Transcripts For CSPAN2 Discussion On Infrastructure Security

CSPAN2 Discussion On Infrastructure Security July 12, 2024

Security Department; I call myself one of its grandmothers, and one of its grandfathers, I'm not sure, is on this call with me, and the rest of you children are the successors. It's really wonderful today that we are having, I guess he's by phone, we've had a lot of Zoom issues, a phone conversation with the panel organized by the Wilson Center's very own Meg King, who has our Technology and Innovation Program, and a number of the rest of you on this phone. The topic is what is critical, involving the security playbook for managing ten and everything in between. While it's not as much fun to see you all online as it is to see you in person, if anyone can make a conversation interesting, it's Meg and the Science and Technology Innovation Program. Today, as I said, we're joined by the nation's chief risk officer, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Leave it to Congress to include security twice in your title. Chris will talk about how the department has protected America's critical infrastructure in the past and what we need to do going forward. Chris has briefed me frequently as a member of the Homeland Security Advisory Council and the Homeland Security Experts Group, which does not have security twice, and he even showed up last year at the hacking conference in Las Vegas. I was there too; I was a dinosaur in the room. This is his second tour at the department. He was senior advisor to the assistant secretary for infrastructure protection, and he was part of Microsoft's government affairs team after that. Chris has an impressive command, I know this from talking to him, of the threats that we face, and he has been at the forefront of tackling our election security challenges and of ensuring our networks remain resilient during a global pandemic, when the workforce all moved online from home and security is harder to verify, et cetera. 
Chris will give remarks, and then Berkeley PhD Melissa Griffith will interview him. Then a panel of geniuses, from Homeland Security and CenturyLink's Catherine, will follow to dive deeper into the challenges posed in securing critical infrastructure, digital and physical. And just before turning this over to Chris: how blessed I have been to have him in my life for a decade. She has taught me lots of stuff, especially about all this. Please welcome, by phone, the director.

I don't know if you're seeing me, but I was able to do a couple of run-arounds of the office. Did the video come through okay?

Yeah. We see you, but your mouth is not moving, so you may be frozen.

All right, let's try this here. Okay, I think I got it now. Sorry, it's giving us some challenges here.

That is much better. That is much better.

