CSPAN3 George Washington University Cybersecurity Policy October 17, 2017

On tactical public-private innovation collaboration, a number of the public and private sector issues on cybersecurity. I want to also echo Frank and thank our sponsors for this event, Northrop Grumman, and Marcus Edwards, who has been our sort of partner in getting this organized for the past few months. In addition to his day job, he's also a Doctor of Engineering student here at George Washington University. I don't know how he finds time to do both of those things, but thanks, Marcus, for all of your work on today's conference. I'll briefly introduce the panel that we have before us, and then we'll go right into a discussion, with some time at the end of the 50 minutes for audience questions. First, immediately to my left, your right, Scott Aaronson, executive director for security and business continuity at the Edison Electric Institute. He's been there since 2009, working in a variety of roles before getting his current position. Before that, he worked on the Hill for Congressman Lantos and Senator Nelson for a number of years, and has a master's here from GW, from the Graduate School of Political Management. And also, as will be announced early this month, he will be a member of the senators board of directors. Finally, to his left, Kiersten Todt is the president and managing partner of Liberty Group Ventures and also a resident scholar at the University of Pittsburgh Institute for Cyber Law. She served last year as the executive director for the Commission on the National Cybersecurity team led by Tom and Sam, and a number of recommendations in that report, which was issued late last year, have found their way into the executive order that was issued in May of this year, and we'll be discussing some of those issues in the course of this panel. She's experienced before that in the private sector and also up in Congress. And finally, on the far end of the table, Chris Valentino, director of joint cyberspace programs. He worked at Northrop Grumman for a long time in a variety of roles.
And for many of their cybersecurity activities, so I want to thank all of our panelists for being here. And, you know, we sort of talked in the last panel about some of the cyber threats, cyber defense questions, but this panel is much more about the fact that if you look at cybersecurity, it's a shared endeavor between the public sector and the private sector. A lot of oxygen on those issues in the past decade has been about information sharing, about regulation. I think there's been a shift in the last couple of years away from the focus on those two issues. Information sharing is still an issue, but legislation has been passed. Regulation still exists in a variety of forms, but it's not the all-consuming issue it was. I think now the public-private sector dialogue is much more about how the public sector and private sector can work together, not just on sort of sharing information, passing it over a wall and barely interacting with each other, but collaborating, building, sharing information, working across the intelligence cycle, working together on things like R&D and workforce development, and building the architecture for the incentives to be in place for government to be funding the right things and for the private sector to be doing the right things. So I guess, turning first in general to the panel to make a few opening thoughts. You know, I guess focus first on the executive order from May. A key provision there was looking at how the U.S. government provides support to critical infrastructure that's at greatest risk, referred to in some cases in the previous executive orders as the Section 9 critical infrastructure. What's your sort of baseline assessment about how well the federal government, DHS and other agencies are providing support to this most critical infrastructure, or the private sector in general, against cyber threats? What additional types of support are needed?
And where do we draw the line at what's the government's responsibility and where the private sector's responsibility should be? And if you want to take a first crack at that, Scott?

