with the green light on so that folks watching online can hear what you have to say. First off, to introduce myself, my name is Ian Wallace. I'm the director of the Cybersecurity Initiative here at New America. The Cybersecurity Initiative here is now getting on for four years old. We're supported by a number of funders, particularly the Hewlett Foundation, and the partnership with Florida International University, who we work with on a number of different sort of cybersecurity issues, and they're very pleased to do so. There are many things that I'm proud of in relation to our initiative, but three of them in particular: focusing on topics that other people are not focused on, our fellows program, and our partnerships with other organizations. And this topic brings together all three of those strands very nicely. As we will discuss, I think city cybersecurity is an emerging issue, but it's one that probably hasn't had the attention that it deserves, and part of this exercise is to draw a little bit of that attention and expose some of the work that particularly Natasha Cohen, who you'll meet shortly, has been doing in researching how the policy issues around this topic are evolving. Natasha is herself one of our cybersecurity fellows, and it's testament to that program that we're able to do this work, which also includes other fellows, including Brian Nussbaum at the State University of New York in Albany and Emefa Addo Agawu, who's now based in Oxford but previously was working for us on state and local issues. But the panel we have, and partnerships, I should say we're doing this event in partnership with the National Governors Association, and they're very pleased to do so. So to introduce a fantastic panel: I'm gonna talk to them briefly, ask them a few questions, have a moderated discussion, and then open this up to questions from the floor. The panel we have to discuss this cover a range of different perspectives, and I think we'll get a pretty rich sense of what the issues are.
Sitting immediately next to me we have Jacob Finn, who is the policy manager for Mayor Garcetti in Los Angeles, covering his cybersecurity portfolio, and LA is one of the cities that's been particularly active on cybersecurity, and we'll hear a little bit more of that and what it might mean for others. Sitting next to Jacob we have Karen Jackson, who now runs her own firm, Apogee Strategy Partners, but until recently was the Secretary of Technology for the Commonwealth of Virginia and has done quite a lot of pioneering work in how states interact with cities and, more generally, how cybersecurity works outside of the federal government. Sitting next to her we have our colleague and collaborator Michael Garcia, who is the National Governors Association's liaison on these cybersecurity issues with governors' offices across the US, and certainly in the last couple of years has been leading a pretty active effort on behalf of the National Governors Association to get cyber policy discussed outside of the Beltway. And finally, as I mentioned earlier, we have Natasha Cohen, my colleague here at New America, who leads our state and local cybersecurity work, currently focused on a paper looking at cybersecurity and particularly incident response at the city level. She has a background in the private sector and various other policy related jobs, so brings a great deal of additional knowledge to this. So as I say, I'm gonna kick this off with a question to each panelist and then we're gonna go into a moderated discussion. I remind you that this event's being live streamed, so be careful what you say when we get to the Q&A, and if anyone is interested in following this through Twitter, the New America Twitter account is @NewAmCyber and will occasionally be capturing our great thoughts for the Twitterati. So Jacob, actually Natasha, I'm gonna come to you first.
Why is this an important discussion, and why do we think it's important to bring together people from different governments, different perspectives, to weigh in on the cybersecurity of cities?
Thanks Ian, and also thank you to the panelists for coming here to join us. Talked to each one of you before and really value, you know, your expertise, so I think it's gonna be a great discussion. And, you know, the importance of cities I think lies in the element that cities are our form of government that are closest to the citizens. These are the governments that are providing services directly to the citizens day to day. So there's a real emphasis on resilience and rapid recovery, and a look at cybersecurity less from a wall perspective and more from a service provider perspective. There's also the fundamental aspect of citizen cybersecurity, and I think we're starting to see that percolate through, whether that's federal government, state government, but city government really, that's the core of it. How do we provide a secure environment for our citizens, both for what they do on the internet, what they do on their devices, services that are provided to them, and ensure that they are provided without an interruption? And then I think the last point that I want to just draw to you on this is the range of maturity of cities, because cities can be, you know, a small, small city where the resources may be pretty strapped, and they can also have medium, large sized cities that also have resourcing issues but have a very wide range of expertise of base and sometimes function more like a state, which, you know, discussion that we were having earlier, where some of the larger cities are in fact larger than many of the states.
And so I think for that reason it's important to bring in the expertise of folks that work at the state level and, you know, not only for how states work with cities directly but how large government organizations can manage these kind of initiatives at the locals, you know, for some federal level government. So with that, Ian, I'll turn it back over to you.
Fantastic. Well, the obvious place to start when you're having a conversation about cities would seem to be someone who actually works in a city. So Jacob, LA has been a sort of pioneer in this space and, you know, to pick up Natasha's theme, LA is bigger than some countries and certainly has a great deal of complexity. Can you just give us a sense of what you've been doing in LA and, to the extent that there can be lessons, what lessons that might offer to other cities who are beginning to grapple with the cybersecurity challenge?
Well, first, thank you very much to New America for having us. Mayor Garcetti asked me to send his best wishes to everyone here. Mayor Garcetti came into office in 2013, and the second executive directive that he signed, basically akin to a presidential order, is that cybersecurity be a public function of city government. So whereas our constituents pay taxes for their fire services, police services, EMS, cybersecurity is also something that they should be receiving as a public function of government. That's what the executive directive, the theme of it, was. What the executive directive ordered was collaboration among city departments dealing with cybersecurity. I'll tell you, today we have about 41 or 42 city departments, maybe 40,000 employees who handle endpoints, have a computer or email, phone in some way, and basically the 41 departments are split as follows. About 39 departments fall under our city's Information Technology Agency, under the networks of the ITA, and then we have three proprietary departments, departments that bring in their own revenue and sources.
Department of Water and Power, Los Angeles World Airport (so that includes LAX and Burbank), and then the Port of Los Angeles. And what was happening before this executive directive is that each of these four entities were managing their own cybersecurity programs. In a way the information sharing was siloed. When Department of Water and Power, for example, saw a threat, an indicator on one of their networks, they would handle it accordingly, but they wouldn't notify the airport or the port or any of the other of Los Angeles's agencies. So there wasn't that communication, and what this executive directive did was it created an intergovernmental body for information sharing or situational awareness and threat intelligence. I could go on a little bit more. Basically, through a grant that the city received, Urban Area Security Initiative grants, we were able to build up an integrated security operations center, one that would.
And that grant was from where?
Sorry?
That grant was from where? Who provided the grants?
The Cyber Intrusion Command Center, which was the intergovernmental body. Actually, if you don't mind, maybe I'll read a couple lines from the executive directive that I think capture the purpose and what Mayor Garcetti was going for. So what the Cyber Intrusion Command Center is: all city departments, including proprietary departments, will participate in a collaborative effort known as the Cyber Intrusion Command Center, and it shall consist of all city departments led by the Office of the Mayor and shall incorporate assistance from the FBI, the US Secret Service, the Department of Homeland Security. The cybersecurity goals of this group are to facilitate the identification and remediation of cyber threats, to ensure incidents are quickly and efficiently responded to, to ensure awareness of best practices, to provide uniform governance across the city, etc.
Sponsor independent security assessments, and it is required that every single government entity in Los Angeles contribute to this effort. It's not allowed that any, if a government, if an entity in our city knows something related to cyber threat, that they keep it from the CICC, and that working body was what led to the development of our integrated security operations center.
There's a lot that I'm sure we will pick up, some threads which, or some others will pick up some of those threads, but just for now I want to go and bring in some of the panelists. I'm going to come first to you, Michael. The NGA has been very active in cybersecurity in the last few years and, to state the obvious, many people who live in states live in cities, and therefore governors have a real interest in city level cybersecurity. Can you just give us a, you also personally get an opportunity to travel around the country and see some of this, and can you just give a sort of NGA perspective on what you're seeing around the country as mayors and others get to grips with their cybersecurity challenges?
Yeah, no, thank you, and first off, you know, really look forward to this conversation. I think I really want to kind of dig into what you're getting at. So I'm a senior policy analyst at NGA, and just for a quick background for those of you who are unfamiliar with NGA, we're really two organizations in one, so we have our Office of Government Relations, which advocates on behalf of governors to the administration, Congress and the federal agencies, if you will. And I sit within the Center for Best Practices, which is really a mix between a think tank and consulting agency, where we go visit state officials to help them with policy issues that they're having. So we have five divisions within NGA: health, education, economic opportunity, which is really workforce development, energy, environment and transportation, it's all one division, and my division is Homeland Security and Public Safety.
So in my division I focus on cybersecurity among our issues, but I'm privileged enough to go to states and work with folks like Karen to help them out with cybersecurity challenges of the day. So I get to meet with state chief information officers, state chief security officers, adjutant generals, Homeland Security advisors, folks like that who touch on security, which nowadays is really everyone. The NGA's approach that we take is really a whole state, whole government, really a whole ecosystem approach. You'll notice that I really didn't mention any local representatives or agencies, and that's for a purpose. Really what we've seen, and I can really only speak to since I've been there, I've been there now for about three and a half years. States are really primarily focused with really getting their own house in order: developing cybersecurity strategies, developing statewide incident response plans, and really, and I think key and foremost, is governance. I'm sure Karen talked about this, but a lot of states were forming cybersecurity committees, task forces, things of that nature, just to get a grasp of what they can do, and this isn't to say they weren't thinking about locals. They're actually really concerned about locals, and the thing that, whenever I ask them how are you engaging locals, is that, well, we don't even know where to begin. There's not enough capacity, and I think the key word of this conversation is capacity, and really it's workforce development. I personally believe that workforce development is the key crux main challenge that we'll have in the near term, medium term and long term when it comes to cybersecurity, but as a result you see some states are doing some really innovative things when it comes to reaching out to locals and trying to engage them. I'll touch on four very briefly and then we can kind of delve into any of them that you all are really interested in.
So first off, in Michigan they created the Cyber Civilian Corps, which is really akin to a volunteer fire department for cybersecurity. So basically they have 50 private individuals who are information security professionals who have been vetted by the state of Michigan, and they're deployed all throughout Michigan and could be activated when the governor declares a state of emergency, and they can assist a local entity, a private entity, academia, so on and so forth. I do not know if they've been activated, so I can't really answer that question, but I can, here we go, but I can definitely, we can talk more about that if you guys are interested. Secondly, we're working very closely with Indiana right now through a project that we call a policy academy, which basically, we're working a year long initiative with them to help them with a particular issue. What they're really interested in is creating a risk assessment tool for locals, specifically really small estates, not necessarily LA size, but those counties where the IT security person is just literally one person and that's just 25% of their job. So how do you assist those individuals just grappling what's on their network, how they assess the threat, and then what they can do to mitigate that threat. So that's one thing that they're developing, and hopefully they'll be wanting to share that widely with the rest of their state counterparts, and I know a lot of them will be very interested in that. Thirdly, and it's one that I think is really interesting, is that Missouri, in partnership with University of Michigan, is working on a public vulnerability disclosure program, and they're using open source code to identify known vulnerabilities within locals, academia and private sector, and basically reaching out to those individuals and saying, hey, by the way, you have this known vulnerability, you should probably patch it up.
Now they're not actually going out and patching that known vulnerability, but they're starting that conversation and forging those relationships, and on the website they have a lot more information on it, and we can kind of talk about that as well. And last but not least, and on this note, it's just plain information sharing. You see a lot of states who are creating integration centers, which are really ISAOs, where the state is reaching out to locals, locals reaching out to the state, and just sharing their information and other forms of information. I know California has the Cal-CSIC that Governor Brown signed an executive order for back in the 2015-2016 timeframe, and I know that's really a good way that states have been using to really start forging those partnerships with their locals. So a lot of interesting things going on at the state level reaching out to locals, and I really think that having that partnership is pretty key and crucial when it comes to this.
