Good afternoon. And I trust everyone enjoyed their lunch. I'm going to get going because we haven't got too much time, and I assume that other people will join us in due course. But I want to introduce and welcome to the conference Jeanette Manfra. Those people who are inside the sort of small DC cyber policy bubble will know Jeanette, but others may not know her so well. She is a career civil servant, but for the time being, at least, is the acting deputy undersecretary for cybersecurity and communications in the National Protection and Programs Directorate, which is a very long-winded way of saying she is the most senior person in DHS solely doing cybersecurity. So for those people who this means something for, she is covering the slot that Phyllis Schneck most recently took. And, as I say, as the administration begins to sort of find its feet, what we're increasingly seeing, I think, if we're reading the tea leaves correctly, that DHS is going to have a pretty prominent role in some of the initiatives that Tom Bossert hinted at when he spoke at CSIS last week, which was the first beginning indications we have of the agenda of the new administration on cybersecurity.
So I want to cover a number of topics, not the least of which what this administration is going to be looking at to the extent that Jeanette can talk about it to this point, but also cover some of the areas of continuity, things which the last administration has started, which will continue, but maybe didn't necessarily get the coverage they deserved as we moved across into a new administration.
First of all, Jeanette, I'd just like you to tell everybody a little bit more about your career. One of the things that we've been doing in New America is trying to provide role models for people who want to get into this space. What does your career look like? What have you done in your last couple of jobs that has taken you to where you are now?
Sure.
So I think I was probably always destined to have a career in technology, despite as much as I tried to avoid it in my youth. I grew up, my father was a programmer. We always had computers around the house. A Commodore 64, plugged into our TV. And I always thought, no, I'm going to do the arts and the hard science route. And so I continued to, while I had a love for computers, growing up around them. And with my father, I decided that I didn't want to follow in my father's footsteps, which is probably ironic for a lot of people. Usually it's kind of the opposite.
And in college, I decided to join the Army. And they did a great recruiting video about how fun it was to be in the Signal Corps. And you got to run with radios on your back through the forest and all sorts of other kind of really cool things. And I was really motivated to do that. And then it turned out that it's really, I'm just a LAN administrator, which is fine. But I learned really there both the tactical deployment of communications and information technology and how valuable that is to support the mission. And so I kind of went from there and then merged into more the intelligence side of things. And once I got out of the Army, I was looking what I wanted to do. So I decided I'm going to take all this, apply it to international relations, and understand how this all sort of fits in understanding the sort of the emerging way that countries have to negotiate the internet and all of this technology.
And as I was graduating, a company came to me and said, hey, we're starting this new Office of Cybersecurity and Communications at DHS. Do you want to join? And that was in 2007. And so I said yes. And I've been with that office in various forms. I was able to serve at the National Security Council for a year as the director of critical infrastructure cybersecurity and served as the last secretary's senior counselor for cybersecurity.
Worked closely with, at the time, Under Secretary Suzanne Spaulding to really build the capabilities for the National Protection and Programs Directorate, which is the larger directorate that our cybersecurity mission fits in. So and then I was asked to take this position. So here I am.
So let's cut to the chase. You find yourself as the acting deputy under secretary. We have essentially two data points in terms of what this administration is going to look like. As I mentioned, we don't have the EO, but we have had Tom Bossert talking last week about some of his priorities. We also have a budget proposal, which suggests, if successful, that more money will be coming to DHS, which is consistent with some of the other things Tom said. What's that money going to be used for and how do you see work of DHS, both protecting government systems and critical infrastructure evolving over the next few years?
That's a lot. I think, you know, not to get too specific about how the money would be used for the President's budget request, but very pleased the recognition that DHS has this capability and recognizing that the need for more resources to fully realize our authorities and capabilities, focusing on protecting the dot gov. That is a core capability and core competency that we need to continue to improve upon in DHS. We have learned a lot over the past 10 years, and as we've learned, our environment has evolved as well. In some ways, the way government does IT is exactly the same now as it was 10 years ago, unfortunately, and we're working to try to change some of that, but you see a lot of innovation that both in sort of pockets of procurement and leveraging commercial technologies to meet the user requirements. So we want to look broadly at how do we get ourselves out of defending the indefensible, I think is what Tom Bossert said previously.
