00:00:54
How's this?
00:00:55
[inaudible 00:00:57].
00:00:56
Closer.
00:00:57
Closer.
00:00:58
Probably going to apply for you guys too.
00:00:59
How's this?
00:01:00
Yeah.
00:01:01
Great, thank you.
00:01:02
I want to start with a really brief catch
up.
00:01:05
There's an incident in 2021.
00:01:08
Maybe some of you guys heard of it.
00:01:09
It's called Colonial Pipeline.
00:01:10
There's a ransomware attack.
00:01:13
You guys have heard, that's right, that prompted
a series of regulations.
00:01:20
Can you give us-
00:01:23
[inaudible 00:01:21].
00:01:25
... a very quick-
00:01:26
Closer.
00:01:27
... you give us a very quick overview of the
regulations that you have overseen in those
00:01:29
two years since then?
00:01:31
Sure, so as you mentioned, May 2021, early
May, ransomware attack, East Coast Pipeline
00:01:37
had systemic impact across the East Coast.
00:01:40
What we did in working with our partners in
CISA was immediately put out a requirement
00:01:45
that any owner and operator of critical infrastructure
had to report any significant cyber incident
00:01:50
because when this one occurred, the company asked,
"Hey, how many other pipelines have suffered
00:01:55
this kind of attack?"
00:01:56
And we didn't have that answer.
00:01:58
So we put that regulation out first.
00:02:00
That came out in the very same month in May.
00:02:03
But interestingly, and I think really importantly
for our talk this afternoon is that reporting
00:02:08
went to CISA, not to TSA intentionally because
we're trying to centralize reporting.
00:02:14
We're trying to make it easier on the owners
and operators of critical infrastructure in
00:02:18
the country.
00:02:19
And you can imagine if you have a reporting
requirement to several different federal agencies,
00:02:24
every agency is going to hear it a little
bit differently.
00:02:28
And so that introduces an element potentially
of confusion.
00:02:31
So having a report go in at the same time,
one central location, and then having CISA
00:02:38
push it out to all of the affected agencies
has really been my view of best practice.
00:02:43
The other thing that we didn't know at the
time, but certainly now is part of the national
00:02:47
cyber strategy, is to harmonize our reporting
requirements across the federal government.
00:02:52
And this was really the very first attempt
to do that.
00:02:55
And I would credit CISA for doing just a fabulous
job of giving us, in near real time, reports
00:03:02
of those incidents.
00:03:03
And it's really, I think worked out incredibly
well.
00:03:08
Whoo.
00:03:11
I have more questions, but you'll follow on
that.
00:03:16
That's cool.
00:03:17
Okay.
00:03:18
We've done several kind of pre-briefing chats
and these two are so chummy.
00:03:21
Sorry.
00:03:22
No, no, no.
00:03:24
It's government working.
00:03:25
I want to ask you a really point blank, that
was such a high profile, the most high profile,
00:03:31
I work in news, I can say that definitively,
the most high profile ransomware incident
00:03:36
and there has not been anything like it in
any of the jurisdictions or the CSA, is that
00:03:43
why these regulations and the partnership
with CISA?
00:03:46
Is that why?
00:03:47
I would love to be able to claim that, I can't,
but one of the things that we did do as well,
00:03:52
I mean that was the reporting requirement.
00:03:53
What was important that we did right after
that in July was issue some requirements for
00:03:59
the owners of critical pipeline infrastructure.
00:04:01
So that's important.
00:04:02
It wasn't all pipeline infrastructure, it
was critical pipeline infrastructure, to implement
00:04:08
certain measures to protect their systems.
00:04:11
A future attack, not necessarily ransomware,
but a future attack on their information or
00:04:15
operating systems.
00:04:18
As many of you might remember, when we did
issue that directive, because it was so specific
00:04:23
as to what was required, we got a good deal
of pushback on that because the industry would
00:04:29
say that, "Hey, you're asking us to put things
in place that are going to replace things.
00:04:34
We're already doing that.
00:04:35
Actually, we think it's to the point you want
to get to better than what you're requiring
00:04:40
and you haven't fully considered the impact
on our business model."
00:04:45
And so what we did in working with CISA and
the FBI and the Pipeline Hazardous Material
00:04:49
Safety Agency over in DOT and the Department
of Energy was we had a series of round tables
00:04:55
with industry just to talk through this.
00:04:58
Net result was we went from a very prescriptive
activities-based requirement to a performance-based
00:05:04
model, which I think is far superior to what
we were doing before, and a huge credit to
00:05:11
our industry partners for working with us
on that.
