Transcripts For CSPAN3 Aspen Institute Discussion On COVID-1

CSPAN3 Aspen Institute Discussion On COVID-19 Vaccine Distribution July 11, 2024

Interview of the new acting director of CISA, the Department of Homeland Security's key cyber official, Brandon Wales. I'll be back at the end of the day for the summit's final session, a conversation with three of the top cybersecurity voices on Capitol Hill: Senator Mark Warner, Representative Will Hurd and Representative Lauren Underwood. I would also strongly encourage you today to take a look at our new report, released yesterday by the Aspen Cybersecurity Group, that laid out a national cyber agenda for the Biden administration and the 117th Congress. It outlines actionable steps, the art of the possible, as we call it in the cyber group, and help build a more secure foundation for the internet and our digital economy. A full report is available at aspencybersummit.org. And many of the key voices that went into writing that report you've heard from at the summit already and today. I'm pleased to introduce my friend from NPR, who will be speaking with FBI Deputy Assistant Director Tanya Hubert, J&J officer and Eli Lilly chief information officer. Welcome. Over to you.

Thanks very much, John. It's nice to see you, even virtually. So, today, you have everyone's bio. So, I don't think I need to reintroduce our panel. But what they're going to offer us, I think, is a way to look at the year, and back at the year, in a context of cyber and health care, and give us a little bit different way to look at the latest efforts to get the vaccine out to the public. We actually have some news on this, by the way; we'll get to that a little later. Basically, the New York Times reported that cyberattacks related to cold storage of the vaccine have been going on since August. It's unclear whether this is about ransomware or something more sinister. We'll get to that in a minute. What I thought we'd do is divide the discussion basically into three parts. We're going to look at the broader issue of cyber threats and attacks on the health care sector as we wrestle through a pandemic.
We're going to look at the security and protection of intellectual property related to the vaccine. And then finally, as related to today's news about hacking the cold chain, we'll talk about the security, protection and defense of the supply chain for the vaccine. So, what I'd like to do... oh, if you have questions, I'll try and field those as we go along. And we may have time for questions at the end as well. There's a Q&A function; I think the team at Aspen will explain how you guys need to put those questions in. And with that, I just wanted to start maybe with Meredith. I thought I would start with you, as the CISO at Eli Lilly, having to deal with all that we're dealing with in a laboratory setting, with laboratory people either having to be in pods or working remotely: are you dealing with more attack surface because people aren't all in the same building, they're spread out?

The answer is yes. We do have a unique footprint as it relates to our service, because we made a decision around the pandemic, around the March 8th time frame, to send all of our team globally home to work. There are individuals that need to touch specific equipment in our labs and places like that, so we put some measures in place to be able to protect their safety while they were actually interacting with that specific lab equipment that we couldn't pick up and take to someone's home. So, we did have an opportunity to still have a small portion of our team still going into our physical location. But it was far and few between. Over 16,000, 17,000 of our team members deciding to work from home, based off of the concerns about their health and safety. So, yeah, the attack surface now has incrementally grown over that period of time. And we continuously, as an organization, ensure when our team members are at home working they're still putting those security principles in practice, even if they're sitting in their own home offices. I think sometimes we can get a little lax when we're at home.
And we don't always think the same way when we're in our physical work location. But I think we've done a really good job of rolling out a robust education awareness program of how to protect those secure space within your home environment. Yes, we've seen an increase in that and attacks as well because of the pandemic.

So it goes beyond just "don't double click on that weird phishing email." It may have to do with authentication of routers, is that what you're talking about?

All of that, yes. We put together a packet with our team members to say, now that you're in your home environments, here's the technical controls you need to have to operate and carry out the business of Lilly. We have a VPN, we need to access the data that you need in order to perform your role, without you putting that information on your local device and things of that nature. So, we gave them a toolkit to follow, saying, here's the questions you may be asking, here's our recommendations for how to deal with that. Then we work with those things together to make sure we're not seeing increased exposure. One of the other things that we talked about, initially, I can say, we didn't really think through, I think, at the beginning, was around the idea of printing. So, we get so comfortable printing in our physical locations at work. But now, you're starting to put things that may be confidential at home. So, how do you support those printouts? How do you destroy them appropriately? We tried to pick it up on what a home worker would need to know to make sure they, themselves, and their devices and data and places they visit are protected.

So, you were sending out shredders and safes?

