
Should I start over? I think I will. It's a pleasure to see people here again. The last panel we had was primarily about the kinds of vulnerabilities and risks the providers are experiencing. This subsequent panel will be about how to mitigate and reduce the chance that systems and services can be hacked or otherwise made less available for the people who need them. We are going to talk about how to apply frameworks, the Cybersecurity Framework, platforms available; we will talk about the kinds of issues or problems different segments of the industry confront when dealing with these problems, so segments like different provider segments, different user segments like public safety, and different segments such as small and medium-sized businesses, which are providers that came up in the last panel. So those are the things we will be talking about, more from the perspective of how as opposed to what. Let me introduce our panel. We have Catherine from mti a, telecommunications policy specialist. Welcome, Catherine. Thank you. We also have Brian Daley joining us virtually, assistant vice president for technology and standards, and it's good to see you again. We also have Christian Lori, the Risk Management sector is 20, emergency management work meter at Fairfax County, Department of Emergency Management security. Welcome. We also have a director of engineering, and I think you're here virtually. We have Harold Price, thank you for coming, and finally Kevin, chief of the Security Division in the Information Technology Laboratory, National Institute of Standards and Technology. So thank you for joining us. I will say I am going to go through the questions at a brisk pace, so if anybody has anything to say, please jump in. We have a lot of questions, so that is what we will be doing, and as in the previous panel, specific people will be asked direct questions and I will announce that. The first question is directed at Christian from CISA, and in excess of question, what are we talking about here?
The question is, when we use the term cyber risk management, what does it mean to you? You are from the Risk Management Center, so what does it mean to you in your day-to-day life? I just want to make sure the mic is working. This is our bread and butter. Hopefully it covers it in a little more detail. Risk management and cyber risk management in my view relate to a sense of decision and practice: identifying the things that matter most to you and the assets or things you want to protect that are at risk, and making decisions to manage or mitigate or transfer or accept that risk. Risk management is understood as a process, ongoing in the organization, and we are talking about digital assets and networks and things like that, but to emphasize the overall takeaway, when we talk about cyber risk, it is a process and something organizations need to do deliberately and proactively with care, but also on an ongoing basis. I'm going to add something to the question I have asked, what does it mean? Now I'm going to ask why it is important for entities participating in this segment. One of the benefits of cyber risk management is it helps with proactively identifying things that could go wrong and how you would respond to them, and planning against those who pretend they will come up. The worst case is to put your head in the sand and assume nothing will go wrong. Something will go wrong. It could be an error, it could be a cold, it could be a malicious actor trying to attack; something will go wrong, and if you haven't planned around that and made decisions on how to manage that risk and account for those things going wrong, you put yourself at greater risk. So that's how I frame it. It allows you to plan for things to go wrong. Thank you, Christian. The next question is directed to Kevin Stein and Catherine and Shamus. Let me start with planning: how does cyber risk management planning for cyber attacks help protect the communications sector as well as the segments of the sector delivering emergency alerts?
I think it is dynamic, and the technologies involved, the externally driven rules and requirements, and organizations evolve in their risk tolerance. These systems are a desirable target, especially during an emergency. I think from a broader risk assessment, it is one dimension of risk to manage; you see organizations in reference to this framework, including a broader sector, use the framework to establish management programs and a continuous process. The supply chain risk information partnership: we were created to share supply chain and risk information with small telecommunications providers, so as part of our work we communicate a lot with the community and try to hear their concerns so we can work with the United States government to provide resources, lessons learned, and best practices so these can securely invest in the network. When we were starting out we heard from these entities, "we are so small, not a target, we don't need to do the same work the larger providers have to do." Unfortunately I don't get that as easily now, because they are being targeted. Either they themselves experience an attack, they see competitors, or they stay on top of the news and see bankruptcies and follow other types of cyber attacks, so they have this understanding that they are the target, whether by going to the Cybersecurity Framework or another framework that provides similar guidance. Part of the shift we have seen is, when you speak with practitioners and defenders, they understand the threats they are facing. We are still experiencing some disconnect between staff and leadership in making this a priority and allocating the resources necessary to either invest in staff or the network if there's a particular piece they need to seek out. We'll be back next to the public safety sector, so I'm going to add to the question for you: in addition to talking about planning making an entity stronger against these risks, from the perspective of how to live it, how can public safety entity planning make it safer and more secure, for somebody who has to plan resources, what was planned?