And it can't be, the cybersecurity solutions will always be somewhat, we'll say, kind of jammed into an imperfect architecture because we need to be able to modernize our systems. We need to rethink the way we procure and operate IT and to the extent that we have operational technology within the federal government. So really looking at the two together, IT modernization and then everything we've learned and on how DHS deploys systems and tools and capabilities to other agencies. I think we've done a couple of different models and I think we're seeing a lot of success in our continuous diagnostics and mitigation program where we are working with the agencies, understand their environment, understand their requirements, but we have a large contract through GSA and that leverages the purchasing power of the entire government where each agency sort of isn't off doing their own thing. We are able to deploy these tools working with the vendors and with the agencies and then ultimately we will both have agency-specific dashboards but also a DHS dashboard where we can start to see what does the risk profile of our IT across the government really look like and doing such in a continuous monitoring way where we're constantly seeing and checking devices and I think that will be the first time that we'll have a truly data-driven approach to understanding what's on our networks, how are they operating and then of course the next step will be kind of enforcing the security rules that we need but we wanna do that in a way that doesn't sort of push us back into the kind of the traditional way of the government doing IT. 
We wanna do it in a way that capitalizes on all the news or the cloud, mobile, everything else that we want to modernize government, we wanna make sure that our security accounts for that and we think that we can do that, it's a big ask but that's a lot of what we'll be looking at is what have we learned, what's the right strategy to achieve that and how can we deploy that quickly and are there governance changes within the federal government that we should be looking at what's the role of DHS, et cetera.
So I should have mentioned Tom Bossert is of course the assistant to the president for Homeland Security but he has a cybersecurity background which I think is kind of relatively rare and but in talking about this, one of the two of the things that he mentioned is one, proposing greater accountability for leaders in government but also suggesting there are times when it's not within the control of an agency themselves to deal with some of the bigger threats and suggesting a sort of a further move to a managed services model with DHS being key to that. What sort of timeframe do you think we're looking at to get the federal government to the point where the dot gov is protected in the way that you think it should be protected?
I think, I mean, I would like to have a strategy done in the next couple months and a plan to implement it in the next two years. I think we can do it and I think we have a lot of support from the administration leadership and between us and the private sector, we have the tools. The complication is in the federal government. You have to be able to scale pretty massively and we have a lot of decentralized networks and so that is always sort of the challenge in implementing these sort of cross domain solutions. But I think we can do it.
I think we have cabinet heads similar to the private sector where they understand that this is their risk to manage but there is also, there's a broader enterprise risk and being able to understand both individual entity risk as well as the enterprise risk is I think something that DHS is capable of doing and then being able to work with the agency to deploy those tools to protect against those highest value assets. I think that was also an important lesson that we learned is and again similar to what we asked the private sector to do with the cybersecurity framework. It's about identify where your highest priorities are and mass your resources to be able to both protect those but also make them more resilient so that you can get them back up and running quickly and understand what your contingency plans are for. So it has to kind of all come back to let's get a little off track of your question but it all has to come back to what are your essential services and functions that you have to perform whether you're government agency or private sector in order for you to do your business or your mission. What systems and data are you dependent on in order to do that and then how do you best protect and make those more resilient. And I think that's where we're going to continue to focus on. It's, there's a lot of critical systems in the government and we need to focus our resources and that's how I think that by having that prioritization conversation both within the government and with critical infrastructure that's how I think we can move faster.
So you mentioned that critical infrastructure and of course DHS has essentially two sort of side missions, the dot gov, there's also this big role in supporting the protection of critical infrastructure much of which is in the private sector and the administration has spoken a lot about sort of working in sort of new ways with the private sector.
But actually quite a lot of the sort of thinking behind this relationship has been done over the last few years. For the benefit of people here can you just give us a sense of what DHS's role sort of now is, Presidential Policy Directive 41 and the National Cyber Incident Response Plan and how that is going to frame the way that you're engaging on protecting critical infrastructure.
Sure, so I think there's for critical infrastructure there's two main areas. One is the protection and the preparedness role and one is the response and the recovery. I think the PPD 41 which was published at the end of the last administration outlines mechanisms by which law enforcement, intelligence community and Homeland Security work together to address a response for a significant cyber incident and we're putting that into practice developing all the plans and executing that through exercises and having had a chance to do it in real world so hopefully we'll wait for a little bit for that one but making sure that we all have mechanisms to ensure that we have the appropriate conversations. We have a significant incident. How do we need to pursue any investigative angle? What's the intelligence community assessment and what are their equities in this and from a DHS perspective, we're looking at systemic risk and how we can sort of stave off any potential from this becoming larger than one entity if it hasn't already done that and also ensuring that we're getting those systems back up and running and every cyber incident has to manage all of those equities whether they're in government or without and this is sort of the structure to do that and the National Cyber Incident Response Plan which we issued just a couple of months ago was worked with the private sector and state and locals to further define roles and responsibilities among those communities for cyber incidents.
