The State of Cybersecurity Conference, Georgetown University 9/20/18

(bell ringing)
– Okay, we're ready to go. So we have now a fireside chat on the new DHS National Cyber Security Risk Management Center, and I'd like to introduce Norma Krayem, who is going to do the fireside chatting.
– Thank you. Well, Bob is a little disappointed already that there is no fire, but I am very happy to be here with Bob today, and really thank you to Georgetown and Comcast and Freddie Mac and the Chamber for a wonderful conference. And Bob, I think almost everyone knows Bob. Bob Kolasky is the director of the new DHS National Risk Management Center, which was announced what, two months ago?
– End of July, 45 days ago.
– End of July, 45 days ago, that would be six hours, 32 minutes and five seconds. And Bob has worked at the Department of Homeland Security for quite some time, we have worked together on many issues, and he really is a leader on critical infrastructure and cyber security issues, and really is a wonderful leader for this new organization. Now everyone was waiting with bated breath to hear about the new National Risk Management Center, what it is, what does it do, what does it mean, and we are gonna spend some time on that. But just, I think 12 minutes ago, luckily for Bob, the White House has released its brand new cyber security strategy, and there are so many pieces of that that we're very excited to talk about today, and certainly the center's a piece of that. So Bob, why don't you tell us a little bit about that and we'll go from there.
– Yes, so as Norma said, around 4:00 the administration released the national cyber security strategy. It is the first update of a full national cyber security strategy since 2003, and it is the overarching strategic document that will guide executive branch cyber security activities. You know, I think crucially a couple things: it builds off the national security strategy and uses the same structure, so very much in the theme of, you'll hear from me, cyber security is a national security issue. Cyber means cyber offense and defense as national security component pieces. There are a number of pillars that are consistent with the national security strategy within the cyber security strategy. You know, there are things that are directly relevant where DHS really plays a leadership role, and things like protecting federal networks and taking new actions to modernize federal IT to get to networks that are easier to protect, that's something that NPPD and DHS are in a leadership role; protecting critical infrastructure, working with infrastructure owners and operators, building out increased risk management capability through public private partnerships. Thinking about critical elements of that, you're gonna hear a lot of what I reference at the work we're doing at the National Risk Management Center, and those themes are in the national cyber security strategy, so it's always helpful to have high level strategic documents then drive down to programmatic implementation, which we're doing within NPPD. And then there are other elements of the cyber security strategy that are things that I think as a community we've all recognized as important for a long time: that cyber is a combination of offense and defense, that there's a need to not just let adversaries, adversary nation states, go unabated in their activities, and we gotta figure out whatever we can do and be aggressive changing the context by which they are operating, conducting their cyber operations. There are elements of that, elements of deterrence, elements of sanctioning, elements of offense, offensive activities or the willingness to take offensive activities, that are incumbent in this strategy. And so, you know, what I think that's important. You know, that other thing that's clear as we release this cyber strategy has become increasingly clear over the last several years, as we got near peer adversaries from nation states, China, Russia, North Korea, Iran. You know, we can argue how close to near peer they are, but we got nation states that have pretty sophisticated capabilities, and we need the whole, the whole unified effort of the public and private sector, the national security apparatus, the elements of government to go after those threats, and you know, I think the cyber security strategy will help organize our activity.
– I mean, it obviously is a big deal that it's the first strategy that has come out in 15 years that is looking at a whole of government approach when we look at what offensive and defensive means for critical infrastructure. And in that time, as you've worked at DHS, and people in the audience have been working to both, I think, talk to their C suite about what cyber risk means, why systemic risk is something that needs to be managed by the whole of the organization and the business is really important. We are seeing, and all the companies in the room have been working very hard to manage their cyber risk, but we have talked about that line, if you will, between what is expected of companies to manage their risk in the above the line. And it sounds like this strategy is designed, as well as this center, to talk about what will the whole of government resources and the new Risk Management Center do to help companies work on some of that. So maybe talk a little bit between the new strategy and the center, and what are you looking for in some of your new projects?
