Well, welcome everyone. Let me introduce our two panelists that we're here with this afternoon. Sue Gordon is the Principal Deputy Director of National Intelligence. She got her undergraduate degree from Duke, where she played basketball for the Blue Devils. And my colleague David Goeckeler, Executive Vice President and General Manager at Cisco in charge of networking and security, has his undergraduate degrees in computer science from Missouri and from Illinois and his MBA from Columbia and Berkeley. So we're delighted to have them here.

The way we're going to run our panel is I've asked each of the panelists to make a five-minute opening statement, and then I'll ask a few questions, and then we'll throw the floor open for your questions. But let me first set the stage by talking about two things. We're going to focus on cyber attacks on energy infrastructure. We're not going to talk about cyber crime. We're not going to talk about blockchain or cryptocurrencies. We're not going to talk about Russian hacking in the midterms. We're going to focus on the energy infrastructure.

The second is what piece of the problem we're going to focus on, and this actually comes from a perspective that I gained when I served on a National Academy task force shortly after 9/11 focused on developing a research agenda to counter potential future terrorism events. Immediately that committee focused on catastrophic attacks. It determined quickly that in fact there wasn't a big way to address small acts of terrorism except through conventional law enforcement means; you had to focus on the big things. And it's the same thing here: we're going to focus on catastrophic attacks. What do we mean by that?
We mean a large-scale attack that does either sustained damage, taking out a major part of the grid or a power plant for a long period of time, or repeated attacks which create an ongoing extortion threat: the ability of an attacker to come in and repeatedly take down the grid. Imagine you're going to take down the grid at five o'clock every day for three months somewhere in the US. Well, that obviously creates a kind of threat to the US that could then be used to extract other concessions, whether monetary or otherwise. So we're going to focus on both of these kinds of attacks, and I'm going to start off by asking Sue to make a five-minute statement.

Good afternoon. Thanks for coming back in. Holy smokes, what a gorgeous day and what a gorgeous venue. John, I'm honored to be here. Dave, I'm honored to be in your presence. So what I thought I'd do is just a quick romp on foreign cyber threats, a little bit of the trend over the past five years, and then get directly to the energy sector, if that sounds all right. So I'm going to start with the good news and I'll try to end with good news, and I want you to keep this in your head, because in the middle of all this we're going to feel really awful about the circumstance in which we find ourselves. So the good news is I don't think we've ever been better positioned, with better knowledge of what adversaries are doing and the capabilities they have, than we are now. I think we have effectively convinced ourselves that this is a whole-of-country issue, not just a government issue and not just a private sector issue. I think we can be better partners, but I think the partnership is awfully good.

So, five years ago.
It feels like a minute. Here's what I would have said: most of the cyber attacks that we see are denial of service, or website defacement, or spear-phishing attacks. And even if I talked about the actors who were perpetrating it, I would say Russia is about the only one who has significant, broad-based technical capability, and it was very hard to see what they were doing. China was very broad; you know, quantity has its own quality, but it was mostly a quantitative issue focused at intellectual property and economics, and they were loud and noisy and kind of ham-handed about how they were doing it. And that was really about it. We saw some emergent capabilities, but that was really who was playing.

Fast forward to now. What we've seen is a remarkable advance in both the numbers of players, so those capabilities that five years ago were relegated to a few are now available to the most common cyber actors, criminals; everyone can do those things. And the state actors, with the resources behind them, have really morphed into significant technological capability and blended operations. And when I say blended operations, it's not just a cyber attack, but a human and cyber attack in combination. When we talk about the energy sector and where you want to get in order to produce real effects, that starts to become interesting to you.

The other thing that's happened is when we look at the intent of our adversaries. Again, just a minute ago it was about stealing information, mostly for some sort of intellectual property or technological advantage. And now what we see is multiple adversaries interested in, and able to, position themselves for the purpose of access, presence and pre-positioning for attack, and this is especially obvious in the energy sector. And you know why it is: put yourself in our adversaries' mind in terms of what you would want to do and why the energy sector is interesting.
It's because you want to put US decision-making to a test by holding our critical infrastructure at risk, in order to go over in our activities by the way you hold us at risk. And there is no sector that is more pervasive in its effect on everything from telecommunications to financial markets to medical to defense than the energy sector; all of those require it. So you can understand why this is an attractive target to our adversaries. Within a few years Russia and China will have the ability to conduct on-demand, localized disruption of service, including of control systems, in multiple sectors simultaneously. That's where they're going. And those other actors that I said were essentially non-players, Iran and North Korea: we already know that they too have aspiration and reach, affected by technological availability that allowed them to be players as well. So we know Iran has conducted attacks on the energy sector in Saudi Arabia, both in the government and the private sector, and North Korea we believe was responsible for the 2014 attack on a South Korean nuclear reactor. So not only are our main competitors, the great powers, advancing their capability, but many other states are getting to the point where they can conduct this kind of attack.