Okay, here is what we're doing. I'll give you a little bit of an overview. Thank you, Congresswoman, for the introduction, and I will talk to you about the things that we are focused on right now and some of the developments and shifts that we have seen in the critical infrastructure risk management space. Just for shorthand purposes I dropped the security. We made the argument that the second security was an appropriate modifier, so we did not need cybersecurity, but Congress at the time thought it was important to have cybersecurity. Nonetheless, it's a better name than we used to have, which was the National Protection and Programs Directorate; if you can tell me what that means, I owe you 100 bucks. It was not a very descriptive name for an organization that is the nation's risk advisor. Primarily our authorities are voluntary, public-private, and what that means more than anything is I cannot make anyone do anything. We have to really understand where the risk is, the shifts, the trends and the best practices across industry and government, distill them down into something that is usable, shareable and actionable, and get them out to our stakeholders as fast as we possibly can. 
It should not be much of a surprise, but the United States critical infrastructure community is quite large; in fact, being the American go-big-or-go-home approach, there are 16 critical infrastructure sectors. I say that to contrast with our partners in Europe and elsewhere, who in some cases only have five national critical infrastructure sectors; eight is probably the most I've seen in Europe. We have a larger footprint for infrastructure, but we also view it more expansively, and that's important, and I'll touch on that a little bit later. Nonetheless, given the voluntary approach, we do see ourselves as the nation's risk advisor; we're not the nation's risk manager, which would have more of a compulsory authority where I could tell people to do things and then they would do it. Instead we ask people to do things jointly, we give them useful guidance that provides value, and we find that in that approach, where you do try to understand what our partners see, we can get them to do things. Really quickly, over the last several years we have identified five key shifts in the way the critical infrastructure community is managing risks. The first is that it is becoming quite clear that risk is shared across all sectors. The second is that supply chain risk management is critically important. The third is that vulnerability management is also evolving and becoming more effective. The fourth is that what used to be a security practice has evolved into a resilience approach to critical infrastructure risk management, and that is evolving further into an antifragility approach, where you get better with each event rather than just surviving the event. Lastly, we are seeing organizations take a much more enterprise-level understanding of cybersecurity risk management, and that begins with it percolating across the organization. On the shared risk across all sectors, it is something that you have probably heard me or others say: if you tackle risks in silos, you will miss the bigger picture. 
What you've seen in the last couple of years in particular is that adversaries, particularly Russia and China and a few others, don't necessarily come in knocking on the front door. What they understand are some of the dependencies between organizations, and they will exploit some of those trusting relationships. There is one event, a Russian campaign launched a couple of years ago, where they came in through the energy sector, but not directly into the energy sector: they came in through a construction contractor. And think about Target, breached through an HVAC contractor. Risks are shared across organizations, and part of that is because the commonality of the systems that we use far outweighs anything unique to specific sectors. Control systems are another example: those things that make water treatment facilities' equipment move, intake and click are very similar to critical manufacturing, or, thinking about hard infrastructure, to manufacturing or power generation. A lot of those control systems are consistent, with unique applications on the edge across the control systems. The second piece, as I mentioned, is supply chain. Three or four years ago we had supply chain risk management, and it was not top of mind for most organizations. You'll get to hear on the next panel from folks who think a lot about it, including Catherine, who was my long-term partner in crime, but some of the work that we have done on the supply chain in the technology sector has really sprung up over the last three years through some of the work we've been doing. We should absolutely focus on the folks on the panel. 
Next, vulnerability management. This has in particular come into stark relief over the last six months; it's been a heck of a year for vulnerability disclosure. Ten or fewer years ago we used to have researchers or other organizations find vulnerabilities and release them to the public, and what happened in that situation was you actually gave the adversary, or any number of adversaries, a leg up over the defender. What has been rising out of industry, with the research community, is the development of a coordinated disclosure process, and there's actually a brokering that has happened between the security researcher and the organization: I found this thing, let's work together to make sure we get the patches and updates broadly provided, and I can get my credit in the community for discovering the vulnerability. Vulnerability disclosure is something in which we play a key role: we manage and fund a project at one of our universities that handles a lot of the facilitation between researchers and defenders, and we play a broker role. Even in organizations more broadly, we are seeing researchers brought into the development process, we're seeing researchers brought into operations and maintenance, and there has been an absolute surge in bug bounty programs, like at Microsoft where I worked, that will offer money, in some cases big money, $100,000 for at least one type of vulnerability, to researchers who conduct the research in an appropriate manner, so that if they find something they can hand it over to the company and the good guys can patch it before the bad guys can exploit it. The fourth piece is the shift from security to resilience to antifragility. You have to assume the bad guys will compromise your perimeter, in this case your networks, in cybersecurity, so how are you guarding or defending the crown jewels? 
There has been a significant amount of work and an emergence over the last year or so of what is known as the zero trust concept, where you assume the network front to back is adversary territory and you have to figure out how to have secure communications in an untrusted environment. That resilience piece has a continuing evolution, because effectively it turns into a whack-a-mole game. I'm really excited about the research happening and the adaptations, and this was a big push of prior Secretary Nielsen: springing forward out of an incident or a response. How do you become antifragile? Really all that is, is learning in real time and employing defenses that improve your posture, not just maintain your posture, through an event. That is, I think, the next evolution of the security-to-resilience shift. The fifth and final risk shift that we have seen over the last several years is cybersecurity at the enterprise level. Typically, historically, security has been the domain of the security team, and thus the CISO, but what I am keenly aware of is that the security team alone, without executive support and the funding and the push to become more innovative, will never achieve its objectives. We have really expanded our outreach and efforts to not just the infosec team but the general counsel, the lawyers and the boards of directors, to really educate them that cybersecurity is in fact a business risk, as much as financial risk, and they need to treat it accordingly. This past fall, or coming up on a year now, where did 2020 go? Last fall we issued a Cyber Essentials product that bucketed good security practices into three primary areas: strategic, technical and tactical. The strategic bucket focused on two things. First, cybersecurity starts with leadership; you will only have a successful program if your leadership buys in, supports it and takes part. The second piece on the strategic side is you have to have a security culture throughout the organization. 
Anybody that touches the network or has a device on the network is part of the team, and you need to make sure you are defending them properly but also that they have the tools and resources to secure themselves. So, again, it's not just about the security team but getting the executive buy-in, and that is important because once you have gotten awareness where you need awareness, and principally I'm talking about capital expenditures and investments, once you've got that awareness and the ability to set the organization's budget, then you will get the investments, and through that investment is where the real capability shifts and you close the gap on security. That is where it really happens. I will wrap it up there before we shift to the fireside chat, but the five things we really have seen a significant shift in over the last several years: first, risk is in fact shared across sectors. The second is supply chain risk management is as important a discipline as cybersecurity itself. Third, within cybersecurity, vulnerability management is the place, or one of the places, you can make the most advances to secure the network. Fourth, relatedly, it is about resilience and about zero trust approaches emerging. And fifth, if the leadership is not bought in at the enterprise level, then you will never get where you need to, both on the investment side and on capability development. With that, I'm looking forward to the fireside, so I am not sure if it is going to the congresswoman or, yeah, or Melissa.