– Sure, so you know, I think that's a good way to think about cyber risk as a whole in our strategic approach. I hope it sort of gets that the below the line stuff, that all, you know, to keep going with that analogy, that's the responsibility of an organization. We need to build capacity so that there's less below the line stuff, you know, capacity. And certainly DHS, the federal government's there to help support capacity building efforts. And so we wanna continue to elevate, do what we can to elevate the tools, the companies, let's just run with companies, that companies need to manage cyber security risk. But to your point, companies are taking those increasingly seriously, there are more tools out there, there's more, the NIST framework has helped in a lot of ways to really go out increasing the overall level of baseline capability of cyber security in a lot of different places. Yeah, the National Risk Management Center fundamentally does sit at the sort of, you know, go with the pyramid, at this sort of place where perhaps there's not incentives to go further, or the risk that belongs to a company is owned actually by somebody else, or there are other elements to the risk, so there's a cross sector element, there's a cross organizational element, there's shared things that perhaps, you know, can't be controlled by companies making their own risk management decisions, or the companies don't have the incentive to make the investments, or it's impossible to sort of do company by company investment. And there are a lot of different elements of which the government should have strategies to intercede, to, you know, what I call shared risk right now. So the center, a lot of our activities will be looking for those areas of shared risk and inspiring, catalyzing, planning activity around the public and private sector, the whole interagency, to go after some of that shared risk.
– So in the vein you talked, you have talked, the Secretary, the Vice President, at the New York summit about the tri sector, cross sector risk. That's really one area that I think people would like to hear about, and the second is really about supply chain risk. And we could probably talk about either for hours, but you know, take both briefly and talk about what you're doing there and what you may see the outcomes could be.
– So one of the pieces of feedback we got that led us to establish the National Risk Management Center, and as we established the National Risk Management Center, was the need to have focused efforts on where there were, again, sort of, I'll keep going with pockets of shared risk that are worth putting concerted, focused efforts. And two of our early priorities, based on, that are consistent with what you just asked, are working with the tri sector and working particularly with the comms and IT sector and ICT supply chain, so I'll take both of those in that order. The tri sector that you referred to, Norma, is communications, electricity, banking and finance. And over the last several years, senior folks representing big companies in those sectors have tried to push us to convene a mechanism for those three sectors to work together, because of the idea that there's shared risk: electricity, electricity depends on communications, finance, communications depends on electricity, finance, you know, that sort of thing, and that there's a need to help each other to have confidence. All three of those industries wanna have confidence that the other parts of the industry are taking this seriously, and then they wanna see areas where what they can do can help reinforce resilience across those three sectors. So they were driving, and they've been driving through a number of calls, to create a tri sector body. We are on the cusp of chartering it, and it will be, it will have representatives, it will be chartered and chaired by the Department of Energy, the Department of Homeland Security, the Department of Treasury, as well as the leadership of the three sector coordinating councils. And then we're gonna work issues together; in some ways it's as simple as that. The first three priorities that we've come together around are doing a better job of feeding sector understanding into intelligence collection requirements, and getting intelligence collection and setting up processes so that intelligence, what we know about threats, can get in the hands of those, that big companies in those three sectors, representatives of those sectors, to take action to mitigate risk. Secondly is cross sector playbooks, where there's actually sort of doing the planning of, okay, if this scenario happens, how is it going to play out? How is what I'm gonna do impact what you're gonna do, and work through that sort of stuff, and let's put it in the plan, let's exercise across the sectors. And you know, the third area is really identifying what are the most critical functional pieces within how the electricity sector operates, how the grid operates, how communications is delivered, where everyone knows each other's sort of critical nodes and they can prioritize their resilience activities around that. So that's what we're trying to do with that. It's an advancement in the critical infrastructure partnership structure that we've set up, because it's really starting to get focused on some concentrated areas, risks that transcend sectors, and working it through that way, so that's that. In terms of the ICT supply chain task force, at a basic level, and I don't wanna go sort of too monologue, this is supposed to be a discussion. At a basic level, what we're trying to do is bring the IT and comms companies together with the government, define elements of supply chain risk in terms of hardware, software, shared services, and start to break down where the component pieces exist, how to get more trust into the system, you know, to make sure we're not introducing things through foreign ownership, adversaries, you know, certain kinds of foreign ownership, adversaries, or small businesses or unknowns into a supply chain, and as we learn from each other through that, how then we get that word out to help people be better buyers. You know, within the federal government we wanna, we feel like we have a long way to go in our own supply chain to be better purchasers of software and hardware, but how can we translate that into the critical infrastructure community as well?