What's the good news? The good news is we've seen challenges like this before. There are things that we know we can do to be better. Partnership is the key: we need to share information more broadly. The US government needs to share the information that it has on the intent of our adversaries, not just the fact of their activity, because we need to make that available so that the providers in the energy sector can make decisions of their own. And the private sector needs to make more of the information that they have about what's happening to them available in a contextual framework, so that we can match those two things up. But it isn't just information sharing. The energy sector has some very old, non-resilient capabilities, so we almost have
to imagine an attack and think about what our response would be. And if that response is the ability to reconstitute, that's great. If our response is that we need to choose when those elements of the energy infrastructure get replaced and built in a more resilient way, that's the way we need to do it. So our adversaries are advancing at a rapid clip. The energy sector is an attractive target because of the reliance the US has on it, and that is their intent. Information sharing is key, as well as good computer hygiene, and I cannot stress this enough. You would be shocked how many people still don't do two-factor identification, don't patch their systems. And our adversaries may have sophisticated tools, but they don't need them if we don't protect ourselves. And there are things that we can do to counter this threat, because we have a history of countering threats. And so I'm actually hopeful about it because of our awareness of what's happening.

So I just want to pick up on one point immediately. You mentioned the possibility of simultaneous attacks, which potentially could come not only against one sector; it could come against energy and transportation or some other sector. Do you really think there's sufficient capability to coordinate those among our adversaries?

I think the interesting thing is what we're seeing in terms of, you know, so you imagine an attack vector. So you do some sort of attack, even spear-phishing, that allows you to get credentials, and once you have credentials your activity is basically transparent. It allows an adversary to pre-position themselves, and once you have that pre-positioning, you basically have it. Now, do I think it's easy to achieve a massive-scale attack? No, I do not. Do I think weather is a bigger problem for the energy sector, and overcoming weather effects? I do. But if you look at the trend there, do I believe that they will get there if we don't partner to have better views about how to protect ourselves?
Yeah, I think they will.

I mean, you could imagine a nightmare scenario, right? You take down the power grid to New York City, and at the same time you launch perhaps a conventional terrorist attack of some sort using explosive weapons or something. But I think that's a great description of it.

It is really hard to achieve predictive effects through cyber. I mean, that's what it is. It is really hard to achieve predictive effects, in part because it's hard to know exactly how the system was designed, right, to know exactly what the coupling will be. So the potential to do big things is limited to people who have big programs. The potential to have disruptive effects is probably more broadly placed.

Great. David.

Thank you, John. And it is really great to be here to talk about this, and I think that was a great overview of kind of what this situation is. Let me pick up a little bit on where you ended, which is what are we doing? Like, how do we defend ourselves? Right, so I lead the networking business at Cisco. I think most people know us as a very, very large networking company, and building networks is kind of the backbone of this. Like, once we interconnected the world, now our adversaries are taking advantage of that to go places where they can get to through these big interconnected networks. I also lead our cybersecurity business, and one thing a lot of people don't know about Cisco is we are also the world's largest cybersecurity company. These two technologies have kind of been hand-in-hand at some level. It is interesting to me that the networking industry grew up first and then we started thinking about network security. And so, you know, all of these issues of once you get in a network, are you transparent? We're starting to think about all of these questions, and security being something of: how do we integrate these two technologies together to give us a much better chance of defending ourselves?
And what I would say is over the last several years we've been making significant progress on this. I think, you know, this is a very, very difficult problem. Anybody that's been in the cybersecurity industry for any amount of time, like you said, at some point you get very fearful about what's happening and the amount of attacking that's going on out there. Just as an example, across our global franchise we block 20 billion attacks, or threats, a day, just to give you a sense of the scale. But we really are now making progress on how do we integrate cybersecurity defenses directly into the fabrics of the networks we're building, that give us a better chance to constrain the operational space of our adversaries when they're in these networks, and give us a better opportunity to find them once they're in there. And so there's a lot of work going on in that space that I think is very interesting to talk about, and I look forward to it.