00:05:14
So we made really a 180 degree pivot on our
approach to this particular regulation.
00:05:21
And I think that's a forbearer of change we'll
make to regulations in the future for TSA.
00:05:26
So instead of saying, "Hey, achieve these
certain activities and report on those activities,"
00:05:32
we said, "Hey, there are certain outcomes
we want you to achieve.
00:05:36
You come back to us on our operator and tell
us how you intend to achieve that outcome,
00:05:42
and then we'll work with you to approve that
implementation plan."
00:05:45
And then the follow on to that is, and this
is really important, this is where the stage
00:05:50
we're at today is come back to us also after
your implementation plan is approved and tell
00:05:56
us objectively how you are achieving those
outcomes.
00:06:00
So it's not just us, how you're doing and
implementing those particular measures that
00:06:03
you proposed and we approved, but also how
are those measures and the accomplishment
00:06:08
of those measures contributing to the achievement
of the outcome?
00:06:12
That's really important.
00:06:13
That's the stage that we're at today, and
I'm really optimistic on how this is going
00:06:17
to work 'cause we've already seen some of
the initial plans and they look pretty good,
00:06:22
so we're going to be working through that
over the course of the next couple of weeks.
00:06:28
The US did not have any kind of cyber regulation
like this kind of infamously for years until
00:06:34
this point.
00:06:37
This is America.
00:06:38
A lot of businesses don't care for government
regulation.
00:06:45
Is it the case when you speak with leaders
of these companies, are they completely on
00:06:51
board?
00:06:52
Are there some that would like more regulation?
00:06:54
Are there some that would like things to be
done a little differently?
00:06:56
Well, you raised an important point, Kevin,
is when you speak, and I would offer that
00:07:04
we speak frequently to our industry partners,
to the companies that we regulate.
00:07:11
I would say that there's a more robust exchange
of information as a result of this approach
00:07:16
than there was before.
00:07:18
One of the things that we did at the very
beginning when we saw this threat that is
00:07:22
not simply a ransomware threat, it is much
more significant than that, that we needed
00:07:28
to work really quickly to close vulnerabilities
that we had across our critical infrastructure
00:07:34
in the country.
00:07:35
And so we felt it was important that we bring
the chief executive officers of those companies
00:07:42
in for a classified briefing on the threat
because we really wanted them to understand
00:07:48
this is the threat that we see from the intelligence
community in the United States, which is incredible
00:07:54
in their capability to inform policy decision
makers like Jen and me.
00:08:00
And so we brought the CEOs in for those threat
briefs.
00:08:02
They were in the White House.
00:08:05
It was really the start of a very good relationship
because they saw what we were seeing and the
00:08:11
CEOs knew that their CIO and their CISO was
going to come to them shortly with a resource
00:08:17
request, maybe some procedural changes, certainly
a request for more people.
00:08:21
And the CEOs knew what was behind that, what
was the reasoning for that.
00:08:26
But you can't just do it once.
00:08:28
This can't be a one and done exchange of information.
00:08:31
And so what we've established, and Jen can
speak to the processes that parallel ours,
00:08:37
but are very complementary to what we do in
terms of making sure there's good, robust
00:08:43
exchanges of information between us.
00:08:45
We have regular updates to the CEOs and then
regular updates to the CIOs and the CISOs
00:08:51
of these companies as this threat evolves.
00:08:53
And one of the things that you always think
about is, "Hey, I heard the threat.
00:08:56
I understand it, I see it.
00:08:57
Is it still present today?"
00:08:59
And this just reaffirms to them.
00:09:01
Yes, it's still present today actually in
many ways it's more concerning today than
00:09:04
it was yesterday.
00:09:05
And so we need to really work very hard to
close the vulnerabilities that we might have.
00:09:10
Yeah, I mean, jump in with a couple of things.
00:09:14
First of all, great to be here with you all.
00:09:17
Kevin mentioned that Dave and I are chummy.
00:09:20
Look, at the end of the day, this is what
you want your government to be.
00:09:25
You want your government to be collaborative
and cohesive.
00:09:29
And so I think it's a really good news story
and one that has evolved in terms of how collaborative
00:09:36
we all are working together.
00:09:38
And I think it was a really good news story
of how closely our teams work after Colonial
00:09:44
Pipeline.
00:09:45
I was not actually in government then.
00:09:46
I was still at Morgan Stanley at that point
in time, but certainly saw it from the perspective
00:09:50
of being in the private sector and frankly
being in a highly regulated industry.
