 We're very fortunate today to have the commandant of the Coast Guard with us, so you all must know that at one time the United States had only one military service, and that was the Coast Guard. I think it was called the Federal Revenue Cutter Service. Revenue Cutter Service at the time. We decided we didn't need an army and a navy, but we did need revenue. And it was the Coast Guard that ensured that. And I think it's a bit of an insight into the unique qualities of the Coast Guard, because the Coast Guard is more than a military service, it's a law enforcement service, and that makes it absolutely unique in the American landscape. It gives it unusual authorities, it gives it important insights, and it's really a leader behind the scenes that most Americans don't appreciate and understand, and Admiral Sakunf is going to go through some of that today with his discussion with us about this unfolding dimension of cybersecurity for in the maritime domain. And he's doing some very creative thinking about that. We're very fortunate that he's willing to share some of this with us. Before I turn to him, let me just say, before when we have public events, we always give a little safety announcement. I'm your responsible safety officer. I'm going to make sure everybody is safe here today. If we have to evacuate this space, more likely than not, we'll go through this exit door behind me, the exit stairs right there. We're going to go downstairs. If it looks like it's best to go the back, we'll go across the street, and we'll meet at the National Geographic. They've got a nice courtyard in there, otherwise, if we go to the front, we'll go across to the park. And I will take headcount there, and then we'll try to figure out how to entertain you once we get there. So please follow my directions, OK? That's the one thing I ask. Again, I would say we're very grateful that you're here, this remarkable service, the Coast Guard, which is at its battle stations every day. And America is the great beneficiary of that. So would you please, with your warm applause, welcome the commandant of the Coast Guard. Have a good day. Thank you very much. Well, good afternoon, and just seems like yesterday I was here addressing a similar audience when we rolled out our Western Hemisphere strategy. And I'm going to come back to that later on in this discussion. But when I came into this job a little bit over a year ago, I recognized the fact that we operate in a number of domains. And obviously, we've been operating on the sea since 1790. But I remember back in 1982, and I was standing, I was a search and rescue coordinator, and a desktop computer arrived. And I had a game called Rats on it. And so we would play Rats on it, and we said, I'm not sure what this is going to do. It gets in the way, it disrupts our operations. I had a clerical staff of about seven or eight, and they all manned IBM's electric computers. We were state of the art at the time. But we were anything but when it came to networked and information sharing across a global domain. So fast forward now in 2015. If you show up for work today and your Android phone doesn't work, your iPad doesn't work, if you're working in a secure environment and you can't share networked information, then you might as well pack it up and go home. And so the Coast Guard has evolved since 1982 and obviously since 1790. But we never addressed how do we operate in this domain? So when I first look at cyber, cyber is not a mission. It's a domain that we operate. If you own an iPhone, an Android device, an iPad, any wireless device, then you operate in the cyber domain. We are one in all cyber operators. And so that is a fundamental skill set for every member of the Coast Guard. In order for them to be operators or maintainers, intelligence specialists, they have to be savvy in the cyber domain as well. So as we looked at how do you develop a cyber strategy, I look at it not just from a Coast Guard aspect, but really from a private sector, a public sector. How would you address cyber in the 21st century? And so we came up with three domains that are not unique to the Coast Guard, but to anybody who can spell the word cyber. And it really begins with you need to defend your cyberspace. So what does that mean for the United States Coast Guard? We have very distributed workforces and our weakest link in all of our systems. It's not our architecture. The Coast Guard operates primarily in the dot mill domain. We operate under dot mill. But we work across the dot gov, the dot com, and even the dot edu domain. So we work across a number of domains. But when it comes to protecting this domain of ours, the weakest link in all of this is my human resource capital. It comes down to what I call cyber hygiene. And we see that not just when the Coast Guard, but we see that throughout every organization. When I visited an LNG facility, and I'll get to this a little bit later in terms of protecting infrastructure, and I talked to that facility operator. They have fences, they have lighting, cameras, everything. And I said, it looks like you have an impregnable facility, but guess what? You're not. And they said, how so? I said, well, who do you have protecting your facility internally and externally against zeros and ones that may threaten to take down your facility? So it is a daily occurrence in the US Coast Guard where we have an internal patch that we need to apply because somebody took a shortcut. They are smarter than the guidance that we provide them that say you shall not do this. But folks go ahead and do that, and then they compromise our entire system. So as we put our cyber strategy together, I said, well, what workforce do I need? What subject matter experts do we need within the Coast Guard? Because we don't have a cyber specialty. But we've created just recently a cyber command within the US Coast Guard. Now, it's 70 people. It may not sound like a lot, but they can have awareness across our full operating domain in cyber within the Coast Guard. So daily they can look at where those potential leaks are, malware that may be introduced, and then go out and fix it. And so I can do that with 70 people, but I reprogrammed different specialties within the Coast Guard to create this cyber group of experts of 70. But I never built it into my program of record. And when I tell these 70 folks, I need for them to stay in this job for perpetuity. Don't do this job for three or four years like we often do in the military. And then when you get tired of that job, you take up another hobby. You really need to be specialized, and especially in this field of work, because it changes so rapidly that you need to have folks keeping pace with the changes that take place around us. I just think when Tom Friedman wrote the book, the world is flat. He wrote that book in 2005, and then a year later, he had to add a special appendix to it. And then he just recently wrote, the world is flat 3.0. But in 2005, the world Twitter, Flickr, and Facebook did not exist. So I mean, that's how fast technology is changing. And so if you think