Hap havehave a very specias goigoing tp going to recg award today. Ththis nexp this next path the chief Information Security officers. Were fortunate to have some gregreat peoplp great pegr us today. Or oourp our moderatour preside president president e preside president presiden. Joinip joining frajoining nicholpnicholas ward, chien securiSecurity Officer from Th Department o department of just barney,psecurity divisiosecuri lalandp land securitland s. Lalandp land securitland phes the deputhes the de security and the d. O. D. Chief Information Security officer, ar and stacey dawn, chi Information Security officer ch expoexport import bank. R please have a ptth us today. R i knp i know ti kno thp this panel between lunc happ happy hahappy haur be panrpane panel weve i. We arwe are p we are a alr alalso makep alsoale aandr and weand wed p about that. P if we couif we could jus dodown thep maybe formaybe ft agencys security environment ar and sop and some of youp youyoure dealing w cyber. Sure. Identip identify the chief Security Officer for the department of we have ab25 differep differedifferen25 differep differedifferent t we hawe have to protect. R pa lot oa lot of per enforcemenp enforcement, w incarceration, the whole life cycp cycle cycle of crimin realreally what the Department Justice does. I tr i try p i try ibe. Some p some of tsome of th is looking atpis looip aand support missions. P i rapidrapidly catcp rapidrap br but kebut keep up b enabenable thosp enable ens ththey wanp they want toth ap and address those kind somethip somethingsomethin somethip somethingsomethi my career. R ip i im try r so we can do that. Se everybody no all the time. Pi w helping them complete their missions. Shane . R im shane barney. We ap we arewe are a compo security. 
We are responsible for the administration of the immigratip immigration sys the administration of the benefitp benefits, citizen permittpermits permitpermitsrpermits othp other components withi agenagency on immigration rela issues. Itp its a veits a very l complex mission. Therer theresp therethf complex mission. Therer theresp theret. Onr once once in p oon somethisomething about it inb wewere very spread out. We hap we have 2r we havp arouaround thp around thar, arouaround thp around tha end points. We are cloud heavy. Weweve beep weve been i tp ten years, about 85 poinpoint, maybe even more. Therertheres a lot of challenges. As r as a heap as a a constantlp constantlconstr developin securing cloud, whi againp against aagainst all we donp we dont evrwe we the challenge. Pso itso. Excellent. Thathank yo thank you fo d. O. T d. O. D. O. D. Si. We har we havwe havewet p 4 milli4 million end pma sor some kisome kind op. R if yif you loop ifif2 millimillion end points. I pretpretty bi pretty big s challeng challenge, when you h attap attack surfaattack larglargep large, itrlargp difficudifficult to fin9cl them. Rigright nop right now ifi. P its realits realli try and keep pace. Ir it seeit seems liex stp stop thstop that parton hahave ip have ispwhat we d. O. D. O. D. Defense a little bi contincontinue tp contintir capabilities. Thatthats kind op thats view. R p heari hearing yop your environmeyour env little bit of anxiety. R i ip im s state states. How many exd states . Fair number. Bpbut there are somep they providing credit and insurance ar aanp and guaranteed companip companies thcomp producproducts to other counb agencagency, we have the challf beir being abbeing ablp that you hap that you havth tthe samp the same standthm tthe samp the same standt tthe largest tthe samp the same standt tthe larges agencies. R so we hap so we havsot r sop modernizatiap today. Youyoure alp youre ayou systemsystemsp systems, rs objectives. Rwe cast it modernization. 
Theretheres four kep ther. Ip im hoping i dont have holidp holiday iholiday in. Tr the firthe first one. Thr that that is onpths thp that we hathat we hav implement our d. O. D. Cloud strategstrategy, trying to dri departmep department depare strategstrategy, trying to dri departmep department depa f commercial cloud. Tp the rethe real intentt o tp the pbring nbring new ca field faster. Phow weho country. Sr so thatso thats ho country. Sr so thatso thats th betwep between cloud and a intelligenp intelligence ma computir computip coco a. A. Ip a. I. Algoritha. I. A. I believe general shanahan yesterdp yesterday walked t little bplittle bit of whatn r is ap is and h department. Tr the thip the third p contrcontrol and communication basically how sttjsuppor modernization. You cyou can havp you cayp clo clocloud in the world. Thatthats kinp thats kin frfrom r fromfrom a fr tir ties p ties to ou knop know, boknow, both yo levr level ap level and level. Mpmy understanding of the ispbecause webecause wev as long as long ap as loh of these issues. I was reinforcepthe point that t together is that if infrastructup infrastructur security is code. Pso froso agenp agencagency level, if ar and p and my sock d y lor lost tlost the wal aware of it. Werweve hap weve had sowev interestiinteresting experienc, learned a lot. P c n you cp you can possibyou c it. Havip having thohaving thoe ras parp as part of you critical. R we startep we starte aboabout p andwh is ip is im having pure data sets. If onlp if only there was company that could help with that. Ill move pshane, ish. The security executive order and tther the i. P the i. T. Have bephave been encouragit agenciagencies tpagencies r increasip increasing the u services as well as Common Security frameworks. Hhow wilphow will sharedtp r as yas yop as you ash tr to cybto cyber ant across the federal p im a shared services thing. Sharp sharshared service s realreally unique opportunitie framewoframeworp framewofr. 
