Okay, good afternoon everybody. I am Kate Charlet. I want to welcome you to the Carnegie Endowment for a great event today. I want to also welcome the folks who are joining us online over live stream. I am really thrilled to have two people here today, people who are at the heart of what our government is doing in cyber security and cyber policy, and I think we're gonna have a really unique cross-agency conversation. In my experience, it's not often that you have DoD and DHS here together to talk about how what they're doing integrates and how they work together. So we have Assistant Secretary Jeanette Manfra from the Department of Homeland Security and Deputy Assistant Secretary Ed Wilson from the Department of Defense. You've got their more detailed, extensive biographies, very impressive ones, but suffice to say they're really at the heart, you know, of what their agencies are doing in cyber policy, whether that's covering issues across nation-state threats to reconceptualizing our approach to how we protect our country from cyber threats, and, you know, instrumental as well in some of the strategies that we've seen coming out over the last several months: a DHS strategy, a DoD strategy and the White House U.S. strategy for cyber policy.

And, you know, given the challenges that we're facing in cyberspace, it's so critical for DoD and DHS to be working together, to have really integrated strategies. That need is obvious, but it's not always so clear from the outside how and whether that's really happening. You know, sometimes it sounds like DHS and DoD are kind of competing for space, or sometimes it sounds like DoD, with its, you know, one component of what you do is an offensive mission, and how does that tension work between the defensive and kind of protection mission that DHS has? So today, I'm hoping we can kind of talk through some of these impressions, debunk some of the myths, or reaffirm them, but hopefully debunk some of them. And
hear how your strategies integrate, how you're working together, and maybe even get specific with some use cases to help everybody get really concrete about where those interconnectivities lie.

So I think I'll, let me start with Ed, to talk a little bit about DoD's new cyber strategy, because that's still pretty fresh on everybody's minds. The strategy does a lot of things that are new, including the military taking a more active role in cyberspace, but I was hoping you could back us up a little bit. Talk a little bit about kind of the origin story. You know, what were some of the big strategic choices that you had to make in the course of developing the strategy? What is the most different or new in your perspective, and why you chose this direction?

Well first, okay, let me say thank you to you and getting down that we're bringing this event together. So I'm just, hats off to, like you said, it's not often. Sometimes we're on stage, but not always together. And so that happened earlier today. We were both at a similar event, but at different times. So this really is a unique opportunity.
So thank you.

So when the DoD recognized that we needed to update the strategy, it was a couple reasons why. I think we can all point to the strategic environment and the threats in the landscape. The current threat environment we see today is very different than when we published our first DoD cyber strategy back in 2011 and again 2015. Some of the threats, especially when it comes to the homeland, in the recognition that the homeland is really not a sanctuary like it used to be in many regards, but especially with regards to cyber threats. And so the framework that we had to think through on how does the DoD bring its unique capabilities forward in this context. The other piece was we have a new unified command in the form of Cyber Command. And if you were to look at the 2015 DoD cyber strategy, you would see us very focused on building capacity and trying to normalize operations, whereas now that we have a fully elevated unified command in the form of US Cyber Command, and we have a Cyber Mission Force that is now up in terms of completing the build, we have pivoted to be a bit more, as you say, proactive in nature. And so we wanted to signal that shift in the strategy both internally but also externally, and so partnerships with DHS and the other departments and agencies as it related to homeland security and defense, and getting clear lines of authorities there, and we would support DHS in its capacity, but also put in place the mechanism so that we could bring the capabilities and authorities forward. And so really it's just like we do in any other domain. It's how do we compete?
Really deter and, if called upon, win in any type of conflict, to the full spectrum of conflict in cyberspace, just like we do in every other domain of operations. But given the current threat environment, it was incumbent that we update that. In addition, the National Defense Strategy, which really focuses on lethality, partnerships and allies, and then as well as reform in the department, that signaled a very significant shift with regards to rogue actors and data competition, and what we've seen in cyberspace across the missions is nation states that are seeking to gain strategic advantage by operating below thresholds of response, or traditional thresholds of response. And so we tried to come at the problem and begin to look at new approaches that would be able to allow us to compete in that framework without trying to bring hostilities into the cyberspace, but really to reinforce the norms of behavior on the international front. And so that was really the backdrop of why now; we get that question quite often. And it really paired well with DHS's cybersecurity strategy that's on the street, and then with the new national cyber strategy. If you can't see the themes that were all between, you know, the top tier of the nation's strategy and our DoD strategy, we missed the mark, but I think you can see the echoes very strongly.

Well, maybe can you draw out one kind of aspect of that strategy, which is the defend forward component, which I think has been getting a lot of discussion. You know, what is that? You know, I see it as DoD's mission is looking outside of our borders, and so the role is to disrupt malicious cyber activity from closer to the source. But can you talk a little bit more about that concept and how it plays in the strategy, and then I'll be interested to get Jeanette's kind of reaction on how DoD's strategy and some of these concepts mesh in with DHS's.

