And great set of speakers today, along with acknowledging additional support. I am here for the next 30 minutes with brandon wales, the acting director of cybersecurity and infrastructure security agency, for what i hope is going conversationnating about the election, about the covid pandemic, about the state of cybersecurity and infrastructure security and Critical Infrastructure across the country. Brandon, thanks so much for joining us today. Brandon garrett, thank you so much for the invitation. I am very happy to be here and talk about the important work our agency is doing. Is december 3. It is hard to believe that exactly a month ago on november 3 we were sitting down as a country to watch the first Election Results role in. Roll in. It feels like as a country we have lived about 25 years in the last month, and i would imagine for you, it has actually felt somehow longer than that. Byanted to start off today taking you actually back three thursday after the election. They put out a statement i wanted to quote three lines from. The november 3 election was the most secure in american history. There is no evidence that any Voting System deleted or lost votes, changed votes, or was in any way compromised. While we know there are many unfounded claims and opportunities for misinformation about the process of our elections, we can assure you we have the utmost confidence in the security and integrity of our elections, and you should, too. My question, brandon, we have seen a lot of claims, a lot of arguments, a lot of court cases over the three weeks since that statement came out. Is there any reason in your mind, anything you have seen, anything you have read, anything you have heard that would cause you to change that Statement Today . , the agencyrett stands by the statement that was issued at the beginning of november. But i do want to add a little bit of context to that. First of all, it was not a statement that cisa issued alone. It was a statement that was by the entire Election Security community, the people who work for the security of our election infrastructure, people from the federal election assistance commission, people who represent the secretaries of state, the state election directors, the private companies that actually provide the equipment for most of the elections. Secondly, a lot of the claims that are out there have to do with Election Fraud, which is beyond the scope of the work that we do here at cisa, and of the work that we have been focused on building. Election fraud is the purview of the department of justice and state and local authorities that have the responsibility for investigating and prosecuting that. And the attorney general has been on record talking about his views on the scale of Election Fraud during this election, while recognizing they are continuing to investigate potential claims of fraud. As of right now, we do not have any specific evidence of systems being compromised, but we continue to work with our state and local officials. If they have concerns, we are one phone call away from helping and assisting them. I think there are times when our statement has been misconstrued to say there have been no problems with the election, that it was fraud free, and that is just not the case. Secureelieve that it was from external interference, which is our mandate, and we are proud of the work we did to get to that point. Garrett i want to stay with the election for a moment longer to talk about the rumor control website that cisa launched in the runup to the election. Tell us a little bit about what the agencys goal and hopes were for that website, and what lessons you feel like you have how that website has been used and the mission it has fulfilled over the last couple weeks. Brandon we originally put that website up in the weeks before the election, partially in response to activity we were seen from the iranian government, associated with voter intimidation emails. We thought it was an important way for us to put out Accurate Information about the security of voting infrastructure, that foreign adversaries were undermine peoples confidence in that voting infrastructure. And since that time, we have continued to highlight key parts of the process and talk about the security and resilience measures that were either always in place within those systems, or have been put in place over the past 3. 5 years to give us greater confidence in these that these systems perform as expected. We are putting out very broad information about how these systems normally operate, the systems that are in place, the laws that govern it, and providing information where people can get more detailed information. You will notice that our website is not the same as Fact Checking done by media organizations, which tend to be extremely specific to claims that are made in specific locations and have unique circumstances. We are talking more broadly about the overall processes in place, the overall site guards that are in place. That continues to be important to educate the American Public about how these systems work and why they should have confidence and why there should be a high theser perusin proving systems have been compromised. Garrett do you intend to keep the rumor control website going through the Georgia Senate elections, or is this something where it was a website targeted at the president ial federal races and you see it now winding down . Brandon what i have told our staff is our Election Security mission, particularly associated efforts,protect 2020 will continue until all the elections are complete. Rumorl continue issuing control entries as we think the situation warrants it and where we think we can have an impact. We will do that through the end