
C-SPAN3: George Washington University Cybersecurity Policy - Nat, October 26, 2017

In this portion you'll hear from coordinator Rob Joyce and Deputy Director George Barnes.

Good morning, good afternoon. One bit of housekeeping information: Tom Bossert is, duty calls, he's responding to obviously the devastating effects in Puerto Rico, and since his job is to be head of homeland security, cyber, counterterrorism, he's kind of running in a million directions. We are truly fortunate to have Rob Joyce in his place. For those of you who don't know Rob, Rob is the cyber lead at the National Security Council. He's the so-called cyber czar, the coordinator for all things cyber. He comes to the White House from the National Security Agency where, among other roles, he ran TAO, which I think has gotten a little more notice in recent years, and there was a time we couldn't even mention that. But Rob comes to this job with true professionalism. He's worked these issues from a collector's and an operator's perspective. And he has a natural ability to translate sort of those ideas into policy and the like. So Rob, thank you for doing this, especially at the last minute. I thought we'd start with a general question. The executive order that was promulgated in May. I know a lot of homework items were due early September, late August. Can you sort of give us a sense of where we stand? And I don't expect you to break all news in terms of what exactly was provided. But tell me where things stand and then in particular, just because it's been a common theme of our overall event today, the cyber deterrence language in particular.

Certainly. Please. The first question is, is this on? Sounds like it. All right, so thanks for the opportunity to be here, and Tom Bossert did send his deep regrets. He's in the middle of, you know, the White House response to the hurricanes, both, you know, as the devastation hit Texas, Florida and Puerto Rico and sister islands. So working that hard and asked me to step in. I appreciate the opportunity. Thank you, Rob. To talk in this space.
The executive order, let me give a brief thumbnail for those not familiar of what it covers, and then we'll talk about the reports that come in under it. Four big areas in the executive order. The first is protection of our government networks. Those networks are the ones that transact government business, but also hold the information of the American people. When you look back at things like the OPM breach, it's not hard to understand why we've got to put effort into making sure those are secure and modern. And I think anybody who's either interacted with government I.T., or is currently in the government, knows that not every place in the government is at the same level of protection and security. Probably not the case that everybody needs to be. But we do need to make sure the most important information, the most important both national security information but also privacy-implicating information, is protected. So the E.O. was tasking the modernization of those federal networks and thinking about how we do cybersecurity at scale. And a lot of that, you know, looking ahead, the recommendations coming in there were things like shared services: the idea of moving to modern cloud-based services, the concepts of getting connected to the experts in cybersecurity. When you've got the Bureau of Land Management overseeing important things like hydroelectric power production, they're not going to compete with DHS, NSA and DoD in recruiting cybersecurity specialists, but you want those networks just as secure as other places in the federal government. Thinking about how we can do some shared services even in security operations. So that's area one, federal networks. Area two is critical infrastructure. In that area we're talking about the 17 critical infrastructure sectors, things like power, energy, communications, health, water, transportation, maritime.
All of those sectors where often those are run and operated by the commercial industry partners, but have implications to the safety and even national security of our country. So that is a collaboration between those sectors and the U.S. government as to how we improve security. You know, this year the trend line continues that advantage is going to offense. That's a scary thing when you think about critical infrastructure. We can't have our power grid being held at risk. We can't have questions as to whether the financial sector can stay free from intrusion. So what that means is we have to have both security as well as resiliency in those critical infrastructure networks.

Not to cut you off, do you see a day where the initiative can be with the defender, or will it always be with the attacker? Red will always be ahead of blue, right? Given what you previously did.

I think, well, just one comment on that. I did TAO, but I also was CNB, yes, yes, assurance. There you go, you're right. I encourage people to flow across that membrane, offense and defense; the phrase I use with others is it takes a thief to catch a thief. Absolutely. Both of those jobs, I thought differently about the way we needed to move forward because of the experience of the other. So it's, which job trumped the other, not in terms of more fun, but I would say my TAO job was easier, and the information assurance kept me up at night. There you go. So yeah. So critical infrastructure resiliency is important. We can't assume that offense won't get through the defenses we put up. So at that point you've got to have capabilities: one, to find and uncover intrusions as fast as you can; two, minimize and localize the impact from those intrusions; three, when you do have an impact, how do you recover and recover quickly? It only takes the devastation that we're seeing from some of these hurricane impacts to know that when these services are down it has tremendous implications to health and safety and welfare.
Which, by the way, is part of a deterrent, too: the ability to bounce back minimizes the reason a perpetrator may turn to those directions, if you can demonstrate the ability to bounce back.