So that's the cyber incident response side and the protection and the preparedness I think there's kind of underneath that two areas that we started focusing on and want to continue to do that. One is sort of a large protection of everybody and which also I think has a deterrent effect and that is largely in our automated indicator sharing program. So building a neighborhood watch if you will where everybody is sharing indicators we have the liability protection now for industry and we have the policies worked out within government to ensure the appropriate protection of privacy, et cetera where we are just getting as many indicators as possible shared amongst as wide a group as possible. We're near about a hundred entities that are signed up for that and that doesn't mean just a specific entity it could be information sharing analysis organization that represents a broader community and so I think that's very important and I think the more people that are sharing and the more people that are ingesting that and protecting themselves one we're not only all improving our protection but we're also having a deterrent effect by making it harder for the bad guys to use the same techniques over and over again. So that's sort of one area and that's not the only program but that's sort of our main one. The other one is really trying to understand the systemic risk within critical infrastructure and understanding what you could call high value targets and where is the potential for the greatest consequence from a cyber incident and we took some initial steps in executive order 13636 which asked us to identify that exactly that set of entities and so now that we have that begun what is the, we need to have a conversation with both those entities but also other parts of the internet and communications technology community about what do we do? Are we providing additional services and products for those entities? 
We should be developing contingency plans with our government partners with those entities with other elements of the community and that's where we wanna go forward is now that we have this joint understanding of where that potential for consequences how are we working to mitigate those consequences and they may not be a cyber response. There's a lot of things that you can do to mitigate consequences that don't necessarily involve a computer so we wanna ensure that we're talking with emergency management professionals and others and so that's where we'd really like to prioritize our efforts and that's where we intend to prioritize our efforts over the next few months.
That's an enormous agenda and in order to achieve that, particularly against the sort of problem set that you're up against. You need to be, DHS particularly, the government would generally needs to be as effective as you can. Suzanne Spaulding talking earlier said that one of her regrets of her time in government was not being able to take forward the reorganization of the DHS's sort of cyber responsibilities. We're now in a sort of slightly different congressional place. What's the hope for in terms of how you would be organized in order to take this forward in due course?
Well, I think we made a lot of progress even if we didn't get the name changed which we very much wanted and I look forward to working with Congress to get that name changed. I think we can get that done. I also think the work that was done identified a lot of what I was talking about initially. What are our core capabilities that we need to develop and where do we need to be allocating resources and how have the sort of strategic, the broad strategic shifts in the cybersecurity environment? What does that mean for us at DHS? So I think we really laid a lot of groundwork and there are some organizational changes that we would like to make but I think that we can get that done.
The other part of the component of course is once you have the structure is the people. Workforce is something we're gonna talk about later today but just in terms of how you see the workforce in government, what are the things that you're most focused on in your current role to ensure that the people who you have working this issue are the people that you want to have working this issue and that there are other people coming in behind them.
So I think workforce is a huge challenge for us as it is for a lot of people I think. I think we have, well first we've been given some really great authorities by Congress both in terms of our mission but also in terms of our workforce where we were allowed to develop an excepted service for cybersecurity professionals and so we're working to implement that and that allows you to do things, recruitment and other sorts of incentives. But we also, last year maybe the year before just using existing authorities, we actually have quite a bit and we wanted to push the envelope, are we using all these authorities, retention incentives and things that we could put in place right now and so we did a lot of that which is actually having quite a bit of an impact. It's reducing our attrition rate significantly and so I think most people come to DHS and they stay at DHS because they just really love that unique mission but when we spend a couple years training forensic analysts, they're very qualified and they're often spirited away by the private sector and I think a lot of what we did over the past couple years and Under Secretary Spaulding was a big lead for this was we shouldn't resist that as much.
There's a benefit to everybody if for people to have a career in both government and industry and so thinking about workforce a little bit differently and so we have our CyberCorps Scholarship for Service which has been a great feeding mechanism for us and where the government is paying for school and they owe whether it's DHS or any element of federal, state and local government some period of time for a couple of years depending on how much we paid them for and then they can go out in industry and we want to continue to push looking at other partnerships that we can have with industry. We see other countries doing a lot of this and so I think that's sort of generally, are we keeping up with the market? What can we do more to keep up with the market in terms of recruitment and retention and then what are those sort of unique partnerships with industry and others but also just generally a cultural recognition that it's okay to spend a few years with us, go to industry and when your kids have gone to college maybe you come back to us and so that's kind of a big cultural shift but I think that's where we need to go and because people do love the mission and then we want to make sure aside from all those other things, are we providing them the same sort of tools that they could get in industry? Are we removing the bureaucratic hurdles that are keeping them from being able to be as agile and nimble as they would like as a cyber security professional? So that's one of the other sorts of things that we know we can do better on and we have a lot of good partners on the management support side of things to look at how can we, we don't want an analyst having to spend months fighting over a contract. We need to be able to do better on that stuff.