you could have something doing part-time cyber work, and then come back four or five years later and pick up where they left off, they've missed the train. So this strategy helps me drive the human resource capital that I need to stay conversant in cyber and to stay one step ahead rather than three steps behind this ever-evolving domain that we must operate. So protecting our cyber domain within the Coast Guard, very internally focused, is a key requirement for me as the commandant. The second area within the strategy is enabling operations in the cyber domain. And let me just give you an example of just over a week ago, we were able to interdict six go fast vessels over a 36-hour period over an area the size of North America. These go fast are not much bigger than the stage that I stand on. And I don't have an armada of ships out there. Trust me, I wish I did, but I don't. But I was able to vector aircraft and ships across an area of North America. I'm talking all of Canada, all of the United States, right down to the Panama Canal, distributed over that area. And we were able to interdict all six of those vessels and remove over four tons of cocaine within a 36-hour period. That would not be possible without our ability to operate in the cyber domain. And it's not just the Coast Guard operating in that cyber domain. In this case, it's the entire intelligence community. It's our international partners as well. And then how do I get real-time information into the hands of operators in advance of an adversary that clearly does not want to be found by the Coast Guard? On the flip side, we certainly use cyber for search and rescue. We encourage mariners on all vessels, especially going on international voyages, to carry a beacon. And if you're in distress, I will find you. But I will not find you if there is a disturbance in the cyber cloud, if you will. And so it's a key enabler for us to go out and save lives at sea. We have an armada of ships, if you've been following the news, heading out the Straits of Juan de Fuca, as I speak. Yesterday, we had protesters and kayakers hanging on anchor chains. As Royal Dutch Shell awaits the final permitting process for them to drill in the Chutch Quay Sea in a very remote part of the world. Now, what if something happens up in the Chutch Quay Sea? One, I'm sending an armada of Coast Guard ships up there as well. But if I need to send in reinforcements, if I can't operate in the cyber domain, we could see a catastrophic failure, loss of life, a major oil spill. And when I go back five years ago, during the Deepwater Horizon oil spill, I was the federal on-scene coordinator for that for seven months. And the public imaging of this really wasn't a home run for the Coast Guard at day one. And so we worked with NOAA, and they developed an application. It was called the Emergency Response Management Application. And you could use all of the elements of GPS encrypted photos. You could provide about five layers of information. And then we decided, hey, let's put this out on the internet. So people could navigate through it, not wait for the next CNN newscast, but they can manipulate this information and assimilate what is happening with this oil spill and not hear it from me because they don't trust me, perhaps. But we put it out on the internet, and within 12 hours we had 200,000 hits. As well, that's not too bad. The next day, it was 2.5 million. And then the public trust level went up as transparency of information went up as well. But again, I would not be able to enable that operation if I wasn't able to fully enable the cyber domain as well. So it applies in disaster response. It applies in search and rescue. It applies in law enforcement. So it really applies across each and every one of our skillsets as I look at where and most importantly how the Coast Guard operates in the 21st century. Now the final piece, the third, so we do things in threes just like sermons. So we protect our infrastructure. We enable operations. Then we protect outward looking our national critical infrastructure in the maritime domain. Now why would we be interested in this? If you go back to the Maritime Transportation Security Act of 2002, it provided sweeping authorities for the US Coast Guard to enhance physical security at all of our facilities that do international trade. There's over 3,500 facilities in the United States and the vessels that call upon them. And so facilities were required to generate facility security plans as did vessels and there was grant money, fences went up, cameras went up, twit cards were issued, but within that security vulnerability is cyber as well. Now if you look back about three months ago there was a work slowdown on the west coast through the ILWU and I happened to be flying over LA Long Beach right at the height of this and there were 46 container ships at anchor offshore. Now about a third of those container ships were destined to New York, the containers themselves and then those containers were destined for Bremerhaven, Amsterdam and to the EU to feed their just-in-time inventory. The other third of those were destined for the Rust Belt, the manufacturing floors of the United States. And so when you look at a port slowdown and then a ripple effect of that in terms of our global economy, this was a manmade slowdown in our maritime commerce. But every second Intel Corporation produces 5 billion, with a B, 5 billion transistors per second. Now say maybe .001% of those transistors has malware. That still means you have over a million transistors with malware that have now been introduced into the cyber domain. Now if you go to a container facility, many of these operate on SCADA network systems. About 90% of that terminal is run on automated systems, very dependent on a GPS signal as well. And 90% of our world's commerce, our nation's commerce, goes through these very same seaports. So you've got 90% commerce, 90% automation. What if there's a slowdown in the maritime domain due to a cyber event? And we might ask ourselves, well what is the likelihood of that ever happening? Well, it's great, I can't make this up. You know, we have Sony, now we have what's happening with OPM. And in many cases, this is just not providing good cyber hygiene at some of these facilities that now make them vulnerable to infiltration by folks that may want to cause that unit harm. I look at the potential that the United States sits on right now. We sit on 20% of the world's natural gas and we are just now building the infrastructure to export LNG. And a market niche that the United States has right now is in the Asia Pacific market. At a point in time when the Panama Canal expansion project will be complete next year, it's 180 feet wide at its expansion point. It will take ships initially up to 160 feet wide. It will take LNG carriers through the Panama Canal. A huge growth potential when you look at what is currently a trade imbalance for the United States where we can reset some of that balance. But when you think of the United States producing now exporting LNG, and what is modern warfare