We will now have our first general session which we will look at the big pick hour of the cyber lens. The first general session is on the state of the evolving cyber threat. Moderating this panel will be rob knowland and for discussion we welcome to the stage ep matthews, deputy cio, cia. Dave, dod, anthony greco, Senior Vice President , chief Information Security officer cisco. Tan richard, chief cyber policy adviser cia. Everyone please join me in a please in welcoming [applause] all right, thank you, everybody for your time today, appreciate it. Just to confuse you we all sat in a slightly different order and now you have to guess who is talking. We will get right into it. First thing first, i will ask a question of everyone in the panel and we will start withtive, i want to get your takes on world events and the impact they are having inside the digital world. You know, dave, lets start with you, china increasing edging towards taiwan and emerging as a worthy economic competitor, in terms of the way they are doing business but innovation and the pacing challenge that we are facing k. You talk a little bit about some of their recent Cyber Operations targeting our make and policy leaders, how does robust china change the threat equation . Thank you, thanks everybody for being here today. First of all, i want to challenge the idea that theyre innovative. I think what weve got going on is espionage and stealing our thoughts. [applause] [laughter] our good partners are losing tatta to them. Im not saying they are not sophisticated in their cyberattacks because they very much are and they can to it at volume but weve to to a better job at cybersecurity Going Forward. I think one of the lessons that we have the learn is they have a lot of people and so we are going to have to automate a lot more, taking advantage of ai and ml and some of the true innovations that our Industry Partners have developed in the United States of america to combat these things at scale. We will not do human to human and we have to have automation and we depend on Industry Partners to deliver that for us and they to that every day and we are seeing that and we are thankful as we move toward zero trust within our own environments, prioritizing with our Industry Partners and other partners throughout the world, other allies throughout the world that we need to take advantage of our technology and our ri, ml and zero trust technologies. Over to you, dan, maybe we can shift to different part of the world when we talk about ukraine for a second. What are some of the lesson that is we are learning as this is unfolding from a cyber threat perspective . Yeah, thank you very much, and thank you to everybody for coming to participate in this. I think there are sort of two lessons that we have seen in the ukrainerussia war in terms of russias disruptive cyber activity. One, on the military side while its true their cyber forces did on tribute to the initial invasion the impact that they had, i think, was nominal from the Bigger Picture perspective. I think analysts will spend a lot of time trying to decipher that was the case and they thought the invasion would be rapid and successful, whether their cyber actors were not involved in the actual invasion planning or whether the ukrainians were just very adapt being able to adapt to what those actions are. What was clear, however, is once the war got started, the pace of military activity made it difficult for cyber actors to keep up with that sort of military pay especially when you have kinetic options that are available and i think thats observations on the military side and i think more importantly and this complements what you just said about china, the impact private industry had in helping ukraine in their resilience efforts. And i think as we look to possible conflicts that we may be involved in, that partnership is just invaluable and thats really what we need to build to make sure that we are able to respond to something that possibly threatens the United States. If you want to weigh sure. So i think just general observations right, unclassified level. I think the first thing we saw is that russia attacked networks and infrastructure. Number two, inch everyone was a collector which is different from 20 years ago and i think number 3 it is not just russia and ukraine but on the ukrainian side they are using google. 30 countries involved. To use that and extrapolate that on what a crisis with china would look like is russia attacked networks and infrastructure, you can make the assumption that china would attack networks and infrastructure. How do we build and design resilient and redundant networks. Number two, if you have multiple countries, how do i set up my infrastructure that i can share data in a secure and in a meaningful manner, right, how to i get up standards and how to i know my dada is protected and tatta governance, how do i do that and then number 3, i used infrastructure, i 5 is, nato and traditional and nontraditional partners. The totality of all this is Lessons Learned that we see in russia that, the russia and ukraine conflict that we can extrapolate. I think when you look at especially if you take ukraine as a specific example, theres a couple of observations that are super important. We think a lot of the traditional kinetic married with cyber as part of russian invasion. We started tenning back with ukraine especially with privatesect reurgeses. You know, it takes years to build the level of trust that is necessary to deal with, advanced actors coming at you in a war setting, period. And you look at what we did in many