Transcripts For CSPAN3 Intelligence National Security Forum

CSPAN3 Intelligence National Security Forum Discussion On Cybersecurity July 14, 2024

Thank you all for coming here. We are acutely aware that we are the first session after you have come back from lunch. We will try to keep you awake and lively as well as we can. We have a terrific group for this discussion today. To my immediate left, your right, is commander Stephen Fogarty of the United States Army Cyber Command. Rick Howard, old friend, Chief Security Officer at Palo Alto Networks. Jeanette Manfra, the assistant director for cybersecurity at the Department of Homeland Security and, of course, its still relatively new agency, CISA. And Tonya Ugoretz, the deputy director for cyber at the FBI. This should be a great discussion. Tonya, let me start with you and ask you to just describe, if you can, the FBI's role in cyberspace and the threat environment, how you think it has changed over the past year.

Sure, thank you, David, and thank you to INSA for hosting us today. As we at the FBI look at the threat environment from a macro level, it is not necessarily the best news story in the world. But it is certainly complex. We are looking at an environment where there is no shortage of vulnerabilities and opportunities for malicious actors to exploit those vulnerabilities. We see that landscape only growing in complexity as we consider the number of devices that are going to become connected, in the billions over the next few years, many of which don't have security built in. We live in a world where we see nation-state actors conduct wholesale theft of personally identifiable information, targeting not just our government networks but our citizens, as well as health care information and intellectual property. Then we have a growing universe of actors who are growing in their capability, a proliferation of tools that are available for them to use. And at the FBI we look at both the national security and the criminal space. So we increasingly see crime and cyber crime as an economy, crime as a service.
The growth of organizations and individuals who are marketing different elements that are necessary to conduct cyber crime at scale, that only kind of embolden and enable more actors. And apart from this, you have the complexity that, apart from federal networks, much of what we care about in the U.S. is in private hands. Whether that's critical infrastructure or also, as we see for example with ransomware, targeting of other potential victims such as municipalities, et cetera. And then the wild card in all of this is adversary intentions, which is where we rely on the Intelligence Community to help us prioritize and make sense of this complex space: who is it that we really need to worry about, who is most intent and most capable of causing the most harm to us? So that's the big picture for us. So as I mentioned, that's a complex picture. And we feel that often, especially in government, but throughout our society, we reflexively look for a simple answer, even to address as complex a system and problem as I just described. But how we see it at the FBI is that it is only through a woven fabric of the authorities and capabilities of all the entities I just mentioned, whether it's U.S. government, foreign partners, the private sector, who have to come together with their authorities and capabilities in an agile way to be able to counter that environment. So that's a long-winded windup to where do I see the FBI in that? We see it squarely in the middle. I won't speak for other agencies, but I will say generally we look to partners like CISA who are in the lead in assessing risks to our networks and helping to support through mitigation and defense. We look to our right and we see our partners in the Intelligence Community and DoD who are taking the fight to our adversaries overseas, both seen and unseen. Then we see the FBI in the middle, enabling the activities of the whole range of partners plus the private sector with our unique authorities and presence.
And briefly, that comes from a long history, 100-plus years now, that we are building on in cyber, of having presence in our communities throughout the country and globally, where we are engaging in our communities before something happens so that we are ready after something happens to engage victims with the response that they need, to conduct investigations and operations focused on two things: attribution, finding out who is responsible, and accountability, whether that's through our own tools in the criminal justice system or providing those nuggets of attribution to other partners who can use their tools to hold our adversaries accountable.

Tonya, we will come a little bit later on to the ransomware issue which you just alluded to. One question coming out of your scene setting there. Of the four big state actors we often talk about, China, Russia, Iran, and North Korea, are you seeing a significant difference in the level of activity among those four over the past year or so, where we have had, obviously, geopolitically a changing environment with all of them?

I always hesitate to rank because I think it is a pretty fluid situation and different adversaries are focused on different things and have different capabilities as well. For example, I think we continue to see China quite active in terms of economic espionage, which our director has been very forthright in speaking about alongside other agencies. Russia certainly continues its malicious cyber activity. And it's no surprise that there has been a fair amount of attention to the potential for geopolitical tensions in the Middle East, particularly with Iran, to perhaps manifest themselves in the cyber arena.

Are you seeing any evidence that the Iranians are doing that right now?

I don't want to speak to particulars.

