
Welcome everyone to George Washington University. We have an awesome group of panelists and participants. Let me also welcome our viewers on C-SPAN. Obviously they play an important role in public service and better understanding how Washington does and does not work. I'm going to be hyper brief because you are going to get more than you want of me throughout the day, but I will very quickly introduce my partner in crime, or maybe better partner in crime, Lenny Haynesworth, who is vice president from Northrup. It's been a wonderful partner of GW's, of our center in particular, not only today's event but multiple reports we've done together, and I think they play a critical role in advancing our national security international interest. I will leave it at that. Thank you.

Thanks for the introduction. Good morning everyone. We are just very pleased and honored to cohost today's event, in partnership with George Washington University. Frank and GW, you have an exceptional reputation in leading rich and deep conversations about policy that will contribute to our collective ability to enhance the national security of the United States and our allies. As we commit Cyber Security Awareness Month starting next week, I can't think of a better platform or time for all of us to get together to discuss and pursue solutions that will enable the policy objectives for cyber security. As a company and a mission partner, we are committed to delivering innovative cyber defense and full-spectrum cyber and intelligence solutions to our customers across the Department of Defense, the interagency and intelligence community and the federal space. From our work, we see firsthand how the threat is growing exponentially both here and abroad. To combat the growing threat, we believe a multitier approach is necessary to protect our national and economic security interest.
This approach integrates cyber capabilities, built-in cyber resiliency and executes the unified cyber mesh and with our closest domestic and international partners. In the spirit of partnership, today's partnership is a true collaboration between government, private industry and academia. We exchange ideas and pursue mutually beneficial ideas to advance policy objectives for the U.S. and our allies. Today's panels will be exciting. They will focus on issues surrounding cyber deterrence and public-private partnership with innovation on both the technological and workforce front. Later this morning we will hear from the White House Homeland Security Mr. Tom Bossert, and the deputy director of the NSA, George Barron. I'm sure you can't wait for us to get started, so let me move on to introduce our first keynote speaker, Congressman Will Hurd. He serves on the Committee of Oversight and Government Reform and chairs the Information Technology subcommittee. He also sits on the subcommittee on Homeland Security and is the vice chair of the Border and Maritime subcommittee. In 2017 he was appointed by Speaker Ryan to serve on a House Permanent Intelligence Committee where he sits on the DOD intelligence and overhead architecture as well as the emerging threat subcommittees. I'm sure everyone here is following the progress of the federal IT modernization bill that he authored and is helping to push through and usher through congressional approvals now. Congressman is one of the most knowledgeable voices regarding cyber security in Congress. Prior to being elected, he served as a Clandestine Service officer in the CIA. The only current member of Congress with this background that we know of. [laughter] And in industry he was a senior advisor with a security firm. We thank you for your strong leadership on cyber and the intelligence community and we look forward to hearing your perspective today and your insight. Everyone, please join me in welcoming Congressman Hurd.
[applause]

Thank you, Congressman. Let me just, the purpose of this is to try to shed more light on issues facing our country. I know I sleep better with you fighting the good fight on Capitol Hill. As a bit of a backdrop, let me say.

Your bar is really low.

My bar was very high and you worked for a good friend of mine. I think it generally is important that those who legislate understand, if you are providing menu, you better understand what it looks like, and I think that's really important. I might also note, your committee, the Homeland Security Committee and on the House Permanent Select Committee on Intelligence, you've been incredibly active as a legislator as well. You've got a lot of members of Congress who can speak to the issues, but not necessarily follow through with legislative prescription. Thank you, on behalf of all of us. Let's start with a general question. You can't turn on the TV, you can't pick up a newspaper or click on a link, be careful which link you do click on, without reading and hearing about Equifax or you name it, every day there seems to be another one. Let's try to put into perspective, not all hacks are the same, not all hackers are the same. Intentions vary, capabilities vary, but before we jump in to some of the legislative and congressional initiatives, can you help us rack and stack the threat as you see it, what keeps you up at night, and what should we maybe pay a little less attention to, if anything.

