Transcripts For CSPAN Biden 20240705 : vimarsana.com

CSPAN Biden July 5, 2024

This is about an hour. Thank you for coming out today. The first U.S. regulations were drafted more than a century ago. The one I remember was a steamboat explosion that led to safety regulations that we see now. 50 years ago we entered a time of deregulation. What we found is a unique balance that looks at the burden on companies, the needs of safety and security. Also, it avoids technology specifics as much as possible. That would be an ideal system moving ahead. We are going to talk about the role that agencies and sectors play, the approach that TSA has put forward, one of the success stories of this administration and any other. We'll talk about what DHS is doing. This is an exciting time for cybersecurity. On a final note, when we look at regulations that began in the 1820s, there is a series of automobiles and telephones. Somewhere between 20 and 40 years it takes to develop adequate regulations for a new technology. The one difference is that unlike some previous efforts, we have foreign opponents and they are eager to exploit things that we leave unlocked. Our speakers today are going to discuss this. I will read the titles. A full bio is available on the website.

It is great to be here. Jim always has great insights on cybersecurity. When we are thinking about new ideas, he is one of the first people we call. As much as it sounds like an explosion in the 1830s, the Colonial Pipeline hack was a transformative moment in the United States. Oil and gas pipelines across the entire East Coast were disrupted. Cars were lined up at gas stations. We were confronted with the idea that a criminal group could disrupt major critical infrastructure in the United States.
When the president asked the question of what our cyber safety for infrastructure is, for the companies that promote hazardous materials, promote clean water and health care, critical services that Americans rely on, the answer was that almost in all cases, we did not have minimum required cybersecurity practices. The president gave direction to say, take this on, address this. I will tell the end of the Colonial Pipeline story in a moment. That work led to a review to say what executive authorities the government has. We know there had been attempts at legislation over the decade prior. How can we put in place practices that we have heard so many times? The first authorities identified were the Department of Homeland Security and a combination of what had occurred in Colonial regarding threats to pipelines and other critical infrastructure. Both Rob and Dave will talk about that. The way that was done was to first bring in those companies, and engage with them. They will talk more about that process. First-time visibility that it has provided, not only regarding specific threats but across a given sector. We know there is a threat and now there is a common visibility about the level of resilience and if it is appropriate for the threats that we face. That model was then used sector by sector. I want to show you this chart. I want to call out the National Security Council, who has been driving this work, and the agencies who participated. It captures the Biden administration's efforts to drive for those critical services we rely on as American citizens. I will say at the beginning of the administration, there were minimum requirements in sectors like the nuclear sector. Rob will talk a bit more about what was in place for the chemical sector. The first column you see ahead of you is the set of sectors where there were largely unused authorities that could be used to require minimum resilience practices.
The middle area are areas where some level of rulemaking was required. Looking at existing regulations for safety and applying them to cybersecurity. If we need safety for the amount of chlorine applied to a water system, given that these are digital systems. The final column shows you the sectors where there is no ability to impose the minimum requirements that we rely on. You will see clearly some of the sectors there. I wanted to show you this chart to highlight that cross picture across all of critical infrastructure. We will deep dive on the first program where major progress has been made. Making those movements as well as the EPA and real progress that has been made in the health care sector. With that, we will turn it over to that deeper dive and put in practice how this played out in those minimum cyber requirements. We will distribute the chart after the event. I could see people trying to take pictures of it. We will make it easier for you. If you look at that chart and think, oh my, there is a lot of information. Next up is David.

