Skip to main content

tv   Politics and Public Policy Today  CSPAN  May 9, 2016 6:08pm-7:01pm EDT

6:08 pm
for questions themselves. so let me switch to the counter-terrorism. post paris and brussels, what has become very evident is that there have been enclaves of isolated communities within those -- throughout europe really but specifically in brussels that have permitted the radicalization on a community basis of some members, certainly the ability to move in and out of these communities themselves. given the level of rhetoric in this campaign and the concern that we have seen growing throughout europe, what is it that we can do from the department of homeland security's perspective to counter the narrative of radicalization? >> let me say that i appreciate that's the question. it's a very important priority of ours. the countering violent extremism mission. last year we were very focused on the foreign fighter phenomenon. the phenomenon of individuals
6:09 pm
leaving the united states, traveling to conflict zones, syria most notably, and the concern that they became or already were radicalized with the intent of returning to the united states to do us harm. that, of course, remains a concern of ours, but increasingly we are concerned about the home-grown radicalized violent extremist. and we had an effort that was under the rubric of countering violent extremism, but we rebranded that effort very importantly and created the office for community partnerships because ultimately -- ultimately the owners of that effort must be the local communities themselves to be able to identify individuals who are on the path to radicalization and to intervene in that path. we, in the federal government, can facilitate and equip them to
6:10 pm
address this phenomenon. the -- director james comey has spoken on a number of occasions publicly about the fact that there are approximately 1,000 individuals under investigation in the united states now. there are individuals in every single state of our union who are under investigation. and they may very well not have travelled to an area of conflict, but instead become radicalized in their own communities. we were given funding by congress to equip local and state and tribal law enforcement and community organizations, whether they be non-profit, religious or other types of organizations, to build the lines of communication and to build the apparatus to reach those individuals, their families, their friends, and equip them with the tools to intervene. we are also, of course, involved
6:11 pm
in transmitting the counter-narrative. and the one thing that -- or at least one characteristic that really distinguishes isil in the radicalizing effort is their very shisticated use of social media. and we, in turn, are using social media to reach the very same individuals, to ensure that the messages that they need to receive in order to thwart their path to radicalization is in fact communicated. so this is a community-based effort that we in the federal government very much support, facilitate and equip. >> i appreciate very much your remarks on the efforts in the department for cybersecurity. and one of the things that is so daunting to the private sector is this array of stove-pipe regulation, for the fcc, hipaa,
6:12 pm
all sorts of real hard penalties associated with that. yet, when you go to the federal government writ-large there is no law that tells you how to be cyber secure. it's one of the things that a lot of companies really struggle with. if you could speak to the private sector for a second. what is going to get the cybersecurity moving at the private level? what are the things? is it a carrot -- is it a stick, the sharing of information? what do you think is the right recipe to engage? because, as you know, the private sector has 80% of the cyber assets. so how do we truly engage in a national dialogue with the private sector to make them more and more cyber secure? >> so, there is not a single standard for cybersecurity. in other words, this is the standard of care to which you must adhere and if you fall below that you may be exposed to liability, and if you satisfy that standard you are safe from
6:13 pm
liability. and there isn't that standard because of the dinahimidynamism environment and how quickly it would move. the standard of care may suit the current environment but the day after tomorrow it may be obsolete because we have learned so much. what we have done in the federal government is actually developed the nist framework twhich communicate the criteria that should be looked to to develop its cybersecurity ecosystem. if you are a big company, a medium company, if you are a small company, depending on the nature of the jewels that you carry as an institution, you
6:14 pm
look to the n.i.s.t. framework to understand the analytic architecture that you should follow in building your cybersecurity. i will say this, and this is my personal opinion as a participate in this arena but also very much a student in this arena. when i was a procesecutor, fedel prosecutor, the standard of care was quite evident. and we did not pursue accountability as a means of defining the standard of care. because in the criminal arena that would be terribly unjust. i will say, in this space, i do see federal lawsuits against companies for deficient cybersecurity, and i'm not sure that all of those lawsuits are
6:15 pm
just given the fact that we have a lack of clarity of what is really due care, standard of care. there are cases where the deficiencies are readily apparent. they are patent and, quite frankly, the protocols are irresponsible. but if one doesn't have that, frankly, level of -- of a lack of care, it starts, to me, to get very difficult to hold companies responsible. and i worry about the use of a stick to build a cybersecurity ecosystem rather than a means of communication and the provision of tools to develop it. >> thank you very much. we'll open it to the audience for questions. if you want to ask a question, please raise your hand and we'll get you a microphone.