I have a lot more questions but I know that other people will want questions so we have about five minutes time for your questions so at the back in the corridor, yeah, middle, sorry.
Yes, and if you could say who you are and where you're from.
Thank you, I'm Tom Ryzen, I'm freelancing with Aerospace America. A quick follow up on the workforce culture, obviously any more cyber security professionals but President Trump has kind of a frayed relationship with Silicon Valley, how has that affected your ability to recruit people as opposed to might be more interested in going to the private sector? Is it too early to tell if that's had any impact on recruitment?
I haven't seen any impact, no.
Rick.
Hi, Rick Weber at Insights Cyber Security. Jeanette, can you talk a little bit about the much anticipated executive order it does the earlier drafts talk about section nine which are the most affected or the most catastrophic sectors that you're talking about in terms of working with them. So how do you see the executive order fitting into what you want to be doing and prioritizing your efforts?
Well, I'm not gonna talk about specifics of the executive order. I would just say that in our conversations with the White House and the policy development process we're sort of very much aligned in terms of what our priorities are and what theirs are.
I'm just looking for kinds of nest cyber there's a hand just down here.
Hello, Parni and Najafi from FireEye. So you said that the response to cyber attacks are not necessarily cyber responses. So what kind of response you've seen that are more effective than cyber responses necessarily or if you can explain a little bit about that.
Sure, I think what I was referring to was you may not for contingency planning. So if you are only, this could be broadened to any sort of response. If you're only thinking about the tools that you have with your network and your computer you're missing out on a lot of other tools.
So if our solution to having a backup capability having a backup capability for a water system that's dependent on their IT system is to just have a backup IT system maybe we should also be considering having personnel trained to manually flip dials or operate the system. And that's more what I meant is don't sort of restrict yourself that it's a cyber problem therefore it has to have a cyber solution. We should be thinking about the entire range of tools that are available to industry and government.
And do you think that that kind of mindset is beginning to become accepted across government?
I think so. I think one of the benefits of recognizing cybersecurity is kind of its own discipline and mission area if you will is that you kind of brought it out from the secret corridors of just smart tech people. And so I think that was a benefit to recognizing it as a unique mission space but we also have to be careful that it doesn't get siloed off on its own and it's not recognizing the interconnections with say emergency management or other mission areas because a lot of what we're dealing with whether it's people call it a cyber attack but it might be espionage, it might be sabotage, it might be somebody misconfigured something. There's so many things that a quote cyber incident could be that to have it siloed off in its own discipline without any connection to other risk management processes in the organization is dangerous I think.
So one of the things that we've heard a lot about and we haven't spoken about to date is the relationship or the potential to change the relationship with the private sector. The, it remains to be seen sort of exactly what the EO has in one thing and another but one of the areas that you kind of briefly spoke about was sort of information exchange and I think one of the areas that we see is sort of ripe for the work to be done is how that building on the legislation that was passed in the last Congress.
How do you see sort of capitalizing on that to improve the flow of information? 'Cause I think people have almost mentally moved on from information sharing but there's actually still quite a lot to be done. What's on your agenda as far as that's concerned?
So I think we have made a lot of progress with information sharing, that's true. And I think one of the things that we talk a lot about is the notion of comparative advantage, just an international economics term where countries eventually specialize in what makes the most sense for them from a trade perspective. And I think we have a similar in cyber security and industry doesn't have all the information and everything that they need to defend themselves but neither does government. And so how are we each specializing based off of our authorities, our capabilities in what makes sense for each of us? And I believe it's very complementary. I think the US government can go places and do things that industry can't and probably doesn't. And I think the same is true on the industry side. So how are we understanding what that quote comparative advantage is and how are we institutionalizing that in our intelligence production cycles and our information sharing processes within the government? We've learned a lot in terms of information sharing on the counter-terrorism side and I think we've learned a decent amount on the cyber security side but we need to continue to recognize that critical infrastructure is a very unique partner and the measure of our success isn't how many more declassified products I can get out to the private sector that we should continue to push on that. It's about do I understand what this is going back to the highest consequence? Do I understand where the potential for highest consequence and are we both allocating our resources to best protect and recover should anything happen to those?
And that's how I think we need to be thinking in terms of refining our information sharing is understanding that risk, looking inside the government about how we best organize ourselves to provide that information that the private sector needs in order to best protect against that. So that's kind of our big challenge. I think we've made some progress with a couple of sectors and I wanna continue to capitalize on that.
And we look forward here at New America in helping you in that process. Thank you very much. It is a challenging time to be sitting here as a government person while the government finds its feet but I think that has been extremely helpful. So thank you very much and we join me in thanking Jeanette Manfra.