General for National Security John Carlin and Google Vice President Vint Cerf. This is an hour and 15 minutes.

All right, well, good afternoon, everybody. I want to welcome you to our cybersecurity summit that we're having. My initiative is Meet the Threat, to deal with the cybersecurity issues we have. I'm always excited. But I'm really excited, really excited today to host this conversation and highlight all the great work that the NGA has been doing. But before we do that, I do want to mention a resolution that we have that we talked about at lunch today with all the governors. We have a resolution honoring the memory of Justin Stevens. Justin Stevens, as you know, served the National Governors Association as the legislative director for the NGA's Public Safety and Homeland Security committee. He worked very closely with me as well as Governor Hutchinson here. Justin was also the point person for us on the Council of Governors. Those interest five Democrats, five Republicans appointed by the president to work with our intelligence and defense agency. Justin did an absolutely magnificent job. Even during his very difficult times with his illness, he remained always positive and continued to respond to the needs of all of the governors. Justin was a national voice and expert for our governors on issues ranging from cybersecurity to veterans to disaster relief. We cannot thank Justin and his family enough for allowing us to be a small part of his life. He was an incredible young man. And the contributions that he made will never be forgotten by the folks at the NGA. We express our sincere condolences to Justin Stevens's family and we honor his memory. At this moment I would ask, can we have a moment of silence for Justin. Thank you. As you know, this past July I kicked off my initiative, Meet the Threat: States Confront the Cyber Challenges, to provide states the resources they need to enhance cybersecurity.
For far too long cybersecurity has been an information technology issue that required a technical solution. Through our initiative we have and will continue to highlight that cybersecurity is critical to each and every governor. As you know, the governors of our nation actually have more data than the federal government. When you think of all the data we have through our tax returns, through Medicaid and health care programs that we have, department of motor vehicles, we have a wealth of information that every single day people are trying to get in and get our information through cyberthreats and cybercriminals. In the Commonwealth of Virginia alone last year, we had 86 million cyberattacks of the Commonwealth of Virginia. Just recently a foreign actor attempted to get my personal email from my state account. This goes on each and every day. As a state with 27 military installations, the largest naval base in the world, the Pentagon, the CIA, we have a responsibility when we have all of those assets to make sure we are leaning in to provide that front line of defense to not allow anyone to get into our system and take our valuable data. As I said in July, if Virginia is in great shape and does a great shape with cybersecurity, it is absolutely meaningless if some other state doesn't do anything about cybersecurity. We have the same health care provider. They will use that smaller state and go through that health care provider to get a back door into the Commonwealth of Virginia. So our initiative, and Governor Snyder and I worked very hard on it, that initiative is to make sure that all 50 states meet the basic protocols to make sure we have the basic levels of support so that we are all protecting one another and protecting one another's data. It is critical to protect our critical infrastructure, our electrical grids, our water system. They're trying to attack our 911 dispatch centers. All constantly being targeted.
Also, for our businesses, it's important that we send a message to companies as we recruit them to our states that they know we at the state level are doing everything we can to help provide the protections for their own data. In addition, as I've talked about a lot, this is a tremendous source of economic opportunity. The jobs of the 21st century, number one is going to be cybersecurity. In the Commonwealth of Virginia today, we have 582 cybercompanies. Right now today in the Commonwealth of Virginia, I have 36,000 cyberjobs open. So I would say to all the young parents who are here with us today, you're all too young. There used to be a movie called The Graduate. And the key phrase, Governor Dayton, was what? Plastics. I would say, see? You're too young. [laughter] But cyber is the key. And as I say, for parents, the starting pay in Virginia is 88,000 for these 36,000 jobs. As the governor of the Commonwealth of Virginia, I'm forfeiting 3.5 billion of payroll pages, about 120 million of state wages. That's why we have transformed our education system to do what we needed to do. These jobs are not going away and they're going to continue to grow. What we have done at the NGA, and I want to thank Tim and Jeff, where are they? Who have done a magnificent job. Are they with us today? Stand up. Here are the guys who run our cybercenter at the NGA. [applause] They are the governors' cyberwarriors. And they and their team have done a great job to make sure we're protecting all the assets. Since the launch of our initiative in Iowa, the NGA has held several events around the country and provided valuable resources to our fellow governors. A week after the summer meeting we have held round tables throughout the United States of America on health care issues and what they need to do in health care, workforce development, and infrastructure. We have brought in cyberexperts, businesses both large and small.
