Ladies and gentlemen, welcome to New America. My name's Ian Wallace. I am a senior fellow here at New America and the co-director of the New America Cybersecurity Initiative. I'm conscious that 9.30 on a Monday morning is a demanding time to get a crowd together for any kind of think tank event. So thank you very much for coming and being here on time. And we expect other people will run in. But we have a lot to talk about, so let's get cracking. Firstly, for those people who do not know New America, we are a nonpartisan think tank. We've existed for 15 years. We cover the full gamut of public policy issues, but with a sort of common theme of technology running through those and sort of reinventing America for the 21st century. The one thing that sort of is consistent through all of technology, of course, is securing that technology. And we believe that's going to be increasingly important. So our cybersecurity initiative has existed for two years. We are fortunate enough to be funded generously by the Hewlett Foundation, which gives us the flexibility to focus on those things that we think are important. And we're very pleased to be able to do that. Quick word about this event. This stage was the venue for the rollout of the president's Cybersecurity National Action Plan in February with Michael Daniel and his White House team, which of course, as you know, included the announcement of a Commission on Enhancing National Cybersecurity. And we have, throughout the period of the commission's work, remained close to the commission and been sort of interested in what they do, not least because we were very pleased to see that several of the areas in which the commission was tasked, particularly state and local government, but also areas that depend on states and local governments for the policy, education, insurance, et cetera, are subjects that we have been working on and felt it was very important to keep track of and indeed support the commission's work.
And so we've been talking to Kirsten, who you'll meet shortly, and looking at how we can have an event. And we are very pleased to have the first opportunity to talk to Kirsten since the publication of the report, hear what the president had to say about it, and perhaps most importantly, how we think it's going to be implemented going forward. We also have, in our state and local work, been working very closely with the National Governors Association, and we're pleased to have Tim Blute with us, who again I will introduce in a moment. And he's very kindly agreed to sit on the panel and anchor this conversation in the broader context, not just focusing on the federal government, important though that is. Before we talk to Kirsten and Tim, I just want to give a little bit of a sense of how we'll run the day. We're going to have this conversation for 45 minutes, finishing at 10.15. And then run into a series of three panels, digging into a little bit more detail on some of the things that the report focuses on or indeed at least tees up for future conversations. Firstly, on education. Second, on regulation and legislation. And the third one on the role of the states, specifically in what they do in enhancing national cybersecurity. We'll wrap that all up at around about 12.15. A couple of admin points before we get going. If anyone needs a restroom, we're going to keep this rolling through. But if anyone needs to step out, feel free. Restrooms are back here and back behind the stairs over there. Feel free to refresh yourself with coffee and food if you feel the need. And we will be live tweeting this and live streaming it. So if you want to participate, we'll be live tweeting from our @NewAmCyber address using the hashtag #WON, whole of nation cyber. OK, let's get cracking. Welcome, Kirsten and Tim.
Kirsten Todd is the executive director of the Commission on Enhancing National Cybersecurity, a position which she's been in since the beginning of the commission in February 2016. Prior to that, she was president and managing partner of Liberty Group Ventures, in which capacity she supported, amongst other things, the drafting of the NIST framework, which is a very important part of this administration's cybersecurity policy. Back in the past, she has done various roles in the executive and the legislature: in the White House Domestic Policy Office, on the Hill, the Homeland Security Committee of the Senate, and she had a role in establishing the DHS. Tim is the program director of the Homeland Security and Public Safety Division of the National Governors Association, which is a big job in any circumstance. But this year, given Governor McAuliffe's decision to make cybersecurity the key policy issue for his term in charge of the NGA, it has been a particularly important position. Prior to joining the NGA, Tim was with the FBI and spent some time also with the United States Treasury. So let's get cracking. Kirsten, I guess the first question to ask is to summarize a 100-page document. What does the report say? And how did you get there? There's a joke in there. I know, and I'm not quite sure what that is yet at 9.30, not enough coffee. It says great things, Ian, lots of great things. I think as many of you know, in the executive order, the requirements or the tasking from this president was very broad. There were eight issues that were called out. And one of the things that the commission was aware of but didn't truly address till probably August, September was how do we weave these eight issues in together in a thoughtful way that has broader themes. And in addition to the eight that the president asked for, the commission added on two others, which were international and insurance.
And what the commission ended up doing was we divided them into these six imperatives that are broader themes. And I would say that a first sort of broad brush approach to what we ended up putting forth were five ideas. I mean, the six imperatives look at the internet of today, security of today, innovation and the securing of the future of the digital economy, the future and the status quo in the future of the government, looking at workforce, looking at international issues. What's the role of the consumer? And again, how the government fits together. But when we looked at kind of what we heard through these six public meetings and through the RFI, one of the first things that came out pretty strongly was this idea of convergence. In a world where the physical and cyber are converging, it became obvious to us, both in what we were looking at but then also in what we were seeing in day to day life, that it's time to get serious about the security of the internet of things. And so we put forth in this report very strong recommendations for doing so. The second was looking at how to get the federal government's house in order, the cyber house in order. So clarifying roles and responsibilities for government, because we heard a lot from industry that it was unclear to industry what government was doing. And then also looking at what is the true collaboration mechanism between the government and the private sector before, during and after an event. We also looked at the consumer specifically, understanding that it's critical that the consumer needs to be educated and aware and take responsibility for his or her cybersecurity. Also understanding that it has a role not just for personal cybersecurity but a broader cybersecurity, as we saw with the recent Mirai attacks. But then also this longer term goal of understanding how do you move cybersecurity away from the end user? Move it up the chain to the manufacturer and the developer.
As much as we can educate the consumer, you can't expect all of that responsibility to rest on them. We talked a lot about workforce, and we can go into that in a little bit more detail around the recommendations for both training the current workforce, because often times it's not that we need more people, although that was certainly part of it. But it's also ensuring that the current workforce is trained appropriately. And then finally, and this was one of the themes that we've talked a little bit about, we'll talk a little bit about, but kind of underlies a lot of this, is that our number one cybersecurity research and development priority really needs to be about security by design. And that's a catchphrase right now, it's already becoming one of these jargon phrases, but I can go into more detail specifically around how do you bake security, privacy and trust into the development of interconnected devices? One of the interesting things that I'll just wrap up with quickly was that when we started talking about IoT and critical infrastructure, there was a sense of how do you encourage the security for life-saving devices? Like pacemakers, things where life was critical, driverless cars. But what was clear over the course of the commission, through Mirai and others, was that a baby monitor is your weakest link, which is a lesson that we continue to learn in cybersecurity. It's how do you secure the weakest link across the board to ensure security across all of these other issues? I wanna dig into workforce and R&D and what have you, but before we do, one of the sort of implicit taskers, or explicit taskers in fact, was looking at this as sort of whole of nation cybersecurity, hence our hashtag for this event.
What did you learn from the meetings that the commission had and people that you spoke to about the federal government's role in working with others, and indeed others' role in working with the federal government, in order to sort of take some of these issues forward? So I think whether you're talking about industry, state and local government, small businesses, one of the things that we heard was this relationship between government and the private sector, government and state, and federal government and state and local governments, is critical. And rather than just putting forth a recommendation that says we need to improve relationships between the government and pick your box, small businesses, whatever, it was really understanding what that means. And one of the key findings from this was understanding that government is quite good at incident response, and we have a lot of procedures, policies; PPD 41 just came out that talks about how do you respond to an incident. What we have not done as effectively is what does that collaboration look like before an event? And so we propose something called NCP3, which is a collaboration mechanism that kind of takes a page from the DOD playbook around deliberate planning, joint planning, understanding what does the government do well before an event, or do well in planning and training, and what does industry do well? And we have some specifics about it which I'm happy to go into in more detail, but it's understanding what that collaboration mechanism is, and to simply say we need to do better at it isn't enough in this report. There's this tension, or I would say balance, reconciliation of strategic recommendations but then also being prescriptive where we thought that was really important, and the commission was adamant about taking the time to reconcile those two, that balance.
And so in a case like this, where we've heard a lot around government needs to do more, we need to have better information sharing, better relationships, the commission went a lot deeper into the specifics of what that looks like. And we may well come back to that, but before we do, Tim, that's a good point to bring you in and just to ask you, having looked at the report and done also quite a lot of meetings around the country, what do you think the nation's governors need from the federal government going forward in order to play their part in cyber securing the nation? Sure, thanks Ian. And it's interesting you asked that question, because I think one of the state and local recommendations in the report was around the National Guard. So I would lead with that as an example. The states and the governors can use continued collaboration and clarification from the federal government. I think it's always important to understand what are the roles and responsibilities? How do the federal agencies see them? PPD 41 was a step in the right direction, I think, clarifying the rules of the road between DHS, between the FBI, between the White House. I think continued clarification on how federal agencies are going to work together with industry and with the states in preparing for an incident, but also in responding to an incident, as Kirsten pointed out. And then I think continued just collaboration, especially around information sharing and intelligence sharing. A lot of the state officials that we meet with, that's one of the continued questions that they're always raising. How can I get more of the key intelligence and information that I need to make informed, risk- and threat-based decisions? And where can I get that from? And the answer is frequently the federal government. Certainly industry plays a key role there, but I think continued collaboration from the federal government. So I think clarification and collaboration would be the two key areas. Cool.
Could you just tell us a little bit more about that sort of deliberate planning and sort of collaboration as set out in the report. Sure. So the proposal, one of the recommendations talks about this NCP-3, and this is an advisory board that takes a page out of the President's Intel Advisory Board. So industry is represented, the government's represented. And the idea here is to truly understand what government does well, what industry does well, what government needs, and what industry needs. And to get specific, I mean, it's along the lines of if I'm a company and I'm looking on my networks and I detect a threat, particularly if it's coming from a nation-state, to then work with the government, because arguably the federal government knows nation-state threats and TTPs, techniques and procedures, better than the industry, and being able to share that information and truly understand what that threat detection looks like. But the idea that industry and government would be collaborating ahead of time is part of this critical element. The other part is joint deliberate planning, like the Pentagon, is important in understanding not just how you're going to walk through something, but understanding what the resources are that are available and how you exercise and execute them. And I think that's been one of the key issues, is truly understanding how to utilize those resources, what resources become available in the case of an event, and then how the government and the industry will work together to effectively respond to an event and to work collaboratively to do so. Which leads on to a question about workforce. It's all very well having the right plans, but if you don't have the people to do anything about it, then that's going to be true at the federal level just as much as at the state and local level. What are you recommending in the report, and how much confidence do you have that this most tricky of issues is going to be addressed going forward?
So obviously workforce is significant, and there are already a lot of federal government efforts underway; OPM and OMB came out with something this summer, and there are a lot of different stages. I would say that workforce has a lot of different pieces to it that the commission looked at. The first is this problem, what we heard in our very first meeting was, so you're going to look at workforce, understand, we heard this from a panelist and we evolved this, but this was an important starting point, understand that the issue is not that we don't have enough people, it's that the people who we have aren't trained appropriately. So that is one premise upon which we worked. Then we worked off of the fact that a lot of people say there just aren't enough people in this workforce, and so how do you train the people to be appropriate? That's all the very short term, and to the point that I was just making about where the commission went strategic and where it went prescriptive, we get very prescriptive on workforce, all the way down to the numbers. It's probably maybe the more specific set of recommendations that we have in the report. Combined with the fact that if we are simultaneously supporting automation, big data, machine learning, artificial intelligence, there is this sense that ultimately what's going to happen is the need for the workforce will diminish, because a lot of this is going to be automated. If you look at the Zumwalt, it talks about how you had hundreds and hundreds of sailors, and now because it's so automated it's 167 sailors; or if you look at Goldman Sachs, that says we're going to reduce our workforce by 50% in five years. These are long-term goals. Now our states, our small businesses are not Zumwalt-like or Goldman Sachs-like, but it gives us a sense of where this is going. But is it going to happen immediately? Absolutely not.
We're looking at a much longer term trajectory, but it's an important goal that we're reconciling with what the immediate near terms are. So some of the things that we talk about in the report is training this current workforce through boot camp-like ideas, through exchange programs with industry, and then also being able to create a cybersecurity profession that is ingrained in our culture the way being a teacher, a doctor, a construction worker, all of those things are. And one of the ways that you do that is by educating on cybersecurity at a very young age, and so what we talk about is if your first grader is getting an iPad to do work in school, at that same time he or she should be learning about cybersecurity. He or she should be learning about all of those elements so that cybersecurity is a part of the culture, so that it's not an auxiliary issue that's baked on in college when it's like, hey, have you ever heard about cybersecurity as a profession? This is something that is growing, and that's part of growing the workforce organically. So this is an interesting area in the report, because we have very short term, medium term and long term solutions that are very specific. And we have a fantastic education program here, so our next panel is gonna be focusing specifically on that issue, not least because many of the levers actually sit with the state and local governments, and I'd love to dig in more of that now, but in the interest of time let's move forward and just talk about the technology and the R&D that you mentioned earlier. This is, as we constantly tell people, not just a technology issue, but it is a technology issue. What are you recommending in the report in terms of investments in research and development, and how will that be carried forward and flow down to other parts of the country, not just the federal government?
So it's an interesting point. As you said, it's technology but it's not. I think early on, when people would say what are you hearing, what are some of the things that you didn't expect to hear or the issues that are rising to the surface, without a doubt it was human behavior and incentives. So it was understanding that cybersecurity is technology, but at the end of the day the human behavior around security is what's critical, and creating the appropriate incentives for appropriate human behavior and also business behavior is very important. Having said that, what I talked a little bit about at the beginning with the role of the consumer in cybersecurity, it's looking at what is the research that can be done on usability. So understanding how do humans respond to certain technologies, so that doing the right thing is easy to do and doing the wrong thing is hard to do. And so we talk a little bit about investment into the human behavior component, but then again looking at what are the standards and appropriate policies in place to ensure that manufacturers are truly baking security into the design and the development of devices. And what we heard a lot was first to market is often more important than secure to market. And I think one of the greatest examples or demonstrations that we heard that industry is actually very open to this was one that we heard at a meeting but then also one that we heard in media. So at a meeting we heard from a senior level official at Intel say, give us standards, because if you can somehow put bounds around this market, we will all operate more effectively in our research and design and development because we know that we have constraints. If there's no constraint here, and if it's just about getting the best flashy product to market first without any security concerns, it creates this chaos.
