CSPAN National Cyber Director On WH Cybersecurity Policy October 28, 2022

Ok. That is the sign. Good morning and welcome to CSIS. A year ago roughly we had Chris Inglis and Anne Neuberger here. But if you talk recently about the National Security strategy, we will talk about a lot of the opportunities in front of us, so I appreciate you both taking the time to do this. Thank you. We will have the ability in the final 10 or 15 minutes to ask questions. There is a button somewhere on the screen online where you can submit a question. We'll see what you can do. What usually happens is in the last 90 seconds we have questions. Do not wait. Do it first. Let me start by asking you both where you think we are. It has been a year of some progress, but where do you think we are on cybersecurity?

Anne: I'm happy to start. Hopefully we are on the same page so we will finish each other's sentences here. The threat in cyberspace continues to rapidly advance. We live in such a digitized society and the more connected it becomes in our personal data, from a national perspective and critical services. The more opportunity there is from countries to criminals, delivered state connection. We used to be concerned about collecting intelligence. Our concerns have evolved and we are most concerned about degradation or disruption of critical services. Over the last year we took that on in three moves or more. We are happy to talk about more and to focus on security as a critical thing in this country. But Texas Services that could bring hazards to justice from providers of support for chemicals, to hospitals, and focusing on putting in place security requirements to have confidence of what security is in this sector. So that focus on critical infrastructure has been one. And a shout out to the agencies who have led that before now. The second recognition is that cybersecurity is a global fight and we want to be arm in arm with partners and allies around the world.
There are coalitions to tackle things like ransomware, working with countries who we see compromises of, setting standards for critical infrastructure, for example, so the countries around the world get one voice from various governments. And finally, emerging technology, saying wouldn't it be wonderful to be secure by design? We are looking at areas from digital assets to photography, doing that from the ground up so that we give our successors potentially an easier fica the one we are in.

Chris: I would say ditto. There is a focus on telecom. How we live are not just critical functions but the confidence that those critical functions will deliver for our that has been our relentless focus. There are two things that have driven the focus on the means by which we do that. The first is resilience by design. Today or a year ago the focus oftentimes was on operational response. We responded well about a year ago, but we responded that we, time after time, we just lose more slowly. You need to push responsibility for building resilience by design to the technology, the roles and responsibilities. And hopefully we avoid those events or we are in a place where we can fix it at the earliest moment, to focus on how we have the responsibility is not just within the federal government but in state and local levels and across the private sector. Want to make sure that people are up to speed. Hosted a conference at the White House in July this year where we could focus on those people and make sure that every person who uses cyberspace has enough information and knowledge and that intuitive and convenience that they can exercise their operations in cyberspace without worrying about that. We don't want them to obsess about threats, we want them to obsess about their aspirations.
If we do those things cannot we get the roles and responsibilities right and we get the people in the right place, what are the attributes of technology and leadership? In 2021, delivered in May, it was a watershed moment to make the commitment to get the technology architecture right. But on top of that, the other architecture is four years old. But how do we make it safe and our expectations of it? Last I would say is to get the resilience by design right, happens on top of that, they have to walk away from the idea that we can do that by division sectors. We have to have collaboration, discuss things together, mitigate and deal with situations that they have to be old beat all of us to be one of us. That has been in many examples over the last year, like the Ukrainian crisis. The underpinning architecture, resilience by design, has a high leverage effect in their ability to protect it. There is a defense between the private sector and governments, plural, will hold its own against numerically and sometimes technologically superior threats. We need to focus on that to hold our own and achieve this.

One of the things that impressed me in not necessarily a good rant was the willingness of you guys to take on one of the biggest problems. That is that we build infrastructure and internet based on touch regulation, voluntary efforts. Do people in your audience know what the shrinkwrap is, you remove the shrinkwrap and all liability transfers to you. This is a sector that is very different from others. You have been more than middling at the attitude. I say interest because it is a big bet. You intend to change the market. It is an open question but we can look at specifics. Talked about the regulatory, security and IoT, I want to go back to the standards. A pet project of mine. What are you thinking in terms of shifting us away from the 1990s approach to how we govern cyberspace? What are the tools and policies he will pursue?
Chris: With all respect, we have done this before. We addressed the safety of transportation systems, whether it was the devices, automobiles and airplanes, or the systems to convey themselves one place to another. The manufacturers and their suppliers, there was discussion about safety precautions and safety features built in. You might remember the day we started scratching into the walls and competing with those factors. You get to a point that what remains in terms of the features that must exist in order to guarantee the confidence and safe use of the systems has to be specified. I don't think it is not as much is the inevitable truth. We need to provide the lightest possible touch to provide those discretionary features. The good news is there is a huge degree of collaborative effort not just across federal bureaucracy and the states but across the private sector. When you talk to leaders, the technologists, individuals in the board rooms, acknowledge that resilience has to be built within the systems. There are discussions about the degree to which we assign responsibility. Everyone agrees, I think, that the first and last line of defense cannot be the user at the end of the chain. We have to push that.