going to look like in the 21st century? Do we have adversaries among us today at a national level? Forget about the non-state actors, but at a national level. And I think we can all answer that question. And so right now who has the natural gas market niche in the EU and in parts of the Asia Pacific region? It's not us, it's Russia. And so what if we're now taking some of that market share? And what if tensions escalate between us and Russia? Does Russia conduct electronic warfare against our military? Or might they want to conduct electronic warfare against our critical infrastructure? So that is another example where we need to protect our infrastructure. And there's a case not that long ago. A mobile offshore drilling unit, they rely very heavily on dynamic positioning systems. And this mobile offshore drilling unit, it drove off the well site because malware was introduced into the server because employees aboard this modu thought they could access anything on the internet and malware was introduced. And now you have this mobile offshore drilling unit, think the deep water horizon because it's in 7,000 feet of water, drifts off fortunately the blowout preventer kicked in and it shut it down. But we've seen examples where this has happened in the maritime domain as well. So protecting this infrastructure, absolutely critical. And again, the Coast Guard has very unique authorities when it comes to that. So let's look at this mobile offshore drilling unit that that's driven off. Now right now there's no requirement for them to notify the Coast Guard. And so we've done a lot of outreach and are continuing to do so with our maritime stakeholders that if you see or more importantly sense something, say something. We have area maritime security committees at all our major ports. Just last, not even a week ago, I met with all of the stakeholders in the ports of New Jersey and New York. We had the commissioner of police there as well, over 300 people in attendance. And so we talked about cyber and in fact their awareness that if they see something notify that sector commander. What that sector commander in turn will do is notify our Coast Guard cyber command who in turn will notify within the Department of Homeland Security, we have the National Cyber Center, Communications Information Center, it's the end kick. It's easier to say the acronym than it is the long name. And the Coast Guard has what standards at the end kick as well. And what this does, it looks at the various sectors in the United States. A sector being maritime financial energy. In this case, we have an anomaly in the maritime sector and say it's, in this case, maybe it's New York. And then suddenly now it's in LA Long Beach and now it's in Oakland and now it's in Tacoma, Washington. And what we're seeing play out is a synchronized attack against our maritime transportation system. And so now the end kick has this awareness is that we are under attack and we better alert our financial systems, our energy sectors and others. And so this is right now an awareness. And then what do you do now that you have awareness? The Coast Guard is also integrated into US Cyber Command and I have a Coast Guard flag officer that works over there. And so there's a very strong lash up with DOD. And at this point it comes down to assigning attribution. Who did it? Now who did a piece is really challenging for us quite honestly. Maybe you can pinpoint a transmitter from where that signal was sent. But you can't verify that somebody sitting under the roof of that transmitter was in fact the sender. Someone could have remotely accessed that transmitter from another remote device and set up that other transmitting site as the perpetrator, whereas the true adversary remains unknown. So assigning attribution is not necessarily a black and white regime. And then once you do assign attribution, then what do you do about it? And so when we looked at the Sony attacks and I was involved in some of these discussions and they go up to an extremely high level when it comes to what do we do about it? And so if you look at mutual assured destruction, if we counter attack what might somebody come back with us? When will they look for that other chink in our armor? You know it may not be going toe to toe with dread knots but looking for the weakest link in the chain. And so when you look at cyber, where are the weakest links in the chain across our entire cyber domain? And that's a bit challenging for us to be able to determine with absolute certainty that we know where every one of those weak links are. Recognizing that the biggest weak links are the many operators that we have in that cyber domain that don't exercise good cyber hygiene, if you will. So those are the challenges, those are the opportunities but as I stand here as the comment on the Coast Guard I said, well I can't do this alone. And so when we rolled out the cyber strategy we work closely with the Department of Justice. FBI has a key role in cyber. We work closely with the Department of Defense and US Cyber Command. We work very closely obviously with our department and then within NPPD who ultimately holds the cyber watch, if you will, for the Department of Homeland Security. So this was not a go off into a dark room and come out with a cyber strategy but let's cross walk this as a template that others may look to follow this very same template of how do we approach cyber in the 21st century but recognizing that this is a domain that is going to be as natural as breathing as I look at the future of the Coast Guard and not the Coast Guard of 1982 nor the Coast Guard of 1790. So with that I really look forward to opening it up to question and answer and again I thank each and every one of you. I especially thank you for opening the doorway here so we can provide seats to others and I know we have folks out in the audience as well. So Jim I'm gonna turn it over to you. Thank you. Thanks. I'm Jim Lois, I work here, here's the drill. You get to ask questions, I'll kick it off. You people over there since we didn't expect you I may not see you because of this podium so send up a flare or a shout or throw something but this is a question and answer period. I'm gonna start with, I have a couple questions and you brought up something that I was gonna ask about and I was a little surprised. In the olden days sometimes it was hard to cooperate with some of the regional or local authorities like Port Authority of New York and New Jersey or NYPD. What's your, just to pick two. What's your strategy now for dealing with this? What's the reception you've gotten from the big ports from the guys you have to work with? How's that going? Yeah, Jim I'll go back even bigger than that. Two weeks ago I was in Oslo, Norway at a door shipping conference. We had the entire EU represented every major shipper. We had about 3,000 people and we talked about cyber as they asked me what do I see as an evolving trend on the seas and they oftentimes look to the US Coast Guard because many times we help set those standards that are then applied universally and