00:09:54
A couple of things I'll say is it really was
a watershed moment in many ways that certainly
00:10:01
led to the security directives that Dave talked
about, but I don't think we would've gotten
00:10:08
what's called CIRCIA, the Cyber Incident Reporting
for Critical Infrastructure Act if Colonial
00:10:14
Pipeline had not happened.
00:10:16
And it really is a watershed piece of legislation
that frankly the Congress had been trying
00:10:21
to pass for more than a decade that was about
mandating critical infrastructure report,
00:10:28
to CISA, if there was a significant cyber
incident and we're in the final stages of
00:10:34
writing the rule, the notice of rulemaking
should come out early next year and will hopefully
00:10:40
implement it by next year.
00:10:41
But it's really, really important.
00:10:44
Why?
00:10:45
Because you read so much about ransomware
going up, ransomware going down.
00:10:49
My general belief is we just don't know.
00:10:54
We just don't have a really good handle on
the scope and scale of the ecosystem of cyber
00:11:00
incidents because frankly, it's not mandatory
for reporting across the board.
00:11:05
So I think for the first time we'll actually
be able to understand what the scope is of
00:11:11
incidents and whether all the work that we've
been doing across the federal government,
00:11:16
across industry, across state and local, across
the globe is actually leading to reduced risk.
00:11:22
Because at the end of the day, that's what
we're trying to do.
00:11:26
We're not trying to create punishments.
00:11:29
We're really trying to work with industry
in a collaborative, consultative way to ensure
00:11:34
that we can help them reduce risk.
00:11:37
And the last thing I'd say to Kevin's question
is when I first came on board, which was in
00:11:42
July, we did actually hear a lot of pushback
from the industry groups about one of the
00:11:48
directives.
00:11:49
And I will tell you, we recently, Dave and
I, had a meeting with CEOs where they could
00:11:54
not have been more complimentary about the
evolution of working with them in a consultative
00:12:00
way.
00:12:01
I think part of that was the threat briefing,
but part of that was just fricking listening.
00:12:06
And that's why you see people like me and
Dave because we realize how important it is
00:12:11
to listen, to listen to industry, to listen
to the hacker community because we sure can't
00:12:17
do this on our own.
00:12:19
I want to be clear here.
00:12:20
When you talk about this threat briefing,
are we talking this is related to Colonial
00:12:24
or are we talking more recently?
00:12:26
No, we've done threat briefing certainly for
pipelines.
00:12:28
It wasn't related to the ransomware attack
specifically.
00:12:33
It was related to, "Hey, what is the overall
threat picture for critical infrastructure,
00:12:38
particularly for transportation infrastructure
and energy infrastructure in the country?"
00:12:43
Same brief, essentially very, very similar
to the rail sector, the transit sector and
00:12:48
now to air carriers and airports.
00:12:51
So across the transportation sector, we've
been able to provide this level of visibility
00:12:56
to the top owners and operators of these systems.
00:13:05
You've got this, what seems like you're saying
is an extremely effective partnership that
00:13:10
works for you.
00:13:12
What other sectors would you like to have
that kind of, if the red tape was not as much
00:13:16
of an issue, I'm thinking, I'm reporting all
the time on ransomware attacks on hospitals
00:13:22
or diverting ambulances that are hampering
care.
00:13:24
There's schools that are still being shut
down all the time.
00:13:27
Yeah, so one of the things that we did last
year when we were thinking about what are
00:13:32
our priorities for the upcoming year was what
are those sectors we called target rich, cyber
00:13:38
poor, to Kevin's point, who were getting hit
with ransomware in a way, in a pretty bad
00:13:44
way that could actually have very significant
impacts?
00:13:48
Though my mom is 90 and she's in and out of
the hospital, right?
00:13:53
And I am always very, very concerned as I
have in the back of my mind all of these hospitals
00:13:58
that have been hit with ransomware.
00:14:00
You saw the recent one, Prospect Medical Hospitals
I think, or Medical Holdings where we've seen
00:14:06
hospitals across the country that had to divert
patients or change elective surgeries.
00:14:12
It's really scary.
00:14:13
And so we actually picked priority sectors
that we knew fell into this.
00:14:18
So hospitals in particular, rural hospitals,
K through 12 schools and water facilities,
00:14:24
because that's a sector that I'm particularly
concerned about.
00:14:27
And then we also have a big focus over this
year going into next on local election offices.
00:14:32
And we did it for a couple reasons.
00:14:34
So one of the roles, we of course were set
up to be America's civilian Cyber Defense
00:14:39
Agency, but in statute we also play this role
of national coordinator for critical infrastructure,
00:14:45
security and resilience.