We looked at the uniqueness of what the Department of Defense brings to this mission space across the US
government. And clearly the Department of Defense is focused externally on external threats to the nation. And so when you read our strategy, what you'll see is an external focus, outward facing, that is threat-centric, and so we look at the threats, try to understand the threats. And we typically have a unique perspective in the Department of Defense, along with the intelligence community and other departments and agencies, but we do bring a unique perspective to it. And so as we operate in red space, so to speak, that external framework, to be prepared, we're gonna see and understand threats, and maybe in a unique way. And so as we do that, and as we brought the Cyber Mission Force up to bear, if you will, sense of readiness, is we wanted to make sure that we were pivoting and bringing information forward to share across interagency lines. But also that defend forward construct is we want to see those threats forming to the best of our ability, and if we have the opportunity, and we have the choice now to make a decision, whether disrupt or deter, along with the other instruments of power for the nation. Not just cyber effects operations, but to bring those to bear alongside other instruments of power from the nation, as well as with our allies and partners. And so that was really the construct that we thought through for defend forward. And it's the uniqueness of the Department of Defense. That's what the department does, is worry about national security threats; those tend to be externally focused. But what we're seeing is, as I hinted at, the homeland is not a sanctuary like it was, like it is in many regards in the other domains of operation, but in this it's very unique, in that we think we can offer some information, intelligence, etc. that we can share across interagency lines, as well as if there's a significant incident in the nation that outstrips maybe other organizations' capabilities and capacity, that we can bring to bear. And we thought through how to do this is bring to bear in
concert and work with DHS and other departments and agencies to be able to respond to a significant event. We think we knew that that was one of the roles the Department of Defense was going to be asked to step up to now.

So I think, you know, what you heard Ed talking about in terms of looking at external threat actors that in some way want to take activity that we wanted to occur, and we see ourselves as very much, you know, the risk-based approach, and threat being a component of that, but also having an understanding of vulnerability and consequence. And a lot of the conversations, both on the policy and the operations side, in the past have been a lot about, you know, what's my clearly defined role? What's your clearly defined role? And how do we hand that off very clearly, so it's very obvious who's in charge when? And it just doesn't work that way. And that's, I think, a really important realization, is there is not perfect clarity that you're going to achieve, and we're comfortable in operating with some need for flexibility between that, because, as Ed mentioned, my theory is, you know, because we've achieved strategic dominance in so many other areas is why we have adversaries who are finding ways to hold us at risk in the homeland. And we talk a lot about the concepts of collective defense and understanding the risk to our country, and people sort of working together with DHS and private sector and state and local. But we also have to have DoD in that, is that if we've got adversaries who are seeking to hold us at risk in the homeland, there's a lot that we can do to protect ourselves better to prevent those things from happening, but we also need to be postured to have some both strategic and tactical deterrence where those actions are coming from. And it works better if we're working very closely together. And so we try to think of it less about, you know, let's define my clear roles and
responsibilities and where we'll have this very clear handoff from, you know, my organization on one side of Arlington to his organization on another side of Arlington, and more about we understand what our authorities are. They are complementary. They're not overlapping, but they're complementary, so that means if we're working together, then we kind of combine our forces in the shape of a water bucket, and that's an old cartoon reference for any of you in the 80s, and we can be that much stronger. It's the same conversation that we're having with critical infrastructure in the homeland, is we all manage risk to the homeland. We think at DHS our unique differentiator is that we can sit and have a picture of what that actual risk actually is. We can characterize that risk, whether those are information sharing, or that we have people sharing the functions that they need for performing, or the intelligence that we're getting, and we can pull all those together and we can have a sense of what the risk to the nation is. And then we have these unique authorities where we can bring everybody together and say, okay, now what we're gonna do about it. It's not all the government to manage that risk. We have to do that together. But that's sort of where we see the two of us working together, and, you know, the better DoD is at their job, the better my job is, and I think vice versa: the better I am at my job, the more prepared and capable DoD is. And so what sometimes people may see, where you said, you know, there's tension, I think that's creative tension. I think it's productive. And, you know, working through these are really hard policy issues of, you know, what do we want the presence of our military to be? What do we want to be young in cyberspace?
You know, internationally and domestically. You know, we've had a long policy for a couple of decades now of having a civilian, non-intelligence, non-law enforcement agency, is my agency, responsible for bringing everybody together to defend our homeland. But that doesn't mean that we're the only ones that can do it.

So to our strategy, which has been out a little bit longer, largely because we had been asked for it for quite some time, but it's also our first cybersecurity strategy. It actually wasn't an update. It takes very much that approach: it's how do we understand risk to our country? You know, that's the first sort of pillar, is identifying risk. And the Secretary stood up the National Risk Management Center to focus on this. Our first order of business is identifying, articulating what we call national critical functions. So what are those critical functions that people in our country depend upon, whether that's the ability to process high-value transactions in the banking sector or the ability to have energy or communication? And so working through those with industry so that we take a functions-based approach, and then working with those elements of government and industry to understand what are the different tools we have to know who might be seeking to disrupt or deny those functions. And is it, you know, that's largely a nation-state sort of capability right now. So who's seeking to disrupt those, how might they do that, and then what protections can we put in place to address that?