of this cycle, which hopefully will happen sometime in early january. Curious ifwould be you could talk a little bit about this is the first president ial election that cisa has existed for. Two years old last month. I think it was november 16. Happy birthday. Whatu look ahead now, lessons do you take away from going through this president ial election, both in terms of looking ahead to the future of elections, the Election Security missions, but also what have you learned from the security efforts of this election that you apply to the Critical Infrastructure role that cisa plays . Brandon sure. It is four areas and i will try to make it quick. First is the degree of partnership that we were able to build in the election Infrastructure Community and it was incredible. Extremely broad relationships, extremely deep into counties and election vendors, and those relationships were essential in allowing us to execute a broad range of activities. Second, we were able to dive into that sector, understand how it develops, decomposing into critical functions, look inside those functions and see what was critical to those functions, and that fed into our operational work to understand vulnerabilities and apply enhanced security practices around those. Third is our relationship inside the federal government, where we had information sharing that has been second to none in my 15 year industry working at the department. Information being shared between our colleagues, the fbi, with us, early awareness allowed us to take quick action, get Additional Information, pass it back to our colleagues in the Intelligence Community for them to get Additional Information where they had insights and access, and that cycle allowed us to get ahead of threats. It allowed us to hunt for activity more quickly. It allowed us to be intelligence driven, which it should have always been. Those are some key lessons we are now applying to our broader cybersecurity work in understanding in an area where we may not have the amount of leadership focus and attention like we did across the entire u. S. Government. How do we continue to get as much progress made on our mission . , and thishe fourth is is frankly an area where we will have to continue to work, what is the appropriate role for the federal government in countering disinformation . Where can we be that trusted voice and where might we not be able to make a real difference, and how do we rely on other voices . How do we empower other people who can counter disinformation and misinformation that is out there. . Garrett i want to stay with that last point because i think it is such an interesting question. One of the things that was unique and somewhat unexpected is this countering disinformation role. That is not something that federal government traditionally did in past elections. Four years ago when we saw the russian attack on the president ial elections, the Internet Research agency, there were no capabilities by the federal government at all to combat this operation. And i wonder, particularly around the question of we are about to go from this very heated and fraught election information environment into over the next couple of months presumably a very heated and fraught information environment around the Covid Vaccine and the efficacy and the effectiveness of the vaccine and the treatments that are going to be rolled out by the federal government. Do you see cisa continuing to play a role in combating disinformation and misinformation around the vaccine . And do you think the federal government should have something who a misinformation czar has the inner agency, crosscutting role to take on big issues like this in the public sphere . Brandon i would say a couple of points. Outt is we rolled this based upon things we were seeing out there. Partially in response to iranian government activity. But we were also taking lessons from work that was done by others, for example fema often has rumor control during major disasters to dispel misinformation related to the incident or aid that they release, and they operated rumor covid earlyted to on during the pandemic. That being said, more broadly, i think this will be an important issue for future Political Leadership to look at. I dont think the u. S. Government has yet cracked the code on the best way of countering disinformation. As i pointed out, the federal government may not always be the best option, the right trusted voice, on these kinds of challenging, divisive issues. And certainly for cisa, i am not sure this Cybersecurity Agency will be a trusted voice when it comes to things like vaccine safety. And there are other people in the government who are better positioned to provide Accurate Information to the American Public, so they have confidence in the decisions that are made to approve, for example, vaccines for public use. You have been playing an active role in operation warp speed. We have seen reportings in the last 24 hours, including this actors, about foreign north korea and otherwise, attacking the intellectual property, attacking the Health Care Companies involved in vaccine development. What can you tell us about this threat that you are seeing involved the companies and the supply chains involved in the development of the vaccine . Brandon it should be no surprise to people within the Cybersecurity Community that from the very beginning of the pandemic foreign nations were targeting Vaccine Research and Development Efforts across the country, using a variety of mechanisms together information. We are seeing that continue to this day, and it is one of the reasons why we are in Close Partnership between cisa, the nsa, the fbi, with the department of defense and hhs to provide as much