Transcripts for CSPAN Key Capitol Hill Hearings, 2016-08-14

CSPAN Key Capitol Hill Hearings August 14, 2016

If someone does go into the content management system and grabs a document, which they have access to, which is fine, and they turn around and email it to a friend, or in turn they get hacked at their computer and they lose that document, it's gone. Bye-bye. But if it's encrypted, you can still have an encrypted document sitting in the content management system; that's fine, that can operate. It's just an encrypted blob. Looks like a PDF. Take it out, send it to their friends. They go to open it, they have to try to decrypt that document at the application, and so they're going to have to try to authenticate. That's about keeping secrets: keeping your documents and your data secret.

Integrity, I love that one. No one ever talks about it. Digital signatures are one of the greatest things ever. We use them every day; we don't even realize it. We use them when we go to a website that has HTTPS. How do you know you're going to your bank's website? Do you trust that little URL you typed in? No, you see the lock. That's backed by a certificate. You check on the integrity and the authenticity of where that came from. It's a visual signature. How do you know to run some code on your computer? If it isn't digitally signed, you get a little warning: this code is coming from an unknown source. OK, so what do you get from a digital signature? Integrity and authenticity. Who is it from, who's the originator, has it been altered in transit. You can do this on documents as well. If I get a PDF, it's almost the same concept as going to an HTTPS website. I can see who the document came from, who signed it, and if anything has been altered on the way. If someone changes one pixel on that PDF, it will break that digital signature and it will have a big red X on it. Who's using this today? What's a good place for it?
The transcript. That's a nice thing to be able to say: hm, my electronic transcript, I didn't like this, going to change it, excellent, send it off to my employer or my potential employer. So schools like Stanford are starting to digitally sign their transcripts before they release them. That's pretty good. As an employer, I can now see that the transcript came from Stanford University, and if someone tried to alter that, it would give me a red X; but I get a nice blue ribbon that says this thing has not been altered since it was signed. The Government Publishing Office, they changed their name; they used to be the Government Printing Office because they printed everything on paper. They've moved to electronic delivery, so it's the Government Publishing Office now. Great, good marketing. But they sign their documents. The budget, for instance. That's the electronic signature log; the stats are up there because it's cool. Imagine getting a budget with changed values on it. My friend from Cloudflare, who is busy on his phone, but he set me up for this, thank you. Oh, you're recording. Oh, you're tweeting me. Wow. [laughter] I've never been tweeted. Cool. That's digital signatures. Again, more about integrity. You also get authenticity of documents. Confidentiality: we're talking about data-centric security solutions. We've had the fallback of additional layers of security; we can put security mitigations on the data itself, we can encrypt it with DRM, we can monitor it and analyze it with our analytics engines. And then we can also protect things like the integrity of our data. I've blathered on enough. I'm going to throw up some security URLs you might be interested in. Am I allowed to take questions? Really? Absolutely, yeah.

Mr. Gottwals: Are there any questions? Chickens. Come on. Nothing. All right. All right. Thank you. [applause] A shy group.

Mr. Gottwals: Yes.
Now it's my pleasure to introduce our esteemed panel. Frank, why don't you just have everyone come up with you for the panel. I think we have two panels right there. While they're doing that, I am going to introduce them. On our panel we have Marianne, the Principal Director and CIO for Cybersecurity at the Department of Defense, and Cheryl, Chief Information Security Officer at the Central Intelligence Agency. Moderating today's event is Frank Konkel. I also want to take this opportunity to thank you all for attending today, to thank our speakers, and also Adobe for their gracious support of events like today's.

Frank: That sounds better. All right. So I will introduce our panelists quickly, although Connie just did. You guys can talk about yourselves just a little bit before we get started. Tell us about your jobs. Cheryl, we'll start with you.

Cheryl: I'm the Chief Information Security Officer at CIA. All of our systems get looked at centrally. Before that I actually spent quite a bit of time in the IC CIO over at the DNI. Marianne and I worked together rather closely throughout that time. We've known each other for 15 years. It's a small community, although I think we're trying to grow it.

Frank: I'm the third wheel. Worst Tinder date ever. Third wheel. Marianne, tell us about yourself.

Marianne: I'm in a joint duty assignment in the Pentagon. I'm an NSA employee; I've been there for 30-some-plus years. Interesting, and it makes me realize how long I've been there: I had a group of young co-ops come in the other day, come into the Pentagon from NSA, and they asked me if I'd come talk to them. One of the last questions they asked me was, how long have you been at NSA? I'm like, longer than any of you have been alive.
Marianne: Really looking across the whole Department of Defense, which is a huge landscape, at all the cybersecurity activities that we're undertaking and how we make progress in this area.