Ed also mentioned sort of the response side of things, is that we know that we will not be able to prevent everything. So how do we get ourselves in a position where we can manage consequences before they become very significant? And that means all, you know, alerts and warnings, that are systems of how do we alert and warn each other, both within the government?
The government to industry, industry amongst themselves. It also means rethinking our emergency management doctrine, and we have an emergency management doctrine that, you know, whether you're somebody in DC or you're all the way down at the local level, you know, all incidents are local. You have an understanding of what the incident command structure is. You know what the Stafford Act is. You know when to call the National Guard. These are systems that we've exercised both in real life and in exercises multiple times, and they work fairly well. But the cyber challenge sort of adds some wrinkles into that. Most of the significant incidents we think about actually may start global, not local, and they may quickly overwhelm the resources of somebody who may be trying to respond to it. If you've got a public health or safety consequence that you're trying to manage, who's managing the cyber aspect of it? And so we have to work those things out, and we have to have them in fairly detailed plans relatively quickly. Not that we're expecting any of these bad things to happen, but I think our job is always to expect the worst and plan for those. We started with the National Cyber Incident Response Plan, the public document if anybody's interested in reading it, sort of laying out at a high level some of these concepts. But we really need to get into those specifics and have these questions answered. When is the National Guard going to come in and assist, and what are they going to do? What is the role of DHS, and when can you expect the federal government to come in and help? Because we're not going to be able to help for every single incident, nor do I think that's our job. And so how do we have this doctrine understood, promulgated? How do we have the training in place? And how do we have, if there are any legal or policy barriers to achieving what we want to do in the response,
how do we resolve those before we actually get into.

So that's sort of where we're coming from, where we're already working some of the stuff that we talked about in the election. You know, we have a people partnership and we've ever had before, and thinking about how we manage the risk to our elections. We're thinking about the energy sector, and how do we work together to help the energy sector, and how does the energy sector help us? And so we already have multiple examples now where we're working through some of these.

We dig into one of those, the elections, for example. You know, what have you asked of DoD? What has DoD, what kind of capabilities do they have to support you?

So most of what we're focused on is preparing that if we do have a situation, and to be very clear, there is no intelligence or anything that would suggest that we would be in the situation, but we wanted to have all of the various different bureaucratic and legal agreements pre-negotiated, settled. We wanted to have a very clear understanding on, if we did need to call on DoD resources to supplement DHS or others, that we would have those plans in place before we actually needed them, and we've accomplished that. And then working through, you know, we have different ways of looking at things, we have different tradecraft, different ways of mission, and so bringing DoD personnel into our mission space so that they can sort of get a sense of how we see things and how we think about working with partners and managing this to the homeland. And we thought it, because so focused on elections, again, not that the intelligence is indicating that we would need it, but we thought it made a lot of sense to just leverage every resource that's available to the government and to prep ourselves in advance of that happening. So that's what we've done.

Ed, how's that playing out in DoD?
I mean, is this breaking new ground in terms of the processes you have to learn and work through or exercise?

Really sorry, across the internet you should see, but principally with the DHS, we really have been breaking some new ground, to the point to information sharing that we've done in the past but not with as much focus. Bring the DoD and we're going to be threat-based, and so we're going to look at the threats that may be preventing elections through infrastructure and the line of influence. So it really will be started. Let's look at the intelligence that's being collected so that we can understand the threat, understand what consequences may be forming. It's been helpful to be able to say there's some confidence through the Department of Defense. We're not trying to do the DHS's job, let's be clear. What we want is to make sure we support them, and we don't want to wait for a significant event putting in each other because we didn't share information, and now we're looking at an incident of significant consequences that we're wondering why this didn't happen. And so we approach the problem that way. In the Department of Defense, one of the things, the culture that we have, is to look at a bad day for the nation and plan and build in contingencies on how we would handle that. And so as we began to look at if there was a significant incident for elections in particular and we needed to respond, the DHS respond, the FBI and the resources we have, what would happen if that incident was greater than the ability to respond quickly if required? When we looked at the problem, the natural step would be to look for the nation but also the Department of Defense to maybe bring some assets forward. We operate a fairly large scope and scale to be able to bring the talent forward, and so instead of calling it up, kind of an audible at the line at the last minute, is let's think through the problem and put in place the mechanism with tabletop and understand how that would happen. What is the
point of the tabletop? Speak my DoD language: what's the concept of operations look like? What are those assets, I mean, what are the assets that DoD would bring to the nation? So using our normal process, we want to normalize it. We used what we call DSCA, the Defense Support to Civil Authorities process, to pre-approve the response options that DHS hopefully may need. And so problem benefits are significant and we would bring and almost double the size of the responses that could be put on deck. To be clear, one of the things we did was to work under DHS, under DHS leadership. So no DoD teams out on their own, but to partner so that we could have more capacity to address more problems if called upon. You know, the best case will be we've gone through all this preparation and there's no issue. That's the best case. We used to be on that with the Department of Defense. That's fine. But we don't want to be caught flat footed if called upon, and so that's the Secretary, Secretary Mattis was very clear that it's indisputable. As we started with information sharing, that seemed to be the most lucrative in terms of any intelligence. The information that we may have is making that available through the right processes, classifications and all that, but to make sure that they weren't holding anything back and that we were much more proactive in sharing. Not that that didn't go on, but with a focus and a purpose.