These discussions have culminated into memos that discuss the recommendations that each one of you and the other state policymakers can implement to assist you in your states. In October, we held our first regional summit in Boston. It was sold out within four hours. We had 26 states come. Every state was allowed to bring four people. It was a great, great working session. We will now have our next one, the final one for the other remaining 24 states, that will be coming up in California in March. So we now have the cybercenter set up. We would ask that all the governors continue to work with it. We have in front of every governor will be given a card. You will see that card. Nobody else has seen your card. That is for you. That is, we've gone through your state, and you have different color codes to determine how your state is doing on cybersecurity. I will tell you, even as chair, I have not shown your card. Governor Hickenlooper is showing his card to Governor Raimondo over there, I see that. That is your choice if Colorado wants to share with Rhode Island. Governor Daugaard is not. He's put it in his pocket. He's not going to let anyone see. He is going to keep it. But it's important that you look at this checklist. We went out in July. Let us all meet the basic protocols and put our checklist together. You can see they are actually color coded. I'm very proud. I'll show my card up. You obviously have red, yellow, blue and green. Not to brag, but the Commonwealth of Virginia, all green, Governor Hutchinson. I want you to know that. Yours might be too. Honestly, these metrics are for you to use. If you have red and yellow, you need to do something about it. If you have red, you really need to get in the game and do it. And that's what our cyberteam is here to work with you on as we continue to do it.
By the time we finish up next July, we need to make sure that everybody has those basic protocol, and we have filled out and done the checklist we have needed to take it to the next level. You see in front of you a slide. As you can see from the results, states are doing very well in some areas and not so well in others. The good news is that the states are placing a tremendous emphasis on establishing the governing bodies to identify and implement cybersecurity policies, mandating cybersecurity training for state employees, and have established a solid foundation for cybercrime investigations. On slide two, on the other hand, there are some areas that states can improve on. Governors need to ensure that their critical infrastructure's vulnerabilities are assessed and identified and put the appropriate priorities on it. You need to make sure that you are receiving timely and useful information on a consistent basis to make informed policy decisions and to assure yourself that your state is doing the basics that are needed to align your state with the NIST Cybersecurity Framework. And lastly, it is imperative that you have a strategic plan that outlines your state's vision for the next three to five years and a response plan that is based on your own individual risk assessments. Implementing these four basic practices will help guide you on the path to securing your state from malicious cyberactors. And NGA stands ready to assist you with your needs. Now I would like to turn it over to the great governor of the great state of Arkansas, Governor Asa Hutchinson, who is chair of the Homeland Security and Public Safety committee. The greatest chair ever of the Homeland Security and Public Safety commission. He succeeded me. So that is a great compliment. Thank you, Governor Hutchinson, for your tremendous leadership. Ladies and gentlemen, Governor Hutchinson. [applause]

Thank you, Governor McAuliffe. Great leadership on your part.
He advised me, since he had a perfect score, that he will be grading on the curve all the states. And that is good news for us. But really, a perfect example of leadership in a critical area that we all face. And I just wanted to emphasize a couple of points based upon my experience as a governor, but also going back to my time frame as undersecretary at Homeland Security when we looked at threats from a variety of arena. And just in the last two weeks, obviously, we have the tens of thousands of attacks that commonly come with the state databases. But we had a specific denial-of-service attack that was effective in terms of shutting down our state website for a period of time. That happened within the last two weeks. It was quickly up. There was not any damage done or not any loss of data. But then we had a small agency of state government that did have a loss of data based upon an attack. The good news is there was not any personal identifiable information for any citizens on there. So it was not a loss that cost. But that leads me to the concern that we should have in terms of governors. One is the potential loss and cost to the state. If you're in the private sector, you talk about in terms of liability. But the data notification requirements for loss of citizens' data does apply to the states. And most jurisdictions, and it would to us. It would be a significant cost if we had a loss of consumer information based upon a cyberattack. And so we have to concentrate on that side of it. In Arkansas, we have done our cybersecurity risk assessment that was just conducted by an outside group that made recommendations. We're going through an effort in data center consolidation, enterprise architecture that we unify under one agency, our department of information services, setting up a cybersecurity office. So we're making these steps.