other privatesector companies, we are there for six, seven and eight years before the invasion partnering, building relationships, helping both sides understand what does good look like and thats the fundamental that most people dont think about but it is a critical component to defending well. I think the second thing is the biostore action. A lot of the cyber defenses particularly happening in ukraine, i would say theres an efficient to it thats nice. Theres very little wasted motion on things that really dont move the needle from a cybersecurity perspective and so using that those lessons and thinking about how we prioritize the most important and impactful things from a cybersecurity Going Forward i think is an important lesson as well. I think its important what cisco and nod put out intelligence on the russians tactics, procedures prior to the war kicking off. Many of you were probably involved with that. We even had calls with u. S. Companies that had a presence in countries across that region warning them of the tactics, techniques and procedures. I think thats important. Recently with the chinese also sharing their living off the land tactics and procedures its important for us all to Work Together to share intelligence so that we can react and know what adversary we are up against and what their techniques are. You know, the trust thing i think is important. We cant build the coalitions immediately. They have to be in place. Vp, what are some of the things that you have send or worrisome trends that you guys are thinking about, maybe give thoughts to the audience on . I think i will give it in three parts, right, so looking at the audience, you have people from the federal government here. It budgets is an area where people tend to take a risk on, right . If you take risk on refresh, networks, infrastructure, right, or you will see you taking risks, you cant skip steps, right, you cannot skip steps. The vendors will not led you skip steps. [laughter] you have to to all that work whenever you styed not to take the risk and typically the risk is manifested in some kind of exploit. Number one for positions in authority that control budgets, is additive. For vender partners who the federal government had dependency on, security or supply chain, and that includes both hardware and software. We see it where fraudulent hardware has showed up and weve seen those kinds of tactics and playbooks but thats not limited to just hardware, right, even in software especially in the open source, you adapt components of Opensource Software where you do not know and are not of the on where those things are coming from, you could be adopting capability that carbate vice or foreign adversary that could be embedded as part of larger software and its on your Production Network only to be exploited at a later point so i would be careful with that. I think the third as mentioned earlier in totality, both the a testimonyic and the vender community is that information sharing, what has changed so much today is that the speed, the speed of which vulnerabilities are being able to be exploited, right, malwares being created as a result of ais is exponential, you get the email from Family Member in nigeria, hey, you send me your credit card, send me a thousand dollars, 50 million available for you or something to that effect. Im sure someone has gotten or someone in the room have gotten it one way or another. Broken english and sent to mass email. Today you can now create customized email that is sent at mass scale based on your pattern of life that look very authentic, right, so these three things. Generative ai is definitely changing how we are going to function in the future but the landscape. Thats a big part of it. Tive, i was wondering if you could weigh in on cloud. So ep talked on clouds in use for federal federal Government Agencies and realizing a lot of benefits from those and the cyber model has today to the adjust when you talk about cloud, can you share thoughts on cloud use . I would love to. We have been heavily adopting cloud. Cloud computing contract earlier this year and we are driving people to adopt the cloud at the unlass and top secrete level. We have found several instances on the uncloud side where errors in the management side of different venders have lead to ip addresses being expose today the public for a period of time and, of course, the bad guys dont wait. They are constantly scanning the networks looking for a door that they can go in and we lost tatta as a result of that. We had to look at the governance process there along with the Cloud Service providers, how can we help you defend your loud that you built for us and jwcc clouds are custom built clouds so they are not the traditional commercial clouds but they are visible from the internet. They are attackable from the internet. We have partnered with them to understand better how to help defend. One of the things that we looked at initially, maybe we can use our tools to scan where your management network, we have agreement, we are starting to do that, jf will get full report of protocols that are open and vulnerable and work directly with the Cloud Service provider to get those rectified. So thats one innovative thing that we are i think to. Another thing that we are doing is we are trying to get the zero trust by 2027 and so weve developed a strategy for that and an Implementation Plan and 91 characteristics that you have to implement to get to a target of zero trust. We have been working with those same Cloud Service provide irs for them to build Us Integrated zerotrust solutions that we