6:16 pm
>> down here in front, please. please identify yourself, if you would. >> hi. hi. rick weber at inside cybersecurity. deputy secretary, you mentioned critical documents that you are working on within the administration, in the near future you'll be publishing them. are they on sharing within the government or the private sector and how will they relate to liability relief under the cybersecurity law? >> so, with respect to the question of liability, we already in the department of homeland security published a number of documents, and we, of course, i think, owe to the public additional education materials. i think that the documents that we are working on, and not to get too far out in front of the administration -- and i probably already have achieved that --
6:17 pm
but i think it really speaks to how we are organized within the government and how we will use our resources in the best service of the public interest. we have heard from the private sector who are we supposed to call if in fact we suffer a cyber event. we, of course, want to provide clarity in response to that question, and in an ever-increasing arena of change, we also have to be well organized and well coordinated within the federal government and within its institutions and our respective roles and responsibilities. and it is on that latter point, i think, that we are focused. >> up front.
6:18 pm
>> allen day, retired cia. was there anything in the 215 data that, had it been pursued, could have been used to head off the san bernardino attacks? >> so that's a question that pertains to an ongoing investigation and an ongoing prosecution, so i will refrain from answering that question. and as a former cia official, you should well understand my response. >> next. in the middle here. >> rich cooper, catalyst partners and a senior fellow with the gw center. have you been having
6:19 pm
conversations -- you talked about engaging with the private sector. have you been talking with insurance companies as to lessons learned, insights that they have? insurance companies seem to be a great arbiter of changing behavior in lots of ways. curious what types of insights you've had. >> so that's a great question and a great point. the allocation of risk is a phenomenal driver of behavior. we do dialogue considerably with the insurance industry. most importantly, to impart information so that we share what we know with industry so that they are equipped to understand, really, the dynamics that we face, not in terms of schooling, how they choose to allocate risks and build their
6:20 pm
models. but i do think that the insurance industry will be one of the key drivers of cybersecurity standards. >> in the back. she's coming. >> kim quarrels. further to the point on insurance. there are insurance products available, to your point, under w-secretary, of educating the private sector to coordinate with the insurance industry, already products where notification becomes an element of what they are required to do. and if that sharing occurs the notification process becomes part of the incident process and the incident response. >> yes. and that's why i do think the --
6:21 pm
the maturation of the insurance industry in the cybersecurity realm will help drive behavior, and i think it will help define the standards of care that are somewhat elusive now and seem to be developing through the crucible of the courtroom rather than the policy making rooms. >> yes. down here in front. >> i'm from new jersey, so i can really speak out loud. cindy faith, deloitte. i am interested in your vision with regard to the information sharing automated information sharing program from dhs which is sort of a machine-to-machine level of i.o.c.s and how you see
6:22 pm
small and medium sized businesses being able to benefit from that given the fact that there is a level of infrastructure and maturity needed to ingest this at the machine speed. >> so great question. just for everyone's awareness, we committed to developing an automated information-sharing structure where we can receive the cyber threat kaeindicators a particular format, a sticks and taxis format, did automated form. and in near realtime, essentially strip of it the personally identifiable information that of course carries with it very important privacy interests that are not germane or material to the
6:23 pm
cybersecurity goal and then to disseminate information in automated form throughout the private sector, something to which i alluded in my opening remarks. we have, in fact, built on schedule the first level of that automated information-sharing protocol. we have 24 companies already participating in it, and one of the questions is, as i understand your question, how do we build it so that we achieve accessibility for all, not just the big institutions that can afford the investment. and that is something that we are building towards and don't have just yet. and it's -- it's very new. and so we are working on it as a top priority. this is one of the areas in which we need to innovate. quite frankly. we are hoping, as a government,
6:24 pm