– Okay, so in the case of the tri sector model, that seems like a very specific and focused example where the, you know, the sectors have been working together anyways and you're helping to convene. But if, for other sectors who are in the room, what does it really mean to come to the center? And what types of resources and things do you plan to offer? Because I do think there are a lot of people in the room who have worked collaboratively with DHS over time, and they're trying to distinguish what the center will do versus what maybe other pieces, and I think whether it's other pieces at DHS or other pieces in other agencies, so talk about that.
– Yeah, so I will correct one thing from that introduction from the gentleman at the podium who called it Cyber Security Risk Management Center. It is not a cyber security risk management center, it is a risk management center. I'm here, we're at the cyber security session, we talked at the cyber security summit, but it's, the reason that distinction matters is we really wanna focus on things that present strategic risks to the national critical infrastructure. And I don't mean to correct you, that it was your fault, I just wanna make this clear that cyber is a lot of the means that that's gonna happen, the ways that strategic effect on critical infrastructure can be caused, but cyber's not the only means and…
– So you're getting that cyber and physical together.
– Yeah, and we've been very…
– Any risk?
– We've been very active on, you know, the preparation in front of Hurricane Florence, in seeing if there was anything that might've happened because of that hurricane, that's now a tropical depression, that could cause real significant critical infrastructure impacts. And so going to services that we offer, and kind of how to think of us as a center: I like to say we're a planning and analysis center, we're not an operations center. You know, most of you have been in the room of a place like the NCCIC or other things where you see pizza and TVs and liaison officers.
– You see people working very hard first, and the pizzas are only there because we've made them work for 24 hours.
– Yes. But that's not the image you should have with the National Risk Management Center. That is a place where we do planning and analysis, that we hope to have the ability to regulate projects, bring people in more regularly, and we have from outside, bring the interagency together to do workshops, to put things together, but it's not a 24/7 center around that. So it's a planning and analysis center. Service, things we do: we are one of the leaders in the federal government, if not the leader, in modeling critical infrastructure impacts of an incident happening, whether it's a hurricane bearing down on North Carolina or whether it's a cyber attack that could take out operations of these critical infrastructures, you know, things we saw last year. What would be the cascading impacts of that kind, et cetera? We think that kind of modeling is useful in the middle of an incident, but that model is also useful for planning purposes, and so that's something that certainly we wanna do. Helping prioritize critical infrastructure for a lot of different risk management decisions is something that we do within the National Risk Management Center, and we'll work with industry and interagency partners to do. And then really, I hope, putting together planning teams to go after kinda the biggest, go after a big set of challenges, of areas where we think as a country maybe we're taking on a little too much risk.
– So there's definitely a lot of opportunity in, again, cross sector, we're seeing, but they're all, there's certainly a lot of sectors right now in the economy that maybe they're used to being, managing privacy issues, or maybe they were traditionally regulated for safety and some security. We do have a lot of sectors where that cyber physical, broader risk management structure really needs some help. And when you think about the sector specific agencies, we're trying to see, we've talked about transportation, we've talked about health, you know, there are a lot of different sectors that are trying to figure out how to manage and aggregate risk. And so I know you want companies or entities to come to you with ideas. Are you working with some of the other agencies to look at whether these sectors or others? And then, well, answer that, and then I wanna talk a little bit about international issues as well.
– Sure, so you know, all this depends on working together, sharing information, actually getting to the point where you're talking about where a risk lies, vulnerabilities, concentrations of things. Does require, requires at a minimum trust and authorities. And so on the authorities side, you know, the Critical Infrastructure Partnership Advisory Council authorities have gotten us to a place where we've set pretty robust structures, coordinating councils, public private partnerships; the SSAs rely heavily on that to get most of the significant critical infrastructure owners in any one sector to the table. So that allows us to have a shared discussion on vulnerabilities and risks and potential solutions without worrying about competitive information or, you know, competitive issues, or without worrying about, you know, getting the details of what's in those discussions. And then we rely on sort of the Protected Critical Infrastructure Information authorities so that people can actually submit, businesses can submit information about their own vulnerabilities without worrying about that being FOIAble or subject to sunshine laws, or that just by acknowledging a vulnerability that you're somehow liable because you've acknowledged a vulnerability and not mitigated it. So that helps, authority wise. Trust, I mean, I think trust is something that we've worked really hard with DHS and NPPD to build over time, and it's consistency, it's seeing value in things, it's following up on what you say you're gonna do, and it's not breaking, you know, it's not breaking the commitment you make. And you know, I think generally we're at a pretty good place with the critical infrastructure community. I think, you know, with the sector specific agencies, we work regularly with them and seen what DHS has, tools that we can bring to bear to augment; a lot of sector specific agencies aren't fundamentally security agencies. So we have security tools to support their efforts and their security obligations.
