DEF CON 31 - All information looks like noise until you break the code - Pekoske, Lyngaas, Easterly

00:38:48
https://www.youtube.com/watch?v=rURD78O-P0o

Summary

TLDR: The discussion covers the cybersecurity landscape changes following the Colonial Pipeline ransomware attack in 2021. A significant regulatory shift involved requiring critical infrastructure operators to report cyber incidents directly to CISA, centralizing information and reducing confusion across federal agencies. TSA adapted its approach to be performance-based, focusing on security outcomes rather than prescriptive actions. The conversation highlights partnerships with industry, prioritization of vulnerable sectors like hospitals and schools, and the CHARIOT project, which aims at risk reduction in critical infrastructure. The emphasis is on effective collaboration, preparedness, and continuous adaptation to evolving threats, with a particular focus on enhancing security without overly burdensome regulation.

Takeaways

  • 2021 Colonial Pipeline attack triggered major cybersecurity regulations.
  • Centralized incident reporting to CISA aims to streamline processes.
  • TSA switched to outcome-based security measures after industry feedback.
  • Priority on securing hospitals and schools against cyber threats.
  • CHARIOT aims to harden critical infrastructure through collaboration.
  • CISA prioritizes building trusted industry relationships over regulation.
  • Harmonizing cybersecurity reporting for consistency and clarity.
  • Emphasis on preparedness and learning from international allies.
  • DEFCON event highlights government-industry collaboration opportunities.
  • Ongoing adjustments to cybersecurity strategies reflect threat evolution.

Timeline

  • 00:00:00 - 00:05:00

    The discussion begins with a reference to a significant ransomware attack on the Colonial Pipeline in May 2021, which led to widespread disruptions. In response, new regulations were introduced requiring critical infrastructure to report cyber incidents, centralizing reporting through CISA instead of TSA to reduce confusion and enhance coordination. Harmonizing reporting requirements is now a national priority as part of the cyber strategy.

  • 00:05:00 - 00:10:00

    Efforts were made to involve industry in the regulatory process following the Colonial incident, particularly for critical pipeline infrastructure. Initially prescriptive regulations faced industry pushback, resulting in a shift to a performance-based model. This change aimed to allow industries to determine how to achieve set outcomes, with continued oversight and feedback on implementation and outcome achievement. Such collaborative approaches are regarded as essential for TSA's regulatory future.

  • 00:10:00 - 00:15:00

    The U.S. has historically lacked comprehensive cyber regulations. However, recent actions and collaborations seek to change that. Regular communication and classified briefings with industry leaders enhance information exchange and preparedness against broader threats. These efforts have fostered better understanding and cooperation between the government and critical infrastructure sectors, adapting to evolving threats and vulnerabilities.

  • 00:15:00 - 00:20:00

    There is an ongoing focus on supporting sectors deemed 'target rich, cyber poor,' such as hospitals, schools, and water facilities, due to their vulnerability to ransomware. The government is collaborating with sector-specific agencies to provide resources and best practices to reduce risks. Coordinating efforts with entities like HHS and the American Hospital Association, as well as focusing on specific events (e.g., K-12 education), illustrates this strategy.

  • 00:20:00 - 00:25:00

    Various initiatives are discussed to address cybersecurity challenges, including the Cyberspace Solarium Commission's recommendations, which led to crucial legislative changes benefiting CISA and the broader cybersecurity framework. The focus remains on enhancing collaboration without becoming a regulator, relying on technical expertise and partnerships to reduce risks across sectors. Recruitment and relationship-building with industry and hackers align with this effort.

  • 00:25:00 - 00:30:00

    The emphasis is placed on recruiting expertise from DEFCON attendees to improve the U.S. cybersecurity landscape. The conversation highlights projects like CHARIOT, which aims to strengthen critical infrastructure resilience. Participants are urged to contribute their insights to help prioritize threats and develop scenarios for preparedness exercises, reinforcing the importance of partnerships in building national cyber resilience.

  • 00:30:00 - 00:38:48

    China's potential threats to critical infrastructure in the event of a Taiwan conflict are highlighted as key concerns. Recent intelligence suggests a shift towards disruptive capabilities beyond espionage. Preparedness and resilience, learning from Ukraine's experiences, are deemed crucial to mitigating these risks. Collaboration and quick action are necessary to ensure readiness and maintain public confidence in the government's protective capabilities.


Video Q&A

  • What incident in 2021 prompted new cybersecurity regulations?

    The Colonial Pipeline ransomware attack of May 2021 prompted new cybersecurity regulations.

  • What was a major regulatory change after the Colonial Pipeline attack?

    A major change was the requirement for critical infrastructure owners to report significant cyber incidents to CISA.

  • What is the significance of reporting cyber incidents to CISA?

    Centralized reporting to CISA is meant to streamline the process and prevent confusion by ensuring all agencies receive uniform information.

  • How did TSA change its approach to cybersecurity after initial industry pushback?

    TSA shifted from prescriptive activities-based requirements to outcomes-based performance measures, allowing flexibility for operators.

  • What sectors are prioritized due to their vulnerability to cyberattacks?

    Priority sectors include hospitals, K-12 schools, water facilities, and local election offices due to their vulnerability and impact of cyberattacks.

  • What is the CHARIOT project?

    CHARIOT is a collaborative project aimed at hardening critical infrastructure through risk reduction in information and operational technology.

  • Why is the US trying to harmonize cyber incident reporting requirements?

    The goal is to provide a consistent and clear reporting framework across federal agencies to enhance cybersecurity resilience.

  • What role does CISA aim to play in the cybersecurity landscape?

    CISA aims to be a collaborative non-regulatory partner to industry, focusing on building trusted relationships to improve security.

