Skip to main content

tv   NGA Holds 2017 Winter Meeting in Washington D.C.  CSPAN  March 3, 2017 4:08pm-5:25pm EST

4:08 pm
discovery. this telescope was the largest of its kind in the world. >> watch cspan's tour of san jose, california saturday at 12:00 eastern and sunday afternoon at 2:00 p.m. on cspan 3. more now from the recent national governors association winter meeting with a session on cyber security challenges for states. nga chair virginia governor has made cyber security his top initiative. this is an 1:15.
4:09 pm
good afternoon, everybody. i want to welcome you to our cyber security summit that we're having. my initiative as chair, meet the threat to deal with a serious cyber security issues we have. i'm really excited -- i'm always excited, but i'm really excited today to host this conversation and highlight all the great work that the nga has been doing, but before i do that i do want to mention a resolution that we have that we talked about at lunch today with all the governors. we have a resolution in honoring the memory of justice stevens. justice stevens as you know served the national governors association as the legislative director for the nga public safety and homeland security committee. he worked with me. he was also the point person for us on the council of governors. those are the five democrats and republicans appointed by the
4:10 pm
president to work with the intelligence and defense agency and he did a magnificent job. even during his very difficult times with his illness, he remained positive and continued to respond to the needs of all of the governors. he was a national voice and expert for our governors on issues ranging from cyber security to veterans to disaster relief. we cannot thank justin and his family enough for allowing us to be a small part of his life. he was an incredibly young man and the contributions he made will never be forgotten by the folks at nga. we expressed our condolences to his family and we honor his memory at this point. i would ask if we could have a moment of silence for justin. thank you. as you know, this past july i kicked off my initiative meet the threat, states confront the cyber security challenge to provide states the resources that they need to enhance cyber
4:11 pm
security. for too long cyber security has required technical initiatives. cyber security is critical to each and every governor. as you know governors in our nation have more data than the federal government. when you think of all the data we have through our state tax returns and medicaid and health care programs that we provide, the department of motor vehicles, we have a wealth of information that every single day people are trying to get in and get our information through cyber threats and cyber crimi l criminals. in the commonwealth of virginia we had 86 million cyber attacks. just recently a foreign actor attempted to get my personal e-mail from my state. this goes on every day. as a state with the largest
4:12 pm
naval base in the world, the pentagon and cia, we have a responsibility to make sure that we are leaning in to provide that front line defense to not allow anyone get into our system and take our valuable data. as i said in july, if virginia is in great shape with cyber security, it is meaningless if some other state doesn't do anything about cyber security. we have the same health care provider. they will use that smaller state and go through that health care provider to get a back door into the commonwealth of virginia. so our initiative and governor snyder and i have worked hard on it, we will make sure that all 50 states meet the basic protocols to make sure we have the basic levels of support so we are all protecting one another and one another's data. it's critical to protect our critical infrastructure, electrical grids, water system, they're trying to attack our 911
4:13 pm
dispatch centers. also for our businesses, it's kba important that we send a message to companies as we recruit them to our states that they know we are doing everything we can to help provide the protections for their own data. in addition, as i've talked about a lot, this is a tremendous source of economic opportunity. the jobs of the 21st century, number one is going to be cyber security. the commonwealth of virginia today, we have 582 cyber companies. right now today in the commonwealth of virginia i have 36,000 cyber jobs open. i would say to all the young parents here with us today, you're all too young, there used to be a movie called "the graduate" and the key phrase was what? plastics. i would say -- see, you're too
4:14 pm
young. but cyber is the key and as i say for parents the starting pay in virginia is $88,000 for these 36,000 jobs. as the governor of the commonwealth of virginia i'm forfeiting about $3.5 billion of state tax wages. that's why we have transformed our education system to do what we have needed to do, but these jobs are not going away and they're going to continue to grow. what we have done at the nga -- and i want to thank tim and jeff who have done a magnificent job. you run our cyber center at the nga. [ applause ] >> they are the governor's cyber warriors and they have done a great job to make sure we are protecting all of the assets. since the launch of our initiative in iowa, the nga has held several events around the country and provided resources to our governors.
4:15 pm
we have held roundtables throughout the united states of america on health care issues and what they need to do on health care and workforce development and infrastructure. we have brought in cyber experts, businesses both large and small. these discussions have kturned into memos. in october we held our first regional summit in boston. it was sold out within four hours. we had 26 states come. every state was allowed to bring four people. it was a great working session. we will have our final one for the other remaining 24 states that will be coming up in california in march. so we now have the cyber center set up. we'd ask that the governors continue to work with it. we have in front of every governor will be given a card. you will see that card. nobody else has seen your card.
4:16 pm
that is for you. that is we've gone through your state and you have different color codes to determine how your state is doing on cyber security. i will tell you even as chair, i have not shown your card. two governors are showing their cards over there. that is your choice if colorado wants to share with rhode island. it's important that you look at this checklist because we went out in july and said let's us put our checklist together. you see they are color coded. i will show my card up. i have obviously red, yellow and green. not to brag, but the commonwealth of virginia all green governor. these metrics are for you to use. if you have red and yellow, you
4:17 pm
need to do something about it. if you have red, you need to get in the game and do it and that's what our cyber team is here to work with you on as we continue to do it. by the time we finish up next july, we need to make sure everybody has those basic protocols and we have filled out and done the checklists that we need to take it to the next level. in front of you there is a slide. states are doing very well in some areas and not so well in others. the states are placing a tremendous emphasis on establishing the governing bodies to identify and implement policies, mandating cyber security training for state employees and have established a solid foundation for cyber crime investigations. on slide two, on the other hand there are some areas that states can improve on. governors need to ensure that their critical infrastructures are assessed and identified. you need to make sure that you are receiving timely and useful
4:18 pm
information on a consistent basis to make informed policy decisions and to ensure yourself that your state is doing the basics that are needed to align your state with the cyber security framework. it is imperative you have a strategic plan that outlines your state's vision for the next three to five years and a response plan based on your own individual risk assessments. implementing these four basic practices will help guide ou yon the path to securing your state from cyber attackers and we stand ready to assist you with your needs. now, i would like to turn it over to the great governor of the great state of arkansas, governor hutchison who is chair of the homeland security and public safety committee, the greatest chair ever of the homeland security and public safety commission. he succeeded me. that is a great compliment.
