
CSPAN Federal Officials Discuss Cybersecurity August 8, 2016

The Department of Homeland Security. DJ Johnson from the FBI. Jen Silk from the Department of Energy. Let me set the stage for you a little bit before we dive in. Over the past eight years, and some would say longer, the country has faced an alarming increase in the number of cyber incidents against the public and private sectors, incidents which have ranged in scale and sophistication and severity. Last week, President Obama ued we are pleased to convene this group of experts to provide feedback. It is so important that we provide feedback on how best to implement this policy. It directs the Department of Homeland Security, in coordination with a variety of different federal agencies, to submit a National Cyber Incident Response Plan within 180 days. We understand that a draft plan will be ready for you in September for your comments. In the meantime, we hope that you will use today's event to talk about the plan, to ask questions about it, and to ask questions about how the writers intend to coordinate with all of you, the stakeholders. Many of you have participated in the Chamber's cyber education and awareness campaign and you've come to the events held around the country. We appreciate that. One question that we unfortunately still hear far too often is: who do we call for help? Who is in charge? Where do we go if we have an attack? We're going to answer some of those questions today. The new directive maps out these lines of responsibility within the federal government when responding to significant cyber incidents. And Michael is going to define for you what "significant" actually means. It's important to note that the directive doesn't apply to every cyber incident, intrusion, vulnerability or breach, and Michael will explain how the directive goes into detail on each of those.
We appreciate the administration's efforts to take the lessons learned from previous cyber incidents and provide the needed clarity to chart a clear path forward for interagency coordination about the roles, the responsibilities, and who's in charge during significant cyber incidents. Today's discussion is an important step in bringing together government and industry. An open dialogue is the only way we'll be able to effectively address the increasingly sophisticated cyber threats facing American businesses and businesses around the globe. We look forward to a continued conversation to help shed light on the role that the federal agencies play in responding to attacks, while emphasizing the importance of coordinating with victims that voluntarily report a cyber incident. This may surprise some of you, but businesses genuinely want government partners in the fight against organized criminals and groups carrying out state-sponsored attacks, and the Chamber welcomes the administration's move to incorporate the new policy guidance into the exercises. Let me turn this over to Michael and his colleagues. Thank you.

Michael: Thank you, and thanks to the Chamber for agreeing to host this event today, and thanks to all of you for taking time out of your busy schedules to talk with us. There's no substitute for these kinds of discussions, and I'm really very excited to have this opportunity and very interested in the conversation. Thank you also to my colleagues from DHS, the FBI, CTIIC, Energy and Treasury for being here as well. I think they'll really be able to give you a flavor for the interagency approach that we have to take when dealing with significant cyber incidents.
Let me just set the stage a little bit for you about how this policy fits into our larger strategic framework, and then we can talk about sort of the core elements of the policy, and then I will turn it over to my colleagues to go into more detail about their specific sections. This administration has consistently pursued three overarching strategic goals. One is: how do we raise the level of cybersecurity in our public and private sectors, and do that over both the short and the long term? How do we better disrupt, deter and interrupt our adversaries in cyberspace? And because we know those first two things are going to fail some of the time, how do we actually get better at responding to and recovering from cyber incidents when they occur? And this policy (we're still getting used to the number, because they don't number them until literally the President signs it, so we're still incorporating the number), PPD-41, fits squarely into that third pillar of getting the government's house in order. It's a presidential directive aimed at the government agencies to tell us how to get ourselves organized more effectively to address cyber incidents, and specifically significant cyber incidents. It draws on the lessons, as Ann said, that we've learned over the last eight years, both from doing cyber incident response, everything from OPM to Sony to the DDoS attacks on our banks, to Ukraine, to you name it. We drew on that experience. But also the learning that we've done from our long history of responding to terrorism incidents and our history of responding to natural disasters, and how the government uses its machinery to respond to those types of incidents. All of those lessons have been incorporated together into this PPD. So let me give you sort of the overview of the structure of what we were trying to accomplish, and then we can take it from there.