So this is in a way kind of a model of a contingency plan being prepared for a specific, you know, date and event. Maybe we could talk a little bit about the financial sector for one.
That's a little bit more kind of long-term area of cooperation, and the ways that might be a little bit different than like a DSCA preparation, but more of a day-to-day cooperation.

Yeah, I think, and we have actually, you know, worked this in other sectors, although so far we have not had to actually take advantage of the DoD assets. But now it's a part of our kind of planning early, when we start to see an incident start to unfold. You know, we've got all the lawyers. They know each other's phone numbers. They know what these forms look like. And so it's sort of now part of our own kind of concept of operations of how does this fill in if we need them. But then there's also the, which is financial sector, energy sector, others, that is less about, you know, surge support, and it's more about we both have a role in sort of defending our country. We're focused domestically, DoD overseas. And, you know, one of the things that we talked about a lot in the financial sector, really just because there's a lot of credit, although electricity, communications, IT, a few others have done this as well, is back to this critical functions piece. For many years, we would have these conversations with industry that were a bit circular, and, you know, they would say, DHS, I need, your information is not relevant, timely. I want it to be more timely, want it to be more relevant. And I would say, okay, well, what would help you to make it more relevant and timely? And they'd say, well, you know, would go way down into the weeds and something that's very unique to that organization. Or it would just be sort of another level of, well, you know, can you just get me some more stuff from NSA?
I'm like, oh. And so what we finally realized, kind of collectively between us and industry, is that we inside the government were collecting based off of threat and adversaries and what they were doing, and we were doing our best to turn that around to things that we thought would be useful for others to incorporate into their risk processes and take action on, and sometimes it was, sometimes it wasn't. And what we really realized is we needed a greater understanding of how our domestic systems actually worked, the businesses, the functions of those systems, because, it does sound a bit simplistic, and this isn't to say that people in government didn't understand this, but we didn't have that as sort of the driving framework for how we thought about what the government was doing to provide information to help the defenders in the private sector, state and local, and frankly even other agencies. And so we've really had this focus on let's everybody take a step back, and let's understand what the critical functions are for your industry, and who are the stakeholders that are involved in developing those and deploying those and sustaining those. And that creates a very different picture than our 16 critical infrastructure industry verticals, which is, you know, that is an important organizing construct. But what you start to see is, you know, managed service providers that have a niche for providing services to the financial sector. You have, I think you just have a much better layered approach to thinking about how the systems in our country actually operate, with the people who actually provide those or have some role in assuring their provision. And you can believe that's the way our adversaries are looking at it too. You know, they're not just saying, gee, I wish I could just get in JP Morgan.
I guess I can't, I'm done. They're going to look for a lot of different ways to try to manipulate those functions. Criminals obviously have a little bit different interests. They're trying to monetize information or other things. But, you know, when we're talking about what our perspective is, is trying to keep our country safe and our citizens safe and systems functioning, it's really where you've got an adversary that's going to spend a lot of time trying to understand how those systems work. And so the financial sector created an organization called the FSARC, the Financial Systemic Analysis Risk Center, and I see FSARC so much. And it was specifically to focus on this, and a bunch of bank CEOs got together and they said, we need to invest in this, both for our own, for the financial stability, our responsibility, but then we need to partner with government. And so I co-chair an indicators and warnings committee with them, and working through, and again, it's not just me. It's bringing to bear all of the government. So it starts to say, okay, well, if we're going to invest in the government to collect information, we're doing it for operational purposes, right?
We're not just doing it because it's interesting. And so it's got to be based off of this understanding, and that's what we're doing with the financial sector, is taking that picture of here's what they've identified as sort of key functions and risks to their industry, and then we bring DoD, the intelligence community, others, and we're piloting a couple of, let's actually take a couple of areas and share some indicators back and forth, see if that can enrich what we understand in the government side, see if that enrichment we do inside the government can turn around into something that's even more useful for them. I would say early signs are pointing to yes. And so it's not easy. It's not transactional. It's not, you know, I produce a feed, you consume that feed, and I beg you for feedback every time I see you. It's much more of a collaborative understanding and process that I think is going to bear a lot of fruit. And, you know, every sector is a little bit different, and so there's slightly different models that you have to use with each of them. But I really think kind of coming at it from a top down: what's the business? What's the mission? What do we care about as a country? And then how do we derive those indicators and warnings? And how do we work collaboratively to continually enrich our understanding? And then again, kind of ceding it back to Ed, is how do we get ourselves in a position where we have both a deterrence by denial, but also deterrence through other actions, whether those are cyber.