4:19 pm
thank you for your tremendous leadership. ladies and gentlemen, governor hit hutchison. >> thank you. great leadership on your part and he advised me since he had a perfect score that he will be grading on a curve all the states and that is good news for us. really a perfect example of leadership in a critical area that we all face and i just wanted to emphasize a couple of points based upon my experience as a governor, but also going back to my time frame as under secretary of homeland security when we looked at threats from a variety of arena and just in the last two weeks obviously we have the tens of thousands of attacks that commonly come with the state databases, but we had a specific denial of service attack that was effective in terms of shutting down our state
4:20 pm
website for a period of time. that happened within the last two weeks. it was quickly up. there was not any damage done and not any less of data, but then we had a small agency that did have a loss of data based upon an attack. there was not any personal identifiable information for any citizens on there so it was not a loss that cost, but that leads me to the concern that we should have in terms of governors, one is the potential loss and cost to the state. if you're in the private sector, you talk about it in terms of liability, but the data notification requirements for loss of citizens' data does apply to the states and most jurisdictions and it would to us and it would be a significant cost if we had a loss of consumer information based upon a cyber attack. so we have to concentrate on
4:21 pm
that side of it. in arkansas we have done our cyber security risk assessment that was just conducted by an outside group that made recommendations. we're going through an effort in data center consolidation, enterprise architecture that we unify under one agency our department of information services, setting up a cyber security office. we're making these steps, but i just -- i see some of my good friends with the southern states energy board and the oil and gas compact commission that we met with and one of the points of conversation was the protection of our energy grid. all of that is based upon the private sector and their protection of their networks from cyber attacks. but there is significant worry on the governor's part if the energy grid goes down because that impacts our response, our
4:22 pm
cost to the state. so there is a regulatory challenge to us to make sure that our private sector that is regulated that they are investing as they need in cyber security and protection as well. so i just raise that as an interesting point because of the liability and risk potential to the state not just for our own systems, but also the private sector and should be a nonregulatory environment. we should certainly encourage them to protect their own data as they are motivated to do. i just want to make those introductory comments. i wanted to recognize the vice chair of the homeland security and public safety committee, governor brown, who is doing an outstanding job in partnership with us. governor brown. >> thank you very much. it's truly an honor and delight to work with you and thank you for your extraordinary
4:23 pm
leadership on these issues. i was secretary of state before becoming governor and while i was secretary of state i received the news unfortunately that our state campaign finance and our business registry web sites had been hacked and -- thank you. my mother always tells me they can hear me without the microphone. the state campaign finance and business registries were hacked. the web sites were new and they were developed to make reporting easier and accessing services for small businesses much more accessible. we were able to react immediately, shut the web sites down and began a full investigation with law enforcement. in the end, we were able to rebuild our programs. we built stronger walls and made the system stronger, but not without a lot of expense to taxpayers and a lot of time and energy from state employees. since that cyber attack in 2014,
4:24 pm
my state has taken a number of steps to address system defishsies and increase our i.t. security posture. i initiated an audit that uncovered numerous structural security gaps and then as governor i issued an executive order to unify responsibility and upgrade capabilities. this legislative session, which we're currently in, i'm supporting legislation to establish a cyber security center of excellence. it will develop a state-wide cyber security strategy, share information between the public and the private sectors, coordinate incidents response, identify best practices and encourage development of a cyber security workforce. governor, we're excited about getting some of those good paying jobs that you go the in virginia to oregon as well. i think we can do this by
4:25 pm
bringing together companies in oregon like intel and hue let packard and oregon state university to do more than just upgrade our state systems. i believe that we have to build tools that the public can put their confidence in, even when doing something as simple as buying a fishing license and we like to buy fishing licenses in oregon. we've been fortunate to be one of the five states selected to participate in the policy academy on enhancing state cyber security. the academy has been a great benefit to my team on the ground and i certainly look forward to sharing lesson addres learned w colleagues and the states. thanks so much for the opportunity to participate. i look forward to hearing the rest of the conversation. >> thank you, governor. to help kick things off today we've assembled quite a panel. we're joined by the former assistant attorney general for
4:26 pm
the united states. john will be providing us an overview of the national security context around cyber security. john, the floor is yours, sir. >> thank you, governor. so i thought i'd start with imagine this. you get home from this conference and you're briefed that somewhere in your state there's been a breach. there's been a breachunsophisti. it looks like a low-level hacker. your i.t. folks say this is no big deal. it was an obscure part of our system and all they stole was around 500 names and addresses. small loss. and they say we got it. don't worry. the system is back. it's one of 1,000 things that you're briefed on on the day. it probably wouldn't reach you as governor. it would be someone else in your state getting this news. several weeks later they go back