First and foremost, the PPD establishes a set of principles up front that we actually will apply to our response to any cyber incident. And none of these are particularly, I hope none of you found them shocking. None are particularly earthshattering. They were very straightforward, but we found it very important to articulate that these are the principles that we're going to apply when we respond to cyber incidents. So this is the idea that we're going to come with a unity of effort, that the government is going to bring the full weight of our machinery to bear, but in a way that's actually organized. That we recognize that we have to do this in partnership, both across the federal government but also with state and local partners, potentially with our international partners, and with industry, with the people, for example, that are sitting around this table. We recognize that one of the things that we need to do is to focus on safeguarding the victim's information, and actually also treat the entity that's been affected by a cyber incident as a victim, because that's what they are. And also to foster restoration and recovery. So the PPD then goes on to establish lines of effort and a coordination architecture for dealing with significant cyber incidents. And this is an important point. What we found as we looked out at our experience with cyber incidents over the past seven and a half years is that for many incidents the existing machinery, whether in the FBI or DHS or Energy or Treasury, was perfectly good at responding to your run-of-the-mill cyber intrusions, which unfortunately have become way too common, but those could be handled with existing agency machinery and procedures.
But where we needed additional help, where we needed an additional framework put in place, were those incidents that could not be handled through normal means, those incidents that exceeded the capacity of any single agency to deal with under their normal resources and normal sort of standard operating procedures. And so those we defined as significant cyber incidents: those that are going to pose a measurable threat to our national security, our foreign policy, our public health and safety, public confidence, all of those things. To organize our thinking in that space and to make that a little bit clearer, we developed a cyber security severity schema for sort of measuring and categorizing incidents that constitute those threats. And we actually published that severity schema with the PPD so you can have some insight and transparency into how we're thinking about cyber incidents within the federal government. And basically the idea is that the PPD's machinery that I'm about to talk about, that it puts in place for the government, is really aimed at those incidents that cross the line into the significant category: those that pose that unusual threat to our foreign policy, our public health and safety, our national security, our national economic security. And that's really how this PPD is designed. So there are two big parts of the architecture that I want to talk about. One of which is applying the idea of the lines of effort. One of the things that we realized is that as we are responding to a significant cyber incident, we are going to be pursuing three lines of effort simultaneously within the federal government. Now, that does not mean that they will all proceed exactly in lockstep with each other, but all these activities are going to be going along concurrently. And this is: how are we responding to the thing that was impacted by the cyber incident? That's what we call the asset response. How are we responding to and trying to figure out who the bad guys were?
That's the threat response. And then how does this fit in with our larger picture of what's going on, and how does the larger picture of what's going on influence how we're responding to those first two lines of effort? And that's what we call our intelligence and supporting activities. The PPD also recognizes that there's a fourth line of effort out there: if you're the affected entity you're going to be doing a whole lot of stuff, and if the affected entity is a federal government agency, that federal government agency is going to be doing a whole lot of stuff, including communicating with its workforce, communicating with stakeholders, whether it's shareholders or Congress, communicating with the media, customers. Trying to just figure out how to keep revenue coming in the door, how to keep business operations going. And we sort of think of that as the business continuity line of effort. So we recognize in this structure that all of these things are going to be happening simultaneously. On the government side, the PPD assigns a lead. So DHS is the lead for the asset response, in coordination with the sector-specific agencies for that particular sector if that company happens to fall into one of the 16 critical infrastructure sectors. The FBI for the threat response. And the Cyber Threat Intelligence Integration Center for the intelligence and supporting activities response. And we recognize that the impacted entity is going to be leading the business continuity response. And so that's really the way that we're framing up the lines of effort. And then beyond those lines of effort, the PPD actually provides a coordination architecture for the government. And it really directs a couple of things, or really three things that I think of. One, it says that at the field level, make sure you're actually coordinating the agencies that have people deployed in the field.