What we also saw, as many of you may remember, I think it was in September, NHTSA came out with a set of guidelines for driverless cars, and you didn't see the automobile industry with their arms up and just freaking out saying how could they do this? There was an acceptance of that, to say, okay, we've got these, not restrictions, but guidelines and guiding principles. And that's one of the things, these elements are the things that we talk about, trying to use those as examples of best practices to move forward. So even in the short time that we've been talking, you have set out an enormous agenda. At least part of- I knew you had a boring year next year, so I thought I would just lay them all out for you. Things are very quiet in Washington right now. So in terms of taking this forward, an important part of, I guess, success or failure is going to be how the, at least, federal government is organized to take this forward, and at least some of your recommendations, ones that received the most immediate coverage, I guess, have been those where you've recommended changes, different positions and organizations. Can you just talk a little bit through that and what that could mean for others, including sort of state and locals? Sure, and so I mean what I would say is it's not so much about changing the structure, but it's about solidifying and empowering the structure. So what we talk about is we elevate the current special assistant to the president to an assistant position, to empower that role so that there is this authority in the executive branch. We look at- Just for those people who are not as familiar with it. I didn't use acronyms, I just used. What is the significance of that sort of nuanced change in role?
It's a direct line, so it works through the head of the National Security Council and it creates more of a direct line to the president. And if we can make the analogy to counter-terrorism, when there's a counter-terrorism or homeland security issue, the president turns to Lisa Monaco, who is his assistant for counter-terrorism and homeland security. Right now that portfolio of cybersecurity is also part of Lisa's role, but it has other homes throughout government. And so what this is, is it's a position that allows the president and the president-elect to have an individual, so when OPM happens, he knows who to turn to to say how are we gonna look at this across the board. And it constructs and aligns with what the OMB positions are, so the new CISO, the CIO, and we go into that, and without getting into too much inside the beltway, we structure looking at that structure. What's important, and what we knew from the beginning, and this is a really important point particularly now, is that this commission was non-partisan from the beginning. In fact, four of the commissioners were chosen by Senate and House leadership, so it's both Republicans and Democrats, and if you look at the composition of the commission itself, it's pretty well balanced between Republicans and Democrats. The commission was written for the next administration, not knowing if it was gonna be Democratic or Republican. The election was on November 8th.
We pretty much went to press at the end of November, for all intents and purposes. And so what we tried to do in all of our recommendations, but it's particularly important with the government, is lay out a strategic plan for what are the important elements that government should be paying attention to in a proposed structure, with enough flexibility so that whichever administration came in, and however it chose to be organized, and whoever was leading it, would be able to take a look at these to guide, even if some of those structures are going to change. I think what's important to be aware of is any administration could come in and determine that that role of assistant might not be the one that he wanted, and look at how to create the most effective structure for this issue. Which raises the kind of question of what kind of response this has already had and is going to have. And the report is hot off the press, so not that many people have had a chance to read it all the way through, but to the extent that people have responded to it, I think people feel that it accurately reflects the kind of issues that are out there and proposes some ways forward. To the extent that there's been criticism of it, it's been particularly around the fact that this report, we don't really know what the new administration is going to do, may not have as much purchase with them as it might have had with a Democratic administration, and that it potentially is not as sort of forward-looking as some people would have liked. What do you, how do you respond to that? And secondly, what are the things that you think, if the new administration is going to just focus on one or two recommendations, which ones would you direct them to?
So I think to the first question, about not being sure how this will fare with the next administration, I think with any new administration that was coming in, with a president-elect with whom the city, DC, didn't have familiarity, they would say that. And so I would push back on that pretty hard, because I don't actually think, I mean this is on the issues, and I think everything, when we look at a new administration, they're looking to understand the issues, and so the hope is that this is a pretty strong road map for doing so. What was your second question? The second one was, if this new administration is going to have even more than most to get its head around as it arrives into office, which are the ones that you think they really need to focus on? And I'll ask the same question for Tim, actually, from a governor's perspective: which do you think are the ones that you would like the Trump administration to focus on? So I think most importantly is the importance of cybersecurity. I mean, we felt strongly about this with either administration, that the president-elect needs to come in and say to his cabinet and to his senior officials, this is a key issue for which you are all responsible. I think one of the obvious changes from eight years ago to today is that this is not an IT issue, it's not siloed in a department somewhere, and we've seen the effects of when it's failed and when it's succeeded, that senior officials in this government are responsible for the cybersecurity of their agencies. Cybersecurity is not a tangential issue that you're trying to reconcile other resources with; it's critical to the core mission of every agency, regardless of what the agency does, and that education and that information up front is key to what this next administration needs to be looking at.
I would also take a look at the role of technology as a key issue for how we're looking at policy, because to your point, I mean, it's about human behavior, but looking at a technology focus within the Executive Office of the President, because oftentimes right now, when we're looking at the future of IoT and connected devices, this is where we're going to see a lot of challenges and a lot of vulnerabilities, and that is critical to looking at how we structure and make resilient our government infrastructure as well as our private sector. And so I would say clearly it's making this a priority, it's organizing around that, it's ensuring that what we're doing in government allows for innovation and does not get caught up in legacy, and we go into some specific recommendations on that. But then truly appreciating and understanding that technology is not about the next new cool thing in Silicon Valley; this is key to how our infrastructure is evolving and how the interconnectedness of the physical and cyber is creating interdependencies that are only going to proliferate. Tim, which bits of the report do you think Governor McAuliffe and his colleagues would want the administration to fix on?
Sure, I would agree with a lot of what Kirsten said, but I would also add to that the whole of government approach. I think that's one of the things, I know that's one of the things that the governors are keen on, is that cybersecurity cannot just be managed from Washington, or from Trenton, or from Albany, or from Sacramento. It has to be managed in every city and every state capital and in Washington DC. It's a joint whole of government approach that must bring together industry, academia, state, local and the federal government. So I really was happy to see the report. I know they did a lot of outreach with state and local officials. I think the importance of the report is that it raises this topic at a key time, as the new administration is coming in, making decisions of what to focus on, raising the specter of cybersecurity, elevating the importance around the issue, how you have to organize for it. Not only do you have to have the right people in place, they have to have the right authorities, they have to have the right responsibilities, it has to be enumerated in a way that makes sense, and that when the next OPM does happen and the president does turn to his cybersecurity advisor, that person understands the threat but also could have had the ability to change what could have happened before, and has the capability to respond. So I think elevating this issue, and also promoting the fact that it's not just a federal government, Washington DC issue. Thank you. I have loads more questions, and I could sit here and ask them for a long time, but I'm conscious there are other people in the room who will also have questions. So we have about sort of 10, 15 minutes left. If anyone has a question they would like to ask, please raise your hand. We'll group a few questions in order to get as many in as possible. We'll take one, two, three. We'll ask the questions first and then we'll pass them on to Kirsten and Tim. And if you could give your name and affiliation. Joe Marks from Politico, thanks for
doing this. Two quick related things. One, has the Trump administration reached out to you at all in any form yet, and do you know if they've looked at the report? And then second, a couple of days before Thanksgiving the president-elect released a video with a few priorities, one of which was a full review of what he called vital infrastructure for cyber vulnerabilities, led by DOD and the Joint Chiefs, which seemed to be a shift from DHS being the lead civilian agency. Do you have reactions or thoughts about that? Okay, and I think we have one on this end and one in the front. The importance of the microphone is this is being live streamed, so no one will hear your question unless you have it. Thanks, Tim Ridout from the German Marshall Fund. I'm wondering if in explaining to the next administration sort of the lessons learned, and I'm thinking about a really interesting paper that Cam Kerry did at Brookings, sort of explaining the cyber internet working group and digital, conceptually, do you think there's still a need, because in my own work I've sort of discovered that there's still a gap in understanding between sort of how outer space fits into this. You know, the ride sharing business model to me is the best example, because GPS is not the internet, but obviously Uber and all those other things depend on the internet. Is there gonna be an effort to explain, like, okay, what's the conceptual differences between these types of networks, so you can think about them and not say, oh, it's just cyber, it's just the internet, it's a constellation of things? And do you see a need to explain that to the next administration? And right at the front.
Hi this is Rick Robert inside cyber security for Kirsten this is a consensus document it's presented sort of as a consensus document what were some of those issues that the commissioners could not agree on that you chose to leave out and for Tim the section on the National Guard I mean it's interesting in that National Guard's already doing quite a bit so what does this report allow you or would prompt the Governor's Association to start doing differently? So we'll start with Tim but I would also say in the final panel today we're gonna dig into some of those sort of National Guard issues with Tim but Tim and then I'll allow Kirsten to pick up with the other points. Sure so on the Guard you're correct that the Governors are using the Guard to varying degrees across the country. If you look at one state you've seen exactly one state I would suggest there's probably 56 different models for how the Guard is being used so we were I was happy to see the fact that the Guard was elevated in the report and called out as an important asset I think the recommendation specifically addresses Governor seeking state legislation to discern how they can utilize the Guard so that's one thing that we're focused on we're actually currently working on drafting a paper on how Governors can use the National Guard and hopefully that'll be out in the next month or so and that's one area of it but also working with DOD to clarify when and how the Guard can be used under what status, who pays for it all the different rules I think one of the feedback we've heard from some states is they wanna use the Guard they're interested in using the Guard it's a critical asset but they just wanna make sure that they're using the Guard in the idealized and perfect manner the way that the DOD and that the military sees it being used so that's why I was happy to see it in there President, you have a lot to chew on but we have from reach out and possible sort of focus refocus towards DOD sort of wider 
considerations of how the internet is used and what's not in the document in terms of what commissioners would like to see the cutting room floor and I could add to that I know you've spoken to the President about this but what kind of reaction are you getting from President Obama to the report that he commissioned? That's an interesting piece I'll just say so this is an independent commission that was called for by the President with the bipartisan, nonpartisan nature regarding the Trump administration we were obviously under the rules that we all became familiar with particularly with some recent news we were in the sequence of this had to be that we had to present to the President through official channels so the report was submitted on December 1st as was required by the executive order and then the chair and I met with the President on Friday and briefed him on the report and at that point because of those channels the next step now is for the current administration to reach out to the President-elect to the Trump administration to help set up the briefings which all seems to be the sequence that everybody's following but there just obviously are appropriate channels to follow so that sequence should be happening regarding the civilian agency I mean it'll be interesting I think it's a thoughtful approach that they looked at DOD and the joint staffs I don't think that that necessarily means they're not paying attention to the civilian agencies but having not spoken to them I don't know all of that but I do think it's important that all of these entities are engaged and so I actually see this reaching out in different forms those that we may not think are typical or what the logical step would be as a good sign of thinking creatively around okay is there a hybrid here but I don't think in any way that it means that DHS or the civilian agencies are taking a back seat at this point regarding the cyber networks we do have a recommendation in here about GPS and 
looking at some of the broader issues and so that is clearly something that hopefully when given the opportunity to brief the new administration there is the whole the realm because obviously the report is the report but the opportunity to brief would allow for greater context around why these recommendations were chosen what was put in what wasn't and why and so that's clearly a key point of understanding the infrastructure the cutting room floor question the consensus document it is a consensus document I wanna take the time because this is something that the chair has said publicly as well this was truly an extraordinary group of individuals there were 12 commissioners and absolutely every single one of them were invested from day one and contributed to this I think sometimes to the surprise of people when we would say I mean each one of them took a pen and this is truly a report that's written by the commission and so there was I think so to Rick's question because that's the process nothing truly gets eliminated there is always this intent on reaching reconciled and compromised language but what is I think a true feat in this is that compromised language doesn't lead to boiled down language and where the commission was very emphatic throughout this is we're not gonna put forth recommendations that say this should be studied further or establish this in a way that was always brought is being strategic enough as I said earlier so that it can be interpreted by a broad range of audiences but where appropriate being specific and so I mean I'll just say that one of the interesting discussions that might be of interest to this group to Rick's point but it didn't lead to anything not getting included was where power and authority for how government manages cyber security should exist and looking at does it exist solely within the executive office of the president does it exist with each individual agency and so what you'll see in here and I think it's probably why we 
go into a lot of detail is a very specific approach that allows for each of those elements to get addressed, to be addressed and to effectively look at cyber so to be truly honest I don't believe I mean I will think about this question a little bit more specifically Rick and I'll come back to you if I think of something really big but there was nothing that somebody said we need to be talking about this and then it got discarded and that I believe was a function of the fact that these 12 individuals were negotiating and really talking through each of these recommendations and everybody knew what was important to the other and so even in some cases you may see things that sort of feel like they're a little bit tangential but it was because it was important to a group of commissioners to include this in this document. There are clearly many more questions we could ask but I wanna take my opportunity as the moderator to last the ask question for this panel and that's around what happens next. So I guess for Tim it's kind of what are you going to be doing in the course of 2017 leveraging this report and looking at sort of how the state sort of take this agenda forward and kissing specifically on sort of work of the commission and the life of the report as we go into a new administration what happens next? Does this continue to be something that does the commission to disappear and this reports it's on the shelf or are you gonna advocate for it and work to get some of the things implemented? Sure, so the focus of our work in 2017 is gonna be to continue to build on our past successes in providing governors the resources that they need to prepare their states to protect the information that they hold to defend critical networks that the state owns but also to work with critical infrastructure owners and operators to be ready for when their networks are compromised. 
Additionally, one of the issues that was brought up was workforce. That's an issue that is continually on the minds of all the states that we work with: how do we grow and preserve our state workforce to protect those networks, but also how do we develop the workforce of the future? So that's not just around cybersecurity jobs, it's around the larger technology ecosystem: how do we make sure we've got education systems and workforce pipelines that are designed to produce workers that are in demand? So the focus of our work will be to continue to help governors think around how they're organized to meet the cybersecurity threat as it stands today, but also how they are prepared to meet the technology challenges, and also opportunities, of the future.

