Transcripts For CSPAN Aspen Institute Discussion On COVID-19

CSPAN Aspen Institute Discussion On COVID-19 Vaccine Distribution July 11, 2024

Chief Information Security Officer, Meredith Harper. Welcome, and over to you.

Thanks very much, John. It's nice to see you, even virtually. So, today, you have everyone's bio, so I don't think I need to reintroduce our panel. But what they're going to offer us, I think, is a way to look at the year, and back at the year, in a context of cyber and health care, and give us a little bit different way to look at the latest efforts to get the vaccine out to the public. We actually have some news on this today, by the way. We'll get to that a little later. Basically, the New York Times reported that cyber attacks related to cold storage of the vaccine have been going on since August. It's unclear whether this is about ransomware or something more sinister. But we'll get to that in a minute. What I thought we'd do is divide the discussion basically into three parts. We're going to look at the broader issue of cyber threats and attacks on the health care sector as we sort of wrestle through a pandemic. We're going to look at the security and protection of intellectual property related to the vaccine. And then finally, as related to today's news about hacking the cold chain, we'll talk about the security, protection and defense of the supply chain for the vaccine. So, what I'd like to do, oh, and if you have questions, I'll try and field those as we go along. And we may have time for questions at the end, as well. There's a Q&A function; I think the team at Aspen will explain how you guys need to put those questions in. And with that, I just wanted to start, maybe with Meredith. I thought I would start with you, as the CISO at Eli Lilly, having to deal with all that we're dealing with, but in a laboratory setting, with laboratory people either having to be in pods or working remotely. Are you dealing with more attack surfaces because people aren't all over the same building? They're spread out.

The answer is yes.
We do have a unique footprint as it relates to our service because we made a decision quite early in the pandemic, around the March 8 time frame, to send all of our team globally home to work. Now, there were a subset of individuals that needed to touch specific equipment in our labs and places like that, so we put some measures in place to be able to protect their safety while they were actually interacting with that specific lab equipment that we could not pick up and take to someone's home. So, we did have an opportunity to still have a small portion of our team still going into our physical location. But it was few and far between. Over 16,000, 17,000 of our team members were deciding to work from home based off of the concerns about their health and safety. So, yeah, the attack surface now has incrementally grown over that period of time. We continuously, as an organization, ensure that when our team members are at home working, they're still putting those security principles in practice even if they're sitting in their own home offices. I think sometimes we can get a little lax at home and we don't always think the same way as when we're in our physical work location. But I think we've done a really good job of rolling out a robust education awareness program of how to protect those secure spaces within your home environment. So yes, we have seen an increase in that, and attacks as well, because of the pandemic.

So, it goes beyond just don't double click on that weird phishing email. It may have to do with authentication of routers, things like that. Is that what you're all talking about?

All of that, yes. We put together a packet with our team members to say, now that you're in your home environments, here's the technical controls you need to have to operate and carry out the business of Lilly. We have a VPN. We need to access the data that you need in order to perform your role without you putting that information on your local device, and things of that nature.
So, we gave them a toolkit to follow, to say here's the questions you may be asking; here's our recommendations for how to deal with that. And then we work with those things together to make sure we're not seeing increased exposure. One of the other things that we talked about, initially, I can say, we didn't really think through, I think, at the beginning, was around the idea of printing. So, we get so comfortable printing in our physical locations at work. But now you're starting to print things that may be confidential at home. So, how do you support those printouts? How do you destroy them appropriately? We tried to pick up on what a home worker would need to know to make sure they make themselves and their devices and data and the things that they print are protected.

So, you were sending out shredders and safes?

So, we didn't do that. We did give the opportunity to say, if you have a home shredder, here's the ones we recommend if you do that. One of the other things that I recommend, that I really appreciate our leadership going down this road: we knew that people were now working in these home environments, and from an ergonomic and security perspective, we gave each member of the team an allowance to say, I need to outfit my workplace differently now that I'm working 100% from home. So that meant if you needed to get a recommended shredder so that you could now destroy documentation appropriately, or if you needed to get even a new chair so you can be functionally comfortable as you're working every day, there was an allowance offered to every team member who needed to make adjustments. So, we offered the recommendations. We gave them options and said here's what you can pick from. And then you chose what you can bring to your work space to make it comfortable, but also make it secure.

Yeah, NPR gave us chairs, so that's clearly on this. So, are your concerns, and I'll get to the other panelists as well, but have your concerns changed since March?
I mean, have you seen things, when we think about ransomware or phishing attacks, are you seeing things, is this progressing or evolving?

