyers to try to navigate soit is important to remember that not allregulations are created equal and thereare ones that can actually help levelthe playing field rather than createsome of thosedistortions you’re also right that thereis a risk right now and historicallywe’ve seen that a lot of these momentsof technological inflection points haveactually helped open up the market tonew competition and new innovation andsometimes breakthrough Innovations butoften times those breakthroughs comecome from The Outsiders and thedisruptors that are not worrying aboutoh will this new technology cannibalizemy existing Revenue stream and it’s thedisruptors and The Outsiders and theentrepreneurs that see things adifferent way spot an opening in themarket you know sometimes monopolistsget lazy right it’s like historicallywe’ve seen that and so making sure thatwe have markets that are open and allowthe best ideas to come in and scale upand compete on a Level Playing Field isgoing to be absolutely critical at theFTC we’ve made clear that we are lookingacross the entire stack from the computeand the cloud to the models to the datato the underlying apps um to make surethat especially if you have layers wherewe do already see some consolidationthat that’s not being used to undermineor coopt competition in a differentlayer and so earlier this year welaunchedinquiry into some of these Partnershipsand Investments that we’re seeingbetween existing incumbents and some ofthese newer firms to try to understandwhat’s really going on here are thereparticular strings attached are thereways that this is going to allow forcertain types of special privileges orspecial access or exclusion in ways thatwill undermine competition um and we’vemade clear that you know these marketsin particular are ones where we need tomake sure that are staying open andcompetition is allowed to actuallyflourish where else are you seeing signsof potential anti-competitive behaviorin the stack inAI well look I think we’re alreadyseeing some of the allegations aroundhow these models could be you know bothscraping information from entitiesacross the web and then maybe spittingout stuff that is competing with them ordiverting I’ve heard of that issuetraffic from them yeah you might befamiliar with it we’ve also heard a lotof concern about consolidation at thecloud level and that’s an area thatcould create not just competitionconcerns but also real fragilityconcerns right and if you’reconcentrating production especially inlayers that can effectively serve asinfrastructure for huge parts of theeconomy for the government we want tomake sure that you don’t have a lot ofvulnerabilities where a single hack or asingle attack is not leading systems tobreak down so we’ve seen concerns um atthat layer as well so let’s go back tosomething you were talking about alittle bit more which is the trade-offswhich is sort of the premise of myprevious question I’ll ask any of thethree of you so I had an AI startup andyou know we were trying to build AI tomake conversations online better to tryto lead people to positive conversationsand understanding instead of toxicityand we launched a little beta and wedidn’t launch it in Europe because wejust we we couldn’t figure out gdprright we’re like no kids no Europeanseverybody else in the world is fine andand that was a function of European lawwhere was a series of trade-offs butthey did make it significantly harderfor small stups without lawyers arethere any rules or regulations whereyou’ve thought this might be a goodthing but we’re worried too much thatit’s going to create just another hurdlefor little startups and so we’re notgoing to do it how do you weigh thosechoices so we we think about thatliterally all the time in terms of Iinherited uh the cfpb was started afterthe financial crisis so all the rulesand orders were transferred strippedfrom the fed and the FTC and given tothe cfpb and it was very obvious thatmany of those rules were because theagencies were twisting themselves into apretzel to accommodate theincumbents so it’s hard because there’sa lot of push back on bright line rulesoften we see it everywhere that wellwhat about what about thesecircumstances and I think sometimes wehave to discipline ourselves that theregulatory process is going to O be overindexed on input from incumbents and wayunder indexed on the voices of thepeople and companies that don’t yetexist or consumers of course and I thinkwhat we for example think a lot aboutopen Technologies you know our openinternet as a foundationdriver of so much next month we arefinalizing rules that will set theparameters for open banking the abilityto switch in a more frictionless waypermission your data not allow companiesto form Moes or make you jump throughhoops to switch in