Transcripts For CSPAN3 Federal Cybersecurity Policy Prioriti

CSPAN3 Federal Cybersecurity Policy Priorities Forum - PART 2 July 13, 2024

Well bring our next panelists here. Thank you again for keeping your conversations a little bit more quiet on the outside by the booths so we can listen to our panelists. So this next panel is very interesting called new models of public, private cyber collaboration. The moderator is mr. Will ash. He is a senior director of Security Sales used Public Sector global Security Sales for cisco. Joining him on the panel is Major General ed wilson, United States air force retired, secretary of defense, assistant secretary of defense for cyber policy in the office of the undersecretary of defense. Also joining us is claire caroma from the Defense Digital Service. Also Lieutenant General stephen fogarty, commanding general, United States army Cyber Command. Also ms. Tonya ugoretz, a Deputy Assistant director cyber readiness, outreach and Intelligence Branch for the fbi. And last, miss Jennifer Walsmith, sector Vice President and general manager cyber and Intelligence Solutions division, Northrop Grumman mission systems. Over to you, will. Thank you, ed. Hello and good afternoon, everyone. Welcome back. Before we get rolling i thought it would be appropriate to give billington a round of applause for the great contest and guests weve had so far. So lets get that going. That served multiple purpose, got your body moving again and draw some of the exhibitors back into the hall. Welcome to what some would argue as the Signature Panel of the summit. As grant mentioned, we have the operators in the afternoon so indeed we have the operators here on stage. At least six would argue this is the Signature Panel. All kidding aside, if you look around the room and exhibit halls, there are public officials, private representatives and this is top of mind for all of us in the cybersecurity business and industry, public and private partnership. In this case new models of public and private collaboration. For the next 35 minutes or so, were going to explore some relevant topics in this area with this exciting panel. The format is going to be were going to have a quick introduction right now and have each of our panelists not only go a little deeper on what their role is beyond the title that ed mentioned, but we also wanted them to share a use case in this space, the Public Private collaboration. It means a lot of Different Things to a lot of different people. Its a very broad topic. So thats how the introduction will flow. Major general wilson, if you wouldnt mind starting us off. Thank you. Absolutely. Its good to be here with everyone today. Ed wilson. Our term for cyber policy at the pentagon and in that role were responsible for the strategy, different policies for the department as well as the authorities for all of our Cyber Operations across the department on a global stage. I thought what id do is just maybe share given the content of the panel, i dont want to steal any thunder from the Defense Digital Service or general fogarty from a component perspective but maybe something were partnering with industry on with an interagency context. And so last spring as we were crafting our cyber strategy, one of the key aspects was a realization that we had not defined and clarified the role of the department and defense of the homeland. I think we all understand that the homeland has a role in defending it. In air, land, sea and space. There were questions at times whether the department and what our role is for cyberspace. As we begin that journey, weve articulated that and worked with interagency partners. So really the use case that i want to put on the table just briefly is a thing we call path finders. In the defense of the homeland we have begun to partner with the department of Homeland Security and the requisite Critical Infrastructure segment owners. The first one we started on was the Financial Sector so we have a financial path finder. As part of that what we do is work with dhs, the different isacs as well as fs arc which is an industry representation of the key banking industry, the Financial Sector representatives. Weve begun an informationsharing process associated with u. S. Cyber command and some of the Intelligence Community representatives in being able to share indicators of compromise for Systemic Risk in the Financial Sector. It may have been highlighted earlier. We also have a path finder associated with the electric sector, the energy sector, really focused on the electrical space with the department of energy. Karen evans who was on stage earlier. As part of these path finders the reason we termed it path finder, this is New Territory for the department so were not trying to overarchitect or overthink the problem. Were trying to get started and begin the process, begin the collaboration with Industry Partners, with our interagency partners, understand roles and responsibilities, and the unique attributes scale scope perspectives the department of defense can bring in Critical Infrastructure. So its a unique use case. A lot of wind in that sail now, were making good progress. I would say that really it could be gamechanging in some ways. Not that were the prime player but the duty, the weight, the scale, the scope that we can bring to the problems can be brought to bear in this particular use case. Excellent. Great use case. Thanks for sharing. Despite starting with ed, were going to keep you guessing, were not going to go down the line and also keep the panelists guessing, a bit of a game. With that well swing to jennifer. Jennifer, would you mind . Absolutely. Im Jennifer Walsmith Northrop Grumman. Cyber and Intelligence Mission solutions. Its by no mistake that we put intelligence and cyber in the same organization because i really see it as two sides of a coin. Im career government for the majority of my career spending the last ten years as nsas acquisition and procurement representative. I joined Northrop Grumman three years ago and have been having a grand time working Cyber Intelligence from a different vantage point. My use case is about creating a global ecosystem for the workforce of the future. It starts with what were partnering with the air force association and the Cyber Patriots. Long standing started in 2009, certainly long before i was involved with many of my predecessors and many partners across the country, but what started as a small effort in 2009, in 2019, ten years later, we had over 6,000 teams competing middle school and high school. Our Cyber Warriors of the future. We didnt stop there. This year we opened up our cyber centurion in the uk and cyber sypan in the australian cyber commonweal commonwealth. So its about creating that workforce of the future starting very early in middle school and high school and thats whats really exciting. If i take one example and then pulling that thread all the way through is really with the universities and creating not only the students but then the interns that are so excited to work on our customers hardest problems all the way through to research. And what excited me this summer was watching 30 young interns doing a codeathon against one small aspect of nsas hard problems and creating that environment as a partnership because they certainly had to create the environment that we could do that. But thats an example for me of Public Private partnership for the future workforce. Thank you for sharing, terrific. We will go a little deeper on the workforce topic later as well. Thanks for sharing. Why dont we come down the line. Tonya, would you mind going next. Sure. Im tonya ugoretz, the Deputy Assistant director in the fbi Cyber Division. Our Cyber Division is the investigative and operational arm of the fbi that works to deter and attribute cyber intrusion activity to hold actors accountable. So within that division we have two deputies, one who is responsible for operations and our National Joint task force and then i have the Everything Else branch. So that includes things like our intelligence workforce who focus on both National Security and criminal cyber threats, our elite Rapid Response team, our Cyber Action Team who responds on site to our most significant cyber threat activity. The people who make the place run in terms of workforce and logistics and finance and budget, and our policy team as well as what we term Mission Critical engagement. And thats where in my branch we have the nexus of the fbis Cyber Program to the private Public Partnership. So for the fbi, that sense of Public Private partnership is really core to everything we do, in every program we have, whether its crime or counterterrorism or cyber. And its manifested in our presence with 56 field offices around the country plus dozens of other offices as well as a global presence. Its really about how in each of our offices in our area of responsibility, we are out engaging with companies, individuals, communities ideally before something bad happens but also there with those relationships ideally already built to respond after, unfortunately, something does happen. So when we look at private Public Partnership, on the one hand we see it as not necessarily something new and unique. Its foundational to what we do. But in the Cyber Program, weve had to look at what aspects of it are unique when we look at cyber. And i think theres two key ways we look at that. One, its by virtue of the fact that apart perhaps from maybe federal networks, the majority of what we care about and the majority of what our adversaries are targeting are in private hands, whether thats individuals or municipalities or companies. And so we need to have those relationships there to both protect and respond across the federal government. But also, whats also in private hands are the companies who form the backbone of that Network Infrastructure as well as commercial Cybersecurity Companies who have unique information about malicious activity thats traversing or targeting u. S. Networks that the u. S. Government doesnt have and that u. S. Citizens dont want us to have because you dont want for some reason the fbi sitting on your network. So we have to have those good partnerships, and i think thats where it is unique in cyber. So weve been looking at this issue for quite a while and the case example i would point to is something we call the National Cyber Forensics Training Alliance or the ncfta. It was begun in 2003. Its actually a 501 c 3 located in pittsburgh, but its a physical location where representatives of government, academia and industry sit together and share information about primarily cyber criminal threats to u. S. Targets. And in one case example recently, we had a global botnet that was involved in malicious ad fraud. It was operating from 2015 to 2018 and it infected about 1. 7 million users. It would use hidden browsers to download fabricated web pages and then load ads onto those web pages. These generated fabricated ad clicks and what happened was that businesses ended up paying about 29 million for ads that no human user ever actually clicked on. So working with Industry Partners as we identified this activity, we were able to sequence a number of actions to eliminate it. It started with an arrest of one of the perpetrators and that arrest was enabled by our attribution, which is the cyber fancy term for identifying whos responsible for activity. And then sequencing events with foreign partners to take down servers and infrastructure as well as industry to reroute the malicious traffic or sinkhole it. And what happened is that in a matter of hours, we were able to take down that Global Infrastructure in such a way that the malicious activity stopped. Lest you think that Law Enforcement action never leads to consequences against actors located overseas, we were able to arrest two of the three persons responsible overseas, have them extradited and theyre currently pending action in u. S. Courts. The third one is in russia, so im not so optimistic about that. But thats just an example of how working with industry side by side, we can achieve consequences and were looking to expand that to activity against nation state actors as well. Thank you, tonya. Youre not going to see it coming. Were going to go to Lieutenant General fogarty next, please. Thank you. Good afternoon. Im Steve Fogarty and i represent almost 16,000 soldiers, civilians and contractors that represent army Cyber Command, a force thats dispersed globally. We have three principal missions for the army. Full spectrum cyberspace operations, so thats operate, defend and attack. The second big mission we have is Electronic Warfare and the third is information operations. And as we pull all of those together and integrate those effects, we think that really spells Information Warfare for us. So thats the direction that weve headed. If you look at two things that were required to do on behalf of two generals is enable partners and then act. We very rarely act without a consortium of partners. So it might be academia, it could be commercial industry, it could be interagency, it could be foreign partners, but the bottom line is i cant think of a single operation that weve conducted since ive been in command that actually didnt include multiple partners. So for us that is the key to success. We exercise it in a variety of ways, so it might be