Sources supposed consumers. This is about an hour. Expect complex. Thank you for coming. The first U.S. regulations were drafted more than a century ago, in the 1820s; the one I remember was the steamboat regulation of the Coast Guard that led to the whole body of safety regulations we see now. Fifty years ago we entered a period of deregulation. We found the balanced approach looks at the burden on companies, listed needs, and safety and security. I got this from Michael Dan Eichler, to give him credit, and it avoids technology specifics as much as possible. That would be an ideal system living ahead. We are going to talk about the role that agencies play, to help showcase the approach TSA has put forward, as a success story, I would say, of this administration and the other women. Talk about what DHS is doing, how it started, how things have played out along the way. This is an exciting time for cybersecurity. You know you are a nerd when you say things like that. It is an exciting time. I don't know when we... the regulations that began in the 1820s, and there is a series of automobiles and telephones; it takes somewhere between 20 and 40 years to develop adequate regulations for new technology. We are in year 25 of the internet. One difference is, unlike some of the previous efforts, we have opponents who are even eager to exploit things that we need unlocked and unopened. A different world. Our speakers today are well placed to discuss this further. I will go over their titles; the full bios should be available on the website. Anne Neuberger, Deputy Assistant Secretary, Deputy National Security Advisor for Cyber and Emerging Technologies. Robert Silvers, Under Secretary of Homeland Security for Strategy and Plans, a true veteran of homeland security. All security agencies, in any case; he's been there a while. Finally, David, the administrator of the Transportation Security Administration, which is one of the sector agencies that has done really good work recently. I was kidding the former admiral in the Coast Guard. So we'll have time at the end for a few questions.
Do not be shy; please write legibly on your card. With that, let me turn to Anne.

Thank you so much; it is great to be here. Such insights on cybersecurity: when thinking about new ideas, this is often one of the first people we call to say, what do you think about X. As much as it sounds like the steamboat explosion in the 1830s, which I will look into, the Colonial Pipeline hack is a transformative moment for cybersecurity in the United States; for Americans from now on in the infrastructure, we didn't have minimum requirements on infrastructure. It takes on this, and the end of the story, a moment, because it occurred six months later. And we know there were attempts at legislation over the decade prior to require the water system to put in place practices we have heard so many times. Consider, etc. The combination of what occurred and sensitive intelligence on other critical infrastructure, and being able to talk about the use of those emergency authorities. The way to bring in those companies and engage with them; they will talk more about the process and how it evolved, and the visibility it is providing, not only regarding specific companies but across a given sector. In the sector now, for the first time, there's visibility of resilience appropriate to the threats we face. That model was then used sector by sector, and I would like to show you this chart, the master chart, and call out the Security Council staff who have been driving this work across the agencies. This captures the strategy to drive minimums and what they rely on. For example, the authority in the industrial base; it was in place for this sector. The sectors identified had largely unused authorities that could be used to require minimum resilience.
The middle areas require some level of rulemaking, essentially looking at existing safety authorities and applying them to security, in the way it is applied to a water system: the safety authority applies to those digital systems. And the final column is where there is no ability to impose minimum requirements, only voluntary practices, and you will see clearly the sectors, like emergency sectors, that are really a concern. So I want to highlight the cross picture across all infrastructure in the United States, and the first column, where major progress has been made by the Department of Homeland Security and across the leadership in making movements, as well as the water sector and justice. In the deeper dive on how this played out: putting in place minimum resilience requirements for the sector. We will distribute it after the event; I can see people trying to take pictures of it, and we will make it easier. You look at it and say, oh my, there is a lot here.

It's great to be here and great to see everybody, and a lot of people on WebEx. I appreciate your comments in reference to this regulation and what we are seeing. We have the advantage in TSA of a strong law that gave authorities to require transportation entities to address threats we saw, on an emergency basis and at other times with limited notice. So we did. With Colonial occurring a little over two years ago, we have to think about all that's happened in a relatively short period of time for the industry and the government, and it is not just TSA; there are many entities involved. What we did initially was have the report. One of the first questions was, how common is this attack in the pipeline sector? We didn't know, because there was no reporting, so the very first thing, in the same month where this occurred, was requiring reporting; we defined cyber laws.