to move from a flint stoneian model to another level. that's a literary reference for those of you who don't know me. the notion of embarking upon a ten-year contract for the development of a product which, by the time we roll it out, is obsolete, has to really disappear, and we are now increasingly using the agile method of development, the waterfall development -- the waterfall method of development where we move in six-month or shorter sprints and produce product in that way. we've brought in -- and this is really the president's leadership -- digital services, people from companies like deloitte, other very
6:25 pm
cutting-edge companies, to really bring the most cutting-edge development models and thinking to the way we not only acquire but execute on contracts. so building the automated information-sharing framework for the otherwise disenfranchised and something that we are very focused on. >> unfront. up front. >> john gardeniere, gw alumnus and former naval intelligence officer. following up on your last answer, sir, i wonder to what extent you could address the topic of red teaming, and particularly outside the intelligence community of the government. to what extent can you use the
6:26 pm
dedicated hacker community or fraternity in some ways to help you understand and counter vulnerabilities. >> let me share with you an experience that i had that brought your question into my life. i was -- into my life as a deputy secretary. i was speaking at def con last year, which is a conference of hackers in las vegas, nevada. and there are about 20,000 attendees in the conference, and i spoke to a group of maybe about 700 or so, and i was actually the focus of my remarks was on the issue of distrust and how to bridge the divide. and i was not permitted to bring
6:27 pm
my personal or work phones into the hotel, whether on or off, for fear that they would be hacked. and i actually mentioned that at the outset of my remarks and told the group of people that i had brought a phone with me and that if anyone made it ring during my remarks i would pay them $1,000. this was at the outset of my remarks and all of a sudden everyone is opening their backpacks and their briefcases and they're pulling out equipment and working on things. it was rather stunning. they learned a few minutes later that i had brought with me a motorola flip-phone from the '70s, so i was -- i was secure in my inability to afford paying anyone $1,000. but i said, you know what we
6:28 pm
need to do, in the course of my remarks, i said, you know what we need to do? we need to actually bring some of you into the government, not just from a red-teaming perspective, which frankly we do already. we do in the department of defense does as well. and secretary carter spoke of that publicly. but also so that they understand -- they understand what we do, how we do it, and why we do it. you know, it's very easy to -- to distrust from afar, but if you are sitting next to somebody and you actually observe them and the intentions of their efforts and the policies behind their efforts and, in my humble opinion, the nobility of their efforts in government service, that's the best way to eliminate the distrust. and so we red team in the
6:29 pm
department of homeland security. there are red teams outside the department of homeland security, specifically in the cyber space. i think bringing in that community actually has other collateral benefits to which i refer. >> down front, please. >> we red team internally as well, by the way. >> deputy secretary, fred rosa with johns hopkins university and senior fellow here at the gw center. would you take a moment to comment on your sense for the maturity of the department's risk assessment process, particularly with respect to obviously there is a wide, scary dynamic threat spectrum much different than we have had in the past, and there is a day-to-day necessity to make decisions about establishing programs, allocating resources and so on, and they need to be
6:30 pm
risk driven. would you offer your perspective on that, please. >> so that's a very, very good question. i would say -- i would answer it in this way, in all candor. i think that we are more mature in our ability to assess risk with scientific rigor in some areas more than in others. and let me -- let me give, as an example, the -- let me harken back to the question that you posed with respect to extremism. the radicalizing of individuals in the united states. i, in my visit in the u.k., they
6:31 pm
have a very sophisticated architecture of intervention and developing and disseminating the counter narrative. and it is empirically based. they have analyzed the risk and the underpinnings of their efforts are scientifically based. i think that our development of that scientific foundation is not quite as mature, and we are working on it. frankly, our office of science and technology has funded incredibly important research projects, but we need to do a
6:32 pm