globally and when I mentioned cyber there was silence in the room. Everyone put their iPhones down and I heard whispering among the CEOs to their staffs and saying what are we doing about cyber? So people realize that this isn't a chicken little, the sky is falling but this is first of all what are we doing to educate our workforce? And then second, what are we doing to grow the competencies within our workforce so that we can defend our network and have situational awareness of what's happening around us? So we're seeing that internationally and we're certainly seeing it at the port levels who have gone through great lengths to literally harden their defenses, their fences, the lighting, the cameras and everything. In fact, if there's a hole in the fence or someone sneaks onto that facility there is a requirement for them to notify the Coast Guard that there has been a security breach. The reason they notify us is that if there's more than one of these events it might be part of a coordinated attack. So the other piece we have to come to grips with is well this is now the invisible intrusion, the virtual intrusion as well. And sensitizing industry that it's in their best interest to work with us so we can elevate this to a higher level if this is part of a much broader coordinated attack against our infrastructure. So I would answer that question with one word, incentivize. Good, thank you. Let me do another one which is when you look over the last few years you've seen the other services experiment with organizational models, Navy merged intel and communications at one point they're all playing with different ways to organize for cyber security and cyber warfare. How are you thinking about that? What models did you look to? Who's experience did you draw on? We really drew on the Department of Defense that the US Cybercom model because cyber unlike many of our other operations we usually define them geographically. Well this is global. And so you have to have global awareness. And it really is it's an operating element but it's also a mission support element. So for the Coast Guard right now it fits most naturally with naturally within our what we call our J6 component of the Coast Guard which is not unlike where it fits within other organizations as well. How do you think the organization will evolve? There will be more people, more training. What's the mix of civilian versus uniformed? What are you thinking about for the future of this? Creating it on the fly overnight and it was much quicker for me to reprogram enlisted billets or just designate some of our enlisted and officers that had the aptitude that said you are now assigned to Coast Guard Cyber Command. And now that you're assigned there this is going to be your career path for four years to come. Certainly it lends itself to civilianization. It's an evolving trade craft if you will. And if anything on first impact every entity says I gotta have cyber. We need to be able to leverage partnerships before we go too far out and think we have to do it all ourselves. And so I look first of all in our department of Homeland Security how do we leverage that partnership within DOD? How do we leverage that partnership as well? So I'm looking at this as a very incremental approach as other entities build up their cyber capability and build upon those partnerships rather than trying to be all things to all people with a fairly lowly funded organization such as the US Coast Guard. We had Admiral Ruff had here a couple years ago and he was still CNO right at the end of his tenure. And he said that one of the things he ran into was a couple of the things you brought up. The first was creating a career path so that it wasn't, you know some guy was in the cyber unit and then he went to be a CIS admin on a ship. The other thing he ran into was maybe the people who would be attracted to cyber might not, and Mike you can correct me if I'm wrong here might not fit the normal Navy pattern and maybe you'd have to loosen up a little bit on some of the, you know like routine sea deployments and things like that. What have you found when you went to the workforce and told them, hey guess what? This is your career. Did they volunteer? Did you select them? How's that going? I would say they gravitated towards this. When I saw this as the big thing coming their way. As an opportunity. Their concern was, you know this would be the flavor of the week and that they had just driven down a dead end road from a queer standpoint. My biggest challenge is I look at these very bright young individuals. They are going to be subject to headhunters from across the enterprise. My sailor of the year in our Coast Guard headquarters grew up in the Ukraine. He's an E6 in the Coast Guard, hands down one of my top cyber operators right now. And I asked him, well what if I send you off to just be an information technician specialist? And he goes, well I have other offers, I really like what I'm doing and I get to use the best stuff, the absolute best stuff in the US government. So I'm going to keep this guy around. And the same thing, we have young lieutenants as well. They really have a passion for this, not just an aptitude but a no falling passion for it. And if you have those two combined then you've got all the winning ingredients for an A-class team. So I'm very optimistic in terms of the human resource capital we have. What do you think your biggest shortfall is? What would be the one thing if you had a magic wand you'd want to get? Well, I think any service chief would say we're flushing money and we haven't found a good way to allocate it all. No, you're thinking of the Air Force. Yeah, the reason I wanted this strategy is we need to build out a program of record. It's a human resource capital, there's architecture when you acquire new systems. You need to think about cyber when you're acquiring new systems and then you're fielding those. You need to look at those systems. Who else do they interoperate with? And if they interoperate with others outside your domain, what cyber safeguards do they have in place? So you start looking at this, it touches every aspect of what we do every day in the Coast Guard. Let me see if anyone out and we've got one right in front. Could you identify yourself and do me a favor, please keep your questions succinct, I know you will, but identify yourself succinct question and then I've got more, so. Sydney Freeper, breaking the fence. Are you recommending, at this point, the administration a package of legal authorities for cyber about notification and so forth, similar to what you already have, but this one's right, keep on making an analogy, but I haven't used exactly, because they outright the words, and this is our package, this is our plan, this is what we want Congress to enact ultimately. That's a great question, I'm glad you posed that because I just need awareness that a facility has a vulnerability. I don't even want to identify who that facility is. I clearly do not want Coast Guard officers and petty officers accessing those systems that may have personal