And do you see that DoD role and a collaboration like what you're talking about with FSARC, are we just starting to scratch the surface of that, or is it, I mean, what's the trajectory, I think, of the DoD involvement?

We've been really in the second cycle of combined analytics together.
So identifying threat that we would want to share. And I would just hark back, Jeanette did a nice job of, we want to understand the threat, we want to understand the consequences that may come of it from those threats, but also other risk. And so what can we do about it? And then how can we bring the weight of the government in a combined sense to bear against the really tough problems? Because at times industry will have a better game out there; other times the US government may have. And we may be able to work through our allies and partners as well, industry as well at large, to be able to bring to bear the right sets of capabilities. And so I think in the first couple of instantiations on the Pathfinder that we're running in the financial sector, feedback, early feedback, preliminary feedback is very positive. So much so that everybody's committed to the next round of Pathfinder. So we're looking now, we wanted to do some very simple combined analytics, information sharing, and then look at how we can scale certain solutions. Because if we're just running very serial Pathfinders, that won't help. We need to think through the problem, understand the problem, and then see how we can scale using the weight of the government to bear.

Jeanette, you're living and breathing this mission of protection and resilience for critical infrastructure. So looping it back to the beginning, when we're talking about a more proactive DoD posture, you know, how do you think about that? I mean, do you worry about the blowback of that? How do you think about preparing for a more active DoD and the consequences of that for US critical infrastructure?

Well, you know, I think we've thought about this a lot.
I'm not shy in the interagency process. I think we've had a lot of hard conversations, but they were necessary conversations. One of the things that I think frustrated me in the past is an unwillingness to really dive into some of these hard things, and I think others may have been previously frustrated by this as well. And as the government I think has really matured around the space, it's allowed us to be able to say, well, let's actually game this out. What could actually happen? I was on a panel with Rob Joyce last week, or earlier this week. October, cyber awareness month, so a lot of panels. But, you know, we talked about this notion that somehow it's like DoD Wild Wild West is just not true. And I'll let Ed speak to that. I'm working to hear that specifically. You know, we did have those exact conversations, is how do we make sure that we are as a government having that risk-benefit conversation? And, you know, I don't always want to be afraid to do something because we're afraid of what X consequence might be. I want to be able to articulate what those consequences are, and then I want us to have a conversation and say, is this the right thing for the government to do? Do we agree? And I believe that we've built the tools to do that, and I believe we've removed some of the bureaucracy to sort of allow us to have that in the appropriate space. And, you know, what I tell industry all the time is, if there's concerns about things like blowback or unintended consequences, that just calls for what we've just been talking about: the more insight that we can have into how our systems are connected, how they work, where the dependencies are, the better we'll be able to make smarter decisions. But we do also, we have to be able to, I'm a former army officer, so I hate to say this a little bit, we do have to be able to take the fight to the enemy a little bit. And so, you know, that's, you know,
I'm not saying that we got to go off and sort of start wars anywhere. Nobody's trying to do that. But, uh, it can't be sort of exclusively focused on just all the work that we're doing in the homeland. We do have to have a complementary, it just has to be very, um, it's easy to have consequences that we may not have understood. And so we have to have a very well scoped and very well coordinated conversation. And also, it's not the only tool that we have in the toolbox. There are other tools that the U.S. government has. Just because it's a cyber problem, it doesn't mean it needs a cyber solution.

So with the head to the and, and then, but with the, with one question, with a new, um, kind of the new authorities that Ed's operating under, um, for cyber operations: do you feel like you have the right amount of, you know, of say and to, and insight into what's going on to identify some of those areas and consideration?

I believe I do. I believe that I've had much more cooperation and collaboration with DoD in the past few months and some of these things than we've ever had before.

I would echo that. I think we're very proactively trying to be good partners across the interagency. I think when you look at the new directive that's out, just so for those that may or may not be familiar, we recently have rescinded what was described as PPD-20, Presidential Policy Directive 20, which laid out the authorities in the process for execution of cyber effects operations, whether that's defensive or offensive. And so in its place, we've issued, the administration has issued, a new directive. And why do the directive? I think Jeanette really hinted at it: we were struggling to make decisions as whether to use cyber effects operations in concert with the other instruments of power, and so we're a bit in it, a lot of inaction. And so the new policy really strives to make timely decisions from the U.S.
government across interagency channels in a very transparent fashion with regard to assessment of risk, and understanding the risk levels if we were to execute an operation. And so the new policy, I think, has been successful. It's only been in place for a little over two months now, and we are conducting operations in concert with it. I think that's a great sign of success. The feedback so far from all of the interagency partners has been very positive. And so that's a good sign. The Secretary's been very, very clear that he wants to ensure that we're being transparent with the interagency, so that, you know, the DoD is not capable of assessing all risk, especially when it comes to blowback risk, potentially across critical infrastructure, out pursuing those types of operations. But it is the Department of Defense's job, we have the unique role, to be prepared if called upon. And so the new authorities really try to strike the balance and put in place the deterrent structures to really deter behavior, malign behavior, in the norms of behavior in cyberspace, the accepted ones that are out there from the United Nations. And so as a result of that, there do need to be consequences at times. And so that's where we've tried to balance and put in place with to be directed. And so, so far, so good. I think we're moving along well. There's been a very good partnership across the interagency, and that's really one of the key components here: clear communication of expectations of risk, so that we can make timely decisions as a whole of government, not just in cyber effects operations, but across the whole of government and all the instruments of power, and that it's in a synchronized manner. And so that's what we're beginning to see, is that we bring to bear the weight of the nation when required.