Sure. Thank you, Christian. And yeah, good open-ended question. I'll start with the last thing you said first, which is where does the private sector's responsibility end and the government's begin. It's not some bright line. I think it's a really jagged line, and one of the more important things we can do is not just assume that the other half of the equation has it. So I'm privileged to support the investor-owned electric companies here in the United States. But I also serve as secretary for something known as the Electricity Subsector Coordinating Council, or the ESCC. The ESCC is unique among sector coordinating councils in that it is led by CEOs. So we have 30 CEOs from all segments of the industry, across all of North America, that get together three times a year under blue skies to do strategic planning, looking just over the horizon. And I'll quote our co-chair, who likes to quote Wayne Gretzky: we want to skate to where the puck will be. It's about looking just over the horizon, something CEOs do particularly well. This in general: they create accountability, they provide resources, they set priorities, and most importantly, in the context of Christian's question, they're a draw to other senior executives. That is, other senior executives in other sectors with which we are interdependent, and with our government partners. It's phenomenal. And part of the reason why it's phenomenal is because we have senior government officials from the Department of Energy, the Department of Homeland Security and the White House getting together on a regular basis, when the skies are blue, with leadership of the electric sector. The last month, we have been getting together on a fairly regular basis because of storm response.
And so I think I can draw the connection between cybersecurity, the topic of today, and what we have been doing with respect to storms. I think there is this focus on left of boom, before the bad thing happened. How are we preparing, protecting, defending? All really important pursuits, to be sure, but you can't negotiate with Mother Nature, and frankly, even with an intelligent adversary, if we have to be right 100% of the time and they have to be right once, if we're not focusing on consequence management, how do we respond, how do we recover, how do we get this critical infrastructure operational again, we're missing an incredibly important part of the equation. I can say for the last five weeks and one day, who's counting, we have been working really closely at all levels of government to leverage the resources and capabilities of both the industry and the government in response to major natural disasters. And the same would be true in a cyber or physical attack situation. So a lot of what we're doing with this blue-sky planning is preparing for when these bad days happen. I can say from the last five days of experience, the foundation we have built of government-industry coordination at a senior level that sets those priorities, that creates that accountability, that provides those resources and brings us together has been invaluable.

Thank you, Scott. Kiersten, did you want to add anything to that?

Always. Thank you very much. And thanks very much for the opportunity to be here and for this conversation. So you asked a lot of great questions, and there are a lot of different ways to look at it. I'll take two pieces to this, because you talk about critical infrastructure. One of the key issues that the commission looked at was how do we define critical infrastructure? And the challenge that we have now in an interdependent world, and particularly in the Internet of Things, is how we all rely on each other.
So when we define critical infrastructure as it's been defined over the years, it very much has the boundaries around it. Scott knows this better than most, given the industry he's in. We talked a lot about how technology and innovation can start to blur those lines, and some of you have heard the analogy I used from one of the commissioners, who talked about a goal of Uber timing the traffic lights in San Francisco because they can saturate the roads, but the last thing he wants to be classified as is critical infrastructure. And Facebook as a communications redundancy: the last thing they want to be defined as is critical infrastructure. So we have to evolve the framework of how we're thinking about what is critical to our society, and there is honestly no better current event to demonstrate that than the Equifax breach. Rest assured, Equifax was not identified as critical infrastructure, but if you're one of the 143 million whose files were hacked, you're thinking it's critical, because it's critical to you. We have to think much more thoughtfully about this definition. I struggle a little bit, and I know DHS came out this week to say, hey, we're going to look at how we define Section 9. That's a very important step, because Section 9 and what it means has to evolve with the time and the threat, the times that we're in right now and the corresponding threats. And it's interesting because I have, I agree with everything that Scott said about how we look at it. And I think given the industry that Scott's in, and particularly with the unfortunate exercise of what they're going through right now, what I would argue, though, writ large in response and recovery is that the challenge we have had with government and industry tends not to be in response. Government does incident response really well. We heard from Aaron Hughes about PPD-41, and that's great. We tend to react, when it comes to cybersecurity, very effectively, or in other places.
The other example we use a lot in this is looking at Obamacare. We spent a lot of time putting that together, and then it failed, and then in 60 days we got up and running a fantastic system, regardless of where you stand on the issues, as far as technology and where it goes. So our ability to respond is actually very effective. When we look at cybersecurity, though, the challenge we have is what we're doing beforehand. And if we, you talk about information sharing, and we joked around on the commission that we never use the term information sharing because it's really lost its meaning. We heard on the previous panel the difference between partnership and collaboration. In the commission, we talked a lot about collaboration. One of the commissioners was adamant it's about industry and government coming together before the event happens to work together to develop the relationships that Scott cites very effectively, and because of those relationships, you're then able to respond very effectively. But in a cybersecurity situation and how we're looking at government and industry, we haven't taken the time to develop those relationships, to take a page out of the Pentagon playbook and talk about deliberate planning, training, exercise. And by doing that, and there's a recommendation in the commission report that talks about engaging senior leaders of industry and government, you look at and hold each other to a high standard. And in conversations I have had with several leaders of industry since Equifax, part of that value is saying, hey, are you doing the basic cyber risk management actions? Are you patching? Are you doing these things that everybody knows you should be doing? If you're a part of this group, and I think the groups that Scott is a part of are really role models in this situation, you're actually holding each other to a higher standard to prevent some of the very basic gaps and arguably gross negligence we're seeing right now in the industry.
So we have to redefine how we're looking at critical infrastructure. And from a cybersecurity side, we really need to look at what happens before the event, so when the events do happen, we have all of those relationships in place.

