vimarsana.com

Sources supposed consumers. This is about an hour. Expect complex. Thank you for coming up the first U.S. regulations were drafted when than a century on the 1820s the one I remember it was steamboat of the Coast Guard that led to the whole safety regulations we see now. Fifty years ago we entered a period of deregulation. We found the balanced approach looks at the burden on companies. Listed needs and safety and security. I got this from michael dan eichler to give him credit and avoids technology specifics as much as possible. That would be an ideal system living ahead. We are going to talk about the role that agencies play to help showcase the approach TSA has put forward. As a success story I would say of this administration and the other women. Talk about what DHS is doing started, how things have played along the way this is an exciting time for cyber security. You know you are a nerd when you say things like that. It is an exciting time. If I don't know when we the regulations that began in 1820s and there is a series of auto fields and telephones takes number 220 and 40 years to develop adequate regulations for new technology. We are in year 25 of the internet. One difference is unlike some of the previous efforts we have appointments or even eager to exploit things that we need unlocked and unopened. A different world. Our speakers today are well placed to discuss this further over their titles the full bio should be available on the website. Anne Neuberger, Deputy Assistant Secretary, Deputy National Security Advisor for cyber emerging technologies. It's Robert Silvers, Under Secretary of Homeland Security or strategy plans, a true veteran of Homeland Security. All security agencies in any case he's been a while. Finally David, the administrator of the Transportation Security Agency. Which is one of the sector agencies that really good work recently. I was kidding the former admiral in the Coast Guard. So we'll have time at the end for a few questions. 
Do not be shy, please write legibly on your card. With that let me turn to Anne. Thank you so much to be here. I was a great, such insights on cybersecurity is when thinking about new ideas is often where the first people we called to say what you think about x. As much as it sounds like the steamboat explosion in the 1830s which I will look into. Colonial Pipeline hack is a transformative moment for cybersecurity in the United States Americans from now on in the infrastructure we didn't have minimum require an infrastructure. It takes on this and the end of the story a moment because it occurred six months later. And we know there were attempts at legislation over the decade prior to require the water system. To put in place practices we have heard so many times. Consider, etc. The combination of what occurred in a sensitive intelligence and other critical infrastructure and be able to talk about the use of those emergency authorities. The way to bring in those companies and engage with them and they will talk more about the process and how it evolved and the visibility is providing not only regarding specific particular companies and across a given sector in reno the sector now for the first time there's visibility of resilience is appropriate to the threats we face. That model was then used sector by sector and I would like to show you this start, the master charge and calling out to the Security Council who has been driving this work across the agency and the agencies purchased. This captures the strategy drive minimum and what they rely on. For example, the authority in the industrial base and it was in place of this sector. The sectors identified that were largely unused authorities that could use and require minimum resilience. 
The middle areas require some level of rulemaking essentially looking at existing safety and applying federal security in the amount is applied to a water system and the safety applies to those digitals and the final column where there is no ability to impose minimum requirements and voluntary practices and you will see clearly the sectors like emergency sectors that are really a concern so I want to highlight the cross picture across all infrastructure in the United States and the first column where major progress has been made by the department of security and across the leadership in making movements as well as the water sector and justice. In the deeper dive on how this played out putting in places minimum resilience requirements for the sector. We distributed after the event so I can see people trying to take pictures of it and make it easier. You look at it and say oh my, there is a lot here. It's great to be here in great to see everybody and a lot of people have a webex and appreciate your comments in reference to this regulation what we are seeing and we have the advantage in TSA in a strong walk that gave authorities to require transportation entities to address threats we saw on an emergency basis and other times limited notice so we did, the Colonial occurring a little over two years ago, we have to think about it all that's happened in a relatively short period of time for the industry and the government and is not just TSA, as many ethnicities involved. Will we did initially was have the report in one of the first questions was how common is this attack in the pipeline sector? We didn't know because there was no reporting so the very first thing in the same month where this occurred was requiring reporting, we defined cyber laws. 
