Well also hear from the defense departments Deputy Principal cyber adviser. This is just under an hour. [applause] well, thank you very much and welcome back from lunch. If those who are in the exhibit hall, if you could begin to move back, we would greatly appreciate it. I want to give a special thanks to Northrup Grumman. So Jennifer Walsmith and chris valentino, i know, are here. If you could raise your hands . Jennifer is here and chris from Northrup Grumman, i want to give a special thanks to them for this lunch sponsorship. [applause] i also want to thank them for their seven years of sponsorship and support which has been greatly, really a key reason for us being able to host this forum with the government, military and to be able to do this now for the tenth year. So thank you very much. I want to just also point, give to your anticipation, please, on your seats are fliers that describe the next years event, september 8th and 9th at the Marriott Wardman park. So that will be september 8th and 9th, 2020. We also have Corporate Executives that are interested, we have a series of quarterly Leadership Council meetings. Were in the third year of that. If you look at the flipside, youll see the corporate members include cisco, aws, booz allen hamilton, raytheon, hp, northrup, google cloud. If youre interested in that, please let us know. Id also like to recognize and express our appreciation for the Advisory Board members. Ill list those once again as theyve been very helpful. So Brett Scarborough from raytheon, dan from google cloud, general greg twohill from sex terra federal group, brad from booz allen, will ash from cisco, mark kerr and sean love from northrup gullman. So if we could all give them a round of applause, please. So just a couple logistical announcements. Im trying to keep us right on time. If youre a member of that, isc squared, you can get credit by going to Registration Desk and giving them your member number, please, and they can send you a certificate they can give you a print certificate or they can send you a digital certificate. If youre an osaka member, i gather you have to go to the portal to register for continuing education. So were flighted to part delighted to partner with those two continuing you would organizations to offer continuing education credit for those of you who would like it. So this is a very full and exciting afternoon. Im very excited about. Well have a number of, a keynote from general crall who will be introduced shortly. We then will have a number of panels, and well conclude with keynotes from the [inaudible] from israel and from [inaudible] from the National Cybersecurity center in the u. K. So weve got a full day ahead, and well then have a number of awards at the end of the day, and im very honored that well be giving a Lifetime Achievement award im announcing this now to general mike hayden who will also give final remarks to our audience. And im honored by that. So with that said, id like to now introduce greg potter. Hes the Corporate Lead executive for northrup Northrup Grumman at fort meade in aberdeen, and hell be introducing the luncheon keynote speaker. Greg . Thank you very much. Thanks, tom. Thanks to billington for putting on such a great conference. Its my honor and pleasure this afternoon to be able to introduce the keynote speaker for this afternoon. [laughter] Major General dennis crall is Deputy Principal cyber adviser. He was appointed to that role in february 2018. Major general crall is a career aviation command control officer who has commanded squadron and group level. Hes got deep cyber and operations, Information Operations background where he was the chief of the joint Cyberspace Operations center at Central Command as well as the deputy chief of their Information Operations center at Central Command. Lastly, he was the branch chief for strategic plans for Information Operations at u. S. Special operations command. If you would, please give a warm welcome to Major General dennis crall. [applause] well, ive been introduced before [inaudible] look, its my pleasure to have just a few minutes to chat with you this afternoon, and id like to split my time here to get done framing a conversation and then being available to take your questions. So i want you, im your afternoon caffeine. Youve just had lunch, ive got enough excitement for both of us, for all of us here. What id like for you to do is to take the conversation up a notch, and were going to talk about warfighting for my quick portion of it. And were going to think strategically. And the slide thats in front of you is, my staff is embarrassed about my slide. I built the slide myself, and it probably shows. Thats about as many words as i want to cover in a framing document, and i want us to think the way the department thinks and breaks down our warfighting mission in this very critical domain. And im going to use the language that comes from our National Defense strategy and the Cyber Strategy that flows from that in 2018. And this is language that our former secretary of defense used very cheerily about clearly about lethality, partnership and reform. And its a great lens by which to look at signer and a few other quick items well talk about. But i need you to remember something when we have this conversation. Theres a couple caveats. Every one of these framing ideas doesnt exist unto itself. This is all about outcomes. Gotta make sure that we pause and think about what it is were doing, why were doing it, and if it lends itself to the ultimate mission, the reason were doing it. Which means theres got to be execution the make sure that were still on track. Technology changes, we all know, at a rapid state. Its easy to Chase Technology and not the mission. Its easy to stay focused on antiquity and not adopt modernization. So theres got to be some level of balance. And we do this within a government system of funding which drives a lot