4:27 pm
to that someone five rungs down from you in your state and they say we got a request through gmail and a request from this guy says they're going to release the fact they took this information to embarrass us and they want us to pay them $500 as a form of -- we call it ransomware. they say i don't think this guy can do anything, it's a small amount, we're going to handle it or they're going to pay them $500. this is a real case that happened to a trusted retail company with a trusted brand and in that case what they did was work with the federal government and what they found out was it wasn't what it looked like. yes, it was a low-level crook who did want to make $500, but that crook was an extremist who had moved from kosovo to
4:28 pm
malaysia and was in a co-conspiracy to hack into this company and this extremist was in touch with one of the most notorious cyber terrorists at the time, a british citizen who had moved from london to syria where he was located in the heart of the islamic state. what he was doing with those stolen names and addresses wasn't to make a buck. what he was doing was kuling through them to see do any of look like they work in government. if they do, i'm going to put them on a list, a kill list, and then using this new method of crowd sourcing terrorism that we've seen in the islamic state adopt that result in us bringing more terrorism cases when i was head of the division that we've ever brought before in our history by using our social media to propagandaize and
4:29 pm
recruit young people, they took that kill list based after this company's information and pushed it back to the united states through twitter that said kill these people by name where they live. that's the current state of the cyber threat. it was the first case we brought that involved bringing charges of both terrorism and criminal charges. we were able to take effective action, but it wasn't easy. the reason we were able to take effective action was because the victim in that case worked quickly and efficiently to share the information. so what type of action was taken? first, that individual and his name is fareze, in malaysia was arrested pursuant to u.s. charges and thanks to corporation from the malaysians that had been obtained through the state department he was arrested on those charges and brought to virginia where --
4:30 pm
testing. this just goes to show the russians can reach us even here. >> i knew that was coming. >> we'll get to that threat. so he was arrested, convicted and pled guilt and is serving 20 years. hussein, who was in ungoverned space in syria that was outside the reach of law enforcement was killed in a publicly acknowledged military strike by central command. think about that threat. it's crossing five different countries. it's reaching into the states where you have the responsibility, even though much of it is occurring outside of your boarders. at the end of the day, the person responsible if something goes wrong will be you, no matter who else was involved in that occurring, no matter where else in the world that it came from, if it's your state and your system they're going to say the governor was responsible.
4:31 pm
the fact is the one thing we all agree on and you'll hear across the panel today and i'll go through a couple of cases that will show you where is we're not where we need to be. there is no internet connected system that is safe from a dedicated nation state add add va sear. there's no technology that builds that wall that's high enough or deep enough to keep them out. what have we seen? you've seen in the federal government a change in approach. when i was prosecuting these cases criminally there was a squad i worked with on the criminal side and there was another squad at the fbi who worked on the intelligence side. the whole time i was working those cases, i went on one side of that door, and it's not like i was banging to get in, oo e
4:32 pm
4:33 pm
eye -- this was on a scale we hadn't seen. this was prosecutors who were getting access for the first ti time. there are folks that should be sharing that information as appropriate with state authorities. that change and approach led to the first indictment of its kind. what they were doing was they weren't stealing state secrets. they were stealing things like a company was about to do a joint venture with a china company, you would watch the members of the army go into those u.s.
4:34 pm
based companies and steal the technical design specifications for the pipe. or to use another example, a solar company. they went in and stole the pricing information and they then price dumped their product to force the solar company out of business and when the company sued they stole the litigation strategy. so people ask why did you bring this case in the criminal system and that's why. it's theft. what we show, there's an attachment in that case, is that activity started at 9:00 a.m. beijing time. it went from 9:00 to 12:00. it decreased from 12:00 to 1:00 and it went up again from 1:00 to 6:00. they were working eight hour days. getting up in the morning and putting on that uniform and stealing from u.s. companies. so the idea of this is if we're going to change the behavior,
4:35 pm
the norms, we have to bring deterd deterren deterrence. if you let someone walk across your lawn long enough, they get an easement, the right to walk across your lawn. this was a giant no trespassing sign get off our lawn. it's the law of customary law. this was not acceptable. fast forward to the north korean attacks on so ny. what will it look like if a rouge nation attack the united states through cyber means? not once did we get it right. those in the national security committee had to see the movie over christmas for which i blame north korea, it's because that was the triggering event.
