Transcripts For CSPAN3 FCC 20240705 : vimarsana.com

CSPAN3 FCC July 5, 2024

Should I start over? I think I will. It's a pleasure to see people here again. The last panel we had was primarily the kinds of vulnerabilities and risks for providers the providers are experiencing. This subsequent panel health, how can to mitigate and reduce the chance systems and services can be hacked or otherwise made less available for people who need them. We are going to talk about how to apply frameworks, Cybersecurity Framework. Platforms available we will talk about the kinds of issues or problems different segments of the industry confront when dealing with these problems, so segments like different provider segment, different user segments like Public Safety and different segments such as small and medium-sized businesses which are providers that came up in the last panel, so those are the things we will be talking about that more on the perspective how as opposed to what. Let me introduce our panel to have Catherine from mti a. Catherine medications policy specialist, welcome, Catherine. Thank you. We also have Brian Daley joining us virtually, assistant Vice President for technology and standards, and it's good to see you again. We also have Christian Lori, the Risk Management sector is 20, Emergency Management work meter at Fairfax County, department of Emergency Management security. Welcome. We also have a director of engineering and I think you're here virtually. We have Harold Price, thank you for coming, and finally, Kevin, chief of Security Division and Information Technology laboratory National Institute for Standards and Technology. So thank you for joining us. I will say I am going to go through the question at a brisk pace, so if anybody has anything to say, please jump in. We have a lot of questions so that is what we will be doing and as the previous panel, specific people direct questions and I will announce that. The first question directed at Christian from CISA and in excess of question, what are we talking about here.
The question is when we use the term cyber Risk Management, what does it mean to you? You are from the Risk Management center, so what does it mean to you in your day-to-day life?

I just want to make sure the mic is working. This is our bread and butter. Hopefully it covers it in a little more detail. Risk management and cyber management in my view relates to a sense of decision and practice identifying things that matter most to you and put assets for things you want to protect at risk and making decisions to manage or mitigate or transfer or accept that risk. Risk management understood as a process, ongoing organization and we are talking about Digital Assets and networks and things like that but to emphasize the overall take away and when we talk about cyber risk, it is a process and something organizations need to do deliberately and proactively with care but also on an ongoing basis.

I'm going to add something to the question, I have asked, what does it mean? Now I'm going to ask why is it important for entities participating in this segment?

One of the benefits of cyber Risk Management is it helps, proactively identifying things that could go wrong and how you would respond to them and plan against those who pretend they will come up, that is the worst case to put your head in the sand and assume nothing will go wrong. Something will go wrong. It could be in error, it could be a cold, it could be a malicious actor trying to attack, something will go wrong. If you haven't planned around that and made decisions how to manage that risk and account for those things going wrong, you put yourself at greater risk, so that's how I framed it. It allows you to plan for things to go wrong.

Thank you, Christian. Next question is directed to Kevin Stein and Catherine and Shamus. Let me start with planning cyber Risk Management and Cyber Attacks help protect communication sectors as well as segments of the sector delivering emergency alerts.
I think dynamic and technologies involved externally driven rules and requirements organizations and evolves in their risk tolerance. These systems have a desirable target especially during an emergency. I think from broader risk assessment, one dimension of risk to manage, you see organizations in reference to this framework including a broader sector they use the framework to establish management programs and continuous process.

The supply chain risk information partnership. We were created show supply line and risk information with small phallic medications and providers, so part of our work we communicate a lot the community and try to hear their concerns so we can work with the United States government to provide resources, Lessons Learned, best practices to these can securely invest in the network. We were starting out hearing from these entities we are so small, not a target, we don't need to do the same work the larger providers have to do. Unfortunately I don't get up as beasley because they are being targeted. Either they themselves experience an attack, they seek competitors or they stay on top of the news and seek bankruptcies and follow and other types of Cyber Attacks, so they have this understanding they are the target whether by going to Cybersecurity Framework or another framework that provides similar guidance. Part of the shift we have seen is when you speak with practitioners and defenders, they understand the threats they are facing. We are still experiencing some disconnect between staff and leadership to make this a priority and allocate resources necessary to either invest in staff or the network if there's a particular piece they need to seek out.