Jeanette, you heard from Tonya where the FBI sits in this.
My guess is that CISA, which is just about a year old now, right, is probably a little less well-known in their role just because it is a newly created agency. Tell us a little bit about that. And also tell us how your responsibilities differ from the FBI's.

Sure. I think Tonya set things up very nicely. Where we sit is, there are a lot of people in the government and in the private sector increasingly that are very focused on how do we understand the threat? And for us, we believe that threat is just one component of what we need to understand. And you talked a bit about geopolitical dynamics. Oftentimes I think we have cyber conversations in a bit of a silo and not thinking about the broader geopolitical dynamics, which has been that over the last few decades we've created technologies and ecosystems that have allowed the United States to be, at least potentially, held at risk in the homeland. Oftentimes that manifests itself through cyber means. Not completely. And so my organization, while CISA, the Cybersecurity and Infrastructure Security Agency, was created last year by legislation last November, is nearly a year old, we do have a legacy going all the way back to the founding of the department, with many authorities that were given actually dealing with the counterterrorism issue. And in thinking about what happened with 9/11 and that there wasn't anybody, and this also picks up on Tonya's point about the coordination, is that we didn't have somebody who was focused on engaging with the private sector exclusively. Not in law enforcement.
Not intelligence, not from a defense perspective, but somebody who could think about risk, bring government partners together, not be the one to execute, because as Tonya mentioned everyone has a lot [ no audio ] but being the one who is bringing everyone together, letting the Intelligence Community understand what would be useful for the private sector to take actions, and being in a position to be able to alert and warn when we do learn things. There were a lot of lessons learned from counterterrorism. And about two years ago now we started to think about, well, how has cyber, and frankly, even the terrorism, because we actually have physical security responsibility as well. How has that dynamic and the threats to the homeland really changed? What we realized is that we ourselves were missing the bigger picture a little bit by focusing on what are we doing for the financial sector? What is IT doing? What is comms doing? And really, what adversaries want to do is hold functions of our society at risk. And we learned this through elections. We've learned this through energy engagements. It's not... and the interconnectedness of course makes it sometimes easier. So if they want to have a situation where we have a loss of public confidence in our financial markets, there are ways that you can affect that outcome potentially. If they want to take out our ability to generate electricity, there are ways that, you know, you can contemplate going about that. But it can't be just a conversation with the utility owners or the global capital market banks. You have to have the service providers in the conversation. You have to have the broader internet ecosystem owners and operators in the conversation. So we have switched to a functional approach. And we released our National Critical Functions, the first time we have ever done this, in April, I believe, it was.
And what we are looking at there, that's the foundation of what we believe we are, is understanding what is the risk to the country, help inform the threat with information that we are able to gather, help drive and ask questions of those who collect on the threat to better understand the risk, but also to understand vulnerabilities, and really importantly understand the consequence. If you have a very capable actor who has an intent and there is a vulnerability and the consequence isn't a big deal, then we have a way to mitigate this. If you have a very significant consequence but nobody is looking to see if there is any actor who can actually affect that consequence, then we should probably be pivoting resources to be looking at that as a potential. It is forcing not just us but all of government to think very, very differently, whether it is the Intelligence Community or those of us here on the stage, about the role of government and the private sector and the federal government and state and locals, the U.S. and our partners, and having much more open conversations about what do we know? What do you know? And how do we share that information, and not just "here's some IOCs, good luck." It is really getting into much more contextual conversations: I think we think that Russia might be doing this. Actually I don't know if it is Russia, but we think that somebody is trying to do this here to your systems. Are you in the private sector willing to share what could be happening there back with us, back with NSA, FBI, DoD, all the different components coming together. That's where we see that we are sitting. We are not going to be the ones who are going to have every single tool to solve all of these problems, but we are positioned to be that risk advisor, to understand how is the homeland at risk and what can we do about it? What are the levers that we can pull? Who has those levers? And how did we take actions? That's why we are focused.
The National Critical Functions are the core of what is going to drive us and prioritize. We have had success in all of government in thinking differently about the U.S. as a target. How do we orient ourselves to drive down that risk.

I am glad you mentioned that. And when you said before that it's different than just handing people the IOCs, the indications of compromise, and saying good luck, there was a bit of that going on for a number of years. And usually companies would say to me when they got those warnings, which either came out of DHS or FBI, they would say, this is great, we saw this four months ago and dealt with it. Which takes me to Rick, because one of the big changes, it strikes me, has been the creation of the Cyber Threat Alliance, so that this sharing is much more of a two-way thing. You are going to see things that Jeanette or Tonya may not see first. Or you will see them from a different angle. So tell us a little bit about how that works and a little bit about how it has got to speed up. It is still a pretty manual process.