We can delve into each one of those, and we probably will do in a moment, but since we have Karen here, who can speak to actually doing this, particularly doing it under an administration that's been heavily focused on cybersecurity, as I'm sure she'll tell us: what lessons did you draw from your time in Virginia about the way in which states can enable cities to be more effective in supporting that cybersecurity, and not just in Virginia but around the country? What are the things that you saw that deserve more attention and potentially more resources?
Thanks for having me here. Obviously I'm going to echo what the other two panelists have said. I think just from a starting point it's obvious how confusing this landscape is. You got ISAOs and ISACs, and you got city led initiatives and state led initiatives and federal led initiatives, and just trying to sort through the who, the what, the where and the how can be immensely confusing.
We've had a lot of conversations recently about election security at the federal level, the state level and the local level, and I think it was Natasha, you mentioned that as you move these initiatives down you have to realize that ultimately the citizen is in the local level. So if something happens to them, their first touch point is probably going to be somebody in the locality. I have to admit most of those that have bubbled up to our attention when we were still in office, and I served Governor McAuliffe during his entire term, and he was the chairman of the National Governors Association, where we launched the cyber initiative with NGA called States Confront Cyber Challenges, called Meet the Threat. And so what we quickly learned was that everybody along that chain has to figure out how they respond and how they react when there's a problem. But it's not just about waiting until there's a problem to react. You have to be proactive in how you guard your own networks, how your networks interconnect with other people's networks, how do citizens interconnect with you. And so some of the lessons that we learned was that, you know, and I think the biggest takeaway really truly is that you can do everything that you can do to secure yourself. But when you start to interconnect with other people, if they're not doing what they need to be doing to keep themselves safe, whether that's a private sector partner or another governmental partner, a university, doesn't matter, if your networks are interconnected, their problem becomes your problem. And so it's not just incumbent on you to worry about securing yourself. It's truly incumbent on you to help everybody, whether it's in your supply chain, your contact chain, your sphere of influence. If you're a government, it's in your best interest to try to help each and every step along that pathway become as secure as they can be. We've had, it's been mentioned about the size of the IT staff.
I would hasten to say that LA staff, we had about 100,000 state employees, so we were slightly larger. But governors particularly have to make a choice on whether, they have to make a decision. It's not necessarily a choice because you can do both. And that's what we opted to do, is: are you going to focus on securing your own infrastructure? Or are you going to try to combine that work with also looking at the economic development benefits of building cybersecurity as an industry within your state? What assets do you have to bring to bear? How are you going to use those? Workforce was mentioned; there's going to be a massive shortage of cybersecurity workers, if there already is. Virginia, when we left office, was about 36,000 IT workers, well, cybersecurity workers specifically, down as of January. So we were down 36,000 employees. You can't churn out workers quickly enough. We were looking at veterans, we were looking at students, we were looking at mid-career changers, we were trying to find anybody that had a proclivity, that wanted to go into cyber, and try to get them into a program that would work. And so specifically with our cities and municipalities, we actually activated our National Guard. We decided that it was important enough for us to bring in the resources that we had to bear to help those that may not be able to help themselves. And so having the ability to bring the National Guard in to do engagements with their communities, they would self-identify. We didn't force anybody to do it. It was a self-selection process, gave them additional eyes, gave them additional hands to try to help them know what they needed to do better. We all know cybersecurity is not inexpensive. And so for some of these smaller jurisdictions, that maybe they have one person full-time, or maybe they have the kid that comes in on the weekend or a volunteer that helps them take care of it, you have to try to provide them with as many resources as you can.
Because, going back to my first statement about you're only as safe as your weakest link, they connect back to the state. And they connect back to the state in a lot of ways. We also went on a pretty heavy public awareness campaign. Cybersecurity became a part of every conversation that we had, whether it was economic development or whether it was IT, just in general, it became part of the conversation. So you're looking at elections. What are you doing about cybersecurity? You're looking at economic development. What are you doing about cybersecurity? You're looking at doing autonomous vehicles. What are you doing about cybersecurity? So it became a natural part of a conversation that just wasn't there before. And we found that people then started to become more comfortable with the conversation. But they also knew that they had a lot of learning that they still needed to do. So I think bringing in the Guard was a big thing that we did. The elections, obviously, we were knit hand and glove with federal agencies, state agencies, as well as the locals, trying to make sure that that process was done seamlessly and safely. And really truly just integrating the cybersecurity into the conversation so that people felt comfortable asking questions and trying to figure out what they didn't know. If you look at smart communities, which I think we're going to touch on a little bit. The idea of connecting, depends on which estimate you want to look at, 20 billion devices by 2020 that are going to be connected. All of those are vectors for potential ne'er-do-wells. And so you look at that. Each one of those is connected to a network that's connected to somebody else's network.
And so there's a lot of education that has to go on, both at the citizen level as well as all levels of government, to make sure that we're capable of handling the threat when we have a workforce issue and when there's a lot of people around the globe that are laser-focused on trying to do bad things to good people. So I'll stop there.
There are several fantastic things that, the threat is one, but another is resources that are available to mayors and city managers. States clearly want certain resources, bringing in their own expertise is clearly another, but we shouldn't forget as we sit here in Washington DC that federal government does have a role to play in supporting cities directly. You've been doing some work on this, Natasha. Well, what contribution can, should, may in the future the federal government play as cities start to grapple with the emerging channels, challenges of smart cities and increasing amounts of data, etc., etc.?
Thanks Ian, and I'm going to touch on some themes that we've already heard from the other three panelists, which I think is great because it's obviously a discussion that feeds into itself and we're all talking about, you know, similar issues. I'm going to break down the federal government's assistance to cities in the three categories and just give a brief overview as to what the government's doing now. I'm not going to touch on every single program because we'd be here all afternoon, but I'm going to give some highlights, and the three categories are, quick note, pause while we have cell phone, there we go, and the three categories are resilience, security and, as a function of security, recovery. And on the security side, that is the actual defense of networks.
First of all, a wide apparatus for information sharing, a lot of which flows up through the NCCIC at DHS and down through the ISACs and ISAOs, the information sharing analysis centers, information sharing and analysis organizations. And when you're talking about state and local organizations, particularly the Multi-State Information Sharing Analysis Center, the MS-ISAC, that has a network of sensors around the country, both in state governments, yes, but also now in city networks as well, and many, many counties and cities that are members of the MS-ISAC so receive, you know, the information that is shared through those channels. Another one is, you know, for the defense itself is funding, and now we already heard from Jacob that, you know, LA has been able to use some sources of funding from the government, one of those being the UASI funds through FEMA and DHS, which, part of the Homeland Security Grant Program, that has actually this year required there to be cybersecurity spending as a function of that grant and to engage the technology folks within the state in the council or the panel or however the state decides what the bid is going to be back to FEMA for those grants. There are other grants from DHS, such as the founding of ISAOs at the regional level, that have been used by cities, that, you know, we had a great conversation about that a couple weeks ago, which is great to hear, right, because, you know, it's great that the grants are out there; it's even better when we hear them actually being implemented in a way that obviously sees benefit for cities. So, you know, I'll definitely let Jacob talk about that a little while. And then looking at recovery, so when, I know, after an incident actually occurs, there's a couple of different teams that all have resources for cities to use after they have an incident, and that includes the NCCIC itself, that has a team that can go out and either do direct incident response and help them with the recovery or provide advice into how to
manage the event themselves. The MS-ISAC also has a team that does similar work, either onsite or virtually. FEMA as well can be deployed to help with an incident, a lot on the coordination, and there's a team right now, an upcoming report from RAND, where they're actually looking at that, so what is the role of FEMA as events are starting to get, you know, larger, more systems are being networked, we're realizing that, you know, these events can spread. And then also, you know, on the other side there's the FBI and the Secret Service that are there to really figure out what occurred, how it occurred, and to take the law enforcement side of that investigation, while the folks on the DHS side really do the asset management and recovery from an incident. And then on the resilience side, so the preparing for incidents, a large number of federal resources that are devoted to exercises, and that can be, you know, DOD led exercises, DHS led exercises. There are a number of states that are using the National Guard to do actual testing on systems, whether that's critical infrastructure or state systems themselves. Unfortunately it's very state by state basis, the legalities of how you activate the Guard, whether that's for state service or federal service, and even within a state what they're allowed to do depends, you know, largely on that state, and so that's definitely something that is still in development and in motion, but we're seeing it happen more and more often. The DHS apparatus also does a large number of testing, whether that's through NCCIC, that does a lot of the hardcore, you know, penetration testing, risk assessments, or the Cybersecurity Advisor program that also does assessments with state and local governments, and those assessments are free, right, so that's a huge resource that cities can take advantage of no matter if they're, you know, small or large. So, you know, that's the overview of what the federal government's doing. I think, you know, there's some
areas that we'd like to see improvement, particularly in funding. Having cybersecurity tied to the federal funding process on Homeland Security funding ties it to counterterrorism, and that's something we can delve into later. I'm not going to go, you know, down the rabbit hole on that, but that's definitely something that I think we should pick up at some point in talking about, you know, how the federal government helps state and locals and how we can improve this process going forward as, you know, folks are maturing in their governance structures and their processes, their procedures at all three levels of government.
Thank you very much, Natasha, and we'll definitely dig into sort of some of those resource questions, and I sort of mean resources sort of large, but before we do I'd like to just dig into sort of what threats we think we're talking about. We often talk about the cybersecurity challenge without actually being very specific about what it is individual actors in the system need to worry about. Coming back to you, Jacob, you know, as you advise sort of Mayor Garcetti on what his priorities ought to be and work with others in the city, what among the various different threats out there are you most concerned about? I'm thinking sort of, you know, balancing sort of the challenges of increasingly smart cities, elections as we've heard, interruption to services, ransomware attack in Atlanta, theft of data, you know, cities hold an enormous amount of personally identifiable information. What is it that you think mayors ought to be focused on, and where are they getting the information about how to balance those threats?
I think the number one issue that cities, or to speak to Los Angeles to begin with, are focusing on is employee security, so the human error part of the equation. It's said that some 90% of attacks on businesses and governments are due to human error, to an employee clicking on a phishing email and allowing malware and viruses into their networks. We
have made that a number one priority for the city, so by requiring mandatory training for our employees across the city, by taking part in National Cybersecurity Awareness Month and educating both our employees and the wider community on best practices for surfing the web and navigating the internet, email security and endpoint protection. So number one, I would say, is the human factor. Number two, you started to touch upon it, is smart cities, and Los Angeles, as you know, looking towards the next 10 years, is planned to become this smart city metropolis in America, and we are plan, you know, in the next 10 years we're going to have probably a Super Bowl and the World Cup and the Olympics in 2028. So as we move towards a smart city based on transportation, you know, updating our transportation and rolling out 5G and small cell technology, one of the things that the mayor and our city planners need to focus on is the security of new application of new technologies that we roll out.
And I should have said this time myself, but I'll turn it into a question for you: when we talk about smart cities, what is it that we're really talking about? What is it that LA thinks it needs to protect?
Sure, it's anything connected to the internet. When we're talking about autonomous vehicles in the future or e-vehicles, we want to meet goals, for example by 2050 to become carbon neutral. When we do that, we're going to be rolling out new technologies that need to be secure. I mean, the answer: anything that remotely touches on the internet needs to be secure, and I'll get into the private sector at some point too, but as more and more companies put out the smart refrigerator and the smart toaster and all of these devices that are connected to the internet, we need to be sure that when we adopt these technologies for the city we're doing it based on best cybersecurity practices.
Karen, sitting from where you used to sit, now I'm sure you are advising people based on that experience,
do you think of the threats that cities are least focused on that could be coming to fight them?