But I just, and I see some of my good friends with the Southern States Energy Board and the interstate commerce, the Oil and Gas Compact Commission, that we met with an energy summit. And one of the points of conversation was the protection of our energy grid. And all of that is based upon the private sector and their protection of their networks from cyberattacks. But there is significant worry on the governors' part if the energy grid goes down. Because that our response, our cost to the state. So there is a regulatory challenge to us to make sure that our private sector that is regulated, that they are investing as they need in cyberprotection and security as well. I just raise that as an interesting point because of the liability and risk potential to the state, not just for our own systems but also the private sector. Should it be a nonregulatory environment. We should certainly encourage them to protect their own data as they are motivated to do. I just want to make those introductory comments. I'm delighted to hear from the panelists. Before we go that direction, I wanted to recognize the vice chair of the Homeland Security Public Safety committee, Governor Brown, who is doing an outstanding job in partnership with us. Governor Brown?

Thank you very much, Governor Hutchinson. It's truly an honor and delight to work with you. And Governor McAuliffe, thanks for your extraordinary leadership on these issues. I was secretary of state before becoming governor. And while I was secretary of state, I received the news, unfortunately, that our state campaign finance and our business registry websites had been hacked. Oh, thank you. My mother always tells me they can hear me anyway without the microphone. The sites were hacked while I was secretary of state. The websites were fairly new at the time and they were developed to make reporting easier and accessing services for small businesses much more accessible.
We were able to react immediately, shut the websites down, and began a full investigation with law enforcement. In the end, we were able to rebuild our programs. We built stronger walls. And made the system stronger. But not without a lot of expense to taxpayers and a lot of time and energy from state employees. Since that cyberattack in 2014, my state has taken a number of steps to address system deficiencies and increase our IT security posture. I initiated an audit that uncovered numerous structural security gaps. And then as governor, I issued an executive order to unify responsibility and upgrade Oregon's capabilities. And this legislative session, which we're currently in, I'm supporting legislation to establish a Cybersecurity Center of Excellence. It will develop a statewide cybersecurity strategy, share information between the public and the private sectors, coordinate incidents response, identify best practices and encourage development of a cybersecurity workforce. And Governor McAuliffe, we're really excited about getting some of those good paying jobs you got in Virginia to Oregon as well. I think we can do this by bringing together companies in Oregon like Intel and Hewlett-Packard with state, working with state and federal agencies. And of course one of our local universities, Oregon State University. To do more than just upgrade our state systems. I believe that we have to build tools that the public can put their confidence in, even when doing something as simple as buying a fishing license. And we like to buy fishing licenses in Oregon. We've also been really fortunate to be one of the five states selected to participate in the NGA Policy Academy on enhancing state cybersecurity. The academy has been a great benefit to my team on the ground. And I certainly look forward to sharing lessons learned with my colleagues and the states. So thank you so much for the opportunity to participate. I look forward to hearing the rest of the conversation.
Thank you, Governor. And to help kick things off today, we've assembled quite a panel. We're honored to be joined by John Carlin, who is the former assistant attorney general for the United States for National Security at the United States Department of Justice. John will be providing us an overview of the national security context around cybersecurity. John, the floor is yours, sir.

Thank you, Governor. So I thought I'd start with, imagine this. You get home from this conference and you're briefed that somewhere in your state there has been a breach, and it looks unsophisticated. It came in through using an unsophisticated tool, and it looks like a low level hacker. And your IT folks say this is no big deal. It was a relatively obscure part of our system, and all they stole was around 500 names and addresses, personally identifiable information. Small loss. And they say, we got it. Don't worry. The system is back. So it's one of, what, a thousand things that you're briefed on the day. Actually probably wouldn't even reach you as governor. It would be someone else in your state getting this news. Several weeks later, they go back to that someone five rungs down from you somewhere in the state and they say, you know what? We got a request through Gmail. And a request from this guy says they're going to release the fact that they took this information to embarrass us, and they want us to pay them 500. A form of sometimes ransomware when it actually encrypts your system. It's a form of ransom that takes place with cyber attacks. They say, I don't think this guy can do anything. It's a relatively small amount. I'm not even going to brief this up. We've got it. We handled it. Or they say they're going to pay them 500. This is a real case that happened to a trusted retail company with a trusted brand. And in that case what they did was work with the federal government. And what they found out was it wasn't what