not just from the very precise perspective of the Department of Homeland Security, but for a period from the broader sense of the governments in the United States. She's now based in the Department of Homeland Security and she is, I'm afraid at times, I have a difficulty keeping up with all the changes in the cyber area. But most of her work is designed to address national cybersecurity incidents in the United States, to prevent, to protect critical infrastructure and to ensure the U.S. government's ability to deliver key services and functions to U.S. citizens, which is of course a very broad, a very broad agenda. I'm sure Janet, in the course of her, a few words to us will tell us how she refines that down into a practical sense.

A lot of you have probably been involved in security, whether that's cybersecurity or physical security, the policy around that for probably a while. And so I don't think it's very surprising for any of you to know that we think about critical infrastructure as being kind of key to our national economy, your national economy, as well as the ability to deliver critical services and functions to our citizens as being just a fundamental core role for any government to be able to protect and preserve that capability. And over the years, we've learned about how to protect and build more resilient infrastructure, protect them and build them up again quickly after natural disasters, after terrorist attacks, but increasingly we've had to think about it from a cyber perspective, which is far more complicated. As complicated as those are, this is tremendously more complicated. However, we do have the benefit of a lot of the work that was done and is still being done by our industry and state and local organizations to understand how to respond and recover from a natural disaster, how to harden their systems so that they can protect them from physical threats, thinking about emergency management across jurisdictional lines.
All of those things have become core to our country over the past 20-ish years. And so we have that culture now built up of understanding that the federal government doesn't manage the majority of critical infrastructure. We do manage a lot of information about citizens. We do manage a lot of work to protect our citizens from physical threats and cyber threats. And we also do deliver some critical services and functions. And so we do have what I would consider critical infrastructure as well. And so what we've seen is on the critical infrastructure side and in government networks, in industry networks, taking advantage of the amazing potential that the cyberspace offers us. But what that has done is made it infinitely more complicated to defend it. And my organization is responsible for leading the national effort in the United States to build a more safe and secure cyberspace. And I say national because for us it's not just about the federal government. There's a lot of components of the federal government and we serve as a coordinator for all of those different efforts. But it truly means national and we've had to kind of mobilize industry from across multiple different sectors, governments, state and local level. Much of what is delivered is critical to our ability to continue our way of life is done at the local level in hundreds of thousands of small communities across the United States. And so we can't just sort of sit in Washington and issue dictates and tell everybody how this is going to be done. Even if they did have the resources to do it, they probably wouldn't anyway, just because federal government told them to. And so we've really focused on sort of this fundamental principle of needing to have a strong trusted public-private partnership in public between federal, state and local governments and then the private sector, both those that are regulated and those that are not. 
And then we built an organization, which is mine, a little over a decade ago that is not law enforcement, that's not intelligence, it's not a regulator. But what we do is we sit in the center of all of those and then we're given authorities to have protected conversations with industry and to share information back and forth with industry and be able to be their advocate within the government for information that they need, but also to be sort of on the front lines from the government to truly understand the business of that industry, to understand why they're making certain risk management decisions, how we can better inform those risk management decisions using information that the government has access to that they may not be able to get elsewhere. And increasingly, and one of the reasons why I'm over here is building a global cooperation and working with countries around the world like Ireland to build similar capabilities. And our national CERT sits within my organization and we have, we've built it quite a bit over the years. We've built it both with resources, which is important, but equally important was building the authorities and the responsibilities that come with that and the ability to, and frankly the ability to have an industry that is equally passionate and invested in this and them being able to organize themselves. You know, I talk a lot about collaboration between us and industry. We were talking about this earlier with some of Irish critical infrastructure. Just as important is industry collaborating themselves, breaking down their sort of natural competitive barriers. In a large country like the US, with a lot of companies that are competing for market space, that's not an insignificant challenge. I think many countries share similar challenges, but what I think has most heartened me is the commitment, and they've got to stay in business. They have to make money.
I want them to do that, but they also understand their part in being a national asset for our country, as well as, particularly for a lot of American companies, being global entities that have an interest in preserving the global system that we've all depended upon. And so sort of moving forward for us, we're looking to kind of continue to increase that cooperation. We're looking to help and continue to exchange information with other European partners, Asian partners, understand what they're seeing, what they're learning. Frankly, we learned a tremendous amount. We were talking a little bit earlier about WannaCry, which was a ransomware attack in May that started in Asia, and for hours there was nothing happening in the United States, but because I had partners in Asia and Europe that were passing us information, we had a head start. And not everything's always going to start in Asia, sometimes it's going to start in the US, so I hope we can return the favor. But I think building that, we just, we know that we cannot protect our homeland without having that global cooperation. And I just was appointed to this position in July and this is already my third international trip. And the department is absolutely committed to not only becoming partners with other countries but helping other countries learn from both the good things we've done and, frankly, the mistakes that we've made, and please don't repeat those, and where we have been successful, to use those and apply them into your own internal structures as it makes sense.