Absolutely. You asked about our deterrent strategy. You know, one piece of that will certainly be demonstrating resiliency. So if you have a question as to whether an effect can hold someone at risk, whether an effect will succeed or whether it will have the impact you're seeking, it may change the calculus of your willingness to go ahead with that.

Absolutely. And on the critical infrastructure side, I mean, no one will disagree that the 17 critical infrastructure areas are all important. But some are arguably more critical than others. Absolutely. The lifeline sectors: energy, electric, energy and electric, telecommunications, financial services, water, transportation. How do you, we can't have a peanut butter approach where we treat everything equally. Or can we?

There has to be priorities. We don't have unlimited resources. When you're faced with scarcity of resources, you have to prioritize. For me the base of that pyramid is the power sector. If you look at when the power goes down, things cascade from there. The sugar daddy of all, yeah. Can only run so long on generators. The communication sector goes down, the banking and finance sector isn't going to be able to transact. There's this cascading effect. In fact, we're working on the grid exercise that will be coming up; we always do an energy sector cyber exercise. This year we're trying to make this joint with power and the communications sector, I'm sorry, the banking and communications sector, to look at some of those knock-on effects and make it more realistic as to how society would react.

Even from a defensive standpoint, why rob banks, that's where the money is; clearly the financial services sector is very far along.
And quite bluntly, there are only a few sectors that could genuinely absorb some of the high-end threat indicator information, intelligence, whatever we want to call it. I don't remember, there's NIAC or NSTAC, creating sort of a super sector. Is that something you think worth looking at? Does that unfairly put some ahead of others?

I don't think we'll create a super sector, but we'll spend more time looking at interaction between sectors and making sure that all of the dependencies in one are teased through and the threads are pulled to impacts to others.

Then that gets to sort of the concept that we have unlimited vulnerability, limited resources and a thinking enemy that bases their actions on our actions; it's not like security is an end state, it's a continuous process. The question there becomes, sort of in that prioritization, anything new coming out of the executive orders that you think can, because we've all heard public-private, everyone agrees with that, I think. But I've been known to say long on nouns, short on verbs. We've talked about it. We've admired the problem. What are some, and it's not to suggest there aren't solutions. The energy sector, we just heard from Scott Aaronson at EEI; financial services, the FSR and the FS-ISAC, and they're doing phenomenal work. But it still comes to: policy without resources is rhetoric. So where do we see that coming down?

Sure. So I think it is a joint activity for both of us. Private industry has invested, government has invested. I don't know that the gears on the teeth are meshing yet, so one of the calls we often get from the ISACs and the FSARC is we need more sharing of the government knowledge and information that you have. In the classified arena, that's hard, to push everything the government has; sources and methods are, you know, implicated in some of that.
So what we've been talking about is, instead of the push model, send us everything you've got, is finding ways to integrate a few of the key analysts with sector knowledge into the government areas where they can then look for their equities, identify information that then needs to be pushed out for action.

And how about the vice versa? Do you see that going where government can spend more time in these critical infrastructure areas, not just hiring them out of government?

We think it is important not only for the connection but also for the development of the government expertise and the relationships. Awesome. Awesome. But I think that the most impactful step we'll have is bringing more into the analytic sectors from the commercial side so that they can have expansive access, but in a controlled way where the data isn't as at risk and we can keep track of what then is pushed out and shared with industry.

Coming to your role as sort of a primary producer of information and customer of other bits of information, but largely a provider, I mean, what did you find coming into a White House kind of role? This is more of a personal question. What did you think made sense? What didn't? All of these executive orders that we have all put a lot of blood, sweat and tears in, in this room, and of course you guys, but what really works? Did we have the ability to know in the event of an incident what would trigger an escalation, what a significant incident is? When are you going to get your war room together to be able to manage the consequences of an incident? Are those still we'll know it when we see it, or what are your thoughts on that?