better job of integrating those research projects into our operational workings. and so i would say it depends in what area of our vast mission one is speaking of. we're better in some areas than others. we're very -- we're very mature in the border security arena, something that we have been very dedicated -- quite dedicated to and, frankly, countering violent extremism is a relatively -- relatively new phenomenon as compared to, for example, a border security. >> so with that i believe we have concluded this part of the session. deputy secretary, thank you very much for your remarks. >> thank you. thank you all very much. >> continue with the mission. >> thank you. [ applause ]
6:33 pm
thank you, and now we're going to move into our panel on public-private sector coordination on cybersecurity. we've got an amazing group here representing a whole host of different actors that have to be part of the solution set. i will just literally give titles and let -- and if they want to expand during the q & a in terms of their backgrounds, that would be great, but i want to maximize time.
6:34 pm
starting to my right. i'm rarely on the far left but starting on my right is eric goldstein, who is a senior adviser at the cyber division of the department of homeland security. next to him is an old friend of mine, general reynold hoover, a major general in the national guard and is also very active in our active defense project that we're doing here at the center. kiersten todt, who is leading the president's commission as the staff director for cybersecurity. so thought it would be really insightful to get a sense of where the commission plans to go. scott aaronson, who is at e.e.i. and has done a ton of work on public-private partnership and grid security and cybersecurity, and i think the sector as a whole has really raised its game in terms of cybersecurity. given the recent cyber attacks in the ukraine, think there could be some very valuable lessons in terms of the
6:35 pm
implications here in the united states. last and certainly not least is scott kaine, at delta risk. he is a newly appointed ceo there, so congratulations on that. and thank you for helping sponsor our event. >> sure. >> what i thought i would do is jump right into questions. we want to save time for the audience to engage in a q & a as well. kiersten, i thought we'd start with you. since the president recently concluded there was a need for a commission to examine cybersecurity issues, obviously the scale and scope is quite broad, but what are the priorities that you guys are looking at? what is it you hope to accomplish, and what is it you hope to accomplish in a relatively short order of time? >> right. so i think that the short order of time, as i have said, works to our benefit. i've said it's the marathon within the sprint, the sprint within the marathon. either way it's fast and
6:36 pm
requires a lot of effort, but the end result is a report that's going to be delivered to the president on december 1st, and the key here, as the president outlined and as the commission has repeated, is this is not intended to be a culminating document of the president obama's administration. quite the opposite. it's intended to be a document that looks forward and that hopefully the new administration that comes in can use as a transition document on cyber. and the general strategy approach to this commission is looking at the digital economy and it's looking at the role of the government as well as the private sector in the digital economy. how these two elements and entities work together and what they can each do in order to look at creating a secure digital economy three, five, ten years down the road. and our -- sort of the way that i would define specifically what we are looking to do is to set forth in december a series of short-term, practical recommendations, one that, as
6:37 pm
soon as that report is done, can actually be used and implemented immediately for ways that can help and secure what we're trying to do as well as long-term ambitious recommendations, so that we're ensuring that innovation is a part of this. when we look at those and look at the different themes, that they're both possible, and how we do that is measured by taking best practices, lessons learned that are out there. what we're working with right now is looking at what are the models for how we're going to draft the recommendations. it's a combination of what's already out there, best practices, lessons learned. it also could provide an opportunity for things that are working but don't have a lot of visibility and to raise the platform and the visibility of them on a national level. and then not most importantly but i think very -- very importantly is the innovation, being able to pull an innovation around this country on these initiatives and efforts in a way that, again, puts forth a digital economy that we're looking at three, five, ten
6:38 pm