I will start with the why. We hope for the best and plan for the worst, so as part of that we need to understand that we need to be able to alert the public in a timely manner and make sure we have a plan in place to do that, taking cyber into consideration. Do I have the base to do that? Do I have the path to end this? There are processes we can explore and utilize and position ourselves to ensure we can get the message out to the public, and that is the real challenge. The message we want to send: we don't want to lose faith, so there is a fine line. We get in as fast as we can to get the message out, but we need to make sure no one else can send a message, and multiple people have touched on that. The challenge in this case is that we rely on the system, so our local information technology, they are the ones who try to mitigate horizontal movement, and we would utilize that, so we are trying to figure out how to keep it secure and send the message. Thank you. We will go on to the next question for all participants. I will tweak it a little bit: do you currently have a cyber risk management plan you are using to reduce risk for the communication services you provide? Nobody on the panel wants to say no. I know nobody wants that because I know some of you pretty well, so what I will say is, if you say yes, can you tell us about the plan, the elements in your plan, the extent to which you are able to check that? If not, why is it no? You may have good reason, so I'm not going to be judgmental. So let's ask the question. I will start with Brian. What do you have to say? Let me do a quick audio check. Thank you for the opportunity to participate on this important panel. First off, my answer is yes, so we do maintain a robust-level security risk management plan at AT&T, and it covers all communication services provided, and that includes emergency alerts. As you may be familiar, we use a network to broadcast the alert.
We receive alerts, which come to us through a security-protected interface, and once it's in our network it follows our cybersecurity risk management plan. Our plan follows the framework and the notification. We have on multiple occasions provided a copy of the AT&T information network security guide, which provides a description of cybersecurity practices. They are not specific, but it does make it clear we have to implement security controls sufficient to ensure confidentiality. We don't believe cybersecurity risk management plans designed for a narrow area of application are an appropriate use of resources, because we do have a broader risk management plan that covers all operations. Our chief security officer does establish requirements as well as comprehensive programs to make sure security is in the AT&T computing network environment. The security program makes sure information access will network facilities. Employee commercial will to protect the mobile network. Evaluations make sure controls are maintained and function according to policy. We do have a corporate continuity plan to provide project management for disaster recovery security for AT&T, focusing on all aspects of operation below the reliability of security, to closely and fully understand the aspects of the network fragments of local operation. Clearly anything from that will suffer; allow customers to gain more visibility and attempt to access the systems. Unsuccessful, and reducing service. In the old days, engineers looked for logs and things with greater reliance, so the number of people who need to access the system, why you put your device on an unprotected network, is reduced. We are trying to do that: get more visibility into the operations.
I will say, and I will probably have an opportunity to talk about this later, the majority of radio stations by numbers and coverage are small to very small businesses, trying to provide tools for people thinking about this and the requirements they want to make. And thank you for the opportunity to be here today. There is zero support on a regular basis; it is a one-and-done. How to change it or anything about it, that is at the level where it is important to raise awareness of the need for cybersecurity, at that level of customers, trying to do our little once they become aware and make them aware. Industry, I'm wondering if you have anything to say. Yes, thank you for including us in this conversation. Harold made good points. In the case of the company I work with, we are all the way down to places like Fairfield, Iowa. In that situation they have a total of two people at that operation and neither of them has a technical background, so in that case we are dealing with a situation where there is a contract engineer, and the contract engineer has expert operation. This would not be what we call a strong suit, so to do the things we are talking about, we are talking about bringing in someone completely outside of our normal sphere of operation to put things in place. Top. It's like the technical background in an operational sense in these small broadcast environments. There has got to be some comfort so they can understand the requirements and why it is a benefit to them, and it probably differentiates us from the folks participating in this conversation, because in most instances when we talk about commercial service providers and the like, we've got both keyed, and they put the hierarchy there, aware of what the situation is and how to address it. In our case we have a department, we do have procedures in place and they are focused around this, and they focus on network segmentation.