R aatp at dat dhs entientire socpentire sock on thepwe adopted i we. P model of how to asses elements are involved. Itr its goiits goinitn itr its goiits goini s to compap to compare oto c to serto see whp to se excellence excellence in certan to serto see whp to se excellence excellence in cert leverap leverage that for t donp dont have that cente excellence. P that is a good urthat framework. Are required based on our we hit all 17 points. We're rock stars. We're not even like kind of green. We're 100 green. That's where the danger starts to creep in and it makes an assumption that you've checked a box and you're now secure. It involves far more than making sure that you've checked all those boxes. That you're actively engaged in doing bug bounties, that you're always assessing all your risks and understanding what is critical and what is not critical so you can assess it appropriately. There's those elements. I don't think the frameworks always capture that. The shared services offer us the ability to save cost so long as it becomes the standard by which we define ourselves. Makes sense. You know, for me shared services, I think, is a critical component on the even attempting to win this fight in cyber. How many federal agencies are there out there? There's just not the talent to be able to actually fight this war. There's no way every single agency can possibly recruit all the best people and be successful here. That's one area that we saw. We did well in security operations so we built a security operations as a service. We offer that out to other federal agencies because we just think it's really important to have good strong capabilities that can be leveraged across any agency and we shouldn't be trying to hoard those things and keep them for ourselves. We need to share them with everybody else. The cost savings is definitely a piece of that, but I think it has more to do with how do we share the best capabilities we have within the federal government. 
Leveraging pockets of expertise. Absolutely. From my perspective it becomes, I'd almost love to talk about an API framework. I always get back to the data because a lot of these conversations that I would have at the department at my level, it always comes down to that data element. API models within that framework would actually really extend our capabilities and allow us to know where we have our gaps. In terms of shared resources, absolutely. I don't need digital forensics in my SOC ever, really. I'm happy to push that off to somebody else. But there are things I do need that are unique to me that a shared service model doesn't always permit. There's got to be a good balance, is my view. Using the Defense Industrial Base as an example, you've got the big guys pretty well situated. They understand how to operate a SOC on down the line in terms of cyber capabilities. But you have very small suppliers that are not going to be able to handle the nation-state attacks directed their way depending on what they're supplying to us. If we can target the guys that are not going to be able to attract that cyber security talent to kind of build it all themselves but at a price point where they can afford it, I think that's kind of the optimal use of a shared service. How we apply that to the larger organizations I think has to be done with a lot more care just because they do have a lot of expertise. We rely heavily on the shared services and the economies of scale to get the prices down for some of those tools that we wouldn't be able to negotiate on our own with only 500 users. It's really important to have those shared services and the staff to test those tools and to give us feedback on them because we don't, we have large agencies to small little ones. You brought up something I think is really important for this audience about the human resource issue. One of the biggest challenges I've heard from other government leaders is the skills gap in the shortage of cyber personnel. 
This is impacting everyone but more acutely government. These are my opinions and not those of my agency. Splunk did not pay me to say this, but it's really hurting the small agencies to attract that cyber talent and the federal government is seen as a place if you come out of school, they're old, they're backwards, they don't have the latest tools and it takes so long to get something done. So the federal government as a whole has to look into modern technologies, keep modernizing and bring in the workforce and have them get challenging assignments. So we need the career progression path clearly defined for them. And we need to use other agencies. Mine's so small, we need somebody that's at an advanced level and we need tools like Splunk so we don't need as many humans, that technology helps us to fight the bad guys. It's really important to stay on top of what's modern, use those tools, train the workforce. The way I look at it is if we're in the government and one of the agencies trains somebody and they get a promotion to go to another agency, that's better for the government as a whole. If we train them and they go into industry, it's still better for our country. So we shouldn't not train somebody because we're afraid that we're going to lose them. But giving them that training might actually keep them happy and retain them more. It's interesting from a larger organization's perspective. We have a lot of the same challenges in terms of cyber security talent. So my organization is the functional community manager lead for the cyber workforce. We're in charge of figuring out what are the standards and then also of standing up what's called the Cyber Excepted Service, which is a tool Congress gave us to be able to help better attract, hire, retain, train our cyber workforce. As we look at building that out, we have a huge advantage in terms of our mission. We give people an opportunity to go toe to toe with some of the best cyber warriors of other countries. 