Subtitles
  • 00:00:54
    How's this?
  • 00:00:55
    [inaudible 00:00:57].
  • 00:00:56
    Closer.
  • 00:00:57
    Closer.
  • 00:00:58
    Probably going to apply for you guys too.
  • 00:00:59
    How's this?
  • 00:01:00
    Yeah.
  • 00:01:01
    Great, thank you.
  • 00:01:02
    I want to start with a really brief catch up.
  • 00:01:05
    There's an incident in 2021.
  • 00:01:08
    Maybe some of you guys heard of it.
  • 00:01:09
    It's called Colonial Pipeline.
  • 00:01:10
    There's a ransomware attack.
  • 00:01:13
    You guys have heard, that's right, that prompted a series of regulations.
  • 00:01:20
    Can you give us-
  • 00:01:23
    [inaudible 00:01:21].
  • 00:01:25
    ... a very quick-
  • 00:01:26
    Closer.
  • 00:01:27
    ... you give us very quick overview of the regulations that you have overseen in those
  • 00:01:29
    two years since then?
  • 00:01:31
    Sure, so as you mentioned, May, 2021, early May, ransomware attack, East Coast Pipeline
  • 00:01:37
    had systemic impact across the East Coast.
  • 00:01:40
    What we did in working with our partners in CISA was immediately put out a requirement
  • 00:01:45
    that any owner and operator of critical infrastructure had to report any significant cyber incident
  • 00:01:50
    because when this one occurred, company asked, "Hey, how many other pipelines have suffered
  • 00:01:55
    this kind of attack?"
  • 00:01:56
    And we didn't have that answer.
  • 00:01:58
    So we put that regulation out first.
  • 00:02:00
    That came out in the very same month in May.
  • 00:02:03
    But interestingly, and I think really importantly for our talk this afternoon is that reporting
  • 00:02:08
    went to CISA, not to TSA intentionally because we're trying to centralize reporting.
  • 00:02:14
    We're trying to make it easier on the owners and operators of critical infrastructure in
  • 00:02:18
    the country.
  • 00:02:19
    And you can imagine if you have a reporting requirement to several different federal agencies,
  • 00:02:24
    every agency is going to hear it a little bit differently.
  • 00:02:28
    And so that introduces an element potentially of confusion.
  • 00:02:31
    So having a report go in at the same time, one central location, and then having CISA
  • 00:02:38
    push it out to all of the affected agencies has really been my view of best practice.
  • 00:02:43
    The other thing that we didn't know at the time, but certainly now is part of the national
  • 00:02:47
    cyber strategy, is to harmonize our reporting requirements across the federal government.
  • 00:02:52
    And this was really the very first attempt to do that.
  • 00:02:55
    And I would credit CISA for doing just a fabulous job of giving us, in near real time, reports
  • 00:03:02
    of those incidents.
  • 00:03:03
    And it's really, I think worked out incredibly well.
  • 00:03:08
    Whoo.
  • 00:03:11
    I have more questions, but you'll follow on that.
  • 00:03:16
    That's cool.
  • 00:03:17
    Okay.
  • 00:03:18
    We've done several kind of pre-briefing chats and these two are so chummy.
  • 00:03:21
    Sorry.
  • 00:03:22
    No, no, no.
  • 00:03:24
    It's government working.
  • 00:03:25
    I want to ask you a really point blank, that was such a high profile, the most high profile,
  • 00:03:31
    I work in news, I can say that definitively, the most high profile ransomware incident
  • 00:03:36
    and there has not been anything like it in any of the jurisdictions or the CSA, is that
  • 00:03:43
    why these regulations and the partnership with CISA.
  • 00:03:46
    Is that why?
  • 00:03:47
    I would love to be able to claim that, I can't, but one of the things that we did do as well,
  • 00:03:52
    I mean that was the reporting requirement.
  • 00:03:53
    What was important that we did right after that in July was issue some requirements for
  • 00:03:59
    the owners of critical pipeline infrastructure.
  • 00:04:01
    So that's important.
  • 00:04:02
    It wasn't all pipeline infrastructure, it was critical pipeline infrastructure, to implement
  • 00:04:08
    certain measures to protect their systems.
  • 00:04:11
    A future attack, not necessarily ransomware, but a future attack on their information or
  • 00:04:15
    operating systems.
  • 00:04:18
    As many of you might remember, when we did issue that directive, because it was so specific
  • 00:04:23
    as to what was required, we got a good deal of pushback on that because the industry would
  • 00:04:29
    say that, "Hey, you're asking us to put things in place that are going to replace things.
  • 00:04:34
    We're already doing that.
  • 00:04:35
    Actually, we think it's to the point you want to get to better than what you're requiring
  • 00:04:40
    and you haven't fully considered the impact on our business model."
  • 00:04:45
    And so what we did in working with CISA and the FBI and the Pipeline Hazardous Material
  • 00:04:49
    Safety Agency over in DOT and the Department of Energy was we had a series of round tables
  • 00:04:55
    with industry just to talk through this.
  • 00:04:58
    Net result was we went from a very prescriptive activities-based requirement to a performance-based
  • 00:05:04
    model, which I think is our superior, what we were doing before, and a huge credit to
  • 00:05:11
    our industry partners for working with us on that.
  • 00:05:14
    So we made really a 180 degree pivot on our approach to this particular regulation.
  • 00:05:21
    And I think that's a forbearer of change we'll make to regulations in the future for TSA.
  • 00:05:26
    So instead of saying, "Hey, achieve these certain activities and report on those activities,"
  • 00:05:32
    we said, "Hey, there are certain outcomes we want you to achieve.
  • 00:05:36
    You come back to us on our operator and tell us how you intend to achieve that outcome,
  • 00:05:42
    and then we'll work with you to approve that implementation plan."
  • 00:05:45
    And then the follow on to that is, and this is really important, this is where the stage
  • 00:05:50
    we're at today is come back to us also after your implementation plan is approved and tell
  • 00:05:56