Thanks for the great conversation.
I think I want to open it up to questions now. So just a reminder: when I call on you, wait for the mic, please introduce yourself and your name and organization, and focus on questions, not statements. So let's see, we will start over here with Jan.

I am Jan Taylor from the British Embassy here in DC. So you've both talked a bit about how you're working better together now, and I think kind of cross-government integrations are probably a lot of countries would recognize. Is there a single factor or change you can pinpoint in what kind of made the biggest difference in terms of working better together, and what do you think the biggest challenge is doing to overcome in your partnership are?

For me, I think it's actually getting to specifics, um, you know, specific cases, and not try to solve all of these complicated policy issues in the abstract. Some of them aren't even that complicated once you actually get down to business of trying to figure out, and having a, you know, having a bit of an open mind. But at the same time, you know, being very clear about you, we want to be very clear about authorities and what's appropriate, and ensuring that there's sort of no crossover, because, you know, the policy still remains around having this sort of civilian focus. But to me that's been the biggest thing: let's stop talking at a high level about very kind of abstract concepts. Let's take a few key issues where we know we want to work together on, and let's just work through it, and be open to adjustments. You know, the first plan is never the one that, you know, is the final one. And then getting the actual operators and analysts together and really starting to have conversations at that level, because they're going to identify a lot of things that are both good and bad that you may not get by just, you know, sort of sitting in high-level meetings.

Yeah, and I would just complement that. I think by starting small, in a willingness to
work together across all of the organizations, and involving multiple, you know, the right people in the room working together with sleeves rolled up, a lot of time we can dispel some of the myths that are out there associated with these big thoughts sometimes on the policy. Fine, and if we could just start small, we have the capability, one, to try it as a Pathfinder with the understanding we're working through any challenges we may have, and then to think through it, bring back the lessons, the best practices, cycle it, which is what you see us doing on the financial sector, to try to maybe scale it one notch, understand that the techniques that we're using scale. And then we have a decision to make on the back end of that: do we want to go bigger? And so I think this, it's a confidence building, is really what we're doing, by starting small on very pragmatic problems, that we sometimes, we let the policy framework at times get in the way. And so it builds confidence, builds trust. And then we can get moving, get some momentum behind us, and then bring those solutions to bear. And then we've got some big decisions to make at times: do we want to scale these solutions? What do we need to totally rethink? Because it's okay when we start early like this, if we're starting small. Some of these things are new, some techniques we're using are very new and innovative. It's okay to try a Pathfinder and say, let's stop this, we've got to come at this a different way. That's okay. And I think a willingness to accept a very, very small level of risk early on it, but the understanding that you're addressing something that maybe hasn't been done before, that's okay. And so that's when we build confidence together as a team.

Great. Down here in the front.

Thanks, Patrick Tucker with Defense One. For Secretary Wilson, um, I have a question for both of you, but for Secretary Wilson:
I have an understanding of what, uh, concept of operations for offensive cyber operations are. I have a concept of operations for defensive operations. What is a concept of operations for defending forward? What does that look like in real terms? Uh, and for Secretary Manfred, to see you again, um, you've had now a long time of girding up the nation's defenses for interference in elections. Elections are next week. If there was one area that you consider to be the weak spot that's left, the area of improvement for next time, um, what would that be?

So in defending forward, I think first is understanding the threat. And so day to day, like we do in all other domains of operations, we try to understand the threat that may be emanating from a nation-state or a non-state actor. And so we've heightened awareness of what those threats look like. So defending forward: first, we want to understand the threat, and then to begin to put in place options that are available if we choose to disrupt that threat, if it increases in risk and we're accepting an unattainable amount of risk, is to be able to bring options forward for the leadership of the nation to be able to act if we see those threats rising to a level that are untenable. So when we say defending forward, it's trying to disrupt or deny or degrade an attack that may be emanating from external to the United States, which is really inherent in everything we do as a Department of Defense. So we say defend forward, it's really bringing the traditional structures of the Department to bear in cyberspace.