I think from day one the commissioners felt that December 1st was not the end line, the finish line; it was the starting line. And, all the phrases that were used, this was not a victory lap tour for the Obama administration, this was not about everything that had been done well. It was very much about looking into the future, and so now the commission is thinking through how do we execute on these. One of the things that I believe will happen, and I think will be one of the elements about which the commission should be most proud, is that some of these recommendations, particularly those that are looking at industry, will be executed by the commissioners in their own entities, in their own businesses, when you look at workforce. And to me that's the true kind of put-your-money-where-your-mouth-is, because it is saying not only did we propose this, but we actually believe in it and we're going to be executing it. This is meant to be a very actionable document. So we're in the process right now of looking at what the next probably four to six weeks look like, and getting the information out about this. But then what is the next step? If you look at the 9/11 Commission, there was the Public Discourse Project, which was an effort. I don't think that something along those lines will be as specific to this report, but I'm not sure. A lot of people have said, well, what comes next with all of this, and the commission was so focused on getting to December 1st that what we've had over the weekend, and now over the next week or two, will be to think about what does come next and how to make sure that these are executed, because these in a report do nothing; they have to be executed out in the real world. And I think the first step is hopefully having the opportunity to be able to brief the Trump administration.

Just one quick point: when President Obama came in, there was no real background on cyber, and they had the 60-day, I don't think it was the sprint, it was called the sprint, it was 60 days to get up a cyber strategy on this. So President Obama has done the next administration a great favor by bringing together some of the best and brightest minds for eight months to look at cybersecurity and to put together a roadmap. So the hope is that this can be a starting place, so this lag time is minimized as much as possible and the new administration can take this and hit the ground running as quickly as possible.

Thank you both very much, because, as we've discussed in the past, we at New America are very keen to be part of that ongoing discourse and providing our platform to sort of take it forward. But we're going to sort of start that with the next three panels, sort of digging into, in a bit more detail, education, workforce, sort of the role of the regulators at the state level, and then the states themselves. So if I could ask you to show our appreciation, and invite Emma for the next panel to take their seats. Thank you. Thank you.

All right, everyone, we're going to keep it rolling. You can grab your coffee and have a seat. Okay, thanks for joining us, sticking around. We are going to now turn to cybersecurity education, and we have a tight schedule, so I'm going to keep the introductions brief. On my right we have Frank Zaborowski, who is with the Air Force Association CyberPatriot program; he is the director of CyberPatriot operations. And next to him is Kevin Carey, who is the director of the Education Policy Program here at New America. And finally Davina Pruitt-Mentle, who is the lead for academic engagement at NICE, the National Initiative for Cybersecurity Education. So I'll offer a little bit of framing and then we'll have a conversation up here for 25, 30 minutes, and then we'll come to the audience for questions.

I want to read two quotes briefly from the commission report that I think highlight two threads of the question that we're going to dig into. The first one is: "Effective cybersecurity depends on consumer and workforce awareness, education and engagement in protecting their digital experience. This effort must be a continuous process and advance individuals' understanding and capabilities as vital participants in shaping their own and the nation's cybersecurity." And then on the other hand we have: "Cybersecurity offers a premium in pay over other fields in information technology, yet a sizable gap between open positions and qualified applicants has persisted for almost a decade. Both the quantity and quality of those applying for positions remain significant problems, as does the challenge of ensuring training is up to date and effective." It goes on to say: "The workforce shortage in cybersecurity is directly related to a larger problem: too few high school and college students in the United States are developing the necessary skills for careers in science, technology, engineering and mathematics." So on the one hand we have a mandate that cyber-securing the nation requires a population that is generally more cyber aware, and on the other hand we have a mandate that in order to fill the workforce gap we specifically need to equip populations with the skills necessary to do so. Those strands need not be in tension, but I want to dig in a little bit more later on as we talk about what the priorities are for cybersecurity education.

Davina, can you kick us off and tell us why, although the federal government is important in this space, this is really a state and local issue?

Okay, so the short answer for that would be because that's the way our educational system works: it is controlled, at least the K-12, by the state and local. I think you were hoping for a little bit more than that, though, so I will mention: so NICE, the National Initiative for Cybersecurity Education, which is led by NIST, part of the Department of Commerce. It's been around for a while, since the Cyberspace Policy Review in 2009, and then it reaffirmed the role of NIST with the Cybersecurity Enhancement Act in 2014. And the role there is to come up with a strategic plan for developing the cybersecurity workforce, and so the mission is to promote a robust network and ecosystem of cybersecurity education, training and workforce development. With that in mind, we like to think of ourselves as a convening body that stitches all the different pieces of the quilt that are the activities that are going on. So to answer your question, there are many federal activities in place as well as various state and local that are taking place, and we try to organize so that we're moving strategically in one direction. So for example, it was mentioned in the commission that NSA has their GenCyber camps, so that's a federal effort. OSTP has their Computer Science for All initiative that's going on; that's kind of focusing on computer science and trying to weave in cybersecurity. You have various other federal initiatives; you have the two- and four-year institutions that are designated by DHS and NSA as Centers of Academic Excellence. And at the same time you have state and local, which are really the ones that put forth the efforts to get students and collegiate folks engaged in this workforce, and so they're starting to develop curriculum or content to go in, interdisciplinary, across the K-12. You have activities starting to crop up in terms of CTE programs, career technical education pathway programs, but all of them are going in different directions. And so we want to try to make sure that we're at least all aligning, one, to the NICE workforce framework, so the different seven categories and the 32 specialty areas in cybersecurity, and that they're also all aligning to feed into those Centers of Academic Excellence in our two- and four-year institutions. So again, just a real brief example: there are various computer science activities going on, and so you have Project Lead the Way. How many are familiar with Project Lead the Way?

A few, okay. It's in most of the high schools and middle schools throughout the US. Its sweet spot is more engineering, so they wanted to get into cybersecurity too, develop some content. They don't want to go down the path of computer science because there are a gazillion things going on in that domain, so they started to develop it based on, like, pen testing, Network+, Linux, Security+, that type of thing. And the question was, why, if your sweet spot is engineering, look at, instead of the operate and maintain or the detect and defend, look at the securely provision category of the NICE workforce framework, because that gives our students another option, another pathway that they might want to pursue, instead of just being kind of niched into an area. So our role in the federal, with the NICE initiative, is to try to holistically bring everyone together to move forward.

Thanks for that. Frank, Davina told us about some partnerships that she sees and oversees. Can you tell us a bit more about the role of organizations in this space? What are you seeing that's working, and why?
I'm Frank Zaboroski with the Air Force Association and one of the things that we take a look at when we look at cyber is a national security issue and that's the technical workforce shortage and also protecting our cyberspace from actors whether they're criminal or foreign one of the things that we focus on are the soft skills so for instance an iPhone there's no class in school that shows you how to use an iPhone but I guarantee you that probably every sixth grader knows how to use an iPhone who's had any access to one even people in disadvantaged communities because a lot of people have these so it's soft skills that are learned so through the competition space that we use within the CyberPatria program what we're trying to do is from middle school and high school is to motivate students to go into careers and education in cyber security now with that said not everybody's gonna go to college and one of the things that we're trying to really work with our sponsors on and Northrop Grumman one of our bigger sponsors has done is create internships for instance how would you like to be a kid with a B average some computer science classes in school and if you can get a secret clearance you can work for Northrop Grumman for a summer job $12, $15 an hour at one of the rate facilities in the United States so that starts motivating students to wanna go into this line of work another thing is we're looking below middle school not so much for a competition space but also for an education space because when we spoke with educators Department of Education and other people what they tell us if a student is not interested in science engineering technology or even math by the time they're in fifth and sixth grade they're probably not gonna be a late bloomer they may be but they probably not so what we're trying to do is motivate students in the lower levels to learn a little bit more about cyber security and then move into the competition space now to get to your question about 
organizations what they can do it's just like little league baseball you don't have a baseball program in elementary school where does everybody learn how to play baseball in little league or soccer or any of those types of things so we feel that by approaching it from the soft side after school activities is that we can make a difference it's not just cyber patriot it could be any competition it could be any type of club that you would have set up but it's trying to get people into the mindset that cyber security is important and then by virtue of that is getting to move into the workforce to make up for these jobs that DeVita talked about that they're just not being filled the other thing that we emphasize in our program and I know Cyberwatch and a lot of the other ones emphasize our ethics what we do not wanna have happen is have an 18 or 19 year old end up at federal prison at 19 or 18 because they hacked a bank okay we do not want that to happen what we focus on is cyber defense now there's a lot of other entities that focus on ethical hacking they focus on capture the flag and different things like that which have their place and we understand that but what we're trying to do is create a nation where people are good cyber citizens and it's done voluntarily you can't force somebody to be a good cyber citizen it's something that they pick up and they learn so with those two things trying to interest people in the workforce also trying to have an ethical understanding and awareness of cyber security we think we can make a difference and I gotta tell you we've run post competition surveys where people have been in our program for four years and again I'm not taking this as hey cyber patriots the end all but what I'm saying is that the students who come into cyber patriot a lot of them are not on track to be gifted and talented you know advanced placement a lot of them are just regular kids and nobody told them about cyber security it's just a club at the school 
they got interested in it and when we look at our exit surveys for the kids who are coming out of high school what we're finding is most of them and I'm talking 77% and higher either get a job or they go into post-secondary education in a science technology or engineering field and many of them into cyber security so that's the soft side of it we applaud the work that NICE is doing and the other government entities we try to get it formalized but really we feel that this is a competition it's an education program it's supposed to excite kids just like that little league or soccer league that they can participate in elementary school and work their way through high school that's it before I move to Kevin since you mentioned them could you briefly tell us for those who don't know what a cyber security competition looks like? well cyber security competition in our regards there's different types in our regards what happens is for this year we had 4,000 teams across the United States there are 4 to 6 students each and a week before one of our online competitions we allow them to download a virtual operating system so something like Windows 7 they download it but what they don't know is how we sabotaged it so we're not getting into having activity going up against them but we've taken all the passwords out we've taken any security feature that Microsoft has in Windows 7 so if a student puts an antivirus on that operating system they get a point if they put a password on it and lock it down they get a point if they lock it down too much where you can't use your email they lose points and it gets more and more difficult we have back doors and things like that as the competition rules on but it's done in four online rounds once a month we run it on Friday through Sunday it's six hours but it's six hours that the team picks and it's continuous and then at the end we have the students who do well the top 28 teams across the country through the generosity of our sponsors we 
can fly them or have them transported to Baltimore and all expenses paid and they go up against a red team where they're actually using the cyber defense skills to go against penetration testers that we have available from our sponsors thanks Kevin the challenge of cyber security education isn't arriving on a blank slate it's not happening in a vacuum can you tell us how you see this issue interacting with in the broader educational ecosystem the challenges and trends that already exist there sure I think as was mentioned earlier it's always a challenge to implement any kind of educational idea nationwide just because of the sort of basic decentralized model of how our education system is designed so you know we have ninety-two percent of all the funding for K through twelve education in the United States comes from state and local governments about equally mixed between local property taxes and state funding the eight percent that comes from the federal government is overwhelmingly targeted toward specific vulnerable student populations mostly students who live in low-income communities and students with disabilities the omnibus federal elementary and secondary education act which was just reauthorized by Congress late last year actually prohibits the Secretary of Education from in any way directing curriculum in local schools he or she can't tell teachers what to teach in any way or capacity that's actually sort of somewhat elaborate set of prohibitions to that effect which reflects the you know political feeling among members of Congress that education ought to be controlled at the state and local level ought not be directed nationally so it sounded from the earlier conversation and you know again I know a fair amount of education and very little about cyber security I think that's my role here that the Commission was talking both about education for citizenship but also education for the workforce and so you know those I think are related but also like fairly 
distinct challenges if we're talking about education for citizenship in particular and we really do want to talk about getting to the curriculum so that you know an elementary school child for example interacting with an iPad would start to learn about cyber security I have a child in elementary school I'm sure she has not been so educated now I feel just one more thing that I've not done as a parent I'm letting her play with my phone all the time at the minimum you would have to work with people at the state level and probably at the local level because even at the state level states only really adopt academic standards and you know they could they could adopt standards around cyber security if they wanted to but all the curricular decisions are made by individual school districts and there are roughly thirteen thousand individual school districts in the United States of America obviously some bigger than others over a million students in New York City some school districts only serve a handful of students it does strike me there are a couple of opportunities however you know parents and people are always very interested in technology generally right and I think the idea of training people to their providing technological literacy to young children is an attractive idea something that people just think is kind of cool and kind of modern so I do think people will be open to that idea and it's also you know you should note that technology adoption is actually very decentralized in our schools so here's what I mean by that you know curriculum is a is a policy issue that happens at various levels the technology itself that people use is actually often made by individual teachers so you know for example my I have a daughter in first grade and you know her teacher uses a somewhat elaborate system of like thumbs up thumbs down for behavior so you like you sit quietly you get a thumbs up my daughter is very proud of that and then she marks it on her computer that shows up 
on an app that I have on my phone so my daughter pick up my daughter from school I can open up my phone and say you know I see you got three three thumbs up and two thumbs down she doesn't like that but the point being that's a decision the teacher made by herself she just decided to implement this technology in her classroom and tell all the students and the parents to use it that wasn't even anything that like her principal told her to use that was just the teacher in fact a lot of technology adoption in our K-12 schools is at the individual teacher level and there are like tens of thousands of teachers using this one particular program and so working actually directly with the people who are providing technological tools to individual teachers could be a way to have adoption at scale and not deal with the bureaucracy of governments so there's that if we're talking about workforce part of it and making sure that we have a trained workforce then we get more to the post-secondary level and again there are a set of challenges to address one of the kind of oddities of our higher education system is that there's essentially an inverse relationship between the amount of prestige and the amount of resources that we bestow to institutions of higher education and the extent to which they are labor market oriented so our very prestigious research universities which is where we send all of the best and brightest in a very very efficient system of sorting you were actually very good at kind of assorting for social capital and cognitive capital and training and all the rest of it getting all the students together in one places those are the places that actually care the least about the labor market they're very academically oriented they're very prestige oriented if you came to them and said you know the nation has a pressing need for X more people who can do this they just don't care that's not their job to care about that and then on the sort of flip end of the market where 
you have institutions that have the least resources that are charged most with serving a broad kind of a diverse group of students they actually tend to be more labor market oriented but sometimes to a fault right so if you if you're to get on our metro system here in in Washington DC or go on the subway in New York you won't see the advertisements for cyber security programs from the prestige research universities you'll see it from for profit colleges or nonprofit colleges that essentially are in a workforce orientation some of which can be very good and be very market responsive some of which are not so good and can be overly expensive and it is a very badly regulated part of our our education system there's there's not really much in the way of watchdog organizations that help consumers sort out the good cyber security program from the one that will just kind of induce you to take out a lot of student loans and then not really give you something where there's a lot of labor market value but there's a lot of work to be done there I noticed I was happy to note in the in the recommendations a call for working on apprentice focus programs we actually our Center for Education and Skills here at New America is very focused on expanding the idea of apprenticeship as a not a model for people who are going to get a bachelor's degree to kind of have a pathway toward a hyper a high paying job traditionally that's been limited to the trades kind of traditionally more blue collar you know frankly more white male jobs we think the model actually can be expanded to lots of different areas and this could definitely be one of them Davina in many policy areas the private sector plays a key role particularly perhaps more so here and can you talk a bit about the role of industry in the cyber security education challenge where are incentives aligned and where aren't they and what are you seeing and before I forget I wanted to just say that there is some good news with the with at 
least the cyber cyber security awareness domain so within the educational system a lot at least with the well I think it's with the public and private a lot of the e-rate funding is attached to one of the requirements is sort of internet safety uh... and along with that schools have adopted either in full or they have re redone the standards and those are called the SD standards international side for educational technology they have digital literacy standards and so within that you do see components of cyber security and there are a plethora of other standards that actually do address more of the awareness piece uh... and you know we could do maybe a better job in teaching that but at least those standards are in place where we do fall a little short is with the cyber security career awareness or the workforce skills so to to that and bridging it to your question with industry i think industry has a critical role in in in sharing with uh... with us what are their particular needs uh... and uh... are their certifications are there uh... you know how many but what are the roles in the skills and and are are uh... the nice workforce framework was built with uh... those industry uh... input as well as with the interagency uh... groups their their feedback and actually that workforce framework is uh... up for special publication uh... at nist and it's open for public comment until january six so if you would like to take a look at that make comments on it uh... so their perspective i think is extremely important because they're the ones that are hiring we want to know what the higher whether they be soft skills as was mentioned earlier uh... whether they uh... be in particular areas in the in the uh... that's mapped to the the nice workforce framework whether they need a bachelor's or a master's or a phd level or just certifications straight out of uh... 
of high school. All of that input is really valuable.