Well be back next Public Safety sector so I'm going to add to the question for you in addition to talking about planning, make an entity stronger in these risk, from how to live the Public Safety entity planning can make safer and secure in somebody who has to plan resources, what was planned.
I will start with the wife. We hope for the best and plan for the worst, so as part of that we need to understand we need to be able to alert the public in a timely manner and make sure we have a plan in place to do that taper taking cyber into consideration. Do I have the base to do that? To have the path to end this? There are processes we can explore and utilize and position ourselves to ensure we can get the message out to the public and that is the real challenge. The message we want to send, we don't want to lose faith, so there is a fine line, we get in as fast as we can to get the message out but we need to make sure no one else can send a message and multiple people have touched on the. The challenge in this case, we rely on the system so our local information technology, they are the ones who try to mitigate Horizontal Movement and would utilize so we are trying to figure out how to keep it secure and send the message.

Thank you. We will go onto the next question participants. I will tweak it a little bit, we currently have cyber Risk Management plan you are using to reduce risk for Communication Services you provide. Nobody on the panel want to say no. I know nobody wants that because I know some of you pretty well, so what I will say is if you say yes, can you tell us about the plan, the elements in your plan, the extent you are able to check that? If, why is it know and you may have good reason, so I'm not going to be judgmental, so let's ask the question, I will start with Brian and what you have to say.

Let me do a quick check audio. Thank you for the opportunity to participate on this Important Panel. First off, my answer is yes, so we do maintain robust level security Risk Management plan with AT&T and it covers all Medication Services provided and that includes emergency alert. He may be familiar, we use a network to broadcast the alert.
We receive alerts which comes to us through a security protected interface and once it's in our network it follows our cybersecurity Risk Management plan. Our plan follows the framework and the notification. We have on multiple occasions a copy of AT&T Information Network Security Guard which provides a description of cybersecurity practices. They are not specific but it does make it clear we have to implement security controls sufficient to ensure confidentiality. We don't believe cybersecurity Risk Management plans are designed in a narrow area of application is appropriate use of resource because we do have broader Risk Management plan that covers all operations. Our chief Security Officer doug establish requirements as well as comprehend programs to make sure security is AT&T Computing Network environment. Security program make sure Information Access access will network facilities. Employee commercial will to protect the mobile network. Evaluations make sure controls are maintained and functioned according to policy. We do have Corporate Community plan to provide project management make for we Disaster Recovery security for AT&T and focusing on all aspects of operation below the reliability of security closely fully understand the aspects of the network fragments of local operation clearly anything from the but will suffer allow customers to gain more visibility and attempt to access the systems. On successful and reducing service in the old days, engineers for logs and things with Greater Alliance so the number of people who need to access the system, why you put your device on an unprotected network is reduced. We are trying to do that get more his ability to the operations.
I will say and probably have an opportunity to talk about this later, majority of Radio Stations by numbers, coverage are small to very Small Businesses trying to provide tools for people thinking about this and the requirements they want to make an thank you for the opportunity to be here today. There is zero support on a regular basis, it is a one and done all. How to change it or anything about it. That is at the level that is important to raise awareness of the need for cybersecurity at that level of customers trying to do our little once they become aware and make them aware.

Industry, I'm wondering if you have anything to say.

Yes, thank you for including us in this conversation. Harold made good points in the case of the company I work with. We are all the way down to places like Fairfield, Iowa. In the situation have a total of two people at that operation and neither of them have technical background, so that case we are dealing with a situation where there is a contract engineer and the contract engineer has expert operation. This would not be what we call strong suit, so to do things we are talking about are talking about bringing in someone completely outside of our normal sphere of operation to put things in place. Top. It like technical background in an operational stand in these small broadcast environments. There has got to be some comfort so they can understand the requirements and why it is a benefit to them and probably differentiates from the folks participating in this conversation because in most instances when we talk about commercial Service Providers and the like we got both keyed, and they put the hierarchy there, aware of what the situation is and how to address it. In our case we have a department, we do have procedures in place and they are focused around this and they focus on network segmentation.
Those to coordinate of effort to get blood in place to understand is will sub also I would ring up, in my other role as head of the Education Committee the broadcast of engineers interested in making sure we get the information out and help these situations to create awareness for books.