David, one thing I'd like you to just comment on right now is to talk about some of the work you're doing in using machine learning as a way to detect cyber attacks, because I think in the aftermath of yesterday's discussion about AI and ML it would be interesting.

So I think there's two important aspects to that. So first of all, we run a very large global estate that is constantly sending back telemetry of what's happening in the world, terabytes of data, hundreds of terabytes of data, to a central group that we have, a group of about 300 people that collaborate all throughout the industry. But they basically spend all their time applying machine and human intelligence to all of that data to understand where the threat actors are in the world. And then they're constantly...

So you're using machine learning to analyze just enormous amounts of data, what's happening in the world?
I think we're seeing something like 600 billion emails a day just across our franchise, hundreds of billions of web searches, all kinds of data that's coming back, and you're looking at that to understand, okay, where are the threat actors? Where are the places that people shouldn't go? That's all a very large machine learning infrastructure. And then we constantly push policy, our rules, back down into the global infrastructure that basically says block this website, don't open that email, all the kinds of things to protect users. That's one aspect of machine learning.

And John, as you know, one of the things we're doing now, which I think is a very interesting avenue as well, is we're using machine learning to understand what's happening inside your network. So we're collecting all of the data that's going on in your network and we're basically establishing, through machine learning, what is the normal state of your network, so that then we can figure out what is abnormally happening in your network. And it's that abnormal activity that can be the adversary, which then gives you an opportunity to go figure out: hey, there's something abnormal happening in my network, I need to go investigate that. And so all these are kind of more modern techniques we're using. We're using those same kind of techniques to understand... we can look at the behavior of even encrypted traffic and figure out that there's malware in encrypted traffic without decrypting it, because we understand the behavior of the traffic in your networks. There's a lot of very advanced techniques that have just been developed in the last several years about how we can use all of this data science inside networking to help us with this cybersecurity problem. And this is one of the things that needs to come into the energy sector, where you tend to have more operational networks, more unmanaged networks. We need to build those networks in ways
we can use all of these advanced techniques.

Okay, I'd like to talk something about methods here, because we have a wide range of different attack types. All right, you have zero-day, kind of the Stuxnet attack that destroyed the Iranian centrifuges. You could imagine such an attack potentially on the energy infrastructure which caused a power plant to fail. You've also got the problem that you have these old SCADA control systems which, despite attempts to innovate them, are still not built on what I would call perfectly modern, high-security methodology. We've also got equipment that's been in the field for a long period of time, and this makes the energy infrastructure quite a bit different. How do you see those attacks playing out? Where are the particular vulnerabilities that we have in the energy sector?

So I'll start and then you make it right. No, that's the advantage of going first; it's like playing golf, you can just go crazy. So I think you said it about right. So the first is just straight attack of the networks, everything from the business systems all the way into the actual control of the equipment with the control systems, where you change the ability of someone else to control it. All right, so that's just manipulation. Move to the other place that you said, which is when you get in to be able to control equipment, so you can take a cyber attack and create a physical effect. That was the kind of Stuxnet... that's a pretty sophisticated move to be able to do that. So those are the two that you're really looking at. There are many things that can be done on each in order to protect them.
I mentioned just cyber hygiene: anything that's outward-facing. And John, you mentioned it. Information systems we are getting awfully good at protecting; operational systems tend to be a little older, a little more functional, a little more purpose-built for the operation, not for the protection of information. And so making sure that all those systems have the most modern protection I think is almost one of the first steps to be able to keep that from happening. The second one is I cannot stress the importance of the humans involved in all these organizations. You know, we have done, as a collective, a pretty good job of learning to protect the electronic paths into our systems, but our humans are still vulnerable. And so making sure that workforces are aware of the threats, that we work on their behaviors to make sure that they are, and that they have a constant look at insider threats who could provide the kind of information that takes something difficult to do and makes it something easy to do. And when I say blended operations, that's what I mean: a combination of a technical attack and a human attack. And so one of the surfaces you have to protect are your humans in those systems.

