Michelle Mosey: Good afternoon. My name is Michelle Mosey, the Senior Advisor Cyber Security at the National Security College. And today we have a very special guest here with us, Air Force retired Brigadier General Greg Touhill, the first Chief Information Security Officer of the United States government and current President of Cyxtera. Thanks, Greg, for being with us. It's really great to have you here, and to have someone with your deep and varied background across cyber be able to spend some time with us to talk through some of the major issues that are facing not only governments but industry today. So in leading with that, could you talk to us a little bit about your perspective on the cyber threat landscape today?

Greg Touhill: Well, the cyber threat landscape, Michelle, is very, very difficult right now. It's very challenging in both the public and the private sectors because our risk exposure is so high. As we've continued to march forward with the advance of technology into every aspect of our society, in our national economies, in our national security, our governmental institutions and even our societal institutions, the societal fabric, you know, social media, our education systems and the like, everything I believe is digitized right now. So we all share common risk exposure in cyber, and we have to be attuned to that risk, and we need to be able to thrive and survive.

Michelle Mosey: Right. So what do you think are some of the greatest vulnerabilities found within our systems and some of the policies, not only in the U.S. but globally?

Greg Touhill: Well, let me start with policies first of all. Having served at the high levels in the United States government, I've worked very closely internationally with a lot of our partners across the international stage, and I think our policies from government to government, when it comes to securing the people's information that the government holds and putting together a regulatory regime in the different nations around the world, are largely very much the same, because we have very robust information sharing, and particularly between the United States and Australia.

Michelle Mosey: Indeed, yes.

Greg Touhill: I think the real vulnerabilities come in the execution of those policies, and very often we write a lot of policies that don't get executed well and they don't get enforced well, and frankly I'm one of those folks who believes that you need to keep it simple. I don't want to have a policy that is like a phone book and 600 pages long, because people won't read it. You need to keep it simple, you need to train your people to execute well, you need to be able to audit, and you need to follow through.

Michelle Mosey: Fantastic. So we talked about training a little there, with your people. What do you think are some of the most critical elements that we need to train people in, in terms of executing that policy?

Greg Touhill: That's an excellent question, and as you take a look at your risk exposure, cybersecurity is really not a technology issue as much as it is a risk management issue. And when you look at risk, regardless of what business you're in, you look at people, process and technology coming together. So as you are trying to manage that risk, you want to invest so that your people, process and technology are current, that they're executed well, and you've got to take a look at what's the value of my information. Do I want to treat everything equally? I think the answer is no. You want to have proportionate defense. Your information has value, and you have to understand what that value is, and that's one of the great weaknesses that I see in both public and private sectors, where folks are trying to treat information equally and defend it equally, and that is a losing strategy right now.

Michelle Mosey: So in saying that, about the different approaches, certainly with all the media that we see today when there are intrusions into large banking or other large corporates, how do you start to have that conversation with senior decision makers in the organization and balance that with the range of media hype that is out there?

Greg Touhill: Once again, another great question, and frankly I have become multilingual when it comes to talking with executives. I have learned that, as a technologist who really likes to get geeky with the cyber gear and the hardware and software, that does not translate well in the boardroom. All too often in the past, folks were looking at the technology aspects and saying this is really complicated, we're going to give it to the kids in the server room to figure out and manage that risk. But really this is an enterprise risk issue, and that conversation needs to be in the boardroom. So when I go into boardrooms across America, for example, or in the highest levels of the US government, I started changing that conversation into language that they would understand and using the terminology of business. And every business is different; critical infrastructure has different languages as well. We technologists need to do a better job of articulating risk, articulating the technical issues into the language of the business, and I find that those who are able to do that successfully are the ones who are able to best manage cyber risk to acceptable levels. And you're never going to get to zero, you'll have to accept some risk, but as long as you are in fact managing it as a part of an enterprise risk strategy, you'll be more successful.

Michelle Mosey: Yeah, I think that's actually a really great approach, everything through the communication to speaking the language of the C-suite and the major decision makers. But let's take it that next step forward. When we start to talk about critical infrastructure, there's a lot of private and public information on critical infrastructure. How do we engage the public in this discussion around cyber security, general awareness, and sort of trying to raise the bar of the public's ability to not only understand but be engaged in the conversation?