And we decided we would like to have it across commercial sectors, so the reporting goes into CISA, the Cybersecurity and Infrastructure Security Agency, as set forth by our directive, and CISA by design has the responsibility to transmit it in real time to the agencies of each co-sector. So in the case of pipelines that was TSA, the Pipeline and Hazardous Materials Safety Administration, the Department of Transportation and others; the Department of Energy, the Department of Homeland Security and Transportation have a key interest, as well as the Department of Defense. So this reporting was very important, something we modeled and then carried from the pipeline sector to the rail sector and the aviation sector, and it's proven its worth, because we know the reporting is present and everybody gets the same report. Otherwise a slightly different report, or information, can be different enough to cause confusion amongst the individuals receiving it. We required the companies to have a point of contact available to us, so in the report we had someone to call to get information if necessary, and oftentimes it was two or three people, which was very helpful. And one thing we did in July (so the reporting requirement was in May, and in July we issued very specific measures that we required companies in the pipeline sector to implement as quickly as possible), and it's important to note, when you issue this directive, it was not to every pipeline in the country; we looked at how the Department of Homeland Security assesses and defines critical elements of the infrastructure sector, which are more systemically critical to the operation of the sector, and it was those owners and operators we chose to cover by security directive. We issued the directive to fewer than 100 companies, with very specific requirements. The reaction from the pipeline industry: are you asking us to stop doing the things we are currently doing? This will require significant investment and probably a change of the core business process.
We looked at that and had a lot of back-and-forth with the industry representatives, and a series of formal roundtable discussions, in the span of a year. We issued the directive in July and did a lot of work on the requirements put in place, so there was improvement in preparedness from the cybersecurity perspective, but we did a complete redo with the help of the industry and came up with a performance-based regulation. Basically, rather than saying to do specific activities, we outlined four key outcomes to achieve and then said, here are the outcomes; we want you to come back within a short period of time and give us an implementation plan: tell us specifically what you will do and what works for your business to be able to achieve the outcomes required. The outcomes were: segmentation. So think about that for a second: it was the lack of network segmentation, and of knowledge of the degree to which it was segmented, that caused the destruction we saw in May of 2021. So the first one was ensuring segmentation in these systems, and the second was to put measures in place to achieve control of your critical systems. The third was to do continuous detection and monitoring: put measures in place, but if you're not monitoring those to detect intrusions, it's not helpful. And the last was, in the pipeline sector, it's critical to understand the technology; there are literally thousands of devices in a pipeline going across the country, and many of these are controlled through electronics and many are not, so the thing we said was, you need to give us a prioritized plan established for patching systems and give that plan as part of your security plan. So the industry has done an incredible job. From the agency's perspective, it helped in designing a regulatory framework that I think works really well. Second, they invested a lot of money and time to be able to put the first measures in place and to pivot to the performance-based model.
In addition to the implementation plan was a cybersecurity program, and the stance is: you have the outcomes; we need to see objectively how you achieved the outcomes, and that would be the revisions of the plan. As you offer up measures and we approve the measures, are we seeing the achievement of the outcome to the level we desire? If not, what do we need to change in the plan? It builds a revision process into the entire system. The other thing that's important to keep in mind is we require vulnerability assessments and a response plan, because it's one thing to be able to prevent, but it's another to build in resiliency, so if the attack is partially successful, you can be as resilient as possible as a critical owner-operator in the system to be able to respond. What we are going to do when we issue our directive coming up in December is to have an additional requirement: exercise it with tabletop exercises. We did one at a range and found the learning to be incredible; it's important to understand how you perceive information, because when a cyber attack occurs, it would not be what you normally expect. How do you pivot from responding to the cyber incident to what will be a crisis, depending on the extent and level of the impact from a safety and security services perspective? There was significant value in that. It's one thing to have a plan; it's different to execute the framework of the plan. We know we have a plan, and it's unlikely it is the same scenario, but it gives you the framework and a way to think about it. The other thing we have worked hard on is how we bring the federal agencies into alignment, to be able to make the response to an incident as effective as possible. When this occurred, the CEO was across all agencies, oftentimes asking the same question and sometimes in a slightly different way.