Do I have to answer?
So cyber effects operation. So if we had to develop, say we saw a threat, we saw a rogue actor, nation-state, out there that was beginning to formulate an option, and we could see imminent indicators, indications and warnings, that there was an issue, and that there was, maybe through intelligence collection, we were able to discern that this is an aspect, we would, as a Department of Defense, our job is to be prepared to disrupt or deny or degrade that capability before it has an effect on us, our allies and partners. So when we say defend forward, if we see that type of threat in the cyberspace domain, actors using the cyberspace domain to threaten, will hold at risk the United States, our critical infrastructure, a way of life, that's the job of the Department of Defense: to bring to bear the weight of the Department, in cyberspace in this case, to be able to strike if required. The checks and balances now are in place. We have authorities that are in place with clear guidance as to how we bring those options together if needed, and then if we're directed to execute those options, to bring those in concert with the U.S. government, so we understand the risk associated with that in a coordinated manner. And it may be the last choice. A cyber effects operation may be the last choice. We want to go on. There's démarches, there's sanctions, there's attribution, indictments. I mean, there's a lot of run-up that may happen in this space. But we always want to have the option of a cyber effects operation, in many cases for our really high-threat situations. That's the job of the Department of Defense in this domain.
I mean, that's what we mean by defending forward.

Elections. You know, what I've been, I would hesitate to sort of try to focus it in on one thing. What I think about a lot is looking back to the 2016, where I really believe, you know, everybody did the best that they could with the information that they had. But I look at, sort of, we had three main areas where there were places where we wanted to do better. And the first was visibility, having more visibility into state and local systems. And, you know, we've had a unique program for years, actually, within grant funding and organization, part of the grant funding organization, called the Multi-State Information Sharing and Analysis Center. They've really stepped up. They've created the Election Infrastructure ISAC. And in just two years, we've gone from, this is a sector that, while we partnered with state and locals, it was typically the state and local CIO community and more traditional partners, really had very limited interaction with the election side. We have gone from where we had sensors and in every single state, and some of those may or may not have been covering election systems, to now where we have 90 percent of our election systems are covered by these sensors. And so that's two years. That's a phenomenal amount of change and ability. Now, that doesn't mean you can see everything, right? But what that does do is really increase, if I do get an indicator from one of my intelligence or DoD partners, I can push those against the sensors, and that can alert us and say, okay, maybe we've got something to investigate. It doesn't necessarily tell us that, you know, the Russians are coming. What it does tell you, though, is that you may have some malicious activity to be on the lookout for. And the other piece of that was sharing information with us. We have so much visibility.
I mean, state and locals are sharing everything that is going on. And there's a lot of things that, these are just IT systems, and IT systems do break. I think we all know that. But they're reporting a lot. They report ransomware if they've got it. It may have nothing to do with, you know, anything particular than a criminal organization. But the amount of reporting that's coming into my organization is just phenomenal. I don't have a good metric yet in terms of the increase. But so that really just provides us so much more visibility into what's actually happening. Um, and then the other piece, the sort of second bucket that we've been focusing on, is communication. If I do have intelligence that somebody is targeting an organization, we have long had a policy about, we tell the target, who may or may not be a victim. We don't know yet, but we tell the target, and that's it. We're not in the business of running around telling everybody who's being, who's been a victim or compromised by an actor. And we hold very, it's a very sort of sacrosanct policy for us, because it's all about trust. But we did need to work through, how do we ensure that the lead election official has the information if somebody is being targeted, or the victim, in their state? How do we ensure that they have that? And so we work through that. We work through communication protocols. We know who's on point to receive information from us if we get it from the intelligence community. And the intelligence community is mobilized completely to really try to understand any threats that are possible to go under the election, to our election infrastructure. And then the last piece is really about crisis communications: how do we ensure that we're communicating to the public?
When and if, you know, something were to be happening, even if there's just somebody's claiming, how do we ensure that we're communicating consistently to the public and everybody has the same set of facts? So I want to continue, and we have, you know, addressed all of those, I think, very well. Um, I want to continue to build on those in leading up to, um, you know, the 2020 elections. I think we're very well postured for next week. But, you know, there's always more that we can do. We've got, um, over 1100 jurisdictions that now participate in our information sharing and collaboration program. We've got all 50 states that participate in some way, but of course there's always more that we can build off. And we'll continue. While we are very focused on the state and local election infrastructure, we're going to focus, and we have built some with the vendors and the private sector community, we've built those sort of structures to start talking with them. We are going to probably focus more in, how do we work with and create all of these mechanisms on the information sharing and others that we've done for them, with the private sector. And campaigns are always welcome to take advantage of our services.

Um, over here, third row, fourth row.

Thank you very much. My name is Serene Peter. I'm from the Russian Embassy. Yeah. Uh, thanks a lot for a very nice presentation of the rise of cooperation, intergovernmental cooperation. But as far as we understand, all this cooperation requires, uh, resources.
First of all, uh, human resources and specialists in cyberspace and all in cyber security. Last week New America Foundation published a report saying that both government and private sector got serious gaps in human resources. Uh, namely, if I'm not mistaken, they were saying that right now it's something like about 300,000 vacancies in this sphere, and the rise is going to be to the million vacancies in the nearest future. In this context New America suggested to establish a civil cyber security corps, which is going to be coordinated by DHS. It will include 25,000 civilians who on a voluntary basis are going to use their free time to help regional authorities in cyber security. So in this regard, uh, what is your evaluation on the human cyber resource gaps in the government? And do you think that, uh, the idea of New America is useful and can be fulfilled? Thanks a lot.