I'm just trying to position your organization in the context of the US government and industry. You're not a regulatory body. What are you and how do you actually get your point of view across to industry and to the rest of government?

Well, we're not a regulatory body. Much of our critical infrastructure is already regulated.
They may not be regulated for cybersecurity, but they do have regulators, and the US system is familiar with the Irish system and we have independent regulators that are not a part of the kind of the traditional executive branch. We do have some that are regulated within the executive branch. So some of what we do, frankly, is help them and regulators have conversations, to be honest, because we do see in the financial sector and electric sector, chemical facilities, a few others, where regulators have taken steps to regulate cybersecurity. And so we're able to sometimes help, because I do think there is some value in regulations. Just because I'm not a regulatory agency doesn't mean I don't think that there's some value in there, but they have to be done smartly, and particularly for something like cybersecurity. It can't be done in a compliance, check-the-box sort of way. And so that's some of it, but a lot of it is really over, you know, about, I want to say, 12-15-ish years now we've been kind of going down this road. It takes a long time.
Hopefully, you know, it doesn't take others as long. But what we were able to do is, and it's actually started early in the, or it's actually started in the Clinton administration, it's been carried through, is this notion of having these voluntary public-private partnerships for critical infrastructure protection as being kind of foundational, and having organization. And once DHS was established, we were established as that entity. And so what we do is we find where we can provide them value, and much of that is being able to understand what their business drivers are, how they make their risk decisions, what information is useful to them to inform their risk decisions. And then we work to get that information, either for the stuff that we have access to or stuff that our intelligence community or law enforcement has access to, and we turn that around and provide that to them. Over the years, as we've built more capability, you know, we're able now to, you know, I have teams, I have my own hackers that go and actually try to get into both federal systems and critical infrastructure, and we have a lot of critical infrastructure that voluntarily wants us to do that. That obviously takes a lot of, we, I have some of the most creative lawyers I think that I've ever seen. I love my lawyers. I love my lawyers. I think I might be the only person that ever says that. They've frankly trailblazed a new area, and frankly cyber law is one of the emerging disciplines that is very fascinating, particularly international cyber law. I'm not a lawyer, but what they were able to do is work with industry entities and think about how can we create a legal framework, because like I said, Congress gave us some really great authorities to protect information, to protect conversations, but then what we needed to build was like mutually agreed upon legal frameworks. And so now, you know, after, you know, a dozen years, we've done thousands of assessments, technical assessments, with entities, and that now
builds our understanding. And, you know, one of the things I've talked about a little bit is because we've created, and we've also created sort of an information handling, it's all unclassified, but it's called Traffic Light Protocol. I don't know where that came from, but it's, you know, sort of as you can imagine, white, green, amber, red, and it's widely adopted now in the international CERT community. But what it does is, it's completely trust based. There's no enforcement, but we've not had, after a dozen years we've had maybe one or two that have decided to leak it to the press. But what it allows us to do is share information, and if I label it as amber or red, I'm telling you you cannot share it to the press, you cannot share it outside of your organization, and industry abides by that. And so that makes me then feel more comfortable, because I can share now draft things, things that I'm, you know, not quite so sure about, I could really use some industry input on, and we can share products back and forth. And similarly, they can label a product as red and I can't share it with another organization within the government. And if an organization comes to me and says, I'd really like to know more about what happened with that entity, I go back to that entity and say, you know, look, the NSA or the FBI or somebody wants to have some more, they think that they might be able to add some value here. Most of the time, frankly, they say it's fine, but let's, you know, remove certain pieces of the information that's not necessary. So it's kind of years of being able to have those protocols in place that are now becoming kind of international standards among the computer security incident response team community, and abiding by it, and on both sides, because I'm opening myself up, frankly, when I'm giving them these products and I'm trusting that they're not going to give it to the press, and they don't. And so I
think it takes a lot of hard work. I have, you know, most of my folks are, you know, either hackers or security engineers, but I have a whole division whose sole job is customer engagement and managing relationships, and helping to understand and to translate what industry understands, how their business works, how they make those risk decisions, back into our processes so we can sort of advocate on their behalf and then provide something of value. Because if I'm not providing anything of value, the fact is that we can have all the trust in the world, but they're not going to be particularly interested in working with me, unless I am a regulator, then they have to. But yeah, that's sort of a variety of things that we've done to try to build that community, and it's not perfect. I'll be honest, you have to sometimes have some hard conversations, but we've had them, and, you know, sometimes you agree to disagree