a simple contract, it could be a memorandum of understanding, it could be a very specific document for a very precise purpose. But what we generally find is that the young people who work for us reach out to their peers, they have built their own networks, and what we find is theyre generally very, very successful at building these ad hoc relationships, ad hoc organizations, and they get after the mission. Thank you, sir. And, claire. Will you bring us home on this one please, thank you. My name is claire, i work for the Defense Digital Service which is a startup in the department of defense. We sit in the office of the secretary of defense. And my team is comprised of a s. W. A. T. Team of nerds that have been asked to come in to do a tour of duty for a minimum of six months, maximum of two years, to lend our talents to help the Department Force technological change that have a magnitude and order of impact on the department. We are comprised of a fairly set group of folks that work on our team. We have bureaucracy hackers, which is my role, so those are folks who have a really good understanding of government procurement, acquisition, policy, best practices and have some way in their past life a Technology Focus on their background. I started out as a developer and coder and then moved into management, acquisition and procurement and budget. We also have product owners on our team and those are the folks who know how to take a product, build it, start it from scratch and get it to mvp status and take it to a scaleable model. We have designers on our team, so User Research designers and visual designers. And last but not least we have engineers of all sorts and flavors, back end and front end engineers. The way that our team works is we partner with the secretary of defense and the different services. We have strong portfolios with army and air force. And we take a look at problems that they present to us and we go out and investigate if those problem sets fit squarely with the talent pool that we have in our organization. One major requirement for the problem sets that we take on is that we can have quick wins so we dont take on projects that take two, three or four years. There are many, many other great partnerships in the department that have those types of problem sets. Because our team members are asked to do short tours of duty, we want to make sure that we can do quick, fast and efficient wins for the department and problem sets they ask us to take a look at. So two good examples of the type of Security Sales<\/a> used Public Sector<\/a> global Security Sales<\/a> for cisco. Joining him on the panel is Major General<\/a> ed wilson, United States<\/a> air force retired, secretary of defense, assistant secretary of defense for cyber policy in the office of the undersecretary of defense. Also joining us is claire caroma from the Defense Digital Service<\/a>. Also Lieutenant General<\/a> stephen fogarty, commanding general, United States<\/a> army Cyber Command<\/a>. Also ms. Tonya ugoretz, a Deputy Assistant<\/a> director cyber readiness, outreach and Intelligence Branch<\/a> for the fbi. And last, miss Jennifer Walsmith<\/a>, sector Vice President<\/a> and general manager cyber and Intelligence Solutions<\/a> division, Northrop Grumman<\/a> mission systems. Over to you, will. Thank you, ed. Hello and good afternoon, everyone. Welcome back. Before we get rolling i thought it would be appropriate to give billington a round of applause for the great contest and guests weve had so far. So lets get that going. That served multiple purpose, got your body moving again and draw some of the exhibitors back into the hall. Welcome to what some would argue as the Signature Panel<\/a> of the summit. As grant mentioned, we have the operators in the afternoon so indeed we have the operators here on stage. At least six would argue this is the Signature Panel<\/a>. All kidding aside, if you look around the room and exhibit halls, there are public officials, private representatives and this is top of mind for all of us in the cybersecurity business and industry, public and private partnership. In this case new models of public and private collaboration. For the next 35 minutes or so, were going to explore some relevant topics in this area with this exciting panel. The format is going to be were going to have a quick introduction right now and have each of our panelists not only go a little deeper on what their role is beyond the title that ed mentioned, but we also wanted them to share a use case in this space, the Public Private<\/a> collaboration. It means a lot of Different Things<\/a> to a lot of different people. Its a very broad topic. So thats how the introduction will flow. Major general wilson, if you wouldnt mind starting us off. Thank you. Absolutely. Its good to be here with everyone today. Ed wilson. Our term for cyber policy at the pentagon and in that role were responsible for the strategy, different policies for the department as well as the authorities for all of our Cyber Operations<\/a> across the department on a global stage. I thought what id do is just maybe share given the content of the panel, i dont want to steal any thunder from the Defense Digital Service<\/a> or general fogarty from a component perspective but maybe something were partnering with industry on with an interagency context. And so last spring as we were crafting our cyber strategy, one of the key aspects was a realization that we had not defined and clarified the role of the department and defense of the homeland. I think we all understand that the homeland has a role in defending it. In air, land, sea and space. There were questions at times whether the department and what our role is for cyberspace. As we begin that journey, weve articulated that and worked with interagency partners. So really the use case that i want to put on the table just briefly is a thing we call path finders. In the defense of the homeland we have begun to partner with the department of Homeland Security<\/a> and the requisite Critical Infrastructure<\/a> segment owners. The first one we started on was the Financial Sector<\/a> so we have a financial path finder. As part of that what we do is work with dhs, the different isacs as well as fs arc which is an industry representation of the key banking industry, the Financial Sector<\/a> representatives. Weve begun an informationsharing process associated with u. S. Cyber command and some of the Intelligence Community<\/a> representatives in being able to share indicators of compromise for Systemic Risk<\/a> in the Financial Sector<\/a>. It may have been highlighted earlier. We also have a path finder associated with the electric sector, the energy sector, really focused on the electrical space with the department of energy. Karen evans who was on stage earlier. As part of these path finders the reason we termed it path finder, this is New Territory<\/a> for the department so were not trying to overarchitect or overthink the problem. Were trying to get started and begin the process, begin the collaboration with Industry Partners<\/a>, with our interagency partners, understand roles and responsibilities, and the unique attributes scale scope perspectives the department of defense can bring in Critical Infrastructure<\/a>. So its a unique use case. A lot of wind in that sail now, were making good progress. I would say that really it could be gamechanging in some ways. Not that were the prime player but the duty, the weight, the scale, the scope that we can bring to the problems can be brought to bear in this particular use case. Excellent. Great use case. Thanks for sharing. Despite starting with ed, were going to keep you guessing, were not going to go down the line and also keep the panelists guessing, a bit of a game. With that well swing to jennifer. Jennifer, would you mind . Absolutely. Im Jennifer Walsmith<\/a> Northrop Grumman<\/a>. Cyber and Intelligence Mission<\/a> solutions. Its by no mistake that we put intelligence and cyber in the same organization because i really see it as two sides of a coin. Im career government for the majority of my career spending the last ten years as nsas acquisition and procurement representative. I joined Northrop Grumman<\/a> three years ago and have been having a grand time working Cyber Intelligence<\/a> from a different vantage point. My use case is about creating a global ecosystem for the workforce of the future. It starts with what were partnering with the air force association and the Cyber Patriot<\/a>s. Long standing started in 2009, certainly long before i was involved with many of my predecessors and many partners across the country, but what started as a small effort in 2009, in 2019, ten years later, we had over 6,000 teams competing middle school and high school. Our Cyber Warriors<\/a> of the future. We didnt stop there. This year we opened up our cyber centurion in the uk and cyber sypan in the australian cyber commonweal commonwealth. So its about creating that workforce of the future starting very early in middle school and high school and thats whats really exciting. If i take one example and then pulling that thread all the way through is really with the universities and creating not only the students but then the interns that are so excited to work on our customers hardest problems all the way through to research. And what excited me this summer was watching 30 young interns doing a codeathon against one small aspect of nsas hard problems and creating that environment as a partnership because they certainly had to create the environment that we could do that. But thats an example for me of Public Private<\/a> partnership for the future workforce. Thank you for sharing, terrific. We will go a little deeper on the workforce topic later as well. Thanks for sharing. Why dont we come down the line. Tonya, would you mind going next. Sure. Im tonya ugoretz, the Deputy Assistant<\/a> director in the fbi Cyber Division<\/a>. Our Cyber Division<\/a> is the investigative and operational arm of the fbi that works to deter and attribute cyber intrusion activity to hold actors accountable. So within that division we have two deputies, one who is responsible for operations and our National Joint<\/a> task force and then i have the Everything Else<\/a> branch. So that includes things like our intelligence workforce who focus on both National Security<\/a> and criminal cyber threats, our elite Rapid Response<\/a> team, our Cyber Action Team<\/a> who responds on site to our most significant cyber threat activity. The people who make the place run in terms of workforce and logistics and finance and budget, and our policy team as well as what we term Mission Critical<\/a> engagement. And thats where in my branch we have the nexus of the fbis Cyber Program<\/a> to the private Public Partnership<\/a>. So for the fbi, that sense of Public Private<\/a> partnership is really core to everything we do, in every program we have, whether its crime or counterterrorism or cyber. And its manifested in our presence with 56 field offices around the country plus dozens of other offices as well as a global presence. Its really about how in each of our offices in our area of responsibility, we are out engaging with companies, individuals, communities ideally before something bad happens but also there with those relationships ideally already built to respond after, unfortunately, something does happen. So when we look at private Public Partnership<\/a>, on the one hand we see it as not necessarily something new and unique. Its foundational to what we do. But in the Cyber Program<\/a>, weve had to look at what aspects of it are unique when we look at cyber. And i think theres two key ways we look at that. One, its by virtue of the fact that apart perhaps from maybe federal networks, the majority of what we care about and the majority of what our adversaries are targeting are in private hands, whether thats individuals or municipalities or companies. And so we need to have those relationships there to both protect and respond across the federal government. But also, whats also in private hands are the companies who form the backbone of that Network Infrastructure<\/a> as well as commercial Cybersecurity Companies<\/a> who have unique information about malicious activity thats traversing or targeting u. S. Networks that the u. S. Government doesnt have and that u. S. Citizens dont want us to have because you dont want for some reason the fbi sitting on your network. So we have to have those good partnerships, and i think thats where it is unique in cyber. So weve been looking at this issue for quite a while and the case example i would point to is something we call the National Cyber<\/a> Forensics Training Alliance<\/a> or the ncfta. It was begun in 2003. Its actually a 501 c 3 located in pittsburgh, but its a physical location where representatives of government, academia and industry sit together and share information about primarily cyber criminal threats to u. S. Targets. And in one case example recently, we had a global botnet that was involved in malicious ad fraud. It was operating from 2015 to 2018 and it infected about 1. 