We didn't do that. We did give opportunity to say, if you have a home shredder, here's the one we recommend if you do that. One of the other things that I recommend, that I really appreciate our leadership going down this road.
We knew that people now working in these home environments, and from ergonomics, from a security perspective, we gave each member of the team to say, I need to outfit my workplace differently now working 100% from home. If that meant you needed to get a recommended shredder so you could destroy documentation appropriately. If you needed to get even a new chair so you can get functionally careful as you're working every day. There was an allowance offered to every team member who needed to make adjustments. We offered the recommendations. We gave them options and said, here's what you can pick from. And then you chose what you can bring to your work space to make it comfortable.

NPR gave us chairs, so that's clearly on this. So are your concerns... I'll get to the other panelists as well. Have your concerns changed since March? I mean, have you seen things, when we think about ransomware or phishing attacks, are you seeing things, is this progressing or evolving?

What we're seeing, I know Marene and I had this conversation before. Some of the activity, most of the activity that we see is standard for us. This is typically what we see in our environment in terms of exposure, attacks, interest in our organization. Those things are happening every day. And that's no different. What I have found, though, the use of social engineering to be able to get a foothold in an organization by way of provencal scaling and things of that nature, I think we've seen more of those attacks and they've become a little more sophisticated than we probably have seen in the past. But that doesn't mean that the volume in terms of what we're seeing is shocking to us. It's common at this stage of the game. But I think there is this turn-up on the sophistication of it all. And if we're not training our team members appropriately to look for those indications of whether something doesn't look quite right from the message, we can find ourselves in a world of hurt.
We try to focus a lot on our training of team members at this time, and specifically as it relates to the individuals working in the development and research space. Because we know that they will be a target. They're the ones who are actually working on our response to COVID. So, from that perspective, we tried to use training and education to thwart those attacks.

Do you think some of the social engineering is working better now because people are lonely and by themselves in their house?

I don't know if it's the loneliness. I don't know if that's what makes them susceptible to it. I know I've done it myself; I feel like I'm working more now that I'm at home.

Right.

Being able to shut off and disconnect is harder now because I'm sitting here in my office and I get a chance to get things done. I think because we're moving fast, we're moving to really tick those things off of our list, sometimes we can move a little too quick. And then we click and open or expose our organization that way. I don't know if it's the loneliness, but I do believe we're moving quicker, probably, in some instances, and that creates problems for us.

Maybe journalists just get lonely. Marene, let me move to you. One of the things we know from public reports is there was a hack. A number of different medical or health care companies, including Johnson & Johnson, with North Korea. Those complaints came earlier this month. And they were trying to steal allegedly sensitive COVID information from Johnson & Johnson and others. Can you walk us through what that kind of experience is like?

First of all, Dina, thank you very much for the question. But I would say, what is called an attempted hack is not a hack.

Fair enough.

Clearly, it was a cybersecurity organization, and they're clearly different items. Health care companies literally have seen an onslaught since March 2010. That is the day that the Chinese actually started a hard knock of most of the health care in the United States.
And there was a lot of talk at the time, those who knew that they had seen attacks or had seen that stand by a nation state, and those who hadn't. And there was a great outreach and a great calling out, working with groups like the FBI and Homeland Security, on what was this all about. Why discussions, discussions in health care, of what was needed in a space to secure us. Meredith and I and all CISOs in health care are seeing attempted penetrations by nation state actors, not just North Korea, every single minute of every single day. We have four primary threats that I try to categorize in health care. And one, just one of them, is nation states. The other is a criminal element, looking for anything that they can monetize. We have something called hacktivists, people who are trying to, either through social media or attempt to sway pharma companies about what the prices should be, as well as a threat. And with the vaccine and with development and therapeutics, what we've seen is we're now on a grander stage, where people... oh, wait a minute, there's a company that I should actually be looking at. Hey, what can I do there? So, we've seen that rise. Now, what we don't know, and I see, you know, many different attempts at consortium, now where it's just code. It's just a binary that somebody is going to try to put in my network. They're going to use things like email and links to social media to get someone in my company to click on it and bring it into my house. Just muddy boots coming in the door. And in the health care industry, we have the health act with the Department of Homeland Security working with CISA. We work together and we have this code. I don't have the resources to know where it came from, and where it's been hacked from. And working with our federal agencies, working with our government agencies and others, we provide that information, which then tells us, wait a minute, that's code that came from North Korea.
Now, the warnings are going out. Now, much of the large pharma companies have the skills and cybersecurity organization to be able to detect this malicious-like code and protect against it. Unfortunately, not everyone has that in the industry.

