Transcripts For CSPAN3 Discussion On Infrastructure Security

CSPAN3 Discussion On Infrastructure Security July 12, 2024

Congress, where I played a role in the founding of the Homeland Security department. I call myself one of its grandmothers. One of its grandfathers, that would be Thad Allen, or I think he's one of the grandfathers, I'm not sure, is on the call with me, and the rest of you children are the successors, and I think that it is really wonderful today that we are having, I guess he's by phone now, a lot of Zoom issues, with Chris and a panel organized by Meg King, who heads our Science, Technology and Innovation Program, and a number of, a rest of you on the phone. The topic is "What's Critical: Evolving the Security Playbook for Managing Ones, Zeros and Everything in Between." While it's not as much fun to see you all, or some of you, online, Chris is on the phone, it's not as much fun as seeing you in person. If any group could make a conversation interesting it's our Science, Technology and Information Program. Today we're joined by the nation's chief risk officer, Chris Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Leave it to Congress to include security twice in your title, Chris. Chris will talk about how the department has protected America's critical infrastructure in the past and what we need to do going forward. Chris has briefed me frequently as a member of the Homeland Security Advisory Committee and the Homeland Security Experts Group, doesn't have security twice in either name, and even showed up last year at the hacking conference in Las Vegas. I was there too. I was a dinosaur in the room. This is Chris's second tour at the department. He was previously senior adviser to the assistant secretary for infrastructure protection and part of Microsoft's government affairs team after that. Chris has an impressive command, I know this from talking to him, of the threats we face and has been at the forefront of tackling our election security challenges and ensuring our networks remain resilient during a global pandemic and when the workforce, even when the workforce all moved online from home, where security is harder to verify, et cetera. Chris will give remarks and our newly minted Berkeley Ph.D. public policy fellow Melissa Griffith will interview him. Then a panel of geniuses with the able Thad Allen in his pickup truck, Homeland Security's Bob Polasski and CenturyLink's Kathryn Condello will follow to dive deeper into the challenges posed in securing critical infrastructure, both digital and physical. And just before turning this over to Chris, let me say again how blessed I have been to have Meg King in my life for a decade. She's taught me lots of stuff, especially about all this. Please welcome, I think by phone, the director, Chris Krebs.

Hey [ inaudible ] I actually, I don't know if you're seeing me, but I was able to do a couple runarounds here at the office. Does the video come through okay?

Yeah. Okay. Great. We see you but your mouth isn't moving. You may be frozen a bit but we can hear you.

That all right. Here's what I'm doing. Okay. Okay. How is that? All right. Let's try this here. Okay. All right. I think I got it now. Sorry. It's giving us some challenges here.

That's much better. It's much better.