7 million users. It would use hidden browsers to download fabricated web pages and then load ads onto those web pages. These generated fabricated ad clicks and what happened was that businesses ended up paying about 29 million for ads that no human user ever actually clicked on. So working with Industry Partners<\/a> as we identified this activity, we were able to sequence a number of actions to eliminate it. It started with an arrest of one of the perpetrators and that arrest was enabled by our attribution, which is the cyber fancy term for identifying whos responsible for activity. And then sequencing events with foreign partners to take down servers and infrastructure as well as industry to reroute the malicious traffic or sinkhole it. And what happened is that in a matter of hours, we were able to take down that Global Infrastructure<\/a> in such a way that the malicious activity stopped. Lest you think that Law Enforcement<\/a> action never leads to consequences against actors located overseas, we were able to arrest two of the three persons responsible overseas, have them extradited and theyre currently pending action in u. S. Courts. The third one is in russia, so im not so optimistic about that. But thats just an example of how working with industry side by side, we can achieve consequences and were looking to expand that to activity against nation state actors as well. Thank you, tonya. Youre not going to see it coming. Were going to go to Lieutenant General<\/a> fogarty next, please. Thank you. Good afternoon. Im Steve Fogarty<\/a> and i represent almost 16,000 soldiers, civilians and contractors that represent army Cyber Command<\/a>, a force thats dispersed globally. We have three principal missions for the army. Full spectrum cyberspace operations, so thats operate, defend and attack. The second big mission we have is Electronic Warfare<\/a> and the third is information operations. And as we pull all of those together and integrate those effects, we think that really spells Information Warfare<\/a> for us. So thats the direction that weve headed. If you look at two things that were required to do on behalf of two generals is enable partners and then act. We very rarely act without a consortium of partners. So it might be academia, it could be commercial industry, it could be interagency, it could be foreign partners, but the bottom line is i cant think of a single operation that weve conducted since ive been in command that actually didnt include multiple partners. So for us that is the key to success. We exercise it in a variety of ways, so it might be a simple contract, it could be a memorandum of understanding, it could be a very specific document for a very precise purpose. But what we generally find is that the young people who work for us reach out to their peers, they have built their own networks, and what we find is theyre generally very, very successful at building these ad hoc relationships, ad hoc organizations, and they get after the mission. Thank you, sir. And, claire. Will you bring us home on this one please, thank you. My name is claire, i work for the Defense Digital Service<\/a> which is a startup in the department of defense. We sit in the office of the secretary of defense. And my team is comprised of a s. W. A. T. Team of nerds that have been asked to come in to do a tour of duty for a minimum of six months, maximum of two years, to lend our talents to help the Department Force<\/a> technological change that have a magnitude and order of impact on the department. We are comprised of a fairly set group of folks that work on our team. We have bureaucracy hackers, which is my role, so those are folks who have a really good understanding of government procurement, acquisition, policy, best practices and have some way in their past life a Technology Focus<\/a> on their background. I started out as a developer and coder and then moved into management, acquisition and procurement and budget. We also have product owners on our team and those are the folks who know how to take a product, build it, start it from scratch and get it to mvp status and take it to a scaleable model. We have designers on our team, so User Research<\/a> designers and visual designers. And last but not least we have engineers of all sorts and flavors, back end and front end engineers. The way that our team works is we partner with the secretary of defense and the different services. We have strong portfolios with army and air force. And we take a look at problems that they present to us and we go out and investigate if those problem sets fit squarely with the talent pool that we have in our organization. One major requirement for the problem sets that we take on is that we can have quick wins so we dont take on projects that take two, three or four years. There are many, many other great partnerships in the department that have those types of problem sets. Because our team members are asked to do short tours of duty, we want to make sure that we can do quick, fast and efficient wins for the department and problem sets they ask us to take a look at. So two good examples of the type of Public Private<\/a> partnerships that we have been fostering in the department. The first one and you probably heard of it is the hack the pentagon program. We come from an environment where many of us are accustomed to taking close looks at the vulnerabilities that exist in our networks, our systems and hardware. In private industry this is standard practice. We want to know where the problems are so we can solve them before the enemy does. And so about a year ago our former director proposed to the then secretary of defense that we should do a hack the pentagon program. There was a lot of fear about it. But once we joined in on the effort to start this program, it has been an incredible success. We have inked contracts with some of the best private industry vendors to help us to identify systems that have critical vulnerabilities and patch them before they become an issue for the department. To date we have found over 10,000 vulnerabilities in a series of public and private bounties. We just finished a bounty that was sort of unique. We didnt just look at a software system, we actually looked at hardware for the air force. It was incredibly successful and were moving forward with building that portfolio out. Another good example of some of the Public Private<\/a> partnerships that we have brought to the department are some of the work that were doing with army cyber. We have a really robust portfolio with army cyber. One of the unique things we did with army cyber, we asked them to let us take their talent and have them partner with our engineers and our team. So any project that we embark on with army cyber, we get them to give us soldiers who are active duty who have various types of talent sets that are very specific to the problem sets that were looking at. One of those problem sets that we just finished tackling and are working to transition on right now is an effort to rethink and reimagine the way that army cyber trains its enlisted soldiers. 80 of their army Cyber Workforce<\/a> are going to be the workforce that help the army to finish its mission in the offensive and defensive technologies and environment. And so we spent about seven months just rebuilding that training and helping them to think through how they train the soldiers, what is the curriculum the soldiers should be learning while they are going through the training, and what sorts of exposure they should have to the Operational Force<\/a> and to other folks who are in private industry who are actually working in the areas of the technology that they are learning so that they can have a good, solid understanding of how that relates to their work rules as they move into army. So we are actively working now having wrapped up that course in june of this year with Army Cyber School<\/a> to transition that over to them so they can continue to train soldiers with this new methodology that we have brought onboard. Terrific. Not nerds you want to mess with. Yeah. Thank you for sharing. Well, we met our intent through the introductions and thats really posing some rich, deep, diverse use cases of Public Private<\/a> collaboration and some new models at that and giving us all exposure as to some of the context within which these organizations are sitting. I wanted to pivot a bit for our next topic. Grant schneider this morning or this afternoon mentioned the may 9th executive order around americas Cybersecurity Workforce<\/a> so i wanted to explore this particular topic area with several of our panelists now and given your rich story, tonya, with fbi and your distributed model and the nice use case you shared, would you mind turning to your viewpoint on the Cybersecurity Workforce<\/a> in particular and how that relates to your Public Private<\/a> work . Sure, thank you. So just pulling up a second from that question, i think we all share talent challenges that we wont be able to hire our way out of. While theres always competition for a talent and resources, no matter what the issue is, in cyber in particular, we feel like its important to look at this really as a very interconnected ecosystem, so cyber is a very complex challenge in terms of combatting the threats. I think oftentimes what we collectively fall into is, you know, which agency is dominant or which element in the private sector needs the most resources, et cetera. But the way we look at it, we as general fogarty described, are so intertwined with each other in terms of how we support each other, enable each others operations, share intelligence, that we really are looking kind of ecosystemwide on how we can make sure that we have parity in our partnerships. Were not all going to be the same size or have the same level of workforce and other resources, but we need to make sure that as a whole were strong where we need to be. So thats just kind of the general lens that the fbi is looking at workforce challenges in. So more specifically if, for example, the fbi or any other Single Agency<\/a> were to be the predominant collector of intelligence domestically or overseas on a particular threat activity or threat actor, its not going to do the rest of the partners either in the government or in the private sector any good if we dont also have the capacity to manage, maintain, exploit and share that information. So we all have a vested interest in each others strength and workforce and resources. So more specifically, the way the bureau is looking at it first is that weve diversified our job roles. Ive been in the fbi since 2001. When i came in, it was very much a special agent dominated organization, as you may have read. We love our special agents. But im an Intelligence Analyst<\/a> by trade and for much of the post9 11 era we talked a lot about agents and analysts. Now fast forward almost 20 years and on the Cyber Operations<\/a> and investigations i helped support, were talking about agents, analysts, data analysts, digital operations specialists, computer scientists, Information Technology<\/a> specialists, the diversity in the job roles really reflects the complexity of the threats were facing and also how weve had to evolve and how we think about our workforce, what workforce we need to address those threats. Were also pursuing some innovative partnerships with the private sector in academia. The fbi is investing heavily in a new and expanding presence in huntsville, alabama, which i believe has the highest concentration of ph. D. S anywhere in the country. A lot of defense support and Technical Support<\/a> capability there. And were pursuing some innovative partnerships, for example, through the university of alabama at huntsville in terms of working with students there and Capability Development<\/a>, but also, believe it or not, with space camp, which we all know from popular imagination really kind of captures students at a young age with the possibilities of space exploration. So we are pursuing the creation of a cyber camp on that same campus there in huntsville to try to entice the Younger Generation<\/a> into the s. T. E. M. And cyber fields. And lastly i mentioned we cant recruit and hire our way out of this challenge. Were also looking at how do we develop the rest of our workforce. So were currently piloting some Aptitude Test<\/a>ing for our new hires in terms of special agents and Intelligence Analyst<\/a>s. You may come onboard to the fbi to be an agent or analyst with your accounting degree or your Foreign Language<\/a> degree and think youre headed down one path, but if you take an Aptitude Test<\/a> and you find you have a hidden talent, an aptitude for a more technical or cyberrelated field that you didnt know about, then were going to have a conversation with you and were going to talk about investing some of our training and Development Resources<\/a> to see if youre going to be a member of our Cyber Workforce<\/a> in the future. Great. And the list goes on, i imagine. I knew youd be a good one to start with. Ed, would you layer on some perspectives from the dod side of things. Absolutely. The dod makes up a large percentage of the federal Cybersecurity Workforce<\/a> or Cyber Workforce<\/a>. It really falls into several categories, but a little bit different for us is we have the military members. So we recruit and then have a challenge of retention on the military members. And so what is unique about that model, i think all of the service would stand up and say we do not have a recruiting problem when it comes to cybersecurity. We