    us objectively how you are achieving those outcomes.
  • 00:06:00
    So it's not just us, how you're doing and implementing those particular measures that
  • 00:06:03
    you proposed and we approved, but also how are those measures and the accomplishment
  • 00:06:08
    of those measures contributing to the achievement of the outcome?
  • 00:06:12
    That's really important.
  • 00:06:13
    That's the stage that we're at today, and I'm really optimistic on how this is going
  • 00:06:17
    to work 'cause we've already seen some of the initial plans and they look pretty good,
  • 00:06:22
    so we're going to be working through that over the course of the next couple of weeks.
  • 00:06:28
    The US did not have any kind of cyber regulation like this kind of infamously for years until
  • 00:06:34
    this point.
  • 00:06:37
    This is America.
  • 00:06:38
    A lot of businesses don't care for government regulation.
  • 00:06:45
    Is it the case when you speak with leaders of these companies, are they completely on
  • 00:06:51
    board?
  • 00:06:52
    Are there some that would like more regulation?
  • 00:06:54
    Are there some that would like things to be done a little differently?
  • 00:06:56
    Well, you raised an important point, Kevin, is when you speak, and I would offer that
  • 00:07:04
    we speak frequently to our industry partners, to the companies that we regulate.
  • 00:07:11
    I would say that there's a more robust exchange of information as a result of this approach
  • 00:07:16
    than there was before.
  • 00:07:18
    One of the things that we did at the very beginning when we saw this threat that is
  • 00:07:22
    not simply a ransomware threat, it is much more significant than that, that we needed
  • 00:07:28
    to work really quickly to close vulnerabilities that we had across our critical infrastructure
  • 00:07:34
    in the country.
  • 00:07:35
    And so we felt it was important that we bring the chief executive officers of those companies
  • 00:07:42
    in for a classified briefing on the threat because we really wanted them to understand
  • 00:07:48
    this is the threat that we see from the intelligence community in the United States, which is incredible
  • 00:07:54
    in their capability to inform policy decision makers like Jen and me.
  • 00:08:00
    And so we brought the CEOs in for those threat briefs.
  • 00:08:02
    They were in the White House.
  • 00:08:05
    It was really the start of a very good relationship because they saw what we were seeing and the
  • 00:08:11
    CEOs knew that their CIO and their CISO was going to come to them shortly with a resource
  • 00:08:17
    request, maybe some procedural changes, certainly a request for more people.
  • 00:08:21
    And the CEOs knew what was behind that, what was the reasoning for that.
  • 00:08:26
    But you can't just do it once.
  • 00:08:28
    This can't be a one and done exchange of information.
  • 00:08:31
    And so what we've established, and Jen can speak to the processes that parallel ours,
  • 00:08:37
    but are very complementary to what we do in terms of making sure there's good, robust
  • 00:08:43
    exchanges of information between us.
  • 00:08:45
    We have regular updates to the CEOs and then regular updates to the CIOs and the CISOs
  • 00:08:51
    of these companies as this threat evolves.
  • 00:08:53
    And one of the things that you always think about is, "Hey, I heard the threat.
  • 00:08:56
    I understand it, I see it.
  • 00:08:57
    Is it still present today?"
  • 00:08:59
    And this just reaffirms to them.
  • 00:09:01
    Yes, it's still present today actually in many ways it's more concerning today than
  • 00:09:04
    it was yesterday.
  • 00:09:05
    And so we need to really work very hard to close the vulnerabilities that we might have.
  • 00:09:10
    Yeah, I mean, jump in with a couple of things.
  • 00:09:14
    First of all, great to be here with you all.
  • 00:09:17
    Kevin mentioned that Dave and I are chummy.
  • 00:09:20
    Look, at the end of the day, this is what you want your government to be.
  • 00:09:25
    You want your government to be elaborative and cohesive.
  • 00:09:29
    And so I think it's a really good news story and one that has evolved in terms of how collaborative
  • 00:09:36
    we all are working together.
  • 00:09:38
    And I think it was a really good news story of how closely our teams work after Colonial
  • 00:09:44
    Pipeline.
  • 00:09:45
    I was not actually in government then.
  • 00:09:46
    I was still at Morgan Stanley at that point in time, but certainly saw it from the perspective
  • 00:09:50
    of being in the private sector and frankly being in a highly regulated industry.
  • 00:09:54
    A couple of things I'll say is it really was a watershed moment in many ways that certainly
  • 00:10:01
    led to the security directives that Dave talked about, but I don't think we would've gotten
  • 00:10:08
    what's called CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act if Colonial
  • 00:10:14
    Pipeline had not happened.
  • 00:10:16
    And it really is a watershed piece of legislation that frankly the Congress had been trying
  • 00:10:21
    to pass for more than a decade that was about mandating critical infrastructure report,
  • 00:10:28
    the CISA, if there was a significant cyber incident and we're in the final stages of
  • 00:10:34
    writing the rule, the notice of rulemaking should come out early next year and will hopefully
  • 00:10:40
    implement it by next year.
  • 00:10:41
    But it's really, really important.
  • 00:10:44
    Why?
  • 00:10:45
    Because you read so much about ransomware going up, ransomware going down.
  • 00:10:49
    My general belief is we just don't know.
  • 00:10:54
    We just don't have a really good handle on the scope and scale of the ecosystem of cyber
  • 00:11:00
    incidents because frankly, it's not mandatory for reporting across the board.
  • 00:11:05
    So I think for the first time we'll actually be able to understand what the scope is of
  • 00:11:11
    incidents and whether all the work that we've been doing across the federal government,
  • 00:11:16