years down the road. >> thank you, kiersten. eric, why don't we go to you in terms of trying to get a sense of where we are, what's working, what's not. can you shed some light on where the nccic fits into some of the public-private partnership initiatives and then we'll turn to general hoover and then we'll hear from the private sector. >> absolutely. i should begin by noting that cybersecurity in the u.s. government is, of course, a team sport. so we have law enforcement agencies that of course have to identify, attribute, interdict our adversaries, we have the military defending d.o.d. networks and combatting our adversaries in cyber space. my agency, dhs, our role is to protect. our role is to actively protect federal civilian agencies and help the private sector and help state and local, tribal and territorial governments better protect themselves. with that, we're pushing forward very urgently on a few lines of effort, the first of which is congress was kind enough to pass the cybersecurity act as this
6:39 pm
audience assuredly knows, last december. as part of that act our national cybersecurity and communications integration center, or the nccic, was established as the u.s. government's information sharing hub to exchange cybersecurity threat information between government and the private sector. this past march our secretary certified that our capability to share information in realtime between government and the private sector is operational. what we need to do now is build the base of companies and agencies participating in this activity. the act of last december really removed a lot of the disincentives that were stymieing sharing between the government and the private sector, for example, the possibility of civil liability, foia exceptions, et cetera. we now feel the disincentives have been wiped away by the new act. we at the nccic now need to figure out what are the positive
6:40 pm
incentives. how do we in the government show added value from cybersecurity information sharing such that companies will see benefits to their security and to their bottom line to participate. i would also note, building off the point on the president's cybersecurity commission, we see ourselves as having a significant role in promulgating best practices across the nation and figuring out how should companies best evaluate their relative cybersecurity posture and measuring progress thereto. and of course our foundational document is thenist framework. we need to figure out how they use the framework to show measurable reductions in the cybersecurity risk. we're focusing in the private sector for increasing our capacity in these two key areas. how do we demonstrate to the private sector the value of
6:41 pm
cybersecurity threat information sharing and promulgate and measure the effectiveness of best practices being adopted across the private sector and in particular across the nation's infrastructure. >> general hoover, when you think of the national guard they embody the citizen soldier. we can all look back to major crises and recognize the role that the guard plays in mitigating the consequences of these sorts of attacks. where do you see the national guard fitting into our overall cybersecurity equation? and what more can or should companies and state and local authorities know about the guard's role here? >> sure. so i think there is a couple of things. first, the days of putting a lot of money into cyber to build a wall are over. we all have to kind of get our arms around the -- >> you mean we can't firewall our way out of this one? >> no. the firewalls are a think of the past because, you know, a company, a private sector, or the federal government, will spend millions and billions of
6:42 pm
dollars on building the wall, and it only takes one person on our side of the wall to do something really stupid to take down your system. so i think, as we think about cyber and what cyber means from whatever perspective you're looking at it, it really needs to be a whole of government initiative, and it needs to be a public-private partnership, and we need to think about active defense, and we need to think about risk management in the cyber arena. we think that the guard is uniquely -- in a unique position to support that effort through our citizen soldiers out there, and as part of that -- as part of that we have -- we're fielding cyber protection teams in all the fema regions, in each of the ten fema regions, both on the army and air side. we should have those teams in place by fy '15. or '19. these units are in state active-duty status, so they're under the control of the governors in all 54 in the straights and district of
6:43 pm
columbia and territories they will be available. they're there to augment the d.o.d. commission and the army cyber command. more importantly, they are an unique asset. as we think about what's the future for cyber and how do we do that in partnership, i think the guard has a unique opportunity to bring to the table. >> i want to pick up on those points in a bit. scott, how many companies went into business thinking they had to defend themselves against foreign intelligence services, nation-state threats? how do we translate the nouns into the verbs? what is it e.e.i. and the companies you represent doing to try to make this real? and do we need to -- is it about consequence, is it about perpetrator-actor? what are your thoughts? >> there are a bunch of things that general hoover said that i want to pick up on. you heard the word "partnership" over and over. that's exactly the way that we're looking at this.