Came. All right. Here's what we're doing. I will give you a little bit of an overview of what we do. Thank you, Congresswoman, for that overview. I will talk to you a little bit about the things that we're focused on right now and some of the developments and shifts we've seen in the critical infrastructure risk management space. As pointed out, we are the Cyber and Infrastructure Security Agency. For shorthand purposes I drop that first security.
We made the argument that the second security was an appropriate modifier, that we didn't need cybersecurity, but Congress felt it was important to have cybersecurity and infrastructure security. It's a better name than we used to have, the National Protection and Programs Directorate, which, if you can tell me what that means, I'll owe you 100. It was not a very descriptive name for an organization that is the nation's risk adviser. Primarily our authorities are voluntary, public-private partnership oriented, and what that means more than anything is that I can't make anyone do anything. We've got to really understand where the risk is out there, the shifts, the trends, the best practices that are happening across industry and in government, distill them down into something that's usable, shareable, actionable, and then get them out to as many of our stakeholders as we possibly can. Shouldn't be much of a surprise to anyone, but the United States critical infrastructure community is quite large and, in fact, you know, being kind of the American go-big-or-go-home approach, 16 critical infrastructure sectors. I say that to be able to contrast it against some of our partners in Europe and elsewhere that in some cases only have five national critical infrastructure sectors, or eight is probably the most I've seen, particularly in Europe. We have a larger footprint of infrastructure here, but we view it more expansively, and that's important and I will touch on that a little bit later. But nonetheless, given this voluntary approach, we do style ourselves as the nation's risk adviser. We are not the nation's risk manager. The nation's risk manager would have more of a compulsory authority where I could tell people to do things and then they would do it. But instead, we ask people to do things, gently, we give them useful guidance that actually provides some value, and we find that in that approach, where you do try to understand what our partners need, we can get them to do things.
Really quickly, over the last several years we've identified I think five key shifts in the way the critical infrastructure community is managing risk. The first aspect is that it's becoming quite clear that risk is shared across all sectors. The second is that supply chain risk management is critically important. The third piece is vulnerability management is also evolving and becoming more effective. Fourth is it used to be a security practice, it's now evolved into a resilient approach to critical infrastructure risk management. That's evolving further into an antifragility approach where you get better with each event rather than just surviving the event. And lastly, we're seeing organizations take a much more enterprise-level understanding of cybersecurity risk management, and that really begins in the C-suite and then percolates across the organization. Back to the top, shared risk across all sectors. It's something that you've probably heard me or others say, that if you tackle risks in silos you'll miss the bigger picture. And what we have seen over the last couple of years in particular is that adversaries, particularly Russia, China, and a few others, don't necessarily come in knocking on the front door. What they understand are some of the dependencies between organizations, and will exploit some of those trusted relationships. There's one event, a campaign that the Russians launched a couple of years ago, where they came into the energy sector, but not directly into the energy sector. They actually came in through a construction contractor. When you think about Target, Target was breached through an HVAC contractor. So shared risk, risk is shared across organizations, and in part that's because the commonality of the systems we use far outweighs any of the uniqueness within specific sectors. Control systems is another example.
So those things that make water treatment facilities, their equipment, move and click and tick and work, that equipment is very similar to critical manufacturing, you know, thinking about hard infrastructure and manufacturing or power generation. A lot of those control systems are consistent, with unique applications at the edge across these control system spaces. Second piece, as I mentioned, supply chain risk management. Three or four years ago, supply chain risk management was not top of mind for most organizations. You'll get to hear a little bit on the next panel from two folks who think a lot about it, including Kathryn from CenturyLink, one of my longtime partners in crime in critical infrastructure risk management. But some of the work that we've done on the supply chain risk management side has really sprung up over the last few years through some of the work we've been doing at CISA. You should absolutely pay attention to the folks on the panel. Next, vulnerability management. This has particularly come into stark relief over the last six months. It's been a heck of a year for vulnerability disclosure. What used to happen ten-plus years ago was you would have researchers or other organizations that would find vulnerabilities, they would race to the public and release them, and what would happen in that sort of situation is you actually give the adversary, or any number of adversaries, the advantage over the defender. So really arising out of industry and the security researcher community was the development of a coordinated vulnerability disclosure process where there's actually a brokering that happens now, where a security researcher that discovers a vulnerability can say, hey, I found this thing. Let's work together to make sure the systems get patched, the updates are broadly provided, and then I can get my credit in the community for discovering this and you can attribute the discovery to me.
That, again, coordinated vulnerability disclosure, is something we do, we play a key role here in CISA, and we manage and fund a project that handles that facilitation of the researchers and the vendors, and we play a broker role and we can help amplify once patches are available. And even in organizations more broadly we're seeing the researchers brought into the [ inaudible ] process. We're seeing researchers brought into operations and maintenance. There's been an absolute surge in bounty programs where organizations like Microsoft, where I work, will offer money, in some cases big money, a hundred thousand dollars, for at least at one time, for Windows 10 vulnerabilities to researchers that would, you know, conduct their research in an appropriate manner, but if they found something, they could turn it over to the company. They'd get the money and the recognition, and the good aspect of all this is the good guys can patch it before the bad guys can exploit. The fourth piece is this security to resilience to antifragility. Back at my last tour here at DHS I was in an organization called Infrastructure Protection. It's all security all the time. It's not necessarily true because resilience was one of our top priorities. But there was, you know, the thought was that it was only about security and guarding at the perimeter. But over time what we've seen is an absolute embrace of this concept of defense in depth. It's not just the perimeter you want to secure, but you have to assume that the bad guys are going to compromise your perimeter, and in this case for cybersecurity, your networks. How are you guarding and defending the crown jewels? And so there's been a significant amount of work and an emergence over the last year or so into what's known as a zero trust concept, where you just assume the network front to back is adversary territory and you have to figure out how to, you know, basically how to have secure communications in an untrusted environment.
That resilience piece has to continue evolving. It effectively turns into a whack-a-mole game. Excited about some of the research that's happening, and this was a big push of springing forward in an incident or in a response. How do you become antifragile, and really all that is, is learning in real time, employing defenses that improve your posture, not just maintain your posture, through an event. And that's I think the next evolution of this security-resilience shift. And the fifth and final risk shift that we've seen over the last several years is cybersecurity at an enterprise level. Typically, historically, security had been the domain of the security team, but what I'm keenly aware of is that the security team alone, without executive support and the funding and the push to become more innovative, will never achieve their objectives. And so we have really expanded our outreach and efforts to not just the infosec team, but the board of directors, to educate them that cybersecurity is a business risk as much as financial risk is. And they need to treat it accordingly. This past fall, coming up a year now, where did 2020 go? Last fall we issued our Cyber Essentials product that bucketed good security practices into three primary areas, strategic, technical and tactical. And that strategic, the strategic buckets were focused on two things. First is, cybersecurity starts with leadership. You're only going to have a successful program if your leadership buys in, supports and takes part. And the second piece of that, on the strategic side, is you have to have a security culture throughout the organization. Anybody that touches the network or has a device that's on the network is part of the team, and you need to make sure that you're defending them properly but also that they have the tools and resources to secure themselves. So, again, you know, it's not just about the security team. It's about getting the executive buy-in.
And that's important because once you've got awareness where you need awareness, and principally I'm talking about capital expenditures and investment, once you've got that awareness and the ability to really set the organization-wide budget, you'll get the investment. Through that investment, that's where the real capability shifts and you close the gap on security, where that really happens. I think I'll wrap it up there before we shift over to the fireside chat. Five things that we've really seen a significant shift in over the last several years is that risk is in fact shared across sectors. The second is, supply chain risk management is as important a discipline as cybersecurity in and of itself. Third, within cybersecurity, vulnerability management is the place, one of the places, where you can make the most advances to secure the network. But relatedly, it is about resilience, it is about defense in depth. And lastly, if the leadership is not bought in at the enterprise level, then you're never going to get where you need to, both on the investment side as well as capability and development. Just a few thoughts out of CISA. Looking forward to the fireside. I'm not sure if it's going to Congresswoman Harman or Melissa?