    across industry, across state and local, across the globe is actually leading to reduce risk.
  • 00:11:22
    Because at the end of the day, that's what we're trying to do.
  • 00:11:26
    We're not trying to create punishments.
  • 00:11:29
    We're really trying to work with industry in a collaborative, consultative way to ensure
  • 00:11:34
    that we can help them reduce risk.
  • 00:11:37
    And the last thing I'd say to Kevin's question is when I first came on board, which was in
  • 00:11:42
    July, we did actually hear a lot of pushback from the industry groups about one of the
  • 00:11:48
    directives.
  • 00:11:49
    And I will tell you, we recently, Dave and I, had a meeting with CEOs where they could
  • 00:11:54
    not have been more complimentary about the evolution of working with them in a consultative
  • 00:12:00
    way.
  • 00:12:01
    I think part of that was the threat briefing, but part of that was just fricking listening.
  • 00:12:06
    And that's why you see people like me and Dave because we realize how important it is
  • 00:12:11
    to listen, to listen to industry, to listen to the hacker community because we sure can't
  • 00:12:17
    do this on our own.
  • 00:12:19
    I want to be clear here.
  • 00:12:20
    When you talk about this threat briefing, are we talking this is related to Colonial
  • 00:12:24
    or are we talking more recently?
  • 00:12:26
    No, we've done threat briefing certainly for pipelines.
  • 00:12:28
    It wasn't related to the ransomware attack specifically.
  • 00:12:33
    It was related to, "Hey, what is the overall threat picture for critical infrastructure,
  • 00:12:38
    particularly for transportation infrastructure and energy infrastructure in the country?"
  • 00:12:43
    Same brief, essentially very, very similar to the rail sector, the transit sector and
  • 00:12:48
    now to air carriers and airports.
  • 00:12:51
    So across the transportation sector, we've been able to provide this level of visibility
  • 00:12:56
    to the top owners and operators of these systems.
  • 00:13:05
    You've got this, what seems like you're saying is an extremely effective partnership that
  • 00:13:10
    works for you.
  • 00:13:12
    What other sectors would you like to have that kind of, if the red tape was not as much
  • 00:13:16
    of an issue, I'm thinking, I'm reporting all the time on ransomware attacks on hospitals
  • 00:13:22
    or diverting ambulances that are hampering care.
  • 00:13:24
    There's schools that are still being shut down all the time.
  • 00:13:27
    Yeah, so one of the things that we did last year when we were thinking about what are
  • 00:13:32
    our priorities for the upcoming year was what are those sectors we called target rich, cyber
  • 00:13:38
    poor, to Kevin's point, who were getting hit with ransomware in a way, in a pretty bad
  • 00:13:44
    way that could actually have very significant impacts?
  • 00:13:48
    Though my mom is 90 and she's in and out of the hospital, right?
  • 00:13:53
    And I am always very, very concerned as I have in the back of my mind all of these hospitals
  • 00:13:58
    that have been hit with ransomware.
  • 00:14:00
    You saw the recent one, Prospect Medical Hospitals I think, or Medical Holdings where we've seen
  • 00:14:06
    hospitals across the country that had to divert patients or change elective surgeries.
  • 00:14:12
    It's really scary.
  • 00:14:13
    And so we actually picked priority sectors that we knew fell into this.
  • 00:14:18
    So hospitals in particular, rural hospitals, K through 12 schools and water facilities,
  • 00:14:24
    because that's a sector that I'm particularly concerned about.
  • 00:14:27
    And then we also have a big focus over this year going into next on local election offices.
  • 00:14:32
    And we did it for a couple reasons.
  • 00:14:34
    So one of the roles, we of course were set up to be America's civilian Cyber Defense
  • 00:14:39
    Agency, but in statute we also play this role of national coordinator for critical infrastructure,
  • 00:14:45
    security and resilience.
  • 00:14:46
    What does that mean?
  • 00:14:47
    It means that we sort of sit at the center of working with departments and agencies that
  • 00:14:52
    have a role to be the sector risk management agency.
  • 00:14:55
    So Dave is the sector, TSA is the sector risk management agency for oil and natural gas
  • 00:15:01
    pipelines, for rail, for aviation.
  • 00:15:04
    And we work with him and all of the other departments and agencies who ensure that sector
  • 00:15:11
    risk management agencies and industry have the risk guidance, the information, the resources,
  • 00:15:17
    the capabilities, the best practices that we all need to be able to reduce risk critical
  • 00:15:23
    infrastructure that Americans rely on every hour of every day.
  • 00:15:27
    So a really, really important role that we play.
  • 00:15:32
    And with respect to the target rich resource poor, it's why we've been working hand in
  • 00:15:36
    hand with HHS.
  • 00:15:37
    So my deputy, Nitin Natarajan, who's fantastic, started out as a medic and spent a lot of
  • 00:15:44
    time in HHS so he's been working hand in hand with HHS and the American Hospital Association
  • 00:15:50
    to put resources in place to reduce risk in hospitals.
  • 00:15:54
    We've been working with K through 12.
  • 00:15:55
    There was a big White House event earlier this week where we had-
  • 00:15:59
    Interrupted by tornadoes.
  • 00:16:00
    ...superintendents...
  • 00:16:01
    Say it again?
  • 00:16:02
    Interrupted by a tornado.
  • 00:16:03
    Interrupted by a tornado, but amazing that we were able to actually flip it a day.
  • 00:16:07
    And it was so important to the First Lady that she actually rearranged her whole schedule
  • 00:16:10
    to be there.
  • 00:16:11
    We had all these superintendents so that we could work together with schools.
  • 00:16:15
    We're doing the same thing with water, and then again, local election offices.
  • 00:16:18
    And so part of this just goes back to the partnerships.
  • 00:16:22
    CISA has incredible technical expertise.