Anne: Building on his comments, I think there are three areas that are really guiding our approach to this. The three key areas that I think are at the root of the failure in cybersecurity he was describing. First, visibility. When someone is making purchase decisions for tech, other consumers buying a PC or the power demand on a center, they have no way of knowing what is the security of this device? The second is what makes a difference? What kinds of security features actually drive down risk? I will talk more about that. And the third, it is not correct to treat everybody and everything as the same, there is a spectrum of risk and we need to ensure that the security requirements match the risk in that area. First, visibility.
At the root, the internet efforts in the spring, where we hosted an event at the White House a couple weeks ago, it is saying the data shows that consumers are willing to pay more for security. They value security but they can't make a decision when they are buying. Kind of like, I am a New Yorker. Think about the restaurants in New York, having to do the ABCD rating in the front window. That helps the customer rapidly decide where am I going? A lot of this has a C rating. Great work has been done across the tech industry. I want to shout out to the director and her team who has been thinking through how to make this real. That is the first. On the second, what makes a difference? The National Security memorandum a year ago task does to create performance controls. That was under the great leadership, that will not just last week. That mold out what will impact security. And finally, what is the spectrum of risk? Clearly, and here I'm going to highlight the administrative TSA and the tremendous leadership he has done. He uses security directives to improve the security, oil and gas pipelines and more. They started by saying who are the critical providers in this sector? The 57 entities. And start with them who are highest risk because they transport hazardous materials, the largest in the country, and those three things, giving visibility so people can make the choices they want to make but don't have the data for, they can get easier by saying here are the standard controls we are bringing for you and finally the leadership of key lead agencies for the sector, saying not everybody in the sector is even equal. We will start with the highest risk.

Chris: I think we agree on one thing more, there are distinguished, differentiated attributes in the sectors. But it will be well realized there are some entities in this ecosystem that operate in many of them.
We need to make sure that we harmonize these regulations and expectations even within some sectors, multiple state and international organizations that weigh in and the expectations in the form of reporting requirements or regulations about the attributes and the architecture they've built, and we need to make sure that we rationalize that so again we specify what is necessary with the lightest possible touch so that innovation and capacity generation can continue. So it is great for the last 40 and 50 years.

You talk about regulation and there needs to be a third rail. Let's talk a little about that. Later I will tease you about voluntary digital entities. But what are you envisioning when you say regulation? Is it the sector specific approach we have been taking? How are we going to do this?

Anne: Rule number one, use what you have got because you can move fast in that way. Number two is one size does not fit all. In each sector, it is different. If you have a large system, the operational system, we are concerned about the larger risk. In his defense from those materials. Principle number one is to approach this by saying, what are the requirements? The standard is in place. And sector by sector, what is the additional we feel that. Energy, chemicals. They have the best understanding of their sector to design this, where there is a commonality, they learn from each other and the distinct differences to address the core risk there.

Chris: The word regulation or the report has a sense of burden. Someone is about to require a burden, bear some penalty or cost. We seldom think about what is the more important feature, which is who are the beneficiaries? I think Congress has been saying in the reporting law, they were careful about spending and the beneficiaries and left some liability in the report. The two will not be held accountable under compliance. But if she areas in all of these are intended to be the ultimate users in this ecosystem.
So they can have confidence that the critical functions that they use to conduct their daily lives will work as advertised. They have every confidence in the world and when we, that's when we flip the switch it will come on. That benefit is often looked at as not in the conversation we talk about how best we can deliver that confidence. There needs to be expectations across their. Users participate in his or her focus and we hold our citizens accountable to not drink and drive, to not text while they drive. There is an equivalent in cyberspace. But they alone seem to be bearing the entire burden. So the beneficiaries, they can process profit.

The light switch analogy made me think about cloud computing and third-party services. Which is sort of how you began your tenure with a welcome presence from our Russian friends. They have been doing it for a while. There's actually some retro session. They are moving away from using the cloud, which is a mistake. It is a contentious issue. What do you think about securing the cloud and how do you think about where this fits into a larger federal IT ecosystem?