And we decided we would like to have it across commercial sectors relates the reporting go into this so forth by our directive and cyber security and infrastructure by design and the responsibility in real time transmit through on agencies of co sector so in the case of pipelines that was TSA in the pipeline has safety agency the Department of Transportation and others, Department of Energy and Department of Homeland Security and transportation have a key interest as well as Department of Defense to this reporting was very important something we modeled is withdrawn from the pipeline sector to the real sector in the aviation sector and it's proven his worth because we know the reporting present and everybody gets the same report so sound like a slightly different report or information can be different enough to cause confusion amongst the individuals receiving it. We required the companys. Of contact available to us so in the report we had someone to call to get information if necessary and often times it was two or three people which was very helpful and one thing we did july so may, we used the requirement in July very specific measures that we required companies in the pipeline sector to implement as quickly as possible and it's important to note when you issue this directive and every pipeline in the country but we looked at how the Department of Homeland Security insists and defines critical elements of the infrastructure sector which are more systemically critical with the operation of the sector and it was those owners and operators we chose to cover by security director. We issued the directive to fewer than 100 companies, very specific requirements the reaction from the pipeline industry, are you asking us to stop doing the things we are currently doing? This will require significant investment in probably a change of the core business process. 
We look at that and have a lot of back-and-forth with the industry representatives and a series of formal roundtable discussions in the span of a year, we issued the director in July and did a lot of work on the requirements put in place so improvement in the preparedness from the cybersecurity perspective but we did a complete did with the help of the industry and came up with a performance-based regulation basically rather than saying to do specific activities we outlined four key outcomes to achieve and then said here are the outcomes, who want you to come back within a short period of time and give an implementation plan tell us specifically what you do and what works for your business to be able to achieve the outcomes required. The outcomes were segments so think about that for a second, it was the lack of network segmentation and knowledge of the degree to which is segmented that caused the destruction we saw in May of 2021 so the first one was ensuring segmentations in these systems and the second was to put measures in place to achieve control of your critical systems. The third was to do continuous detection and monitoring put measures in place but if you're not monitoring costs to detect intrusions, it's not helpful and the last was the pipeline sector, it's critical to understand the technology, there are literally thousands in a pipeline and going across the country and many of these are controlled through electronics and many are not so the things said was need to give a prioritized plan established for patching systems and give that plan as part of your security so the industry has done an incredible job. From the agency for perspective, it helped in designing regulatory framework that I think works really well. Second, they invested a lot of money and time to be able to put first measures in place and to pivot to the performance based model. 
In addition to the implementation plan was cybersecurity program and this stance to have the outcomes, we need to see objectively how you received the outcomes that would be the revisions of the plan. As you offer up measures and approve the measures, are we seeing the achievement of the outcome to the level we desire? If not, what do we need to change in the plan? Builds in a revision process into the entire system if the other thing that's important to keep in mind is we require lability assessments and have a response plan because it's one thing to be able to prevent but it's another to build in resiliency so if the attack is partially successful, you can be as resilient as possible as a critical owner operator in the system to be able to respond. What we are going to do when we issue our directive coming up December is to have an additional requirement exercised with one of tabletop exercises. We did one at a range and found learning to be incredible, important to understand how you perceive information whether when a cyber attack occurred, it would not be normally what you expect. How do you pivot from respond to the cyber incident to what will be a crisis depending on the extent and level of the impact from safety and security services perspective. There was significant value in that. It's one thing to have a plan, it's different to execute the framework of the plan. We know we have a plan and it's unlikely is the same scenario but it gives you the framework and way to think about it. The other thing we have worked hard on is how we bring the federal agencies into alignment to be able to make an incident in the response to the incident as effective as possible. When this occurred, the CEO was across all agencies and often times asking the same question and sometimes in a slightly different way. 
