Combining intelligence, r d, and operations and combining them with policy and partner building. So without any further adu over to you sir. Thank you. So just to get you into the atmosphe atmosphere. Yes, so we have big competition in this conference today. Were competing with national phenomena, with this who doesnt recognize this is dorian, just climbing its way up from florida after the bahamas, i hope far enough from here. But national phenomenas are a disruption to the main thing that were here, and another thing that may look like things that we need to take care of more relevant than a hurricane is the measles. So we came over to talk about cyber, so why im talking about measles . Measles is a highly contagious and very infectious disease, and we thought that most of the population thats at risk are two kinds. Those who are not immune, and those with a weak immune system. Now, we thought that it sounds like measles, like kind of pronunciati pronunciation, but its not funny. It kills a lot, and erupts an outbreak even in these days as we can see more and more in the news around the globe. We thought we e rad karadicatedk in the 60s but its still here. Why . Because of the two populations, those with the weak immune systems and those who are not immune, and this brings us so cyber. With e newe need a vavaccine. The need for vaccine goes for biology, for contagious diseases like measles and all kinds of things. If we take a look at the World Economic forum main threat s, their annual report they issue it in january, and you can focus, zoom in. The most global risks, the biggest and most dangerous risks are here. Cyber is only number five, but its number one man made. Now we talk about measles. We talk about hurricanes. This is man made, and its growing louder and faster and in fact, i got this morning an email from the World Economic forum asking me for the next years survey. I fear that its going to raise from the fifth place to even higher. So we have cyber crime. Cyber crime, the numbers are fantastic, more than 2 trillion only this year, and its climbing and raising up. I think its already six years now that the number, the amount of money stolen by cyber is larger than all the rest, different measures, physical measures et cetera and it keeps rising. Why . Because money is actually data. That we attribute value to. So if we take a look ten years ago, now its still popular to do the ten years challenge, although we have some new challenges. Critical infrastructures, after me youre going to hear chris krebs, dealing with Critical Infrastructure. Those still deal with this, yes, ten years ago black and white in cyber terms really, but still deal with the traditional, if you can call something in cyber traditional, Critical Infrastructure. We have trains. We have energy, oil, transportatio transportation, health care and others, but today, and its in a growing volume. We deal with much more Critical Infrastructure, which is Peoples Trust. The problem the Peoples Trust is much more vulnerable and much easier to undermine. When we talk about Peoples Trust, its very e louis sielusi dont need to mention here in washington, d. C. What happened three years ago and what would have happened unless the usg, the u. S. Government prepared for the midterm elections in the democratic society. We have elections in a couple of weeks, all democracies will face the same threats. All also with the financial system, its not about stealing money. Its about undermining all of our trust in the system, and its governance, its health care, its everything, and the problem is were getting more and more vulnerable as the mankind is going more and more digitalized, more and more dependent on web and dependent on Peoples Trust. The problem the bad guys. Bad guys from cyber crime groups to terrorists, terror groups, to rogue states. Well talk about iran and others, they all understand and realize that were getting more and more vulnerable, and they dont. Theyre less dependent on digital. Theyre less dependent on Peoples Trust, and they realize that we are. And this asymmetry is one of the biggest problems, but its not everything. The middle east unfortunately is kind of a magnet for all the many kind of troubles, also good things, but in our case, the cyber thing, its a magnet for Cyber Attacks and it mainly comes from a specific actor. I cant state it here. Its no secret no longer at all, its iran, and its not me saying. Other Intelligence Companies that say that. In fact if you watch some leakages coming out from the iran cyber squads, someone leaks it out, and you see a big operation that is aiming not only to israel, not only to moderate arab states but to the u. S. , to the west. This is one of the problems but not all. And another threat is that the attack services. Well, ten years ago we had emails. We even had gmail, so that was ten years ago. Today, well, too many attack surfaces. If we take a look, and i dont have the time, although its interesting to all of them, but when we talk about cyber, its no longer computer. Its about space, we just heard about the Civil Aviation things. Its much more difficult because its rf, frequencies, gps and spoofing, et cetera. One thing you should bear in mind, a. I. Becoming the new buzz word, the new thing, and rightfully. Its sfwrinteresting. The abuse of technology as ancient as mankind. Since the beginning of technology we developed the help ourselves, and the same goes with computers, cyber, a. I. In this case you can see and you can google adversarial a. I. , probably youll land on examples of kids play, photo recognition algorithms and turning it from the panda bear or school bus into whatever they want because its easy to fool them. If you reverse engineer, if you understand the basis of the a. I. Algorit algorithm. Its much less funnier when you remember that Autonomous Vehicles thats going to be all over the prailace in a couple o very short years, Autonomous Vehicles use the same algorithm to identify whether its a road, pedestrians or other cars. Now its much more serious and remember the measles. So in israel we defined cyber in a wider definition. We deal with all of that, and we dont have any privilege to know one tech surface or the other. Last but not least is remembering the nature of cyber weapons, unlike kinetic warheads or