Interview of the new acting director of CISA, the Department of Homeland Security's key cyber official, Brandon Wales. I'll be back at the end of the day for the summit's final session, a conversation with three of the top cybersecurity voices on Capitol Hill: Senator Mark Warner, Representative Will Hurd and Representative Lauren Underwood. I would also strongly encourage you today, take a look at our new report released yesterday by the Aspen Cybersecurity Group that laid out a national cyber agenda for the Biden administration and the 117th Congress. It outlines actionable steps, the art of the possible, as we call it in the cyber group. And help build a more secure foundation for the internet and our digital economy. A full report is available at aspencybersummit.org. And many of the key voices that went into writing that report you've heard from at the summit already and today. I'm pleased to introduce my friend from NPR who will be speaking with FBI Deputy Assistant Director Tonya Hubert, J&J officer and Eli Lilly chief information officer. Welcome. Over to you.

Thanks very much, John. It's nice to see you, even virtually. So, today, you have everyone's bio. So, I don't think I need to reintroduce our panel. But what they're going to offer us, I think, is a way to look at the year, and back at the year in a context of cyber and health care. And give us a little bit different way to look at the latest efforts to get the vaccine out to the public. We actually have some news on this, by the way, we'll get to that a little later. Basically, the New York Times reported that cyber attacks related to cold storage of the vaccine have been going on since August. It's unclear whether this is about ransomware or something more sinister. We'll get to that in a minute. What I thought we'd do is divide the discussion basically into three parts. We're going to look at the broader issue of cyber threats and attacks of the health care sector as we wrestle through a pandemic.
We're going to look at the security and protection of intellectual property related to the vaccine. And then finally, as related to today's news about hacking the cold chain, we'll talk about the security, protection and defense of the supply chain for the vaccine. So, what I'd like to do, oh, if you have questions, I'll try and field those as we go along. And we may have time for questions at the end as well. There's a Q and A function, I think, the team at Aspen will explain how you guys need to put those questions in. And with that, I just wanted to start maybe with Meredith. I thought I would start with you, as the CISO at Eli Lilly, having to deal with all that we're dealing with in a laboratory setting with laboratory people either having to be in pods or working remotely. Are you dealing with more attack surfaces because people aren't all over the same building, they're spread out?

The answer is yes. We do have an unique footprint as relates to our service because we made a decision around the pandemic around the March 8th time frame to send all of our team globally home to work. There are individuals that need to touch specific equipment in our labs and places like that, so we put some measures in place to be able to protect their safety while they were actually interacting with that specific lab equipment that we couldn't pick up and take to someone's home. So, we did have an opportunity to still have a small portion of our team still going into our physical location. But it was far and few between. Over 16,000, 17,000 of our team members deciding to work from home, based off of the concerns about their health and safety. So, yeah, the attack surface now has incrementally grown over that period of time. And we continuously as an organization ensure when our team members are at home working they're still putting those security principles in practice. Even if they're sitting in their own home offices. I think sometimes we can get a little lax when we're at home.
And we don't always think the same way when we're in our physical work location. But I think we've done a really good job of rolling out a robust education awareness program of how to protect those secure space within your home environment. Yes, we've seen an increase in that and attacks as well because the pandemic.

So it goes beyond just don't double click on that weird phishing email. It may have to do with authentication of routers, is that what you're talking about?

All of that, yes. We put together a packet with our team members to say now that you're in your home environments, here's the technical controls you need to have to operate and carry out the business of Lilly. We have a VPN, we need to access the data that you need in order to perform your role, without you putting that information on your local device and things of that nature. So, we gave them a toolkit to follow. Saying here's the questions you may be asking. Here's our recommendations for how to deal with that, then we work with those things together to make sure we're not seeing increased exposure. One of the other things that we talked about, initially, I can say, we didn't really think through, I think at the beginning, was around the idea of printing. So, we get so comfortable printing in our physical locations at work. But now, you're starting to put things that may be confidential at home. So, how do you support those printouts? How do you destroy them appropriately? We tried to pick it up on what a home worker would need to know to make sure they make themselves and their devices and data and places they visit are protected.

So, you were sending out shredders and safes?