cybersecurity support to the entities involved in that effort. And i think in part based upon things like what was released this morning by ibm that there is more that we need to do to push deeper and further into these supply chains, not just the Big Companies behind the vaccine, but the companies that will be essential to get this vaccine from manufacturing through distribution, that last mile to the american people. We are doing everything we can to raise awareness in that community. Goal is toely, our secure that supply chain so that no effort by any foreign nation or other criminal organization has the possibility of disrupting this Critical Health care delivery. Garrett how has the deed and the partnerships you have been trying to develop through operation warp speed changed your way of thinking about the role of Critical Infrastructure sectors . Brandon i dont think it has changed how we think about our role. I think it has certainly shown us that we need to have deeper criticalhips with sectors before the Major Incident happens. I think our biggest challenge early on during the covid pandemic was that we were not able to as quickly as we wanted get the companies that we saw as highest risk, the facilities, the hospitals, others, up on our Cybersecurity Services because we did not have enough relationships with the right people and the right places. One of the key things i have asked the head of our Stakeholder Engagement division, we do stock taking on where we are across Critical Infrastructures because we dont know where the next issue is going to be that will require us to surge our efforts into that area, and do we have the right relationships at the right time for us to get our Services Fully utilized . That has been one of the key lessons we have taken out of this process. Garrett and that, by the way, what was learned out of the 2016 election, that we are starting to try to push back against the russian attacks. Dhs at that point did not have the election level relationship that it needed. This is obviously a hard thing to predict but you look at the failure of imagination that led us to now thehe relationship, failure of imagination in the relationship with the health care sector. Int are you thinking about terms of where we might see something we are not prepared for right now . Nation, whatss the do you think is the thing we are not prepared for next . Brandon i dont know that i could give that answer, if i could predict the future Major Incident and maybe we would not have it. That being said, i think partly the challenge is there was a big difference between elections in what we are doing with health care. In elections, we had no relationship with the Election Community because it was not on our sector framework and we had not invested time and energy. Health care is a little different. It has been a sector since the very beginning. We had relationships, they were not at the right level. We did not have the right executive Level Relationships to make a difference during those critical times. It is less about do we have no relationship in some of these critical areas, whether it is the electric power space or critical manufacturing or elsewhere, it is do we have the right relationships . Can we talk to the right Decision Maker if there is an urgent issue like a pandemic and get them to authorize some action, some partnership with the u. S. Government quickly when we see a potential problem . It is more thinking about is the relationship that we have maybe to their sock at a particular company, is that sufficient for what we need to engage with that company in the future . In a lot of cases, what we are seeing with covid is when we are in a really bad day, that relationship is not positioned. We need to have multiple levels and we need to do a lot more to engage with those companies and build the depth and strength of those relationships so we can take action more quickly. I am going to oversimplify a very complex, bureaucratic theme that has been playing out the last couple years, but this is primarily what i would describe as a carrot agency. You do not have a lot of stick you are able to better critical him batter Critical Infrastructures to do. Subpoena power, that type of thing. As you look back over the pandemic, do you feel there are authorities that should have or could have had this year help you navigate this pandemic more smoothly . Theett i think you raised administrative subpoena question, and that has been our top legislative priority during the past year. We are hopeful that if we get a National Defense authorization act, the authority will be captured in there. Even in that case, it is more carrot than stick, so that allows us to get information a vulnerable ip address that we are seeing out in cyberspace. It allows us to connect that to an individual company that we can go talk to. We still dont have sticks again site company. We will be showing up there in a voluntary way, asking them to close this vulnerability we have seen exposed on the open internet, and that that vulnerability has the potential to cause negative downstream impacts, and we want to have the ability to make contact with that company. Today, cisa cannot make contact with a company that has a vulnerable piece of infrastructure on the internet. We do not have the ability to compel that company to make a change, but today, we cannot even talk to them. We believe still that the voluntary approach that operates that cisa operates in his the best. There are challenges to trying to implement regulations in a space as cybersecurity. We believe the work we have done in things like elections, if we , we in a Close Partnership can have impacts even in a voluntary way. Garrett i am trying to