No, we've got a process. In the end it is going to come down to expertise, right. That's why it is really good you're there, by the way. We have a wide array of really smart folks distributed across the community. So when you look at what DHS has, what ODNI has in the CTIIC. CTIIC, is that taking flight? It is. I consume intel from that.
For those, that's the Cyber Threat Intelligence Center. That is an organization that takes reporting from across the intel community, to include open source and commercial and partner information, and then tries to summarize up what we need to know. They're at the front lines of sensing and warning, but also the intel community and commercial entities. So every day across that wide array of participants, we all drink from these fire hoses of information streams, but what we rely on is the expertise and judgment of a bunch of different people, and things get elevated quickly. We have routine interaction where I host the interagency once a week. In that we talk about the threat landscape and other things, but with those daily information flows we've got a process when something is breaking to pop and call an ad hoc session, and there's a presidential policy on when we turn to a very formal coordination group that kicks off and is led at the DHS level that triggers some very formal processes, communications, interactions with the commercial entities, and even has a lessons-learned process at the end so that every incident we get a little better.

Can you give us a sense of what, what sort of an incident would potentially trigger that? I mean, obviously I don't think the Equifax breach went in, but if there were an attack on the grid, as you mention, as we saw in Ukraine, that probably would trigger it?

Absolutely would. A great example is, you know, as WannaCry hit the health sector. That triggered? It wasn't hitting in the U.S., but we watched the impact it was having in the UK, and that kicked off, you know, significant interagency processes.

What about IoT? How big, I mean, you've got a vast universe when we talk about prioritization that I'm sure keeps you up at night. I used to say I sleep like a baby, wake up every few hours crying.
But in all sincerity, where does IoT, and the fact that our attack surface is genuinely growing exponentially and the real time to get solutions is probably at the design phase, I mean systems to systems. For all of the engineers that are here, I believe you, I believe in what you're trying to do. But at what point, where does IoT sort of come into your thinking? And specifically, the physical-cyber convergence vulnerability, in terms of how we should be thinking about that.

So IoT is at the same time both a huge opportunity and a huge threat. The things it is going to enable in our society, making lives easier, you know, the train is moving and we are going in that direction, right? We're not going to slow it down and stop it. But as we saw in the Mirai botnet and other things, poorly designed IoT is a real threat to infrastructure, to capabilities, financial and even national security. So at this point there's been various calls, everything from do you do the Underwriters Lab to certify the cybersecurity of IoT, all the way down to let market forces drive. We're in the middle. We'd like to see great articulation of standards, what is best practices. We would like to encourage the industry groups to follow those standards. There's some really simple things that every IoT device ought to have and, you know, it starts with it needs to be updatable, right? The idea that when vulnerabilities are found it can be updated. You would like to have the ability to make sure that it doesn't have default credentials and passwords. Beyond that, the curve starts going up. Ideally, ideally its update process is cryptographically secure. They've thought about doing an update so it can't be spoofed. Those are easy things that are understood how to do. Market pressures are not always driving the companies to do the right stuff from the beginning, and that's where I think the government and industry groups can push and help.
You know, it is our desire not to see that pendulum swing all the way to regulation, which is why we in the executive order kicked off some botnet studies and other things that really go back to IoT roots and some of the same root causes.

Awesome. One other thought since you brought up crypto: the going dark dilemma and challenge. Obviously stymies law enforcement, intelligence. The flip side is without strong encryption, the Chinese, the Russians, whoever the perpetrator is, is going to exploit that information. How should we think about that? And then we have key provisions to FISA sunsetting at the end of December. Is there a call from Congress, and we just had Congressman Hurd here and many others, but what's the call, if there is a call to action, and help me think through the going dark phenomena.

Let me start with 702 first. FISA 702 statute, it is just a critical tool in the terrorism and even cyber defense realm. Happy you said that. Yeah. So it is a tool that helps us understand threats, and it is a lawful tool under close court supervision. It is, you know, even based on some of the reporting out there, you can see that it is well monitored. There's oversight from multiple levels, both inside those agencies and with independent verification. And so it is really important that we get a reauthorization. The administration has called for a clean reauthorization. So since you didn't get Tom Bossert here today, you can get a little of his information. He did an op-ed piece in the New York Times a couple of months ago. I would encourage you to go out and look at the op-ed piece, but it is a tool we can't afford for our safety to let sunset. I think Congress is well focused on it, and we're looking to keep that capability.

Awesome. When you asked about going dark, I think that, you know, the first message I would want everybody to understand is strong encryption is good for the nation. There's no black and white about that. Hear, hear. We need it for busine