4:36 pm
we took it seriously as a national security event because it was attacking our values and the right to speak freely. we couldn't have responded to it without the immediate corporation of the victim who passed information quickly and had the infrastructure in place to do it. that's what allowed the naming of north korea in 28 days. as governors you would have the same concern that that company did, which is until we named north korea all of the media reporting was about what did sony did wrong. it was all blame the victim reporting. as soon as we were able to say who did it, the narrative changed to say you in federal government, what are you doing to protect us against north korea attacking one of our companies? that changed the conversation. that was helpful for the business of sony. it p be helpful for businesses in your state and to you. from there you saw us put an
4:37 pm
executive order on the books that allows the sanctioning of those who commit bad actions against your state through cyber means. we had that with terrorists and those who proliferate weapons of mass destruction, but we didn't use to have that tool available. in some ways we were lucky it was north korea because they had so many other bad things that we had a legal tool to sanction them. until april of that year we didn't have one when it came to cyber actors. you've seen us apply this approach to figure out who did it and make it public and impose a consequence against the iranian affiliated actors who attacked 46 financial institutions effecting hundreds of thousands of customers and we made public that they hacked into the critical infrastructure of the bowman dam in new york. what they were able to do, they got into the control systems of the dam and they were able to lift up the slus control systems
4:38 pm
so they could have caused flooding if they desired. that dam was down for maintenance at that time so it wouldn't have worked as intended, but i hope you won't let your bridges and dams crumble as the cyber defense should should be keep beiing them out. there were four main actors that were talked about as national security threats outside of the terrorist groups who have the intent to cause cyber harm. you saw that back in 2012 declared on behalf of al qaeda, he called on jihadists across the world cause as much damage as you can against western institutions in the name of terror. they have the intent, but not the capability. the four major players with the capability were iran, north korea and china. you saw us take public action against all three heading into the summer before this election. you have seen us take action against all four in terms of the
4:39 pm
russian attempts to undermine confidence in the integrity of our electoral system. what you've seen, though, in many of these instances is that the harm wasn't necessarily directly against the critical infrastructure. it wasn't necessarily the most sophisticated attack. what does everyone remember about sony? what they remember is the stolen e-mails. what do people remember about the election? it was stolen e-mails from a server not connected directly to one of the campaigns along with other activity. these are vulnerable spots that will be there somewhere in your state's system and as we get more sophisticated and as we're thinking about resillance and plans we need to start assuming they can get in because they can. and then figuring out in terms of your corporate governance, if
4:40 pm
they get in what will they do that will cause the most harm and what do we value the most and how quickly can we get back up and running to the citizens of your states that matters to them most. what we've found is that we're just at the beginning of this conversation where people are really treating it like the risk that it is. if you think about it, and i'll stop here, but over a relatively short period from 20 to 25 years, we've put everything that we value and moved it from analog space to digital space and connected through the internet and we do so systematically across the board making those decisions without thinking through what the risks were. so now as a country and much of the world is playing catch up knowing the ability to cause harm outweighs our ability to protect ourselves. we're at a critical moment right now baecause we're in the midst
4:41 pm
of another transformation. it's the internet of things. it's already begun. whether it's pace makers in our hearts that are internet connected so a 12-year-old could hack and kill, to drones in the skies. they were -- it's not because there were bad people designing them, they were designing them to see whether they worked, but they weren't focusing on if would they work if a bad person was trying to take advantage of vulnerabilities. we've seen the recall of 1.4 million cars from the road because it was shown you can hack into them and turn off the steering system because you could get in through an internet connected entertainment system. by 2020 70% of cars on the road are going to be internet connected vehicles. essentially computers on wheels. so whether it's pace makers in our hearts, drones in the skies,
4:42 pm
or the cars on the street, we're in the midst of a massive transformation, much will be good towards the internet of things, but we can't make the mistake of not building in security by design on the front end. >> let's hear it for john. [ applause ] >> thank you, john. i thought i was excited about cyber security. let me turn it over to adam to kick things off. adam is with the university of southern california and he heads up their communications leadership policy institute and in that capacity, adam directs the center's emergency response initiative. >> thank you, governor. we have two distinguished panelists this year. you have their full bios in front of you.
4:43 pm
we have a highly respected engineer who did invent the internet. now he's at google where he as a unique title in corporate america. he's the vice president and chief internet evangelist. >> thank you very much to have me hear today. it's a privilege to be with such an honored group. i worked with john in the fbi and, yes, he's that passionate about cyber security and everything else that he does. vince and i talked briefly and we decided i would set up where we are right now in the states, what the governors challenges are and vince would talk about solutions. if there's one thing i've learned working in cyber if the father of the internet suggests that, you say that sounds like a great idea. where are we right now? when we look at governors and as
4:44 pm
john just talked about the threats that we're facing, they seem insurmountable, but we have to break them down and how can we deal with the technology that we have that connects us that our constituencies want from us in order to canaccess our information as fast as possible and at the same time balancing the risks that come with that. as governors you face a very unique challenge. john alluded to it as did the governors in that you not only have to we'orry about protectin information technology, data, you also have to worry about protecting operational technology. that's the controls that run our critical infrastructure. you have a bigger challenge than some ceos of the largest corporations in the world do that may only have to protect -- and i put only in quotes -- the information technology. you have both of those challenges as you're dealing with the cyber risk within your
4:45 pm