– And I think that's a really important point, and maybe within the scope of the new cyber security strategy and the Risk Management Structure Center, what we want is that collaborative partnership between DHS, who understand security and cyber, with the SSA. What we're seeing sometimes in other agencies is they are wanting to build additional capacity in their own agencies on some of these issues, and I think from the private sector's perspective, we want and need a seamless approach to managing security and risk. And so as much as this strategy helps the agencies work together, that's important. And for people who aren't familiar with PCII authority, the Protected Critical Information Authority, infrastructure information, thank you, it's a great program at DHS where you can work collaboratively with them and you get the protections he talked about: federal FOIA, state and local sunshine laws, and protection against regulatory reach back. And that may be something, as you talk about this center and how people work with you, for more people to understand, because I do think people wanna work with the center, as you talk about what it means, that's important, but those authorities to help protect companies, I think people are trying to understand, because they're being besieged from governors and mayors and other people who all wanna help.
– Yeah, I mean, at a sort of bigger level, if that keeps being a limiting factor, we have to recognize those limiting factors, and you know, in the ambition that I think Secretary Nielsen has given us, let's identify those limiting factors and let's go after those limiting factors. And you know, that's not all within the remit of the Department of Homeland Security, but you know, let's have the dialogue with Congress and within the executive branch of, hey, things still are limiting our ability to collectively work together. And I don't wanna be scared of those things, I wanna say, okay, this is what we can do until we change some of the rules. And I think most business I talk to, like, I can only, you know, this is the amount of legal risk I'm willing to take in doing things that I think are smart decisions. Please help me get to a different place.
– So I think that would be the call to action. For those in the room, start making your lists, you can give them to Bob on the way out. Oh, you're welcome, I'm sure they'll appreciate that. Yes. So are there specific projects as you look ahead? And there are these very core specific things Secretary Nielsen has sort of tasked you to do, you're working your way through those, there's a lot of other things you want. What are your probably next few priorities?
– Yeah, I mean, we are aligning the work we've been doing supporting election infrastructure: secretaries of state, state election directors, making sure that our elections are secure, the actual voting process in the run up to the 2018 election, that's front of mind. I remain, we remain concerned over foreign influence over elections and propaganda and our adversaries trying to sow discord and things like that, you know. That's a strategic risk right now that, you know, we're doing some work within NPPD that we're aligned with on that. I don't wanna, I don't wanna diminish the importance of that over the next few weeks, and then going into the 2020 election. But then, sort of to the core National Risk Center business processes, the thing I'm most excited about us doing quickly is working with industry and our interagency partners to identify a set of national critical functions, which are the things that critical infrastructure produces that are absolutely essential to national security, economic security, or the functions that come through. And putting that identification together for the purpose of doing risk prioritization, and that'll get us broken out of a little bit of the sector by sector model. What are the big cross cutting functions? We've been talking about, last, position, navigation, timing services, and so many of the sectors rely on that, and it, you know, there's potential that something could happen that would degrade PNT services, a way that's too much national risk. And as we identify those and then have conversations, you know, we put in the structures to get industry and government together to talk about where our priorities should be, and then we're gonna pick a list of priorities working together, and then that will really guide sort of the 2019 part of our agenda. But what we wanna do differently, like, there's a need to be sensitive for national security reasons in some of this, but I want enough community wide discussions that you get a sense of where our priorities are, consistent with the strategic direction we've been given.
– Now having you almost, you go from the inverted funnel, I mean, you think about national critical functions, it's the basics: the lights stay on, you can get money, you have clear water, right? How do you, obviously these are things you've been working on for some time, so do you have a set list, and you're gonna be talking to people about adding to that and then prioritizing from there?
– We have an idea of what a list would look like, but really, as part of the stand up, we wanna, and we're planning a workshop in October, and I've been talking to a lot of different people, we want sort of a final set list, not a final in that it won't change, but a set list that really guides our activities, and so yeah, we're in the process of working through a set list.
– So that'll be the next conference that will roll out the list of national critical functions. No, I'm just teasing.