What we do here and we did during this exercise was bring federal agencies into the exercise so youll owner operator could see the outcome and agencies here we had TSA in this exercise and I think that for them was reassuring there is going to be increased level of coordination and everybody knows it will not be perfect the first couple of times but there is definite effort to coordinate forward and in closing what we have done is gone from this sector to the real sector and use the same remark that allows the tailoring of specific measures the company's business model, some are brand-new because they recognize the need to do more than what they might have done in the past and it allows to account for technology we don't need to change the regulatory framework, it provides flexibility and recently in March we issued directives, the same framework to airports in the country, same idea. Not all but the ones most critical to the aviation system. I'd like to emphasize how born the partnerships were to success and would not be able to work today were it not for the partnerships in this sector than the real sector and now the aviation sector. We have as a government much more awareness of where the threat is and how it's developing separate from the weuntil receiving, what people are seeing on their systems and we have those relationships and it's really quick and barely just debated in the notification process so we made a tremendous amount of progress in a short bit of time. Offering to do something that ended up being one of the most important things we did and when we first started looking at this issue, we offer the CEOs of the companys cover, the opportunity to come into the White House and get top secret level brief so the CEOs of companies understood what their CIO was like we do ask them about and they didn't need to understand, just the threat and the intent of the threat would be going forward so that was incredibly important. 
One of the directors out there, they knew we were going to ask a lot and the second Rob's work in the department, Rob is working to harmonize reporting and we will talk about this in the second but it is helpful because when you look at the progress, they vary quite a bit to the extent we can bring standardization to the while allowing flexibly for types of reports that will likely come in and it reinforces to owners and operators critical infrastructure that we are really trying to partner with them because we view it, we are all in this together and need to work together to increase resiliency and improve protections we have. House interesting and we will come back. What companies might expect moving forward but Rob, over to you. The American people expect the government to protect them in cases where there capable themselves, think about food safety, national defense, American people are in a position to be in those kinds of work themselves and the same goal for this modern era threats whether it be very sophisticated and ruthless ransomware or the most sophisticated agencies. What we saw with Colonial Pipeline and gas lines and North Carolina and gina, the American people ask what can be done to text me from that as well and that's why we have gone into action or work to protect the market people is a mix of the voluntary programs and mandatory programs and the majority of our work is under the voluntary bucket and growing in success and sophistication. The baseline standard to which any company delivering essential services to people needs to adhere and it's not a new concept. First and cyber regulations over the financial sector, the energy grid and others for a long time across the ministrations, I think you're seeing thoughtful systemic approach, let's do this in a holistic way to make sure there is coverage everywhere there ought to be covered and it is rational and according to consistent standards so industry knows what they are stepping into. 
In that regard, it puts a lot of focus ensuring where other approaches failed and the regulatory approach is required, we are doing it in surgical tailored ways together with industry and that means we are doing things like setting common frameworks and regulations and this goal which by the way, are not mandatory controls saying you need to have that particular control on your IT or the other in the outcome based that companies should drive toward but they can pick the way and have flexibility within the context of the business and how to get there. Make it more efficient, less burdensome way but also allows experimentation from companies to figure out the best ways to achieve the security outcomes which at the end of the day, is all about. We are also taking steps to make sure only those entities that need regulated are regulated, selecting only the highest risk entities for certain regulations or multitiered themes of the highest risk higher or small businesses because we are mindful of the impact of small businesses don't have to undertake such great burden. We are looking at harmonization opportunities, it is imperative upon us as we undertake these steps to make sure we are doing it in a way that makes sense when you look across the different actions we are taking so for example, Congress last year passed legislation that calls to issue relation to mandate incident reporting to impact critical infrastructure companies and they are now doing that will making process. 