I heard similar and we will refer close little later but there are ways to do this without hiring full-time equivalents to do that and we will talk about this but I'm wondering about Resources Available to help with and so forth. We will save that for another moment. There intervening. I am wondering the key elements and what they are doing but in a more general sense, what are the most foreign elements to include? We will start with Kevin.

Thanks, I definitely appreciate this, we recommend using this framework as a start to establish the Risk Management plan. We are in an update process now and it is highlighting the important governance, the strategy and expectation and the possibilities laid out for cybersecurity and it's considered more broadly across the enterprise. Following up with identifying the current risk and understanding current production capabilities in the right response and once it's detected in having the capabilities in phase two recover and restore assets that might have been impacted. Establishing a plan and outcome that is important, there standards and Resources Available and others in the industry and resources to help implement to realize the capabilities and practice.

Thank you, Kevin. I'll ask the same question of Christian.

One thing I would ask the process of identifying risk we deal with reorganization and how to scale a solution and one thing we keep coming across one organization of any size dependencies that are not easy to identify so comes from the supply chain but it really is earlier points, it is the whole Business Continuity when it comes to electric power for facilities.
Minimally fact and self-sufficient it may be people can get their own roads. My overall recommendation is organizations take the broadest possible view, certainly can cybersecurity context a specific set of concerns and things like that, but in terms of the overall risk, it is broader than that.

Next question. Instead of talking about cyber Risk Management plan, it's cyber Risk Management extract and the question, how can cyber Risk Management focus on planning preparedness? How can it contribute to protection, infrastructure and reliable learning? I'm going to over and start with Harold.

Cybersecurity on another slice. It comes down to the context, the greek planning stage. Like a good number of society should I have my Radio Station informative? That is there Resources Available. You need to hire an alltime so they maintain it. Resources available, based on the agenda I googled for security. Scott is popped up on the screen early in the morning. It is incomprehensible for people doing it, there scholarly papers with titles too long and how do you find it and why does it pop up as 25 if not 21? You have to be proactive and they should follow the frameworks. They will need to discuss why they are good, you do need the system, how can you make it relevant to small operators? Than necessary, not as hard to do as one might think but has to be done. Rule making saying you have to have apollo, it is okay but needs to be scanned into simple language. Give them thing second to get the awareness and start to plan. That is the real thing, good thing to make a.

To turn now for the same question.

I agree the systems target some of the potential challenge with this implementation bears full of entities in this opportunity but also challenges implement it and managed.

Let's move on to the next question.
How can cyber Risk Management planning the infrastructure the next question is about preventing or mitigating the effects that will occur, so in what ways can cyber Risk Management help prevent or mitigate the consequences?

Or sport three score mecca recovery for them, doing the planning upfront early and often someplace, I think part of that planning goes back to the earlier questions from the panel, having the Risk Management plan plan and prioritize their efforts aligned with your missions and make sure they are responsive the landscape as well as your organization but internally and externally. When you do experience this, you are more prepared and part of that is not just prepay in place.

The next question we touched on a little earlier, what other challenges communication providers might face, in particular smaller midsized providers, when they considered developing and adopting, how well or if mid sized providers and communications in these challenges.

One of the things that is a challenge in one thing we can address is how we interface with the most individuals for understanding and what they are dealing with. In reality I expect examine the will find out because we might populate from those individuals who aren't necessarily the most educated folks putting information in, if there is a blank buildout that shows Outdated Software they might not understand why it needs to be checked and put in, producing okay, that's it. That's one of them. I think we need to go back through and designed this when we are dealing with it so we eliminate those possibilities so it is not automatic. It's