Make sure that you're actually coordinating with the affected entity so that you don't have 16 different federal agencies all showing up knocking on the door saying, "Hi, we're here from the federal government, we're here to help." So it looks like we're actually coordinated at the field level. At the national level, it really directs two things. One is it says, agencies, if you participate in cyber incident response, you need to have a surge capacity. You need to be ready to have the ability to surge additional resources and assets into place. And we call those the enhanced coordination procedures. Make sure that you have that ready to go. And then the other thing it does at the national, sort of headquarters, level, and we're going to borrow this concept from the physical response world (thanks, dad), is called the UCG, the Unified Coordination Group. That's how we're going to make sure that the activities occurring at DHS, the FBI, Energy and other places are coordinated when we're actually dealing with a significant cyber incident. And then it reaffirms the role of an NSC-chaired body called the Cyber Response Group at the national policy level to connect in and oversee the coordination of the response to significant cyber incidents at the national level. And that's really the machinery. And then I should say within that, the CRG is the plug into the, and so then, what are we going to do about this significant cyber incident more globally in the long term? Once we've identified the threat actors, if we can, what is going to be our broader response to that? And that's the responsibility of the CRG: to plug into the broader federal government policy process to arrive at those conclusions. So of course no presidential policy document would be complete without a list of additional things to do at the back. And that is where you see the taskings that come out of that, that will be generating quite a great deal of workload for us over the next months.
But including, we now have to figure out how to implement this. What does that mean? We need to work out the concept of operations for how a UCG is going to actually operate, and these folks can talk about that. We have some lessons from the physical world, but of course cyber doesn't exactly work that way, so we have some new things to work out. We need to update the National Cyber Incident Response Plan. That's where you come in. We need your input in particular into that, because that is where you will be able to plug in, especially. We need to, for example, move out with the exercise programs that Ann talked about. We need to update the charter for the CRG. We've got homework assigned to even the 2346r7b rc. I wasn't successful in pushing that out. We've got a lot of work to do ahead of us. I really think this policy has come out now because this is the right point where we have amassed enough lessons learned that we can actually codify a cogent policy that really reflects all of the lessons that we've learned. It still gives us enough time to finish out the implementation before this administration is done. So with that, let me turn it over to some of my colleagues to step through some of their specific points. Andy, if you want to start on the asset response side.

Andy: Sure. So I want to highlight that when we're talking about this PPD implementation of the three lines of effort, we are talking about significant cyber incidents, as Michael noted. I will speak today about DHS's role. I'll note that DHS has two organizations that participate in threat response. That's ICE, Homeland Security Investigations, and the Secret Service. But I want to talk about my organization and the asset response side. I'll note though that as we do that, our sector-specific agencies are key partners, and we have representatives from two, the Department of Energy and Treasury, here today. So they will be chiming in about their role.
So I like to think about a significant cyber incident as being equivalent to an arson in the real world. If you have an arson in the real world and just the firefighters showed up, you would kind of wonder who was going to catch the arsonist. Or if just the police showed up, you would kind of like some help putting out the fire. So you've got to have both. You've got to have both police and firefighters in an arson. The firefighter is the role that DHS and the NCCIC bring on the asset response side. I will note that, obviously leaving the analogy somewhat, both of these two, threat response and asset response, are really hugely fueled and empowered by the intelligence role that Tanya will speak about later. But for a private sector victim, you aren't going to see the intelligence role so much. You are going to see the threat and asset response. So I'm going to focus on those from your perspective. So you have your arson, you have the firefighter and the police there, the threat responders as the police, if you will. What is the firefighter doing? The firefighter, to leave our analogy, is going to help you find the bad guy, clean up the mess, figure out what they did to you, and what you can do to improve your security so that this doesn't happen again. And kicking off the bad guy is no small matter. It usually will take a combined effort of the threat response, intelligence response and asset response to effectively kick the bad guy off your network. Now, in addition to helping you improve your security after the fact, part of our job is to take what we learned from helping you and distribute it to others in the private sector and government to help them protect themselves. So asset response is both about helping the victim clean up after the incident, kick the bad guy off, and be more secure, but also helping other people not become victims. Spreading awareness of what happens so others can defend themselves.
Let me talk a little bit about the role we are playing in what I think of as tactical asset respon