That mandate from Congress falls in to a sea of other incident reporting mandates from federal regulators or state regulators, international regulators that can be overwhelming for a company that already has a lot going on in 48 hours after falling victim to a cyber attack that incumbent upon us to make sure we minimize paperwork requirements so one thing we are doing and expect to report to Congress in the next month or two is cyber incident reporting council which is key federal agencies including independent regulators and as easy and FCC and FTC, we are closing in on proposed model timing triggers, structure regimes that a victim company has to have minimum amount of distraction as a gift to federal government if they need to protect the nation but not more so we are undertaking all of these industries as we deliver protections that the American people expect to protect when it comes to the power supply and the ability to transport themselves by air or rail or otherwise so that's the strategy. Thank you. That was helpful. Rob, I think you've covered at least three of my questions but let me start with one, you said you select companies in the highest, all three of you can talk on this, how do you determine whose highest risk? We started doing this long ago and not this administration, the ten biggest and forget everyone else, that didn't fly. How do you do it? I use the real sector as an example, if you look at the weakest freight railroads, he wouldn't get all the ones that are critically important because sometimes the rail systems are important to get onto the regular system as part of what we looked at, the largest systems for sure, how they typically carry and are there last operators we need to include? That's where a lot of great work with Department of Transportation comes from and is trying to get everybody that had an interest on this level to have this discussion with the industry and make sure we have the right critical operators. 
And that is fluid and somebody who becomes critical based on what they do, depending on what cargo they might be carrying, they might fit into this category, you know how to rewrite everything you've done, it covers the definition. You referenced this in an interesting way, several individuals made products that came out last week across National Security Agency and the FBI talked about Chinese carbon and infrastructure in the United States and clearly U.S. military is the same rail and aviation systems to move material as large American companies do. There is an overly of what we call critical infrastructure and critical infrastructure in the U.S. to mobilize and move material but critical infrastructure secure and resiliency makes national security more secure and that is key to this work. Elbow to the next. I have a friend who was in the audience last week and said the cyber response incident, a lot of the work has to deal with state government and state regulation. Tell us how you deal with this. In many instances state regulation comes into play because the company in course of the cyber incident, every state has personal data, you have to tell the residents and attorney general of the state, it is relatively rare from their state authorities will get involved in response they have law enforcement investigation in the context of their state attorney general's office but it is the federal authorities to offer the support to the entity to help them understand what has happened to them and offer tools and support to get back on the feet for the context of the FBI or Secret Service engage in law enforcement investigation into the perpetrators. Him and restructure operations where states are mostly involved from the perspective of protection of personal data and weather. Companies have engaged in with unfair trade practices in how they handle that personal data. 
There are some exceptions where there are some state regulators that do come in more from the infrastructure protection angle is cap rather than the rule of practice. Dave your clients run across multiple states. In multiple countries sometimes two. Rail systems using deathly aviation. The state government and transportation state airports are owned by municipalities are owned and operated by authorities by state organizations or by the states themselves. In addition with the state comes in often is in setting rates like the natural gas industry. The owners and operators need to go to the states the ability to change the rates one of things we have done as provider directives to the state legislatures. They see that when a company comes to them for a rate adjustment based on things we are requiring our security directives they see that directive beforehand requirements. Okay. Maybe now would be a good time to start handing out cards for questions I have more questions don't worry about it. If you want to add the question go right ahead. I forget one of you said one of the tasks was to bring federal agencies into alignment. I'm not quite sure what to ask, how do you do that? How is it going? Outlier is why don't you talk about bringing federal agencies to start with that. So, traditionally the National Security Council we call our national security principals meeting, as our traditional national security agencies to talk by the Department of Defense, states come intelligence. The Department of Justice. What is different when we think about critical infrastructure and events a critical structure agencies are really on the front line from a national perspective. Like TSA like apa like HHS security guidance and like. As we have been working present by calling to say cybersecurity is going to improve our digital infrastructure so secure at home, secure abroad. 