00:14:46
What does that mean?
00:14:47
It means that we sort of sit at the center
of working with departments and agencies that
00:14:52
have a role to be the sector risk management
agency.
00:14:55
So Dave is the sector, TSA is the sector risk
management agency for oil and natural gas
00:15:01
pipelines, for rail, for aviation.
00:15:04
And we work with him and all of the other
departments and agencies who ensure that sector
00:15:11
risk management agencies and industry have
the risk guidance, the information, the resources,
00:15:17
the capabilities, the best practices that
we all need to be able to reduce risk to critical
00:15:23
infrastructure that Americans rely on every
hour of every day.
00:15:27
So a really, really important role that we
play.
00:15:32
And with respect to the target rich resource
poor, it's why we've been working hand in
00:15:36
hand with HHS.
00:15:37
So my deputy, Nitin Natarajan, who's fantastic,
started out as a medic and spent a lot of
00:15:44
time in HHS so he's been working hand in hand
with HHS and the American Hospital Association
00:15:50
to put resources in place to reduce risk in
hospitals.
00:15:54
We've been working with K through 12.
00:15:55
There was a big White House event earlier
this week where we had-
00:15:59
Interrupted by tornadoes.
00:16:00
...superintendents...
00:16:01
Say it again?
00:16:02
Interrupted by a tornado.
00:16:03
Interrupted by a tornado, but amazing that
we were able to actually flip it a day.
00:16:07
And it was so important to the First Lady
that she actually rearranged her whole schedule
00:16:10
to be there.
00:16:11
We had all these superintendents so that we
could work together with schools.
00:16:15
We're doing the same thing with water, and
then again, local election offices.
00:16:18
And so part of this just goes back to the
partnerships.
00:16:22
CISA has incredible technical expertise.
00:16:24
We've got a lot of it here, so hopefully you're
meeting our CISA colleagues.
00:16:28
But those departments and agencies have incredible
technical expertise in those sectors that
00:16:33
we don't have about rail, about aviation,
about hospitals, about water.
00:16:38
And so when you bring that together along
with our partnerships with industry, you really
00:16:42
can collaborate to reduce risk.
00:16:46
Do you feel like you have enough in terms
of policy allowance to address those specific
00:16:54
sectors or would you like more?
00:16:56
Yeah, I mean I feel like I'm always grateful
to the Cyberspace Solarium Commission folks
00:17:02
and Dave was on there as well.
00:17:04
So some of you might know it was a commission
set up by Congress several years ago.
00:17:09
It was chaired by Angus King of Maine and
Mike Gallagher of Wisconsin.
00:17:14
It had senior leaders from across the federal
government.
00:17:17
You know, I often say, so the government sets
up commissions all the time, and some of them
00:17:23
meet a lot and don't really get much done.
00:17:26
In my 30 plus years in government, I've seen
two commissions that actually got shit done.
00:17:32
One was the 9/11 Commission, the second was
the Cyberspace Solarium Commission that literally
00:17:37
made 75 recommendations, and more than half
of them are in legislation.
00:17:43
And CISA benefited incredibly from those recommendations
that got put into law in 2021.
00:17:50
And I benefited when I came in as director.
00:17:53
And so some of the things that we would've
wanted, frankly, several years ago, that my
00:17:58
great friend Chris Krebs may have wanted,
the ability to hunt persistently on federal
00:18:03
networks, the ability to work directly with
our sector risk management agencies to actually
00:18:08
put measures in place to keep sectors safe,
the authorities, we have to stand up the Joint
00:18:13
Cyber Defense Collaborative.
00:18:15
I feel like we're in, and then CIRCIA of course,
I feel like we're in a very positive place
00:18:20
with respect to our authorities.
00:18:22
I often get asked, well, do you want regulatory
authorities?
00:18:26
And I always say no.
00:18:27
CISA doesn't want to be a regulator.
00:18:29
We work very closely with regulators.
00:18:31
But at the end of the day, the magic of CISA
is our ability through our technical expertise
00:18:37
and our trusted partnerships, to be able to
work across industry in a way that frankly
00:18:43
is a little bit harder with regulators.
00:18:46
So I think we're cool.
00:18:49
Okay.
00:18:50
I don't know, probably most of you can't see
this, but Jen's arm, she has what appears
00:18:57
to be a temporary tattoo or is this a full
thing?
00:19:01
You have multiple-
00:19:02
This one's real and these are temporary.