What we're seeing is, and I know Maureen and I had this conversation before, some of the activity, most of the activity that we see is standard for us. This is typically what we see in our environments in terms of exposure, attacks, interest in our organization. Those things are happening every day. And that's no different. What I have found, though, is, I think, the use of social engineering to be able to get a foothold in an organization by way of credential stealing and things of that nature; I think we've seen more of those attacks, and they've become a little more sophisticated than we probably have seen in the past. But that doesn't mean that the volume, in terms of what we're seeing, is shocking to us. It's common at this stage of the game. But I think there is this turn-up in the sophistication of it all. And if we're not training our team members appropriately to look for those indications of whether something doesn't look quite right in the message, we can find ourselves in a world of hurt. So, we try to focus a lot on our training and awareness of our team members at this time. And specifically, as it relates to the individuals working in the development and research space, because we know that they will be a target. They're the ones who are actually working on our response to COVID. So, from that perspective, we tried to use training and education to thwart some of those attacks.

Do you think some of the social engineering is working better now because people are lonely and by themselves in their home?

I don't know if it's the loneliness. I don't know if that's what makes them susceptible to it. I know I've done it myself. I feel like I'm working more now that I am at home.

Right.

Being able to shut off and being able to disconnect is harder now because I'm sitting here in my office and I get a chance to get things done.
But I think because we're moving fast and we're moving to really tick those things off of our list, sometimes we can move a little too quick. And then we click and open, or expose our organization that way. I don't know if it's the loneliness, but I do believe that we are moving quicker, probably, in some instances, and that creates problems for us.

Maybe journalists just get lonely. Maureen, let me move to you. One of the things we know from public reports is that there was a hack of a number of different medical or health care companies, including Johnson & Johnson, with North Korea. Those complaints came earlier this month. And they were trying to steal, allegedly, sensitive COVID information from Johnson & Johnson and others. Can you walk us through what that kind of experience is like?

First of all, Dina, thank you very much for the question. But I would say, what's called, let's call it an attempted hack, not a hack.

Fair enough.

Clearly, it was a cyber security organization and they're clearly different items. Health care companies literally have seen an onslaught since March 2010. That is the day that the Chinese actually started a hard knock of most of the health care in the United States. And there was a lot of talk at the time, those who knew that they had seen attacks or had seen that stand by a nation state, and those who hadn't. There was a great outreach and a great pouring out, working with the FBI and Homeland Security: what was this all about? Especially in health care. I and everyone in health care are seeing attempted penetrations by nation state actors, not just North Korea, every single minute of every single day. Primary threats, I tried to categorize in health care. One of them is nation-states. The other is a criminal element looking for anything they can monetize. We have something called hacktivists, people who are trying, through social media, to attempt to sway pharma companies on the pricing or other items, as well as insiders.
In vaccine development and therapeutics, what we have seen is we are on a grander stage where people thought, wait a minute, there is a company I should be looking at; what should I do there? We have seen that rise. We don't know, and I see many different attempted assertions. Malware is just code. It is just binary somebody is going to try to put in my network. They are going to use things like email and links and social media to get someone in my company to click on it and bring it into my house. Just coming in the door. In the health care industry, we work with the Department of Homeland Security, so we find information. We found this code. I don't have the resources to tell where it came from, or what are they actually going after? Our federal agencies, government agencies, we provide that information, which then tells us, wait a minute, that code came from North Korea. Then, warnings are going out. Companies have the skill and security organizations to be able to detect this malicious code and protect. Not everybody has that in the health care industry.

Any indication there is a focus on trying to get something COVID related, because everybody wants it right now? Is there a bigger appetite?

There is only going to be so many people who can get information and turn it into a vaccine. Then we are going to have the people who just decide, I don't want the world to have a vaccine. There is not much of a difference. We have the protection capability we have built, and then, in this instance, looking at the vaccine production, Johnson & Johnson has a plant in Wuhan, China. We were able to see what was happening all along. We saw with the virus about a 30% uptick in what I will call hacktivist or criminal activity trying to monetize anything they could. Again, large companies, secured companies, have defenses against it and are able to defend very easily, but in general, about a 30% uptick.

Was it going for the virus?