of this which at times is a bit episodic. And so the challenge is balancing really those three tendencies but not to forget this is all about outcomes. And driving to an [inaudible] what makes this difference in our different in our a approach is the right emphasis and weight to what we call per sunt engagement. The items that ill talk about especially under that wouldty lethality really lend itself to think about is this something were doing episodically . Is this something that i can stay in steady state, or is this a series of fits and starts . Which means you break continuity, lose momentum and dont have the ability for proper exploitation of success. These are all principles that we talk about in every other domain that we somehow shy away from in this one. And its just as applicable. In order to seize that advantage and to maintain that advantage throughout the operations. The other piece is we talk a lot about operations in a contested environment. And ill be honest, im not sure that we are as practiced as we need to be to be successful given the threats we believe were going to face. So im fully aware that there are those who believe we have painted our adversaries 10 feet tall and may be giving them more prowess or acumen than they deserve. But ill also tell you that there are time because we really believe that we can fight through certain things that are not well rehearsed that we may be in for a rude awakening if were not practiced and postured to succeed. So think about what an information contest would look like. Thin lines, red lines, very low bandwidth, the ability to prioritize information at the need of speed. One of the minimum elements a commander needs to fight. If those have not been defined, if theyre really difficult to figure out how youre going to employ that on a battlefield when you realize that its at that time under this crucible of challenge that youre not going to have a pause point. The fog of war creeps in, and everything becomes more difficult. These have to be practiced. And you have to understand what it means to your perfectly rehearsed plan when you do that in garrison, what it means to meet that plan on a battlefield. A famous boxer once said about his competition, said every man has a plan until i punch him in the face, right . You think about that. We all plan and we think about what its going to be like, and then we meet the crucible of contest. And weve got to be ready for what that looks like. And so when we talk about these principles, theyre not esoteric, theyre not things that sit out there to be admired, but theyre to be practiced, vetted, rehearsed, challenged, improved and implemented with confidence. Thats where we need to be. So lets talk about these things that are lee that wouldty first. Lethality first. Important the way i look at defining them. The first one would be the idea of authorities. Weve got to have the right authorities to operate in space. And it doesnt matter what kind of activity were talking about. Whether were operating networks, were talking more of an i. T. Centric role, whether were talking about defense or offensive operations, they require the requisite authorities in order to move at pace. This persistent engagement means those authorities need to be deep enough to characterize the battlefield as well. Not just simply execute. Youve got to anticipate in that authority realm that these things will be inculcated in plans, not sprinkled on afterwards. There are fore thoughts, built in, planned for and tested, as i mentioned earlier. Now, ill be honest with you, weve had a lot of help and mean that in a good way from this administration and congress in this area. They have loaded us up with authorities that we havent had before. Its important that we utilize it and line up a couple other items that go along with it. Thats one idea of that triad, but two others have to lined up concurrent with that. The other one is process. Youve got to have a process in place that takes advantage of the authorities that were given. If the process isnt repeatable, if its mired in quagmire, this idea of constant uphill ballots and fight battles and fights. Im not intimating that we should not share information with others and other interested parties. But the point is that the process has to lend itself to a successful and timely outcome. Not for a process that exists unto itself. Anyone whos worked in the pentagon personally and see the pentagon process up front knows exactly what im talking about. Secretary mattis used to have a phrase back when i worked for him as general mattis that when good people meet bad process, bad process wins. Bad process can take the most energetic, forceful, excitedded individual and crush them through a series of bureaucratic morass that doesnt lead to an outcome. So these are areas taking advantage of the authorities were given and working on new ones, looking at this process within the building and outside of the building to execute operations in a timely manner. And the last piece of this threelegged stool is on the idea of capabilities. Weve got to make sure that we have the Trained Work Force and the equipment to perform the mission at hand. Weve taken really a hard look at this work force, and in some cases i think weve taken it maybe for granted that the work force will be available. The amount of training thats required, the recruitment, the competition that were under to retain individuals given theres a lot of walks of life that people can go do. But looking at models that lend themself to attracting and retaining the best and brightest for our mission is critical to what we do. Also the capabilities in the terms of our tools that we have, to employ these are critical as well. We have got to make sure that we employ cutting edge technology. Weve got to make sure that when we start looking at ways we can take advantage, that we do so in a timely manner and that were