Before I answer that question, let me plug your book. Before I read David's book, if you had asked me what is the book I would want you to read, I would have said Clifford Stoll's Cuckoo's Egg book. Still read that book. After I read David's book, it's David's book, The Perfect Weapon. We know most of the things he talks about in there, but we don't understand it until you read his book. The takeaway I have from it is we have been in a continuous low-level cyber conflict since 2010 and we are just now starting to get our hands around it.

I did not pay Rick for any of this. I didn't know we were supposed to suck up to the moderator. I also want to plug him. I will give you a cut of the check.

From the commercial perspective, David is right.
The thing that the commercial world has realized is that the adversaries have automated their attacks, and most of us in the commercial space and the government space, we are trying to deal with that manually. If you have an information sharing program, you are sending it around in spreadsheets and in email. If your organization has the time to even consume those things, you may get around to it in weeks to months to never. What we decided to do in the cybersecurity vendor community is automate the threat information sharing between security vendors. Here's the reason. Every security vendor out there worth anything is a giant intelligence collection engine. Palo Alto Networks has 70,000 customers, all with ten to 200 devices deployed on their networks. We can deliver controls automatically to those devices because they are our customers. Unit 42, how many people have heard of Unit 42? Marketing ducked for us. Totally free intelligence if you want it. But when they discover something new, we can convert that into multiple prevention controls for our product set and deliver it to 70,000 customers in five minutes. Five minutes, amazing capability. All of the members of the Cyber Threat Alliance, 26 in there, they all have similar capabilities. Ours is better. That's the best joke I have. If you guys are not laughing now, this is going to be a long panel. They all have similar capabilities. What is not happening from the government side is trusting that system so they can, if we got information from lots of governments around the world, say we saw this thing and it is very damaging. If you just got it into the Cyber Threat Alliance, we could get prevention controls and protect almost everybody on the planet very quickly. We have to fix that going forward.

We will let you guys defend yourselves in just a minute. I understand the reasons why we can't. But... We will get to that in a second.
General Fogarty, of course before you were in your current role, and you succeeded General Nakasone, who we will be hearing from later this afternoon, check czech you were at Cyber Command as well. So you come at this from a bit of a different perspective. And the phrase we have heard since your concept of operations changed, just as Admiral Rogers was leaving office, was persistent engagement, which is perceived by most people as being largely overseas, in the networks of adversaries, so that you can see a threat gathering before it is delivered, before Rick sees it show up in the Cyber Threat Alliance's networks. Presumably, before Jeanette and Tonya see them as well. Tell us how this works day to day. What does this look like? And in a world where people are concerned about sovereignty, how do we explain to the rest of the world why we can be in their networks and yet we get so upset when, as Jeanette points out, we have got foreign operators sitting in our electric power grid?

First of all, persistent engagement, I think the big idea there is that we are going to start using the entire operational depth of the cyber domain, as we'd frame it, or the information environment. So we are not going to cede red space. We are going to get the right actors, planning, preparing, testing, rehearsing. They are trying to defend themselves. We are not going to cede gray space so that I am allowing it to maneuver out of their sanctuary, get into an attack position and start to pummel us. If you think about where we were just a couple years ago, that's what it was. It was shields up, we were principally focused on blue space and we were trying to shoot the arrows or block the arrows from penetrating us. Tonya said it well, the volume, the velocity, the variety of the threat, it just continues to improve. Rick said they have automated this. You are going to be in a defensive crouch, you are just going to bleed out.
You are going to get nicked by a thousand arrows or a million arrows. The big idea is that we will manipulate in all of those environments. We don't act by ourselves. We engage with foreign partners, we engage with commercial partners, we engage with our interagency partners. It is really building that irk no. Now this is an intel audience. What I would say is, operations in the cyber domain, in the information environment, are like operations in any other operational domain. They are driven by intelligence. From CYBERCOM's perspective, NSA is its most important partner. All of us on the stage have different responsibilities and different authorities. The idea is bringing all of that together. We are not operating, we are not ceding space to the adversary. I am not necessarily crawling through a partner's network. The partner is actually sharing. I'm sharing with them to enable them to defend better, to detect, verify, to share back with me.

I wasn't suggesting you were in a partner's network, I was