00:19:04
But since you brought it up, here's the funny
story.
00:19:07
So we are recruiting for technical experts,
and I was like, I'm so into it because we've
00:19:12
hired like 1,330 people since I came on board.
00:19:16
I'm going to tattoo.
00:19:17
They are temporary.
00:19:19
I would do it if somebody had time.
00:19:21
So, oh my God, like we made these temporary
tattoos and they put it on, like, "Yeah, let's
00:19:27
go for it."
00:19:29
And it just doesn't work.
00:19:31
It was like this morning, "Let's do another
one."
00:19:34
And it doesn't work.
00:19:35
So we have the QR code separately.
00:19:36
My whole body's going to be tattooed with
these temporary tattoos, but we're hiring
00:19:41
people.
00:19:42
So come see us.
00:19:43
We have real QR codes that work, not on my
body.
00:19:47
This really was my lead in to let you guys
kind of make the pitch for, I think, a substantial
00:19:51
reason why you guys are here.
00:19:54
But also, I've been coming to DEFCON for almost
10 years.
00:19:57
There are a lot more federal officials giving
talks these days.
00:20:00
And it's for a reason, I think.
00:20:01
Well, I would say the key reason is you have,
in the audience, expertise that we desperately
00:20:08
need.
00:20:09
You have perspective we desperately need.
00:20:11
I mean, you heard about the work that we're
doing.
00:20:14
I would want to make sure that the work we
do is based on the very best information that
00:20:18
we can gather.
00:20:19
And so we're here to really seek your advice,
your counsel.
00:20:23
We have some mechanisms to be able to do that.
00:20:26
And then the other one is just clearly, like
Jen said, we're here because we're hiring.
00:20:32
We need talent.
00:20:33
And I think I can tell you from my own experience
working in the federal government, I'm six
00:20:38
years into being the TSA administrator.
00:20:42
The work we do together with CISA, with the
FBI, with the Department of Transportation,
00:20:47
the White House is incredibly rewarding.
00:20:49
I mean, you have impact at a scale that is
just challenging at times, but the benefits
00:20:58
are incredibly rewarding.
00:20:59
And we had a great booth here at DEFCON, offered
up a lot of decals, offered up a lot of ways
00:21:07
to approach TSA for positions.
00:21:10
But if you're interested, please give it consideration.
00:21:12
And I think too that in my career, the ability
to build a network is really important for
00:21:18
your success throughout your career.
00:21:20
And if you come into government, you build
a network inside government when you return
00:21:24
to the private sector, if you do, you continue
to keep those relationships and that network
00:21:28
you have in the private sector, very warm.
00:21:30
And I think that really helps the entire system
work incredibly well.
00:21:34
So that's what we'd really like to encourage
you to do is if you know somebody who has
00:21:40
talent that you think we could benefit by,
please encourage them to look up CISA, look
00:21:45
up TSA, look up any sector risk management
agency, quite frankly, because we all need
00:21:50
the talent.
00:21:51
We also announced earlier in this conference
a project that Jen and I have together, it's
00:21:57
called CHARIOT and so we wrestled with the
acronym, but we felt, okay, chariot is a transportation
00:22:05
thing, and this is a transportation project,
and we are at Caesars so the chariot and Caesar
00:22:12
sort of go together, but what CHARIOT stands
for is Critical Infrastructure Hardening Achieved
00:22:20
through Risk Reduction Information and Operational
Technology.
00:22:25
Whoo.
00:22:26
Way to go.
00:22:29
Thanks.
00:22:30
I've been practicing a lot, but basically
what it stands for, it's a partnership between
00:22:36
TSA, between CISA, between the Department
of Homeland Security Science and Technology
00:22:41
Directorate, between the Pipeline Hazardous
Material Safety Administration and the Federal
00:22:46
Railway Administration and also the Pacific
Northwest National Laboratory.
00:22:51
And what we'd like to do is to get more industry
input and your input on, hey, if you looked
00:22:59
at the rail sector or the pipeline sector,
how would you prioritize the risk as a hacker
00:23:05
to those sectors?
00:23:07
And then the other important part is I mentioned,
hey, we need to have an objective way to assure
00:23:13
ourselves and to assure the public what we're
doing is having a beneficial effect.
00:23:20
What we're doing is making these systems more
protected and making these systems more resilient.
00:23:26
So if attacked even partially, they can get
up and running in a relatively quick fashion.
00:23:32
And so what we'd like to develop are threat
scenarios that then we can introduce into
00:23:37
tabletop exercises, because as you know better
than I, a cyber attack will manifest itself
00:23:43
in a physical way, and that requires a different
response than a purely cyber response to get
00:23:48
back up and operating.