6:44 pm
we can't do this alone. we don't have intelligence gathering capabilities. we don't have law enforcement. we don't have a national security mandate. but we are a target. what we look at it in terms of partnership, there is a north-south partnership. government and industry working together. i am privileged to serve not just at e.e.i. but for the coordinateding council which brought 30 ceos together with senior government officials to do things that are advancing the cause of security, looking at deploying tools and technology that the government has. the way i put it, the government has some pretty cool toys. we want those on our systems. improving the sharing of information, making sure the right people are getting the right information at the right time. i talked about north-south, government and industry. east-west is incredibly important across the sectors. we, the electric sector, because everything runs on us, are often
6:45 pm
looked at as the most critical of the critical. don't have water or telecommunications or transportation and pipelines, we cannot operate. there are many ways to attack the electric grid short of attacking the electric grid. so tools and technology, information sharing, partnerships, response and recovery. so much we get, like you said, general hoover, we can't firewall our way out of this. what you want to do is make the adversary build the ladder but we understand security is not just protect, protect and defend but it's also responsibility and recovery. what can we do to make sure that bad day doesn't become a catastrophic one. how do we put the risk in a box and ensure that we have a short outage as opposed to something more catastrophic. >> scott, i don't want to belabor this point, but if everything is critical, if we
6:46 pm
have 16 designated critical infrastructures, does that mean nothing is critical? how do we get to the point where we rack and stack, prioritize? the energy and electric, it is the most critical because without the lights we would not be able to be here today. so how do we start thinking about that? >> i think people are. there genuinely are different terms of art. life line sectors. strategically valuable -- strategic infrastructure sectors, the national infrastructure advisory council knocked it down to five. electricity, not energy broadly. electricity. transportation, water, finance, communications. and i think there's a lot of wisdom in that recommendation. i will say the three sectors -- there is not a knock on the others, but that have probably become the most mature because they have been the subject of attacks for so long, are going to be electric, finance and communications. and i can say, just because of
6:47 pm
counterparts that i have in each of those sectors, those partnerships are developing at a really rapid rate, to the benefit of the security of each of the sectors. >> so looking at interdpenency as well. >> sure. >> looking at it from a private sector perspective. you have to provide wholistic responses. where do you see things playing out today, and where do you see your greatest focus being in terms of making sure you are meeting your clients' needs? >> from a personal perspective i have been fortunate to be in the private and public sector side. what i would say is the real issue is in the mid-market. the mid-sized companies on down need help. they don't have the resources nor the assets. my company is privileged to work for the department of homeland security to monitor and do vulnerability scanning of critical assets for mid to small
6:48 pm
sized companies. small banks, county governments and so on. what we typically find is that my guys, within four hours, they're in the door and owning the keys to the kingdom. you hear the soft underbelly concept, but it's the truth, which is, if you were to take a look at where the most risk is that exists out there, the big companies have the assets, they have the resources, they have the funding, and by and large, from what i have seen, i know eight of the top ten banks work effectively with the government, with the intel sector, with the department of defense, dhs. there is always that issue with classified information, wanting to be brought over to the private sector and there are the issues with scrubbing and so on, but the real issue, from what i see as relates to public-private is that the public sector is trying to keep up with monitoring the security and risk associated with the mid-tier companies out there and they can't keep up. and so the program that we have is we work on behalf of dhs and we are not able to go after the list of all the banks and energy
6:49 pm