What we do here, and we did during this exercise, was bring federal agencies into the exercise so the owner-operator could see the outcome and the agencies. Here we had TSA in this exercise, and I think that for them was reassuring: there is going to be an increased level of coordination, and everybody knows it will not be perfect the first couple of times, but there is a definite effort to coordinate going forward. And in closing, what we have done is gone from this sector to the rail sector and used the same framework that allows the tailoring of specific measures to the company's business model; some are brand new, because they recognize the need to do more than what they might have done in the past, and it allows us to account for technology; we don't need to change the regulatory framework, it provides flexibility. And recently, in March, we issued directives, the same framework, to airports in the country, same idea. Not all, but the ones most critical to the aviation system. I'd like to emphasize how important the partnerships were to success; we would not be able to work today were it not for the partnerships in this sector, then the rail sector and now the aviation sector. We have, as a government, much more awareness of where the threat is and how it's developing, separate from what we are receiving, what people are seeing on their systems, and we have those relationships, and it's really quick and barely just debated in the notification process, so we made a tremendous amount of progress in a short bit of time. Offering to do something that ended up being one of the most important things we did: when we first started looking at this issue, we offered the CEOs of the companies covered the opportunity to come into the White House and get a top-secret-level brief, so the CEOs of companies understood what their CIO was likely to ask them about, and they didn't need to understand the rest, just the threat and what the intent of the threat would be going forward. So that was incredibly important.
One of the directors out there, they knew we were going to ask a lot. And the second, Rob's work in the department: Rob is working to harmonize reporting, and we will talk about this in a second, but it is helpful, because when you look at the progress, they vary quite a bit. To the extent we can bring standardization while allowing flexibility for the types of reports that will likely come in, it reinforces to owners and operators of critical infrastructure that we are really trying to partner with them, because we view it as we are all in this together and need to work together to increase resiliency and improve the protections we have.

That's interesting, and we will come back to what companies might expect moving forward, but Rob, over to you.

The American people expect the government to protect them in cases where they aren't capable themselves; think about food safety, national defense. The American people aren't in a position to do those kinds of work themselves, and the same goes for this modern era of threats, whether it be very sophisticated and ruthless ransomware or the most sophisticated agencies. What we saw with Colonial Pipeline, and gas lines in North Carolina and Georgia: the American people ask what can be done to protect me from that as well, and that's why we have gone into action. Our work to protect the American people is a mix of voluntary programs and mandatory programs, and the majority of our work is under the voluntary bucket and is growing in success and sophistication. There is a baseline standard to which any company delivering essential services to people needs to adhere, and it's not a new concept. There have been cyber regulations over the financial sector, the energy grid and others for a long time, across administrations. I think you're seeing a thoughtful, systemic approach: let's do this in a holistic way to make sure there is coverage everywhere there ought to be coverage, and it is rational and according to consistent standards, so industry knows what they are stepping into.
In that regard, it puts a lot of focus on ensuring, where other approaches failed and the regulatory approach is required, that we are doing it in surgical, tailored ways, together with industry. That means we are doing things like setting common frameworks and regulations toward this goal, which, by the way, are not mandatory controls saying you need to have that particular control on your IT; rather they are outcome-based goals that companies should drive toward, but they can pick the way and have flexibility, within the context of the business, on how to get there. That makes it more efficient and less burdensome, but also allows experimentation from companies to figure out the best ways to achieve the security outcomes, which, at the end of the day, is what it is all about. We are also taking steps to make sure only those entities that need to be regulated are regulated, selecting only the highest-risk entities for certain regulations, or multi-tiered schemes for the highest risk, higher, or small businesses, because we are mindful of the impact on small businesses; they don't have to undertake such a great burden. We are looking at harmonization opportunities. It is imperative upon us, as we undertake these steps, to make sure we are doing it in a way that makes sense when you look across the different actions we are taking. So, for example, Congress last year passed legislation that calls for a regulation to be issued to mandate incident reporting for impacted critical infrastructure companies, and they are now doing that rulemaking process.
That mandate from Congress falls into a sea of other incident reporting mandates from federal regulators, state regulators, international regulators, that can be overwhelming for a company that already has a lot going on in the 48 hours after falling victim to a cyber attack. It is incumbent upon us to make sure we minimize paperwork requirements. So one thing we are doing, and expect to report to Congress in the next month or two, is the Cyber Incident Reporting Council, which is key federal agencies, including independent regulators, the SEC and FCC and FTC. We are closing in on proposed model timing, triggers, and structure of regimes, so that a victim company has the minimum amount of distraction and gives the federal government what it needs to protect the nation, but not more. So we are undertaking all of these indus