the same vein thatthe FCC made sure that every Wirelesssubscriber can Port their number and wetake it as a given right now but if youlook at the history of the agency whenwe first proposed the idea that youshould be able to take your telephonenumber from service provider to serviceprovider incumbents rushed the agencybecause they wanted to lock all of us inand look at new new players it itchanges but there’s competition for yourphone business and your wireless phonebusiness in particular as a result ofthat portability and the question is howcan we export that to other markets andmake it just the expectation ofconsumers that we have thatfriction-free experience that if wedon’t like a service we can pick up andwalk somewhere else let me ask you aquestion about the age of AI we’re goinginto so uh one of the presidentialcandidates I can’t remember which onesaid they wanted to be dictator for aday and the idea would be to come in andjust sort of do whatever you want butone day so let’s say you got to bedictator for a day and you could changeany rule r or any policy you could setup a new agency that will have completecontrol of AI you can give all controlof AI to theFCC what is thething what is the thing that you woulddo what is the problem that you wouldsolve if you had suddenly you have thepresidential pen you have control ofCongress and you can just make one thingbetter you know I don’t know asRegulators if we ever really thinkthrough that frame so I’m sort of makingsomething up also like smart interestingintellectual well I think for me theworry I have as a as a law enforcerwhich isprimarily my job is I really worry thatwe’ve baked into some of our statutesthe concept ofCenter in a placewhere algorithms can commit crime thatis serious and people can say it wasn’tme we have to really make sure that ourlaws adequatelycapture the recklessness and all of theways in which serious harm fraud andothers can occur and until we can holdindividuals accountable it won’t reallybe sufficiently deterred so that’s justsomething I think about a lot when itcomes to how generative AI can be usedin ways to impersonate and create realumreal experiences with actualcarbon-based humans that harm them andthere’s no accountability around it sohow do you how do you do that well wehave criminal laws on the books and Ithink there’s got to be work and theexecutive order on artificialintelligence set out some framework forthinking about how do we protect againstsome of these harms and I do think theremay be places where some of our criminalstatutes need to be commended okay chairKH so one thing that I worry about ishow do we make sure we’re getting theliability framework right in this areaand how do we make sure we don’t havemarkets where bigger firms and theentities that are really designing andcreating and setting the rules of theroad are allowed to let some of theseTechnologies and tools out into the wildand the cleanup is is done by enforcersand you know Civil Society who have lessresources less information and lessability to fix the stuff on the frontend and I worry about the bad incentivesthat could be created when you you knowallow that type of moral hazardeffectively and where liability is notbeing aligned with capability andcontrol and resources and so making surewe get that right so we don’t have asituation where civil society andenforcers and others are having to dothe cleanup and a situation where we’renot creating enough deterrence in themarket because the entities that wouldbe best positioned to prevent a lot ofthis harm are not at the end of the daycarrying the ramifications so okay sothe logic massive oversimplification butwe spent the last 20 years debating itthe logic of section 230 was essentiallythe platforms are not responsible forthe actions that people take on them orthe things that happen because of thatdo you think that logic should beflipped around and the creators of baselevel large language models and basedlevel AI should actually be responsiblefor what is done with their products byusers well look there probably will needto be some fine-tuning and it’s hard toanswer at that type of categorical levelbut I don’t don’t think you should havea system where the entities that areenabling and facilitating the lawbreaking in a way that is somewhatforeseeable are at the end of the daytotally able to walk away from thesituation and so the risk of that let’sjust stand this because this is anextremely interesting thread the risk ofthat is that you then disincentivizepeople to if I’m trying to decidewhether I want to do my large I’ve got agreat idea for a new large languagemodel new gener of AI system should Ibuild it here should I build it in SaudiArabia you know where should I build itoh my God somebody’s going to use thisthing