kinetic weapons. It sploeexplodes, if not it get wrinkled. The bad guys cannot take the warheads and send it back to the good guys. In cyber they can because its in code, words, letters written by human beings, so they do that, but its not enough because it leaks all the time because its cold, unlike Nuclear Material god for bid only in hollywood movies crazy terror groups. Why is it important . Its important to remember in our intelligence assessments when we are in decisionmaking process, we usually say about this big state, rogue state or others, they have air force. They have navy, they have missiles, but theyre more de r deterred. They are more responsible. They have constraints. The terror groups, theyre crazy. In israel we have hamas. They decide immediately to launch missiles over tel aviv, they do that, but they dont have air force. They dont have submarines and strategic weapons, but they do have Strategic Cyber weapons because they got hit by all they got from leaks outside the web. So they dont develop it. They dont have nsa, but they get their hands on because this is the nature of it, and thats a big difference from all the traditional weapons that we know. So i can talk for hours. I dont have the time, about new trends, new ttps, new things targeted ransomware, things that we discussed here in this great two days. But its a very lovely day here in washington, d. C. We need to remember and to be vigilant that its all this w l vectors and others that bring us to the gloomy conclusion winter is still coming. We havent seen the worst yet. What we should do about it . The antidotes in this case, the israeli antidotes. The first and most important things of course, mission is securing cyberspace. Second, and this is unique to the israeli model, you see that and one of the examples of that well come to it later is what you see on my right. On your left the innovation arena of the israeli companies, well get to that. This two goes together. We have arrows until recently, just almost two years ago we converged all the different entities into one, all the fingers into one strong fist that we call the National Cyber directorate, and the importance is to have one agency that can supervise. We have military, we have police, we have other agencies but one agency that reports directly to the israeli Prime Minister deals with cyber. Unfortunately, i dont see enough equivalence all around the globe, although the u. S. And many countries got the idea and also have the same solutions. This is critical. Something more critical, strategy. This is our strategy very simple, three layer strategy, the first one we call robust, preventative medicine like washing hands. The second is understanding and this is important to realize theres no Hermetic Solutions to cyber. Whoever tried to sell you that, kick him out of your office. Eventually were all going to get sick. So how fast we detect, how early stage we detect the how early detect the disease. How fast can we remove it and how strong are we to keep on our feet at the end that is the resilience. And lasts but not least is national defense. Its people against people. We need to treat them as alike. In this case the last example a couple months ago after hamas launched missiles and try to use cyber techniques against israel they went to the cyber squad in gaza you can see how accurate and how surgical it is , only the two floors above it are intact. No one was harmed because there was lots of warning before and thats how we still act in gaza. The hackers ran away , but not far enough. Enough to seize their computers and blasted into 1000 pieces. This is something that works. I strongly recommend not being afraid of using whatever is needed against attackers. This is something that we do not do directly. We have other forces but we are involved in prioritizing and pointing out the targets and etc. Time is running out. We have some National Solutions i will give one or two short examples. The first is the cybernet. Its a social media that connects trusted members of the israeli private and public sector. They are all connected. Very heavily secured they can all interface and interact in equal share information. This is a platform it is so successful that we got israeli members to connect solutions directly to their systems. I had a stomach ache before i did that but we send it directly to their systems another example is defacement. Every year we have a major attack around the globe. Its critical, remember Peoples Trust in such a volume i got tired of that and we developed a National Solution scanning all the major websites which is a couple hundred thousand and it detects it the moment it happens. Its a basic ai to see that something is changing in this manner. We see a rate of success. Last her before we had that we had these and numbers of attacks. You can see 19 a drop this year. No success for the bad guys just using a basic technique most of the victims didnt even know they were victims because we n to identify in the middle of the night before it was a scene and we were able to correct it a couple thoughts about echo system, here we have some great examples. This is a funding of a 4 billion. The Global Investment goes to israel it basically is based on new capital and academic research. In israel we focus on the capital. This is how it looked eight years ago when the first building opened. Six years ago you can see it looks like this. Now it is three buildings that are all operational and occupied. And the fourth is about to be opened in coming months. This is for anyone who hasnt seen it come over and see with your eyes. Even when you see the buildings besides the ones from a couple of years ago. And do not forget to visit we hope you will come and visit the israeli invention center, you can find them on the east coast of the United States. We deal with the different things, i will skip that. We are opening a small transportation. Two simple examples of what we do. We opened a direct line, and it begins with one. Polices 010. We did 911 and the opposite. Its a 119. Every civilian can call 24 7 and ask for assistance and we can send out a Response Team and assist in whatever we can do. We are controlled use center , remember the measles it behaves like a epidemic. This element can give us an essential of the first signals