Those to coordinate the effort to get it in place to understand is will sub also. I would bring up, in my other role as head of the education committee of the broadcast engineers, we are interested in making sure we get the information out and help these situations to create awareness for folks. I heard similar, and we will refer to it a little later, but there are ways to do this without hiring full-time equivalents to do that, and we will talk about this, but I'm wondering about the resources available to help with that and so forth. We will save that for another moment. There are intervening ones. I am wondering about the key elements and what they are doing, but in a more general sense, what are the most important elements to include? We will start with Kevin. Thanks, I definitely appreciate this. We recommend using this framework as a start to establish the risk management plan. We are in an update process now and it is highlighting the importance of governance, the strategy and expectations and the possibilities laid out for cybersecurity, and it's considered more broadly across the enterprise. Following up with identifying the current risk and understanding current protection capabilities and the right response, and once it's detected, having the capabilities in phase two to recover and restore assets that might have been impacted. Establishing a plan and outcome, that is important; there are standards and resources available, and others in the industry, and resources to help implement them to realize the capabilities and practice. Thank you, Kevin. I'll ask the same question of Christian. One thing I would add: in the process of identifying risk, we deal with every organization and how to scale a solution, and one thing we keep coming across is that an organization of any size has dependencies that are not easy to identify. So some come from the supply chain, but it really is, to the earlier points, the whole business continuity when it comes to electric power for facilities.
Minimally fact and self-sufficient, it may be people can get their own roads. My overall recommendation is that organizations take the broadest possible view; certainly in the cybersecurity context there is a specific set of concerns and things like that, but in terms of the overall risk, it is broader than that. Next question. Instead of talking about the cyber risk management plan, it's the cyber risk management abstract, and the question: how can cyber risk management focus on planning and preparedness? How can it contribute to protection, infrastructure and reliable learning? I'm going to go over and start with Harold. Cybersecurity on another slice. It comes down to the context, the planning stage. Like a good number of society, should I have my radio station informative? That is, there are resources available. You need to hire a full-time person so they maintain it. Resources available: based on the agenda, I googled for security. What popped up on the screen early in the morning is incomprehensible for the people doing it; there are scholarly papers with titles too long, and how do you find it, and why does it pop up as 25 if not 21? You have to be proactive, and they should follow the frameworks. They will need to discuss why they are good; you do need the system. How can you make it relevant to small operators? Than necessary, not as hard to do as one might think, but it has to be done. Rule making saying you have to have a policy, it is okay, but it needs to be scanned into simple language. Give them something to get the awareness and start to plan. That is the real thing, a good thing to make. To turn now to the same question. I agree the systems are a target. Some of the potential challenges with this implementation bear full of entities in this opportunity, but also challenges to implement it and manage it. Let's move on to the next question.