have people lined up out the door that are ready to come onboard and do the mission, whether its Cyber Operations<\/a> or traditional cybersecurity. So recruiting is a pretty easy turf. The training model to bring qualified candidates onboard, each of the services has stepped up to the plate and is generating a lot of talent, a lot of capability in terms of Human Capital<\/a> for the nation. Where we do find challenges sometimes is on the retention side. Clearly we dont compete well on salary in the military but weve begun to handle that with bonuses, like we do with other critically manned unique skill sets, and that seems to be working for us fairly well with a few exemptions in some niche capability areas. Theres a good news story there. We also have an advantage and take a hard look at it, i can speak from being a former commander like general fogarty is that when an active duty member, military member, goes to depart a service, especially the army and air force base has a bit of an advantage with the guard, whether its Air National Guard<\/a> or army National Guard<\/a> but also reserve components. And so the active duty members we recruit heavily to be able to join and stay with us if you will maybe not in a fulltime capacity but that gives us a reserve component, if you will, across the nation. On the civilian side, weve made a pretty dramatic shift with the help of congress. What we term as the cyber accepted service. So its given us unique authorities inside the department of defense under title x u. S. Code to be able to hire with a bit more agility based on the talent, not necessarily what theyre going to fill and be able to tune and tailor the pay packages, the bonuses, et cetera, associated with that. So thats been a real big win for us. Weve just begun to get that in motion, if you will, over the last 18 to 24 months. Were seeing very good results. Were able to bring onboard people much quicker than we could in the previous regime. I would just double down on the comment with regards to the Cyber Patriot<\/a> program and the unique attributes of a Public Private<\/a> partnership. In this case with the air force association. To my experience thats probably one of the best models that ive seen. Its really in my mind thinking about how do you expand or grow the denominator of talent coming into the workforce not arguing or competing with the limited pool of resources that do come out. Its getting ahold of those young men and women in middle school, high school, and getting them excited about potential Career Opportunities<\/a> in cybersecurity. I would argue that the secret sauce in that is Public Private<\/a> partnership that allows us to scale those types of problems. Theres a bit of training and Knowledge Transfer<\/a> with mentorships, but you add competition in the middle of that and it becomes fun and exciting and gets that young workforce, if you will, thats the future workforce. Were seeing very high Interest Rates<\/a> out of programs like that. So i think we cant forget that, so its the whole ecosystem from our perspective. I love the positive progress piece that you reinforce there. With just a few minutes remaining, were going to allow general fogarty to talk on one topic. Jennifer, you mentioned workforce in your opening comments. Anything else youd like to add . Im going to add very briefly something i have a passion about and that is capability delivery and the Technology Aspects<\/a> of the Cyber Workforce<\/a> and how critical it is to our new workforce to have speed in so many aspects that they dont want to do things manually, they want the automation, they want the modern environments, and thats one that i think we can all contribute to and is a very important ingredient to our future together. Wonderful, thank you. Sir, i hate to do this to you in true speed round format. Were going to shift topics in the seven minutes we have remaining and talk about the opportunity of accelerated Capability Development<\/a> that the Public Private<\/a> Cyber Security<\/a> collaboration offers us. And if you could take us home. I know you and claires organization are very collaborative in this space so feel free to ham and egg as you will. Absolutely. So we have 3,000 cyber professionals in the cyber branch in the army. And so some people say thats actually quite a few people, right . Some people say thats just a drop in the bucket. But 3,000 is what i start with. And its the combination of enlisted, warrant officers, our Commission Officers<\/a> and our department of the army as civilians. Its principally a military workforce, but we do have positions for government civilians also. Then of course we cant do it by ourselves, so we have a large contract workforce that works for us. And so if you start to look at where they come from, the dna is principally either from the signal force or from the intel force. And so you have a group of individuals that has kind of grown up either operating and defending a network or they have been intelligence collectors. They create accesses. You get very deep into a network and then generally generate foreign intelligence, but that access for foreign intel collection can be flipped immediately for effects generation. What were seeing right now is the requirement, the need for speed is so great that weve built within that small branch an even smaller cohort of developers. And so theyre the ones that are helping us build out our operational infrastructure, theyre the ones that are helping us build the tools, the apps, that are required to get after the mission. And so im in the same place everyone else is. Anything i can automate, anything that i can use to take routine tasks that, frankly, i dont need a human being to touch, thats incredibly beneficial for me. As a matter of fact, today we sat down and had the semiannual training brief for our Cyber Operations<\/a> brigade, the 780th Cyber Operations<\/a> brigade. One of the people we recognized was a warrant officer, cw2 so relatively Junior Warrant Officer<\/a> who had developed a script, so a simple script that the brigade estimates will save about 12,000 manhours this year. And what that allows me to do is free up that manpower that would otherwise be conducting that activity and apply them against higher order tasks. So thats one individual and thats the difference that they can make. What i will tell you is any operation that we conduct, our tool developers, we found, our malware analysts, those are the ones that are absolutely critical to success in getting after it in the speed we want it. When we built the Mission Force<\/a> initially, it was this idea that we would pool the developers in a very central location. If youre on a team conducting an operation, you would send the problem up, they would work it and send it down. In practice that just doesnt work. What happens is you spend a lot of time trying to describe the problem, trying to interpret the solution that a developer in that environment has provided for you. So what we found, at least in the army, is putting the developers as integral members of the team is essential because they see the problem, they understand the sense of urgency for a particular problem. They can develop a solution. You can test it in line. And what thats allowed us to do is tremendously expedite that development cycle. Now, that takes, we believe, a dedicated developer workforce. So the training that we provide, we actually have established a separate mos for that workforce and our developers are enlisted warrant officers, officers and civilians. So if you have the skills, thats a really special capability and for us its an absolute key to success. Now, does that mean we dont partner with commercial vendors . Absolutely not. We have great relationships. Many of the tools that our commercial partners provide are very, very useful for us. But in some cases that flash bang just isnt as tight as we need it to be. So having that core group of our own developers who are very highly skilled, again, integrated on the team, and what ill tell you in a couple of operations that weve conducted over the last 45 days, weve watched a developer come into a problem, break it down very, very rapidly, develop a script, fix a tool, modify a tool to meet that exact situation. And within minutes to hours, not days or weeks, were able to create that solution. Now, one of the things that we always have to judge is the risk. If youre developing a tool that you dont take a very rigorous ela process, what risk do i accept for both the operation and for the force that were employing. And so we have to be involved really alongside of the developers. You know, the team leaders, the commanders of the mission will come back to me and tell me we have a tool, we have a capability that weve been able to test. We want approval on it because weve got to get this thing, you know, on target immediately. And then based on frankly our confidence and the level, the maturity of the technology or the capability, if its a simple modification its pretty easy. Its a completely new technique, then sometimes we may not employ it right then. The other thing that has allowed us, though, to reduce some of that risk is a Development Network<\/a> that weve built where i can mock up targets that im operating against. I have a very high level of confidence on a very realistic rendition of an actual target that were going to operate against. I can throw that tool or that exploit. I can determine what the utility of that capability is and then generally go to the general with very high confidence that the capability will work. Its within an acceptable level of risk for employment and then we can get on with the operation. Excellent examples. Thank you. In closing, id like to thank all of you for your attention and id like to thank all of our panelists for your insights and more importantly your service in defending this great nation of ours. Thank you. Thank you very much. Id like to introduce our next panel. Tom, did you have a okay. Id like to introduce our next panel about enhancing cloud security. Also, if youll note theres some index cards on your seats and also the ushers all have them. If youd like to pose a question to the panel, you can write that on the card, just hold it up. The usher will take it, bring it up here and theyll do their best to address your question. So again, no cards on your seat or just find one of the ushers and theyll have them. The moderator of this panel is mr. Rob potter. Hes the chief revenue officer at veroden. The other speakers are miss ashley mahan, acting director from gsa of the fed ramp and secure cloud portfolio. Steve grobman, senior Vice President<\/a> and worldwide chief technology officer, mcafee. And scott fleming, head of professional services, Public Sector<\/a> and security from google cloud. Thank you very much. Rob, its all yours. Yeah, thank you. Thank you so much. So first off, thank you all for being here and thanks to the Wonderful Team<\/a> up here. Im glad we were able to fill out all the seats down there. So today we want to just talk about some aspects of cloud. Weve got some great experts up here to talk about that. I thought maybe a good way to kick this off was to really think about the differences and the comparisons between kind of traditional computing and Cloud Computing<\/a>. I thought a good way to open it up is to get some viewpoints on what youre seeing out there as what organizations are doing, the new risks that are being applied, some of the compliances around that, and just some thoughts. Ashley, ill start off with you. Really Cloud Computing<\/a> really presents that change in the way that i. T. Services are now being delivered. In my role at fed ramp, were seeing cloud and were seeing the government really look to cloud to innovate and to modernize their traditionally legacy i. T. Capabilities. So cloud presents that paradigm shift in the way an organization and one would leverage these technologies but a mind shift in the way we have to think about security. Absolutely. So theres a big shared security responsibility model with cloud. And its something that each organization really needs to have a customer approach, whether theyre going to be using a ias, a pas, a sas. Theres different responsibilities that a customer or end organization has to understand and be vigilant and deliberate in providing those. This is their craft, this is their trade but theres a lot of good security that is available to them and thats being done on their behalf. So its really kind of that partnership, which is very different than that traditional onprem model. And partnership with the vendors. Steve, what are your thoughts from mcafees perspective . What are you seeing out there . Absolutely. So cloud has really given us the opportunity to redefine how we build a Security Architecture<\/a> given the fact that weve been able to create the Cloud Computing<\/a> technology in the 2000s versus taking all that technical debt of the 90s forward has let us create new paradigms that give us inherently better security. But we also need to recognize that the scale that cloud operates means that when there are issues, the impact of those issues can be much bigger. Its almost like if you think about the comparison of automobiles and airplanes, clearly airplanes are incredibly safe, triple redundancy, lots of safety systems. So