identifiable information, financially sensitive information. I do not have a need to know, and they have a right to privacy in protecting that information, but if they are subjected to a coordinated attack, if you will, a hack that then threatens our national security, I need to have awareness of that. Now, when we report up, I have no need to report which facility is it that's under attack, and so nothing will disincentivize a for-profit entity of being named in public that now their systems are vulnerable. Look what happened to Target when they were named. So I'm very mindful of what the impact of that would be to shareholders as well. So anonymity is certainly a key component of that, which means I wouldn't need legislative authority, but really more operating policy of bringing that information forward. Okay. We've got one in the back and then one in the front, two in the front. Good afternoon, sir. Mo Smolskis currently with Blue Star Strategies, but during, I'm in the middle of my application process, yes. So heading back to New London hopefully. I'll see you right afterwards. And my question is, you talk a lot about the cyber hygiene piece and for those of us who may not be cyber people specifically, are there plans in place for the Coast Guard to enact trainings or other sorts of things to kind of push this idea along? Cause all of us are obviously using computers and everything and we'll be involved at some point. We need to do more with our training. So ironically, much of this training is online. So it really needs to be physical and our workforce needs to have an appreciation of what a compromise does, one in terms of the impact to our operations and then in real cost of what the real cost is of applying a patch because someone failed to exercise poor cyber hygiene. And so what's poor cyber hygiene? You plug in your iPhone into your server at work to recharge it. Well, you've just compromised that system, but we see that happen from time to time on a near daily basis. So clearly we have more work to do when it comes to training. Okay, we've got a couple up front. Jacob, why don't you grab the one on the back and then we'll... Thank you. Dianne Divas with Inside GNSS. We cover navigation. So my questions are navigation related. We've seen structured interference to the GPS signal and conflict zones, interference with US maritime facilities. Can you tell me please what the Coast Guard strategy, how it incorporates GPS and protection of the GPS signal and the mobile drilling platform that you mentioned, that the cyber incident. Was that related to navigation software or some element of navigation? That was related to a navigation system. And so right now, in some ways you have a single point of failure with the GPS signal. Commercially off the shelf, you can acquire a GPS jammer. It runs on a very low energy, a radius of maybe 30 feet. But you can compromise a GPS signal using these devices. We've seen this occur in law enforcement applications where an individual may think there was a transducer on their vessel and so they would try to jam that signal. So that is a vulnerability. It's that same GPS timing system that runs our financial sector as well. So when you start looking at resiliency and redundancy, there are some true vulnerabilities there. Going back to the Modu incident, many of our mobile offshore drilling units not just rely on GPS signals but they'll also put transducers on the sea floor. So it provides them at least a secondary backup should they have a disruption in the GPS signal. And how does it fit into your strategy? Is there a GPS or a protective element in the strategy? Yeah, ours is truly a strategy in the sense, the next piece is the many tentacles of how do you implement a strategy? But when you start looking at protecting infrastructure, critical infrastructure, single points of failure, that would certainly be a key area of focus. The GPS signal when it comes to protecting critical infrastructure. GPS is a key enabler. It affects navigation, affects financial sector, it affects a number of domains, the air domain as well when it comes to transportation. So GPS really does cut across the board. Ours looks just maritime, but clearly there's a need to take that to them, no pun intended, to a higher level. Hi, Steve Caldwell, former director of GAO for maritime security issues. Admiral, you mentioned the international nature of this. Obviously we know a lot of the global fleet is not US flagged, a lot of the world's biggest ports are not under your jurisdiction. You mentioned this Norway event where you spoke about cyber. And then I know recently the IMO, Maritime Safety Security Committee had met to discuss some of these issues. So I just wondered, will you think the trend is going in terms of say global acceptance or consensus that cyber is indeed part of the ISPIS code? Good question. Right now I don't see an appetite for bringing cyber into the ISPIS code. That being said, I see industry, as I said earlier, very incentivized in the absence of waiting for an international standard is to seek out what those standards are, working in many cases with the private sector to harden their cyber defenses and minimize their vulnerabilities. So this will probably be led by industry first and they're not looking at IMO, at least not currently, to incorporate cyber into the ISPIS codes. I'm gonna try a question, we can get somebody, we've got one in the front here, but while the mic's coming up. If you had to sort of prioritize, what problem do you see more pressing for you? Do you see the safety problems or do you see the law enforcement problems? I mean, you're gonna say both, but which one gets the most attention for you? Which one gives you the most heartburn? There is no one answer to all of that because it really does cut across every one of our mission sets. And so if I were to answer that, I would say, well, I would much rather arrest people than save lives. But I wanna do both. In fact, it's the same ships that are out there arresting people right now that I divert to go save lives. And then if there's a mass migration then I divert them to go do that. So this really cuts across every one of our mission sets and it just depends which one is the most critical at any given point in time. But this can compromise our ability to do what our Coast Guard does 24 by seven. Great, we had one in the front. Coming up, this is Lawrence Karoo from International Energy Partnership. Secretary, Navy Secretary Mavis is making a big push on energy for his ports. And I think aren't you involved in all that kind of stuff too? Exactly. Yeah, I mean, this is a big problem. It's a big opportunity as I see it right now in the energy sector. And we've actually incorporated this into our Western Hemisphere strategy because there's a big chunk of that talks about facilitating commerce. And as I mentioned, the LNG, the export potential that the US has right now by most estimate by the year 2020, the US will be a net exporter of energy. In the last year and a half, we reached that break-even point where we now