and they’re going to like make acheem they’re going to do something badthey’re going to do something harmfulthey’re going to plug it into a car it’sgoing to crash all over the place Idon’t want to be liable for for thatI’ll go building in Saudi Arabia what isthe risk that you drive some of theInnovation out of this country becausethe argument made with Section 230 isokay it’s led to a bunch of bad stuff onthe internet you know maybe twisted anelection or not but all these companiesare here are you worry about that welllook of course you need to figure outhow to thread the needle and get theincentives right you know we’re sittinghere as law enforcers and so we areindexing more for making sure we don’thave lawlessness in the marketplacebecause the incentives are distortedyeah Nick let me just share we we have alot of corollaries when it comes toscience where we think about thisproblem many of you know the companyPurduePharmaceuticals who together with Ibelieve McKenzie and Company where Ionce worked they basically knew abouthow their oxy content or other drugformulations were being crushed theyknew that it was driving addiction sothere’s questions the way we analyzesome of these problems is how were youprofiting and often there’s a knowledgeDimension to it or a recklessnessdimension to it all of these things areimportant as we think about what do wewant the liability framework to be aschair Khan said I really do think thatthe original section 230 and I’ve arguedthis for many years was really designedfor those Prodigy and compus servebulletin boards but in a world ofsurveillance-basedadvertising and behavioral targetingsome of the activities may not bepassive pipes but may actively becontent for which I think increasinglycourts are moving toward that sointeresting all right well let’s go backto the original question dictator RosenRussell yeah oh my gosh we don’t have alot of time and I have lots of asks anddemandsyou know were you Congress talking to meabout what authorities I want but let mejust focus on something simple withartificialintelligence because we have done inWashington a lot of hand ringing andpearl clutching about artificialintelligence and what it’s going to meanfor our broader economy and there’s alot to be concerned about withconcentration and the lack ofcompleteness in models and who gets ajob and who gets a loan and who getsparole we should be concerned about allof that but I think we also have toreturn to First principles and I thinktransparency is the most essential oneif you are talking to a bot that’sacting like it’s a human it needs todisclose that fact if you are getting arobocall using voice cloning technologyit needs to be disclosed and if you arewatching an advertisement for apolitical campaign that manipulates animage that also needs to be disclosedbecause I think that Baseline oftransparency will allow us to understandits effect on our Civic life in oureconomy and also let us as viewersvoters and citizens make informedchoices what do you think is the worstidea circulating right now in AIregulation there’s a big competition forthat well one just final plug I’ll makeis it’s incredibly important that thesemarkets actually stay open and one riskwe see is that the incumbents actuallymay already have a leg up yeah andthat’s why making sure we are allowingthings like open weight models to reallyopen up the market and allowentrepreneurs and startups to have evena foothold in the market is going to bereally important rather than doublingdown on rules or regulations thatprotect the incumbents so that’s kind ofa plug for Facebook there at the endchairman Khan well look we need to alsoremember that we’ve seen historicallycompanies engage in a bait and switchright where they’ll have openness in thebeginning try to gain scale that waycreate Reliance and dependence and thenbe able to flip the switch and so weneed to stay vigilant all righttransparency shifting liability concernsopen competition a lot of Great Hopesfor the age of AI we’re out of timethey’re all doing amazing work andthey’re wonderful to speak with on thispanel thank youso I’m just going to dropit please welcome Sasha oconnell seniordirector of cyber security programs atAspen digital for a special announcementand our closing remarks[Music][Applause][Music][Applause][Music]so thank you um so one more bigannouncement before weclose this summer with generous supportfrom Craig Newark philanthropies Aspendigital held a cyber security and dailylife poster contest drawing inspirationfrom a long history in American civiceducation to leverage printed posters tospread awareness about how to keep ourcountry safe artists age 14 to 17 fromacross the country were encouraged tothink creatively about the followingquestions when designing posters