I mean, I think that's right on the money. I mean, I think you have to start... you said earlier what people are trying to do is get credentials so they can get inside the system, and once you're inside the system, you're inside the system, and then you can kind of figure out the lay of the land, understand how the network is built, understand where the control systems are. So how do you get in the system?
You attack the people that are operating the system. You try and get their credentials. And I can tell you there's one very, very interesting thing about the cybersecurity space: it is this whole concept of you have an adversary. So you have somebody across the table from you, you know, if you're on the defending side. It's a constant cat-and-mouse game. So anything you do to defend yourself, you have a human on the other side that has a profit, an ego, a political motive to defeat you, and then they're going to go to work to defeat you, and then you have to find a different way to defend yourself. So the number of different ways and the amount of creativity in the attacks is just incredible. You know, how can I basically deceive you, or social engineer you, in a way that I can get your credentials? Can I send you to a website where you view some advertising that you click on, and once you click on it now you're owned? Can I send you a spear-phishing email? There's just tons of different ways that I can try and deceive you to get ownership of your system. So I think that's at the top of the hierarchy of the ways to protect: how do I educate the people? How do I put systems in place so that I can decrease the probability that their credentials are going to get to somebody else?

And then, as you said, John, you've got all kinds of other attacks: denial of service attacks, where you're attacking the infrastructure itself. I'm going to send so much traffic to this infrastructure it can't respond. Or I'm going to exploit vulnerabilities, software bugs. You know, the whole world is driven by software; software has defects in it. If I can figure out a defect that changes the behavior of a software system and nobody else knows about it,
that's a zero-day. So I can then basically trigger something to happen in that software stack that causes a different behavior, and of course those are very, very valuable, and you will see very sophisticated actors will save their zero-day attacks for high-value situations. They won't just use them up for anything. And then there's, you know, even more sophisticated attacks: supply chain attacks. So you use certain software in your enterprise; if I can attack the supplier that you then walk in and use as a system, I can get in that way. Most software, most software-based products that are built in the world today, are a conglomeration of a lot of different pieces of software, whether it's open source or third-party vendors. If I can compromise one of those pieces of software that then gets built into a product that walks into your organization, I can attack that way. So there's like a myriad of attacks. And then you got to the point of the actual physical device itself. If it's something that's in the field a long time, you know, is it running the most modern software? Can you update it? And so you get the ability to actually go after the physical device itself.

So I think this point about human behavior is really an insightful one, because so many attacks begin with some sort of phishing kind of attack, or a human individual can overcome even what you might think was the ideal security, right? I mean, in the centrifuge case, that's an operational system; there was an air gap between that and the rest of the system. But of course an operator walked up and plugged an infected USB key into the operational system, and then it's infected.

Right, right. And as long as we have humans in the way... So here's a survey I always like to take any time I talk about cybersecurity. How many people have a different password on every single account they have?
Okay, that's pretty good. How many have at least 12 letters and numbers in them? How many use two-factor for everything? Oh, we're getting there. Okay. See, this is more knowledgeable than most. Just to show John that the phishing attacks work.

Phishing attacks work. Okay, I mean, the big attack we had at Stanford started with a phishing attack, and the problem you have in an environment like this one is every year you have 3,000 people walk on campus with their computers, many of which are already infected, right? So you have a natural walk-in at this. And they've gotten so sophisticated that they're coming from your colleagues.

Absolutely, of course. They're very good. They're very good. Sue made this comment earlier that we've gotten good at parts of the technology stack. I mean, three, four years ago browser-based attacks were the way that people got credentials. A lot of that technology has gotten hardened; the software has gotten much better, and it's forced it back now to email overwhelmingly being the primary attack vector. The initial attack vector is email.
So be careful what you click on, right?

So talk some about denial of service, because obviously a very strong denial of service attack that could actually cross into the operational infrastructure would have a significant impact on this. And denial of service is a hard thing. It's a really hard thing to stop, because it can come from a plethora of different sources.

So one of the things that we've seen in terms of protecting against denial of service is you're pushing your defenses further and further out. So what's happening is it's happening to a service that is further out from your networks, right? And so it's denying a gateway, but it's not denying your service, and so you can very quickly recover to a different path into your service. So I think that's one of the most effective things that we've seen against denial of service: pushing away the defense so that you have more paths in if that gateway service...