in aggregate its a more safe way to travel. But when there are issues, catastrophic things occur. I think thinking about cloud in very much the same way that although we can secure our environments using a lot of new capabilities, we do have multiple tenants worth of data. We are using things such as elastic computing which can make troubleshooting more difficult. If you think about the underlying technologies that cloud is hosting, its really a superset of what weve done in traditional computing. While you can still run traditional workloads in a lift and shift sort of mindset with public cloud or other clouds, you have all the cloud native technologies that we need to think through and make sure that were securing very much in the same way that weve thought about traditional capabilities. Thats great. Scott, what are you seeing out there from a Google Perspective<\/a> . Yeah. I think one of the big things is a lot of the fundamentals at a high level havent really changed, right . Confidentiality, integrity, availability, its all the same but really the details of how you implement that and how you meet those controls is really where it started to shift. So understanding the detailed technical level of that. Also understanding some of the different tradeoffs that you have that cloud provides. For instance, historically maybe you would have deployed a hardware security module in your data Center Versus<\/a> now you can leverage the cloudprovided Key Management<\/a> systems. Historically you may have dealt with Virtual Machines<\/a> on prem where you had a patch management structure, versus now you can think about moving to a managed service and shift some of that responsibility for patch management to the provider and now spend some of the time that you get back, right, to focus on other portions of maybe the data life cycle, other components relative to the broader security. So really the fundamentals havent changed, but understanding the details of how you really implement them is really, i think, the change that cloud has provided. Thats awesome. Simon, before i get some input from you, first i want to welcome you to the stage. We missed you a little bit on the intro there. I believe managing director at nominet here visiting us from the uk. I am indeed. So youre giving us the global perspective of whats going on in the cloud. Yes. Im actually giving you the global perspective. We recently commissioned a Research Paper<\/a> specifically looking at cybersecurity in the cloud. There is definitely a huge wave of organizations and different segments and verticals in organizations that are actually moving to the cloud. And we took a Research Poll<\/a> of about 300 companies through various verticals including some Government Agencies<\/a>. Out of that we found that 88 to 90 of Global Enterprises<\/a> are moving to the cloud at a rate that drops down significantly when youre talking about Critical National<\/a> infrastructure or more highly regulated organizations, down to about 64 . And then about some 50 for Government Agencies<\/a>. Obviously we work very closely with the uk government. We provide some of their services around their protected dns security, keeping the uk name space safe and available. And weve been working very closely with them to try and understand what that dynamic is and why governments and not just governments here in the u. S. Or in the uk but why the adoption is so slow. I think some of it comes down to theres data privacy issues certainly when youre talking to enterprises. Theyre very keen to understand when theyre pushing their infrastructure as a service, their platform as a service or business process as a service, where is that data being kept . Is it being kept locally . I think for Government Agencies<\/a>, especially when you have embassies and you have youre out in theater, et cetera, you want to make sure that that data is secure and you have some control around it. I think thats one of the big challenges we see out there. Yeah, i think that its interesting you bring up the concept of the government participation. I mean the cloud has definitely lowered the barrier of entry for Many Organizations<\/a> to participate, even in the startup world as much as the major enterprise world of the and i think thats where the importance of having some kind of conformity or compliance there is important. Are you seeing organizations embrace that concept with fed ramp or whats been your experience with that so far . Yes, certainly. So just within the last year alone weve had over 40 new Cloud Service<\/a> providers achieve a fed ramp authorization for their products so were continuing to see an uptick. But from a government standpoint, we want to make sure when were using these Cloud Technologies<\/a> that theyre secure. For any of the folks in the room that are aware of fed ramp and the program, there are quite a few security requirements that we have in place for our vendors to meet. And so thats one of the things is that theres a little bit of a cultural move. As agencies are getting out of the habit of kind of having it in with their own data centers, these onprem environments and maintaining those, getting them into the mind frame of moving things to the cloud, not having the control like simon mentioned, you know, theres definitely a lot of things there that theyre looking at. Theyre looking at contracts, theyre looking at slas, theyre looking at the monitoring they need to do. Its a different role and it tends to be a little bit of a slower movement. But what i advise a lot of agencies is make the move deliberate, well thought out crafted plan to move to the cloud. Its not going to be something that can be done overnight. You really need to make sure your organization is mature and enabling to start using the cloud. It seems like also there is definitely a shared responsibility. You talk about the role of government, but i think also as you guys have indicated, both steve and scott, theres a responsibility coming on from the Vendor Community<\/a> as well. Can you talk a little bit about how youre seeing that partnership and that shared responsibility . Absolutely. If you think about what cloud really is as its core, its about delegation. So for the core public cloud infrastructures, were delegating to a set of providers to run the physical environment, network power, all of those things, built on top of that were now having sas capabilities that is being delivered by a multitude by cloud vendors but recognizing that even when youre using all of these services that others are providing, its still ultimately the responsibility of the customer, of the agency to look at things like data loss prevention. Is your data going where you expect it to go, recognizing that youll have Security Policies<\/a> that need to span different types of cloud environments and different functions within the cloud. If we look at some of the cloud breaches that have happened recently, theyre generally not one type of exploit that has ended up in a breach, its been a cascade or sequence of events, very similar to what weve seen in other cyber intrusions. So theft of credentials, misuse of those credentials, using those to get access to a system and then exfiltrating data and even though youre providing on a cloud provider or application provider, its still ultimately putting all of those pieces together for the organization to have a Strong Security<\/a> framework and foundation. Yeah. And, scott, as youre seeing the expansion globally of different cloud infrastructures in that race to scale obviously is a challenge for many companies. What are you seeing as the new vulnerabilities as to how these infrastructures are being attacked or compromised inside of those infrastructure . Thats a great question. When weve looked over the last several years its been consistent. Credential theft, hijacking, phishing, right, and misconfiguration. Including patch management and misconfiguration. So theres a couple of consistencies there. One thats generally whether youre talking about ias, sas, pas, generally a customer responsibility component, partially assumed in some cases to have been the provider doing it or doing more. And so with that its really the expansion of how do we take these known kind of fundamentals, right, your account security, identity and access management, configuration control, and how do we apply those kind of fundamental principles now to cloud, right . How can we apply good account security, good phishing protection, phishingresistant multi factor authentication which has been around for some time but is not widely deployed. So how can we apply those fundamentals and get to that baseline is still an important part of cloud deployment as well as onpremise deployment. One thing id add to that is one of the things that cloud has brought us is a multitude of finegrain technologies so were able to do things at a much more granular level, which in many ways is tremendously empowering, but it also makes the Access Control<\/a> and the control model much more complex. So an i. T. Organization that is used to typically thinking about network controls or file share controls, the types of controls youd have in a classic organization that all of a sudden now needs to understand serverless functions, manage services, manage databases, a whole multitude of services that also innovate at a much different rate and pace than weve seen in traditional computing is something that we just inherently need to be prepared for. Yeah. I think one of the key things commonly that i hear out there in the market today is that complexity is constantly challenging organizations to understand how do they actually measure the effectiveness of those controls both in that hybrid environment, on prem and in the cloud, which i think simon really rolls into how do you make sure youve got assurances in place that are protecting the identities and some of the things that you had addressed and talked about. How are you seeing that be a challenge in terms of where youre seeing the attacks and where youre seeing the compromise of those identities internationally . Yeah. So i dont think it changes internationally from domestically. Yeah, i dont either. Moving on, the threats are the threats. Yep. The approach that most companies and organizations take, you still need to have a layered approach. Youre just adding some more complexity to your environment potentially. When you think about half of the organizations that are going up into the cloud probably have multiple cloud providers. Some have single cloud and some have a hybrid model. But the principles are the same. And i think putting mechanisms in place mitigates some of that and are key to multi factual authentication but its also about education. Education of your staff around this isnt an internal thing necessarily, you know. Youre putting all of these applications up into the cloud. It stimulates a different type of behavior, because they are im sure well talk about shadow i. T. In a minute, but the flexibility and the ability for the staff to start to use maybe nonpolicydriven applications that are based up in the cloud is much broader now. And actually you want to encourage that but there needs to be some policy around it to ensure that theyre educated in both the ramifications or the risks involved in using some of those nonpolicydriven cloudbased applications. Okay, great. Were going to augment a little bit here because the audience doesnt like my questions because theyre loading me up with a ton of questions. The first one i think is a little directed towards you. People are asking where do we see fed ramp expanding to, and then i think it expands to the rest of the panel in that a lot of companies and governments outside of the u. S. Are starting to look at this. How much of this are you seeing embraced outside of the u. S. And maybe some perspective from some of the Global Companies<\/a> here as well. Sure. Let me address that in two parts. The first one is where is fed ramp expanding to. Were really looking to embrace automation and a threat based approach to authorization and continuous monitoring. Right now were working on obtaining that Threat Intelligence<\/a> information, what is posed to our federal i. T. And were mapping that to the security requirements that our Cloud Service<\/a> providers need. From there well help empower agencies to have a risk based approach to this authorization where they say, okay. Maybe these 50 security requirements, if these are implemented on day one, youre going to address about 80 of the worldwide threats out there. And then in time start to incorporate the other ones into the boundary. But it gives the agency the ability to start using the product faster. As well as with those benefits. And not only that, were going to take that information and also apply it to continuous monitoring. So right now our Cloud Service<\/a> providers, they go through annual rechecks, audits of all the requirements. Many of them. And what were going to look is make that much more smarter. This real world threat information will also dictate what are the things we need to audit on an annual periodic basis as well. Just in terms of the second part of that question then ill turn it over to my industry colleagues here is that weve gotten a lot of feedback from state, local, tribal governments along with other