produce more oil than we import, and that trend will increase. Now it's a very volatile industry and we understand as the price of oil comes down, there's less exploration as it comes back up, all of a sudden we're in another wave of exploration. But when I just look at the fracking, shale oil, the potential of that, at least for the next 30 years, if not longer. So I need to make sure that the Coast Guard is postured for this growth sector in the maritime industry that is gonna be very cyber dependent going forward. So all of these are interrelated. I thought the point you made about large, unfriendly nations heavily dependent on oil exports for their revenue, being potential opponents was particularly interesting. Hypothetical. Yeah. We have one over there. Zach Biggs with James. Admiral, you were talking about the process of building that force of 70 and how you looked for people with aptitude when it came to cyber and were able to move them around before building a broader program. What were you looking for when you're looking for that aptitude? I know there's been a lot of discussion of how do you find cyber talent? How do you identify it? What was the measure, the metrics that you were using to try to figure out who would be good in those roles? You know, that's another great question. In 1973, when I went to the Coast Guard Academy, I was issued a slide rule. And then a year later, pocket calculators came out. So I didn't have the right questions to ask. So I surround myself with the people that know how to ask those very same, smart questions. One of them sitting in the front row with me right now, we're Admiral Marshall Lytle. He's my chief information officer. So it's folks like him that I'm indebted to, not him, but he reaches down. And to be an effective Admiral, you've got to be able to connect at every level in your organization. And so I'm indebted to folks like Marshall that are able to take the pulse of our workforce and find this great talent that exists within our workforce. And then when it doesn't, how do I recruit it? And then how do I retain it? So I'm in the recruit-retain business right now, but we've pretty well defined what that skill set is. And then we were just fortunate that we already had that within our organization. We have a question up front, but why the microphone is coming up. Hold up your hand, please. While the mic is coming up, I used to know a four-star general who was the head of a combatant command. And he said something very similar to what you just said, which is he liked the ability that networks gave him to, and I'm gonna put words in his mouth, bypass the chain of command and go up and down the chain and talk to enlisted people and the whole bit. And in talking to the people between him and the enlisted ranks, they hated it. So how does that work in the Coast Guard? How's that changing your organizational culture if it's changing them at all? I've done everything I can to flatten it and to be transparent. So I have an outward-looking Facebook page, Instagram, Twitter, and so a number of our Coast Guard men and women follow me on Facebook. And I'm open to these very frank and open dialogues of what they're seeing in their world, because otherwise, that may be my blind spot. Otherwise, I'm the emperor with no clothes. So the good news is my workforce will call me out if I'm the emperor with no clothes. Kind of a frightening thought. It is. James Leitner, Academy Class of 61. So we were lucky to have slide rules also. I teach at Hawaii Community College. I'm wondering what the community colleges can do to be able to stimulate interest in cyber. It's especially attractive that they don't have to be rotated every two years. They're doing a lot. We have a number of centers of expertise, and that's the talent pool that I need to look at. I'm gonna be looking at them, excuse me, as are a number of others. This is clearly a growth industry for our young minds of today that thrive in this environment. So their growth potential, hiring potential is enormous. But I'll be waiting in line among others to bring those folks aboard. I think we had one in the front. Oh, no, we got one in the back. Yes, my name's Matt Campbell, I'm with IBM. Admiral, you do have an existing and ongoing intelligence life cycle, non-cyber, if you will. I'm curious to know if you view the cyber intelligence life cycle as in systems and groups that enable that as being a modification of your existing groups or something entirely different. It's really interwoven when I look at cyber and Intel. When I look at the systems that provide the archiving of information, more importantly, it's not the archiving. And that's kind of a dangerous term when you talk Intel because if it's archived, that means it's stovepiked. And then it's not shared across the interagency. Ironically, just before this meeting, I chaired the interdiction committee within the Office of the National Drug Control Policy where we look at how do we share information at the state, local, federal, tribal, international levels when it comes to combating transnational crime. And so cyber is a key enabler in doing this. We work very closely with the national intelligence community that have identified collaborative systems to be able to cross map much of this information, even our ability to share this with international partners. So the two are intricately woven. One is the information, but the second is the domain and the systems that provide that level of awareness. And that is the cyber domain that does it for us. On that note, so Coast Guard does collect intelligence and they have an intelligence mission. Where does the cyber strategy fit into that? Does it affect collection? Do you see the people you're working against using things like encryption? What's the environment for the other side that you have to deal with? Well, certainly it's going to be a much more challenging environment when you look at encrypted devices. But as a member of the national intelligence community, I use that case that I alluded to earlier. The fact that we can track down six ships right over an area of several hundred thousand miles and then vector aircraft and ships to interdict and then arrest and ultimately prosecute those individuals. All of that is enabled by intelligence. So cyber is the key enabler. Do our adversaries exercise good cyber hygiene? They'll look at this strategy as well and recognize they would look at that exact same model. We need to protect our cyber domain. We need it to enable our operations and we need to protect our critical infrastructure. So this template, if you will, for a strategy, yes, it applies if your private published sector. Unfortunately, it also applies if you're one of our adversaries as well. So you do not want to be found in the cyber domain. We had one in the front. Sydney Freeberg again. And well, one thing you've talked about is cyber hygiene, the importance of keeping people from doing dumb things that let bad things into the network. But when I talk to folks on the DOD side, I hear over and over again, you can't count on