Frank: I think Trevor did a pretty good job earlier discussing what happened last year. It wasn't the best summer for the federal government in cybersecurity. I think he covered the civilian side quite well. I think this panel will get into how the DoD and IC have been affected. When we were on a call (we always do little calls to make sure I don't ask anything too outlandish, especially to our IC folks), we talked about what you guys just got done doing, which was the legwork of sending out the letters to people who had been affected. So, with that in mind, what's been the impact broadly since then?

Cheryl: It was a monumental activity.

Marianne: Not just the letters. The letters were a monumental activity. One of the things we learned from it, especially at the senior leadership level, and at everybody's level, is that there are systems and data that we didn't pay enough attention to, that we probably wouldn't have considered mission-critical data, that impacted us so broadly, as in the OPM breach. Huge impact. We finished mailing (we're going to have a party) 21.4 million letters. Of those, two million got a return to sender. So then we had to go find correct addresses. Until you go through something like this, you do not understand the undertaking of all the facets of everything that was involved in that type of a breach. I met with more privacy lawyers than I knew existed. We were actually going through things for the first time. We had a lot of help from the White House because they certainly wanted the situation handled in a certain way. A lot of political help, and just kind of a lesson learned for all of us.
I don't know if you guys know, but as a result of that whole thing, Congress decided that the Department of Defense would run the IT for the clearance process system in the future. We're in the process now, working very closely with OPM and making sure the current system is secure enough, and at the same time we're working very closely with them to make sure we develop a new system.

Frank: I didn't realize the IC had been impacted differently by the OPM breach than your standard DoD person with a clearance. How was it for you guys?

Cheryl: That's both true and not true. For our agency, we were probably not impacted quite as heavily as most of the rest of the government with clearances, or whose information is regularly processed through OPM. We do our own clearances, but we also hire from outside. We do have people who were involved and got letters because their previous employment might have been in DoD. Remember, a good chunk of the IC is actually DoD and goes through that same clearance process.

Frank: You wouldn't have gotten a letter.

Marianne: I did not get a letter.

Cheryl: I did, as well as my husband and children. We had a lot of people who did get letters and who were upset. We still worry about it. We have to worry about it. But as Marianne said, one of the best things that came out of this, and there's always a silver lining in every one of these bad things that happens, terrible to say, but none of us were as aware of what data was being processed in OPM and what data was potentially accessible via internet connectivity until this happened. And it's much more extensive than any of us thought. So the good news is, a lot of attention and focus was paid on this, and we think we are on a path to improve the protections around that level of information in the future.
Marianne: Also, what other missions do we have that retain privacy data, medical systems, all those kinds of things, and what are they doing with it and how are they protecting it, right? Where else do we have this kind of data, who has it, how are they holding it, what are they doing with it.

Frank: That concludes the negative Nancy portion of our panel where we talk about the bad stuff. [laughter] Now let's get a little bit more forward-thinking. I want to start with you, Marianne, on the DoD cyber strategy that came out last April. You have a lot of roles in that. There's a lot we can dive into with it. But let's just go broadly to begin with, on what DoD's doing, and then we'll get to some of your specific duties with that, because you have a lot of roles you have to do.

Marianne: The second DoD cyber strategy is very encompassing. I'm focused on the cybersecurity aspects of it. After he released the cyber strategy, the department released the cyber implementation plan, which goes through all the facets. It would have cyber ops and cyber defense. We have the cybersecurity implementation plan. About a year ago, a year and a half ago, we made a very concerted effort that we were going to focus on the basics. There's a million things you can do in cybersecurity, and we decided we were going to do basically a back-to-basics campaign, because we looked at the intrusions, any successful intrusions we'd had in the last year or year and a half, and probably 98 percent of them were due to something simple and trivial that somebody knew they should have done but that wasn't implemented. So we went back to coming up with kind of a top 10 list. We pushed that out, and so we have been marching down that path. I can talk, I mean, do you want to ask me questions or keep talking about it?

Frank: You can keep talking. I have a few questions.
The one aspect, when Trevor was talking about accountability and following up on this stuff: I wanted the scorecard part in particular. That's new and important.