states. so one of the things that we did is along with the national association of cios did a survey and 49 states and territories responded to the survey. so where are we right now? the first thing is as governor hutchison said, the good news is that across the states gove governance in cyber security is in place. it's part of the fabric of states. it's discussed frequently. one-third of you are getting monthly cyber briefings. that is a very important statistic to look at because as we increase those communicati communications, we can start to come up with what is -- what are the risks and how do i prioritize them because i can't
4:46 pm
deal with all of them at the same time. the second thing that we see right now is there is a confidence gap between the governors and the cios. what the survey found is 66% of the governors, elected officials and appointed officials feel confident that their state is poised to deal with external threats. only 22% of your cios believe that. the important thing about that is we've also seen in those states where the governors have made cyber risk a strategy, they are involved in reviewing the progress towards that strategy. that communication gap, that confidence gap, closes. so it's something to take away with when you're talking about cyber risk in your state, what's that conversation that you have with the cis or the appropriately titled person in
4:47 pm
your state. how frequently are you looking at reviewing that strategy and those briefings that you're getting? right now also when we look at it, the conversation is about what is coming next. what i'm going to set up is two key points and vince is going to continue to talk about those. the two things that we see that are extremely important to you as governors of our 50 states and territories is resillancesy and access management. so what do we mean by that? john gave us a couple of examples of resilientsy, but you are going to hear more conversations about the cyber risk and the good thing about this topic is states are already used to being resilient. so resillansy is how quickly can i identify the problem and mitigate it and recover. if you think about that from your position at a governor, you do that with natural disasters and terrorist attacks and with a
4:48 pm
train derailment. you are used to responding. you have tools and skill sets within your state government that do this on a daily basis. the same thing with cyber. whether it's the private sector, state or federal, those that can identify the problem as quick as possible can mitigate it and recover from it will do better in the marketplace, if you're a private sector, will do better with our constituency if we're in the state government. very very important. as governor hutchison said in the beginning is what is our response plan? have we practiced that response plan? you're going to hear we have a response plan. we've practiced it. where it's been practiced is on the technical side of the house. the technical folks have practiced that. cyber risk is a business risk. so you need to do those simulations or from my days in
4:49 pm
the fbi, we would call it war kb gaming, working with our military brothers and sisters, of simulating who is going to respond. what are the roles and responsibilities? just like you do with a natural disaster or a man made disaster, you know the roles and responsibilities. here is the difference between a natural disaster and a cyber incident. we mean when we talk about cyber incidents, something we talked about up here beforehand is we're talking about a breach. we're talking about someone getting into your system, as opposed to something we call cyber fraud, which is when someone uses the internet to commit fraud. by the way, vince, i met you yesterday at the panel. you seem like a great guy. do you think you could send me a couple of hundred dollars for my trip next week. that's cyber fraud. that's when someone uses the computer to commit fraud. what we're talking about is those cyber incidents that have an impact on your operations as
4:50 pm
a state, whether it's information, disruption of service or corruption of data. when those occur, the differences between service, or corruption of data. so when those occur, the differences between those types of events and the things that you're used to dealing with as crises as governors is speed. they happen faster than anything you've ever dealt with before. the second thing is, there will be incomplete and inaccurate information coming to you. and the reason for that is, it takes a while to figure out what this technical issue is. is it nefarious? where has it occurred? what is it affecting? and you're still going to be required to make those business decisions, do those press conferences. so the more that you can prepare and practice those types of business decisions, or even simply discuss those types of business decisions, before a cyber incident, is something that we're seeing becoming more
4:51 pm
and more effective when we deal with cyber risk. and the other thing is, is that when the two things i said was resiliency and access management, and i'll turn this over to vince. here's the thing about access management. you should only have access to what you should have access to. sounds really simple. i made a joke to vince before this panel that, you know, since he invented the internet, does he have access to everything at google? he said, no. he has access to only that which he can gain access to -- that he is allowed to have access to inside google. how is that done? i have some type of encryption key, i have some type of token that i can say this is me coming in from this place. in the states, we can't implement that across the board or give that to all of our citizens. so we need to think about how can i a authenticate you are who
4:52 pm
you are from my state and you're not coming in from somewhere else, whether you're a nation state actor or criminal actor as john said. that's pretty much where we are right now. we have the governance across all states which is a good sign. we have a look at the topics of the resiliency, now it's about the impact and access managem t management. so vince, tell us how to solve it all. >> wow. that's a tough act to follow. mary's summary is wonderful. does anybody have a change of underwear? [ laughter ] let me start out by thanking everyone for allowing me to participate today. this is a topic of real concern to a lot of us, including me. let me start out by making a simple observation. the root of all of this problem, it's the software, stupid. that's the root of the problems.
4:53 pm
we don't know how to write software that doesn't have bugs. we've been trying for 70 years since computers have been available. and we've not succeeded in figuring out or in building tools that keep us from making stupid mistakes. those mistakes get exploited. to make matters worse, the buggy software doesn't even get updated even when we know there's a problem. sometimes the updates don't get to where they need to be. so this is a very pernicious problem. it's a very hard one to solve. a a former academic, one of the things that i would urge is that pursuit of better tools for writing software. we want the software programmers to detect when they're making bad mistakes. for example, referencing a variable which has never been
4:54 pm