Sure. So I think where we left off was I agreed with the whole idea of the human element being one of the things that we have to continually care and feed, because there's generally someone somewhere who is going to click on the next greatest offer that appears in their inbox, and so we constantly have to work on that. And quite frankly, the hackers are taking advantage of that, because they're becoming much better at the way they present themselves, and so that's going to continue to be an issue. We're still going to have to continue with things like ransomware, other ne'er-do-wells, the denial of service attacks, but those are starting to be something that we have seen and can start to get our heads around. I think the things that we really have to look at is the physical security. Now we're starting to talk about the Internet of Things, whether it's driverless cars... A lot of these devices that are going to be involved in smart cities are durable goods, they're not IT purchases, and so we really have to start paying attention to how those devices are secured. I know in Virginia a lot of our durable goods are purchased by the Department of General Services; if they're IT services, they're purchased by our IT procurement department. One has cyber security standards, one doesn't. And so as we start to become more and more networked, the purchasing of those two, at least from the standards perspective, are going to have to start to converge. That's uncharted territory. We did have, you know, you start to look at what we're seeing with chips that are being brought in in manufactured devices that we purchase, that the states purchase, that the federal government purchase, localities purchase them, and we're going to have to truly start applying some significant pressure to the suppliers to make sure that they, whether it's a device or whether it's
something, you know, large like a traffic camera or traffic light, anything that's purchased, we're going to have to make sure that those manufacturers are applying good solid cyber security and, I've never been a fan of this, but practicing good cyber hygiene, both on their side as well as potentially doing some stand-up and testing before we go live with some of these products to make sure that they're secure and they are secure. So I think that's the next big wave that we're all going to have to deal with. We've kind of gotten pretty good at dealing with the ones and the zeros, but when you start to think about some of those zero durable goods that are purchased, anything that touches the network is fair game. That includes health equipment, which is particularly frightening, but the grid, financial systems... But it's the things that we don't think about, the HVAC systems and others that we haven't spent a lot of time securing, we're really going to have to apply a strong eye to. Now it's wrong, it's almost too late.