We didn't do that. We did give opportunity to say if you have a home shredder, here's the one we recommend if you do that. One of the other things that I recommend that I really appreciate our leadership going down this road.
We knew that people now working in these home environments and from ergonomics, from a security perspective, we gave each member of the team to say I need to outfit my workplace differently now working 100% from home. If that meant you needed to get a recommended shredder so you could destroy documentation appropriately. If you needed to get even a new chair so you can get functionally careful as you're working every day. There was an allowance offered to every team member who needed to make adjustments. We offered the recommendations. We gave them options and said here's what you can pick from. And then you chose what you can bring to your work space to make it comfortable.

NPR gave us chairs so that's clearly on this. So are your concerns, I'll get to the other panelists as well, have your concerns changed since March? I mean, have you seen things, when we think about ransomware or phishing attacks, are you seeing things, is this progressing or evolving?

What we're seeing, I know Marene and I had this conversation before. Some of the activity, most of the activity that we see is standard for us. This is typically what we see in our environment in terms of exposure, attacks, interest in our organization. Those things are happening every day. And that's no different. What I have found, though, the use of social engineering, to be able to get a foothold in an organization by way of provencal scaling and things of that nature, I think we've seen more of those attacks and they've become a little more sophisticated than we probably have seen in the past. But that doesn't mean that the volume in terms of what we're seeing is shocking to us. It's common at this stage of the game. But I think there is this turn-up on the sophistication of it all. And if we're not training our team members appropriately to look for those indications of whether if something doesn't look quite right from the message, we can find ourselves in a world of hurt.
We try to focus a lot on our training of team members at this time. And specifically as it relates to the individuals working in the development and research space. Because we know that they will be a target. They're the ones who are actually working on our response to COVID. So, from that perspective, we tried to use training education to thwart those attacks.

Do you think some of the social engineering is working better now because people are lonely and by themselves in their house?

I don't know if it's the loneliness. I don't know if that's what makes them susceptible to it. I know I've done it myself, I feel like I'm working more now that I'm at home.

Right.

Being able to shut off and disconnect is harder now because I'm sitting here in my office and I get a chance to get things done. I think because we're moving fast. We're moving to really tick those things off of our list, sometimes, we can move a little too quick. And then we click and open or expose our organization that way. I don't know if it's the loneliness, but I do believe we're moving quicker probably in some instance that creates problems for us.

Maybe journalists just get lonely. Marene, let me move to you. One of the things we know from public reports is there was a hack. A number of different medical or health care companies including Johnson & Johnson with North Korea. Those complaints came earlier this month. And they were trying to steal allegedly sensitive COVID information from Johnson & Johnson and others. Can you walk us through what that kind of experience is like?

First of all, Dina, thank you very much for the question. But I would say, what is called an attempted hack is not a hack.

Fair enough.

Clearly, it was a cybersecurity organization and they're clearly different items. Health care companies literally have seen an onslaught since March 2010. That is the day that the Chinese actually started a hard knock of most of the health care in the United States.
And there was a lot of talk at the time, those who knew that they had seen attacks or had seen that stand by a nation state. And those who hadn't. And there was a great outreach and a great calling out, working with groups like the FBI and Homeland Security, on what was this all about. Why discussions, discussions in health care, of what was needed in a space to secure us. Meredith and I and all CISOs in health care are seeing attempted penetrations by nation state actors, not just North Korea. Every single minute of every single day. We have four primary threats that I try to categorize in health care. And one of, just one of them is nation states. The other is a criminal element, looking for anything that they can monetize. We have something called hacktivists, people who are trying to either through social media or attempt to sway pharma companies about what the prices should be as well as a threat. And with the vaccine and with development and therapeutics, what we've seen is we're now on a grander stage, where people, oh, wait a minute, there's a company that I should actually be looking at. Hey, what can I do there? So, we've seen that rise. Now, what we don't know, and I see, you know, many different attempts at consortium, now where it's just code. It's just a binary that somebody's going to try to put in my network. They're going to use things like email and links to social media to get someone in my company to click on it. And bring it into my house. Just muddy boots coming in the door. And in the health care industry, we have the health act with the Department of Homeland Security working with CISA. We work together and we have this code. I don't have the resources to know where it came from, and where it's been hacked from. And working with our federal agencies, working with our government agencies and others, we provide that information which then tells us, wait a minute, that's code that came from North Korea.
Now, the warnings are going out. Now, much of the large pharma companies have the skills and cybersecurity organization to be able to detect this malicious-like code and protect against it. Unfortunately, not everyone has that in the industry.