companies that need our help to scan because we have to wait for some dhs supervision to support us to go out in the field. and so what i have always thought was, if you look at the overall risk where the public sector, i think, can assist the private sector is in the mid-tier. instead of just assuming that one individual from the government with supervise say contractors in the private sector to take care of their own, there needs to be some type of deputyizization. there are not enough folks with the amount of talent needed in dhs to do the job of keeping watch over those companies. if it's the national guard leveraging assets already in the field, i think it would do a great service to this country in that, if you take a look at who you're going to attack, it doesn't take much to figure out you go after the easy ones that are plugged into the big ones, and before you know it we've got a much bigger problem. >> and we've seen incident after
6:50 pm
incident after incident highlighting precisely that concern. including even, if i were to rack and stack the critical frur infrastructures, i would say finance and banking are at lot of moneys. the bank of americas, the citsi, the morguens, they have the resources but not everybody banks there. the community banks that own a lot of assets, the brokerage houses that manage millions of dollars on a daily basis have no infrastructure in place or no support to do anything. mi while they worry about the audits, they're not adequately protected. the program dhs has today is helpful, but i'll tell you, there's a lot more folks that need help that's a resource issue, getting the cavalry out there to support it. if you u were to ask me, the one point i was hoping to make today is from a public/private perspecti perspective, the big teams, d.o.d., dhs at a high level, the energy secotor, they do as gooda
6:51 pm
job the as you peexpect. there isn't a problem picking up the phone and calling their counterpart on the other side. the mid-market, there's a very vulnerable exposure in this country. whether it's dhs, the national guard, there needs to be a stepped up effort to support them and they're begging for it. >> i might note even the most critical of our sectors, s.w.i.t. allegedly had its credentials compromised. >> sure. >> it's getting down to the supply chain third-party vendors as we know with target and many others. >> of course. s.w.i.f.t. is as secure ahs the come. >> underground. >> it's a hard target to get but they got it. the end of the day, the mantra is if they want you, they'll get you. at the end of the day, it wasn't a technology issue. it was someone making a phone call that didn't get received
6:52 pm
and went ahead without an approval that caused that mess. >> i want to pick up on that, but kiersten -- >> wean we're lohen we're looki security and initiatives we often think large companies and where the resources are. is to look at the small and the medium and the large businesses because when you talk about supply chain and just in general where critical infrastructure resides, it doesn't always reside at the largest level. if you're a small water company in the middle of the country, you are critically and arguably more critical than a lot of the big companies at that point which is another reason we were having a conversation earlier why the national forward is this tremendous resource with the citizen soldier to look at how it bridges the day job with the government and we have this access point here around education, awareness and knowledge that we could probably be -- we certainly could be utilizing a lot more effectively when we're talking about where our cyber efforts are going to
6:53 pm
be both in the public and the private sector. >> i just want -- go ahead, scott. >> i was just going to add the other thing, too, is not only private sector, but on the public sector we see quite a bit on the small agencies and departments that need help as well. whether it's fed around -- the term of the day -- the national security model is common in the private sector. instead of hiring staff, i'll outsource security. five years ago it was a bad word to do. nowadays much more receptive to doing it. while there may be mid-sized companies in the private seconder that could use the help, at the minimum do an assessment to tell them what their problems are. the private sector there's a need for the faller smaller age and departments to consider looking at the private sector to help manage security. clearly you have to have certifying processing body to ensure whoever this managed
6:54 pm
security service provider is can ensure they meet the standards necessary to support the government but i think it's something that the feds ought to consider in that the big -- again, the big folks have what they need. the smaller folks are tries to do what they can. i think the private sector might be helpful in that regard as well. >> reynold, you wanted to pick up. i'm not sure the big phoenfolks >> i was trying to be nice. >> all your points, there's another level we're just missing and it goes back i think to my opening comment about really what is cyber? cyber is whatever you see it as -- you know, when you think about the elephant, everybody has a different view of what the elephant is, right, to describe it. there's another segment out there, maybe many of you in the audience are just like me who lost your data from opm breach. right? so cyber to the individual at home on their computer working on their bank information got hacked or their private e-mails
6:55 pm