Yeah, I think we're seeing, you know, the scope of the denial of service attacks just keeps going up. I mean, I think they're now over a terabit, the largest denial of service attacks. You know, it's hard to defend against that much traffic coming at you. But we're seeing another interesting thing, John, in denial of service attacks, which is this concept of the edge of the network is becoming much smarter. So there's a lot more devices on the network. You know, it might be surprising to everybody to think about how many devices in your home are connected to the network. I mean, most people think, oh, there's four or five.
There's my laptop, my phone. But there's your speakers, televisions, cameras, thermostats; like, there's tons of stuff. And what we're starting to see now is denial of service attacks where the adversaries are taking over those devices and basically just using them as sources to send attacks. So now you may be getting, you know, we see these botnets of hundreds of thousands of devices that can be turned on to one point, and it's very difficult then to understand where the traffic is coming from; it's not coming from all one source. So lots of innovation across all the different ways to attack, and ransomware continues to be...

Yeah, ransomware continues to be an approach. We saw the WannaCry from North Korea. We've seen ransomware attacks on municipal energy providers. So ransomware, you know, not only hospitals, not only businesses, but we've seen it go all the way. So ransomware continues to be an approach that our adversaries are using.

So Sue, you touched on the fact that you foresee attackers getting in and waiting for the right moment. So two questions come up. One is detection, right, and the other is forensics. How do you clean out the system? I mean, when we had a massive attack ten years ago at the University, we actually had to take all our email systems offline for 24 hours, shut them down, clean out all the outgoing queues, because they were using our queues to launch digital attacks. Now, if PG&E tells everybody in California they're gonna go offline for 24 hours, we'll have another kind of problem.

Yeah, you've done the work of the attacker.

Yeah, you've done the work of the attacker, right? Yeah. So what about this detection and response issue?
I'll let you go first. You know, I think detection can only be described as painfully slow, and making progress on detection... I mean, you know, there's lots of industry numbers out there, somewhere between a hundred to two hundred days to detect that somebody's in your infrastructure. A lot of the detection comes from third parties or law enforcement agencies; it's not people figuring out they have the problem themselves. You know, part of this is pretty clear: have a plan, before you connect anything, of what you're gonna do. You know, do the planning, do the tabletop exercise. How are we going to respond? Don't wait until you have an issue to figure out how we're gonna respond. I think there's a big part of this that Sue and I were talking about earlier: you've got to spend time with people that are in the cybersecurity industry. You've got to have relationships with people behind the scenes that understand the threat environment. It can help you. If you don't have people that can help you, bad things, really bad things, happen.

But some of this, John, goes to we've got to really start building networks differently so that we can constrain the impact. I mean, basic IP networking is build a big flat network, and once you access the network you can go wherever you want. That's the whole concept. That's what led to the huge productivity gains of connecting everything. Well, you know, that turns out to be a problem if you're an adversary and you stole credentials and now you're on the inside, and if the network is a big flat network, I can go wherever I want. That's the big problem we need to deal with: how do you prevent this lateral movement? And how do you prevent hopping from one part of the network to a different part of the network to a different part of the network? And these are some of the techniques
I think that we are now automating in networks, things like segmentation: you have credentials for a certain swim lane in the network, and that's all you get. So if, you know, the lighting in this auditorium is connected to the IP network that's in here, we're going to segment that so that nothing can talk to the lighting and the lighting can't talk to anything else. And so if that becomes the attack vector, then the adversary is on the inside of the network and they can't go wherever they want. And I think for the energy sector, as they do start to connect everything, and we do go to a smart grid, and we do start to IP-enable this whole infrastructure, we need to make sure we're thinking about the most sophisticated techniques of building those networks to give yourself the best chance of constraining the operational space of the attacker, figuring out how to find them once they're on the inside, and once you've found them, having some kind of automated response of what you do to contain their damage.

So I think there's some other things that we're doing from a governmental level. The first is this is a continuous fight, for lack of a better term. It isn't sitting back waiting for an attacker to come and then responding to the attacker. I think what the government has recognized is that we need to be constantly understanding where the threats are coming from, being able to technically identify them, and then very quickly respond to them before they actually achieve their effect.
So that's, if you want to know what the intelligence community does, we spend a great deal of time trying to understand that. The second thing is this conversation. Here you have the intelligence community sitting and talking out loud about the threats that we see, and one of them is because in an open society like ours, knowledge is useful. We're doing a much better job from a US government perspective about being very articulate about what we think behavioral norms are and what is acceptable or not, whether that's theft of intellectual property for economic gain or whether that is what we consider a red line would be in terms of physical activity against our energy sector. So what you're seeing in our competitors and adversaries is holding below the line that they think would elicit massive response. And in that time that they're holding below that line, I think we have the opportunity to do exactly what Dave says. It's just preparing that way, but it isn't a static thing. Good offense will beat good defense unless good defense is continually imagining what the next offense will be and designing itself better. So we're just in a perpetual dance that will require us to be pretty vigilant.