sectors in the United States<\/a> that are outside of government that have recognized the rigor and security our Cloud Service<\/a> providers afford for. And the Cloud Service<\/a> providers afford for and we are we are in conversation, right, to talk and to provide that understanding, but we have seen, and ive heard time and time again from my industry colleagues that they do mention that a lot of other markets out there are very interested in that advanced status, as well. Thats great. Its great that were moving in this direction. If you think about our traditional environment, its very much, were protecting them and also comprehending, we might have to detect threats and then have plans to get back to a state very quickly, and in cloud, it feels like in the early days weve overrotated on just focusing on the controls and hearing that well actually expand much more into focus on detection monitoring, and ensure that if there is a threat within this environment that were prepared to detect it and then work through how do we actually recover. So not making the assumption that because we have this wellset controlled framework that we wont have any issues and then just have to deal with them as they come. I think its freiggreat that wee mauving in that direction. Ill jump into another question as we move into simon and scott and ill blend two questions here together, okay . So theres a lot of questions. There are about three of them talking specifically about how is cloud addressing, you know, protecting the supply chain as it moves out to the cloud and then more importantly, how are you also seeing iot organizations move out of that cloud and what are some of the aspects you see there related to security . Definitely. I think on the supply chain, one of the things that you see especially with the hyperscalers, right . You know, being able to manage that supply chain is critical, right . Yep. And also to have additional components to it and sometimes to manage that supply chain is certainly something that weve done and we bment out relative to that. So certainly very important there. Also just to touch back a little bit on the broader demand, i think that goes across the board, right . So from a fed grant perspective, its not just for having fed ramp or having a certain compliance standard, but then what does that bring relative to things like supply chain and having that in some ways already verified or checked, right . Understand that theres an overlay there, i think theres a critical part to that. Simon, i dont know if you want to expand on that. Its a massive challenge especially with the larger organizations probably in this room and when you talk about third party, fourth party, youre getting into thousands of supplies and its almost impossible to manage that volume and make sure theres little risk or reduced risk or an understandable risk in the uk. We brought in something called cyber essentials which was basically designed for smaller organizations that wanted to deal with the ministry of defense to give them an opportunity to still bid for larger contracts. It probably has had some success, but its very much certification and its on a trust basis because thats really the only way we can do it today unless you put some technology on their environment and youre starting to really sort of understand, you know, their own internal security posture. Yeah. So it is a huge challenge and theres not an easy solution for that. Simon, you made a reference before to shadow i. T. And since the next question comes up ill go right back to that one. It seems there are a lot of people interested in the whole leveraging the cloud for shadow i. T. , and how do you recommend people looking at that and making that move . Is it a is it a stepbystep process and are there certain best practices youve kind of seen . Best practices im probably the wrong person to ask for that, and you have Better Qualified<\/a> people in the audience. Fair enough. What i. T. Spend doesnt each go through the i. T. Group and it gets spent on things that they dont even have visibility of, which i think is a huge challenge and its about identifying the cloud applications that you can see, understanding the risk and the efficiencies of the applications and making decisions on whether they should be blocked or not. The second challenge is once youve blocked them you tend to find employees or another technology that theyll spin up which is probably less mature and actually probably more risky for the organizations. Its really difficult to manage certainly on the large scale and different departments and actually how they embrace shadow i. T. I think shadow i. T. Has really evolved in the way that we think about it when cloud first came out, shadow i. T. Was very much of a binary and either groups were doing things sanctioned or unsanctioned and having visibility to that was critical. The maturity has gotten to where organizations understand that there are some functions that having some level of autonomy and empowerment is a good thing. So if you have an engineering organization, and it wants to take advantage of the rapid cadence of new cloud capabilities. Right. Having that team be able to use them is a good thing as long as theyre operating with accounts that want to be managed as long as there are things like individuals leaving the organization and all of the controls around those sorts of processes are comprehended and if we recognize that theres a wide range of functions and everything from i. T. To finding very precisely exactly how a Cloud Service<\/a> will be used all of the way to a monitored and managed semiautonomous environment for say a highly technical team. I think we do need to be more embraceful of that, and im sure that we can at least monitor it. I think to that point, its important to point out that theyre trying not to do something malicious. Theyre trying to get their job done better and faster and thats where cloud is an enabler and when they have code even to the level of compliances code where you can deploy the environments in a rapid manner and you can make the right choice, per se and also the easy choice for those users and thats where cloud can be an enabler upon. In some of the research that weve done as a program is we created basically a whole new baseline catered to the use case that we saw in government for using shadow i. T. It was lowrisk situations where the data going into these environments was relatively low risk, right, to the agency and we wanted to make sure that we had a manageable framework for this type of use and a lot of these products were easily available in terms of 19. 95 a month and it might have been too much, right, from a security standpoint and so we created fed ramp taylor in the spirit of addressing the shadow i. T. That weve seen out there. Thats great. Thats great. I find it interesting. All of you mentioned through the talk, the concept of data. I think ive seen at least three of these questions talk about the challenges and the cloud of really establishing a multitenant environment where you can stop the bleeding of data. Obviously, theres been a couple of huge types of data breaches in cloud environments over the last several months where it had to do with the controls that were in place and not creating the multitenancy with the bleeding of the data. How do you see that changing and becoming a focus from the Development Perspective<\/a> and implementation perspective. I think it becomes the responsibility at every level of the stack to understand how the data is controlled. So if youre a vendor building a multitenant architecture, understanding what is providing that separation of data. Similarly, if youre an organization using Cloud Service<\/a>s and coulding where your data is going is critical. So anne just talked a little bit about shadow i. T. And theres a lot of these lowrisk capabilities. There are also a lot of very high risk, and a lot of things that weve seen with our customers is people using services that convert documents to pdf is one of the most common and the fact that its run by some Chinese Company<\/a> with no name. Like, that would be a good example of you definitely want to block those and then make sure that data that is lowrisk data can freely go to places that youre okay with. I think one of the other things from a cloud provider perspective that we can really help with is understanding the implications of the controls that you put in place or of the settings that youre changing of the actions that youre taking, right . So helping customers understand if i do this with this data here and i set this fire wall ruler and i set this control. What are the downstream implications and one of the things cloud does provide is the set and its more of a rule set valuation and if you do this, and heres the ten downstream implications you may not have thought of and you can bring that information to the forefront and you understand the implications. Simon, youre seeing the same challenges especially with gdpr and thats becoming a multifactor protection. Weve been through that process to making sure because of the nature of the government business is actually critical to make sure that we can prove that that date is is segmented and is safe, but it needs to be taken into the context at the start of a process, not at the end of a process. What were seeing with the rfps and the itts coming out, thats something that theyre stipulating and what i want to understand is the segregation of data even within their organizations. I want to thank you for participating today and thank you to the audience for the Great Questions<\/a> and we look forward to interacting with you through the rest of the day. Thanks a lot. [ applause ] thank you very much for a great panel. Now it is my great privilege to introduce to you the last, concluding session for our firsthalf day here. Our fireside chat will include Ann Neuberger<\/a> and general akasoni named her the new director of cybersecurity at the nsa and directly reporting to emperor nakasoni and he launched a new cybersecurity directorate which she will lead. It will become operational so this is a very timely fireside chat that will be delivered and run by milu howel known to most of you a longtime cybersecurity investor and executive. So if those of you who are on the sides can come in, we look forward to a great fireside chat and we will now begin. So ill turn it over to nilu. Tom, thank you so much, and this is a thrill to be having this conversation with you. With the announcement of the cybersecurity directorate. Before we get to that i want to talk about you for a second. You have had interesting roles being in the Operations Directorate<\/a> and being the first chief risk officer and working in the commercial Solutions Center<\/a> all of which sets you up to be the Perfect Choice<\/a> to run the cybersecurity directorate. Whats even more interesting and unusual is that you didnt start your career at the nsa and its an agency thats known for having a lot of people that spent their life there and you came in as an outsider from the Financial Services<\/a> sector. I would love to understand first what led you to make that decision and maybe what were the Lessons Learned<\/a> from the private sector that you brought to the to your work at the agency. Thank you very much, niloo, its great to be here and have a conversation with you as a cybersecuritydirector. I was a refugee in new york, and my grandparents came as refugees and they raised us to feel a tremendous sense of gratitude and have the opportunity to be americans, to have the opportunity to my father would often talk about just the freedom of opportunity, the ability to pursue what everyone wished and to try to make the most of oneself in a country where there wasnt a sense of class, and to feel that was a debt that one had to pay. As a new yorker, i lived in new york through 9 11, and in 2007 i just had this sense driving home from work one day that it was the u. S. Government was struggling with our world in iraq. There were civilians dying, Service Members<\/a> dying and i heard my fathers voice saying sometimes for freedom its time to give of oneself and give of ones time. I recall i had a professor tell me about the white house fellows program. I quickly called him before i could change my mind, and i came into govern chlt as a white house fellow and i worked with secretary gates and secretary of defense and then after a stint in the navy moved over to nsa. So you asked a question about how those private sector experiences shaped the way at least in this role, seeking to approach cybersecurity, and there are a few different ways. First, i started my career as a Computer Programmer<\/a>, built some of the companys first efforts to allow people to buy stock shares online and i recall the pressure to get code out versus get secure code out and thats certainly something. How we drive to secure code, as a cybersecurity industry we need to address today. The second factor certainly is, within the Financial Services<\/a> there is something called the back office and it sounds really boring and uninteresting and that back office is what drives hundreds of millions and billions of transactions every single day and theres a cross sector that no one company can address alone. So seeing that and understanding that the weakest link