So that's a lot to worry about, if even the federal government and the companies who have significant resources... If you're, in relative, the mayor or city manager or staff of a medium-sized city even, how do we... All right, good, just a little bit of interference, which we'll do it. How do we, Natasha, expect mayors to get the information they need to manage those threats, and what resources are out there (Michael, perhaps you can come in on this) available to people in positions of authority?

Yeah, so, you know, I think when we're talking about cities we have to remember two things: that they're going to be always the targets and the targets of opportunity. And they're the targets because, you know, they have valuable information, they're close to citizens, they hold citizen data, they have a high need to recover those services, and the visibility of attacking them is pretty
great, because, you know, they're gonna have to inform their citizens, and so they need those resources and they need those resources, you know, pronto. Cities have partners that span across the federal government, span across states, the private sector and nonprofits. And we're talking about the federal government, I talked about some of those before, whether that's resiliency or recovery, you know, you can rely on some of those resources to help with those efforts. When you're talking about states and state efforts, you know, Michael highlighted some of them. You know, I'd add a couple to that, right. You know, you have Arizona that has a regional ISAO; many city governments are members of that so that they can get additional information that's cross sector. San Diego also has a regional ISAO. A number of cities are building these, or states are building them, to share information between their private sector partners and public sector partners, the state and the city.