So can we get sufficient firewalls and boundaries between the larger IT infrastructure and the back end? Or do we really need to say, look, there should be an air gap between them, because we can't guarantee that somebody won't cross that boundary?

So I'll speak and then you talk about real design. So, gosh, I love air gaps.
We've seen too many of our adversaries work and how clever they are, and anything that is outward, in a net, open-facing, there's a path to it. And I don't like that, but there is business that must be conducted. And so there will always be things that have to be connected, and so I don't think the moat approach is going to be sufficient, given the way we need to move information and to affect energy distribution. So I think it's going to turn out to be smart design of our systems in order to give us the best chance, rather than just being able to rely on air gaps, even though I love them.

You must love them. But in an adaptive energy grid, I can't imagine that we can go to the moat solution and air gaps.

No, I don't think... it's hard to say you can control the demand side of the march of technology. Right, right. I mean, people want, you know, I'm not an expert on the energy industry, but people want cars at home; they have electric cars, they have, you know, solar panels on their roof; the grid's becoming two-way. You're not just going to say "well..." And as soon as you start doing all that stuff you have to push a communications network out all the way to the edge. So at that point you've got the problem. But I will say, John, that I do think this is the area where I'm hopeful: we are fundamentally changing the way we build networking technology, where, you know, when it gets down to its most basic form you have internet protocol packets, they're flying along wires, and we are now figuring out ways to tag every single packet so we know what privilege it has, and then we can enforce that in the hardware of the networking device. So we can implement segmentation without it having to be air-gapped. So these are some of the techniques now that we're building into networks that, if we can get them deployed broadly... there, you know, nothing is foolproof in the security industry, because, exactly what Sue said, you have this adversary. They're gonna figure out a way around
it But you give yourself a better chance to be successful you slow down the other side you make the cost higher That's what we're constantly trying to do you know in baseball if you got four strikes five strikes six strikes before you were out Your batting average would go up and that's what we're trying to do Okay, you wake up tomorrow There's a major breakthrough in quantum computing the guys in the Valley have built a 2000 qubit 2000 real reliable logical qubits real cute. Yeah can now factor large integers in short amounts of time and RSA which is our primary encryption technology is all of a sudden vulnerable How long is it going to take to fix this problem and and is there a good? Is there a better solution to get us there faster and the whole energy sector then Among others the whole IT sector So far if I were glib I would say that's the race that we have to win. Yeah, that's right, right that that's exactly what I was going to say And and then if it's someone in Silicon Valley that solves their problem, I would like them to remember The United States call you first But I think that's right now There are all sorts of things that are being imagined right now in terms of quantum resistant encryption and so and so you know in the great glorious way of of our Industrial base none of us put all our eggs in one basket And so you do see quantum resistant encryption coming alive and you imagine those techniques it will allow us Should we lose that and should that become manifest that we will still have the way I Just think that's exactly it I mean the good news is people are thinking about the problem now right there's a lot of very very advanced You know people that think about cryptography and how are we doing privacy on the internet? They realize that hey the quant you know quantum computers are real. 
I mean they're not thousands of qubits yet And that's gonna take a while, but we need to start thinking about this problem now And you know they're decomposing the problem is where is the problem? Is it the key itself? Is it the storage of the key? Is it the exchange of the keys? And I think looking at the whole system and seeing what what part can be defeated by quantum And so there's a fair amount of work starting up on that which is promising good, okay last question Silver one magic one time if you could do one thing To improve the cyber security of our energy infrastructure Systems, what would you do go first? She says I Would make sure as we start to interconnect all of these systems because we do have to interconnect them We're using the absolute most advanced modern techniques of how to do that which will give us the best chance and Have some defenses built in I would have the private sector and the government continue to share the best wisdom that we each have and Then we've got it Good good good answers. Thank you all and please join me in thanking our panelists Oh George has a question Rock on yeah rock on yeah hitting back hard at the at the people who tried to hit us That's what I was alluding to I think by setting these norms by establishing the ability to fight continuously before it's here I think we're on that path. Yeah Thank you. Thank you