whatdoes everyday cyber security look likehow is cyber security part of your useof technology and why is cyber securityimportant to you and as you can probablynow guess I have the privilege ofannounc announcing the winners none ofwhom unfortunately are in the room withus but many of them are on the livestream and will’ll ask that you holdyour applause and appreciation till weget to the end and then I would love totake a moment to acknowledge theiramazing work today we are so pleased toannounce the winner as I just said whothanks to the generosity of Craig Newarkphilanthropies will receive a $2,000grand prize as well as eight Runner UPSeach of whom will receive$1,000 our runner UPS in the four 1 to15 age category R and we’re not usinglast names because we’re securityconscious Charlie’s s Julia M Maya D SOAM are Runners up in the 16 to17-year-old age category R Dalia VSophia n uan d Miley M and our grandprize winner is aen L age 16 a hugecongratulations to all of our winnersthank thank you it’sreally inspiring and beautifulwork so if you’ll bear with me just afew more announcements and directions tojoin us for our reception this eveningum of course I want to once again thankour incredibly generous sponsors withoutwhom we would not be able to have thisday with all of you so a special onemore thank you to Craig Newarkphilanthropies Google Splunk aiscocompany Capital 1 PWC Apple R PaladinCapital group Booze Allen Brunswickgroup Coalition Inc recorded future AWSand sa I a huge thank you again to oursponsors we appreciate you so much somuch um and ask of course from me uhthis week you will receive a follow-upemail with a request for feedback viasurvey please take the time and give usfeedback we value you as partners and wereally do want to hear from you Iunderstand our brilliant team also rigsit so if you fill out the survey you getaccess to photos from the event it’spretty smart move so please join us umin that followup for those of you whowant to share today’s discussions withfriends a video recording will beimmediately available at Aspen cyerssummit.orgto find out more about Aspen digitalprogramming throughout the year andplease do come see us again on cybersecurity AI responsible Innovation andmore you can visit us at Aspen digital.organd now I invite you to join us upstairsat the Skylight Pavilion so it’s up andup again we have staff throughout theroom and on the way to show you the wayfor refreshments and drinks and I lookforward to seeing you there thank youagain for joining us and we’ll see yousoon
Cybersecurity intersects with every aspect of modern life, from clean drinking water to financial transactions to free and fair elections. This is a human problem as much as it is a digital one, and it can’t be fixed with lines of code alone. Attackers exploit psychology, not just technology.
Cybersecurity involves everyone, everywhere.
The Aspen Cyber Summit connects the dots between the cybersecurity challenges of today and the topics that matter to you. Whether you attend as an engaged member of the public or a Chief Information Security Officer, you will come away from this nonpartisan event with a clear understanding of what’s at stake and what role you can play in building a more secure future.
On September 18, the 9th annual Aspen Cyber Summit came to the REACH at the John F. Kennedy Center for the Performing Arts in Washington, DC, to put cybersecurity front and center for the government officials, business leaders, nonprofit advocates, future defenders, and everyday people who are crucial to creating a safer world, online and off.
The speaker lineup and event agenda is available at www.aspencybersummit.org/2024-agenda. Visit the Aspen Cyber Summit website to watch recordings and view agendas from previous events.
This event is an external rental presented in coordination with the Kennedy Center Campus Rentals Office and is not produced by the Kennedy Center.
{"includes":[{"object":"page","value":"202231","label":"2023 Aspen Cyber Summit","type":"event"},{"object":"page","value":"40","label":"2022 Aspen Cyber Summit","type":"event"},{"object":"page","value":"173247","label":"2021 Aspen Cyber Summit\u2014 Day 2","type":"event"},{"object":"page","value":"172763","label":"2021 Aspen Cyber Summit\u2014 Day 1","type":"event"}],"excludes":[],"order":[],"meta":"","rules":[],"property":"","details":["description","title"],"title":"Watch Previous Summits","description":"Catch up on recordings from pervious Aspen Cyber Summits.","columns":2,"total":6,"filters":[],"filtering":[],"abilities":[],"action":"swipe","buttons":["arrows","bullets"],"pagination":[],"search":"","className":"random","sorts":[]}
Watch Previous Summits
Catch up on recordings from pervious Aspen Cyber Summits.
Facebook
Twitter
LinkedIn
Email