Chris: The cloud, it's an important commodity going forward. It is. We have to make sure it is resilient by design. Let me use a rough analogy. When you have this, you have an expectation you don't have to go to a separate showroom to argue what security features you will be paying for. We don't do that with cars. When you buy a car, it comes with a seatbelt and brakes built in. We need to treat the cloud the same way. There is a willingness that exists within the space where that is happening naturally. The need to make sure that those critical services, that the commodity can deliver the goods. So we will ensure that the specifications about what is not discretionary, what must be in there, is in there.
The economy to scale, I think we will make it economically viable and at the end of the day, for all of the users and not just the federal government, something that is well worth it.

Anne: This move to the cloud is far easier. Large enterprises, private or government, have thousands of devices they have to manage, maintain. So moving to the cloud first from a security perspective and also use of tech, there is a sense of paying for what you use versus what is in every desktop. Moving to the cloud does make it easier. But as he mentioned, the move itself, unless the cloud is properly administered for security, one does not get the full security benefit. For too long, cloud providers said it is up to the customer. The argument we have been making is to say that works in that environment. A chip has one company, operations and another, cloud providers, that is the place to draw the accountability we are talking about. If you are a provider in tech, you are responsible for providing a baseline of security in that tech. You may have some customers who have higher security requirements and they will use encryption because they don't want to use commercial encryption. That is a baseline. But it is on the customer. We think it is fundamentally false. This is the place to shift the responsibility. You talked about it in your example a moment ago, to the provider. Delivering a service and a secure service.

Chris: I agree with that. One thing we have not spoken to is the high degree of conversation required to get this right. I remember an earlier engagement I had in my tenure talking to a major manufacturer of software that we were talking to. They said I love this newfound ability to collaborate with you, to answer your questions. He said what will be better is if you let me nominate some of the questions. He was right. We need to make sure this consultation helps us identify it through the lens they enjoy, when the innovation and generation takes place, it is the same.
How do we understand the right goals, degree of consultation is taking place, where a government that will act on behalf of the citizens and consultation with those folks who have 90 of the work before them will be necessary to understand a request and get those questions out.

I think we are in a process of evolution from the old high-risk space to a more mature one where it is treated more like other industries. That is a good thing but also challenging. So I give you credit for tackling it. I agree we will probably be there. But a couple of issues have come up. If everyone in the room has been following cybersecurity for a while, we see remakes of ideas, let me go over a couple. You talked about using insurance. The very first event I did on cybersecurity 20 years ago, moves about, was about how insurance would drive us to secure networks. I'm still waiting. [laughter]

Chris: It was not a good idea then and it is not a good idea now.

So hard on me. [laughter] But maybe we will ensure there are a couple of things. The first is the moral hazard and the second is the tendency of some companies to declare it as an act of war. It is often a state actor who is responsible and therefore they are excused. And we would only insure for catastrophic events. I'm not quite sure what a catastrophe in cyberspace would look like. Maybe you could just touch on where do you think the insurance avenue will lead us if we pursue it?

Chris: Let's step back for a minute and be agnostic of what we would imply, the insurance. Let's think about what insurance typically does. It is not just transfer risk from party A to party B. It differentiates between risk and addresses that risk by imposing expectations about how it becomes a good risk so they can in fact have rates that are preferable, technology that drives those rates. It is upon the practice that essentially gets everyone to a better place. So they can raise most if not all. Now how does that work in the cyber marketplace?
There is no expectation people are going to buy it so there is no diversified risk. There's not enough information to do the actuarial analysis because of sector one. And they can assess and address that risk. Three, a high degree of hazard in that space that often goes to the darkest possible corner of the road and risk. Four, it is not in the tort industries that you can for yourself into that and say I can help you apply that risk down by doing the equivalent of smoke alarms or fire detectors, or fire retardant materials. All those are within the realm of possibility for cyber, weaved is not organized it. And achieved the beneficial effects. It could be viable but we have not taken care of the underpinnings to make it such. The government and the private sector together can consider how to create a viable insurance marketplace. Not to transfer risk, but to achieve the proposition.

Anne: To add to that, why you are right 20 years ago. Why we are still thinking about insurance at the top. One is my husband and I bought a 100-year-old home. We could not get home insurance without putting in place a smoke alarm. Because of the idea that you can't detect a threat, it will lead to this. Second, when our teenage son joined our family car insurance, you will know what the impact of that was. Because the data shows what teenage boys do. Or potentially could do. Insurance has the opportunity to incentivize good and punish negligence. Incentivize the good. So we now have a good understanding of which practices drive down security risk. Insurance can say put those practices in place, your premium price will change. Or have a look and say, were you the entity doing those best practices, and if you were, we will treat you differently. So that opportunity to incentivize