00:23:50
And so if you could really help us with giving
us sort of a risk prioritization and also
00:23:55
helping us develop those threat scenarios
so we can play out those threat scenarios.
00:24:01
And we promise that what we will do in a future
DEFCON is to provide you feedback as to how
00:24:06
that went.
00:24:07
And I'm hoping that when I come back next
year, and I'll declare myself a new guy again
00:24:12
next year so I can do the shots.
00:24:13
It's not really my first.
00:24:15
I know, nor Jen's, but to give you some feedback
as to, "Hey, how did that go?
00:24:21
What did we develop out of it?"
00:24:23
We had an initial round table yesterday on
this.
00:24:27
Got some really good results.
00:24:28
So I just ask you to think of Project CHARIOT.
00:24:30
It's really a way for you to really help us
out and to help the country out and help everybody
00:24:36
that lives in the United States to make them
feel more protected.
00:24:40
And Jen's point about the hospital system
to make sure that the critical infrastructure
00:24:45
that all of us depend on for ourselves and
for our families and for our friends and our
00:24:49
communities is back on its feet as quickly
as it can if it's ever attacked.
00:24:54
A couple of things about why we're here.
00:24:58
Obviously recruiting is one, but one of the
really cool things that we've been focused
00:25:03
on over the last year is creating a partnership
with the hacker community to help us get ahead
00:25:10
of the ransomware problem.
00:25:12
This was also part of what we learned from
Colonial Pipeline is we really need to be
00:25:20
able to rely on partners who are seeing malware
before it actually gets activated.
00:25:29
And so there's some fantastic researchers
out there.
00:25:32
There's threat intel people.
00:25:33
There's some industry folks who have been
giving our team in the joint Cyber Defense
00:25:39
Collaborative essentially tips.
00:25:42
And so it's part of what we call our pre-ransomware
notification initiative.
00:25:47
And so we've been getting tips.
00:25:49
We take those tips.
00:25:51
When malware is laid down, it could be anywhere
between five to 48 hours before it's actually
00:25:57
activated and data is encrypted.
00:26:01
And so we then use our field force.
00:26:03
So one of the other things we've been building
over the past two years are cybersecurity
00:26:07
advisors across the country.
00:26:10
So we have them in every state of the nation
I think at this point in time.
00:26:14
And they then take these tips and then they've
been reaching out to let people know, "Hey,
00:26:18
it looks like you have something on your system.
00:26:21
You need to do something about it right away."
00:26:23
And we've done it now 600 plus times to schools,
to also internationally.
00:26:30
And we've really been able to make an impact.
00:26:32
And again, the thing that I love most about
this is it's all based on trust.
00:26:37
I mean, it's the most important currency is
people reach out to us because they trust
00:26:42
us with the information and they believe we're
going to do things about it.
00:26:46
So going to do something good with it.
00:26:47
And so again, that's really what this community
is all about, is how do we use our skills
00:26:54
to make a difference, to make an impact for
the betterment of the nation.
00:27:00
Speaking of that, you've got a four-year term.
00:27:02
I won't ask you to speculate right now on
whether they'll keep going, but if you want
00:27:07
to you can.
00:27:08
What would you like to see the ransomware
defense landscape look like five years from
00:27:16
now?
00:27:24
I mean, no more ransomware.
00:27:25
So look, I appreciate you asking the question
because I have long thought that we cannot
00:27:33
keep doing the same thing that we're doing
and expect a different outcome.
00:27:37
And it's one of the reasons my teammate Eric
Goldstein, who heads up cyber for CISA, and
00:27:44
I wrote this article earlier this year, which
was really trying to get at what is a more
00:27:48
sustainable approach to cybersecurity?
00:27:51
One that can actually make a difference.
00:27:54
And we talked about four things.
00:27:55
One is this concept of cyber civil defense.
00:27:58
One is our persistent operational collaboration.
00:28:02
One is corporate cyber responsibility, but
the one that we think can make the most difference
00:28:06
in driving down the threat impact is secure
by design technology.
00:28:14
We now live in a crazy world where we've normalized
the fact that technology products come off
00:28:20
the line full of vulnerabilities that can
be exploited by threat actors.
00:28:26
And so we've accepted this and it's frankly
perverse, and we really need to change the
00:28:32
paradigm where technology companies are not
just focused on speed to market and cost and
00:28:39
cool features, but first and foremost on creating
tech that is safe and secure.