not looking at Old Technology delivered too late. Theres a mythical quadrant that i keep on my board that i try and avoid, and thats the phrase of, you know, this may not work, but at least its expensive. Like, we want to avoid the idea that were paying premiums for outdated technologies. Weve got to be more responsive to onboard and use whats available. Think about lining up the authorities, the process and the capabilities, how critical that is to the lethality rubric that ive got in front of you. The next piece is the idea of partnership. We have a couple areas that challenge us here as well. On the good side, we know that partners many of our partners have unique authorities and capabilities we dont have. And we want to make sure that we take advantage of those. We want to make sure that we build their prowess and capabilities up through our practiced relationships. And as they get better, were better. Its less threat surface for us to look at. On the challenging side, however, with partnerships we still struggle with information sharing. How do we Exchange Information in a timely manner . Not just on the battlefield, by the way, as we have joint and Coalition Partners right next to us. In fact sharing gets more anytime information sharing gets more difficult. How do we move information at the speed of warfare and then take the it one extension further to our Defense Industrial base . How do we help safeguard our nations most critical secret ss at the time theyre thought of, through supply chain and eventually for the introduction in our warfighting apparatus. So partnering from the idea of Mission Execution and planning and then on the side of insuring that were able to share information with a common level of protection is critical for us. All of these have varying efforts that are ongoing in the building today and serve, again, that framework that i just described. The last piece, and ill tell you its one of the most critical because it involves the level of trust. Trust of the taxpayer, trust of our government of and keeping that trust and not breaking faith with our work force. And our war fighters. We need reform. Some of this reform is going at pace if, which is pretty respectable, and others may be at pace that needs to be picked up and made better. So what do we mean by reform . This is the idea of scarce resources being applied in the most consistent, meaningful and thoughtful ways. Gone are the days for everyone doing whats right in their own eyes. So the word that really surfaces to me the most under this category is standards. Weve talked a lot about standardsetting. We already understand what the requirements do to the acquisition cycle. Im not talking about that. This is the idea of making sure that we have common standards that we drive to and that we have an apparatus in place e to inspect what we expect, that we have adherence to those standards. Better were pretty organization as a result. This perform has to be deep, all the way through the lowest level looking at the workforce all the way up to the most extreme strategic waste that we palm action and activity. We have got to look across the department to make sure we do not have unnecessarily redundancies, there was a time in the information environment when it was new, when we use terms like operations, military operation, that we went to congress and asked for money on a new frontier. It is always been practice but this was a scale and embraced by the department and there was a time without money flew a bit too freely. And we cannot always account for how this was spent and we cannot always look at measures of effectiveness, we had a lot of measures of performance but not to provide the so what of money we were given and what was a permissive friendly giving environment turned into a very challenging environment to demonstrate a level of sufficiency and rebuild trust. I will tell you i think were probably not too far off in some of the realms within cyber of we are not careful. People want to help us, our leadership wants to help empower us in this area but we have to be very good stores on how the money is spent. You have to have something to show for, datadriven, really show the level of effectiveness for how we commit these measures. So every single day, we wake up in the office and the relationship with the chief Information Officer to be pushed with the relationships with our services, components, et cetera could not be closer and we think in these three terms, because the National Defense strategy tells us to think this way in her Cyber Strategy demand we think this way in the reveal are framed of partnership and reform. Strategic thoughts . A way to share a broad picture in less than ten minutes with you, i stand ready to take what will be your challenging questions that i can answer and i look forward to answering. Thank you. [applause] i dont know what the rules are, youre right in front of me with your hand up. [inaudible question] thats a great question, for those who cannot hear, this is about how the dd a d response to cybersecurity. And one of the safest, i would agree with that mpca could maybe unsatisfied with the answer they would get since that pulls outside of our primary work goals but not outside of the responsibility. I will say this, the answer will not be as detailed as you would like, there are challenges, similar challenges to how we share information and who owns a burden to responsibly in the liability if information is shared and solutions provided. These are not easy questions to answer, i dont pretend they have been solved at our level. I promise you this year they received more attention than i personally witnessed and there are fickle choices in the road ahead for the department to make. I dont know what the balance is personally and where the leadership will side but if you think about this, how much should the department do, and how much of the solutions a