perimeter defense alone. You have to assume that someone will do something dumb or that someone bad will do something very smart and that the adversary will be in your network to some degree all the time. And the question is managing rather than preventing and being aware of your internal health of the system, not just saying, we will stop them all at the frontier. So to what degree is that kind of internal defense, active defense, layered defense part of your strategy and you're thinking with a relatively small number of people to do it with? The real challenge is you end up with single points of failure. You could have 99.9% compliance. And then one individual, look what a Snowden did to to our credibility in a level of that compromise. One individual, this is malicious. So those are the real challenges that you face. I mean, part of that's in our screening process of who you bring into your organization and who do you issue a cat card to that provides them unfettered access to our domain. So we need to think a little bit longer and smarter about how we do that. But the truth of the matter is this is an organizational failure, these are single points of failure. And I'm a relatively small service with 88,000 active civilian reserve and Coast Guard Auxiliary. But all it takes is one out of that 88,000 that can potentially harm our enterprise in a significant way. And that is a real challenge for all of us. Caroline Howard, sir, Coast Guard Auxiliary. I was wondering in regards to the strategic needs in the cyber domain, how you plan to stay abreast of rapidly innovating new technological developments that will render old ones and old plans obsolete. So innovation is a cornerstone of my vision for the Coast Guard. The fact is we've got a lot of people that embrace this new technology and they're in it as well. We need to think a little bit about how we develop the future of the Coast Guard. We do industry exchanges with the maritime industry, for example. So the industry we regulate, people spend a year in that community and then they come back to the Coast Guard. But we need to look at the same thing within Google, Intel, Excel, some of the others and look at doing professional development, exchanges, industry training with the industry so we can stay current with what's evolving in that industry as we're looking at best management practices, what better place to look at and then to be able to plug our folks to do internships within these organizations, recognizing their very mindful of their proprietary information. But I think that's the next step that we need to look at is how do we develop the next generation of Coast Guard because in years past, all the great ideas came from the military. The internet came from the military. Well, the IT world has flourished and some of the best minds are out there as they're looking at new applications. So I think it would be to our benefit as we look at how do we then do industry exchange with this very tech savvy industry that I'm still trying to fully comprehend. This is a little geeky so I apologize but I spent the morning with a bunch of CFOs from big companies and one of the things that they think about when they think about cybersecurity is mobile devices what we used to call BYOD bring your own device and this indicated it created what one of them called I think he was quoting Keith Alexander sort of an unprotected flank for their enterprise. So when you think about mobile devices do you let people use them? Can you stop people from using them? Where do they fit into what you're doing with this strategy? Well, certainly if you're working with anything that's classified in nature you check your device at the door and we're very attentive to checking those devices at the door. When I've been deployed on ships and we have information on a late breaking case we have the ability to shoot email off the ship but just like an electronic warfare you set emission controls so people can't transmit off the ship, can't email their significant other hey we're chasing down to go fast right now because I have no assurance that that information's just been compromised and we are constantly monitored in our transmissions and I get a weekly report and I see where that failure to exercise good cyber hygiene is lacking. The next step is seriously holding those members accountable. So I get red in the face. I said, you know, boy am I upset and then I cool off by the end of the week until the next report comes out on Monday and then it keeps my blood pressure high for the rest of the week but until we actually started looking at holding individuals accountable for what are really flagrant pages I think it'll be very difficult to change some of this behavior. When you say accountability, what do you mean? I love mobile devices. I was in an exercise where it was out in a desert area and we were able to see 10,000 cell phones move all in a coordinated fashion and that was a really useful hint as to what was going on. When you talk about accountability it's very hard to tell 10,000 people, hey turn off your cell phone, not impossible. What do you do when you say accountability? Do you go to the commanding officer? Do you go to the lower than that? How does it work? It really needs to be handled at field unit level. The commanding officer in all likelihood is not going to have awareness that a leak originated at their unit. It'll probably be at our cyber command or through others, NSA in particular that provide me a weekly report saying this unit divulged this information and then they pushed it into a non-secure internet provider. So first, our folks need to be aware of the fact that you will not do this. I can't hold somebody accountable if they're not aware of what the ground rules are. So the first piece of this is we need to lay out the ground rules and this gets back to the question back that we had earlier. I mean it really comes down to training and then retraining and if you're going to be operating on any one of our systems, there used to be recurrent training in there as well but I'm not convinced that doing online training and then passing the test at the end of the day provides you that full sense of appreciation of what would happen if you compromised that system. Okay. We've got time for one more. Well, we have time for three more if you're willing. We have time for four more and that's absolutely it. Okay. Go ahead in the front there. Hello, my name is Les Olson. I'm with Computer Sciences Corporation out of Falls Church, Virginia. My question is, have you heard of and do you plan to use the Navy cyber safe program? Have you heard of that? I'm looking at the person next to shaking his head vigorously up and down. Yes. So the answer is yes. Very much so. And so with that the cyber awakening for the Navy, I just want to, do you plan to use kind of that model that the Navy is looking to integrate for cyber security? All that good stuff though. Yes, nice. Love it. Thank you. Oh, your dinner. We got one over there and then we got a couple in the back and that will be it. Hi, my name is