set, which gets you a random number, which you then do a computation on and branch off in some cyberspace where you don't belong. there are all kinds of cases like that. what i want is a piece of software that is sort of the -- this is a metaphor -- sitting on my shoulder here while i'm typing my code, and it says, you just did a buffer overflow. look at line 27, you screwed up. i need a piece of software to do that for me. we don't have one of those, and it's going to take some serious research to get there. by good fortune, governor mcauliffe, i've been a citizen of the state of virginia since 1976. and we have some places here that can be helpful. how about the defense advance research projects agency? how about the national science foundation? how about george mason university, the university of virginia, virginia tech? so we have some horsepower in this state that can tackle some of those problems. and by the way, i will bet that
4:55 pm
every single governor at this table has similar stories to tell. there are academic institutions, we should challenge them to work on that problem. now, if i'm going to speak in general terms about how to solve this problem, there is a generic formula for dealing with this kind of situation. first, nostrum. if you can find a technical solution that prevents the problem from happening, use it. the probably, of course, is that there are not always technical solutions to these problems. so what's the next thing you do? well, i'm going to call it post-hawk enforcement. it basically says, if we catch you doing this stuff, there will be consequences. we won't catch everybody, but at the very least we need law enforcement and the judicial system to say, if we capture you, there will be consequences. then there's the third
4:56 pm
mechanism. i'll call it moral persuasion. it's just wrong. tell people it's wrong. now, that sounds wimpy, doesn't it. but i want to remind you that the weakest force in the universe is gravity. but when you have a big mass, it's powerful. when there is social agreement that certain behaviors are unacceptable, then you have a certain amount of mass that you can use. so moral persuasion shouldn't be ignored as a potential solution to the problem. so those are the only three mechanisms that i can think of that will work. now, i have one other not so wonderful piece of news, and that is that i believe, not everyone agrees with me, but i believe that there is a kind of ir reducible inconvenience with good security. that we are going to have to ask people who are looking for
4:57 pm
protection to cooperate with us. the users, you and me, we have responsibilities just as much as the programmers, and the companies, and the institutions that use computing. we have a responsibility, too. mary already mentioned one of them. if it's available to you, two-factor authentication is powerful stuff. in 20 10, my company was attacked by what we believe was the chinese level attack. they got into some of our software. we did not like that very much. we instantly responded with several things. we encrypt all traffic across our data centers. we encrypt traffic from people's laptops to our servers. we also issued two-factor authentication factor tokens. nobody in the company can get into the company's re souss without the second factor. and even when i'm inside the
4:58 pm
company, inside the firewall, i still have to use that two-factor authentication. if i try to access a system for which i do not have authorization, the second factor inhibits me from getting there. so i'm a huge fan, we make that available to the public, but it has been very hard to get people to accept additional responsibility and inconvenience for exercising two-factor authentication. there is something else some of you may have seen, sometimes when you go to a website it will say https, that's hyper text secure mode. what happens there is an inkripgs key gets generated that's shared by your computer or your tablet or your mobile and this serving site. so there's an exchange that's invisible to you, but it has a variable that nobody else has, and that secures the communication. that's invisible when you don't
4:59 pm
see it. the problem with that it doesn't strongly authenticate you. all we know is we have an encrypted tum for the communication between the two parties. but the two parties may still not know who's talking to whom. there's another thing you can do. if you get a piece of phishing e-mail, that's spelled with a p-h, not an f, don't click on it. anytime you receive something from somebody, that you don't know, and it has an attachment or hyper link and it says click here, this is really fun, don't. if it comes from somebody that you know, but you're not sure what the conditions are, there isn't enough context in the message, this is from the ceo, this is important, it's about next year's salary and there's an attachment or hyper link, don't click on it. forward the message to the party that appears to have sent it and say, did you send this? p.s., don't click on anything. the whole point here is to
5:00 pm
expose the fact that you're getting e-mail that's fake e-mail coming from someone and let them know that they may have been compromised, that their mail system may have been compromised. those are just examples of things you can do to improve the situation. now, there's another thing which has been pointed out several times. and that is that the attacker, and the victim could be in quite different jurisdictions. it could be across state boundaries, it could be across national boundaries. which means, this is everybody's problem. it's not confined to where the attacker is, or confined to where the victim is. which means we have to have agreements about what to do when we discover that there is an attacker out of our jurisdiction. we need international agreements, and we need national level, federal agreements, interstate agreements, so we can cooperate with each other. and i don't know how to overemphasize that, because in the absence of that cooperation, this is going to be really hard.
5:01 pm
and so we may need extradition kinds of rules, and also information sharing. adam, i have a long list of questions and answers, but i have the feeling that the better thing to do would be to let other people ask the questions. so i'm going to stop there. and thank you very much for your attention. [ applause ] >> thank you, vince and mary. i'm also going to ask the governors explain what the university of southern california's initiative is about. it's not just engineering. it certainly includes engineering, but this problem is far broader. so it includes the usc school of communications, and it includes usc school of public policy, leading research into cyber policy and implications and recommendations, and last but not least, the school of
5:02 pm
business, which is bringing in corporate partners and introducing return on investment and other valuation metrics in cybersecurity. other schools, law, medicine, and even social work are also involved. our premise is that things are going wrong, we all know that. our focus is what happens next. what happens in the field of emergency response and recovery, after things have gone wrong. whether on a large scale or on a small scale. as we move in relatively few years into a world of which we have a magnitude of maybe 10 billion devices connected to the internet, things are going to go wrong in very unexpected and very startling ways. if a hurricane comes, you know there will be high winds and floods. but when internet things fail, you have no idea what's going to happen. and that's if you know what's happened. first, first responders.
