Who should be executed. Want to look at all the facts around the issue. The part that struck me: we spent 18 million or 19 million in all the appeals and legal issues, capital punishment trial, until you get to the point of execution. That is not that different from many states. Life in prison without parole is a couple of million dollars. Dramatically cheaper. There is no deterrent value. Texas celebrated their 500th execution. They don't have a lower level of homicides, no lower rate of mass murders than the states that got rid of the death penalty. The families were split. Some of the families desperately want this perpetrator to be executed. But some of the other families, largely Christian families that feel that the New Testament in the Bible is really about redemption and forgiveness, and if you execute this person it denies them the ability to keep working towards forgiveness. They really did not want an execution. That's not unusual. For not making all the family members of victims find closure, if it costs 10 times more money and is no deterrent, it makes you wonder why we are still having capital punishment. It begins to illuminate why there is no country in Europe that still has capital punishment. Outside of Guatemala, there is no other country in this hemisphere that does capital punishment. Australia, New Zealand, Israel have gotten rid of capital punishment. The real focus with this specific incident was that the kid was clearly bipolar and refocus executing someone with that kind of a disability was not in the spirit of what was intended.
Host: And yet you pay the political price, at least in the polls.
Guest: Sure. I paid a bigger political price for the gun safety issues and the universal background checks, which became very heated.
When you have over 3000 people who are convicted or accused of violent crimes trying to buy guns and you stop them from getting guns, that is something you're going to support. Whether it is capital punishment, universal background checks, at some point, you just have to make sure you try to get people to hear the facts. When I go down the list of universal background checks and why we should expand it to all the gun purchases, Republicans and Democrats, most of them say, I didn't know that. When I talk about how much money it costs for capital punishment and how there is no deterrence and it does not bring closure to the families of victims, people come back and say, that changes the way I think.
Host: John Hickenlooper is joining us from Milwaukee, where the NGA summer meeting is gathering. Tomorrow, we will talk with Michael Harpster. He is with the FBI unit talking about child prostitution around the country. Then tough insurance rates with Kaiser Health News and senior correspondent Phil Galewitz. And we are heading now live to Milwaukee for the final day of the National Governors Association meeting, which will be getting underway shortly. It is expected to start any moment now. The chair of this year's hearing l. Governor Markell the next session that they will be dealing with is the closing session, the state and cybersecurity. The Washington Post talks about why waiting for Congress to fix cybersecurity is a waste of time, by Brian Fung. It says that the Commerce Committee approved a version of the cybersecurity bill that now heads to the Senate floor. But the bill is a sign of how timid lawmakers have become on the issue compared to previous attempts. As the just watch governors gather and assemble here and their staff and get ready to start that session on cybersecurity.
Most significant vulnerabilities, leaving personal information, intellectual property, and critical infrastructure like in the electric grid all at risk from malware to spyware to distributed denial of service to phishing to intrusion to industrial insurance systems are growing in number and in sophistication. As we have heard from many different security experts, unless we really improve our country's cybersecurity infrastructure, the question is not if but when. Not if but when there will be some major devastating coordinated cyber attack. Some cyber attacks have been nuisances while others have been massive theft. While there have been significant levels at the federal level to protect the government domains, the role of the states and the role of governors have not been explored as much. The question is what action should we be taking to protect state-owned critical systems, and how can states partner with the private sector, owner operators of infrastructure, what are the components and the risk landscape? These are just a few of the questions we have to consider. We have invited Matt Devost, a national security expert who specializes in cybersecurity, counterterrorism, infrastructure protection, and intelligent with risk management district. He is probably the president and CEO of FusionX LLC, which is a cybersecurity firm. He has been an adjunct professional at Georgetown University since 2002. He teaches the flagship course, warfare and security. I ask you to join me in welcoming him now. [applause]
I'm going to bring my water because I just spent the last week at the Black Hat security conference in Las Vegas. So I'm suffering from a little bit of Vegas voice here. I'm not here to talk about threats, although I threw this slide on here to help you understand the activist organizations, you will obviously be missing the boat.