across the sector could bring Systemic Risk<\/a> to the entire Financial Sector<\/a> was something i lived working in a back office and certainly the Financial Sector<\/a> has made a lot of progress in the last 12 years since i left the private sector and thats the way we approach risk. I think then, finally, as i mentioned i was a Computer Programmer<\/a> and at the time the sec had a rule that company his to retain stock certificates for seven years. Right. And we had floors and floors of stock certificates to retain for transactions and at the time, we wanted to scan those and make them available quickly. Any time someone called in with a question, so we were making the case that retention could mean retaining a virtual copy and not a physical copy. The answer is scanning it when theyre off would throw off the machines so we had to do interesting things coding with action and daisy chaining cereal printers to generate bar codes. Bottom line, policy has to keep up with advances in technology for us to make the most of technology and thatsing certainly in the cybersecurity and we see it in the Intelligence Community<\/a>, as well. Thats a fantastic segue to talk about the cybersecurity directorate because theres no question that we have to reimagine cybersecurity and its just phenomenal to see the agency taking a leave by setting up this directorate. What what led to this . It happened within the first day of general nakasoni becoming the head of the nsa ask Cyber Command<\/a>. Is this simply reorganization or is there a strategy behind it . After a year, the director of nsa talked about a sense that the National Security<\/a> landscape of the country had changed. Our adversaries could achieve impact by tactical actions so attempting to shape confidence in a democracy, stealing intellectual property to gain military parody with the United States<\/a> as the most advanced military in the world and he had a sense that as those trends in the cybersecurity area also changed more sophisticated capabilities and easier to use, sophisticated capability that nsa had to up its gain and thats what drove to stand up the directorate and to set up a mission come is to prevent and eradicate cyber actors from the National Security<\/a> systems and Critical Infrastructure<\/a> with the focus on the Defense Industrial<\/a> base. I want to pause are pause for a election, to prevent and eradicate threats. Its, i think, appropriately aggressive. Can we get there . We must. The nation sighs it of us and we see the scope and scale, thats everything that we do we do with other agencies andal lease around the world, but the threat demondays it and the nation works to achieve it. As you work it achieve that Mission Statement<\/a> and the initial standupdate is october 1st, and by the way, assuming it comes from the private sector, any time someone says the government doesnt work fast enough i hope people appreciate how incredibly fast the new directorate is being created within the Intelligence Community<\/a> and its months from announcement to initial operating capability. So october 1st is the standupdate and what is the first director ate. Ill take a note to publicly thank my team. You are correct. Are you getting sleep . To get that done. So what are our priorities . Three things. I would characterize them as unify, focus on the cybersecurity problems and enhance collaboration. What do we mean by unify . We want to deepen the collaboration between our threat Analysis Community<\/a> and our Assessment Community<\/a> and there are mitigations community and most importantly the people in those communities, so the people who really understand threat, there is ader havarie ader have combine that with defense and the people that understand the significance and the scale. Bring those communities together, deepen that and focus them on cybersecurity outcome. Ill give an example. Ns hshg nsa generates hundreds of reports and in it we assess threats and we also have a defensive mission that builds a crypt on graphic algorithms and provides security advice for the nations most sensitive systems. They Work Together<\/a> and we want to deepen that and generate one product, ideally unclassified and quickly to make it really usable. As i noted, the final priority is enhancing collaboration and doing it in the unclassified space to truly bring together all of the elements needed to quickly identify a thread and pull on it. One of the unique attributes of the nsa is that it signals a Cybersecurity Mission<\/a> and that could be a virtue if one informs the other and its certainly been aspirational, and it sounds like the goal is not just aspirational and get to a place where offense is informing defense, is that right . It is. Theres also a shift. Weve heard a lot of feedback that some of the information we would share. For example, do main names are temporary and by the end of this year theyre no longer useful so its a shift to say yes, and when we share threat information at the unclassified level it needs to be more context. What are the overall goals of the after . How do they pull together those goals using particular infrastructure to launch against a particular set of targets and we want to change to the more tactical information being shared to pictures that help cybersecurity individuals every day use that information for better impact. So what are the biggest threats that were facing in cyberspace and are we actually set up to face them, prevent and eradicate them . So first, clearly, ransom ware is the focus and weve seen the roughly 4,000 ransom ware a day and in the Intelligence Community<\/a> we put a tremendous focus countries and what their plans are and how they use cyber to achieve their strategic objectives and each one does things different because their strategic objectives are a bit different. When we look at russia, we see a country that uses cyber integrated and below the level of armed conflict. They also use entities that arent necessarily easily tied to the government whether the Internet Research<\/a> agency for potential elections influence or mercenaries to fight military conflicts in ukraine or syria, for example. So certainly a very sophisticated actor and always thinking creatively about how cyber help achieve its broader objectives. When we look at china, i think theyre perhaps best characterized with three examples of the kinds of operations strategic, capable, scope and scale of how they use cyber to achieve their National Security<\/a> objectives and military. Three examples. The opm attack, the cloud hopper set of activities and ip theft. So opm. Essential essentially stealing information about every american that holds a clearance. You can think of how easily that could be useful to a country seeking to identify potential spies. Certainly, secondly, cloud hopper, a set of activities targeting managed security providers and managed Service Providers<\/a> and of course, thats of interest because by accessing one, one can gain credentials and move across those trusted connections between different targets, and then finally ip theft. China has done ip theft, the subin case a recent fbi indictment is a businessman directioning military hackers toward specific Aircraft Technology<\/a> that would be useful to china to accelerate their military development. Ill quickly sum up two other major actors and clearly iran, very volatile to use its attacks primarily, and north korea who always fascinates us as nationstate criminals using creative ways whether its crypto, and Crypto Mining<\/a> to gain hard so if we gen gain the per near, do we have the place place to give this information to controls the National Security<\/a> systems and ultimately Critical Infrastructure<\/a>. You know, the mechanism is the easy part. A number of people in this room have been involved to create a mechanism over the last number of years. Whats more challenging is creating the under enzi and the Operational Intelligence<\/a> to rapidly share what everything is relevant and ideally were sharing the prevent exploitation rather than be a part of the team that helps with incident response. Bottom line, its recognizing the power we have to prevent an attack through rapid sharing and ideally at the Unclassified Network<\/a> so it could be easily used to defend a network. The great example might be the Russia Small Group<\/a> and that was a specific task force that was created to protect the 2018 midterm elections and you let that task force. What were the Lessons Learned<\/a> and how do you apply them more broadly with the cybersecurity. First of all, i coled that with tim hawk, was a great example of bringing those organizations together and each bringing the capability for a better effect and it stood up out of a realization that something had dramatically changed and we had to reboot as a u. S. Government. No influence operations had been around since the days of adam and eve, but what i would change was the age of social media where a country seeking to influence could do direct focus and also broad messaging and very specific to particular ethnic groups and particular elements of a country in a pretty cheap way and second, cryptocurrency which essentially allowed doing it anonymously looking as if one is an american if youre aiming to influence americans. So we realize that that took a more creative approach to address and protect our democrat see. We work closely to ensure and work with dhs and feeb, bi, and work in a way that could be quickly actionable and had information about how social media was being used and how individuals were seeking to be anonymous so that could be rapidly shared with social media providers and hopefully those accounts have been in their one terms of use. We also work to share our lessons with other countries and ask them that when they had their own elections they should please come back, share with they learned with us so we could together ensure that we were defending a population and our democratic processes to the best that we could. How successful were we with russias small group and with protecting the election. Were tremendously proud of the work we did with nsa, Cyber Command<\/a> and dhs and the fbi, and let sure that every american knew their vote counted and their vote mattered. How do we take this forward to 2020 and what are the biggest threats that we should be concerned about with respect to the 2020 election . So were taking the same threepart approach and ensure this Threat Intelligence<\/a> and gain those insights and share that intelligence and be prepared to impose costs on an adversary who may attempt to influence the elections. And im sure you saw chris craig stated elections as one of his cree priorities as well. You mentioned ransom ware earlier. How nervous should we be with ransomware with respect to the 2020 elections. It is interesting and according to a malware bites, they talked about targeting individuals and targeting entities and that would be a key concern. The best protection is the best security advice we give and ensure it has computers with admin access shouldnt have access to the internet pact and mostly make stay and elections are managed by state and local and teach them and make them aware of the dangers and many Ransomware Attacks<\/a> sta are the by clicking on the wrong thing and if they have a kriet cal roll, and what were protecting is the root of trust which our and whether its election interference, weaponization of news media and deep fake, it seems that a cybersecurity director would be to help that root of trust. Does nsa play a role for the nsa rule of trust with the democracy. This is something im particularly passionate about because my family history. My dad grew up in communism and thats shaped by growing up as a child in a country where the average citizen does not have trust in government and at its root its a question of bush nyer talks about democracy dilemma which means that its the ability for individuals to talk and influence each other and debate big issues is also, in many cases the root of our weakness and that people can be influenced and their opinions change with false information. So the best defense is each of us as americans understanding that there are malicious entities who seek to influence us online and seek to appear to be children americans and influence online and really learn to question what we see online, the role of anonymous accounts and how we communicate with those. Yes. Looking who and share that with the fbi so they can work closely with mead why partners to shut down that activity. What youre talking about is a while, because its about individuals and its about academia, schools and education broadly. Absolutely. So lets shift for a second to the Defense Industrial<\/a> base, a place where nsa has very Clear Authority<\/a> to protect. 