Thanks for the invitation, and thanks for helping facilitate this conversation. We still have to be worried about the nation-states. The advanced persistent threats are still at the top of the food chain and APTs are what we have to ultimately defend against and that is where the federal government should be spending the bulk of their time. The theft of information will continue to go on and we have to be able to start thinking about authentication and what does that really mean.
I think when we look at the facts, we are not going to see the impact right away. This really has to change the way we do authentication. American people do not opt in for their information to be with Equifax or other credit agencies. Now, we've used those credit agencies so much for authentication, how do we change that. The growing area I'm getting concerned of is disinformation, and while it is not cyber security in practice because it's actually, it's not technical, we have to be able to defend against it and there are technical ways we can bring ourselves from disinformation, track disinformation, and that's why I think these issues should be talked about very closely. The broader problem on this is ourselves. What is a digital act of war. Everybody asked that question. Everybody thinks of it differently. We do not have an overriding policy. If North Korea had launched a missile into Equifax headquarters, we all know what the response would have been. Nobody knows what the response should be now, and that requires industry, government, legislators to finally work those issues out. In working with our allies, you have the Tallinn Manual. I spent some time in Estonia and there are 1.3 million people, but the fact that there are people who have trust in their ability to defend their infrastructure, to do everything online is a pretty big deal and I think we can learn from that. We have quite a bit of experience given their neighbors. I think they demand their pretty good at their job. I'm not one to look to the UN to help solve a lot of problems but they defined acts of war. The manipulation of the utility grid is identified as an act of war. When the Russians did this to the Ukrainians, what was the international response. Crickets. These are some of the things, some of our responses we should they were not going to tell you. Strategic ambiguity is valuable. We also have to have these conversations on attribution. Is general attribution enough?
I think it is in some cases. We also have to continue to work with many countries to make sure hacking and things like that are considered criminal laws. That's another level we need. That's why I think the work they were doing is an important tool in our diplomatic toolkit. I hope we see some changes to reinstate that.

To just put a little backdrop, nation-states both engaging computer network attack, peer nations that are integrating cyber into their strategy, countries that may not be yet at the capability of those but what they lack, they must make up for. Foreign terrorist organizations, is that given all your traffic work, does not warrant any concern on your end.

It does warrant concern but also, for me, can a terrorist organization take down our grid, can it manipulate markets, I don't think there is evidence out there that suggest they have the capabilities to do something like that, but again when it comes to the digital space, I say, looking at, part of cyber security and where I look at it the broader, how do you engage in the cyber domain just like air, land, sea and space. Part of it is the rules of engagement within cyberspace, and when it comes to ISIS, their ability to leverage social media to promote a message and counter messaging is important as well. When you have people using social media, you are increasing your surface area of attack for the good guys to go in and get information. I left in 2009. Social media was not used as much as it is. I wish I would've had that information to do my job because the info that I can gather from that is pretty significant. Not only is it an opportunity for us especially in the intelligence space.

I'm really glad you brought that up. I think it's fair to say we will never defend or firewall our way out of this problem.
At the end of the day, you touched on themes we will pick up in greater depth throughout the entire day, deterrence, signaling and the like, but when we think about our own capabilities, do you think we should be more transparent? What's the good of having a doomsday machine if there is no one who knows you have it. If we have to deter, we have to demonstrate. I think there's a lot of mixed signaling.

There is, but this is an age-old question and an age-old intelligence question: if you have access to intelligence, do you use it to do something, and if you use it to do something, you are going to reveal the intelligence and possibly lose the intelligence stream. That's why it's important for policymakers to make those decisions, not the practitioners. This is a decision, I think the future of Cyber Command, you will see NSA providing a perspective saying we need to preserve long-term intelligence value, then you will have Cyber Command say we need to use this to put the equivalent of lead on the target, and they will always be in friction. You want that tension, but it's the policymaker that ultimately makes the decision on the impact, the ability to act is worth the loss of capability in the future.

This is even more germane and important in cyberspace because as soon as you reveal a tool or a tactic, everybody knows it and it can get turned around and used against you.