Marianne: All of these top 10 things, there have been formal military orders that have gone out to do this stuff. So it's not like anybody should have been surprised by it. People weren't doing it because they have so many things to do. Obviously it didn't get prioritized high, along with all the other mission things they had to do. So what we decided to do was do a scorecard. That has been a tremendous amount of activity and effort on our part, but it has been pretty incredible, because nobody, I don't care how many stars you have on your shoulder, nobody likes a bad grade. Nobody. We started doing CIO meetings. We have them every single Friday. Every single one of the services, all their data rolls out. They have 10 scorecards for each service, and they have to sit in front of the DoD CIO and tell him why they have the numbers they have. Every user logs in with a PKI. Why don't you do that? What percentage is the Air Force? What percentage is the Navy? Everybody should be 100 percent. One of the other big pushes we have: Windows is a huge operating environment that we use in the department. Getting off of all that legacy stuff, especially for end-user machines, and moving to Windows 10. We have something that tracks that. External-facing web servers have to be behind the DMZ. All those things. Briefing that to the CIO once a week gets people's attention. The Secretary of Defense gets to see it. He gets a briefing on it once a month. Then they have a chat about it.

Frank: Are those chats usually positive or not so positive?

Marianne: For the Secretary, I think he thinks they're very positive, right?

Frank: I bet he does.
Marianne: What I've seen is, initially when we first started this, at the very senior level they really thought it was kind of at the commander's, the owner of the network's, level to worry about this stuff. They really didn't have visibility or have any idea how good or how bad they were. Very quickly we got into the thing where they need to care about this. When the Secretary of Defense is caring about it, your congressman is caring about it, we need to care about it. We've seen tremendous improvements. The accountability and that culture, we've been waiting for this our whole career: accountability and people caring at the very senior level about cybersecurity.

Frank: You've seen the DoD CIO speak before?

Marianne: I see it every day.

Frank: I feel like he's a pretty intense dude. He's right up in your face.

Marianne: Very, very smart person.

Frank: Let's switch gears. How about from your CIA perspective. What's changed since OPM, and then I want to get into how that's affected how the agency deals in cyber. First of all, I guess there were two questions there.

Cheryl: OPM didn't really cause major disruption or change at our agency. I'll just start with that. We spent the last year trying to get the definitive list of what might have been compromised from OPM that belonged to us. But as far as whether what happened at OPM absolutely changed the focus or direction of how we protect our agency's information or systems, absolutely not. We've been on that path for a long time.

Frank: Ahead of the game.

Cheryl: I don't know if I'd say ahead of the game. Aware of the issues. And I shouldn't say the bad word, it's not in my talking points, but we had Ames. We've been focused on insider threat and protecting the data for pretty much as long as I've been doing cybersecurity, and that's been quite a while.
Frank: Going through a strategy, five, six years ago now, you guys had a big move to cloud, which got a lot of headlines and attention over the years. What's changed within because of that? Has there been mutual learning between the cloud provider and you guys? Has it changed the way you do business internally at all?

Cheryl: ICITE and cloud have been significant changes for the entire IC and our agency in particular. We are the ones with the contract with Amazon, so we are responsible for the security of what is provided to the entire IC as far as hosting infrastructure. When Amazon came in, we started off with what we thought was still a very short timeline for approving its operation. When I say short: if you go back historically, big acquisitions like that and big services like that, you could see years being spent on analysis of the system. In our case, when Amazon really got everything in place and where they thought it was ready for us to make sure it was secure enough, we ended up with two months. In those two short months, we had the assessors across the IC working with us and working closely with Amazon. We may be one of the first that they actually opened up the hood for and let us see some of the inner workings, under specific disclosure agreements. I can't give you any detail on what we might have found. It was a really good learning experience. We got to understand all of what Amazon does to protect your information commercially, and our information internally. We also found a few things and gave them feedback on changes we would like them to make for us, and the good news is they took a lot of that to heart, so they implemented a lot of the changes they made for the Intelligence Community commercially, and you all are benefiting from that as well when you're using AWS hosting. It's been a great learning experience.
The other thing that's changed significantly as a result of ICITE and the cloud is the focus on, hey, you know what, I can spin up a cloud instance on the internet (I get this all the time) in two hours and I'm up and running and all my data's out there. I still can't meet that two-hour time frame to give you an approval to put a system out there. But we're under extreme pressure to enable mission to spin things up much more quickly, put things out there more quickly, and so, you talked a little earlier about that need to share, need to protect; we are focused on both. We're focused on trying to move at the speed of mission, and yet ensure that that mission information is adequately protected. It's been a great experience. One more thing about Amazon that we hadn't realized: people love that compute. You think about it more for analysis and for getting results quickly. From a cyber perspective, it's great. Because think about it. In the past, when we would tell people to audit, you'd see systems shutting down because they would fill up with audit information, and cyber people would get yelled at because that system doesn't work because we put too much security on it. Or we tell you to encrypt the data. Well, the time for encryption and decryption often makes the users too upset to use it because it takes too long. Now go into elastic compute. When
