How's this? How's this? Great, thank you.

I want to start with a really brief catch-up. There was an incident in 2021. Maybe some of you guys heard of it. It's called Colonial Pipeline. There was a ransomware attack.

I guess I've heard.

That prompted a series of regulations. Can you give us a very quick overview of the regulations that you have kind of overseen in those two years since then?

Sure. As you mentioned, May 2021, early May, a ransomware attack on an east coast pipeline had systemic impact across the east coast. What we did, in working with our partners at CISA, was immediately put out a requirement that any owner and operator of critical infrastructure had to report any significant cyber incident, because when this one occurred, the company asked, hey, how many other pipelines have suffered this kind of attack? And we didn't have that answer. So we put that regulation out first. That came out in the very same month, in May. But interestingly, and I think really importantly for our talk this afternoon, that reporting went to CISA, not to TSA, intentionally, because we're trying to centralize reporting. We're trying to make it easier on the owners and operators of infrastructure in the country. You can imagine if you have a reporting requirement to several different federal agencies, every agency is going to hear it a little bit differently. And so that introduces an element, potentially, of confusion. So having a report go in at the same time to one central location, then having CISA push it out to all of the affected agencies, has really been, in my view, best practice. The other thing that we didn't know at the time, but certainly now is part of the national cyber strategy, is to harmonize reporting requirements across the federal government. And this was really the very first attempt to do that. And I would credit CISA for doing just a fabulous job of giving us near real-time reports of those incidents. And it's really, I think, worked out incredibly well.
I have more questions, but if you have a follow-on to that. We've done several kind of pre-briefing chats and these two are so chummy.

Sorry. No, no, no, it's, you know, government working.

I want to ask you really point blank. That was such a high profile, the most high profile, I work in news, I can say that definitively, the most high profile ransomware incident, and there has not been anything like it in any of the jurisdictions of the TSA. Is that why? These regulations and the partnership with CISA, is that why?

I would love to be able to claim that. I can't. But one of the things that we did do as well, I mean, that was the reporting requirement. What was important, that we did right after that in July, was issue some requirements for the owners of critical pipeline infrastructure. That's important. It wasn't all pipeline infrastructure, it was critical pipeline infrastructure: to implement certain measures to protect their systems against a future attack, not necessarily ransomware, but a future attack on their information or operating systems. As many of you might remember, when we did issue that directive, because it was so specific as to what was required, we got a good deal of pushback on that, because the industry would say, hey, you know, you're asking us to put things in place that are going to replace things we're already doing, and actually we think it gets to the point you want to get to better than what you're requiring. And we haven't fully considered the impact on our business model. And so what we did, in working with CISA and the FBI and the Pipeline and Hazardous Materials Safety Administration over in DOT and the Department of Energy, was we had a series of roundtables with industry just to talk through this. And the result was we went from a very prescriptive, activities-based requirement to a performance-based model, which I think is far superior to what we were doing before, and a huge credit to our industry partners for working with us on that.
So we made really a hundred and eighty degree pivot on our approach to this particular regulation, and I think that's a forebear of changes we'll make to regulations in the future for TSA. So instead of saying, hey, achieve these certain activities and report on those activities, we said, hey, there are certain outcomes we want you to achieve. You come back to us as an operator and tell us how you intend to achieve that outcome. And then we'll work with you to approve that implementation plan. And then the follow-on to that is, and this is really important, this is the stage we're at today: come back to us also after your implementation plan is approved and tell us objectively how you are achieving those outcomes. So it's not just telling us how you're doing in implementing those particular measures that you proposed and we approved, but also how those measures and the accomplishment of those measures are contributing to the achievement of the outcome. That's really important. That's the stage that we're at today. And I'm really optimistic on how this is going to work, because we've already seen some of the original initial plans and they look pretty good. So we're going to be working through that over the first couple of weeks.

The U.S. did not have any kind of cyber regulation like this, kind of infamously, for years until this point. This is America. A lot of businesses don't care for government regulation. Is it the case, when you speak with leaders of these companies, are they completely on board? Are there some that would like more regulation? Are there some that would like things to be done a little differently?