Exactly. That means pulling the defensive community into any of the offensive discussions and it becomes more important today than it did in the past.

One thing I might, and it's not to get a draft and will move to other topics in a second, but when you look at the greatest breakthrough since 9/11 on the counterterrorism front, it really was synchronization of Title 10, Title 50 where you saw the Joint Operations Command, when you string them up, when you string them along and when you take them out. I think there is some history that rather than relearn the hard way, we can apply.
I wrote a piece with a few friends of mine so I think there is something there that can actually get the two entities, there's always going to be complex, but they have to come together to have concerted impact.

And we should be perfecting that right now today in eastern Ukraine. The Russians, this is where electronic warfare and disinformation come together. The Russians have been able to convince some people there is a separatist movement. It is a Russian invasion of a sovereign nation. They annexed Crimea, which is in the southern part of Ukraine. They invaded eastern Ukraine. They have 920 tanks and they are using the latest and greatest. We should be testing our latest and greatest and we should be doing that to support our ally the Ukraine. This is a real opportunity where we should be testing some of our capabilities and we're not doing it to the level of where we should. One of the questions I've been asking is who is the cyber. They're here, they're looking for me. So that is where, that should be the pointy end of the spear. Let me go back to something before we move on. When we talk about what are the biggest issues and what keeps me up at night, what keeps me up at night is actually quantum computing. Quantum computing is closer, it will be here soon. I know Vladimir Putin said whoever gets AI first, no, this will be decided by who gets to quantum computing first and in real broad application. That will change how we do things and us and our allies should be focused on this. Canada has some really interesting things going on, of course here in the U.S., and this is something that the only way we will achieve. The first is industry and government working together.

And we did a major report last year looking at proactive steps companies can take. What makes cyber different is they are on the front lines of this war.
How many companies went into business thinking they have to defend themselves against foreign intelligence services who, by the way, are not only bringing cyber but all-source intelligence.

But also, don't be a victim. Most of the major attacks we've seen are not zero-day attacks. They are, if you're patching your network, if you're doing proper credentialing committee would solve these problems. So utilizing good digital system hygiene is where we should go, and the government is some of the biggest violators and that's why we spent so much time trying to shine a light on that problem, prevent that from happening again, that we're following some of the most basic activities, and guess what, a lot of my work is focused. [inaudible] But the military is just as bad. The cloud is not new technology. The cloud is secure. You can secure the cloud. We should be transitioning to this as quickly as possible and by dragging our feet and those who are responsible, guess what. Get up to speed on it. That's why IT procurement is so important, because I will make sure our chief information officers across the government have the tools they need in order to modernize and make sure they are defending our digital infrastructure and providing the service they are supposed to be providing to the American people. It is still two thirds of all attacks are due to phishing expeditions. The phishers are getting more sophisticated in doing intel.

Thank you for raising that. When I quickly introduced in the very beginning, you've been legislatively incredibly active and in both hats you're wearing, that is just rich with legislative prescription. I'm not sure if they've all been followed up on Capitol Hill, but tell me, in particular about your IT modernization.