And so can you just explain in a little bit more detail what an ISAO is, what it does, how it can be helpful?

Sure. So an information sharing and analysis organization is an organization that's a nonprofit that exchanges information, and whether that's through a relatively informal means where you have, you know, a CISO council that comes together and meets, or if that's a more formal threat intelligence platform that is used to share information, or automated indicator sharing, it can really span those different areas. But the basic premise is that it enables the exchange of information for security purposes between the members of that ISAO, and whether that's a topical ISAO or ISAC that's focused on one particular industry or regional focus where it's exchange of information. The advantage of a regional focus is that you have that person to person collaboration, so you can actually bring people together to meet face to face, and it's much more
comfortable for folks to share information when they know each other. When we're talking about, you know, other resources: universities. A lot of cities have, you know, higher education resources that they can help with, whether it's workforce development or partnerships. An example from a state that I think would be a really great model for cities to look into is Vermont is starting a partnership with Norwich to have students start to staff their security operations center. So that's been done in some other places, but that's now, you know, building a contract in that area. We're talking about nonprofits, whether it's the ISACs or ISAOs or other, you know, educational institutions within the state. Private sector as well: you know, the states, cities can reach out to their private sector partners for, you know, help on security, whether that's through a managed security service provider or, you know, incident response. But, you know, when it comes to incident response, I think something that we've heard again and again from both the private sector folks and the public sector folks is that it's important to build those relationships and those partnerships before an incident happens. You know, so you want to build those partnerships, at least, you know, at the minimum of contract or conversation; at the high end, you know, actually working with folks actively, whether that's, you know, the National Guard, and making sure that they have, you know, the basic stuff, log-ons, so, you know, something happens in an incident, they're not, you know, trying to spin up accounts right after an incident. They're familiar with the systems, they've sat there, they've worked with people, they know who they are and can really have that dialogue when an incident occurs.

Mike, one of the things that I know states have begun to explore is, sort of picking up Natasha's theme, rehearsing for incidents and preparing.
What sort of lessons do you think can be learned there that cities like LA, you know, relatively big cities, but also smaller cities, can learn from the journey that states have been on in the last few years?

Yeah, no, I think that's really spot on, because I think, going back to the resources, one of the primary resources are the various and numerous amounts of federally run exercises that states and even locals can participate in. And we actually, we're part of DOE's GridEx exercise that occurs every two years, so GridEx IV just occurred, and I think one of the greatest lessons learned that I saw was not making assumptions. And this was really between the state, federal and private sector industry, but it wasn't necessarily... the conversation was "well, I thought the state was going to do that", "well, I thought the process is going to do that", and it was just this, you know, who's on first base kind of ordeal. And it was actually really interesting in that people assumed, and to Natasha's point, they're making those business card contacts during the incident and not beforehand, and they didn't necessarily exercise for externalities. And it's really thinking outside the box, right. Going back to an island port, that was one of the key recommendations: we have to make sure that we're thinking outside the box, thinking, but what's the next threat out there that we're not thinking of? And I think that's one thing that cities and states can learn from, is that how can you make sure that we're leveraging each other's resources, we're not duplicating efforts, and that we are redundant as well. I would, we advocate states that they should definitely be playing with their locals to see what resources they need, but at the same time it goes back to capacity issue, in that running exercises is very difficult, and that's where the government plays a really key role, is hosting those exercises. So I'm curious to hear more from you really and see if you all play any exercise and, you know,
what you all expect from state government, because I know, I mean, you guys are larger than many made states, and the states themselves are struggling with that as currently. But take it to LA, run it's a sort of regular cybersecurity exercise?

Yeah, I'll tell you, every year we participate in trainings and exercises with the U.S. Secret Service, for example. They come in and we'll do a tabletop exercise, and we'll choose some critical asset, maybe it's the Port of LA or southern California a gas plant, and what the steps, what steps would, basically the stages of the incident: notifying law enforcement, working with our state and federal partners on resolving an incident, and then also working with the private sector holders of critical infrastructure as well. So we do incorporate them in a yearly exercise.

And just, I'm going to open this up to the floor soon, but just two more questions from me. One is just to sort of pick up on this theme of collaboration and coordination. Obviously it is much better to learn from other people's misfortune than your own, but also there is an element of pooling resources to deal with threats that individual cities can't deal with on their own. Karen, you may have a perspective on this, but I know Natasha's thought about it: what progress have we seen in pooling of resources to help cities deal with some of the challenges that they face?

Sure, and I want to give a shout out to the National Governors Association, actually, because they have a cyber resource center that has lots, I don't know how much anymore, we kind of lost track of it, but there's lots of information there that would be applicable to whether it's a city, a county, a town, a state. You can see copies of executive orders, you can see all different types of resources, and I'm not going to try to categorize them any further than that, that are available. And so that's a national treasure trove that, you know, everybody should feel free to get in and dive around, because I think the
thing to realize is you're not in this alone. There are people there that can help you, there are people there that will come to your aid. I know our chief information security officer meets regularly with chief information security officers from around the state. It's a voluntary meeting, we don't force anybody to attend, but obviously those that come from the new municipalities, we basically have handshake reciprocal agreements that if something happens to you, you can certainly call our CISO. And so there is this network at that level that, whether it's formalized or not, there's a brethren that are always willing to step up and to help each other, and that goes nationally as well. There's the National Association of State CIOs that works in this space of what as well, national association of cities, everybody is recognizing this is an issue. So I think the main thing is to realize you're not an island, there's plenty of information out there, and don't be afraid to ask. And there are these resources that are available that most of them, or a lot of them, are free. And as you mentioned, you know, get the card, make the contact before you have a problem, because they're there to help you avoid the problem just as much as they are to help you once something occurs.

Because you've been thinking sort of about taking us even beyond that to collaboration between cities, what do you think the opportunities are for the future for bringing together, pooling resources in order to meet some of these threats?