Some of the branding that gets used to hook kids uses rhetoric like "cyber ninja" and "cyber warrior," and there are some concerns that that rhetoric is not broadly appealing to the various populations of kids that we need to be interested. So how do you balance the genuine desire to appeal to kids as quickly as possible to enter the space with the broader desire to make sure you're using language that, in a sustainable way, gets all kinds of kids interested? Thoughts on that?

I have a few thoughts on it. One of the things that we did at CyberPatriot was determine, along with our sponsors, that there are few females within the workforce, and what we want to do is increase the number of females that at least were interested in going into careers in education. One of the things we did is we toned down our materials. If you look at our materials, we have faces on there that are more than just male faces. We allow all-female teams to participate for free; it's only $195 for a whole team to participate in our competition. We took that on to make it an environment where it's attractive to young women. Then on the other hand, when you're talking about cyber ninjas, cyber warriors, those sorts of things, one of the things that we wanted to do was maintain that we're in cyber defense and that this is more of the ethical kind of competition and space that we're in. If we had to name it something other than CyberPatriot today, we probably would, but that's our name and we're sticking with it.

Anyone else want to take a crack at that?

I can add to that. I can say one of the things that has been very fruitful is understanding that there's a broader range of career options in cybersecurity than just
one little peg. We have a great collegiate as well as a K-12 NICE working group, and subgroups within that, and increasing the number of women and minorities is one of the issues, to diversify. You're finding more and more women-in-cybersecurity organizations popping up as well that are really tackling this issue. Some of the things that we find are that more of the women gravitate to systems engineering, more of the management area, law, and digital forensics is another component. So if you can develop programs that are around that sort of ethical and societal need, they are more geared towards that. The K-12 working group was very instrumental in really pushing out to our two- and four-year institutions, as well as a lot of the nonprofits that do a lot of outreach to the K-12 entity, to say, hey, there's a lot of research that has already been done in this particular area on trying to attract girls into other technology fields, computer science, engineering. Don't try to reinvent the wheel; build on what they have already done and try to take it to the next level, applying it to this particular field. So I think that's something that is useful.

I have one more for Kevin, and then we'll open it up to the audience, so please prepare your questions. Kevin, you talked about the challenge of changing curricula, and you said you've just got to go stick to the state, to the local area. Can you walk us through what that actually looks like? It doesn't have to be from a cybersecurity point of view. If I say I think these things need to be on the curriculum, who am I going to? Who has the power in that situation?

For something as narrow as cybersecurity, and I don't mean that in a derogatory sense, it's a big wide world, there's a lot of different issues out there, it's unlikely that the state is going to adopt
or make an addition to a broad curriculum framework around something that specific. Curriculum frameworks cover the basics: math, language arts, history, social studies, science, maybe different areas of science. So I think your best bet is actually probably less the state level than the local level. When you think about some of the big districts here in Washington, DC, it's easier in the states that have large school districts, candidly. And this is again a strange and idiosyncratic way that American education is organized: states like Illinois and Texas have hundreds of school districts; states like Florida and Maryland just have a handful, because they have large counties and organize their districts that way. But if you were talking to just the Montgomery County public school system, you would be talking to people who have reach over a large and diverse group of students. So probably large districts are the best, and then talking to the people who have some purchase over science and technology and mathematics. It's a related point, but to go along with what some of the other respondents have been saying, it's hard, ultimately, through the education system to put a thumb on the scale in terms of what kind of career people choose. There's lots of careers out there, and even if you're the kind of person who's inclined to do this, there's probably lots of choices other than being in cybersecurity. It's really just a broad supply issue, and the bottom line is there really aren't a lot of second chances in our education system when it comes to STEM careers. If you're not more or less on track in mathematics by the eighth grade, your chances of actually having
a valuable credential in a STEM career are essentially zero. Just think of them as being zero. You could probably find someone out there who found their way back into the field, but it's such a small number as to be insignificant. So if we've lost them by age twelve, we've lost them forever for the purposes of this conversation. We can do lots of great training programs at the community college level or at the high school level, and we can work with the boot camps and do all that stuff, but we'll be working with maybe thirty or forty percent of the overall population at that point; we've probably already lost most of the students there. So in some ways, just providing support to the broader effort to improve mathematics and science education in the elementary and middle school grades will, just from a sheer numbers standpoint, give you a larger labor force to work with, and then try to find some of those people to go into this field.

One of the things, to piggyback on that: I grew up in the nineteen sixties, I was in elementary school, and I'm a victim of new math. New math was supposed to be teaching kids how to be scientists by the time they were through school, or high school, so we'd catch up with the Russians in the space program. We all know how that worked. By the seventies everybody said we're stupid, and they say the current generation is stupid, and so on and so forth. But one of the things that I like about the organizational aspect of this, what you said, is motivating people toward these careers. It's not like Europe, where once you're put into a track, you stay in that track. This is freedom; we have freedom of choice within the nation. Just to give you a short anecdote, and some of these make your eyes water, just to tell you why: we had a student in San Antonio, Texas, who
didn't know his father, his mother was a drug addict, he was raised between relatives and all that, and he was going down the wrong path. So he got involved, in particular with our organization, with our competition, but it could be anybody's, and he found that he liked it. He did so much that he went and got himself a certification. He wasn't going to college; he walked into a forty-thousand-dollar-a-year job when he graduated from high school. What I think we all need to take a look at in this room is that when I grew up in Pittsburgh in the sixties and seventies, if you were a steelworker with a high school diploma, you had a middle-class lifestyle. You could afford a new car every five years, you could pay the mortgage on your house, your kids could go to college. That is what cyber education and technology is doing today, and I think with not only the academic curriculum we're talking about, but with organizations and also with parents and all the things that go with the social makeup of our society, I think we can motivate people to have those middle-class jobs that everybody is seeking. This is one of those things that's standing out there, and I think a lot of times we fail to address the amount of money that students can make if they do go into these fields, even if they don't go to college.

Very quickly, I absolutely agree with that. I think we also need to put in perspective, too, and there's some great studies out there, the STEM report is one of them, it's a couple years old now, but
from Georgetown's economic workforce development, that looks at, you know, we can get these students really excited about going into any of the STEM careers, and I'm all for that, all for getting the summer camps, after-school programs, the CTE pathway programs, the whole nine yards. Where we really need to also focus is, we can get them in there, and in that freshman, sophomore year they drop out or switch from a STEM degree program into something else. So that's another area where we need to figure out what's going on, because we can excite everyone we want, but if we don't keep them in there to complete it, or for some reason they're getting in and then leaving and going into another discipline, something's happening there that we need to take a little stronger peek at as well.

Thanks. We have time for a few questions. Please identify yourself and end your question with a question mark, and I can take them all. Any questions? One over here. Oh, just wait for the mic, sir, please.

Georgia Sachet, with HB Information Technologies, a defense contractor providing cybersecurity services to the Department of Defense. One of the things we didn't talk about here, or in our earlier panel, was the role of employers in these educational aspects of cybersecurity. One of the issues that I think we have is the skills gap. We do have a lot of cybersecurity jobs that are open and we can't fill them because we don't have people with the skills, but at the same time we have not been involved in the educational aspect of what they should have. So a
pilot that I did in Peoria, Illinois, which I think is successful, is a two-year associate degree in secure software development. It came from Carnegie Mellon University, funded by Homeland Security, for four-year; we created a two-year version of it. But we still have difficulty, I'm having difficulty, scaling it up nationally, because I think this is a very important thing we can do. Employers are not quite coming up to doing that, to getting involved in the educational system. Do you have any recommendations for that?

I mean, this is a broad problem in the interaction between education and the workforce. Employers are very good at articulating the shortcomings of the people who come out of the education system; they're not as good at actually providing advice and engagement and support and resources on a sustained level. So there's a lot of work to be done there. I think you have to think about technology as a vehicle for scale in education. It used to be we'd have to go community college by community college by community college if we were going to implement these programs, but a lot of programs are now online, and there are a lot of good online programs. We had a panel here a couple months ago where we had the dean of the computer science department at Georgia Tech, which has created a very low-cost online one-year master's degree program in computer science. Now, because Georgia Tech is a top-ten computer science department, they're teaching theory and stuff like that; I mean, that's what they think is interesting, that's why they're a top ten. They're not really teaching the nitty-gritty, but the model is there. It's an inexpensive program, they've worked out how to engage with students online, it is not a low-quality online program, it is a high-quality online program
where you can create a reasonably high-touch, supportive model where students can actually engage with other students, engage with mentors, they're not just left to their own devices, but keep the cost at an affordable level. What we're all trying to go after is a labor market that includes mid-career professionals, includes nontraditional college students, people who are trying to make a job transition, which means they don't want to spend fifty thousand dollars, but maybe they'll spend ten. I think that's a scale opportunity where there's probably a lot of room for growth.

Wonderful. I know we have one more question, but I'm noticing that we are out of time, so join me in thanking our panelists and welcoming the next panel. Next up we'll have Rob moderating a panel on regulation and legislation. I think we'll give you guys and gals in the back about a minute to pick up some food and then return to your seats.

All right, so as folks are finishing up in the back there, I think I'll get started with the introductions. But first I'd like to say thank you, one and all, for coming this morning, and for watching on the livestream if you are. My name's Rob Morgus. I am a policy analyst here at New America with the Cybersecurity Initiative, and I'm joined today by an outstanding panel. Starting at the far end there with Evan Wolff, who's a partner and co-chair of Crowell & Moring's privacy and cybersecurity group. He also was one of the initial DHS employees, and is just generally a lawyer who understands how technology works. Next to him is Heather Hogsett. She's the VP of technology and risk strategy at BITS, and previously was at the NGA focusing on cybersecurity, amongst other things. And right next to me is David Mussington, who's currently a professor of the practice at the
University of Maryland, but in the past he's held a number of government roles, including at the DoD. We'll kick things off with you, Evan. Can you start us off by giving us a sort of thirty-thousand-foot view of regulation and legislation at the state level? How does it differ from, complement, and oftentimes complicate federal efforts on the same front, and is there a sweet spot for states?