So two things. Thanks for those comments, but it's also Homeland Security McCaul, that are intimately involved on this.
When John was the chairman that looked at foreign fighters that produced interesting legislation, there's a lot of folks that are intimately involved and you also talk about reform. It's smart government that I like to call it. Now we will go to conference and make sure we keep that language and hopefully get that conference version passed before the middle of December and there's one more tool for CIOs to use. The OMB and American Innovation office have been intimately involved in this process. They have ideas on how they want to implement it in my against view is that CIOs are not prepared. As soon as this goes in, that is where many of the families who are watching here today can be helpful in watching them through three could vantage. One thing I will be doing on the subcommittee, we do a scorecard which is evolving to a digital hygiene scorecard. One thing we will start keeping track of is the working capital funds for modernization. I think that is if you're taking advantage then guess what, the culture of modernization in your organization, and I think that is one more metric we should be looking at for our various agencies. Some agencies will be able to take advantage of this, others will not. That was the reason for having working capital funds because they should be 20 different experiments going on in how we modernize. I'm excited about this. I always joke, I've been in almost 50 parades in my two and half years in Congress. Have never seen a sign that says IT procurement. It's really exciting to be able to see this come to fruition soon. No one resolved patching them either because they were on to the latest and greatest. San Antonio on one end, El Paso on the other, one of the safest largest cities of its kind come in the middle, more people, but when you tell people the federal government has 90 billion on purchasing IT goods and services and 70 of that is maintaining, they are outraged.
Two other legislative initiatives, also the specific cyber and what that could be from a good guy, from a red and a blue, and also, I was really intrigued with your proposal to initiate a stronger role for the National Guard. I think the men and women serving in the National Guard is an incredible resource that when bad things happen, they can be so much more, especially with respect to cyber, you can men and women who want to serve their country but maybe want a salary or lifestyle with their family just a little bit different to do both. You mentioned Estonia earlier. They have a cyber defense where they have a National Guard with a can support foreign intelligence. They've expanded the way we feel under Title 32. I'd be curious about both those bills.

I represent 820 miles of the border and I chase al Qaeda and Russian intelligence officers all over the world. The premise is building a 30-foot high is the most expensive and least effective way for border security. We should be using the latest security in order to understand the difference between the bunny rabbit and the person coming across the border. The border is broken up into sectors. El Paso sector has 300 miles. That technology is 20 years old. We don't need a Hubble Telescope on the border. We just need a camera that can see at night. We can use radar, layup fiber optic cable and use the analytics off that. Reality is, technology has come so far and is so cheap it's basically disposable. We should be thinking of it that way. All that information we're gathering, we should take a mile by mile perspective because a one-size-fits-all solution doesn't work. We need to figure out what the best tool is for that location, have the information that you gather and beam it to the man or woman and Border Patrol for them to do their job. The cyber security implications of that is basically cyber security is the internet of things.
Making sure that, this is, I think one of the biggest debates that we have to make sure as we are building the internet of things we do not make the same mistakes that we made with the internet. Don't hardcode passwords, make sure your systems are able to update remotely. Ultimately, being able to secure a sensor network along the border is not an unbelievable challenge. We also have to remember that human smugglers and kingpins don't have jurisdictional debates in Congress. They aren't having Congress, congressional approval for their operation. The bad guys are well-financed, well-equipped, and they will be using toner techniques.

With the intent, will you have cyber security requirements? We did a couple in the past with their CIO and it was baking security into the design and it played a role, would that be the stipulation.

I think it already kind of covers some of those requirements and that is something that would ultimately get pushed down to do to us procurement, but it's something that needs to be.

You're open to looking.

Absolutely. I want to get this done. We don't have operational control the border because we haven't looked at the border at the exact same time. You can't look at the entire border if you're not using manpower. The notion is, now that we are close to the finish line, we will start focusing on this. What I call the cyber National Guard is simple. There's a kid that wants to indicated degree in something related, we will try to find federal dollars. If you go to school on a scholarship, you get to go in working government. Then you go work at the Census Bureau, the Department of Interior because we need people there. After he worked there you go work in the private sector, that company, like Northrup, are going to bring you back for the proverbial one or two weekends a year. Think will be something like ten days a quarter. The 15000 holes in IT job in the federal government, we don't have common job for that.
We have to make sure there's common job description across IT positions in the entire federal government. I think this is something that can be solved in 60 or 90 days. Let's just take someone who has job description, tell federal CIOs each position need to be matched to one of these 300, put it in a database or ready to go. That's one of the preconditions we have. I think we have ideas on how to sort out the money, but the other question is bringing people back into the federal government, how would businesses come before that, and we also have to start talking and streamlining the process of getting security clearance as well. That will allow cross pollination of ideas and we accept the fact that the federal government is never going to be up to compete with the private sector on salary, but mission and, there's not too many other entities out there where it has a scale of any agency within the federal government so that is a skill set and a perspective that you can't get in many places in the private sector call too.