00:28:46
I mean, let's be real, right?
00:28:48
There's a multi-billion dollar cybersecurity
industry because technology companies have
00:28:54
never had to focus first and foremost on security.
00:28:57
The incentives were all misaligned.
00:29:00
And so we're really trying to work with our
partners across the government.
00:29:05
We did a workshop earlier today with our teammates
at the National Cyber Director's Office to
00:29:10
really catalyze what I call a secure by design
revolution.
00:29:14
And I would ask everybody, if you haven't
seen the stuff that we put out, we put out
00:29:19
a white paper, it's on our web page, please
go to cisa.gov/securebydesign and take a look
00:29:26
at that because we want feedback, we want
to refine this.
00:29:30
We want to bring in more partners because
at the end of the day, we want to ensure that
00:29:35
we now have a market signal coming from customers
that we all care about security for our persons,
00:29:42
for our personal, for our family, for our
communities, for our businesses.
00:29:48
And I think frankly, Kevin, if we're going
to have a real dent in the ransomware system,
00:29:53
we need to start with ensuring that technology
is safe.
00:29:57
Sorry, do you [inaudible 00:30:01]?
00:30:01
No.
00:30:02
I would like to pivot this conversation now
to the threat landscape that both of you see.
00:30:09
We had chatted a little bit ahead of time,
and I had assumed the two giant threats that
00:30:17
I feel like I'm hearing about all the time
are ransomware, often from Russian-related criminal
00:30:22
groups and a barrage of Chinese espionage.
00:30:27
And I hope you don't, this is not a breach
of confidence to say you were kind of quick
00:30:32
to correct me.
00:30:34
I think I had maybe underestimated the extent
to which maybe China...
00:30:39
I'll let you define that, I don't want to...
00:30:43
Yeah.
00:30:44
So I've talked about the two epoch defining
threats and issues that I'm concerned about.
00:30:51
One is AI.
00:30:52
I mentioned AI because you can't have a conversation
without mentioning AI, so that's done, right?
00:30:57
Yeah, did it.
00:30:59
And then let's talk about China.
00:31:01
I think at the end of the day, if you look
at some of the information that the US government
00:31:09
has put out over the past six months, and
then you look at what is happening across
00:31:15
the geopolitical landscape, I hope that people
are taking seriously a pretty stark warning
00:31:22
about the potential for China to use their
very formidable capabilities in the event
00:31:30
of a conflict in the Taiwan Straits to go
after our critical infrastructure.
00:31:35
And I think we've seen a change, and frankly
you saw it in some of the products that we
00:31:40
put out earlier this year, a cybersecurity
advisory that talked about Chinese state-sponsored
00:31:46
actors living off the land, so not malware,
but actually using the native processes of
00:31:51
a computer to hide in those systems.
00:31:55
And it wasn't for espionage or data theft,
which we've been seeing arguably for decades.
00:32:01
It was more likely for disruption and destruction.
00:32:05
And if you read the intelligence community
Annual Threat Assessment, there's a pretty
00:32:09
stark warning that talks about in the event
of a conflict, China will almost certainly
00:32:14
consider aggressive cyber attacks against
US critical infrastructure and is almost certainly
00:32:22
capable of disruption or destruction when
it comes to oil and natural gas pipelines
00:32:27
and railroads.
00:32:29
And so I really, what we've been talking about,
Kevin, is we need to take this warning very
00:32:34
seriously, and that's why we've been talking
so much.
00:32:37
And Viktor Zhora and I, my counterpart in
Ukraine, talked to Black Hat about the importance
00:32:42
of resilience, expecting that there will be
disruption and planning and preparing for
00:32:48
it now, identifying your high value assets,
doing the exercises to be able to put in place
00:32:53
manual overrides, manual controls to be able
to operate in a degraded state, and then ensuring
00:32:59
that you can recover as rapidly as possible
to mitigate risk.
00:33:04
So think about Ukraine as really a shining
example of not just cyber resilience, but
00:33:08
also operational resilience, dealing with
all the barbaric kinetic attacks.
00:33:13
And then very importantly, societal resilience,
which I fear we have lost as a nation.
00:33:18
If you look at the reaction to Colonial Pipeline,
if you look at the reaction to the high altitude
00:33:24
balloons, at the end of the day, we need to
be pretty pragmatic about the potential for
00:33:31
these attacks, be prepared to meet them with
resilience and frankly, with unity as an American
00:33:38
people.
00:33:40
And I think too, that...
00:33:48
time is not our friend in this quest.
00:33:51
We need to move very, very quickly.