Every spot for states is a sweet spot, I guess. But I'll give my thirty-minute, three-thousand-foot view of states. Let me start off with my disclaimer: nothing I'm saying represents the opinions of my clients or is on behalf of any companies I may represent, because I do a lot of data breaches that involve states. I have done about three hundred of them; every single one of them is a little bit different, and so my opinions are based on that. So when you think about the state regulatory model, you sort of have to think about three buckets: pre-breach, breach notification, and then what happens post-incident. I'm going to focus really on the first two for states. In terms of pre-breach, what do companies have to do from a state regulatory perspective? There are federal requirements, but there also are beginning to be state requirements. The most interesting one is sort of what companies are supposed to do when it comes to security. This is an area states haven't typically been involved in, but now, starting with California, who always seems to be leading the pack, including on presidential elections, except for this one, they've actually put together a requirement for the CIS controls, where you have to have the twenty CIS controls in place if you're a company doing business in California.
There also are, when it comes to special data handling, state-level requirements. For example, about one-third of the states have some of these sort of special security requirements; Massachusetts, California, and Nevada are the ones that come to mind. New York is solely focused on the financial services sector, and I'm sure we'll hear more about that later. There are states that are increasingly regulating Social Security numbers, so if you're a company that handles Social Security numbers, specifically how you handle the disposal of them, states are regulating that area. And then also dealing with payment card information: there's about sixteen states now that have regulated the use of payment card information in addition to what's required under the federal statutes. There's some other areas states are beginning to get interested in: biometrics, and dealing with the disposal of HIPAA data, are sort of the newest areas where we're seeing state statutes come out. But really the big piece that states have had, sort of what I would call where they've decided to invest their time, is the state data breach notification process. There are forty-eight different state data breach laws right now. The only thing they have in common is their differences, I would describe it as, because every state defines not only what personally identifiable information is a little differently, some of them include
Social Security numbers and addresses and names, but they also deal with what access and exfiltration are, and have a different definition of what that means. And then lastly, or more importantly to companies that are going through this, they have a different notification process. So this means every state, some states like New Jersey, you need to get permission before notifying any of the victims in the state of New Jersey, from the New Jersey police department. They're a very friendly organization, and sometimes require some specific detail. Some states are very difficult in terms of the level of detail of the incident itself; Vermont, from our experience, has historically required a lot of information on the incident. So when you're acting in the middle of an incident and you have to start notifying individuals, you have to deal with these forty-eight different state approaches, which can be complicated. It's an area where there's been a long discussion of federal preemption, but so far that hasn't happened, and probably not likely over the next four years, but we never know. And then the last thing I'll say, and then I'll turn it back: states are beginning to think about the consumer issues and building FTC-like, or Federal Trade Commission-like, approaches to protecting their citizens from unfair business practices. That's a new area where I think we're going to see more and more statutes, and that's what's happening at the state level. There is sort of the great westward expansion in cyber also occurring at the federal level, where you have the defense sector, which since two thousand thirteen has been starting to regulate the companies that are in the defense industrial base through specific laws
and a contract called the DFARS safeguarding rule. We've also seen different versions of the energy sector thinking about this as well, but I don't want to go into too much detail.

Good, and we'll talk about the financial sector here in a second, but I also wanted to press you a bit, Evan. You do a lot of work with companies in response, and you outlined a bunch there that is potentially problematic because of the disparities in the way that the states are regulating, going after things. Are there particular sectors that are either particularly good or particularly bad, and I know that's a potentially false binary, but deal with it for a second, when it comes to the way in which they are regulating a certain sector, a certain industry?

I guess obviously all companies I work with are great and have had nothing but a stellar approach to compliance, but I do view the world as sort of the haves and the have-nots. I've been using this example for a few years now and it's beginning to break down. I used to say the haves are those that do data security, information security. I was a systems engineer at the MITRE Corporation for a while and I sort of felt like I was part of the haves world when I was a data scientist, and I was a lawyer and definitely part of the have-nots, even though we have a very robust information security approach at Crowell & Moring. We are not an IT company; that's not our bread and butter. And that's really been changing now, because I think some of the have-nots have realized, both by going through incidents and from boards
and their board focus, that data security and information security is everyone's problem, not just if you're a large IT company. To specifically answer your question, I think the defense sector, the financial services sector, and the energy sector really have been realizing that there are different aspects of information security and data security that they need to think about. I'll just give you maybe two examples from outside the financial services sector. I think the defense sector, post the events of two thousand four to two thousand six, when there was a significant set of attacks against many defense companies, realized that when they need to protect their information systems and their data, it just isn't the thirty-two big tier-one defense integrators; it needs to be the thirty thousand members of the supply chain, and they very much took that approach to managing the security. And within the energy sector, they realized that it's not just their business systems that you need to focus on; you need to focus on all of the infrastructure. Through a lot of really good work, through work with the regulatory and really on their own, voluntarily, thinking about things like information sharing, I think the energy sector realized what I'll call the power of the pack, not just because my last name is Wolff, but because there is sort of a herd protection here: if companies stick together, they can actually do a lot of
reduced risk in a lot of ways. We've seen this coming out of the critical infrastructure protection, CIP, standards that the energy sector relies upon, and with their information sharing efforts. So I think in this sort of Frankenstein approach to cybersecurity there are really good examples coming out of a few sectors where they've done it well. And just to be clear, I'm not going to answer about the sectors that I don't think are doing it well.

Fair enough, which is a good segue, potentially, to talking a little bit about the financial sector, a sector that's doing it well. I was going to pass judgment. So Heather, in September New York proposed, and I believe the comment period ended a few weeks ago, a new financial sector regulation for cybersecurity. The regulation has been met with praise from some and grumblings from others. Can you take us through a little bit what's being proposed, and what do you think of this model that the New York financial sector is trying to sort of adapt and create?

Sure. By way of providing an intro to this, as Rob mentioned, I'm now with the Financial Services Roundtable, in its technology policy division called BITS. Prior to this I worked for governors at the National Governors Association for the last seven years, so I have a deep appreciation for how governors and state legislatures approach the issue of cybersecurity. I think they've focused a lot of time and attention on really trying to ensure that they are helping protect their citizens,
and they recognize that it starts with them, and so they're using that. You're seeing Tim Blute from the National Governors Association here today. They're using that to really highlight how deep a challenge this is and how much we all need to be engaged in it. Understanding where states are coming from, everyone recognizes that it's a challenge, so I think everyone is now stepping up to try to do something on cybersecurity, whether it makes sense or not. So I think the challenge that we now face, particularly for industries like financial services or like energy that are very heavily regulated to begin with, is that you have a plethora of disparate cybersecurity requirements that frankly are getting to the point that if they are not harmonized against something like the NIST Cybersecurity Framework, which was a multi-sector effort that really brought together stakeholders from a wide range of industries and backgrounds, government, private sector, if it's not harmonized off of something like that, you have the problem that everything starts to conflict, and people are spending so much time and energy simply on compliance that they are no longer able to spend the time and attention they need on securing critical networks and systems and the information that everyone cares about. So I brought with me a visual, and you probably won't be able to see it, but this is a spaghetti chart. This is from the Government Accountability Office; we did not put this together, GAO put this together. This is for the financial sector specifically. Across the top you've got about fifteen different federal and state regulatory agencies; along the side are eight additional federal entities that have some role in cybersecurity. I put that up there because it shows you the number of people that are involved and are not coordinating their efforts, but all have the same goal in mind. So from just the twenty sixteen perspective, for us at the Financial Services Roundtable, we've been
tracking almost thirty different either proposed or new cybersecurity requirements facing the industry. NYDFS came out just a couple months ago as the first state regulator to really come out with a comprehensive set of regulations for cybersecurity, so any financial firm operating within the state would need to meet a certain set of requirements. Many of them sound like basic cybersecurity things: you need to have a cybersecurity program with a written cybersecurity policy that covers things like identity and access management, third-party risk management, how you're managing your vendors and your supply chain; have an incident detection system in place and have an incident response plan; you need to have a CISO, a cyber information security officer, specifically required. So it really is very comprehensive, and this is the first state to really put out regulations like this. On its face, you would argue, why shouldn't you do those things? Those are really a comprehensive cyber risk management approach. Yes, the challenge is it starts to get very prescriptive and takes a one-size-fits-all approach that does not work: you've got very, very large international firms, and then you have smaller mid-size and regional banks that this has to apply to. It starts to conflict with things like the NIST Cybersecurity Framework, which many of you in this room may have had a hand in helping pull together. It's a really important document that helps you think through all the way
from the little nitty-gritty systems up to your board, how you can talk about the risk life cycle. Our members have really worked to pull together a set of metrics for their own board reporting; many of them report on cybersecurity risk matters quarterly at this point to their board, and have implemented the NIST framework. Then one of the other major financial regulators, there are three of them that come together under what's called the FFIEC, put out a different tool called the CAT, the Cybersecurity Assessment Tool, which was also very comprehensive and goes down to the control level. So you had NIST, you had the CAT tool, now you have a new proposal coming out from NYDFS, and then you have yet another one that came out from some of the same FFIEC agencies that put out the CAT tool, proposing an even additional set on top of that. So the question simply becomes, where does this end? And we do run the risk, you know, the level of detail that firms are required to report to regulators is quite extensive. At the federal level we have seen several, similar to the OPM data breach, we've had regulators who have had data breaches, so it's a real concern and a risk that the more you require information to be reported to different places in different formats, you're taking the eye off the ball for your critical security professionals to perform their job; they're focusing on compliance instead. And it's a national security concern: you're creating honeypots of really sensitive information for a critical sector of the economy for attackers to go target. So what we appreciated from the commission report that came out, which Kirsten here earlier was talking about, was they actually highlighted this challenge in their report and called for all federal agencies, A, to follow the NIST framework, but then also for all federal and state regulatory bodies to really go back through the existing regulations and look at any new regulations that come out and harmonize that to the
NIST Cybersecurity Framework. One of the additional things that they highlight a lot in that report is the need for public-private sector collaboration, and I think that's really the area that we're in today. You have such a quick pace of technological change that is in some ways making security better and faster and cheaper, but regulations need to be able to keep up with that, and oftentimes government policy tends to lag. So I think the more we can create forums for public-private sector collaboration and education, the better off we'll all be. I know that was a little long, so sorry for that.

There's a ton to unpack there. Quick follow-up for you, though, and Evan and David, feel free to jump in on this. You described one of the problems with the financial sector regulations in particular as taking a one-size-fits-all approach. What Evan described at the beginning there was this sort of Byzantine amalgam of regulations that everyone has to sift through. There's not necessarily a contradiction there, but there's definitely a tension between creating regulation and legislation that is harmonized across state borders and not pursuing a one-size-fits-all approach. What can you do, or what could states be doing better, to manage that tension?

I would say, I think when you're talking about dictating to a firm how they secure their systems, you need to take a risk management approach. That's what the NIST framework tried to do: to set out, here's the framework for how you should think about these issues in the life cycle, then how you apply that specifically to a firm. There's some flexibility to make sure that, you know, you're going to know your systems best and you're going to know the information in them, so you need to do a risk analysis about what are the most critical systems to protect, and then compare that to what protections you may have, what mitigating controls you may have, and where
you're accepting risk. The data breach issue, again, it's the same point: where you have so many different competing requirements, like the definitions that are used across states may be totally different, and when you're in the immediate aftermath of a breach and you're trying to notify people, making sure that you are complying with each of those different 48 definitions or whatever it may be, you're spending so much more time on trying to make sure that you're meeting all the multiple steps that New Jersey or Maryland or Virginia or New York or whoever may have that you're not able to actually get the information out quickly and efficiently to those who need it. I think the thing I would stress is the way to solve this: there's something at the federal level called CIPAC, the Critical Infrastructure Partnership Advisory Council (thank you), which allows for regulated entities and the regulators, because there is sort of an adversarial relationship there, right? Regulators need to have an independent oversight function and you don't want them being too cozy with industry, but at the same time regulators need to also understand what the firms are seeing and how the technologies work from a day-to-day perspective. And without a forum for dialogue to allow that to happen, particularly from a national security standpoint, I think we're all doing ourselves a disservice. So that's something, and I'm not sure CIPAC actually applies to states and locals (Evan may know), but I think it's forums like that where you can have a dialogue: okay, we get it, we understand your goal, we actually share the same goal, what you're proposing doesn't work for this reason, here's how we would suggest doing it instead. I think there's a lot of opportunity in this day and age for more of that kind of engagement.