The level of that view from the threat actors in cyberspace is greater than it seems on the course of the past 20 years. This is an initiative that I have been working on. I was on one of the first cyber state responses at the national government level. What we see now in the private sector, the state-sponsored attacks are no less. You should be scared at this point. I will talk about putting that threat in context and some of the themes around managing cybersecurity. Although we had a picture that I just showed you with all those different types of threats, you have to put that in context with regards to what threats will be targeting you and, more specifically, what threats will be targeting what resources within your organization. So I will talk about those themes and themes of management and incident response and others. And thinking about what is your most likely attacker. If you think about it from a state perspective, is it a nation-state? Is it an activist organization? Is it an insider that is disgruntled? If we are going to put these issues in the context of risk management, which at the end of the day is what this is about, you have to spend some time thinking about what is your most likely attacker? Even then, what is that attacker likely to target? One of the greatest issues I see is that we try to apply all threats to all problems. We try to say that all data is critical within an organization. And really, to manage this issue properly, we have to be beyond that and put it in a framework that we can understand and manage. The threat and impact, looking at the impact of the particular attacks should also drive the resources. Would it be a catastrophic impact because it is targeting a critical architecture? Or is it an embarrassment to the organization based on data being released or sensitive information being released? Do this without thinking about the impact of these attacks.
The third kind of critical component is thinking about vulnerabilities. The vulnerability impairment is something that needs to be managed with regards to what systems are in use, how they are used and what is the vulnerability profile. When we look at the attacks that take place, even with the most sophisticated of the state-sponsored attacks, they don't have to bring their A game because we let them use their B and C teams. We need to do a better job in understanding those vulnerabilities so we raise the bar, and attackers are resource constrained just like we are. So we will increase the cost of the attacker and they can attack less. As a result, we get some inherent additional security. And make it about protecting the most important systems. One of the greatest mistakes we often see is that we will sit down with an organization and say what is important and they say everything is important. You can't manage an environment where everything is deemed as important. You have to make a decision. You have to govern this issue just as you would govern other types of issues. So if you sit down and say, we have the detects of data or types of system, how many of them fall in the bullseye of what is critical? And have you gone through the process of identifying what these data sets are, what the systems are and then either critical or not? Customers have had in excess of 50 different types of data. When you ask the individual players, they throw most everything in the bullseye. Then towards the end of the cycle, when we have actually gone through the process, there might be three or four systems that are in that bullseye. Afford the greatest level of protection, the greatest level of monitoring. Those are the systems that you're trying to protect from having a critical incident or having the data be released. But you have to go through the process to understand that. Otherwise, you're trying to manage everything out of context.
Just to put it in a scene that might be a little more understandable, I chose this picture based on the security profile that we see here. Because of the criticality of that position, we afford that level of protection. But what if we try to do that for every member of Congress or their staff? We would be resource constrained and we would be able to do it. It is the same thing in cyberspace. It is about making critical decisions and identifying those points that will be the highest threat, the highest impact are the most critical in the organization. Unfortunately, the model right now in a lot of organizations is we try to do this with every single use of data and to make future to protect everything, you do not protect anything at all. Examples include critical infrastructure. We hear a lot in the press about theft of intellectual property within an organization. That is a key issue. But even more so of concern to me, based on my years of looking at these issues, is critical infrastructure. Being able to degrade infrastructure. And all infrastructure now, if it is critical, depends on computer systems and networks for the operation of that infrastructure. I do not know of any infrastructure, and I will welcome one if you have it in your state, that does not have a network technology or bypass in some capacity. A blended threat where they can increase the impact of a conventional attack, like terrorism, by using a cyber attack in parallel with it. So making sure that critical communications will be there and the ability to respond. Citizen and personal data is obviously a big issue and a high profile one, because it tends to attract a lot of headlines. It impacts citizens at all levels. You talk to them about critical infrastructure, they may not understand that, but if you talk to them about losing their Social Security number, then deficit in a personal context.