got hacked. i mean, it's an issue for them as well and that's why when we think about this cyber defense or active cyber defense, it has to be a partnership. and it has to be a whole of government approach and it has to involve the private sector because we're all in this together. and we're all facing the same things and that's, again, we take it back to the guard. we have airmen and we have soldiers who in their day jobs do cyber for a living. and then when they go for their drill weekends, they put a uniform on, we think that they're pretty uniquely qualified to partner in that state status sto support the governors, support d.o.d., army cyber, air cyber in the mission but it is a huge whole of government, public/private partnership but down to the individuals sitting at their computer at home who's online banking or using a smart appliance that all of a sudden starts talking to you on their
6:56 pm
cell phone when you walk into their house. >> reynold, i want to touch a little bit on the threat, no all hacks are the same, not all hackers are the same, not all intentions are the same, not all capabilities are the same. it comes in various shaped sizes and forms. in terms of understanding threat actors, how would this group prioritize and rack and stack where we ought to be thinking about from a capability standpoint and also from a likelihood standpoint? then a little bit on the ttps, tactics, techniques, procedures. we speak to be chasing ransomware, ddots. issues seem to come into flavor and out f flof flavor. the threat actors and ttps they're engaged in, how would
6:57 pm
they rack and stack that. >> one interesting characteristic of most of the major cyber security breaches from opm on down over the last several years is those adversaries have exploited known vulnerabilities and common ttps in order to actually breach the organization or degrade data. even ransomware, the way ransomware is infecting host computers is through the same kind of vectors we've been seeing malware deploy for years. so at dhs, we're actually taking a generally threat actor agnostic approach because what we've seen is even our most sophisticated adversaries are breaking in using common, using operating systems, exploiting users who click on spearfishing e-mails, exploiting unauthorized privileges for privileged users. so at dhs what we're trying to evangelize is if organizations deal with the basic blocking and
6:58 pm
tackling of cyber security, that's going to force our sophisticated ard ver sars to invest in more complicated attacks and if we can devote our cyber security human capital to combatting those sophisticated attacks and deal with the rest by doing basic cyber security hygiene, that will put us in a much better place. >> eric, i want to pull on that because i think you're spot on. i mean, at the end of the day, at the time of a breach, in most cases you don't have the attrition or the smoking keyboard we're all looking for so you don't know who's behind that clickity-clack, dealing with a nation state, a criminal or disgruntled employee or someone with an ax to grind of some sort of another. if we can get to the point of limited resources the government has to a high end threat spectrum, everything else below that of the private sector, we can probably calibrate our efforts a little better.
6:59 pm
>> that is certainly the direction we're trying ing tin. first of all, certainly with the private sector, we have been and will continue focusing on the critical infrastructure that could lead to either physical manifestations or significant degradation of national security or national economy. certainly we are trying to segregate those asset systems that could lead to the most deleterious effect but of course as scott noted the inherent interconnection and interdependencies across sectors and within sectors make that very challenging so we now need to go really to the subasset and subsystem level and actually understand what are the vulnerabilities internal to our critical infrastructure that could lead to these effects? within government, we're taking really a new approach to how we prioritize our cyber security inter interventions. in the past we've taken agency by agency approach and treated each agency relatively equally.
7:00 pm
we're transitioning to a new approach as promulgated by the president's national security action plan. we're focusing on the highest validate to sets, system, assets within government if degraded the opm databases, of course, being one example, if degraded would lead to especially severe consequences. we're doing this because as scott noted kpre ed correctly, any given organization is inherently finite so we have to focus on the most significant consequences first. in so doing, we'll reduce the likelihood of those most significant or catastrophic events from happening. >> scott, and kiersten, i'll pull you in in a second. scott, this gets to many conversations we've had in the past in terms of actor consequence impact. let's use this also as an opportunity to enlighten some folks on some of the less


info Stream Only

Uploaded by TV Archive on