of an outbreak. Cyber epidemic that is about to outbreak and then we can identify patient zero , and contain it. This is the first one the second is a proactive scanning the web in the dark web to find exploits and then immediately going out and affixing them we find the exposed channels in this year took us 14 days to locate the channels and 90 of them were fixed. Last but not least, the international cooperation. In this case its Important Message to sum it up. Not a Single Agency in a single country can move the cyber successfully by itself. We need to partner up. Thats the nature of the web. These are a couple of countries that we work with. Some of them dont have as much is israel then we face some problems. One thing i want to mention was organizations like you see here. We just met with the American Development bank and we have a Great Program with him. Its a great audience here that speaks for partnerships. You can approach her, and the embassy and we are more than willing to partner. Remember we need to be immunized and Work Together and then we can eradicate the epidemic. Thank you very much. Is thank you very much yigal unna for that wonderful keynote and coming to share your insights. We are honored. Ladies and gentlemen, general Michael Hayden its a great honor to have you back and a great honor to introduce our final two speakers. Christopher krebs known to all is a great friend and is the director of the Cyber SecurityInfrastructure Agency at the department of Homeland Security we are delighted to have him speak it is my honor and privilege to introduce to you Christopher Krebs. Good afternoon im in that an enviable position between Ciaran Martin and the end of the day. I want to thank tom for having me here again. Its a great event i have a bit of a history with tom and i have spoken at his events but i remember a few years ago when i was in another role of handling a speaker request for the billington conference. I wasnt sure what it is and i needed to do a Little Research before making recommendations on whether or not to say yes or no. So i researched the event, and the founder Thomas Billington. And i was like who is this guy . Are we talking about dynamite kid, the anchor of the british bulldogs . I said who is Thomas Billington it turns out that Thomas Billington has a special talent in pulling off a meaningful Cyber Security events that bring together impressive array and variety of people. Todays event and last years event, and the prior nine years demonstrate that he plays a key role in driving the conversation in washington, d. C. And across the globe. If you take a look at yigal unna and hear globally. As that is for you. When i was thinking about what i wanted to say i had a couple of options a couple weeks ago down in Auburn University i released the Cyber Security strategic intent ive been making final tweaks and it was burning a hole in my pocket my thought do i wait for toms event or do i get it out of the way so that i can bore meaningfully talk about what this intent means. So i brought it out in auburn. I had an opportunity to lay out what this is and what Cyber SecurityInfrastructure Agency means what are vision and philosophy and priorities are today and in the out years the most meaningful part of the intent for me boils down to three different buckets. The first are the five principles of an agency. How will we execute our mission and then the goals that we will attempt to achieve. And then the five operational priorities that drive the majority of efforts. Going back to the five principles. First and foremost we have a Statutory Authority to lead the nations Critical Infrastructure protection efforts. But we do not lead alone we lead in a collaborative manner. Is working with the Cyber Security director at the nsa. Its working with karen evans at the department of energy. Alone we will fail and together we will succeed. And that is the ethos of the agency. The second piece we have to be results driven. We have to focus on a demand signal and identify the requirements that we are seeking to achieve. We do not do that alone that goes back to that collaborative. We have to work with stakeholders to identify precisely what they need address. The risk they need managed to build those coalitions. We are said to do it in a way that is a scalable. Im going to talk a little bit about elections and Election Security that is probably one of the most challenging engagements or disciplines ive ever had to engage in because its such a vast landscape. 8800 jurisdictions voting jurisdictions in the United States. How do we scale we cannot reach out and touch each and every one on a daily basis we have to have capabilities that hit Risk Management outcomes. Its identifying the risk and engaging in ways that help everybody. Almost in a train the trainer concept. And then i want to talk about risk we have to be at risk focus. We have to understand where the things that matter are , if everything is critical that nothing is critical i know thats clichi but it is true. Think about the Critical Infrastructure community in the United States. 16 stuck sectors we put a lot of effort in narrowing down what the critical functions and the strategic functions are. So however we execute we are going to be consistent with american values, privacy, Civil Liberties and civil rights. We cannot compromise the most basic concepts of the constitution in executing this mission. Were not going go out there and mass scan the internet. We cannot do it that way. We have to work collaboratively to figure out what our partners need from us and develop those solutions. And then as a new agency thats going through a transition phase we have to be able to execute and engage in a one team approach. Its emerging capabilities that historically have been across Cyber Security we are Risk Management organization. We are not a physical Security Agency we are Risk Management. The way i describe our role across the United States and the Global Community is we are the nations risk advisor were not the risk manager, ultimately we do not turn dials or pushbuttons we are an enabling organization we facilitate we provide capabilities we help drive capacity forward. We are advising risk managers on how to do their jobs more effectively. With those five principles in mind we identified