How can cyber risk management planning protect the infrastructure? The next question is about preventing or mitigating the effects that will occur, so in what ways can cyber risk management help prevent or mitigate the consequences, or support recovery from them? Doing the planning up front, early and often, someplace. I think part of that planning goes back to the earlier questions from the panel: having the risk management plan, plan and prioritize your efforts aligned with your missions and make sure they are responsive to the landscape as well as your organization, both internally and externally. When you do experience this, you are more prepared, and part of that is not just preparing in place. The next question we touched on a little earlier: what other challenges might communication providers face, in particular smaller and mid-sized providers, when they consider developing and adopting a plan, and how well, or if, mid-sized providers and communications address these challenges? One of the things that is a challenge, and one thing we can address, is how we interface with the most individuals for understanding and what they are dealing with. In reality, I expect when we examine it we will find out, because we might populate from those individuals who aren't necessarily the most educated folks putting information in; if there is a blank buildout that shows outdated software, they might not understand why it needs to be checked and put in, producing "okay, that's it." That's one of them. I think we need to go back through and design this when we are dealing with it so we eliminate those possibilities, so it is not automatic.
It's not necessary, because in my experience the testing and stuff was done almost every time we got new software, so they are there from the previous test, and it will lead you to an improper conclusion. If we leave it at the end, it is one of the observations, but we need to make it user-friendly to the folks who are the least knowledgeable individuals, because unfortunately they are the ones putting the information in. We ask them to give information within a matter of hours so we can evaluate, and that is great, but we are not going to deal with it, dealing with that coming from the lowest-common-denominator users. That is just one observation. I'm going to turn now to Brian. What are some of the challenges the different segments face? Some of the providers will have resources that could potentially have an impact, and the Security Framework allows them to tailor cybersecurity risk management plans to their resources and the circumstances they may have. The other aspect is training. Training is important all up and down. I think when we look at what I call misfires in emergency alerts, a lot of them are at the origination site, so increasing training, doing the exercises, bringing in what we intend to exercise the system and environments, and looking at the vulnerabilities through tabletop exercises to address those. Getting back to the training aspect, I think it would overall help improve the system, for the small as well as the large operators. I'm going to go to the next question, and this is something touched on in an earlier panel. We talked about cyber risk management plans, which are higher level. I am wondering, are there things that might be closer to controls or best practices that should be included in what providers do in their infrastructure? Something more detailed than cyber risk management plans. So I'm going to start with Shamus.
There is a lot of trepidation. We don't want to send these; we know we need to at times. I think we are always trying to have the balance of wanting to keep it secure but understanding the side of the test; the people defending it will be nervous, so they have to be able to get in, and there are many opportunities to send a bad message, as worried about somebody getting in as the asset of the people. One of the things about talking about security and providing best practices: those on the radio side have one part-time person; they aren't as fortunate as others, so we are trying to come up with best practices and how you get into the system securely. Obviously there are checks in there that come from the national side and other things we have to do that provide a higher level of security, which needs to be there, so there are things we can do on that, but again keep in mind, when it comes to having the message, we need to make it as user-friendly as possible to get the message out. The more we have something too far away from what we do day in and day out, the more we run the risk of having a lot more problems. Okay, thank you, Shamus. We are running short on time, but I will add another way to think about best practices: a set of cybersecurity performance goals, more specific than the things you find in the Cybersecurity Framework, so that is a way to think about practice, and I hesitate to use the word "control," probably would object, but that is on my mind. Having said that, I'm going to come back to you, Shamus, in 30 seconds. How does that idea strike you? There's a lot of good information; the challenge typically is the end user sends a message from what the best practices say it should be, and thus to the public in a timely fashion. Again, there are ways we could incorporate some of those in the items that would help. Those are conversations the locals need to have with IT people. We have another two minutes. I am going to wrap things up quickly. I want to thank you all for joining us today and sharing.