It's that the intelligence communities in some cases and some may have been made an intelligence briefing before learning about what elements of a water system are most important to securing that water system? Just like David today actually improving cybersecurity on the ground for critical infrastructure with the rubber meets the road and many other things you highlighted today across states, across internationally. How do we ensure the leadership of the companies about him? A big part of government working together has been to say what is common across? Likely performance goals what sector specific outreach. The particular elements of risk in a given sector we know we point to secure. Think I would add to is that in many cases if you look at an industry sector or coat sector risk management agencies. Sample and aviations TSA sector risk management for security. Same with pipelines. TSA for security, Rail Administration TSA for security. But when you think about in this for me is really embellished from a Coast Guard career. Safety responsibilities responsibilities in the same agency. What we saw was things we did for his safety purpose often times have security impact. What could happen if you wanted to free the reverse is true so what we have done really closely coat sector risk management agencies to the point without the regular framework together. We sought their input in advance. When we did the industry roundtables we did them together. We wanted the industry to say we are working together and importantly we're both willing to learn. I do not operate a pipeline. I not operate a rail system. But we really want to learn from the operators who do things in a smart way but still achieve the minimum baseline protection requirements that we want to achieve. I think bringing the agencies together is critically important. 
I think that is one of our real strengths over the last couple of years we've not had a single situation I am aware were something we have done has been either a surprise to her partner agencies which everything very close consorts with the FBI, with DOD the Department of Energy so none of us are surprised we can all contribute to it. And then when decide to issue a regulation for comment the industry knows have recorded amongst ourselves. Issues that come up and be happy together to look at issues in a cross between the safety and security issue. To answer this internationally important as well. Aviation side international civil is Mission Organization FAA and TSA are U.S. reps there. So coordinating domestically reflects the work we do to coordinate international aviation cybersecurity. The context of an incident think there's a brass tacks need the federal government to have its agencies talking amongst themselves on the back and so that we are not burgeoning and victim company with multiple knocks on the door asking questions. That is our duty. Think of gotten better as a federal government in that regard victim companies often see no background says that the FBI in the dissecting regulator all exchanging their notes on it. There is a common factual picture. Without having those parties have to go and get the information in a burdensome way. I think you will see when the cyber in issues its report to Congress we are going to reaffirm the commitment federal site coordination. As Dave was pointing out the broad systemic regulatory axis also bound to the heat of incident level as well. If I could build on that to be the heat of the incident is really, really important. Three going to gain and hopefully hold public confidence. That together you are not the operative system before the agency in the federal government the public holds accountable for assuring their safe and secure operation. With the most senior person in the affected entity. 
In a senior federal official they can speak for the other cities. So there's not a question asked of one of us yes answers in a slightly different way or even worse disagrees with. Do not have the coordination we need to have a need to get through this incident. What started off we are trying to build the key to resiliency is when you are impacted how quickly can you back your feet? Thinking back on your feet. One question that I have asked previous administrations is on the charge we have taken down. What authorities do you need? What authorities do you want? Are some authorities where you see the shortfalls? This is a congressional question. Where more authority and where would you like Congress to take action? Sue the first, raj you want to go first? What's one area we are really focused is on implementing the authority that Congress gave us cyber incident reporting act. Let's talk about the new mandate for critical infrastructure into reports cyber incidents. We are engaged in a major rulemaking process to meet that mandate. Also are working with Congress to like support from a resourcing perspective make sure we have the resources needed to bring that mandate into fruition. Xo echoed Rob's last comment 1000. The resourcing something we need begotten resourcing report reliever resourcing report budgets are constrained it is challenging situation sometimes. With respect to the authorities, I was a human TSA perspective and you see we are on the lectin, we are in very good shape in fact I would offer the authorities we have is a pretty good model. And really iron mike I hold my personal responsibility to exercise those authorities when needed and exercise them appropriately in full cognizance of Congress as we do that but that's a key figure authorities that you have. We are in really good shape. Think I will say a two-part answer. 