And working any indication that there's like a focus on trying to get something COVID related because everybody wants it now? Is there a bigger appetite for it?

Well, there's only going to be so many people who can get information and turn it into a vaccine. Then, we're going to have the group of people who just decide that, well, I don't want the world to have a vaccine. So, there's not really much of a difference. So, we have the protection capabilities that we've built. You know, in this instance, looking at the vaccine production. And you got to remember, J&J has a plan in Wuhan, China. We were able to see what was happening all along. We saw with the virus about a 30% uptick in what I will call hacktivist or criminal-type activity trying to monetize anything they could. I guess when people were out of work, they decided to be hackers on the side and coming in and see what they could monetize. Again, large companies, well-secured companies have the defenses against that. And are able to defend very easily. But again, in general, about a 30% uptick. That was specific. I'll be honest with you, most of it didn't, wasn't going for virus, you know, it could be hard to tell because people will try to come in on one side to laterally move across the company.

Sure.

And then if there's ability to detect it is what helped us. Now, much like Meredith, we took a concerted effort, anyone who was working on vaccine production. Anybody who was going to be working on intellectual property, what were all of those systems, to lock them down, provide minimum necessary access. Those are just terms that we use in the security industry to say, protect it. And then we did that and as Meredith talked about, the social media.
About the June time frame, we saw one of the other companies really have some issues with social media which we talked about at the H.I. board meeting. One of the things that happened when we put that out, we all started to see some of that. So, we informed our people to be aware of it. If you know, shut off social media. Don't go in and click on anything that is linked, and gave people guidelines to make sure they were secure.

And do you have a little cybersecurity moat around COVID stuff or is that everything?

No no, we're in talking mode, that's what we do. We create moats. And a moat sounds like we closed ourselves off. Well, what reality did is we provide the ability for the business to operate in an insecure environment, given the right controls and the right risk.

Gotcha.

I think Marene, that was excellent in terms of the examples that you show. One of the things we also found on our end is that our third parties that we partner with in order for us to carry out the mission here at Lilly, we do see an increase in terms of third parties being attacked or victims of ransomware and things of that nature. Of course, the third parties critical in the research arm what we do, when they start getting attacked it becomes a problem for Lilly, to make sure our chain is protected and that we're continuously able to deliver those lifesaving medicine. We did see an increase in that. Probably this year, we've done way more incidents around our third parties than we've seen in the last couple of years.

Right. The really big hacks, they generally are through an HVAC system or something like that. That's why I asked you about routers. Tonya, I don't forget that you're here. I wanted to bring you in. Nice to see you. I wanted to bring you in and talk a little bit about the security components of Operation Warp Speed. And Eli Lilly and Johnson & Johnson are among the players in that. I don't think we know what the cybersecurity side of Operation Warp Speed looks like.
Can you give us an idea how that works in practice?

Sure. Well, I can speak a little bit to the unique role that the FBI plays as part of that. But as you alluded to, there's a lot of different players both across the federal government and the industry and health care sector as well. I think that's what has made it so strong. I think from the FBI's perspective, we have the advantage and unique role of being both a domestic law enforcement agency. And what we attempted to do with the supply chain through the threats is to use our role having access to classified intelligence to understand what adversary plans and intentions are. So, see the threats as they're forming. To use our broad domestic presence with our 56 field offices, hundreds of other satellite agencies, we're really embedded in communities and we have enduring partnerships with research institutions, companies, et cetera. Where we can have that information downgraded, which effectively means at a level that we can share it, ideally, before something occurs. Then as an operational agency, we can actually act on what we see. And that's where the type of direct engagement with these organizations is so important. Just like Marene described, when one organization, like a university or a company, sees this type of threatening cyber activity they can use not only to investigate it, but also to share that information with the intelligence community. With network defenders. Share it across and help everyone strengthen their networks. So it's really most effective when it's operating at all of those different levels.

Right. And in this kind of environment, are you getting more back and forth than you were in the past? I think there were sometimes when companies were a little more reticent to let DHS or FBI know they have been compromised?