  • 00:16:24
    We've got a lot of it here, so hopefully you're meeting our CISA colleagues.
  • 00:16:28
    But those departments and agencies have incredible technical expertise in those sectors that
  • 00:16:33
    we don't have about rail, about aviation, about hospitals, about water.
  • 00:16:38
    And so when you bring that together along with our partnerships with industry, you really
  • 00:16:42
    can collaborate to reduce risk.
  • 00:16:46
    Do you feel like you have enough in terms of policy allowance to address those specific
  • 00:16:54
    sectors or would you like more?
  • 00:16:56
    Yeah, I mean I feel like I'm always grateful to the Cyberspace Solarium Commission folks
  • 00:17:02
    and Dave was on there as well.
  • 00:17:04
    So some of you might know it was a commission set up by Congress several years ago.
  • 00:17:09
    It was chaired by Angus King of Maine and Mike Gallagher of Wisconsin.
  • 00:17:14
    It had senior leaders from across the federal government.
  • 00:17:17
    You know, I often say, so the government sets up commissions all the time, and some of them
  • 00:17:23
    meet a lot and don't really get much done.
  • 00:17:26
    In my 30 plus years in government, I've seen two commissions that actually got shit done.
  • 00:17:32
    One was the 9/11 Commission, the second was the Cyberspace Solarium Commission that literally
  • 00:17:37
    made 75 recommendations, and more than half of them are in legislation.
  • 00:17:43
    And CISA benefited incredibly from those recommendations that got put into law in 2021.
  • 00:17:50
    And I benefited when I came in as director.
  • 00:17:53
    And so some of the things that we would've wanted, frankly, several years ago, that my
  • 00:17:58
    great friend Chris Krebs may have wanted, the ability to hunt persistently on federal
  • 00:18:03
    networks, the ability to work directly with our sector risk management agencies to actually
  • 00:18:08
    put measures in place to keep sectors safe, the authorities, we have to stand up the Joint
  • 00:18:13
    Cyber Defense Collaborative.
  • 00:18:15
    I feel like we're in, and then CIRCIA of course, I feel like we're in a very positive place
  • 00:18:20
    with respect to our authorities.
  • 00:18:22
    I often get asked, well, do you want regulatory authorities?
  • 00:18:26
    And I always say no.
  • 00:18:27
    CISA doesn't want to be a regulator.
  • 00:18:29
    We work very closely with regulators.
  • 00:18:31
    But at the end of the day, the magic of CISA is our ability through our technical expertise
  • 00:18:37
    and our trusted partnerships, to be able to work across industry in a way that frankly
  • 00:18:43
    is a little bit harder with regulators.
  • 00:18:46
    So I think we're cool.
  • 00:18:49
    Okay.
  • 00:18:50
    I don't know, probably most of you can't see this, but Jen's arm, she has what appears
  • 00:18:57
    to be a temporary tattoo or is this a full thing?
  • 00:19:01
    You have multiple-
  • 00:19:02
    This one's real and these are temporary.
  • 00:19:04
    But since you brought it up, here's the funny story.
  • 00:19:07
    So we are recruiting for technical experts, and I was like, I'm so into it because we've
  • 00:19:12
    hired like 1,330 people since I came on board.
  • 00:19:16
    I'm going to tattoo.
  • 00:19:17
    They are temporary.
  • 00:19:19
    I would do it if somebody had time.
  • 00:19:21
    So, oh my God, like we made these temporary tattoos and they put it on, like, "Yeah, let's
  • 00:19:27
    go for it."
  • 00:19:29
    And it just doesn't work.
  • 00:19:31
    It was like this morning, "Let's do another one."
  • 00:19:34
    And it doesn't work.
  • 00:19:35
    So we have the QR code separately.
  • 00:19:36
    My whole body's going to be tattooed with these temporary tattoos, but we're hiring
  • 00:19:41
    people.
  • 00:19:42
    So come see us.
  • 00:19:43
    We have real QR codes that work, not on my body.
  • 00:19:47
    This really was my lead in to let you guys kind of make the pitch for, I think, a substantial
  • 00:19:51
    reason why you guys are here.
  • 00:19:54
    But also, I've been coming to DEFCON for almost 10 years.
  • 00:19:57
    There are a lot more federal officials giving talks these days.
  • 00:20:00
    And it's for a reason, I think.
  • 00:20:01
    Well, I would say the key reason is you have, in the audience, expertise that we desperately
  • 00:20:08
    need.
  • 00:20:09
    You have perspective we desperately need.
  • 00:20:11
    I mean, you heard about the work that we're doing.
  • 00:20:14
    I would want to make sure that the work we do is based on the very best information that
  • 00:20:18
    we can gather.
  • 00:20:19
    And so we're here to really seek your advice, your counsel.
  • 00:20:23
    We have some mechanisms to be able to do that.
  • 00:20:26
    And then the other one is just clearly, like Jen said, we're here because we're hiring.
  • 00:20:32
    We need talent.
  • 00:20:33
    And I think I can tell you from my own experience working in the federal government, I'm six
  • 00:20:38
    years into being the TSA administrator.
  • 00:20:42
    The work we do together with CISA, with the FBI, with the Department of Transportation,
  • 00:20:47
    the White House is incredibly rewarding.
  • 00:20:49
    I mean, you have impact at a scale that is just challenging at times, but the benefits
  • 00:20:58
    are incredibly rewarding.
  • 00:20:59
    And we had a great booth here at DEFCON, offered up a lot of decals, offered up a lot of ways
  • 00:21:07
    to approach TSA for positions.
  • 00:21:10
    But if you're interested, please give it consideration.
  • 00:21:12
    And I think too that in my career, the ability to build a network is really important for
  • 00:21:18
    your success throughout your career.
  • 00:21:20
    And if you come into government, you build a network inside government when you return
  • 00:21:24
    to the private sector, if you do, you continue to keep those relationships and that network
  • 00:21:28
    you have in the private sector, very warm.
  • 00:21:30
    And I think that really helps the entire system work incredibly well.