Yeah, and I think, you know, it's not just collaboration between cities, which I'll touch on in a minute, but it's also, you know, from the state perspective, something that we're already seeing, and then ways that we can take that further, or, you know, county to county collaboration. And a couple of things I want to talk to first are what's already, you know, going on right now, which is, you know, the availability of state level contracts for IT services or IT products that, you know, local
governments can take advantage of, because states, you know, by themselves or with other states, have a purchasing power that is way beyond what a local government would have, and so the pricing there is going to be very different. And so having contracts that local governments can take advantage of, whether that's for incident response or for products, can really, you know, lower the burden on a local government to have to do that on their own or to, you know, pay for services or products that are much higher premium. I also call out the program from Michigan, where Michigan paid for a cybersecurity expert to do analysis on counties that wanted an assessment, so we're able to, you know, use that power from the state, you know, a little extra budget there, as a pilot to provide those services down to the, you know, the county or the local government level. And something else, you know, encourage folks to think creatively, you know, especially when you're talking about smaller cities, smaller local governments: they probably don't have the money to employ a chief information security officer, but, you know, multiple counties or multiple small cities may have the opportunity to do so. So to think about how to share not only resources but personnel in this shortage of personnel time could be very, you know, an interesting platform to do as well. Looking at a regional perspective, sometimes states necessarily won't have the opportunity to all have the exact same expertise, but how do we, you know, through that development of exercises, through, you know, getting to know each other and making plans that are strategic in nature, be able to share resources at a more regional level?

Anything you want to come in on?

Yeah, I just want to say, if I may add, and I'll just kind of wrap it up: this year, this November, there's going to be 39 gubernatorial elections. There's going to be 19 for sure that are term limited, so we're going to be looking at at least 19 new governors. That means
there's 19 states that have their governors and all electrical down where you have to reeducate them on cybersecurity. Now, some are going to come with different backgrounds, but there's obviously going to be a learning curve, and I think that's where you have cities where they have mayors in place, where it's going to be incumbent upon them to make that connection, saying, hey, I'm here for you, here's what we've done, here's what we did in the past that worked well, here's something that maybe we can learn, do differently. But I think that's going to be crucial. Going back to kind of threats, for me I think that's the biggest one, which is making sure that we get everyone up to speed, because the threats and the threat actors are going to still be pounding.

One final question before I open it up to the floor. It is noticeable, for very obvious reasons, that the state and local cyber security conversation has been sort of diverted in the last couple years into a conversation about election security. We don't need to have that discussion now, other people are discussing that, but question for you: whether you think that is going to be a net positive or a detractor from dealing with some of the other cyber threats. Is this going to be something that kind of raises awareness, gets people engaged, or is there a limited amount of resource and a danger that people understandably focus on that at the expense of some of the other things we've been discussing?

And I'll take first crack at that. And I think, you know, I think the answer is both. You know, for some states it depends on the actual governance structure that exists within the state. If the election infrastructure is very closely tied to the infrastructure for cyber security within the state, that could be great for both sides and, you know, enforces collaboration, and it's a way of increasing that communication between the local governments and the state governments, local governments and the federal governments. In other states that may be
two very separate forms of communication, and I've, you know, already started to hear from folks that are saying, you know, we heard about this, or they heard about this but we didn't, and having that push and pull between the, you know, the infrastructure that, you know, support elections and the infrastructure that supports IT within local governments and the state. But overall I think it'll be a net bonus. You know, it increases the communication, it increases the conversation around these threats, and at the fundamental level it's cyber threats. There aren't different threats that are, you know, they're slightly different, but not really, in terms of what's facing a local government, the election infrastructure, you know, private sector company. The high end of the threat, yes, maybe it's different, but at the low end, the targets of opportunity, it's all the same. And so having that conversation, making sure, you know, as you were saying earlier, Karen, people are having this conversation, it's part of the discussion, I think that's a benefit for all of us.

Yeah, no, I agree completely with that. I think it's really a net positive in that you're having conversations with stakeholders that weren't in existence before; that's happening now. Now we have really robust conversations. You now have election infrastructure designated as critical infrastructure. I know there's a lot of debate with that going beforehand as to the merits of that, but I think now people see the merits and the benefits of having it as that, and as a result, to the touchpoint, we see this as all interconnected. I think where I get frustrated is that everybody's talking about just election infrastructure. Don't forget that a malicious actor can target a transit system, like what happened in San Francisco where they ransomwared it and you couldn't use the transit system. If you do an election day, then folks can't go to vote. So all the critical infrastructure is interconnected, and I think the more we have those
conversations and the more we view it as a whole ecosystem, and I think the better. So really I think if it's been a net positive.

Sorry, I'm going to add just a little bit of that. I think ultimately it will be a net positive. I think the last experience that we had, though, everybody at the last minute decided they need to be a part of the election conversation, and so a lot of our elections officials, I think, felt like "stop helping me", because they were so consumed with people who wanted to come and help with the presumed situation that they were having a hard time actually carrying out the functions that they needed to for an election. So I think that's the, we have to avoid the "let's just pile more stuff on because more has got to be better", because I think that becomes a real issue. Virginia actually decertified a whole host of voting machines because there was no paper trail. We were very fortunate that we did that, because we ended up with quite a few recounts, had we not taken that step. But to your point, we had to work very creatively with the vendors of machines that did have the proper security to make sure that those localities and those machines were in place prior to the election, because they didn't have the money just lying around to replace voting machines. So you have to look at budgets and you have to look at how things fit together. I think going forward, you know, we have to, we can't get, this can't be the bright shiny object that everybody focuses on. Security around elections is physical security, it's accuracy, it's cyber security, it's a whole host of topics, and if we get fixated on just the cyber security elements we're going to miss something else. And so it has to be viewed as part of a much bigger portfolio of cyber, I mean portfolio of security, where cyber security is one ongoing effort just like everything else. Because the sanctity of the election, you know, all of this is built on trust for governments. Whether it's federal, state or local, your citizen has to trust
that they're participating in a system that will protect them, and it will protect their rights, and voting is no different than protecting PII, you know, on any other given day. But I think we have to be careful not to chase the bright light, because if we focus too much on that we're going to miss something somewhere else, and those are equally important to what can happen cyber.

Anything else you want to add?

Yeah, I'll just say the role of mayors and local officials now in this space is encouraging voters to still go out and vote and trust the system, and that's something, for example, that Mayor Garcetti has really pushed, and making sure we're engaging a local youth community and registering new voters. That's from the city, the city's role in doing so. I would also, the answer to that question might also depend on the jurisdiction. The way Los Angeles works specifically is we do not run our elections, we provide, those functions are part of the county and the state, so it might also have to do with who you ask. We are constantly working with our county and state officials on election security, but again it has to do with jurisdiction.