We have been extremely proactive in our outreach. That's been a maturation in the federal government, especially in the past few years.
Some of that was in response to well-deserved feedback that we would receive from the private sector, not really appreciating having multiple federal agencies knocking at their door for sharing the same type of threat information with them. Increasingly, that's a partnership and been amplified by Warp Speed as early as March. When we were starting to see the indications not only of cybercriminals but also of nation states targeting COVID research. We very quickly formed up with CISA and the department of Human Services on a couple different fronts. One, to warn those who were being directly targeted. And then, two, to do some research and expand that circle out to see, okay, if we know that these types of entities are being targeted, who's likely next? And try to get out and warn and get ahead of that threat. And thirdly, we did something kind of unusual for us in May, which is that with CISA, we issued a public service announcement, particularly about the Chinese cyber actors targeting COVID research. And that was for two main purposes: one, to warn. But, two, to also alert China we have visibility and an understanding what they were doing. And to let them know there would be some risk and consequences for them for that type of activity. I think by virtue of that sustained engagement, we are seeing a great collaboration back with the health care sector. Even on issues that aren't specifically related to COVID research. For example, the recent credible threat that we warned of with ransomware against hospitals and other health care providers. We got tremendous feedback from the health care sector organizations like the American Hospital Association. In response to that, because, again, with HHS, we very quickly put out those indicators to watch for. We had, you know, video calls and ways of engaging directly with CISOs who might be affected to let them know that we were taking them seriously as a result advising them that they do, too.
And then keeping up with that contact because we know that's a real resource drain what we're advising of a threat like that, and it requires a shift in resource and that's only sustainable for so long. And then the continued communication is important so we can keep them updated on what we're seeing.

One of the strategies that's been used in the past by DOJ and FBI is to actually bring charges against people. I'm thinking of the PLA hackers who had charges against. Did the PSA as long as it did had a knock-on effect. Did the PSA, putting out the public service announcement, did that have a knock-on effect?

So there are many tools being used not only by the FBI but across the federal government and private sector groups, too, when we're doing efforts like that. So, there's the PSA. But that was also followed by an indictment shortly thereafter that did identify some Chinese cyber actors responsible for targeting COVID research. But increasingly, this is part of our new FBI cyber strategy that Director Wray just announced a few months ago. It's not so much about an indictment. That's one means to an end. But because of the unique lull in authorities and partnerships that I just described that the FBI has, we want to make sure we're sharing the relationships and information with our partners in the federal government, overseas, in the private sector, to do whatever steps we can. Whether that's an FBI action. Treasury sanctions, publicly outing. Some more COVID action that you might not see. And to do that, in a joint, coordinated way to have the maximum impact. Because for too long, we think these adversaries have contacac with what they think is impunity and we want to change that risk calculus for them.

Got it. So, let me talk about intellectual property and how difficult I think it is to be a health care company trying to do open and cooperative research and the need to protect IP against hackers. Meredith, what are you guys doing in that respect?
One of the things is making sure we know where all of our IPs sit. We have vast networks and we have vast areas where we can store and house those. As relates to the research, though, as we're dealing with collaboration that we might have with external research, we're also ensuring that we're helping to assess the security posture of those organizations as well. Because, again, they're participating and collaborating with us, as it relates to that specifically research which is going to start to create IP from there. But we do have controls, not that we will get into that, we do have controls wrapped around those repositories, to make sure exposure to data, we know how to monitor that on our end.

Marene, did you have something to add to that?

No, just the other tactics that we talked about before. Education with your workforce, what they're dealing with. Once you're handling something for such a long period of time you lose sight. At the end of the day, we have a credo of the importance of the data of what it is to health care and health care and humanity. Meredith had hit it on it really well, no one company creates a vaccine for a drug by itself. There are multiple third parties, legal entities. Patent filing, patent offices, as well as your manufacturer. And your distribution. That you're going through. So, you are continually looking at those third parties. The one thing on the road to the COVID vaccine did show my organization in a very, very quick period of time is look at the data flow. When you look at the data flow for intellectual property for something specific like a vaccine production, we learned a lot. And looking at helping in the business in other ways that we wouldn't have known that existed if we hadn't done this during the short period of time. It also helped us, we worked with the FBI and special agent Tammy Mattu out of the New York office who came and talked to all of the property attorneys, regulatory attorneys, to talk about the threat.
And so that education in using our government entities to be able to help us in this space was tremendous resources for people to understand how important this intellectual property is and how to protect it.