Thank you so much. We have Jane Harman, who has the first question. We'll start there.

I actually have a two-part question and an observation, Chris. I think you're a breath of fresh air. I think you know, you're brief, and every time you give it, and now we can see you, we were just going to hear you, now we can see you, I think you are a great, great credit to this administration and to the department. So there. So my question is, first, the recent hack of all the fancy Twitter accounts was principally done by a kid of age 17 with two polices.
That prompts the question, do you have the people you need to stay ahead of 17-year-olds, metaphorical 17-year-olds? And the second part of the question, I recall back in the old days when we were putting the department together and doing NCTC, doing intelligence reform, we kept talking about the need to change a need-to-know culture into a need-to-share culture. Obviously, sharing is good. However, sharing also means that you have more vulnerabilities. I guess, do you have the people, and is this need-to-share idea still the tag line, or is there some new one that I'm missing?

So on the hiring piece, I had suspected it was probably not a nation state, a nation state, and criminals. It speaks to the way we need to evolve our hiring practice. Through the general schedule approach, that is based on a system from 1929, almost a clerical hiring approach for supporting prior administrations or the government in and of itself, it really prioritizes experience in a professional setting, college degrees, postgraduate degrees, certification. That's just not how cyber works. What I've found is there are some candidates that we're getting that come out of college and do a post, get a graduate program, and then one year of experience, and then there are othe