It would be hard to tell. People will try to come in. The ability to detect it is what helped us.
We took a concerted effort. Anyone who was working on vaccine production, anybody who was going to be working on intellectual property, we provided minimum necessary access; those are terms we use to protect it. We did that. The social media: about the June time frame we saw one of the other companies having issues with social media, which we talked about at the board meeting, and one of the things that happened was we had all started to see some of that, so we informed our people to be aware of it. Don't go and click on anything, giving people some guidelines to make sure they were secure.

Do you have a little cybersecurity moat around COVID stuff, or is it everything?

We have a huge honkin' moat. That's what we do. We create moats. It sounds like we close ourselves off. What it is, is that we provide the ability for the business to operate in an insecure environment, given the right controls and the right risks.

That was excellent in terms of the example you showed. One of the things we also saw on our end was that our third parties we partner with to carry out the mission here, we did see an increase in terms of third parties being impacted by attack. Third parties who are close to the development and research arm of the work we do, when they get attacked, it becomes a problem for Lilly. We have to spring into action to ensure our value chain is protected and that we are able to deliver lifesaving medicines. We did see an increase. This year we have done way more around our third parties than we have seen in the last couple of years.

Attacks generally are coming through some other vector. That is why I asked you about routers. I wanted to bring you in, nice to see you, and talk about the security components of Operation Warp Speed. Eli Lilly and Johnson & Johnson are among the players. We don't know very much about the cybersecurity side, what it looks like. Maybe just because geeky people ask those questions. Can you give us an idea how that works in practice?
I can speak to the unique role the FBI plays. There are a lot of different players across the federal government and the health care sector as well. From the FBI's perspective, we have the advantage of being a domestic law enforcement and intelligence agency. What that helps us to do in service of this mission of protecting the vaccine research and supply chain is to use our role, having access to classified intelligence, to understand what adversary plans and intentions are, to see threats as they are forming. With our domestic presence, with 56 field offices and satellite agencies, we are really embedded in communities, and we have enduring partnerships with research institutions, companies, etc., where we can have that information downgraded, which effectively means at a level that we can share it, ideally before something occurs. We can actually act on what we see, and that is where the types of direct engagement with these organizations is so important. When one organization like a university or a company sees this type of threatening cyber activity, it can be used not only to investigate but to share that information with the intelligence community and with network defenders, share it across, and help everyone strengthen their networks.

Are you getting, in this current environment, more back-and-forth than you were in the past? I think companies are more reticent to let DHHS know they have been compromised.

We have been proactive and it has been a combined effort. That is a maturation in the federal government over the past few years. Some of that was in response to well-deserved feedback we would get from the private sector, not appreciating having several federal agencies knocking at their door or sharing the same threat information with them. Increasingly that is a partnership, and that has been simplified by Warp Speed, and even months before Warp Speed started. As early as March, we were starting to see the indication not only of cyber criminals, but also of nation-states targeting COVID research.
We very quickly formed up with the Department of Health and Human Services on a couple of different fronts, to warn those who were being directly targeted and to do some research and expand that circle out to see, if we know these types of entities are being targeted, who is likely next. Thirdly, we did something unusual for us in May, which is that we issued a public service announcement with CISA about the Chinese cyber actors targeting COVID research. That was for two purposes. One, to warn, but also to let China know we have an understanding of what they are doing. There would be some risk and consequences to them for that activity. By virtue of that extended, that sustained engagement, we are seeing collaboration with the health care sector, even on issues that are not specifically related to COVID research, for example, the recent credible threat with ransomware against hospitals and other health care providers. We got tremendous feedback from the health care sector organizations like the American Hospital Association in response to that because, again, with CISA and HHS we put out those indicators, we had video calls and ways of engaging directly with CISA to let them know we were taking this seriously and, as a result, we were advising that they do, too. And then keeping up that contact, because we know that is a real resource strain when we are advising of a threat like that. It is a shift in resources, and that is only sustainable for so long, given that continued communication is important so we can keep them updated on what we are seeing.

One of the strategies that has been used in the past is to actually bring charges against people. I am thinking of the PLA hackers that charges were brought against. Did that seem to have an effect? However long it did, it had some knock-on effect. Did the PSA have a knock-on effect?

We are aiming at a number of different audiences when we do things like that.
There are many different tools being used, not only by the FBI, but across the federal government and the private sector partners, too. There is the PSA, but that was also followed by an indictment shortly thereafter that did identify Chinese cyber actors responsible for targeting COVID research. Increasingly, this is part of our new FBI cyber strategy that Director Wray announced a few months ago. It is not so much about an indictment. That is one mea