And then financial transactions and data. We see all of the discussion in the press from state-sponsored attacks and stealing intellectual property, but as much activity as there is in that environment, there is also criminal activity that takes place and there are actors who are making hundreds of millions if not billions of dollars engaging in cyber crime. If you have financial transactions and financial resources that are available, those attackers will be targeting the systems as well. Another key point that has really emerged over the past several years, or has been driven home by the recent attacks over the past three to five years, is that we have to shift away from a perimeter security mentality. We have been told for 20 years that security was about protecting the perimeter, to put in a framework that we understood. To protect the persons in this room, we put yours on the outside. But the reality is that, in cyberspace, perimeter security has been broken and will continue to be broken. So we have to think in terms of cyber attackers being able to get internal information. The key is what will be the impact of the successful breach and how do you manage that when that takes place. The organization is at risk. If that puts the defense in context again of the critical data, if I can have the perimeter-based mentality keep everybody on the outside, how do I protect the information on the internal network? What technology should I implement? They are looking for that silver bullet. There's no silver bullets in the space as well. There are enabling technologies that support increasing technology. But there is no one technology or a grouping of technologies that will solve this problem for you. It really is about management at a higher level.
But there are these things that I call silver concepts that can guide the discussion. Organizations don't have accurate technology of what operating systems they are running or what their vulnerability profile is. So there's a lot that they can do to raise their self-awareness, raise their security profile. Pound for pound, especially against a lot of the attacks that we are seeing now, spear phishing and the like, I think you get more value out of training and awareness programs than you do out of anything else. If employees make fewer mistakes, it introduces less risk into your environment. Mitigation and management, not only of security in general, the mitigation of attacks as they take place. How do you respond? How do you measure your response? If you keep having attacks over and over again, how do you know you're getting better? Threat intelligence and information sharing, we have gotten better at this. But the issue is that a lot of fact that a breach took place is treated as sensitive information and we are not sharing. That means we are also not sharing what the attackers did. The tactics, techniques and their procedures are not being shared. We have to be better at sharing that data because it helps enable all of the organizations. I worked with 70 companies and see the attacks are taking place across all 70 companies. Best practices that are being put in place to mitigate those can serve as a conduit for sharing that information.
Any the same types of mechanisms as well amongst your organizations and with private sector partners and with the federal government. Training and awareness, we mentioned, again, pound for pound, raising awareness of what spear phishing is. This was an email message that I received from a colleague at Georgetown, a very famous counterterrorism expert, asking me for feedback on a particular project he was working on. The problem was that the message didn't come from him. And the spreadsheet, if I had opened it, would have allowed an external attacker to take control of my computer. I didn't click on the attachment because I have a high level of awareness to be suspicious. Bruce never mentioned this project to me. He usually does not interact with me over email. It is usually in person or over the phone. So there were things that were interesting. When I hovered over the from address, it was pretending to be his personal email address at Yahoo. But if I looked at my address book, it was one character off from his email address. So they spoofed and did a good job. But there were several warning signs. You can train employees on these things. You can train them on how to particular confirmation and have better behavior associated with the use of technology. I throw this up as the metrics that we use with talking to boards of directors and CEOs. I know a lot of you have private sector experience to recognize if I walk into a board of directors and say that their profile is currently negligent. Working you draw the line of to establishing best practices? A large majority never get to best practices. They want to have a diligent profile. They're putting the right programs in place, the right reduction strategies in place to have shown that they are exercising due care. It's about protection as well. You have to deal with incidents.
We will always stop the bad guys and i any program in place for dealing with the consequences of a successful attack. You have to have programs to do the fact that there will be breaches and deal with them. How efficient was your response?