  • 00:21:34
    So that's what we'd really like to encourage you to do is if you know somebody who has
  • 00:21:40
    talent that you think we could benefit by, please encourage them to look up CISA, look
  • 00:21:45
    up TSA, look up any sector risk management agency, quite frankly, because we all need
  • 00:21:50
    the talent.
  • 00:21:51
    We also announced earlier in this conference a project that Jen and I have together, it's
  • 00:21:57
    called CHARIOT and so we wrestled with the acronym, but we felt, okay, chariot is a transportation
  • 00:22:05
    thing, and this is a transportation project, and we are at Caesars so the chariot and Caesar
  • 00:22:12
    sort of go together, but what CHARIOT stands for is Critical Infrastructure Hardening Achieved
  • 00:22:20
    through Risk Reduction Information and Operational Technology.
  • 00:22:25
    Whoo.
  • 00:22:26
    Way to go.
  • 00:22:29
    Thanks.
  • 00:22:30
    I've been practicing a lot, but basically what it stands for, it's a partnership between
  • 00:22:36
    TSA, between CISA, between the Department of Homeland Security Science and Technology
  • 00:22:41
    Directorate, between the Pipeline Hazardous Material Safety Administration and the Federal
  • 00:22:46
    Railway Administration and also the Pacific Northwest National Laboratory.
  • 00:22:51
    And what we'd like to do is to get more industry input and your input on, hey, if you looked
  • 00:22:59
    at the rail sector or the pipeline sector, how would you prioritize the risk as a hacker
  • 00:23:05
    to those sectors?
  • 00:23:07
    And then the other important part is I mentioned, hey, we need to have an objective way to assure
  • 00:23:13
    ourselves and to assure the public what we're doing is having a beneficial effect.
  • 00:23:20
    What we're doing is making these systems more protected and making these systems more resilient.
  • 00:23:26
    So if attacked even partially, they can get up and running in a relatively quick fashion.
  • 00:23:32
    And so what we'd like to develop are threat scenarios that then we can introduce into
  • 00:23:37
    tabletop exercises, because as you know better than I, a cyber attack will manifest itself
  • 00:23:43
    in a physical way, and that requires a different response than a purely cyber response to get
  • 00:23:48
    back up and operating.
  • 00:23:50
    And so if you could really help us with giving us sort of a risk prioritization and also
  • 00:23:55
    helping us develop those threat scenarios so we can play out those threat scenarios.
  • 00:24:01
    And we promise that what we will do in a future DEFCON is to provide you feedback as to how
  • 00:24:06
    that went.
  • 00:24:07
    And I'm hoping that when I come back next year, and I'll declare myself a new guy again
  • 00:24:12
    next year so I can do the shots.
  • 00:24:13
    It's not really my first.
  • 00:24:15
    I know, nor Jen's, but to give you some feedback as to, "Hey, how did that go?
  • 00:24:21
    What did we develop out of it?"
  • 00:24:23
    We had an initial round table yesterday on this.
  • 00:24:27
    Got some really good results.
  • 00:24:28
    So I just ask you to think of Project CHARIOT.
  • 00:24:30
    It's really a way for you to really help us out and to help the country out and help everybody
  • 00:24:36
    that lives in the United States to make them feel more protected.
  • 00:24:40
    And Jen's point about the hospital system to make sure that the critical infrastructure
  • 00:24:45
    that all of us depend on for ourselves and for our families and for our friends and our
  • 00:24:49
    communities is back on its feet as quickly as it can if it's ever attacked.
  • 00:24:54
    A couple of things about why we're here.
  • 00:24:58
    Obviously recruiting is one, but one of the really cool things that we've been focused
  • 00:25:03
    on over the last year is creating a partnership with the hacker community to help us get ahead
  • 00:25:10
    of the ransomware problem.
  • 00:25:12
    This was also part of what we learned from Colonial Pipeline is we really need to be
  • 00:25:20
    able to rely on partners who are seeing malware before it actually gets activated.
  • 00:25:29
    And so there's some fantastic researchers out there.
  • 00:25:32
    There's threat intel people.
  • 00:25:33
    There's some industry folks who have been giving our team in the Joint Cyber Defense
  • 00:25:39
    Collaborative essentially tips.
  • 00:25:42
    And so it's part of what we call our pre-ransomware notification initiative.
  • 00:25:47
    And so we've been getting tips.
  • 00:25:49
    We take those tips.
  • 00:25:51
    When malware is laid down, it could be anywhere between five to 48 hours before it's actually
  • 00:25:57
    activated and data is encrypted.
  • 00:26:01
    And so we then use our field force.
  • 00:26:03
    So one of the other things we've been building over the past two years are cybersecurity
  • 00:26:07
    advisors across the country.
  • 00:26:10
    So we have them in every state of the nation I think at this point in time.
  • 00:26:14
    And they then take these tips and then they've been reaching out to let people know, "Hey,
  • 00:26:18
    it looks like you have something on your system.
  • 00:26:21
    You need to do something about it right away."
  • 00:26:23
    And we've done it now 600 plus times to schools, to also internationally.
  • 00:26:30
    And we've really been able to make an impact.
  • 00:26:32
    And again, the thing that I love most about this is it's all based on trust.
  • 00:26:37
    I mean, it's the most important currency is people reach out to us because they trust
  • 00:26:42
    us with the information and they believe we're going to do things about it.
  • 00:26:46
    So going to do something good with it.
  • 00:26:47
    And so again, that's really what this community is all about, is how do we use our skills
  • 00:26:54
    to make a difference, to make an impact for the betterment of the nation.
  • 00:27:00
    Speaking of that, you've got a four-year term.
  • 00:27:02
    I won't ask you to speculate right now on whether they'll keep going, but if you want