I didn't get through all the questions. I didn't really expect to, because I expected a lively group, and you are all lively and comfortable sharing, so I am grateful for that; you made my job easy. Let me ask you all, I wish you all a good trip home, and I'll let you know, having gone through and contemplated your risk and made plans to address it: how will you stay informed on the latest and greatest threats? You work with others or many other partnerships to share information, vulnerabilities, all of these things. I encourage you to look at that as you move forward. Thank you so much. I appreciate that. With that, panel two is complete. If you would stay in your seats, we are expecting Eric Goldstein to give us a keynote. He's the assistant director of cyber security. Is he here? He will be here in one second. Okay, great. Would anyone else on the panel like to say anything? Please. I'm not allowed out if I don't support the cyber security performance goals. They are designed and intended to be accessible and usable by small means. They set a baseline and help you improve on the baseline over time. This is something we are supportive of. Thank you, I appreciate that. Eric. All right, thank you for having me. This is a wonderful event. There are a lot of folks out there in virtual space. When my friend and colleague Billy Bob asked me to do this event, I jumped at the opportunity. Billy Bob knows this quite well. I lead the Cyber Security Division and have worked in cyber security for most of my career. I was doing private sector cyber security before that. I was doing it for agencies. I came about my current role in a different way. My personal story: I was 16 years old. Weapon in medical school, that was when the D.C. sniper was affecting so many communities. I'm sure a lot of you remember that. I observed with such an emotional resonance the fact that when so many people were, for very good reasons, cowering in their homes, canceling events, taking precautions,
our first responder communities were the ones surging to respond. I got my EMT lessons. On a 20-plus year journey, working at the state fire academy in the state of Illinois, working as a volunteer firefighter, and most recently in Maryland. Public safety and the fire service have been the through line of my personal self-identity and lived experience into the cyber security area of our space. I volunteered in Maryland until I had my third kid a while ago. That's more than I can bear. I did it until this point. I really have such an acute appreciation for the diversity of the public safety community and the fact that our public safety community is dependent on network technologies. So, when I was a volunteer firefighter in rural Illinois there was an outage at the dispatch center, and that was 20-plus years ago. We have enabled the public safety community to not only receive information one-directionally but the rich tapestry of information and patient information, and allow the communication between responding units and public safety dispatch centers, and let the community do its job much more safely, so the risks we are responding to are more complex. That intersects in challenging ways. Here I am. We know there are adversaries that wish to do our country harm. I will point, as I often do, to the remarks and the annual threat assessment: a dramatically stark picture, particularly of China, where they note that during a potential geopolitical conflict it's likely Chinese cyber actors will seek destructive attacks. This is the intent of our adversaries: to sow chaos. No target would have a more significant impact than the public safety community. We expect, when we pick up the phone and call 911, and increasingly are able to text 911 (that's pretty cool), we reach out to our responders and they hear the call and come to the right place with what they need. The ability to degrade that is profoundly disconcerting to thically rum. In fact, this is not academic.
We have seen far too many cases where they have disrupted the ability of other public safety communications assets that rely upon the technology, requiring us to fall back on older, manual, less effective methods. What do we do? We know that the criticality of the public safety community can't be overstated, and we know they are of course definitely dependent on the continuity of public safety communications, and we know the threat space couldn't be higher. First of all, we know this community is not well resourced. Fortune 500 companies back in and dump a few million dollars and say, let that problem figure itself out. These are communities and organizations that have to make the best possible usage of every single dollar. When I looked at today's agenda, the colleagues from other agencies were talking about everything we offer. The first is of course the voluntary vulnerability reduction services. You heard from my colleague at the management team a few minutes ago. I can't overstate the fact that the vast majority are not leveraging some configurations. Unfortunately, they offer free services to do just that. One goal we serve collectively: there is no reason why any public safety organization across the country, police, fire, EMS, every single one, should not be enrolled. There is no reason not to be. Let's make sure everybody is on board; that's one way they couldn't identify. Also talking a bit about our cyber security performance goals, if they raise the cyber security baseline. One of them is the known vulnerabilities they know they are targeting. There is a pretty small number of other steps on our cyber security. If you pick three to five things, what should they be? That's where they come into play. This is by impact and complexity. Cyber security performance goals assessments, across the country, and walk through the list, and where do we go next. One of the team members for a long way. This is the likelihood. There are a few more things we have to report on.