But at the same time there's a lot of jobs that have to be filled when you're an organization as large as ours. We have a massive number of opportunities and it's really difficult to find the good talent. Our team is heavily focused on trying to find ways to incentivize people, make sure that we raise awareness and try and help connect people to the opportunities. We're running short on time so I'm going to go to one last question. Nick, I'll start with you here. The investment community has been rapidly funding cyber-related startups for years, if not decades now. And we just have to attend any industry event and see more vendors popping up and new startups showing up at all of these cyber events. Have we reached peak cyber yet or is there still room for technologies and where would you like to see the investment world spend time on innovation? I sure hope it hasn't because we've still got a lot of ways to go in trying to fight this war. We've got attackers building AI into their malware to attack us and things like that. We're still playing cat and mouse. I sure hope it has not hit peak. I don't think we have. Some of the areas where I think we need to do better from an industry perspective is we have to be better methods and better ways to get that stuff rapidly built in inherently rather than trying to catch up. It just needs to be there by default going into it in the front end. There needs to be more ways to easily get those legacy systems into those kinds of models too. I think those are some big challenges. It's not easy to move a 20-year-old system into a modern architecture. I think we need to see industry come up with better ways to allow these old systems to become more agile. Shane, any thoughts? We definitely haven't reached peak. There's a lot of room for growth. AI ops, those sorts of technologies are really in their infancy. Supply chain is huge in different ways and different methods. Supply chain is traditionally thought of as hardware. 
You know, I'm mostly cloud, code is my problem. Code becomes commodity and it becomes a supply chain problem. We rely heavily on open source. So supply chain, definitely a lot of growth there needs to be done and a lot more advancements. There's room to grow. Fortunately I have lots of thoughts on that but I'm looking at the time ticking down. It's optional. Excellent. The one I'd lead with is complexity. We have a tremendous amount of complexity in our environment and we need to find a way to drive some of that complexity out. I'm much less interested in the new tool to solve the latest and greatest problem, much more interested in what is that holistic picture that allows me to cover a broad swath of threats in an agile manner. I don't think we're close to being done with this. We are hitting new technologies like I talked about before with quantum computing, with 5G and we don't know what we don't know yet and we don't know what the adversaries know. So we have to keep creating new tools and there's a lot of room for growth in this industry. Excellent. Well, I want to thank you all for your time and for your expertise today. Thank you for the service to our country and I hope this is valuable for anyone. Thank you so much. Thank you. Thank you very much to our last panelists. The next panel is called the Next Frontier, Aerospace and Cyber Security panel. I'd like to thank our moderator Mr. Casey Ellis, he's the chairman and technology officer of Bugcrowd. Joining Casey on the stage are Mr. Brian Connolly, vice president, senior chief engineer, cyber systems at Boeing. Mr. Layuper. Thank you very much. Good afternoon, everyone. Thank you for joining us for this panel. Very excited to be talking on this subject this afternoon. Just as a point of order, we do have Q&A cards being handed out by ushers at the moment. We'll do our best to get to them at the end of the panel. If you'd like to ask questions as we go, have those in mind and hand them to the ushers. 
Aircraft safety, airport security and civil aviation regulation, the whole idea of making aerospace security for users is a concept that's commonly understood and it's been around for quite a long time. The idea of aviation and aerospace cyber security on the other hand is comparatively novel, it's comparatively new. There are a lot of people who have been working on it for a very long time but as a socialized concept it's comparatively new. That's why I'm really excited to have this group of people up on stage with me today. Representation from aircraft manufacturing, representation from the airports and representation from the regulators that define civil aviation regulation and so forth. So we'll kick that off with introductions. Brian, do you want to lead that off? Sure. Brian Connolly. I'm the security officer for the Boeing Company, responsible for security and resiliency of our end item products on the commercial aviation side, defense space and our global services. Thank you. Good afternoon. I'm the head of the cyber division for the Israel Airports Authority under the Ministry of Transportation. It controls and manages the international airports, domestic airports, land border crossings. One thing that's kind of unique that we also control the air space itself, meaning the air traffic control towers and the ACCs. This is kind of unique in the aviation landscape. The cyber division is in charge of the entire operations. Hi, everyone. I lead Aviation Program for dire dire directorate. Very good. Kicking off the discussion around the subject, where are we up to with aviation cyber security? This is something we were discussing before just around the difference, you know, innovations, improvements, innovations that have been completed successfully, things that are ongoing and gaps and m improvement for the future. The civil aviation is undergoing tremendous changes these days. The numbers of global passengers is increasing expon