a set of two goals defend todays secure tomorrow. Basic and simple. We have to address the risks that we know of today. Closeout the vulnerability, manage consequence today. If we know anything its that technology continues to evolve, 5g is a great example, its not here yet but will be ready when it is here are we ready for industrialized bandwidth with lower latency. The safety and security frameworks would they be in place for Autonomous Vehicles . That is what securing tomorrow is about making sure that we are looking at risk that is emerging and pulling that framework and partnerships together. A couple weeks ago we were quoted in an article talk about looking forward to the 2020 election, thinking forward on ransom where threats and Voter Registration databases. I and what is the worstcase scenario two weeks in advance of an election . It is a bad guy that is identified as a moment of weakness it would lock up a Voter Registration database. I have 13 months to get a job done, working with every state to secure their Voter Registration database to make sure that it is not moldable to a ransom attack. The operational priorities are with the defend todays secure tomorrow. The five operational priorities or where we can be the most effective today and tomorrow at the top its Government Networks we have a unique role in helping the 99 civilian federal agencies secure their enterprise. Its not just about how things are architected today but using some of our tools and capabilities like continuous diagnostics to have a more centralized approach to Cyber Security so that every agency is an out there doing it themselves so that we are leading in a collaborative way. How do we deploy more tools so that we can see risk emerging across the board . Once we have the capabilities you know as who can use them . State and local governments we could get more folks on the capabilities the second piece , the second operational priority is elections that is where were putting a significant amount of effort and where i personally am putting a lot of effort. And soft targets crowded places. This is the physical side of the shop, school safety, places of worship, domestic terrorism. We have a role on the physical side as well as a cyber side we have to provide capabilities, training, and the resources along with advice to the thousands of organizations out there that need help. The need federal government to provide a recommendation. That is our role. And the last priorities are in industrial control systems. Im not looking to deploy of bunch of sensors , i want to look at the inside , i want to help companies that manage technology and give them good basic practice whats essential for securing the environment based on our insight and the things that we have learned from Incident Response from partners in the intelligence community. We have a role to provide those recommendations and bad advice. And finally and this is probably the smallest , its actually not is the china supply chain and 5g. This is that phase where we have to put the whole of the nation strategy thinking and execution against what is not an emerging problem it has a been here. How do we shift the risk pendulum to address risk posed by a nation that has demonstrated aggression against us . Cloud hopper, its just one example about how into an intellectual property theft is one of the greatest risks replacing American Innovation across the world. Supply chain, do we know what we are doing, do we know what we are putting into our networks we are pushing out a new concept for the next generation of telecommunications we have that framework in place to we understand what is happening in the standard community. To wrap this all up and to go back to my opening principal i dont know how many of you have picked up gen. Mattoxs book, he makes a point that really resonated the hair stood up on the back of my neck. He was citing leadership quality of washington, listen, learn , help, need. The same ethos of my organization. Im never going go out and do anything alone. I need to understand what my community and stakeholders in need. I need to learn what those capabilities are and develop them. There will be places where we will lead and that is exactly what happened in 2018 with elections and thats where were going for 2020. In 2016 we were listening , what do they need. We were learning how Election Security happens at the state level and we helped in 2018 we provided training , exercises, and capability. In 2020 we will be leaving, we will not let the russians or the chinese or the iranians come we are going to be ready we are working hard every day and as you heard from pretty much every federal government representative its a top priority for us and we will continue to make sure that when you vote that your vote counts and that it is counted as it is cast. Thank you we are looking forward to the fireside chat a little bit later. Thank you very much. The last speaker is Ciaran Martin. That chief executive of the National CyberSecurity Center for the united kingdom. We are delighted to have him today with us to deliver the keynote. He introduced at the summit that we held three years ago, we are delighted to have him back here to speak from his important perspective as a special relationship with partner with the United States is so important to all of us. Its my great pleasure to introduce to you Ciaran Martin thank you. Very much tom. Good afternoon, evening everyone. Thank you for your patience. Its an honor and privilege to address this conference for a second time. One of the best Cyber Security events in the world. And i will try and do not put that at risk in the next few months. Its an honor to follow two outstanding Cyber Security leaders who i had the privilege of calling personal friends. We share the dubious distinction of leading Cyber Security agencies in their infancy. We are trying to make the internet automatically safer and using the best of Cyber Security technology. And events are great to catch up with friends and we can talk about how to secure elections that you werent expecting. Staying with elections , i want to patronage to chriss leadership in establishing cisa. I will quote him wildly out of context but one sentence from his presentation. Was a worstcase scenario two weeks out from an election . Thats not just a question you ask in london anymore. I do want to pay tribute to chriss leadership in establishing cisa. And i welcome his partnership and emphasis with allies like us. When i appeared here previously i said that so much of what the uk achieves an Cyber Security depends on the willingness of our enduring American Allies to share data and collaborate on everything from technological innovation to punishing proven bad behavior by our adversaries. Cisas establishment with its Ambitious Program reaching out to local government, industry , and Wider Society that will help us build a partnership further. Cisa together with the establishment of the new Cyber Security director at the nsa that and spoke about yesterday provides an opportunity to take the Transatlantic Partnership on Cyber Security to a new level. So chris, thank you. And from the bottom of my heart, thank you to the United States. This is a reflective moment for me personally. As tom said , three years ago i stood on this podium optimistic but nervous. It was my first public speech is a designated head as a National CyberSecurity Center at the united kingdom. And we were coming into existence within a month. I was optimistic, weve been given a clear mandate to take Decisive Action dealing with Cyber Security prospered i was a nervous, because i was worried we would fall short. The previous decade was full of wellmeaning but things that will shorten Cyber Security. I want to reflect briefly in what we have learned. First, what were we are defending . And what we are defending it from . And how we should defend it now and into the future . First , what are we defending . This isnt really a talk that tells the expert audience how important the internet is a to the way of our life. I take it for you get that by now. I would say the x substantial importance of what we are doing to protect our digital way of life has become more apparent. Weve learned is some truth , countries like the united kingdom, United States , and israel are open digital societies. So confidence in the security of our digital lives is more and more important. If are empowered free citizens think that their digital environment is unsafe, our prosperity and social cohesion is in trouble. Cyber vulnerability in Critical Infrastructure if left untreated are serious national risks to our societies. We thought it was about power grids and bank systems, it is but its also about soft power , our values , our freedom of speech , our electrical security. Cyber security is about defending our way of life. The internet did not invite entrepreneurship, freedom, its a brilliant expression its about defending those shared values that we cherish, defending our open society, in 2016 it seemed slightly over thetop , but not anymore. Because those shared freedoms are under attack . We know so much more than what we did in 2016. Heres how it looks from the perspective of the united kingdom. We benefit hugely from being part of the nsas equivalent. Heres what we find. We face a determined aggressive russia seeking political advantage by hightech means. We live in a business and corporate environment were chinese Cyber Attacks on our commercial interest is now something that our companies treat as business as usual. While we can welcome some mutually beneficial investment from chinas burgeoning tech sector, we have become increasingly aware of areas where we and our allies need to have our own trusted capabilities. We face intrusions from iran and trying to steal from north korea. Both nations prepared to launch aggression digitally. These socalled big four are constant over the past few years. We know more about them now than we did then. And that helps us fight back. Well so no more about the grave threat posed by a highvolume low sophistication cybercrime. That for me is a threat and that we underestimated. These are the people that attack wherever they think is money to be made. The people who rarely if ever attack anything with strategic significance. But cumulatively there attacks are real challenge to being able to have a thriving Digital Economy. If your cash or data has been stolen or ransomed youre not going to be at cheerleader for new Digital Economy we have to be mindful of the new threat two of the biggest crisis as were unintentional. One crime was a north korean attempt to extort money that ended up affecting our National Health service. We knew it wasnt intentional because the British Health service is the stupidest place on earth to extort money from. One month later a russian attack on ukraine affected Companies Across europe including the united kingdom. And we saw this happen by mistake. But it doesnt matter to the companies who lost hundreds of millions of dollars. These attacks on cold viruses are nothing. And their increasingly for sale. Leaving any well resourced nason nation with the capability of a cyber attack fairly easily. Maybe not lisle but potential a menacing. We are acutely aware of the risks of terror groups that do not have destructive but they will purchase them in the future. We need coordinated action with partners to manage this risk and together we need to maintain constant vigilance. Constant vigilance is a perennial message in that National Security and i will not dwell on what it means for Cyber Security defense. Instead having talked about what we are defending and what we are defending it from i would like to conclude with some headline thoughts about what we in the uk think we have learned about how we defend the internet and our digital freedoms i must stress that these thoughts are meant to strike debate. Im not here to lecture you. One lesson is that government matters. The internet is a creation of free society, but its also nonessential , even an open Society Government needs to do something. When i first started leaving uk Cyber Security in the end of 2013 i found the temptation to fall into a need to slogan industry to Work Together in partnership to encourage information sharing, form committees. Some of the stuff might help but its not big enough, its a proven recipe for inaction. In 2016 we had a decade of evidence to prove that. One thing we can do is lead. We can leave the detection of the threat and taking action against it. And thats one of the reason that we benefit from being part