can readily consume. We are not good at integrating the products that we have today. We have a lot of products that do one thing or another but getting them all the work well together has not been our forte so we are challenging providers to build integrated zerotrust environment that we can move into and be protected. Those are some of the good news stories. Can i add another component, if the integration doesnt take place, think in terms of a crisis with china and think of the countries that will be involved if the crisis with china will take place. If those countries dont have the same cloud providers, right, the ability to share data becomes challenging. I think the second aspect that i would also add that cloud for us, so a few years we were cloud first and cloud only, right, our goal was to move everything to the cloud and we are seeing the different between fighting in iraq and afghanistan versus russia and china when youre fighting versus iraq and afghanistan you can you can do things in a centralized manner, right, it can be centralized and cost efficient and what we see against russia and china to be better to bety centralized. Moving from costeffective manner, costefficient manner. Two different outcomes of design. When i think what about we see our Global Customer fingerprint, theres no move everything to the cloud. Everybody is in this hybrid world. Usually with multiple clouds and multiple private data infrastructures and so i think that puts especially large stress on administrators and people who are responsible for architecting and defending and they have to learn a whole bunch of nuances and how do they provide Effective Security and continue to defend internally. So i think hybrid is here and its forever and really focusing on how we simplify those paradigms such that defense is easier i think is really important. I think the other thing too that we dont often talk about but i think is important in this cloud transition, we have to teacher Application Developers to really live in the cloud world. Youre out a lot closer to the edge. There are a fewer people that protect you when youre out in the public cloud touching internet directly whereas many grew up in world operated in private data centers and theres a mentality shift that has to happen that we have seen manifest in real threats to customers and applications and data. I think thats to me one of the biggest shift that is we see from a threat perspective, the newness is still working its way through the system. Education on the differences, getting people trained and making sure they understand benefits theyll get from it and what they need to consider from the modern threat world. Dan, i want to jump over to you. We talked about publicprivate partnership. For those in the audience, you know, can you help us understand what you think about when you think about the public side of a Cybersecurity Partnership and how the Public Sector will need to change and and interoperate with the private sector . So at the agency our focus is identifying and trying to collect on possible threats to both public and private sort of infrastructure. We bring that information in and our analysts will take that information, will take opensource information, Technical Information to try to provide the best picture of the threat environment and then get it out to the folks that can actually use it. Historically that has been other Government Agencies, you know, the war fire, diplomats, folks overseas but today because 80 of the critical information is in private hands, a lot of times its those folks who are the actual folks who can use that information to mitigate the threat. We do have mechanisms to share that information we can sanitize it but we need to be faster, talked about talked about automation, we need to sort of build those pathways where that information gets flowed, maybe sanitized but it gets out there more quickly. A lot of times federal Government Agencies are speaking to vendors behind the scenes, there are agencies like cia who are helping build that picture to try to make it as comprehensive and as accurate as possible. Its not a oneway street either. We very much need the information that the private sector has, the threat that is they are seeing to feed into that allsource picture of what our adversaries, whether state actors or nonstate actors are trying to achieve. Anthony, maybe you can give us the privatesector view of that, thinking about faster decimation. The intelligence is super important. We have seen the effects in ukraine and i think its an an essential component for us to continue to refine. I would say if youve been in this game for a while and you think where we were ten years ago i would say its fortunate recognize the progress thats been happening. I think on both sides of the transaction where its private sharing with public and the inversion. Certainly from a private sector perspective we are worried and making sure that we are focused on Customers Trust because thats an important component but the notion of sharing in realtime efforts and information which would allow us to better protect customers i think its a really important component. Beyond the intelligence sharing, though, i think theres a broader too muchic for me around public and private partnerships going on today which is if you look around cybersecurity is getting the attention that i think ive been in this industry 24 years, we often wanted it is a toplevel topic. I think with that level of focus and energy, theres risk of distraction frankly and i think weve got a really collectively together come