So I guess to answer the question, CIPAC is a FACA-exempt advisory committee, to sound like a DC lawyer for a second, so their meetings are not
subject to the Federal Advisory Committee Act, and they can meet in private and have a lot of protection associated with that. It doesn't really follow through to the states, but there is some benefit there. I guess, just because every cyber panel needs to have a cyber-by-analogy moment, I'm going to sort of answer your question with my analogy of where the state data breach laws need to go in the future, and I'm going to use the transportation sector, because I think the federal government has been very effective since the advent of the car and our highway system at regulating the components of the transportation sector and still allowing states to manage their own equities in their states. We don't have a federal speed limit; we have speed limits managed at the state level. We have roadways, and cars are manufactured up to a federal standard. And so we have, in the case of the transportation sector, the federal government involved when it's a safety and security issue for individuals and organizations across the country, and that's both personal safety and also what I would call a regulatory liability issue. I mean, we couldn't have an organization like FedEx if we had every state managing the liability of the transportation sector within their state. And so we do need to evolve to a system where there is more of a blended responsibility between states and the federal government. It's going to take us a little while to get there. I know there's been a lot of talk of a federal data breach law. Unfortunately, I don't think it's quite that simple, of just federal preemption in the space. I think that would actually, I mean, it would obviously solve a lot of problems, but it would create a lot of ancillary problems. And so I think we need to, and we will over time as we understand how these breaches work and really what the damages are, and this is what the
courts are dealing with right now. Everyone in this room, I no longer ask the question who's received one of these letters, because everyone has. But the new question is how many people understand what the impact of a data breach is to yourself. Have you been personally impacted? Has there been any sort of loss of money? Has your financial score been hurt in any way? And that's a question that everyone struggles with, including the courts, with the exception of the Ninth Circuit, which seems to have its own opinion on this. And so that's where I think we're going to have to think about it: not really what are the rules, but what are the effects and the consequences. And so that ends our cyber-by-analogy component of the talk.

Thank God. No offense. So we talked a little bit about, yeah, David.

I think it's worth acknowledging that the reason we have 48 different state laws on data breach, for example, is states, some of which are tired of waiting for the federal government to legislate in this area, and some states are actually innovating in this. And I think that one thing that we should understand is there's a euphemism of states as laboratories of experimentation for a democracy. We should look across the 48 states and try and examine which states have innovated the most, so that if we contemplate any federal action at all we should try and learn from what the states have been doing. And I think that goes to a bunch of other policy areas, not just cyber.

How does that apply to the financial sector in New York, if at all, in your opinion?

Well, I think the thing with New York is not what they're trying to do, because I think much of what they propose is already in place in a number of firms due to existing law like the Gramm-Leach-Bliley Act and other regulations.
I think it's just the application and the level of specificity, and whether they realize it or not, I think there is dialogue with industry now happening on that. NYDFS, to their credit, said we should coordinate with other entities and we should put this out for comment, and they have sought comment. Some of what they propose may actually undermine innovation which may enhance security. For instance, there's a requirement to encrypt all data regardless of where it stands or what's in it; everything needs to be encrypted. Well, there are actually newer forms of security, like tokenization, that people are exploring which may be more secure than encryption. We also shouldn't forget the fact that with quantum computing and machine learning, very soon many of the encryption codes that we have today may no longer work. So putting something that specific in a regulation can quickly become outdated and have the unintended consequence of stifling innovation. So I think, to David's point, the states were getting tired of the federal government's inability to act, and in many sectors that's true. I think for those like financial services and energy, who by their nature are regulated from day one, it's somewhat more complicated. But setting that aside, the states really have sought to protect the consumers and protect their industry, because if something goes wrong it is in their state; they're the ones that have to respond to that. And I have a deep appreciation for governors and the state mechanisms that are there to really protect their citizens and respond to this, and they are trying to do what's right. So I think everyone's head is in the right place; it's just sort of being cognizant of what came before you and what's happened to your left and to your right.
To your point about the dynamism of best practices, and then you update that, and then juxtapose that with the rigidity of bureaucracies and therefore regulation: as you mentioned, one of the potential cures to that ailment that has been proposed here in DC and elsewhere is the concept of cybersecurity insurance, in lieu of or in complement to regulation. Coincidentally, cybersecurity insurance, or insurance writ large, is regulated at the state level. And David, I know that you've been working with DHS lately with the Safety Act sort of RIA, and I know that you've been thinking hard about the way in which the federal government liaises with the states, especially around insurance regulation. Could you talk a little bit about what's going on there and whether it provides a decent model for the way in which the federal level and state level interact?

Well, just a quick acknowledgement that insurance is one of those things that has been proposed as a source of solutions for cybersecurity risk management for many years, but it's systematically underperformed, in that we don't actually have broadly exploited or deployed insurance vehicles or mechanisms for critical infrastructure or industry to buy low-cost, efficiently provided insurance coverage for cyber breaches or broader integrity risks to critical data or critical systems. Now there are some reasons why that's true. I'll just focus on one right away, which is the most commonly cited one, which is the absence of actuarial data on risk exposure, the absence of a robust data set that can show you which risk mitigation behaviors will have the highest return.
Absent that, writing policies or pricing policies for cybersecurity risk insurance is very difficult, so you get niche policies, you get very slow growth in the amount of insurance policies that are written in this area, some progress especially recently, but not the broad insurance market that many people envisioned in the earliest days to allow critical infrastructure and private markets to take care of cyber risks without a substantial level of federal assistance. Now there are some areas where I think some progress is possible, and one is that the Safety Act, as was mentioned, is a very old program, in the cyber domain anyway, which means it's more than ten years old. What it does is it provides a liability cap to people, in non-cyber areas I should say, because its use in the cyber area is embryonic and in proposal. It provides liability caps for those who undertake measurably useful risk mitigation behaviors: plans, equipment design, and equipment purchase and deployment in areas for counterterrorism. So the NFL is using the Safety Act for stadium security and for active shooter programs and evacuation programs regarding its particular fixed facilities. Other critical infrastructure are using it as well. In order to gain Safety Act protections or liability caps, one has to show that one has an actual, measurably useful program for protecting citizens and assets from exploitation. Translating that to cyber would mean that you would have to have a concept or a protocol for evaluating real cyber preparedness from non-real or perceived plans; perceived plans actually don't mitigate risk, and that's where, in a sense, the rubber hits the road. What are the characteristics of a real cybersecurity program that can mitigate risk against different classes of threat? After all, most of the niche risk insurance that's written has huge carve-outs; incident cyber events are not covered, and many of those carve-outs cover nation-state-level threats.
So if one thinks that cyber insurance is a way to mitigate that class of threats, probably not in the current context. So what could the federal government do about that? Now, I was reading a paper this morning by a friend of mine, Rob Knake at the Council on Foreign Relations (sorry, a competitor; not a competitor), that proposed preemptive, federally backed insurance for critical infrastructures, based on sort of being an insurer or backstopper of last resort. I was reading it this morning. He continued that proposal by proposing something that is actually in the commission report, which is a sort of cyber incident data analysis and repository: in return for qualifying for this sort of insurance, one would have to provide access to incident data and sort of root cause analysis on any cyber incidents, which, distributed across sectors and across time, would build an actuarial data set that would allow better and broader insurance products to be sold to critical industries. That strikes me as something that the Safety Act, which up until very recently has concentrated on physical security risk, expanded into cyber, could perhaps give us some progress on, something that's been long cited as the critical market-based solution for an area where we can't really regulate quickly or easily or efficiently. That is, increased availability of critical infrastructure data on actual breaches, actual cyber incidents, as a way to build up a data set upon which risk calculations can be made. There are a number of areas where that might be applied, but to bring this back to the states: the states do regulate in many areas, non-cybersecurity, for safety or environmental protection or for emergency preparedness and for disaster recovery, many of which resemble risk classes that cybersecurity might overlap with.
How about the states at least seeking to... I might add, in those areas regulation leads to mandates, and one of the differences I have with this report is that it continues the current administration's focus on voluntary measures as a way to deal with strategic critical infrastructure problems. I think that is an approach that is probably reaching the end of its useful life, and that we need a different balance between voluntary measures and mandates. The states in many other policy areas have already bitten that bullet. Voluntary environmental regulation at the states is not exactly the leading approach. Voluntary safety regulation is not exactly the leading approach in much critical infrastructure oversight at the state level. In cybersecurity, I think it's an open question whether that should be the approach that the states adopt, absent federal legislation that is much more pervasive than what we got this year when CISA was passed. So for the purposes of insurance, critical infrastructure cyber risk management, perhaps the states might use access to an insurance vehicle as a quid pro quo, in a sense, for those who seek insurance providing critical data, and then you get right back to the creation of a data set that might be used by insurance risk pools to try and get at a conceptualized market mechanism for buying down risks. Again, this is not regulation as much as it is framing a market opportunity for risk mitigation by the states, leveraging experience they have in other areas.

Go ahead, Evan.

Yeah, sorry, if I could say, like, a two-finger comment, because I agree with David, and I'm both pro-Safety Act and pro-insurance, since I actually am actively working on a few Safety Act applications that are cyber right now, and have for a while, and also, of the 300 data breaches I've done, a good percentage of them have been covered by cyber insurance.
So I think actual data is great and will help the insurance companies make more money, which is good, and offer more policies, and then they'll be able to insure more companies. So I'm good with that sort of whole OODA loop. But the other aspect of the cyber insurance market right now, and this is especially true for the financial services sector and other sort of core critical infrastructure sectors, is during the underwriting process companies are required to review their infrastructure, their policies and procedures; they are actually required to do things to make sure that they are ready for cyber insurance, and that is critically important, because I think the cyber problem isn't that much of a technology problem as it is an attention-to-the-problem problem. And by that, the more we can get boards and CEOs, and that's why the creation of a CISO is so important, the more focus you get on it and the more money you spend on it, the more likelihood it is for companies to be able to better manage their infrastructure and better survive sort of modern-day cyber assault. So what we're seeing coming out of insurance companies, to be very specific, is reviewing policies and procedures, making sure that companies have a response plan, the single most important thing a company can have, making sure they have core governance, do they do annual pen tests; these are all things that are happening during that underwriting process, and that's good for everyone. And that's why I do think, I think they said there's about a two to four billion dollar addressable market right now in the cyber insurance field. That's fantastic, and as more companies go through this, I think we'll see it improve. But as I said, I'm pro-insurance.

So we could quickly... Yeah, two to four billion, in a 17 trillion dollar economy, when you have
critical infrastructures that have tens of billions of dollars of turnover, trillions of assets at risk, and hundreds of millions of citizen customers, is minute relative to the size of the problem. So much as I think everything should be tried, I think that for insurance to really flower in terms of meeting its potential, we need to change, and that change, if it's not going to come from the federal level, needs to come, again back to the experimental laboratories of the states, perhaps from a state constellation, states and the private sector. But there's a lot of public-private partnership potential here to put together these mechanisms that can move the needle a little bit more, so that we can talk about tens of billions of dollars' worth of insurance being written versus two to four, which, to be honest, in an economy our size is a little embarrassing in 2016.

We could quickly... I was, yeah.

So insurance is really one avenue, but I think the other thing here, which is almost quicker, is, for a number of our CEOs and the boards that are actively engaged in this, you need to start thinking about security as a business enabler. This is critical to the functioning of state economies. So whether it's working from the governor's bully pulpit, working with local chambers of commerce, I think just that educational role, like, hey, if you're the owner-operator of a business, are you connected to the internet? Probably. Do you want your business to continue to function? Probably. Well, you should probably do some basic due diligence on cyber. I think it's kind of a basic thing, just from a personal standpoint, if you're a business owner, that there are some good, easy steps you should do, and I think that states have potentially the best opportunity to help local businesses with that. I mean, the vast majority of our businesses are small and medium enterprises. They're at the state level, they're at the local level. That is a perfect opportunity, and it falls
short of any... even for states to pass legislation or regulation takes a long time, so I think this is a much quicker hit that would get us all, again, closer to the only precautionary principle there is. Then we're going to continue to end up with this tobacco road approach to cyber. I'm not saying that's necessarily bad, but...

And I agree that it's the fastest and quickest way to get people going. My brother's a doctor and has his own IT system; the first thing I did when he started practicing was get him out of the IT practice and say, go hire someone to do this, you're a good doctor, not a good IT manager. And so I agree. I just am concerned about what that looks like five years from now when we have every state and local... just to create our tension on the panel.

That's a way of approaching it from more of a "this is enabling your business" as opposed to "here's a specific cyber requirement that you must do", putting more of the onus on the individual. And the individual responsibility piece is one that we haven't touched on too much here; it was highlighted in the cyber commission report, so I'll leave it at that.

So we could talk about insurance and risk management for literally days. One quick thing to tie it up, David, and then we're going to move to questions from the audience.

I'd just note that, much as I think jaw-boning people into better individual cybersecurity behaviors is always useful, and I do want the states and everyone else to do that, I would note that we have been doing that for a long time to large portions of the American population and more broadly, and we don't have the use case for where that succeeded, so much as we should do that, but we need all these other things as well. And I personally think that shifting the risk to individual users, expecting their personal behavior and heroism to make up for the problems in devices like these, which are shipped broken, is really not going to scale very quickly or
very well.

So, quickly, because we've already run over, let's take a couple of questions from the audience. We're going to take them all at once. We'll go right up here in the front.

Terrific panel. My name is David, I'm from the National Governors Association, and it seems to me there are two types of regulation. There's the proactive one, such as the NRC regulation that says you have to do all of this and if you don't we will de-license you and you will be out of business. Then there's kind of the retroactive-looking regulation, which is more like the FTC, where they say, okay, you've got to do reasonable stuff, and you don't have to report to us what you're doing, but if you screw it up and we find out you weren't doing basic stuff, we're going to penalize you. And I wonder if the FTC approach is a way to avoid the policy compliance issue, where you're having a lot of your security people focusing on reporting requirements, having them focus on the security instead, but there's still the incentive to implement basic security measures, because if something goes wrong then the regulators come at you after the fact and say, well, now we're going to penalize you a lot harder than we would have otherwise.

So I'm going to take two more questions and we'll answer them in our final statement. So if we could go right here in front, and we'll go back to Sean in the back there.

Hi, my name is Karate, I work for a major cloud provider managing a cloud bank, so this is very near and dear to what I do every day.
My question is, with respect to underwriting and insurance, has anybody thought about using the flood model of FEMA, how they underwrite insurance? And then also possibly talking with something like the Small Business Association: if there are all these small and medium enterprises out there and they give money out to these businesses, they could actually guide them using SCORE and independent organizations, basically, to provide prescriptive guidance, as opposed to prescriptive, and things of that sort.