Darlene Schrader and I'm an intern for Congressman Will Hurd. I was viewing the OPM hearings earlier with the Homeland Security and I was wondering how efficient are your 70 person team at finding all the problems once there has been a hack that occurs because you can't have 100% hygiene when it comes to cyber security? We're good. We're very good at monitoring our systems. We certainly don't have the capacity to go out and monitor everybody's other. So I mean, this is very internally looking. First of all, looking at our systems. The next piece of this is going to be, what are those standards? Yeah, what are an independent research lab, best management practices that then we could then transmit to industry as not mandatory, but these are best management practices. We did something very similar with IMO when it came to piracy. It wasn't required, but if you had a privately armed security team on your ship, there's a good likelihood that pirates will never get on board that ship and the ships that carry these, there were over 200 attacks against those ships and guess what, not one pirate gained access. So if you do something very similar, what are those best management practices? And then how do we disseminate that to industry as well? But they're certainly very eager to hear what those are. Oh my goodness. Why does this always happen at the end? Why don't we get the two Jacob right by you? I will say that if you look at the, how the cyber security industry is changing, one of the things that will be different a year or two from now is that there will be much better technology for detecting intrusion threat activity, not based on signatures, finding the threats that are better hidden than what we've seen in the past. So this might be an area to watch. Go ahead. Admiral, very good remarks today. In December, the Coast Guard published in the Federal Register a call up for information from the industry in helping them prepare a cyber security standard. How was that going and what are the next steps? We've had two outreach events and with each one we've had an excess of 300 people show up. When you do, and this is not a notice, advanced notice of proposed rulemaking, but this is just bringing industry to the table to understand their concerns, but this is, again, a very lively area of discussion right now. So with that announcement, we hosted two meetings here in the DC area. We need to continue this outreach as well. We had one of these events just recently, a week ago in New York with the Aeromere Time Security Committee. We had 300 people show up for that as well. Do you have, we're at the witching hour. Do you have time for a couple more or? Can we take two more? Okay, well we got one there and one there and that's it. We got one over here for a while. I can't see him. Oh well we'll get him, that's all right. Admiral, we talked today about resiliency and you mentioned GPS as a single point of failure. How does the proposal that's out there to revamp the Loran sea sites into Enhanced Loran or A-Loran fit in? Are you looking at that in terms of your cyber strategy? How does that all fit in with what you're proposing, what you're talking about today? That would really be part of a national strategy because really some of the critical element of a Loran signal, which is very difficult to jam, is the timing system that comes with that Loran signal. Now we have intentionally kept several of those Loran transmitter sites in place in the event they needed to be reactivated. Technically we could have taken all of the transmitter sites including those antennas down. So we're looking at this but really not for Coast Guard but really as an instrument of national policy and certainly we would be an enabler but not something that would be uniquely Coast Guard owned as Loran sea chain was prior to it being taken down. We've got the, thank you for being patient. Thanks Admiral Z. I appreciate your unobstructed view from the bridge up there. Will Watson Maritime Security Council. We know that Coast Guard's got a very robust presence at the IMO and that you work closely with the international commercial maritime community and a lot of these kinds of programs but unfortunately that's a particularly slow process. Is the Coast Guard working directly with any of the major flag states, Panama, Liberia, Marshall Islands, et cetera that flag most of the vessels that call on US ports on these issues? Working, that is a work in progress and so that was my interest in going out to North shipping in Oslo last week. I will attend IMO this November in London to continue this dialogue as well and see if there is not interest in moving this into the ISPIS code but as you well appreciate, things don't move at the speed of light. So I look at industry, it is going to take this upon themselves and not necessarily wait to be regulated but this is really good self-regulation if you will to protect their financial interest. Another element and I think this may come into play at some point in time. Will you need cyber liability insurance? So if you're shipping from point A to point B and either the terminal is not accessible or your vessel has had a terminal disruption because of a cyber hack, that will be the next perhaps area to look at. Do you need cyber liability insurance? Something to think of as well. So if you start looking at financial incentives to do that, I think industry may take this on in advance of being provided best practices from high and low. Okay, last one, we had wine over there. Admiral, I'm John Wirtman. I'm the past chair of the Coalition of Geospatial Organizations. About a year ago, General Dempsey was over here at Brookings and he spoke about cyber security from a DOD-wide perspective. He was asked if he ever envisioned a scenario under which a conventional response might be needed for a cyber attack. How do you think about that in this new age of cyber warfare? I think it would be very difficult. I think for the reason that I alluded to earlier, because the ability to assign 100% attribution to an adversary short of a very overt attack from a state or non-state actor to say we are going to infiltrate your system. So that's, you know, in response to an attack. Clearly, if you look at what's happening within ISIL and their ability to exploit social media to recruit activists, a great concern, what is our ability to compromise that recruitment effort? So when I start looking at how cyber is being used in different applications, but if we're using it in an offensive capability in response to an attack against us, that 100% attribution may be a little bit difficult. The other piece to look at, and we have not thought this through, of what do you do about the ability of ISIL to do recruitment in social media, and they've been able to do so to great effect and to protect their identity in doing this as well. So I see this as a very challenging domain, especially if we're looking for a conventional response to a cyber event. Proceed with caution. Well, this has been a great session. Thank you so much for coming to CSIS. Okay. Thank you.