together and public and private and make sure that we are prioritizing efforts and initiatives that are going to have no kidding impact on raising resilience and oftentimes meaning doing things that are necessarily shining new things but doing the foundations of work as my colleague shared a minute ago first and foremost and i think when it comes to where we need to go in public and live, really rich dialogues about what Effective Security is is going to be essential Going Forward. Effective security and making sure that we are doing that threat modeling together up front, zerotrust thing i think is a great example of that. All right. Well, as we wrap it up, i want to give everybody a chance to leave one last thought with the audience. On the vein of publicprivate partnerships, we are going to leave here and we are going to go to happy hour, but after that, we are going to talk about we will two home and think about the one thing that we are going to do either as Public Sector or primesector person to start fomenting the partnership and growing it. Whats one of your Top Priorities or things that you think this Public Sectorpublicprivate partnership should focus on . Are the things that we are prioritizing, things to promulgate throughout industry and the world, is it the most effective thing that we need to be doing to prepare ourselves for the threats and that we talked about in the geopolitical situation that we will be facing in the near term. Its an opportunity cost and we have to be pragmatic about the things that we are pursuing. Okay. I think at least for me it start with information sharing. When you talked about, you know, the public ip addresses that was kind of exposed, it was the cio that told me that and we became aware of that. I did not get briefed on the weekly basis on the intel cyber threats. That was like unheard of ten years ago, right, and now because im aware of those things we can now start to design and choose countermeasures against that, so from a publicprivate partnership, i think we in the public side have to work with our vender partners to let you know, hey, here are some of the threats that you need to be aware of and foreign adversaries are doing and here are some of the things that are going out in the wild, right. I think for our vendor partners, privatesector partners, understanding that you can Design Capabilities and tools around that. And number 3 is training our people to understand and leverage those tools so that we can defend our networks. I want to sort of build off the last point because i think the investment in the people is probably one of the most critical things that we have to do. A fierce competition for challenge in the area and how many people actually have the skill sets needed both to build your networks and defend the networks and find out threats about those networks. And i think it would take time for our investment to sort of expand the pool of folks to the size that we need it, i think the ability to crossfertilize those in the private sector and public side and Getting Better appreciation and i think that vice versa will pay initialed by the ends to allow us to address the threats which quite frankly the federal government cant to by itself nor can private companies to by itself. Its only by working together can we address these threats moving forward. We have seen a lot of great learning from both sides when we do those Exchange Programs at amazon. We have Government People come in and sent folks to work in the federal government. I think thats a great way for people to get exposed on both sides of the coin. I understand what youre thinking about and youll understand how we have to look at the problems sometimes. Exactly. Yeah. So dave. Thanks. So we have been engaging with industry for years now on a lot of fronts, you know, i have a cisco engagement with a lot of cloud companies, understanding what they have to offer, understanding how we can utilize that, letting them know what our requirements are as we two forward with zero trust, having them pilot certain capabilities, redteaming those to prove whether they are going to satisfy what we need or not. It is vital for us to partner with industry. We are not going to be successful if we dont. When we bring allies from other countries, we are actually pushing them also to partner with our industry because in terms of cloud computing, ai, you know, the United States is in the lead and we need to be able to help them out as well as we go forward. So those those face to face engagements, those kick the tires on Different Things is very, very important, additionally we are trying to work with our good partners to make sure that they have some minimal level of cybersecurity, the big venders have no problem doing this. If you have like a billion dollars revenue you are pretty good at cybersecurity and theres a lot of companies that dont have that and we are establishing Security Model for the program and also offering a wide variety of Free Cybersecurity Services that a company can adopt including Threat Intelligence sharing and we want to bring more and more companies into the fold there and try to help them out as we go forward. Awesome, i want to thank everybody for joining us today, interesting thoughts. Partnership training, Building Trust getting, working together and amping that up, dave, you hit on an interesting point, thinking about our partners, you know, we are not going to go at this alone a lot but extending the trust where we can to help our partners. With that, thanks, everybody, im releasing you for the reception, appreciate it. [applause]