5:03 pm
an emergency most people dial 911. okay. the police arrive, then what do they do? in los angeles and new york, they're very large police departments that have experts in these areas. but in medium and small jurisdictions around the united states, there are no experts. so helping to develop programs for the police departments and firefighters and other first responders who are not experts. in fact, we're looking to the states in arkansas, governor, we understand that you are starting a cybersecurity center of excellence. maybe that's a model which can be spread to other states. but every home and business in america is not only at risk of being attacked, every home and business in america is also at risk of being an unwitting enabler of cyber attacks. at our usc round table planning initiative, he never wanted to
5:04 pm
open up an e-mail that my company's been taken down by a refrigerator. he can't do that. vince said we need people in millions of homes around america who know how to respond and recover. and as he pointed out, in the home, it's the kids who almost certainly have more knowledge than the adults. at vince's suggestion, we are working on cybersecurity merit badges for girl scouts and boy scouts. people laughed when he first suggested it, then they stopped laughing. thank you. chairman mcauliffe, last night you said you were taking vince's suggestion to the next level to achieve universal cybersecurity in virginia. this is why the usc want to partner with you. in the 50 states and
5:05 pm
territories, you run the laboratories of democracy. and it will be at the state and local level where you'll be testing and experimenting with the response and recovery as you always do and it will be at the state and local level where best practices that will emerge that can be identified and replicated. so my colleagues and i look forward to working with. >> thank you very much. let's give our panel a great round of applause, if we could. [ applause ] i'd like to have a couple brief comments from the head of the national guard who is with us here today. i want to thank him. but i notice we have a lot of tags in the office, the head of our national guards all over the united states of america. if they could all stand. and let's give our tags a great round of applause. [ applause ] i think i speak for every
5:06 pm
governor, we could not do our jobs if not for our national guards. i want to thank all the tags and all the guard folks, what you do to help us be successful. >> we love that you love the guard. that is good for us. if i could just say that, you know, this cyber domain is obviously taking up a lot of bandwidth. i want to take -- is that the right word to use? i would say that thank you for starting, and this emphasis on cybersecurity, and the council yesterday with secretary kelly is a huge thing. it is our role as national guard members, is we fight wars and protect the homeland and build partnerships. those are the three fundamental things we do. in the cyber world, there is really no difference in whether it's flying airplanes or fighting in the cyber domain. what we're seeing in the pentagon and around the world is the four countries you mentioned, russia, china, iran and north korea, they want to fight us in this area where they
5:07 pm
don't have to fight our tanks and our soldiers. they want to keep doing these kinds of things and compete with us in this area. so we're going to see more of that. and you governors in the 50 states, territories and district of columbia, all have some cyber capability that's in the military. and some of those 36,000 jobs, governor mcauliffe, will be filled by men and women who have been trained in the military that admiral rogers and the services can simply not pay enough to stay and do that. it's my hope and the general's hope that we can find a way to partner and let those individual cyber warriors and experts continue to use and use their expertise across the way. but one point i want to make. i talked to admiral rogers about that, just yesterday. i think it's important that we have so many people that are sort of responsible for these things, that we have to think about this as a country, through dhs and cyber command and all of
5:08 pm
your state cybersecurity apparatuses to figure out so that as mary said down the road, when the event happens, we exactly know how it is that we're going to respond. and frankly, the military folks that you have in your national guard are really the only folks that under your authorities can work off the department of defense network and help respond in some of these cases. so this is a huge benefit for the national guard and for all your states, territories and the district. we want to partner with you and be part of the solution, sir. thank you very much. >> thank you, i appreciate that. all of the states and some of the things we've led on virginia, you've got to start our children early. you've got to start doing this k through 12. we've redesigned all our high schools in virginia. we now have computer science in the core curriculum courses now. we offer for free cyber ranges in the summer for students to come to one of our camps and spend time learning how to be a cyber warrior.
5:09 pm
we pay, especially for our veterans, if you're willing to come in, we will give you a scholarship, we'll pay for you to get your cyber degree so you can come work for the state. we have 14 centers of excellence now. i will tell every governor, i think you need to ask every one of your community college presidents, are you working toward becoming a center of excellence on cyber. if you're not, you're not going to have the training, and i would ask every one of your institutions of higher education, four-year and two-year, hopefully they're leaning in on that. i don't know if anybody has a question. >> i would let you choose who to -- how to manage this. one of the things we've been working on, on setting up this national cybersecurity center down in colorado springs is the vacuum in terms of educational capacity, to not just -- i mean, we governors are on a steep curve. we recognize that. but mayors, county
5:10 pm
commissioners, elected officials all over the country, not that they need to learn how to write code, but that they can allocate resources and have priorities. and then you cobble in with that -- again, the large companies mostly have at least a board member, if not a senior executive who is a cyber expert. but the smaller companies, and by small companies, i mean up to $50 million, even larger than that, don't have that capacity. and so what are you guys -- what's your analysis of how we can most efficiently, and the lowest cost, effect that void of education and knowledge? >> it's vince again. i can't look and talk into the microphone at the same time. this is very annoying. >> you don't ha of to be close to it. just speak close to it. watch this. you stand over here, it still
5:11 pm
projects. [ laughter ] >> all right. oh, that works, thank you very much. i hate these conversations where you're looking in the other direction. so here are a couple of observations. in addition to having a well-educated cyber work force, it occurs to me that we ought to have a cyber fire department. i want you to think about this for a minute. imagine your house is on fire, and you're standing in front of the house with a garden hose, and you realize, i need somebody with a bigger hose and more water. so what do you do? you don't call the police department, you call the fire department and they come out with a big hose. think about what they do. i want you to be careful, because this is a metaphor that has some brokenness in it. i'll get to that momentarily. the fire department comes out. and they break the roof in, they pour water in, do all kinds of damage, but they put the fire out. and we let them do that because we know that if the fire isn't
5:12 pm
put out, the rest of the neighborhood is in danger. so we accept the damage that might be done. now, here's where the analogy starts to get a little weak. let's imagine that adam is running company "a," and mary is running company "b." and there exists a cyber fire department, that's you, governor. so adam would never do this, of course, but he notices that he could call the cyber fire department and tell them that mary's company is on cyber fire. and so you come roaring out. you know, with all horns blazing. and disrupt her business for the next three days, while adam is making all kinds of money. it's clear that that isn't quite right. so we'll probably have to have a rule that says, if you want to call the cyber fire department, it should be mary that calls the fire department and not adam. so as i say, the analogy may not be very good. but we really need to invest in
5:13 pm
people who are skilled in the art of response, and also attribution. here i want to raise all kinds of red flags. it's easy in this space to pretend to be somebody else. the last thing in the world you want to do is to generate a cyber response, or response to a cyber attack against the wrong party. this could be really bad news, especially in an international setting. so think about the people that we train and pay to be part of our first responder teams. maybe we need a cyber fire department, too. so that's one thought that comes to mind. >> governor, to add to what vince just said, when we're looking at educating small to medium whether it's businesses or agencies within governments, without a doubt, what we're doing right now in the united states, and what we should be suggesting is, we need to look at the framework. to all of us and to the governors, we get it.