of the phq. Making it resilient is possible to Cyber Attacks. Thats not easy. The Digital World means that some companies who didnt exist five or 10 years ago are now crucial. We have to make the best of and in perfect picture. For example we have worked to secure smart metric system, Bank Clearing systems , social security, 5g security. These are important for the government to identify and with private sector partners to manage. Then crucially we need to make technology safer, the free market sadly doesnt always do this , time and again weve seen incidents of blowup because of the x plantation of basic structural flaws in the technological ecosystem. Plaza no one has a commercial incentive to fix. Uk im proud to say was one of the first to call this problem and do something about it. This very conference three years ago, we led a Major Initiative called automated cyber defense. Its a governmentbacked intervention to take away most of the harm for most of the people, most of the time its about well leading interventions , like a a takedown Initiative Like a reduction in uk global fishing from 5 three years ago to just over 1 going from the tax of 40 move of being the 16th a spoof brand the world to the 126 most spoofed brand. Its not just about making the internet automatically safer by making the internet easier to use a safely. For too long weve suffered from producer capture online. If you want to use my network use it on my terms. The average person uses Many Networks theyll end up with the closing of the average person being expected to remember a 600 digit number each month. Government needs to call out the stuff and nudge it in the right direction. That is what we are doing we need to give people and businesses better help. Theyve built a popular toolkit, a summary gives Corporate Leaders five slightly technical questions about their organization Cyber Security a Small Business guide, and exercise in the tool the any organization can use to practice their response to a Cyber Security incident, over the next few months will be sending out in detail how we can help people in areas like schools, universities protect themselves better. Major focus in the coming. And then let me leave you with two final thoughts. Friends and allies with the shared values, and the footprint we leave in a digital environment. We must preserve our freedom of action we must acknowledge that cyberspace is a domain of operations, and we must offer it, and it is primarily a peaceful domain where we talk, work, shop, communicate, and express ourselves freely. So lets support that free and open space. Its a practical and tactical one we need to keep the best capabilities, the best people to deploy when we need them. We have more to gain than our adversary by keeping the internet free and the safe. They will always have more to gain by detoxifying a digital environment. Finally let us look to the future. We have it delivered on the commitment to begin the process of making the process safer. Its easy to say that there will be more times, but it doesnt have to be the case, maybe because people are going to pay for products and services and we can move to a model where consumers have a choice and prioritize security. Lets look at opportunities in the future, lets look across the uk and u. S. Alliance and partner with friends like israel looking for opportunities to be a harder target. With full range of defending our freedoms because our cherished freedoms depend on us doing that. I stood at this conference believing that we can achieve something very special and i think we are on course, thank you for sharing this privilege with you today. Thank you very much to Ciaran Martin and Christopher Krebs for wrapping up the day so well. Money and with the fireside chat and ask a couple of questions to wrap up the conference. I appreciate the opportunity to be here to wrap up what has been a great day and a half. If i could take us. The ncsc is nearing its third and cisa its a first. The special relationship is 75 years old. What the Lessons Learned have you gleaned from your time leading your organizations for the u. S. And uk . Do you start 17 but ive just been speaking out here for 20 minutes in terms of the partnership, never take anything for granted. We have been able to build on the shoulders of giants and history. People who built a special partnership i its really important that people like chris and i build a Strong Foundation for future relationships and i think we are doing that. In terms of lessons . Setting up the organization i think you dont take anything for granted. We have Senior Management off site in london and kindly one of the industry partners, bank of america gave us the emphasis to do it. I remember thinking this is a bank of america with the Merrill Lynch logo. One of the biggest brands in the u. S. Financial services. And saying to my team you dont take anything for granted. We had a successful three years , but who knows where well be in 510 years. We need to constantly earn and retain the trust of government, people in international partners. You cannot stay still. We need constant renewal and i think that is the first thing. The second thing is being pragmatic. We only are worth doing in the transition of goals. We need really Good Technology to deliver that she needs expertise or it is a nothing. We need to bring in people who have that expertise that can apply themselves to the solution and the third thing is the skills picture one lesson that i have talked about which is very boring but real is setting up interface organizations. Its way harder than it sounds in terms of it and corporate services, having people who can make the Organization Work and powering the tech vision is really crucial. s but when you look at the relative differences between the two countries, i think their model works brilliantly for the uk, from a u. S. Perspective given the geography , and the number of Critical Infrastructure players that we have to get our arms around , the motto that cisa embodies. I think its the right tool for the job right now. I talked about elections, 8800 election jurisdictions. Thats tens of thousands of critical stakeholders. We have to have a fundamentally different approach based on the same core competency. Developing these capabilities that are scalable. Train