– But, and part of the reason for this thinking is, those of you who do work closely enough with ops centers or living close to the day to day recognize, and we certainly see it, just the pounding of things that are going on in cyberspace on a day to day basis, and you know, we get to read the intelligence of things that people might be trying to, and it's just hard to navigate all of that until you've got a, okay, these things might be going on, but these are the things that I think are the most important. And if we can align, unfortunately, what we think, if what we see is the adversaries seeming to understand the things that are most critical, that helps direct our activity. And so the prioritization isn't just for planning, but it's also to understand, you know, how to make sense of the million dots of information that, you know, that's good that we're creating those million dots of information. And going back to what the center is and what it isn't, the NCCIC exists to get every single piece of information you could possibly get, where you can help the NCCIC, you know, prioritize how that information might be then leading to a change in the risk environment.
– I'm gonna ask you one last question and maybe go to questions from the audience. What if you had, what are the top, I didn't warn Bob about this question, by the way, what are the top two things you would want every company in this room to think about and then come to talk to the center about?
– Um.
– You could pick one or five. (laughter)
– Your risk, what you're doing about your risk. Now, I mean, so to some extent, right, and I used this analogy when we were talking in preparation for that, the center wants to be a place where we're really having the conversations kind of at the chief risk officer, board level, that, so you know, of where is cyber risk existing in your systems that you think you need help managing, and where is there cyber risk that you think might be out there, or other risks that you think might be out there, that perhaps you need somebody else's help to manage. And I think it does require, you know, the board level conversations and thinking about risk. And, but you know, the word that's most important in what we're trying to do is management, and I've set the goal for reduction, like, I think we should be held accountable for, five years from now, have we reduced cyber risk? Management suggests there are a lot of strategies for reducing cyber risk, but the ultimate goal, hopefully, not just managing the risk or transferring it or accepting it, let's go at reducing risk. And so I hope corporations are really thinking about what they can do to reduce their exposure.
– I'll say this and then definitely go to questions. I think there's been a dramatic change in awareness and understanding at the C suite level, even in the last 24 months, and more on the systemic operational level, as to what cyber means to companies. It's more than just the data side, and sometimes you hate to joke that it's, you know, you're lucky if only your data was stolen. But we think about the operational impacts to the economy, national and homeland security, I do think that people are starting to understand that more. So the center can help bring that greater awareness at a higher level and think about what resources make sense for companies, then they can ask you for help. I think that will be a huge change. So we're gonna go to some questions. The one thing I would ask everybody is to say your name and your organization before you ask your question. Thank you.
– [Romy] Alright, thank you. Romy Siport from Freddie Mac. I'm just curious to get your thoughts around the, the approach, the classical approach to risk management, which is you kind of define your risk appetite, where you, below the appetite, how you accept risk, or even, I just heard you talk about transferring risk, so that's, those are some of the classical practices of risk management. How do you think the center is going to transform some of that thinking as you're analyzing the data and as you're hopefully sharing that data back with the, with the private sector?
– That's a hard one. Let me start by…
– It's a soft one.
– No, I recognize you're describing those as classical approaches, and I've read enough risk management literature to agree with you, but the federal government, those are not classical approaches within the federal government of risk management, right? That the conversation of risk transfer and risk acceptance and that sort of stuff is stuff that's been really hard for us to be explicit about in a lot of areas. And the reason I bring up that point is one of the things I hope we can do is align risk management models and thinking a little bit more, so that we can explain how we approach risk and you explain risk, and we can really start to sort of understand that, because we've got this different theory of our responsibility of risk management, we might be, you know, creating inefficiencies there. And so, you know, I don't know that you'll ever hear me say, hey, we agree to accept that risk explicitly, you know, I don't have to sign a statement because I'm a public company to say that, but sort of having the implicit discussion that, you know, the things that we didn't put at the top of the list are things where we've agreed to accept a little risk, or that there are other risk management strategies out there other than going hard at putting security in a system. So I think one of the things hopefully we can do as a center is create a little more synergy between what I think are a couple different risk management theories.
– Aren't you also trying to help companies or entities to understand where their risk fits in in a broader world? I mean, I do think everyone is responsible for their own risk. But putting my old federal government hat on, sorry, you know, you're thinking about what the nation looks like for risk, and it's not just one company here, one company here, it's the aggregated risk together. You probably have a different view of that than companies.
– Which may come to different risk decision making because of that.
– And if you explain that, though, to companies, I think that's really where maybe that disconnect between your definition and theirs could be bridged.