5:14 pm
the nis framework. truly, when companies say small to medium sized companies, when i was in the fbi, where do i start. that's why the nis framework was written. it's 42 pages long. anyone can read that, whether they're a mayor, a town official. and the thing about the nis framework is, you can self-assess. it is not the be all and end all, it is not a robust cyber assessment as governor mcauliffe said he just did in virginia. but if people were to understand just that, we start with the nis framework, i think then what they can do as executives, and what we say is ask intelligent questions. 85% of the issues that happen on the internet are about cyber hygiene. they're about changing our passwords, doing patches as vince talked about. we have state universities in the united states that a student comes in, and as a freshman gets an e-mail account and they never
5:15 pm
change their password for four years. those kinds of things i agree with you, you don't need to be a technical expert. you don't need to know a lot about this topic. but if we take the nis framework and we were to say, password discipline, patch management, when you go back to your technical folks and talk about patch management they're going to roll their yas, but what patch management is is the vulnerabilities in the software that vips was talking about, we're patching them. if your front door was not locked and you knew that, you would lock it. i think that would be someplace that we could start and then bring everybody to the same level of understanding with cybersecurity. >> thank you, mary. those are very good prescriptions. i just wanted to add one or two other points about this. so the first one has to do with better measurement of security implementation. i used to be the chairman of the
5:16 pm
visiting committee on advanced technology at nis, and i still report to chuck ramine who runs the technology lab with nis that has the cybersecurity group in it. the one thing that's missing from our tool kit is the ability to measure how well you implemented that framework. because as mary points out, it's a relatively general document. sometimes you could implement what it says and still not be secure. or you can implement what it says and don't interwork with everything else. so there's still work to be done. but even getting started is important. i'm going to scare some people with this, but i am so proud of google, because of what we do with regard to backup and resilience. once a year, for an entire week, we do a disaster response exercise. in that exercise, we shut off the primary systems and run on
5:17 pm
the backup. we're serious about backup. this is not a desktop exercise. this is live operations with the backup systems. and you have to be pretty damn brave, and pretty confident to do that. and we make ourselves do that, because that's the real test. when things go south, and they will, if your backup systems can't be trusted to run because you never really depended on them, then you don't have much. so i lay that at the feet of the people who are responsible for designing and building these systems, to show you, governors, that you have real resilient backup. >> let me move to governor mead for the last question. i remind everybody, this is between the 55 tags in their cocktail hour. so you determine how long you
5:18 pm
want to answer this. we're having a party, so i just lay that out there. >> thank you for the nice setup, mr. chairman, i appreciate that. [ laughter ] two quick questions, though. one is, you talk about the unavoidable inconvenience. i walked around state offices, and i'll see the computer monitor and below it the password. because people, you know, it's so many characters, i can't remember it, i have to write it down. so the first question, and then i'll ask the second one quickly, what about biometrics? retinal scans. is technology going to catch up with this? and question two, general, for you, are you comfortable that we have a system in place? we've seen a couple of incidents where state one was attacked in such a way, and then the next day you see state two was attacked. are we sharing information with one another from the military, law enforcement, john, to
5:19 pm
prevent, you know -- we'd hate to see 50 states in 50 days get attacked in the same way. first question, technology, is there good news on the way? >> so, there are indeed indeed examples of biometrics. some of you may have already signed up for a system called clear. you can cut into the front of the tsa line if you have a clear account. and they use two fingers to -- fingerprints to identify you. and if your picture pops up on the screen, you're in. now, this sounds pretty good, except for one problem. if somebody's able to penetrate the system and get the digital summary of your fingerprints, and then inject that information at the right place in the system, they become you. it's one thing to change your password, it's something else to change your fingerprints.
5:20 pm
that's harder. or your eye scan. so i favor a mixture of biometric and something else, the two factor authentication would be absolutely cool for me. two fingerprints and a token that generates a one-time crypto variable, for example. that's actually pretty powerful. >> i'll talk fast because i don't want to be between these tags and their beer. honestly, sir, that's a great point. to be honest with you, no, i am not confident that there's a good system that relays every cyber incident in every state with every other state. there probably should be. i'll look into it and see what we do from the national guard piece. admiral rogers may have a better answer for you tomorrow when he sees you. i can't tell you that we do. >> i agree that it's not fast enough, or on scale right now.
5:21 pm
and what will happen sometimes is the technical indicators will get shared. so that will be the bits and bytes of an intrusion. what won't get shared and won't get discussed will be how they got into your system and what they were looking for inside the system. so it might be very valuable here in wyoming that someone next door, someone's targeting their health system, and they're doing it for ransomware. and that type of color is not getting shared at scale right now. >> let's give our panel a great round of applause. [ applause ] >> they're looking forward to getting all 50 states up to where we need to be. i thank everybody for being with us today. and tags, let's go. . >> that was great. thank you.
5:22 pm
5:23 pm
♪ ♪ ♪
5:24 pm
♪ ♪ former trump presidential campaign manager, corey lewandowski, offered his insights recently into president trump's white house, what it took to get there, and how the presidential campaign operated. he was in his home state of new hampshire, and he sat down for a discussion at the new hampshire institute of politics. see his remarks saturday at 8:00 p.m. eastern on our companion network c-span. here's a preview.

16 Views

info Stream Only

Uploaded by TV Archive on