And working, any indication that there's like a focus on trying to get something COVID related because everybody wants it now? Is there a bigger appetite for it?

Well, there's only going to be so many people who can get information and turn it into a vaccine. Then, we're going to have the group of people who just decide that, well, I don't want the world to have a vaccine. So, there's not really much of a difference. So, we have the protection capabilities that we've built. You know, in this instance, looking at the vaccine production. And you got to remember, J&J has a plant in Wuhan, China. We were able to see what was happening all along. We saw with the virus about a 30% uptick in what I will call hacktivist or criminal-type activity trying to monetize anything they could. I guess when people were out of work, they decided to be hackers on the side and coming in and see what they could monetize. Again, large companies, well-secured companies have the defenses against that and are able to defend very easily. But again, in general, about a 30% uptick. That was specific. I'll be honest with you, most of it didn't, wasn't going for virus. You know, it could be hard to tell because people will try to come in on one side to laterally move across the company.

Sure.

And then if there's ability to detect it is what helped us. Now, much like Meredith, we took a concerted effort: anyone who was working on vaccine production, anybody who was going to be working on intellectual property, what were all of those systems, to lock them down, provide minimum necessary access. Those are just terms that we use in the security industry to say, protect it. And then we did that and, as Meredith talked about, the social media.
About the June time frame, we saw one of the other companies really have some issues with social media, which we talked about at the H.I. board meeting. One of the things that happened when we put that out, we all started to see some of that. So, we informed our people to be aware of it. If you know, shut off social media. Don't go in and click on anything that is linked. And gave people guidelines to make sure they were secure.

And do you have a little cybersecurity moat around COVID stuff or is that everything?

No, no, we're in talking mode, that's what we do. We create moats. And a moat sounds like we closed ourselves off. Well, what reality did is we provide the ability for the business to operate in an insecure environment, given the right controls and the right risk.

Gotcha.

I think, Marene, that was excellent in terms of the examples that you show. One of the things we also found on our end is that our third parties that we partner with in order for us to carry out the mission here at Lilly, we do see an increase in terms of third parties being attacked or victims of ransomware and things of that nature. Of course, the third parties critical in the research arm of what we do, when they start getting attacked it becomes a problem for Lilly, to make sure our chain is protected and that we're continuously able to deliver those lifesaving medicines. We did see an increase in that. Probably this year, we've done way more incidents around our third parties than we've seen in the last couple of years.

Right. The really big hacks, they generally are through an HVAC system or something like that. That's why I asked you about routers. Tonya, I don't forget that you're here. I wanted to bring you in. Nice to see you. I wanted to bring you in and talk a little bit about the security components of Operation Warp Speed. And Eli Lilly and Johnson & Johnson are among the players of that. I don't think we know what the cybersecurity side of Operation Warp Speed looks like.
You can give us an idea how that works in practice?

Sure. Well, I can speak a little bit to the unique role that the FBI plays as part of that. But as you alluded to, there's a lot of different players, both across the federal government and the industry and health care sector as well. I think that's what has made it so strong. I think from the FBI's perspective, we have the advantage and unique role of being both a domestic law enforcement agency. And what we attempted to do with the supply chain through the threats is to use our role having access to classified intelligence to understand what adversary plans and intentions are. So, see the threats as they're forming. To use our broad domestic presence, with our 56 field offices, hundreds of other satellite agencies, we're really embedded in communities and we have enduring partnerships with research institutions, companies, et cetera. Where we can have that information downgraded, which effectively means at a level that we can share it, ideally, before something occurs. Then, as an operational agency, we can actually act on what we see. And that's where the type of direct engagement with these organizations is so important. Just like Marene described, when one organization, like a university or a company, sees this type of threatening cyber activity, they can use not only to investigate it, but also to share that information with the intelligence community, with network defenders. Share it across and help everyone strengthen their networks. So it's really most effective when it's operating at all of those different levels.

Right. And in this kind of environment, are you getting more back and forth than you were in the past? I think there were sometimes when companies were a little more reticent to let DHS or FBI know they have been compromised?

We have been extremely proactive in our outreach. That's been a maturation in the federal government, especially in the past few years.
Some of that was in response to well-deserved feedback that we would receive from the private sector, not really appreciating having multiple fed