Thank you. It is great to be here and see everybody in the audience. I appreciate your comments and the reference to the regulations. It is really apropos to what we are seeing today. We had the advantage in TSA of having really strong law that gave us authorities to require transportation entities to address threats that we saw, sometimes on an emergency basis, other times with limited notice. We did, when we saw Colonial; I saw this occurring a little over two years ago. We have to think about that and think about all that has happened in a short amount of time. It is not just TSA, it is many government agencies involved in this. What we did, Colonial had the report. One of the first questions asked was how common a ransomware attack in the pipeline sector is, how common? The first thing we did in the same month was we issued a directive requiring critical cyber. We defined what the incident was.
A really important thing we did was we decided that this reporting would be something we want to have across critical sectors. Let's make that go into one place. All reports went into the agency by design. There was the responsibility to transmit to other agencies that had an interest; that would have been TSA and hazardous safety agencies in transportation. The Department of Homeland Security had a keen interest and the department had an interest as well as the Department of Defense. Single reporting was very important. As we have gone from the pipeline sector to the rail line and announcing in aviation, I think it has proven its worth. Reporting goes in, everyone gets the same reports. Information can be different enough to cause some confusion. The second thing we did, we required that the companies assign a cyber point of contact that was available. We got the report, we had someone that we could call for additional information if that was necessary. Even if it was two or three people, it was helpful overall. In May an incident occurred and we issued the report. There were specific measures that we required companies in the pipeline sector to implement as quickly as possible. It is important to note that when we issued this directive, we intentionally did not issue it to every pipeline in the country. What we looked at is how the department defines the critical elements of critical infrastructure. Which owners and operators are more critical to that sector? It was those that we chose to cover by our security directive. We issued that to fewer than 100 pipeline companies, with very specific requirements. The reaction was, are you asking us to stop doing some of the things we are currently doing which we think are good? This will require significant investment and probably change some of our core business practices. We looked at that and had a lot of back and forth with industry representatives.
We had a series of roundtable discussions with them and in the span of a year they did a lot of work on the requirements we had in place. This was from a cybersecurity directive. Within one year's time, we did a direct pivot with the help of the industry and came up with performance-based regulation. Rather than saying to them to do specific activities, we outlined four key outcomes for them to achieve. Then we said, here are the outcomes. We want you to come back to us and give us an input, give us an implementation plan to tell us what works for your business to achieve the outcomes we have required. Those were network segmentation. It was the lack of that that caused the major disruption that we saw in May of 2021. The first was, we need to ensure network segmentation. The second was to put measures in place to achieve access control of the critical cyber systems. The third was to do continuous detection and monitoring. It is one thing to put measures in place, but if you are not monitoring constantly, that is not as helpful. The last was, particularly in pipeline, there are literally thousands in a pipeline, going across vast distances. Mainly they are controlled through electronics. Some are not. One of the things we said was, you need to give us a prioritized plan using the system established for patching systems. Give us that plan. The industry, I would say, did an incredible job on this. What we saw from an agency perspective has been an enormous help to us in designing a regulatory framework that I think works really well. Secondly, they invested a lot of money and time to be able to put measures in place and pivot to this performance-based model. The second thing I required was a cybersecurity assessment program. That stands for the proposition that we have the outcomes, we need to see objectively how you are achieving those outcomes. That will feed back into the revisions of your implementation plan.
As you offer up measures and we approve of those, are we seeing the improvement of the achievement that we require to see, and if not, what do we need to change? This builds a constant revision process into the entire system. The other thing I think is really important is that we also require them to do vulnerability assessments and have a response plan. It is one thing to be able to prevent, it is another thing to build resiliency. If the attack is even partially successful, you can be as resilient as possible as a critical operator in the system to be able to respond. What we are going to do when we issue our directive coming up this summer is to add an additional requirement which we have already exercised with one of the companies: tabletop exercises. We found the learning from that to be incredible. It was important to understand how you're going to receive information when a cyber attack occurs; secondly, how do you pivot from responding to the cyber incident to responding to what would be a crisis in many cases, depending on the extent of the intrusion and the level of interest from the public. At TSA we found a significant value in that. It is one thing to have a plan, it is another to execute off the framework. It is unlikely that it will have the exact scenario in place. The other thing that we have worked really hard on is, how do we bring all of the federal agencies in alignment to be able to make an incident and the response to the incident as effective as possible. When the Colonial Pipeline incident occurred, the CEO was fielding calls from all agencies, oftentimes asking the same question and sometimes in a slightly different way. What we were able to do here was bring the federal agencies into the exercise so that the company could see that we have got all the agencies here. That for them I think was reassuring. That there would be some level of that. It would not be perfect but there is an effort to coordinate forward.
In closing, what we have done since then is gone from the pipeline sector to the rail line sector and used the exact same framework, which allows for the tailoring of the specific measures to the business model. Some are brand new; they recognized from the threat that they need to do more. It also allows us to account for technology changes. We don't need to change the regulatory framework. That provides for a great deal of flexibility. I would like to exercise how important the partnerships were to our collective success. We would not be where we are today without the partnerships in the pipeline sector, the rail sector, the rail line sector. To the extent that we can bring some standardization, standardization is really important. It reinforces that we are really trying to partner very closely with them because we view this as, we are all in this together and we all need to work together to be able to increase our cybersecurity resiliency and improve on the protections that we have. Thank you.