And then one last one in the back, in front of you there.

Thank you. Sean Kanoka, I'm an independent attorney. We've heard discussion of the finance sector, energy sector, transportation sector. I'm curious if the panelists feel there are other sectors or critical infrastructures that aren't getting the attention they should be, either at the state level or in the new presidential commission's report. Last time I checked there were 16 critical infrastructure sectors by DHS. Or any sectors that might not be listed as critical infrastructure but should be, perhaps Twitter.

So we've got three questions. I'm going to ask each of the panelists to respond to anywhere between one and three to wrap it up. We'll start with David: the proactive checklisting versus the penalties in the FCC approach, the FEMA flood model for insurance, critical infrastructure.

I'm less familiar with the FTC versus NRC contrast; that's an interesting contrast. I would say that one problem with retroactive is that that can mean that you actually can proceed with very few actual performance-based regs against which you would then judge retroactive performance. And that's a question: do we need fewer regs in cybersecurity, or do we need fewer best practices in cybersecurity against which people would have said? Intuitively, I think that's not what we need more of. So I guess that pushes me towards NRC, which is very, very restrictive, very prescriptive, and probably not optimal either.
So I'm not sure where you should fit on that continuum. On the flood insurance point, this might be the first time I've heard flood insurance praised as a model for national policy. Well, as a flood insurance policyholder in Florida, I'd say I appreciate that. But flood insurance as a model for cyber is not something, especially given the incentives issue we have with flood insurance in this country, I'm not sure that's an approach I'd say a bit more for cyber. I guess I favor more one based on actual data on measurably useful procedures for risk mitigation, and holding people and entities accountable for risky behaviors once we identify what they are, and writing insurance based on that. I think scaling, in sort of the way I discussed earlier, is probably a better way to go. Last point, quickly: sectors that we haven't talked about yet that aren't in the report. I think, given recent events, not treating the nation's election systems as critical infrastructure in some way, through a federal policy that takes that seriously, is a serious omission in this report. I'm sure there are reasons why the report chose not to weigh in on that issue. I think that the states run elections in this country; states, local, territorial and tribal jurisdictions do. And in recent events we've had the federal government assist the states in cybersecurity of those infrastructures and keynotes. I think that's something that we need to do more of. There's a lot more lessons learned to be had in there that don't fit in this panel but would fit somewhere else.

Other sectors not getting attention. I mean, we sort of think about it as the main three and then you start to funnel out from there. So the main three from my perspective would be energy, financial services and telecom.
And my telecom friends might argue with this, but everything that we're seeing from a cyber threat perspective travels over their pipes, if you will. So is there more information sharing and collaboration potentially with them in particular that would be helpful here for everybody? Some of them are trying to monetize that, which I think is kind of part of the issue. But that's a big one for me. I mean, as you start to look at innovation and things like self-driving cars, the transportation networks and all that I think become of increasing importance, and water systems, all that, from a health and safety perspective. But the election system is an interesting one. I know governors were talking about this with the federal government probably about two years ago, that there are potential threats. But I think the challenge there is states do each run their own, and the state secretaries of state that oversee that are oftentimes independently elected. So you've got a whole different network of communications that need to start happening. The flood insurance: I think the issue with insurance is, and what NAIC at the national level for states is trying to do is, start to collect more of that data. It's just that the industry's in its infancy yet. And so it's finding ways to collect more information on those threats and what happens. This is something that the FBI actually is looking for more information on as well from firms. But the issue in part is that those who put information in don't often see anything coming back out of it. And there is still the concern that if you're a private company and you are providing some of that information, that is going to come back to bite you if you don't have some additional higher-level safe harbor kind of provision in so doing. The last one, on the proactive versus retroactive regulations: that is an interesting way of thinking about it. I'd have to look more deeply at the NRC and FTC models.
I have heard some folks in our industry at least sort of highlight FTC as a better approach in some ways. Not that I think it's totally on the back end, because my understanding of much of what we deal with is throughout the life cycle, and regulators, when they come in on the back end, are looking through, and you have to show the documentation for everything you have done previously throughout that life cycle. You would get dinged on the back end if you failed to do something. But it is still sort of more risk-based and less prescriptive. Rather than "thou shalt do X", it is "thou shalt ensure that X is protected", which I think is a better approach to doing that.

Evan, quickly, if you can.

Yes, so on that first question, I actually started off my career as a geologist at the Nuclear Regulatory Commission. So I think their approach to regulating nuclear facilities is fantastic. I think if we're looking at what role regulations play, we really need to look at a multivariate analysis. And in short, I think it needs to look at a few factors. First of all, what is the goal of the regulation? If we look at how we're regulating, just sort of protection of data or protection of networks, versus increased reporting, versus actually decreasing the likelihood of there being an incident, those are all completely different sort of end points. And we really need to think about what is the goal of the regulation. And if we're just trying to drive up increased spending or increased reporting, we can do that very simply. If we're actually trying to, as the financial services sector has been for a while, actually cut down on the amount of incidents that occur, then that's a different regulatory model. And I think not all sectors are going to be the same way. And this is where, without making the multivariate analysis, it seems more complicated. We have a waveform that we need to look at for each sector, because each sector has a different maturity point.
And then, to answer both questions, the flood insurance and the sector question, at the same time: this really is a question of what companies are asked to defend themselves against. I still argue, and have since I was at DHS, that I work with a lot of pipeline companies, and all of them would be devastated by a single Scud missile attack. Yet none of them have a Scud missile defense program, because we understand that the Department of Defense will protect all pipeline companies from inbound Scud missiles, and that's not a reasonable expectation. But yet they have to defend themselves against foreign nation states on a daily basis. So, but we can't say that the federal government is going to take on that whole threat themselves. There needs to be some company responsibility, whether it's certain controls they need to implement or things they need to do. But there needs to be sort of a shared model of responsibility. And I think that ties into what an insurance program looks like, because there is a federal component to this and an individual company component to it. And it also varies by sector. I've long been concerned about the vulnerability of our national monuments and icons as one of our critical sectors, but I'm not really concerned about their cyber impact right now. So I think she got it right in terms of the sectors; I'd probably add defense and transportation as the other two sectors that are pretty important from my perspective.

And that is a great way to end. We ran a little bit long, but join me in thanking these three for a great discussion.

Thank you to that panel. Now, as you'll have picked up, one of our themes today is the importance of states in public policy. So we'll wrap up with a panel of people who actually work in states or work with states. And so, Dave, if I could ask you to come here. John, if you want to take the seat at the far end, you can. Okay, well, we're just getting settled.
Let me introduce the panelists. We have immediately to my right Dave Weinstein, who is the chief technology officer of the state of New Jersey. Previous to that, he was the chief information security officer of New Jersey and did various other jobs in the state. And before that, he did three years at Cyber Command. Hey, if I could ask people to be a little bit quiet, feel free to step outside. Next to him, we have Yejin Cook, who's the director of government affairs at the National Association of State Chief Information Officers. Previous to that, she was at the National Association of Counties. Tim Blute, who we've already met, is the program officer for Homeland Security and Public Safety at the National Governors Association. And finally, on the end, we have John Gilligan, who's the interim CEO of the Center for Internet Security, which amongst other things oversees the Multi-State ISAC, which is a major information sharing organization between the states. First of all, I want to sort of thank everyone for sort of hanging on, particularly the panelists, to this stage. I think we've had a very rich conversation, but there's a lot of strands we can pull on. I think the most effective way of kind of using this panel and summing up is to ask everybody, from your various different perspectives, what are the states doing well and what could the states do better? And feel free to range widely, but in terms of kind of focusing the discussion, you know, what can they take from the commission report and what will it be important to take forward? And let's go down the line. Dave.

Thanks, Ian. So just to kind of set the stage, I think it's important to recognize at the outset that states are indeed a very target-rich environment for malicious cyber actors, okay?
Whether it's the public sector networks, the executive branch of state government, for example, that I oversee in New Jersey, or critical infrastructure networks, there are a lot of very attractive venues for malicious cyber actors. And in many cases, I can tell you from firsthand experience that state governments know of these threats, to include threats ranging up to nation state actors, well before the federal government knows about it. So from that perspective, we've gotten better over the last few years at identifying threats, at detecting threats beyond just the perimeter. So it's one thing to be able to identify a malicious IP that's beaconing to Hong Kong or some other malicious place, but actually hunting within our networks to identify the so-called advanced persistent threat or anomalous activity, we've gotten better at that over the last several years. And likewise, we're getting better at sharing it, right? We're sharing it with the private sector, we're sharing it with partners like the Multi-State Information Sharing and Analysis Center, with the federal government and with other states. I think where we need to get even better is in the incident response realm and operationalizing the public-private partnerships that states have developed over the last several years, not just with critical infrastructure partners, but also those small to medium-sized businesses. I can tell you that in the state of New Jersey, we're uniquely positioned as a state government to interact with businesses in a way that the federal government could not possibly scale across the nation. And that's not a derogatory statement by any means, it's just the reality of the way we're organized as a local government entity interacting with key players across all sectors in the state of New Jersey.
So, generally speaking, getting better at detecting threats, getting somewhat better at detecting the more advanced threats and sharing those threats; need to get better at incident response, need to get better at operationalizing our public-private partnerships.

Yejin, NASCIO has produced this fantastic report over a number of years, which gives you an interesting sort of set of data. What have you learned from those reports, talking to the state-level CISOs, about not only what is working and what needs to work better, but also what is changing over time and what is failing to change over time?

Sure, thanks, Ian. Well, as Ian mentioned, we do produce this report every two years in conjunction with Deloitte, and I think you'll find in there a lot of great information about the trends in state cyber. The major findings from this report are that governor-level awareness is on the rise, which I think signals that CIOs, chief information officers, are doing a better job of communicating the threat and justifying their need for resources. As many of you know, state and local governments, unlike the federal government, have to balance their budgets. So what does this mean for us? Financially, we know that state governments are spending about one to two percent of their IT budgets on cybersecurity. So what are we doing well? I think what we're doing well is collaborating with our natural partners, and we are leveraging our existing resources to make the most efficient use of what we have. What we could do better is to communicate our challenges, and there are a number of them, communicate our challenges to those people who can make those financial resources available, such as state legislators and governors. Our job is not to go out; our job is securing the state network and all of its components, as Dave has already mentioned. NASCIO, we represent people like Dave, state CIOs across the nation and U.S. territories; they all suffer the same problems.
In this report, you'll see that our top challenges are insufficient funding and lack of people. We don't have the people to do what needs to be done, because state government tends not to be the most attractive place for young professionals and those graduating college, but we recognize that as a challenge. And just to quickly conclude on that question: what we are doing well is collaborating with our federal and state partners and those like MS-ISAC, and what we could do better is to communicate and justify the need so that we can get more of those resources to do a better job at securing our state networks.

Tim, you've thought about these questions in great depth, I've no doubt. What, from your observation, have you been surprised, if you like, to see that states are doing well, and what are the areas, not just that states need to do better, but that you think need a little bit more attention drawn to them?

Sure, so I've been really pleasantly surprised, and this builds off what Yejin was saying, by the level of not just gubernatorial awareness around the threat, but I'll call it enterprise-wide awareness. When we bring up this topic, when we're out meeting in states, I'm always really surprised to see budget officers at the table, governors, legislative counsels at the table, legislators at the table, not just the CIOs or the emergency response folks, which is, I would say, where the discussion was at maybe three or four years ago. You would either talk to the CIO or you'd talk to the National Guard or the emergency response, and they had sort of thought through, on the CIO side, how do I protect the networks, and then on the emergency response side, what do I do if there's a physical consequence? What we're seeing now is they're thinking about how do I budget for cybersecurity? How do I grow my workforce? How do I protect the university networks but also tie my universities to the jobs of the future?
You're seeing governors' offices really focused in on this, asking the right questions. Who's in charge? Who has authority? Who has responsibility? What does this cost? What does budgeting look like? So I'm pleasantly surprised at the level of attention and awareness around that. One area I'd like to see more attention being paid, and you're seeing it in some states, but I'd like to see more, is on risk-based strategy: not being as reactive, not just saying we've got a cyber threat, man, we've got to throw some people at it, we've got to throw some money or some time at it, but really taking an in-depth look and saying, what are the cyber threats that my state faces? What are the assets that I need to protect? What are the quote-unquote crown jewels? What are the assets I have within my state that I can deploy? Maybe I have got a great research university or a federally funded lab. What are those? And then how do I devise a long-term strategy that meets those threats, that deploys the assets, and also thinks about where do I want my state in five to ten years?

Finally, John, you've been at this cybersecurity business for some time, based on your experience at a federal level and now working very closely with the states. What do you think states can draw from the commission report particularly, as well as what you've been impressed by and what you'd like to see more of?