I'm glad you touched on the work and building career paths and professionalizing the process. It's really important. We've got ten minutes for questions, seven minutes actually, so please identify yourself before you ask the question. What do to hear and then we'll go to the back. We do have a microphone coming.

On other legislative issues, can you talk about the reorganization bill passing Homeland Security, government oversight is looking at it, can you tell us when it will come to the floor.

I think this is a good piece of legislation. I think the chairman is exactly right in the needs for that reorganization, and this is one of those issues where the term, the issue jurisdiction gets in the way. I've heard that term more in the past two and half years of my life than the previous 38 years combined. The real answer is I don't know, but it's something I think we need to move forward.
I think NPPD is so important, they are the bellybutton and sharing between the federal government and the private sector. They are the only entity that can transition from need to know to need to share, and they are. That is why I think DHS is so important when it comes to coordinating it. I always use an example of why need to share so important. We know that came out of the 9/11 Commission Report about intelligence sharing in communities that translates into the cyber world as well. I've been out of the CIA since 2009. I have never ever said the true name of the farm.

Don't start it now.

I will start it now, even though it's in every book in every movie. I just can't do it. That's why culture matters and why DHS is so important. I want to see that bill moved. I think there's a hearing coming up next weekend. Brendan's in the back of the room speaking out.

Mike Nelson with Cloudflare. I'm a technologist working for a technology firm. I always look for technology solutions but I'm actually in I asked about economics. Seems like there's little research done on how we can make spamming, malware, ransomware less profitable for the criminals and we have even less good research on how we can change the economics so we can get people to fix the problem. One good example is in the federal government where we have hundreds of servers used in almost every attack because they amplify the attack. Somehow we have to get the economics right so the people who run those servers are punished.

That's helpful perspective. Legislative director is here and I think that's really interesting thing to follow up on. It does play into some of the perception management and psychological operation. What's the cost if Russia gets it wrong on Twitter. The cost is nothing. If they get it right it's low cost and we all know they started the HIV rumor which is all false women now they're just doing it with old intent in new tactic.

We had a question back here. If we can do quick questions.
I think you're being a little tough on federal CIOs. Aren't many of them appointees? At the state level most are appointees and only stay two years. Very rarely will stay for years. I think one of the major problems is we don't have continuity and management because that position has been made in an appointee and not a permanent position. This week all the CIOs will be meeting in the governor across the way is being really strong in bringing the states together so could you comment on that.

I completely disagree with your premise that I'm being tough on CIOs because I'm trying to get them more tools. I'm trying to, I don't just bring them in front of my subcommittee, I bring the CTO because they should be getting all the responsibility and authority. You can't hold someone accountable if they don't have the authority to do their job. For me, everything we have been doing is to strengthen their authority in order to do this but we should be, there is not enough continuity, we have to look at why that is. Is it frustration with the ability to do their job, is a lack of adequate manpower, these are issues that GAO has looked at. There's still many agencies where they don't report to the deputy and that's unacceptable. Making this issue more of a C-suite responsibility, I think you will see our CIOs feeling like their work is valued. They're not getting paid enough, they have huge issues, and they have Congress breathing down the throat. I recognize the difficulty of that. That's why will make sure we have the tools.

Last question, because we are actually out of time, with that state and local question, what are your thoughts on DHS, as not a sub critical, but government operation.

Think Jeh Johnson convinced me, which is a good move. What it does it allows and prioritize state CIOs to get support and training in dollars from DHS, voluntary. I think the concern many had was that they will try to take over managing elections.
The utilities are considered critical infrastructure providers. DHS are not running utilities. Telecommunication infrastructure is considered critical infrastructure. DHS is not running the phone company. I think those fears have been misplaced and, as we saw at Black Hat where 26 of the voting machines were brought and they were all hacked within six hours, this is something that our local municipalities, state and federal government have to be working together to ensure the protection.

Thank you for joining us. Thank you for your service and thank you for getting things done.

It's my pleasure. Thank you.

[applause]