the trainer approaches. Get as many touches as possible but also recognizing that within the federal government , everyone has a role to play, and competition within inter agencies it does not help. And was here talk about the new Cyber Security director. Gives me another ally and capabilities that i do not have inherent that i can work with and and safe here are the things that we understand about risk. Help us protect this infrastructure, an essay doesnt understand fundamentally what the elements of the u. S. Banking system looks like thats not within their mission. We can help work with the treasury to define that capability, going back to that core competency ultimately we have the same outcomes in the mind, the same philosophical approach is just the execution that is a different. And thats a critical point to make. When i look at Ciaran Martin as a partner i have shamelessly copied many of his efforts over the last couple of years. I think that ncsc is one of the most effective communicators in the Cyber Security space. They have a no nonsense approach. I challenge my team every day saying be more like them , be more approachable, ultimately thats a good thing if we are all following the same model and we have a similar approach for the same thing goes with yigal unna. How can we talk about the same things together in a consistent way . Thank you. Very much in light of Critical Infrastructure which both of you have discussed, given the 90 of it is in the private sector. Can you cite a case that you are proud of between your two countries . Ways that you have partnered in helping secure infrastructure that we all rely on . Whether its the grid, the financial system, if you could share a case that would be helpful but i would make it more of a cross cutting example and that would be the alert that we sent out a year ago on russian targeting of the Network Infrastructure devices. That was a joint product between multiple agencies. In the first of its kind the first time we done a public alert on what russians were doing. And as defenders you need to be looking out for these indicators , you need to reset the devices. It was a really good example of how we are not focused on one infrastructure but that cross cutting infrastructure in a general i took these one sorry. Is a good example the thing that made that special i remember talking to one of my cyber defenders about the top end of the threat , they said 10 years ago this information wouldve been classified top secret an hour putting it on the internet to make it useful. It is shows the cultural challenges in the topsecret environment making things useful. In terms of the other answers to your question. The private sector deserves a lot of credit. I think if you look at the transatlantic financial center, and you look at the way that the regular models have big ten requirements the fact that frankly most of the major institutions will operate and have a initiative and a wall street but theres some really good examples. Its no coincidence that we are talking about one of the richest industries and most lucrative sectors in the world. Making sure that some of the economics are harder to incentivize, looking at those really cleverly. If we can move to the future, this is the 10th year that weve hosted this summit, i founded the company with my wonderful wife susan, shout out. Looking forward we have a lot of innovators , some of the greatest innovators in Cyber Security are here in this room. If you look around the room as the leader of cisa looking forward over the next year, what would you say your top three priorities are . Guard he talked about my operational priorities but it boils down to three things. Continuing to transform the agency. Went from a component that couldnt stand on its own 2 feet to really pushing it forward as an Operational Agency on par with the tsa. And ultimately the challenges achieving an fbi level of operational capability. Is pushing the Agency Forward to stand on its own 2 feet. And focusing on the things that we need to be doing. Stopped duplicating what other agencies are doing. Focus on our unique value. Was seen in understanding what our partners are really neat. What do they need us to do for them . And yes there is an excellent point that karen made earlier. Thought about committees and task forces. We have to be able to strike that balance of support and assistance, being willing and able to call out a lack of performance as we see it. The three priorities that i have set our lets get out into the public conscious consciousness. We are looking at how we get that message out there . Trying to get into the education system. Doing research that older people get information on Cyber Security and technology from teenagers. How do we get that when people are opening businesses. When using banks to get our Cyber Security. And making the impact with the general citizen. A paradigm shift , as all of these a legacy commissions, how do we build, and some of the things that we spoke about, its 100 and billiondollar global industry, graded capability how do you industrialize cyber trend and establish an ecosystem. Its a vicious circle that is plagued Internet Security for years. The three messages to the Cyber Security committee their like minded people its probably three things, stop scaring people it does not work. Fix stuff or where you cant. Making it easier to be safe. We made it more complicated. The theme this year is a call to action weve had more than 75 the speakers weve had them address various areas of Cyber Security, whether it is artificial intelligence, crowd security, supply chain. What would your call to action be for the audience today . When they leave and go back to their office what would you like to see. This is come from the Moonshot Initiative that has been explored. What would your call to action be . I will be slightly targeted here. What i find is a big things, from small things. When i say small things i dont mean small objectives. I think from focused engagement and efforts. Early this year at another conference across the country. I launched a concept it was really a brand for a bigger broader effort and its protect 2020. The concept is we have an election coming up in 2020. We know its going to be on the target list of adversaries. In every person in