– [Brian] Brian Brown. So I guess you can hear me okay. Excellent panel, thank you very much. So I guess I have a little bit easier question, so Norma, this is kinda toward you as well. So as a company, what's the legal implication of your cyber risk, right? Cause cyber security costs money, and lawyers cost money, I mean, I know your firm is very reasonably priced with your rates.
– Well, they're worth every dollar, I'm sure.
– We are worth every dollar that you pay us and more.
– [Brian] And a lot much more than that. But what's the legal implication thereof, and obviously what's the business implication, what's the dollars and cents and sort of ROI? And I will now sit down, thank you.
– Okay, point number one, all the questions were supposed to be for Bob. No, just kidding. No, I am here. Well, let me say this. I'm not gonna give you legal advice today. I do think it is important to understand that the broader world believes that cyber is part of your normal risk. And it depends on what sector you're in and where you fit and if you're regulated or not, but the awareness, there's an expectation that you have the awareness, and then how you manage and mitigate that risk is really dependent on your regulatory structure and your other requirements. I think the piece that's important, cause I don't know what sector that you're in, the cross sector components are really important to understand, your supply chain and other things. And so that's usually when we talk to companies about how you look at your risk and what should you think about, we run through things like that, we talk about resources that DHS and other people can have, we'll ask about your insurance, but things like that. I'm happy to talk about that more afterwards.
– [Audience Member] Norma and Bob, congratulations on this new post and good luck, I know it's quite a challenge you've undertaken. I just had a question about something, you referenced CIPAC and PCII, and I just ask for an update on the PCII. A couple years ago DHS had initiated a process to update those rules, and I'm just curious as to whether that is now gonna get restarted given the focus on trust and authorities.
– I think that, you know, there was a sort of pause in regulatory activities at the transfer of administration, and you know, looking at what we were doing, I think the PCII update certainly is something that remains a regulation, a regulatory framework that we wanna push. Regulatory's the wrong, rule making framework that we wanna push, because there's nothing sort of regulatory there. So, you know, it gets wrapped up a little bit in that pause, but we will be following up, and we will be building off the presses and the comments we've already taken and the feedback we've already taken. You know, one of the big things we wanna do with the update, of course, is provide as much clarity as possible in cyber security information and how to take advantage of the fact that collecting cyber security information of vulnerability at machine speed, it's a different process than the original use case for an original use case for a PCII.
– Yeah, good point. Well, we're excited to hear that. Next question.
– [Scott] Hi Bob, Scott Sharon from Awesome. We heard today quite a bit about the example of the elections and how DHS is working at the state level to tackle that, and when I look at the critical infrastructure areas, in many cases the customer for that critical infrastructure is also state and sometimes local entities. How does your new organization work with state and local governments in their procurements of critical infrastructure to ensure that they also are aware of some of the risks that you're aware of at the federal level?
– Yeah, I think the supply chain is a perfect example of, as we work to better provide ability for us to make, within federal government, to make risk based decisions at things we're procuring in the supply chain, as that information gets out to owners and operators, there's an example, certainly there's an example for state and local government to take advantage of what we're learning of our own procurement decisions. So that's one example. In terms of functional identification and prioritization, I think that, you know, part of what's inherent in a lot of what we're talking about, and Norma, you answered that question, is know where your own risk is. We can help, we have capability to help understand where risks are, and that will then push that kind of thinking down. You know, we'll work explicitly with state and local governments depending on the nature of the risk that we're prioritizing, while still, in election infrastructure, a lot of that's owned, to keep going with this, owned by state and local governments, and so that's the case we'll work directly. Then there are other things where hopefully our work and what we're doing through the center will inspire, you know, a better functional understanding of risks at different levels.
– Well, I think we may have taken up a little bit more of your time than we had planned today, but we, we were very excited really to hear about the center and the new cyber security strategy. I can't wait to read it; personally, I hope it's 150 pages in font three, that'll be weekend reading for me personally.
– If I can't get somebody, I'll have to pay a lawyer to explain what's in the strategy.
– I know, I know, see, you can explain what's in the strategy? Is there anything else you wanted to mention or share before we just really thank you for your time?
– I mean, you referenced half jokingly that we'll come back and talk about functions, but we want, we wanna do a lot more of talking about what we're doing in the center in forums like this so we can get, we can explain, we get feedback, and you know, we're open for business and look forward to working with many of the people in this room.
– Well, thank you Bob. Join me in thanking Bob for talking about the new center. (audience applause)