Thank you, Director. We have the first question; they have a burning question for you.

I actually have a two-part question, and it is an observation: I think you are a breath of fresh air. You are brief, and every time you give it, and now we can see you, we were just going to hear you but now we can see you, I think you are a great, great credit to the administration and the department. 
My question is, first, the recent hack of all the fancy Twitter accounts was principally done by a kid of age 17 with two accomplices. That begs the question: do you have the people you need to stay ahead of 17-year-olds, metaphorical 17-year-olds? The second part of the question is, I recall back in the old days, when we were putting together the department and doing intelligence reform, we kept talking about the need to change a need-to-know culture into a need-to-share culture, and obviously sharing is good; however, sharing also means you have more vulnerabilities. So I guess: do you have the people, and is this need-to-share idea still the tagline, or is there some new one that I am missing?

On the hiring piece, I had suspected it was probably not a nation-state but criminal. Particularly in cyber, I'm not sure if it matters whether you are 45 or 17, which speaks to the ways we need to evolve our hiring practices. The standard general schedule approach, which is based on a system from 1929, is almost a clerical hiring approach; it really prioritizes experience, college and postgraduate degrees and certifications, but that is just not how cyber works. I have found there are some candidates that we are getting who come out of college and graduate programs and then are experienced, and there are others that I am getting, 17- and 18-year-olds, who apply with practical, operational, effectively hands-on experience in security research and online white-hat hacking, because they can turn on a computer. We've got to reconfigure the way we think about hiring and talent tools and maximize those approaches, and that includes a diversification of the K-12 education system but also, maybe, two-year colleges, almost as a trade in institutes rather than going to law school or something like that. 
But also, along the same lines, I think we've taken on STEM education, and as long as we factor in that security has to be a part of technology in education, I think we can get away from this overwhelming, or ongoing, narrative that there are cybersecurity jobs open. If we can make more stuff secure by design and by deployment, then we won't need all those, we won't have all those cybersecurity openings, but that is just to put more pressure on the technology jobs. The second piece, on info sharing: I was hoping in 2015, when the Cybersecurity Information Sharing Act of 2015 passed, that we would never talk about information sharing again, and I was wrong; it refuses to die. But the way I look at it, it is not so much the need to share information; it is that we need to operationalize our partnerships. We need to make sure that the things we are aware of, and what we are able to do, are reducing risk. One quick example of why I think the 15-year approach we have taken, at least in cyber, is off is that we talk in generalizations: share what you've got so we can stop the next attack. When it is that general and people can't say, maybe that thing is important and I need to share that thing, you don't make the progress or get as many people involved. But when you figure out a specific objective and you decide, we are going to defend the 2020 election from foreign hackers, okay, that is something I can scale my resources to address. Who do I need to work on that team? We get state and local, the Election Assistance Commission, the Director of National Intelligence, NSA, CIA, Cyber Command, FBI, let's get everyone together, and then you can, in a much more practical and executable manner, share information with a purpose that has the right context around it. That is where we are seeing the most progress right now, and to a certain extent this is a model that we develop f