  • 00:27:07
    to you can.
  • 00:27:08
    What would you like to see the ransomware defense landscape look like five years from
  • 00:27:16
    now?
  • 00:27:24
    I mean, no more ransomware.
  • 00:27:25
    So look, I appreciate you asking the question because I have long thought that we cannot
  • 00:27:33
    keep doing the same thing that we're doing and expect a different outcome.
  • 00:27:37
    And it's one of the reasons my teammate Eric Goldstein, who heads up cyber for CISA, and
  • 00:27:44
    I wrote this article earlier this year, which was really trying to get at what is a more
  • 00:27:48
    sustainable approach to cybersecurity?
  • 00:27:51
    One that can actually make a difference.
  • 00:27:54
    And we talked about four things.
  • 00:27:55
    One is this concept of cyber civil defense.
  • 00:27:58
    One is our persistent operational collaboration.
  • 00:28:02
    One is corporate cyber responsibility, but the one that we think can make the most difference
  • 00:28:06
    in driving down the threat impact is secure by design technology.
  • 00:28:14
    We now live in a crazy world where we've normalized the fact that technology products come off
  • 00:28:20
    the line full of vulnerabilities that can be exploited by threat actors.
  • 00:28:26
    And so we've accepted this and it's frankly perverse, and we really need to change the
  • 00:28:32
    paradigm where technology companies are not just focused on speed to market and cost and
  • 00:28:39
    cool features, but first and foremost on creating tech that is safe and secure.
  • 00:28:46
    I mean, let's be real, right?
  • 00:28:48
    There's a multi-billion dollar cybersecurity industry because technology companies have
  • 00:28:54
    never had to focus first and foremost on security.
  • 00:28:57
    The incentives were all misaligned.
  • 00:29:00
    And so we're really trying to work with our partners across the government.
  • 00:29:05
    We did a workshop earlier today with our teammates at the National Cyber Director's Office to
  • 00:29:10
    really catalyze what I call a secure by design revolution.
  • 00:29:14
    And I would ask everybody, if you haven't seen the stuff that we put out, we put out
  • 00:29:19
    a white paper, it's on our web page, please go to cisa.gov/securebydesign and take a look
  • 00:29:26
    at that because we want feedback, we want to refine this.
  • 00:29:30
    We want to bring in more partners because at the end of the day, we want to ensure that
  • 00:29:35
    we now have a market signal coming from customers that we all care about security for our persons,
  • 00:29:42
    for our personal, for our family, for our communities, for our businesses.
  • 00:29:48
    And I think frankly, Kevin, if we're going to have a real dent in the ransomware system,
  • 00:29:53
    we need to start with ensuring that technology is safe.
  • 00:29:57
    Sorry, do you [inaudible 00:30:01]?
  • 00:30:01
    No.
  • 00:30:02
    I would like to pivot this conversation now to the threat landscape that both of you see.
  • 00:30:09
    We had chatted a little bit ahead of time, and I had assumed the two giant threats that
  • 00:30:17
    I feel like I'm hearing about all the time are ransomware often from Russian-related criminal
  • 00:30:22
    groups and a barrage of Chinese espionage.
  • 00:30:27
    And I hope you don't, this is not a breach of confidence to say you were kind of quick
  • 00:30:32
    to correct me.
  • 00:30:34
    I think I had maybe underestimated the extent to which maybe China...
  • 00:30:39
    I'll let you define that, I don't want to...
  • 00:30:43
    Yeah.
  • 00:30:44
    So I've talked about the two epoch defining threats and issues that I'm concerned about.
  • 00:30:51
    One is AI.
  • 00:30:52
    I mentioned AI because you can't have a conversation without mentioning AI, so that's done, right?
  • 00:30:57
    Yeah, did it.
  • 00:30:59
    And then let's talk about China.
  • 00:31:01
    I think at the end of the day, if you look at some of the information that the US government
  • 00:31:09
    has put out over the past six months, and then you look at what is happening across
  • 00:31:15
    the geopolitical landscape, I hope that people are taking seriously a pretty stark warning
  • 00:31:22
    about the potential for China to use their very formidable capabilities in the event
  • 00:31:30
    of a conflict in the Taiwan Straits to go after our critical infrastructure.
  • 00:31:35
    And I think we've seen a change, and frankly you saw it in some of the products that we
  • 00:31:40
    put out earlier this year, a cybersecurity advisory that talked about Chinese state-sponsored
  • 00:31:46
    actors living off the land, so not malware, but actually using the native processes of
  • 00:31:51
    a computer to hide in those systems.
  • 00:31:55
    And it wasn't for espionage or data theft, which we've been seeing arguably for decades.
  • 00:32:01
    It was more likely for disruption and destruction.
  • 00:32:05
    And if you read the intelligence community Annual Threat Assessment, there's a pretty
  • 00:32:09
    stark warning that talks about in the event of a conflict, China will almost certainly
  • 00:32:14
    consider aggressive cyber attacks against US critical infrastructure and is almost certainly
  • 00:32:22
    capable of disruption or destruction when it comes to oil and natural gas pipelines
  • 00:32:27
    and railroads.
  • 00:32:29
    And so I really, what we've been talking about, Kevin, is we need to take this warning very
  • 00:32:34
    seriously, and that's why we've been talking so much.
  • 00:32:37
    And Viktor Zhora and I, my counterpart in Ukraine, talked at Black Hat about the importance
  • 00:32:42
    of resilience, expecting that there will be disruption and planning and preparing for
  • 00:32:48
    it now, identifying your high value assets, doing the exercises to be able to put in place
  • 00:32:53
    manual overrides, manual controls to be able to operate in a degraded state, and then ensuring
  • 00:32:59
    that you can recover as rapidly as possible to mitigate risk.
  • 00:33:04