I'm going to keep this conversation running until about 4:45, with people's permission, because we lost a little bit of time in the middle, so that gives us 20 minutes to pick up questions from the floor. So if you have a question, please sort of indicate, and there are microphones sprinkled around the room for people who want to ask a question. Anybody? I have plenty of questions. So anyone have any questions they'd like to ask? If you use a microphone just in front of you, if you could press the button, say who you are and where you're from, and then ask your question.

My name is Colleen Johnson, I'm from Sarah Brenna cyber risk management firm. I had a question for Jacob of Los Angeles. I was wondering how having Hollywood as a unique part of your constituency impacts your efforts to build a cyber security program as a public
program, and if, you know, particularly with the perspective is, you know, the American movie industry being considered a trophy, you know, a cyber attack trophy.

Hollywood is obviously the American epicenter of production that's in Los Angeles. We regularly engage the industry, and one of the things I haven't touched upon yet is the LA Cyber Lab, and so before I answer your question let me take one step back and just do a quick background on that. In August of 2017, so last year, Mayor Garcetti met with a group of information security professionals from about 30 different private sector companies in Los Angeles that are headquartered in LA, and it's a cross sector approach. We have companies from the entertainment industry, academia, healthcare, tech, critical manufacturing, etc. represented on an advisory board that works with the mayor and the city government to exchange information, to work on workforce development programs, and engaging stakeholders. So one of the communities as part of that is entertainment. We work very closely, for example, with 21st Century Fox and Creative Artists Agency, just to name two. One of the things that they are really concerned about is supply chain, supply chain security of their products. They, movie industries, for example, they film a movie and what it goes to the distribution phase, the production phase, and one of the things they're concerned about are the leakings of films. So we are working very closely with them to engage them and provide them with the resources they need to strengthen their community. That answers your question?

Yeah, thanks.

I was hoping we could return to a topic that we touched on very briefly before the intermission, as it were. Karen, you had mentioned some of the workforce development, you'd mentioned it as well a second ago. It seems to me that state and local governments are in a good position to make a virtue out of a necessity and really implement some innovative solutions. They're incentivized to deal with the scarcity by
innovating, and I have on occasion seen some areas, either in their own workforce or working with local stakeholders, encourage things that we haven't seen other places, and we've really seen states and localities being some of the genesis of that. I'm curious what sorts of programs you've seen, what you've been involved with, what you've been interested or invested in bringing up in your own systems as well.

I'll take first crack at that one. There's a lot going on in education, it's really exciting. In Virginia we actually passed a law, it was done through the legislature, that computer science would be taught beginning basically in kindergarten and continue all the way through the K-12 experience. I think the thing that is going to be the game changer: industry relevance. You've got to have industry experience and relevant hands-on experience before you can even compete in these arenas. Right now Virginia, and Michigan has done this as well, has created a cyber range, which brings together a virtual world that includes curriculum, that includes red blue games, hands-on experiences, and it's available to all educators throughout the entire state. Michigan's the same way as we are. And what that does is it levels a playing field. Each individual school doesn't have to go out and create a X type of lab in order to be able to do this; they don't have to necessarily have the number of professionals, teachers, that understand how to teach cyber, because there's a whole ecosystem, educational ecosystem, wrapped up in this virtual environment that they can plug into, and so it saves them the pains of having to create unique curricula. Industry partnerships: they're hungry for them. We've actually launched, and this is more on the veteran side of the house, but AWS, Microsoft, Cisco and a whole host of others have come together to provide free training for veterans that are exiting the services. That is a very unique model. They don't have to go to a four-year institution, they don't have to really participate
in any traditional educational experience, they can simply go through the program. That consortium was set up, believe, in 2013-20... well, 2014-2015, and it's still in use today. We're seeing much greater participation in things like CyberPatriot, National Cyber Challenge, and again it comes down to resources: having the resources for the teachers, having the teachers be able to be trained. And we've got to start these students at as early an age as possible, so a lot of these competitions that are outside of a typical school day are where we're hitting the biggest success. I hate to say it, traditional education is slow to change. We can mandate, we can do a lot of things to try to force that, but it's a slow process. And so we've done LifeJourney, and I'm going to cut this short, but there's a group out there that partner with the national, I think it was NSA, to do something called LifeJourney. The child or the person gets online, they can explore cyber careers, they can pick one that looks like them or feels like them, take it for a test drive, play some red blue games. SANS Institute is doing something similar. So we've got to find a way to engage and keep kids engaged until the traditionals catch up, because there are well-paying jobs that can be attained with just certifications, there are others that require an associate's degree, there are a lot that require a bachelor's degree, but we've got to make sure that wherever that child decides to jump off the educational process and into a work-a-day environment, that they have the credentials to do that. So I don't think we're done seeing hackathons, datathons, Girls Who Code; all of those are providing very, very solid resources outside of the traditional educational space. And I think people are finally recognizing that cyber is a career that is real. So many, for so long it was NCIS and other shows on TV and nobody knew how to get into it, but I think that conversation has changed, so we're seeing parents be more proactive, and we've
got to spend a little bit more time on our guidance counselors, so that as they're channeling these kids into their career choices they make sure that cyber security and the IT fields generally are part of that conversation.

Jacob, what's LA doing to build its workforce?

Yeah, I'm glad Karen brought up the cyber range, because we were recently, the Los Angeles Cyber Lab was awarded a three million dollar Department of Homeland Security grant a couple weeks ago to become the Los Angeles ISAO, regional information sharing and analysis organization, that is cross industry. And what some of that money is going to go towards is developing a cyber range where we basically, the ISOC is sitting on all of this threat data that we collect from across the city, from all of our assets. We want to make that threat data available to researchers, undergraduates, graduate students to come in. We have, for example, students from CSU Dominguez Hills right now who are interested in building dashboards for our cyber threat analysts. What would be really cool and ideal would be for them to build a threat model for us, so that we can understand what the cyber threat is to the city. That's, for example, one thing that we'd like to do with that money. We're working with the local universities around Los Angeles to place students in cybersecurity jobs. NICE at NIST had a recent statistic: there's about 10 to 20,000 unfilled cyber security jobs in the Los Angeles-Long Beach urban area. So we really are working with career centers to introduce students to these positions in cybersecurity and LA.

We could go on and talk about sort of workforce for the rest of the evening, and Laura, who just asked that question, is surely have a report out on cyber security workforce issues, which I recommend to everyone. But just to stay sort of directly on topic, conscious of our time, before we finish I'd just like to ask a question about public policy. We're a public policy think tank, we're focused on
coming up with ideas to improve the way in which we're governed at all different levels. Looking at sort of, you know, what are both the opportunities for various different levels of government, either, you know, federal government to help states and cities, or indeed states to help cities, or indeed what are the opportunities where we've seen really good policies happening in isolated areas that can be elevated and brought to bear in other parts of the country? Natasha?