Thank you. That is interesting; we will come back to those points. What companies might expect moving forward. Rob, over to you.

Thank you. People expect us to protect them when they cannot protect themselves. Food safety, national defense. American people are in a position to be in those lines of work themselves. The same goes for this modern area of digital threats. Whether it be very sophisticated in ransomware or the most sophisticated. We saw with Colonial Pipeline, and when you see gas lines in North Carolina and Virginia, the American people asked, what can be done to protect me from that as well? That is why we have gone into action. Our work to protect the American people is a mix of voluntary programs and mandatory programs with companies. I would say the vast majority of our work is under voluntary. It has been growing in success and sophistication.
There's also the realization that there needs to be a standard that any company delivering essential services to people needs to adhere to. That is not a new concept. There have been regulations over the financial sector, the nuclear sector, the energy grid and others for a long time across administrations. What you're seeing from this administration is a thoughtful and systemic approach. We are doing this to say, let's make sure there is coverage where there ought to be and it is rational. So that the industry knows what they are stepping into. In that regard, we have put a lot of focus in ensuring that in those cases where every other approach has failed and some regulatory approach is required, we are doing it in a surgical and tailored, risk-based and thoughtful way together with industry. That means we are doing things like setting common frameworks from which regulations can spring. They are not mandatory, prescriptive controls saying you need to have that on your IT or other, but rather are outcome-based. Ones that companies should drive toward. They can pick the way and have flexibility within the context of their business and how to get there. That is a more efficient, less costly, less burdensome way that can allow for experimentation from companies that can figure out what are the best kinds of expectations. We are also taking steps to make sure that only those entities that need to be regulated are regulated. That goes to Dave's point about selecting only the highest risk tiers, or having multi-tier systems where they have to meet higher thresholds and lower tiered or smaller may have smaller businesses. They don't have to undertake such a great burden. We are also looking at harmonization opportunities. It is really imperative upon us as we take the steps to make sure that we are doing it in a way that makes sense when you look across the different actions that we are taking.
For example, Congress last year passed landmark legislation that called to issue regulations to mandate incident reporting for very significant cyber incidents. That mandate from Congress falls into a sea of other incident reporting mandates, from fake federal regulators, international regulators, that can be overwhelming for a company that already has a lot going on in the 48 hours after falling victim to a cyber attack, that it is incumbent upon us to make sure we are minimizing paperwork requirements. One thing that we are doing and we expect to report to Congress in the next month or two is, through the Cyber Incident Reporting Council, all of the key federal agencies including federal regulators, we are closing in on proposed model definitions, timing triggers, ways to structure a regime so that a victim company has to have the minimum amount of destruction as it gets to the information that the government needs to protect the nation, but not more. We are undertaking all of these mitigating approaches as we deliver the kinds of protections that the American people expect us to protect, when it comes to things like their drinking water, their power supply, their ability to transport themselves by air or rail or otherwise. That is our strategy.

Great. You covered a lot of ground and that was helpful. Rob hit at least three of my questions. Let me start with one that is a nice think tank discussion. You said you select companies in the highest risk tiers, how do you do that? How do you determine who is highest risk? When we started doing this I said, I would pick the 10 biggest and forget everyone else. That did not fly. How did you do it?

I will start. I will use the rail sector as an example. To the example you gave, if you just look at the biggest freight railroads, you would not get all of the ones that are critically important. Sometimes the last mile is important to get something onto the freight system. That is part of what we look at.
What are the largest systems, what cargo do they typically carry, and are there any last mile operators that we need to include? That is where a lot of the great