One of the biggest challenges in the fire service, I would just offer a bit. I was getting my master's degree a long time ago. I was working at the fire academy. I was living in a firehouse in Maryland, doing that full-time, going to graduate school part-time, much less exciting. I wrote my master's thesis on whether we are able to show that investments, in this case our ability to show reductions in firefighter fatalities or injuries, reductions in property loss, to target regions. If the answer was no, it was not because the programs don't work but because the data was really bad. Anybody will know this: it was a voluntary reporting system in most cases, having a decent analysis. Similar problems today in private security. The vast majority of incidents are not reported, meaning we are unable to offer assistance, share information quickly to prevent other victims, and unable to analyze trends and more targeted guides. This will solve itself a bit with incident reporting regulations and rule making. There is still more we can do today. One asset we would have for the community is when a partner in the public safety system is hit, we need to hear about it to help prevent the same thing happening. In cyber security, there is a real culture of blaming and shaming the victim, in a way the victim perceives: well, we did something wrong and face liability and face public recrimination. The only party that wins in that model is the adversary and the criminal groups. We need to profoundly change that model, in advance of regulation coming online. The more we work with victims, they can engage on the ground and offer help and prevent other victims from experiencing the same significantly negative events. This is really important with this community. We know, particularly, ransomware actors would like to target victims they think will pay. A victim like a PSAP would be really interesting. Their presumption is that facility can't go down.
The more we can understand what kinds of actors are targeting the public safety communities, and the more we can push out information that all of you and your stakeholders can use to protect yourselves, the more able we are to cut off the emerging campaign. We talked about what individual organizations can do, the scanning services and goal assessments, and talked about the importance of incident reporting so we can make sure we share information broadly to cut off the campaigns. There is a third challenge, and it is at the core of this administration's overall strategy. If you read the national cyber security strategy, there is an important narrative, this idea of a shift in accountability. Let's shift the burden for cyber security to those who can actually bear it. The system will be target rich. I could think of no better example: they shouldn't have to be worrying about cyber security. You have other stuff to worry about: making sure the ecosystem of public safety responders and networks stays functional. What does that mean? It means the sector, the technology we use, needs to be secure by design and by default. Today, fundamentally, it isn't. I will offer by way of an example. Any one of us working in cyber security is familiar with Patch Tuesday. Once per month all of the major developers say, here are all of the things we found out; you should update your product. What happens: vendors, those that are wrong with enterprises across the world, scramble through to the secure version. At the same time, every single adversary across the board scrambles to exploit the vulnerability. The fact that we normalize that: we can say they are running the technologies and critical functions of the society and tolerating a world in which the products are coming off flawed and we will fix them for the flaws. We keep losing repeatedly. We can do things differently. In fact, a lot of the vulnerabilities we are finding are of a type we know how to fix. We have known how to fix them for 10, 20, 30 years.
That's a business decision made that's resulting in less secure products released into production, in turn undermining safety. It's like public safety communication. The director released for International Cyber Week a guidance document outlining practices. They designed product, by 14 other international governments; it's pretty remarkable. We should all expect secure by design. Before that, we released guidance for our partners in the K through 12 sector, if you are an educational official asked by new technology. We need the same model for this community. I appreciate you. We need the same model in this community. We need to make sure, when we are procuring, acquiring, and using technologies, whether it's software for on-premises systems or a cloud service provider or a managed service, we are asking hard questions of vendors. This is creating unacceptable risk levels. This is a partner to the community, providing services that are useful to you and information that's timely and actionable. We need to make sure we are using technologies that meet our expectations. If we don't accomplish any of those, we want to hear from you. We know the environment is changing quickly. We know the community has the best understanding through the close partnership. Our goal is to make sure we are providing the right support, the right services and guidance, the right partnership to help us through the challenging period, so every American remains viable and with full integrity. Thank you so much for the chance to chat today. It's a privilege, and thank you to all of you in virtual land, to keep our communities and families safe. [applause]