I could spend the rest of the time talking about workforce issues. I'll try to be really brief. Um, it is a real challenge. I also think it's a real opportunity. The way I've talked about it a lot is, um, it's hard to know the actual gaps, the numbers. A lot of people use different sort of metrics to characterize what is a cyber security job. I've heard anything from 300,000 to 1.5 million, and so there's a, uh, there's a lot of different numbers that people are using. There is a clear gap.
I think it's, um, the notion of cyber security as a discipline is still fairly new. It's sort of a mesh of a variety of different disciplines that have existed longer and were coming together. And so we've worked for years now, uh, if you're not familiar with the NIST, uh, the NICE cyber, the NICE framework, National Initiative for Cyber Education, that kind of lays out, here's sort of different elements of what it needs to be a software security professional. We work with the Department of Labor to characterize that. Um, the notion of having, uh, so that's all, I think we need to continue to do that, and the more that we can adopt that internationally, the better, um, because we have a very mobile workforce, obviously. And, uh, so in terms of having a civil, like a civil defense corps, we have talked about this a lot. Um, and I do think we need something like this. The Department actually, a long time ago, was actually authorized to create something called NET Guard. Kind of a cheesy name. But, um, it did sort of, it contemplated something along these lines. And so we're looking at different options around, you know, where you've got with the military, you have people, after they leave active service, they, um, they sign up for, well, they don't sign up, they're told they have to, in the reserves of the National Guard for a period of time. Is maybe something along those lines? Where we have a Scholarship for Service program, um, perhaps we create some sort of alumni-type network where people agree, and I don't think I'd want to mandate it, but, you know, where people agree to say, you know what, I'll be available to be called up. And we would continue their training. Um, these are all, these are all ideas.
These are, for all of you feverishly writing, these are all just sort of concepts that we're thinking about. But I do think there needs to be something there. I also think we can leverage our existing National Guard, and we're working through how we do that. But I've heard a lot of people come up with different ideas. We, DHS, I think we're the right place to sort of think about and build such a capacity. So, but we're still in the early stages of conceptualizing that.

Maybe just would add just a couple of quick thoughts. So in the Department of Defense, we have a couple of, uh, well, three really, flavors of a bill of workforce. The first, as Jeanette highlighted, is military, and I guess what most people think about when they think about the Department, that's our officer and enlisted members. What we see today is we don't have a recruiting problem. We have plenty of volunteers that have their hand up that want to come in and be involved in this mission set. So we have very focused programs on how to train them and grow and develop that talent in the military. Retention-wise in the military,
we're doing pretty well. We have a couple of areas that we try to focus on, and we have incentives and those types of activities, just like we do in all other specialties across the military. As Jeanette highlighted, we do have a long tradition, and an advantage in some ways, of when people do leave active duty, you know, officer or the most, and we have some options available for them. And so in many cases, if they're moving off of, they'll go in an active reserve status, but they also have a choice to be able to join the active reserve or the National Guard, Army and Air Force National Guard. And so in the spirit of having a kind of a civil service, but we do that for military purposes, national security purposes, we leverage the talent. All that talent goes out into the society at large, in the industry typically. It is put to bear for the nation, but we can also leverage that back into the military. And so that's been a long tradition of that. And then on the civilian side, we've established what we call the Cyber Excepted Service, so that we could be more agile and more flexible in how we hire and bring on board civilian talent, and then also set up pay scales, etc., some flexibility in how we do that. And that's been, the early indicators, it just went into play a little over a year ago, and so the early indicators, that's been fairly successful. We're in the process again. We started very small. We scaled once, and that seems to be going well. So the next step is to scale across the whole Department of Defense in 2019, later in the fall. And so we're learning the lessons, trying to wrap those in, but Congress was very, very helpful in terms of giving us the authorities to establish the civilian Cyber Excepted Service. So I think all the ingredients, I think we need to share best practices. I think one of the challenges as a nation,
it's not just about recruiting each other's talent. I think we need to think of the problem at the national level, about how do we grow the talent coming out of middle school and high school, so that they're equipped students and they're coming into the workforce equipped, whether they want to go to a university or not. But how do we get them excited? And there's a couple of ingredients that typically work well: introduce them to the concepts and training, a little bit of education on top, put them in with some mentors, and introduce them into some competitions and make it fun. And we see the programs that do that with those three ingredients are pretty successful. I would point to things, as a former Air Force officer, like the CyberPatriot program and Air Force Association and some others like that. I think there's some ingredients that generate a lot of interest from young people, and I think we need to grow that denominator of people that are interested in coming into the cyber security workforce, not just the military but broadly, and increase the denominator, if you will, people that are introduced into the workforce.

So it pains me to leave so many hands in the air, but we're out of time. So I want to thank you both very much for coming, for sharing your time, for getting concrete with us and some of the examples, and sharing your last cyber month event, yes, with the group here. So please join me in a round of applause.