Okay, thank you. I would echo many of the comments that have been made by the fellow panelists. The perspective, though, that I would encourage is that I think when you look at the state and local governments, what you find is an array of performance. There are some that are doing extraordinarily well, and so we, in managing the MS-ISAC, the Multi-State Information Sharing and Analysis Center, find that some of the states and some of the local governments are just doing outstanding work. Our job then is to help harvest that and then share that with others.
However, as was mentioned, there are many organizations that, either because of a lack of just awareness but in many cases a lack of resources, really have not been able to make significant progress, and so in those cases they're sort of in what I would consider an equivalent to what we see across the nation in small businesses in particular and medium-sized businesses, who are just either not large enough or don't have the resources to be able to apply the type of rigor and the type of technical solutions that you would ideally like. So I think that's what we see, sort of this spectrum of capabilities. And my comments then, I think, would lead to, Ian, you asked what should be done, what perhaps in the report is able to be taken. I think in the Center for Internet Security, one of our fundamental principles is to make best practice common practice, and so one of the things that we have been spending a lot of time on, really since inception, is trying to identify what are the specific and measurable efforts that will make a significant difference in cybersecurity. And so as a result, we have developed a set of controls. These were developed out of partnership with the National Security Agency and a wide variety of organizations, and the controls basically align with the risk patterns that we're seeing nationwide, and so we are very strongly encouraging organizations. California now has adopted the Critical Controls as sort of a baseline for security. We call it sort of good hygiene.
As another example, just last week, the Department of Defense indicated that over 90% of the intrusions into defense networks and industry networks supporting defense are a result of a lack of basic hygiene. So all of the things that we talk about in terms of policy and risk management, et cetera, are good, but ultimately they have to get down to what specifically you're gonna do, and so I think that's where I would recommend things like the Critical Controls, which include fielding, for example, another one of the areas that we work, configurations for standard software packages that allow them to be more secure, as was mentioned in the previous panel. Software that is delivered today by our vendors is insecure, fundamentally insecure, and we have had a federal acquisition regulation for a long time now that says you will use the NIST checklist, which includes a lot of the Center for Internet Security standards, but they're not. And so I think there's a lot of fundamental, basic, good hygiene, good practice things that, in addition to what's already being done, I think would help move things forward.

So just playing off that a little bit, Dave, you are the Chief Technology Officer, having previously been the Chief Information Security Officer in New Jersey. Building off the commission's focus on research and development, what do you see as opportunities for states like yours in terms of using technology, in the realms of authentication and other things that are brought out in the report, that could make your job easier and have impacts for the people who live in your state?

Yeah, thanks, Ian. And I think John hit on a great point, which is that we really need to focus on getting back to basics and the blocking and tackling of information security and cybersecurity at the state level, particularly when we're talking about government as an IT enterprise or a business enterprise.
For us there's a lot of opportunity in that realm, and it really gets down to basic vulnerability management. We have tens of thousands of endpoints across state government, both in Trenton and across the state, across dozens and dozens of agencies, some very big, some very small. We need to get back to the basics of making sure that the software we're procuring is up to certain security standards and that we're continuously updating that software to make sure that it's patched to the latest vulnerability, or patched before the latest vulnerabilities. So there's an awareness piece to this, certainly, that we need to have both the threat intelligence coming in and the vulnerability advisories coming in, to be able to disseminate this information and share it with the right parties, but we also need to embed this thinking into the culture of our governments, whether it be within the IT department or on the business side. And my perspective, as a former CISO who's now overseeing all information technology for the state of New Jersey, is that we will never as a state have sufficient IT resources to manage this problem. And unless we equip the users, the people actually operating the endpoints, who are generally not security practitioners, with the information they need to lock down these systems, then we're gonna continue to be vulnerable. So the basic principles of vulnerability management are a huge opportunity for us within the state of New Jersey and, I think, across many states in the nation.

Tim, just sort of playing off that, can you give us some examples that you've seen in the course of the last year of states who are doing really great work in sort of key areas? Dave, as we know, has done great work in setting up the information sharing within New Jersey. But what other examples can people draw on as good practice to take away and look at in implementing some of the report's recommendations?
Sure, I'm not gonna miss the opportunity to applaud Dave's work in New Jersey, because what they started there with the New Jersey Cybersecurity and Communications Integration Cell has really become a trend. I can't tell you how many states we talk to, we go work with, who say they've heard Dave speak, they've looked at the New Jersey model and they wanna stand up their own integration cell of some kind. So that's one thing we're seeing nationwide. They're taking different forms, which I think is exciting, because what works for New Jersey isn't necessarily what works for Oregon or for Utah. But that's one thing I've seen, and there's probably four or five states currently, I know, that are looking into it. Some of them are information sharing, some of them are just policy integration centers, some of them are academic centers for research or R&D. So that's one thing I'm really happy with. I would encourage everyone to look at Iowa's cybersecurity strategy. One of the things I pointed out is that we need more strategies. Well, Governor Branstad asked his team to put together a comprehensive cybersecurity strategy. They did so, they had it vetted, they worked with private sector partners and with the federal government, announced that strategy, and that's really driving a lot of their cybersecurity decision making. And then on the last issue, and I'm not gonna call out any particular state, but I think around the response planning. Dave brought this up earlier; we've seen Michigan's on version two of their published cybersecurity response, disruption response plan. A lot of the states that we're working with are taking that as a model and beginning to draw out their own plans, accepting that it's inevitable that something's gonna go wrong in cyberspace for them, and this doesn't have to be an end-of-the-world scenario, it could be relatively minor, but something's gonna go wrong, so they need a plan.
So there are a lot of states working on drafting those plans, sharing those plans, and then, I would say most importantly, exercising those plans, so the first time they get used isn't when something happens. So just three sort of small trends, examples I'm seeing.

John, what are your thoughts on that? I mean, you're another organization that sort of sees across a wide spread. What are the things that maybe don't get seen quite so clearly from DC that we could learn from and other states can learn from too?

Yeah, again, I'd echo the comments that have been made thus far; they're all good ones. What I would add is, and I think this does tie back to the commission's report, the potential of providing a capability for those organizations in the state and local governments that either don't have the resources or the technical talent to be able to provide security, to have a cost-effective solution that they can get. Now, DHS has funded the Center for Internet Security to provide what we sort of call basic cable. We provide a managed security service for a subset of all the states, and we found that enormously valuable, and that's been helpful. But that same concept doesn't have to be CIS; it could be others, it could be done within the states. And it's parallel to the commission's report, which is suggesting something similar at the federal government level. It's saying we ought to consolidate our network management. Obviously, the reason for that is so that you can overlay security on top of that. And so I think that concept is probably the only way I see that we're gonna be able to really make rapid progress and to deal with the quote-unquote have-nots that really are gonna continue to struggle in this domain: to provide something that's cost-effective, where you benefit from the scale of large organizations. That's one of the things: DHS pays us a certain amount of money, so we have scale, we can do this. But other organizations could do something similar.
And one of the things that we have heard a lot about in sort of talking to states is this challenge of consolidating legacy systems and one thing and another. And, picking up on John's point, there's clear opportunities in consolidation and what have you. One of the things we've also heard is that there may be a role for the federal government in helping states sort of do this. What opportunities do you think there are for the next administration to help states help themselves?

I'm glad you asked that question. I'll eventually get to my point, which is about federal security regulation and harmonizing those. Exciting, I know. Take a little breath before we talk about that. But consolidation is a big priority for our CIOs, as Dave can tell you, because managing legacy systems, managing these old things little bit by little bit by little bit, is a waste of resources when it could be otherwise. When we're looking at an enterprise, that is the ideal situation we wanna have. We wanna have enterprise-wide security solutions and visibility. Dave can probably speak to his specific experience in that, but when we survey our CIOs, we ask them to list their top 10 priorities. For the past five years, security has been number one. And second place is usually cloud services or consolidation. Again, think about the background in which we work. We are resource limited. We are almost kind of a self-funded organization, because we're a charge-back organization. So we have to make use of those things that we already have. And in order to leverage our resources, we seek consolidation, because it allows us to see more than just the little pieces, fragmented pieces, that are kind of in existence today. So how can the federal government help us? Well, of course you can help us with grant funding. We would love that. Anybody who wants to find a few million dollars in the federal budget, come talk to us.
But another specific thing that the federal government can help us with is harmonizing disparate federal security regulations. Somebody, Heather, on the previous panel mentioned kind of the array of regulations by which the financial sector must abide. Well, our CISOs, Dave formerly being one, I think you can understand that there are several security regulations that our folks have to comply with that make the vision of consolidation a little bit tougher. I know we don't have a lot of time to get into all of those today, but just know that our CISOs have to not only deal with their own state kind of regulations, they also have to deal with IRS 1075, FBI CJIS, child support regulations, CMS, I mean HIPAA, all of those things we are dealing with on a day-to-day basis. Yes, these all map to NIST, but that doesn't mean there aren't problems along the way; when we are thinking IT, it tends to be a little bit of a barrier. So if we could work on the grant funding and harmonizing security regulations, I think we'd be really excited people.

Just to piggyback on that, that's a great point, and there is a key distinction here, that there's really a natural symbiotic relationship between IT consolidation, particularly for organizations that are heavily dependent on legacy systems, and enhanced cyber risk management and ultimately enterprise risk management. We in New Jersey certainly, and I think a lot of CIOs share this opinion, believe that we could drastically reduce our cyber risk by moving off a lot of these legacy systems. Not only is it cheaper, not only is it easier to defend, but the technology is simply better. We talk a lot in the IT space about everything as a service, so we have software as a service, we have infrastructure, platform as a service.
We're getting to the place in the security world where we're starting to offer, as enterprise IT service providers, cybersecurity as a service, and that cuts across all three of the other as-a-services, so SaaS, PaaS, and IaaS. Security has to be built in to the service offering, and we can get to that if we start upgrading our systems, consolidating and moving away from legacy platforms that are really hard to manage, really cumbersome to manage and expensive. The myth that old technology is safer because the hackers don't know how to break in is just that, it's a myth. There is really no data to support that, so we're working hard in New Jersey, and I know other states are, and NASCIO and MS-ISAC, as well as NGA, have been big partners, to really consolidate our infrastructure footprint and upgrade these legacy systems.

So I know at least one of our panelists has a hard stop, so I'm gonna very quickly check if there are any questions from here, and if not, I'm gonna end with one question and we'll come down the line. As a wrap-up: in the first session we heard about the report for the president, the commission report, and how that's gonna be taken forward. In the second session we heard about the role of states in building the national workforce, from education, from K-12, right up. In the third session we heard about the role, the often underappreciated role, of the states as regulators, and here we've heard a little bit about the role of states in looking after citizens' information and the critical infrastructure within the states. Given the perspectives that you guys face, what's the one request, suggestion, desire you have for the incoming Trump administration as it applies to sort of cybersecurity at the state level? And we'll start with John and we'll work down towards Dave.

I only get one?

You can have as many as you like, but I don't wanna keep you from dinner for too long.
So to me, the one area that is not addressed in the report, and it's absolutely critical, is that the federal government is probably the only organization that has significant clout to really deal with the fundamental insecurity that exists in the products that we buy, in our IT products. And so, both through the bully pulpit and then, I think, really setting expectations. So when I was a CIO, I wanted to get warranties on software, and I went to my lawyers, and the lawyer said, this is why you can't do that. That was a number of years ago. We need to move to that point where, if you buy software, you buy an IT system, you buy an internet of things device, you have an expectation of a certain level of security. And I think the federal government is the only place where that can start. I think beyond that, the recommendation that was in the report, in effect it was in the Homeland Security report, is to simplify. We have too much. Organizations are struggling trying to figure out, what do I need to do? And they get lots of advice and support. They need education in some cases, but then they need to know some simple things. What do I do that'll actually make a difference? So I think, and again I emphasize, we think that sort of fundamental things like cyber hygiene is really where you ought to start and grow from there. And there's lots of other things, but those would be the two that I would suggest.

Thank you.

I think my one main suggestion would add on to what I said this morning, which would be helping to clarify roles. I think when you ask a lot of the folks that we deal with who's the right person in the federal government or what's the right agency, for the same question you could get four or five different answers. So I think, in the process of continuing to elevate the cybersecurity discussion at a national level, encouraging the federal agencies to identify where their lanes are and to communicate that effectively across the country would be helpful.
And that can be both in law enforcement, in response, in information sharing, and then in regulation as well. I think there's just not enough clarity on who owns what piece of the cybersecurity policymaking, and then not enough communication when those decisions are made.

I think one thing that we would like to ask, and it wouldn't be money or people, is that we would like to ask for recognition that IT enables digital government. What people expect of Amazon, they will soon expect of government. And we would like to ask the Trump administration to consider states as partners, not top-down, not paternalistic regulation abiders, but we are really your partners. We implement your programs. And if you could recognize us as a partner from the get-go, I think we would have a much more successful nationwide and state cybersecurity posture.

Thank you, and to round up, Dave.

So as we move into this next administration, I think there's a real opportunity for the federal government to recognize that they can't afford not to leverage state governments for the purpose of threat intelligence and for the purpose of public awareness campaigns. As I said at the outset, we are a target-rich environment. We have a lot of intelligence that the federal government could leverage if it were shared properly and if those processes were in place. We are natural interlocutors with the private sector community in our respective jurisdictions. And lastly, I would say there is an often neglected conversation about the vulnerability of municipal and local critical infrastructure assets, whether they be water treatment plants or small electrical facilities. As we progress in the internet of things world, these critical infrastructure assets are increasingly interconnected with larger critical infrastructure assets. Right now, states are not very mature as it relates to helping to secure those municipal-level and state-level assets.
We need to mature in that space and do so in close partnership with the next administration. So thank you very much.

That's a perfect way to end. I'd like to just cap this off by thanking this panel, thanking our previous panels and panelists, by thanking you, particularly those people who've stayed with us throughout the morning and those people who've been watching on the live stream. We very much appreciate you being with us. I would also add that this is an ongoing project for us at New America. In the course of 2017, we're gonna work on a series of reports looking at cybersecurity at the state and indeed the local level, focusing probably less at the municipal, county level, city level, focusing on what the states and cities do themselves, their role in protecting citizens, their role as regulators and legislators, and fourthly, their role as enablers, focusing on education, economic development, what have you. And we're very keen to engage with anybody out there who is working on these issues and keen to engage in sort of public policy discussion around them. As I said earlier, we're also gonna continue to engage on the commission report and how that goes forward, and working with the new administration both in relation to the federal level and the state and local level. But for now, once again, thank you very much, and we look forward to seeing you again soon. Thank you.