So, an example of protection, I'm just guessing here, is data at rest being encrypted?

Yeah, that's one. But I mean, it's everything. You talk about data at rest. People think about databases and big networks. But I need to look at the data on my computer. You know, is that encrypted? I need to send it to Tonya. Has that been encrypted? What do you do? So there's a lot of elements on how things are in making sure you have the appropriate repository and ability to steel pipe and encrypt that data from its beginning, all the way until its end.

Got it. Okay. So, what I thought I'd do is save the news for last, which is very unjournalistic of me. For those of you who may not have seen it, I'll just bring you quickly up to date. There was an article in the New York Times that reports on cyber attacks on vaccine distribution operation, which seamlessly goes to the next subject. The supply chain. So CISA said it was encrypted and basically these were officials focused on cold chain, which is basically the refrigeration process necessary to protect some of these vaccines. So, let me ask you this question, in terms of fill and finish and supply chain, Meredith, what's the thing that worries you most about the vulnerabilities in distribution?

I think that sometimes there's not an awareness by those organizations that provide critical part of our value chain and our development cycle. They may not have the same level of concern around security of their areas as I say we may. Because when you think about it, I'm not really delivering IP. I'm offering cold storage. I'm not concerned about that, I'm just housing something, right?
I think that's my biggest concern, is them being aware that they are targets when they are partnering with us and providing that service to us to be able to get the vaccines to where they need to be. So, that would be my one biggest concern. Just not an awareness fully of the fact that they are a target. And in some instance may not have the same level of controls that we have, some the larger organization. Because they may be a smaller organization. They may not have that. That exposure is real.

As a general matter, I would assume if you have therapeutics or you have a regular flu vaccine, you haven't had to think quite so much about getting it from A to B.

Correct.

Because there's a vaccine at least in the fine you are tranche of a hotter commodity?

Right. As we look at the hackers and what the bad guys are doing as relates to that, I think it's twofold. One is pure disruption. I want to disrupt the flow or cycle. Some may have a difference, a take on that, where they may want to damage or expose those vaccines. So once they are delivered to the patient, they will not be used, the efficacy is not on there, but it goes to the patient. I think we have multiple intent behind why there's an interest in the whole cold chain or any other supportive we have our of chain.

Marene, are you guys looking at this in a different way because it's COVID in terms of supply chain?

No, we have a robust supply chain and a business continuity plan around that. I'm happy to say that J&J doesn't have the extreme temperature requirements that some the other vaccines do. For us, it really, not that it's not a big deal, but what I would tell you is the overall security of getting the vaccine from the point of being a vaxxer into someone's arm. Twice in some cases.

The J&J vaccine, it's only one. I was giving you a plug there.

Thank you.
But what I told one of my good friends that's a CSO at one of the companies that's going to help Operation Warp Speed to make sure the vaccines are given out and also in pharmaceutical retail. What I told her is this, because I had come from Medco, which is a pharmacy benefit company, and we did mail order delivery of drugs. Treat the vaccine like it's a C2 drug. All C2 drugs in the United States have a follow from the very beginning to when it's dispensed, have to have like a signoff. There's security requirements around it. It's a long requirement for storing it. All of those things should be replicated for the vaccine. And I actually talked to the general in charge of the security for Operation Warp Speed. It's don't try to reinvent the wheel. Use what you already have. It's a great practice. 50 boards of pharmacy across the United States that will all approve what to do for C2, just use it.

Sorry, Marene, for those of us in the health care industry can you explain what a C2 drug is?

So, a C2 would be something like codeine or morphine, something that's highly addictive or controlled. It's called a controlled substance. So, with those controlled substances there's a whole chain of how they must be againsted. And even organizations like UPS or FedEx, when they have those types of drug in their purview or their ownership delivered. They have protocols already set up.

When you say talking to the general in charge, you're talking General Perna?

No, I don't know if Matt wants me to give his name.

Okay.

The pharmaceutical industry itself, you know, the requiring the extreme temperature or the sensitivity, how the drug must be dispensed is not something new. It doesn't, the protocols in health care are already there. Just utilize them. Capitalize on them and modify as necessary for this instance. I don't have any visibility to what was done or what's goes on in that area. But that was my recommendation.
So, does that mean that you feel pretty, I don't want to go all the way to the word relaxed, but you don't have huge concerns with respect to the distribution of the vaccines?