00:33:52
That's why we've moved so quickly and so have
our industry partners.
00:33:56
I mean, there's literally, we need to be ready
now.
00:34:00
And the more we can do to make sure that we're
not worrying about how ready we are, we know
00:34:08
how ready we are, and we know how we can manage
any kind of attack on US systems in a way
00:34:16
that protects our ability to respond and in
a way that protects our population and that
00:34:22
allows our population to have confidence in
its government and have confidence in its
00:34:28
industry leaders that they've done everything
they can to be ready for this.
00:34:31
So preparedness is the name of the game here.
00:34:35
Jen, you mentioned speaking with Viktor Zhora
your counterpart in Ukraine, and not just
00:34:44
in cyber and all kinds of ways that the US
government has provided really substantial
00:34:48
assistance to Ukraine, an ally, being bullied
by a much larger antagonistic nation to the
00:34:56
United States.
00:34:58
There are some ways in which you can map that
onto China-Taiwan, but we have a more fraught
00:35:03
diplomatic relationship with Taiwan.
00:35:05
Does that impact the ability to share cyber
threat information, things like that in such
00:35:13
a [inaudible 00:35:14]?
00:35:14
Yeah, I mean, it's something we're frankly
thinking really hard about, and I've been
00:35:18
really encouraged.
00:35:19
So we signed a memorandum of cooperation with
Ukraine just about a year ago, and we very
00:35:27
purposefully put a lot of resources into how
we could help build capacity, both in terms
00:35:35
of threat hunting kits, how we share very
detailed threat information, how we do exercises,
00:35:44
a cyber incident response plan, working with
other international partners like the Canadians
00:35:51
who are going to do forensic training with
them.
00:35:53
And so really deliberately putting a lot into
these lines of effort.
00:35:59
And we have gotten probably as much out of
it as the Ukrainians have because what they
00:36:04
have learned over the past year and a half,
obviously, but 10 years since Crimea, I think,
00:36:12
has incredible teachings for us as we think
about both capacity building with Taiwan,
00:36:19
which is something that I do think, to your
point Kevin, we can map some of that.
00:36:25
And we certainly do share information with
Taiwan CERT now, but we would want to figure
00:36:30
out how to help from a capacity-building front
to ensure that, again, the lessons that we're
00:36:37
learning with respect to Russia's aggression
over Ukraine can be applied.
00:36:42
I think it's really important.
00:36:44
Yep.
00:36:46
We are nearly out of time if you guys... oh,
we have five minutes.
00:36:48
Do you have any closing remarks, anything
you want to share with this audience while
00:36:53
you've got them captive?
00:36:56
Sure.
00:36:57
My closing comment is really just thank you.
00:36:59
Thank you for the welcome that we've received
here over the last couple of days.
00:37:03
We've had about 30 TSA people here and really
appreciate all the work that they have done
00:37:09
and all the education you have provided to
all of us.
00:37:13
So really thank you and I look forward to
continuing to develop a very good relationship
00:37:18
with DEFCON, so thank you very much.
00:37:20
Awesome.
00:37:21
So thanks Kevin for doing this.
00:37:23
Really appreciate it.
00:37:24
And thanks Dave.
00:37:25
Dave has been in the department for a long
time.
00:37:26
You were like the Vice Commandant of the Coast
Guard and the acting deputy secretary.
00:37:31
And Dave, I had not been in the Department
of Homeland Security.
00:37:34
I was in DOD most of my career, and then I
was in the private sector.
00:37:37
And so Dave's kind of been my Sherpa since
I got to DHS and has been a really great friend
00:37:44
and teammate and colleague.
00:37:45
So I do want to thank you for your leadership
and your partnership.
00:37:50
And yeah, I mean, this is such a great community.
00:37:53
That's my favorite time of the year.
00:37:55
I love the energy, I love the community.
00:37:58
I believe in what this community does, and
I really, really think we can make a difference
00:38:04
for the nation.
00:38:05
So for those who are interested in working
at Team CISA, please come chat with me and
00:38:11
my teammates, but really come work with us
because we really want to collaborate, leveraging
00:38:18
all the skills you have and all the skills
we have for the better of the nation.
00:38:24
And the last thing I'd say is I'm also doing
the next talk with my friend Scott Shapiro,
00:38:30
who's a professor at Yale who wrote a great
book called Fancy Bear Goes Phishing.
00:38:34
We have renamed the talk Beers and Bears.
00:38:38
So go get your beer and meet us back here
at 5:30 for a great talk.
00:38:44
Thank you.