    So think about Ukraine as really a shining example of not just cyber resilience, but
  • 00:33:08
    also operational resilience, dealing with all the barbaric kinetic attacks.
  • 00:33:13
    And then very importantly, societal resilience, which I fear we have lost as a nation.
  • 00:33:18
    If you look at the reaction to Colonial Pipeline, if you look at the reaction to the high altitude
  • 00:33:24
    balloons, at the end of the day, we need to be pretty pragmatic about the potential for
  • 00:33:31
    these attacks, be prepared to meet them with resilience and frankly, with unity as an American
  • 00:33:38
    people.
  • 00:33:40
    And I think too, that...
  • 00:33:48
    time is not our friend in this quest.
  • 00:33:51
    We need to move very, very quickly.
  • 00:33:52
    That's why we've moved so quickly and so have our industry partners.
  • 00:33:56
    I mean, there's literally, we need to be ready now.
  • 00:34:00
    And the more we can do to make sure that we're not worrying about how ready we are, we know
  • 00:34:08
    how ready we are, and we know how we can manage any kind of attack on US systems in a way
  • 00:34:16
    that protects our ability to respond and in a way that protects our population and that
  • 00:34:22
    allows our population to have confidence in its government and have confidence in its
  • 00:34:28
    industry leaders that they've done everything they can to be ready for this.
  • 00:34:31
    So preparedness is the name of the game here.
  • 00:34:35
    Jen, you mentioned speaking with Viktor Zhora your counterpart in Ukraine, and not just
  • 00:34:44
    in cyber and all kinds of ways that the US government has provided really substantial
  • 00:34:48
    assistance to Ukraine, an ally, being bullied by a much larger antagonistic nation to the
  • 00:34:56
    United States.
  • 00:34:58
    There are some ways in which you can map that onto China-Taiwan, but we have a more fraught
  • 00:35:03
    diplomatic relationship with Taiwan.
  • 00:35:05
    Does that impact the ability to share cyber threat information, things like that in such
  • 00:35:13
    a [inaudible 00:35:14]?
  • 00:35:14
    Yeah, I mean, it's something we're frankly thinking really hard about, and I've been
  • 00:35:18
    really encouraged.
  • 00:35:19
    So we signed a memorandum of cooperation with Ukraine just about a year ago, and we very
  • 00:35:27
    purposefully put a lot of resources into how we could help build capacity, both in terms
  • 00:35:35
    of threat hunting kits, how we share very detailed threat information, how we do exercises,
  • 00:35:44
    a cyber incident response plan, working with other international partners like the Canadians
  • 00:35:51
    who are going to do forensic training with them.
  • 00:35:53
    And so really deliberately putting a lot into these lines of effort.
  • 00:35:59
    And we have gotten probably as much out of it as the Ukrainians have because what they
  • 00:36:04
    have learned over the past year and a half, obviously, but 10 years since Crimea, I think,
  • 00:36:12
    has incredible teachings for us as we think about both capacity building with Taiwan,
  • 00:36:19
    which is something that I do think, to your point Kevin, we can map some of that.
  • 00:36:25
    And we certainly do share information with Taiwan CERT now, but we would want to figure
  • 00:36:30
    out how to help from a capacity-building front to ensure that, again, the lessons that we're
  • 00:36:37
    learning with respect to Russia's aggression over Ukraine can be applied.
  • 00:36:42
    I think it's really important.
  • 00:36:44
    Yep.
  • 00:36:46
    We are nearly out of time if you guys... oh, we have five minutes.
  • 00:36:48
    Do you have any closing remarks, anything you want to share with this audience while
  • 00:36:53
    you've got them captive?
  • 00:36:56
    Sure.
  • 00:36:57
    My closing comment is really just thank you.
  • 00:36:59
    Thank you for the welcome that we've received here over the last couple of days.
  • 00:37:03
    We've had about 30 TSA people here and really appreciate all the work that they have done
  • 00:37:09
    and all the education you have provided to all of us.
  • 00:37:13
    So really thank you and I look forward to continuing to develop a very good relationship
  • 00:37:18
    with DEFCON, so thank you very much.
  • 00:37:20
    Awesome.
  • 00:37:21
    So thanks Kevin for doing this.
  • 00:37:23
    Really appreciate it.
  • 00:37:24
    And thanks Dave.
  • 00:37:25
    Dave has been in the department for a long time.
  • 00:37:26
    You were like the Vice Commandant of the Coast Guard and the acting deputy secretary.
  • 00:37:31
    And Dave, I had not been in the Department of Homeland Security.
  • 00:37:34
    I was in DOD most of my career, and then I was in the private sector.
  • 00:37:37
    And so Dave's kind of been my Sherpa since I got to DHS and has been a really great friend
  • 00:37:44
    and teammate and colleague.
  • 00:37:45
    So I do want to thank you for your leadership and your partnership.
  • 00:37:50
    And yeah, I mean, this is such a great community.
  • 00:37:53
    That's my favorite time of the year.
  • 00:37:55
    I love the energy, I love the community.
  • 00:37:58
    I believe in what this community does, and I really, really think we can make a difference
  • 00:38:04
    for the nation.
  • 00:38:05
    So for those who are interested in working at Team CISA, please come chat with me and
  • 00:38:11
    my teammates, but really come work with us because we really want to collaborate, leveraging
  • 00:38:18
    all the skills you have and all the skills we have for the better of the nation.
  • 00:38:24
    And the last thing I'd say is I'm also doing the next talk with my friend Scott Shapiro,
  • 00:38:30
    who's a professor at Yale who wrote a great book called Fancy Bear Goes Phishing.
  • 00:38:34
    We have renamed the talk Beers and Bears.
  • 00:38:38
    So go get your beer and meet us back here at 5:30 for a great talk.
  • 00:38:44
    Thank you.
Tags
  • Cybersecurity
  • Ransomware
  • Regulations
  • Critical Infrastructure
  • CISA
  • TSA
  • Collaboration
  • Incidents Reporting