Certainly you see here major move she used every authority we have used every authority we have weathered under emergency whether it's interpreting existing safety authorities to ensure we can make critical services a secure and resilient as possible for the American people. One other effort is order from two years ago as well. Using procurements to meet a given standard. We develop that standard applying our lessons learned and solar wind. When conversations Department of Education. We show exposure tomorrow and send model of thinking about which of those sectors potentially education. Like potentially, you see the list they are. Feel voluntary efforts are inadequate? And for those who approach Congress at the right time discusses. Going to pick up some the questions we got some great questions. Couple of them on espionage might say that for the end if we have time. There are several good ones on the topic of discussion. Let me start the first. How you feel that regular class coming sectors like it? That is, but a few questions for how do you regulate costcutting sectors? Gently and critically structured? What celtic that a point which is harmonizing those involved. Find in many sectors we have those authorities as long as the authorities are harmonized the dated share you achieve the objective. That's they were looking pretty clear implementing and what additional risk remains we feel they prove as inadequate. I would cut out. Tagging to cross sector framework is important not to tell you specifically how to deal with giving a framework. Just got this technology modifies. We try to link to the framework and they cybersecurity their living documents. It cuts across sectors. Interest to understand the cross sector was art. I am cognizant with sectors. There are other tools nontraditional regulations that we look to, to address risk and a system where it be on where to do it. 
So for example the Committee on Foreign Investment in the United States which covers deals, covers transactions, investments, acquisition that involved foreign capital. It is now routine to impose cybersecurity requirements as a condition for allowing guilt. Similarly, that is not the whole landscape by dell risk in certain contexts. Of measurement rules the federal government extraordinary leadership in this area that we have the power of the purse. Many of the major IT providers are significant vendors of U.S. governments. We have expended a lot of money on technology we are in meaningful customer they want to cater to want to win our business to meet a whole host of cybersecurity requirements we would not have the to just impose on by regulation. They want the business they will do it and most have. So we are looking at the tools and numbers that they had going to go out of order that is okay. The identify outcomes much easier to get good ideas but this question kind of falls and what we have been talking about. TSA is developing a cyber framework. How is it going to address or incorporate third-party security contractors? I should touch on that would be big part of his. s in the midsize do not have the resources to develop the protections we need. So the larger service providers in the larger structure and operators to his apartment at their level. And with the Department Transportation infrastructure settlement funding for this. We are providing input to the grant applications based on if you want a grant here is the framework you need to conduct your cybersecurity operations tailored to the size of the entity that might be. Always. That is really important point to make a key point in the national cybersecurity as well. Cybersecurity is. Difficult overall vendor cybersecurity s one of the corners of the landscape. It's hard to protect the four corners to start understanding first, second, third tier down the line is daunting at a minimum. 
I think there's been great progress. A lot of leading regimes have a third-party security component to them. The DoD, the Pentagon has rolled out the maturity scheme up there plenty of others as well. There also technologies in the commercial services sector is coming up with solutions like third-party objective risk rating services and others that are helping companies come to grips with the very hard task know it's a very hard task most federal regulators endeavor to be reasonable work with the regular season understand the challenges that there are. Even as there are challenges there are many things. So we are encouraging companies to do those things. So maybe building on that one of the highlights of the National Cybersecurity Strategy some people are recommended in the cloud infrastructure. I'm not be surprising that appears in simple draft. I'm not sure it's the right approach though. What is the right approach? Or only some outside providers for the small and medium enterprises. They're going to be dependent on the big cloud guys. Voting for them, what is the expectation for them? And say three things quickly. What is for small and medium entities in some cases moving to the cloud is a lot easier than maintaining cybersecurity of the network. Trouble recruiting and maintaining people. However it's often troubling for us to see cloud providers sell security separately. Should be the expectation of buying cloud services a baseline level of security. That's part of it. I get in the car, signals are there the airbags are in there, because that way. I think a specially built Bare Minerals the traditional challenging cybersecurity's who's going to be responsible for for this what entity providing the services. Our expectations the government private sectors or by enclosure buying secure but the final piece is as a procurement we have issued various cloud security guidelines how you configured to be secure online. I think that's the model we are thinking of this moment in time.