Sure, and I'm just going to highlight one. There's obviously a number, and what I'm going to highlight is the funding aspect, and looking at how cyber security efforts are funded. Particularly, you know, I'll just focus on the federal government side. You know, tying it to Homeland Security grants has been beneficial in the past because it's a grant, you know, vehicle that already exists, and it ties itself to that concept that cyber security is an element of security. I think there's a couple of fundamental problems with the way that it's currently done, and one of those is it's tied to counterterrorism. Kind of, counterterrorism is obviously a threat, it's one that we face, you know, every day in this country. I would hazard a guess that, you know, and talking to a number of folks that specialize on this, it's not the primary cyber security threat. And so tying the preparatory efforts and the funding efforts that we have in this country for cyber security assistance to state and local governments to a counterterrorism threat takes away from the actual priorities of what we should be doing to prepare as a country in a federal manner for cyber security threat. And so separating that funding out and tying it very closely to both the threat profile and also to the national priorities of what we need for recovery, what we need for security, what we need for resilience, would really help to put that roadmap out for state and local governments in terms of where they should, you know, where they can be going, where
they should be going, and how to directly tie their efforts to the kind of funding that is available in a much more clear and directed manner.

Michael, what's the policy opportunity, or indeed policy, that you'd like to highlight?

I think policy opportunity, going back to the other conversation about smart cities, is really public safety technology. And I think there's two instances, and one is that states are rolling out Next Generation 911, which is basically IP-based 911 systems where the callers can send data files to responding officers, so think of texting, audio, visual, things of that nature. Now, 911 truly is a local jurisdictional issue; however, when it comes to Next Generation 911, it's states that are rolling it out. So that's a great partnership right there, and how the states can engage locals, because there's been instances where people are now attacking 911 systems, and that's going to be the government's worst day, when citizens can't call for government help. So that right there is a great opportunity. And secondly, public safety law enforcement is getting a wealth of information, whether it's through these 911 calls, whether it's through body-worn cameras or any other kind of application that they have. They now have to manage that data and protect that data, so once again there's an opportunity for state and local governments to focus on that particular issue.

Karen?

I think there's a lot of public policy implications around cybersecurity. I think at some point we're going to have to normalize across the U.S.
because right now what's happening is it's an evolution of a patchwork quilt. Every state is doing something different from everybody else, whether it's supply chain management, I know there are some bills that have come through on supply chain for the federal government, slow to be adopted by the states. But if states can adopt like processes and procedures that are going through the federal government, much like Natasha mentioned about the contracts that are shareable, if we can do the same with policy and reduce the patchwork nature of the policy so that we're much more unified, it's going to make it easier for everybody to adhere, especially those that are providing goods and services, if they don't have to look across, you know, however many jurisdictions, states, federal government. It's going to be so difficult that there's going to be very few that will ever be able to qualify across. We've seen California, we've seen Europe come out with GDPR and other things that are quite sweeping. I think it's going to take us a while to get there as a nation, but I think having that kind of aspirational goal that it's unified, whether it's information sharing or whether it's, you know, policy around securing devices, we've got to get to the point where we stop seeing the boundaries. The hackers don't see boundaries, and so the more that we can unify ourselves under more clear and more succinct type policies, it'll be better for everybody.

So where do you see the onus for that resting?

Um, I think, you know, the federal government is going to have to step up. Now, preemption's a whole different conversation, that we could have a whole different conversation around at some other point, but I think there's going to have to be a leadership that says, you know, here are minimum standards. I know there's a lot of people working on, such as NIST working on smart community standards and others, but we're going to have to have those standards and policies. Just like NIST developed the
cybersecurity framework, those at least provide a baseline starting point that we can have those conversations. And so there's going to have to be leadership, I believe, at the federal level, but to the extent that the states have already taken a leadership role, the more of the states that can adapt to and adopt those same policies, procedures and otherwise, it's going to make it much easier for everybody. And it's going to be, you know, possibly, you know, with NGA's help, if the states will go through and start to adopt it, then it's going to happen from a grassroots level, you know, whether it's states or localities. Once it starts and two, five, ten adopt it, then it's much easier for the rest of them to fall into place. And so I think the federal government needs to step up and start. They have the biggest buying power of anybody. Maybe if the states all join forces maybe we'd have larger buying power, I'm not sure. But they also have a lot of areas of very distinct interests, such as DoD, and the products that they buy for them, they have a special interest in them being secure. So I think there's going to have to be leadership from the top, and then the states are going to have to find their way to participate in that. But I would think that putting together a group, much as was mentioned before, that involved city leadership as well as state leadership as well as federal to evolve those policies would be a much smarter way than doing it in any one vacuum. And perhaps, you know, you would like to host those kinds of discussions around that multi-level. But I think, you know, it's going to have to be collaboration, but there's going to have to be leadership, and somebody's going to have to take the first step.

Jacob, I'm going to give you the last word, so it's a two-part question. What enabler would you most like to see in order for you to do what you need to do for the people of Los Angeles, and what is the thing that you have
learned, perhaps the hard way, that you think could be most useful for other cities around the United States?

Sure, I will. So first policy would be separate funding that is not tied to counterterrorism; I agree with Natasha. The second policy that I would like to see a push towards is mutual aid agreements between cities. We in Los Angeles, for example, have that expertise when it comes to cyber incident response, and when Atlanta, for example, was hit with a ransomware attack in March, our CISO was the first one out there to make sure that Atlanta's CISO was able to respond and recover from the incident. I want to see more official mutual aid agreements between strong cities that have expertise in cybersecurity, but also cities and smaller jurisdictions that really don't, and same thing with state-to-state support, federal-to-state support. I think there needs to be a stronger framework for mutual aid. To do the second point, what's something I've learned?

What do you think LA has to teach the rest of the country?

Be ambitious, of course. Obviously dream it; it's something that we want, that you want to be true. But, so, that's actually a tough question. Keep in mind, obviously, the cybersecurity impacts of every policy that you do, whether it's a physical policy like transportation and traffic, how do we help homeless in our cities. I think you always need to think of every policy issue from a cybersecurity perspective, because there's always some type of nexus that could occur.

So New America of course has an office in California, so I look forward to continuing this conversation, perhaps in LA, in due course. But for now, we could continue this conversation, but I'm very conscious of people's time. So thank you for those people who stuck with us online; particularly, thank you for the people in the room who stuck with us through the interruption. It just remains for me to ask you to join me in thanking our fantastic panel: Natasha Cohen, Michael Garcia, Karen Jackson and Jacob
Finn. Thank you very much.