this room can do something to protect 2020 it boils down to preach, plan, anticipate. Preach it get out there and instead of scaring people about vulnerability its get out there and engage the Election Community with your expertise and help them get better. This is a preach park talking about the significance and the importance of security. Its understanding your role as a voter. What are the things youre going to do for yourself to ensure that you do not fall prey to the next disinformation campaign. Rereleased a product called the war on pineapple. Walk you through the steps of how the russians and 2016 weaponize the media. The is a very nonconfrontational medium of pineapple pizza. People either love it or hate it. It was that concept of divisive issues. The idea is to understand how your being manipulated. How your brain is being hacked, and when it comes to voting, do you know what happens when you get there. You can ask for provisional ballot. In the third piece of participate when you talk to Election Officials , and when you volunteer and your part of the election process, everyone is part of this process everyone has an ultimate objective as an american voter, something that we can all do. Spoke last year the general said that was his top party. You are keeping that is a top priority . Critical to the countrys democracy what would your call to action be . Is not something to give an answer to chris was targeted so ill be vague. Scaring stuff and making things easier. It was the way we used to do Cyber Security we talked around the turn of the decade government it systems are weak and unsupported we talked about how Cyber Security is extremely difficult challenge for governments we were briefed and i was given advice. Can follow security procedures and so forth. He said in the self depreciating way that im too stupid to do this. This politician is one of the most distinguished lawyers in the country. One of the highest rankings of a british lawyer. He is not a stupid man. We give them that advice on behalf of the government and he cannot use it safely. That is everything that is wrong with how we do Cyber Security. Take that story and think about it. Think about all the people that really matter. The people who do important things , whether as commercial transactions, government strategy, journalism, academic. Whatever theyre doing. Theyre doing really important work that the adversary is interested in but theyre not think about Cyber Security because thats not their primary goal. How do we make it easier for them in the organizations that they work and to be sensible and safe. And when the adversary does work hard as they will. We bring the capabilities of a national Security Agency to look after the really bad stuff. Lets raise the bar. But thats a positive way to end the conference. I want to say that the u. S. And uk relationship is alive and well, and vibrant. Thank you for leading your organization. This is not an easy problem that we are addressing. This is the 10th year, and the 10 years that ive covered this, it has moved from an issue in the it room all the way up to the board room and up above that concludes the conference , that being said we have several announcements to make. And i like to make them now if you could remain seated please. Lets give them a warm round of applause. I would like to give a couple of awards to conclude the event. Thank you to each of you for being here today. Its been a true honor and i want to thank you yigal unna for coming from israel to be with us and to bring your israel a delegation its been terrific to have you. Thank you to Ciaran Martin for coming from the united kingdom. And bringing 2030 organizations to be here with us. Thank you to canada who has brought a number of their companies and thank you to everyone here. With that being said each year we give a Cyber SecurityLeadership Award, hopefully that is slide will come up that will list some of the prior winners of the award. We are very honored that the president of estonia was awarded the first award. And you can see gen. Hayden, michael daniel, its my great honor to award for the 18th year the Cyber SecurityLeadership Award to a great friend and patriot Christopher Krebs. Thank you. We appreciate it last year we also gave the international Leadership Award to a person that they know well david the Cyber Security commissioner for singapore. It was a very snowy day and we were delighted that people were able to come out on that a snowy day to be there and honor david. This year we are honored to give our Leadership Award to Ciaran Martin. Thank you so much for being here. We appreciate it very much. And its my honor to recognize a great patriot, general Michael Hayden the former director of the cia and nsa who served our country with great distinction. We will be honoring you with our first Lifetime Achievement award. Its my great pleasure to introduce to you general Michael Hayden. It is our honor to have you serve, thank you for serving so valiantly for all of us. Thank you sir. Its great to see you. Thank you. This is only a minute. I am delighted to be back. Its been a long time, and i still have lots of problems doing things. But everythings going all right. Thank you very much. And thank you for everything you do. Thank you again. Let me also recognize and thank janine has wonderful wife, thank you for being here. And its a great honor to have user. That concludes our summit and i want to thank each of you for being here for this conference. I want to thank all of our sponsors who made this event possible. And i recognize them. Its really their support that has allowed this to happen. And we thpeakers who have come from across the world to be with us and if you want some continuing education credit, you can go back to the Registration Desk or the registrar. With that being said , i want to thank everyone for coming and give a shout out to one of my oldest long time mentors, ted eagles. Who was my high school teacher, and a great friend. With that being said. Thank you very much for coming, godspeed, we look forward to seeing you next year. Thank you. Ican artifacts, the Norman RockwellMuseum Traveling Exhibit on fdr and the four freedoms. Explore our nations past on American History tv. Every weekend on cspan 3. Next, Senate Oversight hearing withth