No, no, I don't. I have full confidence in what the boards of pharmacy and the health care organizations in the United States have already created. And leveraging what was already there. And I was in that industry for over ten years. And being able to ship. And we had a large amount of C2 drugs in that other company I worked with. A tractor trailer load of drugs went out every day from a warehouse to a distribution center. And all of the protocols, you know, GPS, tracking, working with state police. Monitoring, all of those things are already and have been in place. And utilizing those and leveraging them will make the job easier. Is there an opportunity to provide better communication, better visibility with today's digital technology? Absolutely. But it is, you know, I have a lot of confidence in the U.S. health care system which has already been put in place.

So, this idea, sorry to keep harping on this, but I think that the average person thinks that this whole distribution, all we've been hearing is how this distribution is going to be the most enormous and complicated and bound to fail, or bound to have problems. You don't think it's as crazy, it's as complicated as people are saying, that we've done this in sort of different levels in the past?

Oh, don't get me wrong about the distribution of controlled substances or substances that require low temperature efficacy isn't complicated. It's extremely complicated. It's a problem the U.S. health care industry has already solved.

Okay.

And can leverage those learnings to be able to do, to make, to make this done in a secure manner.

Will there be people, have there been people who tried to steal C2 drugs in shipment before?

Absolutely. Will there likely be some type of attempts? Maybe. But then the question is what do you accomplish?

Right. Right.
And thank you. And, Tonya, let me get you in here as law enforcement. What are you guys gearing up for, when it comes in terms of distribution of a vaccine?

Well, from a cyber perspective, you know, there's obviously a number of motivations for some of these actors who were trying to disrupt the supply chain. Or our biggest concern would be any sort of destructive attack that would really try to throw a wrench into that chain. And Meredith made a great point about the third parties. We've certainly seen our cyber adversaries move to targeting of those third parties in order to try to then move into the targets that they're trying to reach. But the motivations go beyond that type of destructive, or disruptive attack. It could be trying to steal the intellectual properties. For financial purposes. It could be to undermine confidence in the U.S. efforts to provide an effective vaccine. Or to advantage another country's own development. Or it could be, you know, a number of other purposes. But I think the other thing we try to keep in mind is that, you know, while this discussion is focused on some of the cyber-related threats, we see our most determined nation state adversaries not just relying on one method to target the supply chain. But to combine cyber with using kind of more traditional espionage and human sources to try to penetrate organizations. And even through diplomatic means to try to make entreaties and create relationships that might put them in a better position to disrupt or influence or steal information. So, it's really our focus is looking across all of those, combining the efforts of our cyber and counterintelligence programs to make sure we're looking across rather than just one type of attack vector.

Is there something in particular that worries you about this next phase of the vaccine?

I think the complexity of it, potentially, but honestly, hearing from Meredith and Marene, they're hearing about it. As I said, this is work they do all the time.
They have the full support, obviously, the entities from the federal government who are focused on protecting this research, so that gives me confidence.

Well, we've come to the end of our time. I tried to slip in some of the questions I saw in the Q and A channel. I want to thank you three so much for talking about all of this. I was quite concerned about the whole cyber aspect of this and the distribution aspect. It's fascinating to know how you thought this through and the building blocks there already. For those of you who are going to stay for the next session, please stay tuned. We're going to be right back with the next session about emerging technologies in tech with some fascinating people, some of my favorite people in this particular arena. And I thank you so much for being with us today for this session.

Today, the Aspen Institute is hosting a discussion on cybersecurity. Beginning at 1:30 Eastern, we'll hear from the acting director of Infrastructure Agency Brandon Wales. 2:00 p.m. Eastern, Virginia Democratic senator Mark Warner, and Democratic representative Lauren Underwood. And Republican congressman Will Hurd of Texas will talk about the progress that Capitol Hill has made investigating cybersecurity threats. Watch live coverage on C-SPAN3.

Jamie Raskin is with us, the congressman sitting on the committee. Congressman, welcome to Journal this morning.

Good morning.

We started the program asking viewers about the president's remarks last night on Facebook. I don't know if you've had a chance to see any of that. Any reaction to that?

You're talking about the 45-minute diatribe rant about the election?

Yes.

Well, look, the president has painted himself into a corner here. Theres