Thanks, Kiersten. I'll turn to you in a second, but I want to ask one quick thought to Kiersten. The whole concept of critical infrastructure as we use it within the federal system goes back to physical attacks against infrastructure, back in some of the work done in the 1990s. Are we really, should we really be thinking about, is the, as we're thinking about cyber or cyber-enabled threats, and you mentioned Equifax, the attacks on the election systems are also an example of this, is critical infrastructure still the framework that is suited to the times, or do we need to basically be starting over and be rethinking the way we classify and look at different types of infrastructure that's at risk to digitally enabled threats?

I have a policy perspective on this. I would love to hear Scott's view on this. I do believe so. To your point, the definitions are based on physical attacks. They are not based on what the threats are today. So how do we reframe how we're defining it? It's not to say that we don't need support and extra support around those functions that are critical to operations, but the challenge is that you have critical functions that are dependent on noncritical functions. That's because of the cyber infrastructure we have created. So how do we look at those definitions to honor that? I'll make the quick point that at the beginning of the collaboration deliberations, we said we have to look at standards for things that are life-affecting: driverless cars, pacemakers. Then last fall, it's like, of course, this is about the weakest link. If you can access your critical infrastructure through a baby monitor because they're hooked up to the computers, then what are we doing to actually look at that?
And that gets into the cascading discussion around incentives and security.

And Scott?

Jumping in to react, I do want to react just a little bit. I think, much like I couldn't agree more that information sharing has lost all meaning, to me it's information flow, and we can talk about that in a second. But with respect to the question about critical infrastructure, I do think on some level we're over-defining what is critical. I like to juxtapose IT versus OT. Look, none of the companies that EEI represents wants to lose the personally identifiable information or credit card information of their customers, but that's not critical to national security. Attacks on electricity infrastructure, attacks on communications infrastructure, that really is a national and economic security threat. And so I think if we're talking about critical infrastructure, we really have to think about it in terms of operational technology and the impact that can have on the life, health and safety of Americans in their daily lives.

Chris, turning to you. Northrop Grumman, in addition to supporting the government, is an owner-operator of critical infrastructure. If you want to jump in and react to any of this or make a few opening comments of your own?

Relative to the EO and what it tries to establish, there are three key points. First and foremost, leveraging in this framework a consistent set of standards, and even just an approach to doing the basic kind of blocking and tackling from a protection standpoint, and then shifting from a risk management aspect to what Kiersten said about the weakest link. With our industrial base, the weakest link becomes the supplier base, which hasn't been held to the same set of requirements and standards that the rest of the industry has, whether it be their size, their focus, or whatever you might say.
So being able to transform that core supplier base to the same set of standards, and that will then enable the ability to share information in a more effective way. We don't even have the tools and technology to accept the information you want to share to create some type of proactive defense or response. You don't even have a starting point. So that's kind of job one, just to establish the core framework and go from there.

Any of you want to react to that? So Scott, as you mentioned, you know, the response in Texas, Florida and now Puerto Rico, you know, and the impact on the electric sector. One of the provisions of the cybersecurity order requires the Department of Energy and DHS to assess response capabilities due to the disruption of electricity. Do you have any sort of insight into where things stand with that review from the industry perspective as it pertains to cyber risks? And how do we think about these cyber risks to the electric grid from a hazard standpoint as they relate to man-made, or rather sort of other deliberate, attacks against the cyber barrier?

So maybe this is blasphemous, especially as we're talking about cybersecurity, but I'm kind of threat-agnostic. I don't really care why our systems have an outage, whether it's a cyberattack, a physic