This is a fun one. Maybe none of you want to touch her. It is when I think about it a while. How are you going to do agencies I can help it sorry for the agencies that regulate the critical independence. How does that fit into this general approach? Rob you have to deal with this. I do. And I think the answer is we bring them to the table as appropriate. Our National Security Council meetings were independent agencies are present in humans correcting them what to do part of that conversation likewise part of the incident reporting counseling agencies are part of that because they want to know what we're doing they are doing to the symptoms common ground people consumption want to go towards that is a good thing and they make those independent decisions. There is also a forum hosted by the scc of independent regulars form and comment Dave and I had all spoken out over months. Most are regulars and accrediting space in the pen come together to discuss these kinds of issues including patient issues like this are completely unity increased synchronicity of action all respects there is not. Are the right people talking to each other? Absolutely should be. May be related to that and then we are running out of time. We will keep this one short but it is a good one. How will digital manufacturing be handled? I think as we look at software increasing as the center of the economy coding is basically a narcotics. Risk letters sdk stad for most of you do software development China. Hotdog. [laughter] going to do about it? Think about the software industry in each of the building talked about software is at the heart in some way. What is the approach we should be for digital manufacturing customer. I can kick that often. The first part as I mentioned earlier the critical software build requirements are part of the second or two years ago. Here's my software needs to be filled and deployed.
I would note the speed at which cybersecurity deploy so that we have made progress and awareness on those issues. The second piece is hold the thoughts. As a connected device labeling program let's apply what we have learned before cyber to have a government standard government label applied in a voluntary program to companies that meet a standard one that is coming. That's a model thinking of essential five manufacturers and consumers but we are brand smart tv smart laugh and say blessed has integrity label on it may not be the wisest decision. It is usually important issue. It's hugely in has a lot of corners to it. One you like the open source software ecosystem incredibly innovative and grassroots. We also saw in the Log4j vulnerability came out about a year and a half ago open source software the deep dive on the issue. How is a community we can do better. Whether it be in resources to maintaining student recommendations to the academic community to improve their focus on security secure coding practices context. It's a very interesting thing a lot of really good schools and colleges, universities you get caught sight degree or certification without ever having to secure coding components in any of your courses. Which is not good. And that needs to change we need to not just about more coders and a new generation of coders we need new generation of coders who know how to code securely. The board recommended every academic institution make cybersecurity a required component of any curriculum or degree program. There are a number of things software bills of materials are going to increase transparency into the components of software so consumers can understand what is an artificial intelligence is going to be a lot of benefits to be able to run AI across code bases detect potential vulnerabilities or intentional malicious injection otherwise. I think you are right to ask the question.
There are a lot of efforts underway to address efforts led by the administration. That's great think it went quick last questionnaire at a time and sorry but it's a good one. The term systematically important keeps changing it's in section nine can't make up what this is. Well ever be clarified? Will be harmonized how will that be communicated? Dave that might go to you first. Think it will be clarified let's face it as we roll out the requirements we learn every time we reach a certain issue that comes up. He is to benefit from that learning and not be afraid to change it some of the court definitions. For example based on harmonization efforts what defines a reportable cybersecurity incident? We set this up front the industry we reserve the right to learn and to adjust some things along the way to make our process ever stronger. Hopefully get to point snap the line you're satisfied with it you build in some flexibility to handle the things that come up do not require full rewrite. I worry if we ever definitively answered questions like that will never get to come back to an event CSIS I don't know. I don't know. I do know we have plenty of work to do with entities, with industries that we know are really, really important and our focus is on getting that work done. Any final thoughts? Owing to close by saying there's always a big picture policy and then there's implementation on the ground. I think what has been so key is through the on the ground implementation led by Rob and Dave the first time across sectors like the pipeline, like our rail like airports and airlines we have a common approach with those companies. We have a way to understand the level of resilience and we learn of new threats and say are we safe? Do we have confidence in american can fill this critical services are safe? The on the ground implementation and the teams working that over the past two years huge amounts of things in making that happen.
There has been a measurable improvement which makes it different stress from a national security perspective and from a day-to-day confidence in her country and infrastructure. Looks great thank you. I thought this is of the session I not always say that last. [laughter] of the things, we covered a lot of ground told us what companies can expect this will be a very different environment moving forward. In part because the claimant cybersecurity been so much worse they gave us some good insights in how the policies being shaped. Please join me in thanking our speakers today. [applause]