20 or 30 years ago is pretty clear what constituted the Defense Industrial<\/a> base, but as we move to off the shelf software, and as we move to cloud providers and operating systems that are commercially available, it seems to me that how we think of about the Defense Industrial<\/a> base has shifted, how should we think about it today and how will nsa engage with this increasingly broad set of organizations to protect the dib . First, we see three things and theres a great deal of risk because it allows countries to gain those technologies and put our, the United States<\/a> investments in rnd at risk by gaining parody. Similarly from a capability perspective it allows Foreign Countries<\/a> to jumpstart their advancements by essentially leveraging the United States<\/a> investments in research and technology and we see that as well across our economic sector. Were stilling intellectual prospectory and it can put a future economic strength at risk. So essentially we look at it in two parts. One, we cant expect a company to fully defend itself against a nation state actor who will put investment and effort, time and people to gain what it seeks, but neither can the government be completely responsible to do that work. So theres a balance between the two and were looking for certainly creative approaches to share Threat Intelligence<\/a> and also ways to allow Smaller Companies<\/a> to quickly jump their cyber capabilities. One of the things that we used to 100 rely on the nsa for is setting the Building Code<\/a>s and standards for what secure software and what secure hardware looked like and nsa seems to have retreated a little bit from that role with the standup of the new cybersecurity directorate and will it set the standard again and the Building Code<\/a> for har are hardware, and is that a way to address this issue of security with the dib number we talked earlier about the Mission Statement<\/a> and the first rule, you recall is prevent. At the end of the day we make our seesh Security Risk<\/a> far less. Nsa has a mission thats not well known which is essentially the National Security<\/a> system so we build the keys and codes and we build roughly a million keys and codes each year that are the root of trust for secure command and control for the armed forces and various Government Agencies<\/a> and allies around the world and in that mission we build the cryptography and we must play a role with other agencies like this in areas where we have unique expertise and its in all of our interest to have products built strong. And just to pull on that thread for a second, as we look at next generation of particular techs, 5g is one piece of it, but quantum and thinking about postquantum, how involved will this directorate be from the standpoint of thinking ahead of the curve in terms of the Technology Trends<\/a> that are happening and how can we make sure that we dont fall behind . Absolutely. Quantum is a great example where the potential development of a quantum computer puts a particular kind of cryptography at risk which is the root of much of internet commerce. So we are already playing a role in building quantumresistant cryptography and well be deploying that across where we deploy a million keys plus another set for Nuclear Command<\/a> and control. Its clearly an area of interest and an area that fits the category i mentioned earlier and unique, Technical Expertise<\/a> and clearly of interest to National Security<\/a> systems and the defense, the Defense Industrial<\/a> base and armed services. So as we think about those issues, the question of partnerships comes to mind and you had mentioned the new cybersecurity directorate, and what is the new expanse of set of partners that come to success and whether theyre Technology Companies<\/a> and Service Providers<\/a> and how important are the partnerships and what role will the nsa play . Partners are key, and when i talked earlier, you asked me is prevent and eradicate possible . We owe it to the nation and that was across our partnerships and across government, we can do the cio and the Acquisition Community<\/a> and Cyber Command<\/a>. Across government working in partnership with dhs supporting their mission of supporting Critical Infrastructure<\/a> and nsas long participated in something called common criteria and as countries, it makes it easier to build to a certain security standard and sell to multiple countries and clearly, the private sector and those unique insights and specialized insights that control systems and the private sector is often the first indicator of a significant threat or significant compromise and working sector in an unclassified mission is a big focus that we seek to achieve. So the theme of the conference is a call to action. When it comes to protecting the country, which is dods mission and protecting people as we said in cyberspace. The status quo is clearly not enough and its one of the reasons were all here and its one of the driving forces behind the new cybersecurity directorate. If you could wave a magic wand as we think about the call to action, what is one immediate thing that you would want to see done . Whats one midterm thing and as much as i dont like the term moon shot because its very specific, what would be one moon shot as pirational call. I would say this, first, cybersecurity is a leadership question across the private and Public Sector<\/a> and reach an agreement to do the things that are difficult that need to be done, and when we look at the things it we know it represents risk and whether its the connection to control systems and standards exist, but we havent chosen as a community to actually implement them so that would be certainly one thing and that leadership across the public and private sector, but ill go to more specific i cant resist the question here. So first, i would say from a media perspective one thing and then ill add a 1b, if i could, so one quick thing is we see rampant abuse of the structure and the internet wasnt built for security and it was built for ease of communication and in that case, implementing things which should have started which make that abuse of internet structure more difficult. The dmark, and the internet routing and the dns for internet addressinging and those elements that make that internet infrastructure more secure. Second and related to that would be broad access to protecting dns. Dns is a key way that adversaries use for command and control for exploitation and making broadly available and secure connection that they exist and theyre easy to use and a shout out to the british partners who made such Services Available<\/a> across government. We in government could help by adding or con tributing our tlet threat, from an immediate perspective and then from a medium or longer term there is identity. There is a hodgepodge a vam think about we being xhien kate. Beyond who to trust so mip of influence operations masquerading as americans is because anonymity is online. So if we can achieve that it would have a broader impact beyond cybersecurity. So that would be the longer term approach i would advocate for. No moon shot. Ill keep thinking. Okay. I want to wrap the talk up with this. Enduring Security Framework<\/a> is something you were involved with and its an interesting model on how to operationalize public, private partnership and achieve real outcomes and can you take a minute talking about esf and what it is what was achieved with dsf and how that can serve as a model . So Public Private<\/a> partnership is foundational to what needs to happen with sush security and that was a really good example of an effective private Public Partnership<\/a> and ill quickly tell the story that the nsa had sensitive threat information about an adversarys development of a set of exploits. So foundational to the first part of the computer that boots up. Yep. And through the security frame work that had Key Companies<\/a> we shared the threat information and then worked together to build the Technology Standard<\/a> with updated bias. And then we linked that to use the power of procurement and to the duty began saying in 2012 they would only are only clients and services, pcs and servers that met that standard. The industry is ready because of the advanced work they had participated in to define the technical standard and the key piece was that to actually implement that required linkage across to manufacturers oems and certainly in the operating systems. Since they were ready. So bottom line, from 2008 we are 8 of pcs and servers had bios that jumped from 2016 to routine servers and client that had firmware that met the standard that had been defined by technical experts working across, public and private to address the threat and the computers were more secure and i look at that as bringing the best of the governments insights and Technical Expertise<\/a> with private sectors Technical Expertise<\/a> and the willingness to partner and roll out improvements to address a key threat. I wanted to bring this up because esf is such an example of private ask Public Partnership<\/a>s to drive together much like Russia Small Group<\/a> is an example of a very different context and to be successful it just strikes me that thats how we need to operate. It cant be about silos and government here and private sector here and it cant be to, Everyone Needs<\/a> to drive to an outcome and how confident are you that its in a broader sense and not just with a specific set of activities. Ive seep tremendous progress. Government playing the unique role to improved and it demands, and a lot of work done between government and the private sector, the solution is private ask Public Sector<\/a>s working together figuring out what white looks like,ing is the when when is, to doing that together to achieve a world where we prevented and eradicated cyber actors from the systems that we most rely on and that we most care about. Fantastic. You actually finished on the dot as the countdown went to zero. So thats just how precise anne always is. I want to thank you for coming out for the leadership of the nsa and recognizing how much the Threat Landscape<\/a> has changed and the need to organize and address that threat. We really appreciate you being here and just a huge round of applause for everything you guys do. Thank you. Thank you so much. Im going to invite tom to come back on stage and give us closing remarks. Thank you. Lets. Lets please give them another warm round of arc mrauz, please. We couldnt end on a higher note. We thank you all for being with us today. We look forward to a great day tomorrow, and lets give a round of applause, please, to all those who have supported us as sponsors today and all those who have come as speakers. So if we could give them a round of applause, please. So we have a phenomenal day starting tomorrow. This exhibit hall will open at 7 00 a. M. And the sessions themselves will begin at 8 00 a. M. And i just want to remain you that the first session that mark kerr from sinak will moderate and will feature for cio for dms and the rebecca mckayo for boozallen and the sissel for the department of energy and scott roche from the cia and Chris Valentino<\/a> at Northrop Grumman<\/a>. So well have a full day after that, as well kicked off by final keynotes from the head of cybersecurity for dhs, chris krebs. From the head of the ncsc kyle martin and the interNational Cyber<\/a> directorate. We have a great day tomorrow. Thank you all very much for coming. Have a safe drive back and we look forward to seeing you back here. Thanks so much. Weeknights this week, were featuring programs as a preview of whats available on cspan3. Tonight well show you a university of Pennsylvania Class<\/a> on 18th Century Power<\/a> struggles among native americans and colonial settlers and european empires. Its part of a seminar for high school teachers. Thats tonight at 8 00 eastern here on cspan3 and this week were also airing book tv programs on prime time to show you whats available on cspan2. Tonight the theme is science and technology with authors gary marcus, Thomas Malone<\/a> and kelly harding. Watch that tonight beginning at 8 00 eastern over on cspan2 and on cspan tonight its more from campaign 2020 with former Vice President<\/a> joe biden. Hes in rochester, new hampshire, today. Watch that at 8 00 eastern on cspan. Thinking about participating in cspans student cam 2020 computation, but youve never made a documentary film before . No problem. We have resources in our website to help you get started. Check out our Getting Started<\/a> and downloads pages on studentcam. Org for producing information and video links to footage in the cspan library. Teachers will find resources on the teachers materials page to help you teach student camp to your students. My advice to anyone that wants to compete this year is to find a topic that youre truly passionate about and fpursue it as much as you can. This year were asking middle and High School Students<\/a> to create a documentary on the issue that you would like the candidates to address during the 2020 campaign. Cspan will issue 100,000 in total cash prizes and plus a 5,000 grand prize. Go get a camera and a microphone and go start filming and produce the best video that you can possibly produce. Visit studentcam. Org for more information today","publisher":{"@type":"Organization","name":"archive.org","logo":{"@type":"ImageObject","width":"800","height":"600","url":"\/\/ia601006.us.archive.org\/15\/items\/CSPAN3_20191009_195000_Federal_Cybersecurity_Policy_Priorities_Forum_-_PART_2\/CSPAN3_20191009_195000_Federal_Cybersecurity_Policy_Priorities_Forum_-_PART_2.thumbs\/CSPAN3_20191009_195000_Federal_Cybersecurity_Policy_Priorities_Forum_-_PART_2_000001.jpg"}},"autauthor":{"@type":"Organization"},"author":{"sameAs":"archive.org","name":"archive.org"}}],"coverageEndTime":"20240716T12:35:10+00:00"}

© 2025 Vimarsana