Greg Touhill: Well, when I was running the United States government's National Cybersecurity and Communications Integration Center, I was managing the public-private partnerships for cyber information sharing, and the approach I took was that we are all part of a neighborhood. There are really no borders when it comes to cyber; I can reach out and FaceTime you from my home in the United States, or I can reach out anywhere in the world now. So we're really part of a cyber neighborhood, and we've got to take the approach of being good neighbors. What I did while I was in federal service in the United States was foster a cyber neighborhood watch, where we are sharing information. Within the United States we set up a construct where we were taking information that the federal government was getting through our research and development, our intelligence sources and our own experiences, and we would share that with our critical infrastructure providers, with the general public and the like, and we would go through multiple paths of information sharing. And on the same token, we would solicit information from citizens, from private sector critical infrastructure partners and the like. I don't believe that you can overshare information. I think we need to continually have that conversation and be good neighbors.

Michelle Mosey: Fantastic. So I guess let's turn the conversation a little more to some of the threat actors who are out there. Certainly in the roles that you've had you would have seen different approaches from criminal groups and state actors. Could you tell us a little about maybe some of the differences in approaches, or are they all operating from the same toolbox?

Greg Touhill: Well, frankly, you can just go online and order tools off the internet, and go to YouTube or another platform and download a training video on how to use some of these tools, and we're seeing organized crime syndicates leveraging vulnerabilities in hardware and software. But I'll tell you, as we take a look at the vast majority of cyber incidents that are out there, there are two major issues that we have to be cognizant of as we go to manage our risk. First of all, over 95 percent of the cyber incidents that my teams in the United States Computer Emergency Response Team, or US-CERT, would respond to were what I would call a self-inflicted wound. Folks were not properly patching and configuring their devices. Arguably, that particular threat vector could have been prevented had folks instituted things like proper cyber hygiene, keeping things current, and by things I mean hardware, software and people. So over 95 percent, you can buy down your risk just by paying attention to doing the right things the right way. In the business world we call that due care and due diligence. The bad guys that are nation state actors have toolkits that are pretty sophisticated, but rarely do they actually have to use them, because often we leave our own back doors open by not properly hardening our workforce, by not configuring our systems, by not properly using the tools that we already have. Many organizations go out and buy lots of hardware and software that is really quite good when properly configured and used, but we don't read the instruction books very well and we don't execute. And when I was in my official capacity I would tell my folks, we need to execute or be executed. If more people would pay attention to the details, I think we will buy down our risk, and then we can manage ourselves and make sure that our infrastructure is better protected.

Michelle Mosey: I think that's a really interesting point, and I'm all for educating people and training them and actually raising the bar to make it difficult for the more nuisance-type activity that goes on, which seems to cause a lot of the damage because we don't have that, as you say, cyber hygiene. But as we move forward into the brave new world, with technologies coming online every day, and we move into the internet of things, a much more interconnected world, cheap, easy, lots of devices online, we put more onus on the individual to actually start, well, they have to look after that. So is there a role for manufacturers and/or governments to actually start to look at standards for making this kit, and not so much taking the responsibility off the individual, but helping manage it further up the pipeline?

Greg Touhill: I don't think it's just a role, I think it is a responsibility. And as we take a look at how everything is interconnected, this becomes an issue for national prosperity, national security, public health and a whole host of things. So I don't necessarily think that buyer beware should be the rule of the day. I think there should be responsible manufacturing, I think it needs to be secure by design, I think that we need to have that information sharing so folks can understand where strengths and weaknesses are. So as manufacturers are actually going out and producing products, we don't want to stifle innovation, we want to help accelerate innovation, but I want to make sure that things are secure by design. I want folks to think like a hacker as they are developing their requirements and building their products, the hardware and the software. I want them to think like a hacker about the person who's going to use it. I want people to think like a hacker as we put together our training and education programs, so that we can keep our people current, but also our processes current and our technology current. I want to make sure that our architectures are flexible and resilient, so that we have segmentation such that we can take a punch and keep on going when a person makes a mistake or, you know, we have a hacking incident. We don't want to put all of our eggs in one basket, because our livelihood, our national prosperity, our national security in every single country around the world now depends on a secure and trusted platform. And frankly, I'm one of those folks who has a zero trust model. I'm very suspicious, and I want to make sure that I in fact do have that segmentation so that I can take a punch and keep on going.

Michelle Mosey: Yeah, I think you've actually summed it up really well, everything through from training to a cyber community to actually building for secure by design, because there's a role in this for everyone. There's a role for government, there's a role for industry, and there's a role for the everyman on the street, in order to enable that economic prosperity, not only for Australia here but certainly for our big partners and globally, because as we know we are interconnected more now than ever. So on that note, I would like to thank you very much for spending a very short time with us and talking through some of the major issues. Thank you.

Greg Touhill: Thank you, Michelle.