Well, you raised an important point, Kevin, is when you speak, and I would offer that we speak frequently to our industry partners, to the companies that we regulate. I would say that there's a more robust exchange of information as a result of this approach than there was before.
One of the things that we did at the very beginning, when we saw this threat, which is not simply a ransomware threat, it's much more significant than that, was that we needed to work really quickly to close vulnerabilities that we had across our critical infrastructure in the country. And so we felt it was important that we bring the chief executive officers of those companies in for a classified briefing on the threat, because we really wanted them to understand: this is the threat that we see from the intelligence community in the United States, which is incredible in its capability to inform policy decision makers like Jen and me. And so we brought the CEOs in for those threat briefs; they were in the White House. It was really the start of a very good relationship, because they saw what we were seeing, and the CEOs knew that their CIO and their CISO was going to come to them shortly with resource requests, maybe some procedural changes, certainly a request for more people, and the CEOs knew what was behind that, what was the reasoning for that. But you can't just do it once. This can't be a one-and-done exchange of information. And so what we've established, and Jen can speak to the processes that parallel ours but are very complementary to what we do in terms of making sure there's good, robust exchanges of information between us, but we have regular updates to the CEOs and then regular updates to the CIOs and the CISOs of these companies as this threat evolves. And one of the things that you always think about is, hey, I heard the threat. I understand it. I see it. Is it still present today? And this just reaffirms to them, yes, it's still present today. Actually, in many ways, it's more concerning today than it was yesterday. And so we need to really work very hard to close the vulnerabilities that we might have.

Yeah. Let me jump in with a couple of things. First of all, you know, great to be here with you all. Kevin mentioned that Dave and I are chummy.
Look, at the end of the day, this is what you want your government to be. You want your government to be collaborative and cohesive. And so I think it's a really good news story, and one that has evolved in terms of how collaboratively we are all working together. And I think it was a really good news story of how closely our teams worked after Colonial Pipeline. I was not actually in government then. I was still at Morgan Stanley at that point in time, but certainly saw it from the perspective of being in the private sector and, frankly, being in a highly regulated industry. A couple of things I'll say is, you know, it really was a watershed moment in many ways. It certainly led to the security directives that Dave talked about. But I don't think we would have gotten what's called CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, if Colonial Pipeline had not happened. And it really is a watershed piece of legislation that, frankly, the Congress had been trying to pass for more than a decade. That was about mandating that critical infrastructure report to CISA if there was a significant cyber incident. And we're in the final stages of writing the rule. The notice of rulemaking should come out early next year, and we'll hopefully implement it by next year. But it's really, really important. Why? Because, you know, you read so much about ransomware going up, ransomware going down. My general belief is we just don't know. You know, we just don't have a really good handle on the scope and scale of the ecosystem of cyber incidents, because, frankly, it's not mandatory for reporting across the board. So I think for the first time we'll actually be able to understand what the scope is of incidents, and whether all the work that we've been doing across the federal government, across industry, across state and local, across the globe is actually leading to reduced risk. Because at the end of the day, that's what we're trying to do. We're not trying to create punishments.
We're really trying to work with industry in a collaborative, consultative way to ensure that we can help them reduce risk. And, you know, the last thing I'd say to Kevin's question is, when I first came on board, which was in July, we did actually hear a lot of pushback from the industry groups about one of the directives. And I will tell you, recently Dave and I had a meeting with CEOs where they could not have been more complimentary about the evolution of working with them in a consultative way. I think part of that was the threat briefing. But part of that was just fricking listening. And that's why you see people like me and Dave, because we realize how important it is to listen, to listen to industry, to listen to the hacker community, because we sure can't do this on our own.

I want to be clear here, when you talk about this threat briefing, are we talking, was this a bit after Colonial, are we talking more recent?

No, we've done threat briefings certainly for pipelines. It wasn't related to the ransomware attack specifically. It was related to, hey, what is the overall threat picture for critical infrastructure, particularly for transportation infrastructure and energy infrastructure in the country. Same brief essentially, very, very similar, to the rail sector, the transit sector, and now to air carriers and airports. So, you know, across the transportation sector, we've been able to provide this level of visibility to the top owners and operators of these systems.

And you've got this, what seems like, you're saying, is an extremely effective partnership that works for you. What other sectors would you like to have that kind of, if, you know, the red tape was not as much of an issue? I'm thinking, I'm reporting all the time on ransomware attacks on hospitals that are diverting ambulances, you know, that are bringing care. There's schools that are still being shut down all the time.
So, one of the things that we did last year, when we were thinking about what our priorities are for the upcoming year, was, what are those sectors we called target rich, cyber poor, to Kevin's point, who are getting hit with ransomware in a pretty bad way that could actually have very significant impacts. And my mom is 90 and she's in and out of the hospital, right? And I am always very, very concerned, as I have in the back of my mind all of these hospitals that have been hit with ransomware. You saw the recent one, Prospect Medical, I think, Prospect Medical Holdings, where we've seen hospitals across the country that had to divert patients or change elective surgeries. It's really scary. And so we actually picked priority sectors that we knew fell into this. So hospitals, in particular rural hospitals, K-12 schools, and water facilities, because that's a sector that I'm particularly concerned about. And then we also have a big focus over this year going into next on local election offices. And we did it for a couple of reasons. So one of the roles: we of course were set up as the national cyber defense agency, but in statute, we also play this role of national coordinator for critical infrastructure security and resilience. What does that mean? It means that we sort of sit at the center of working with departments and agencies that have a role to be the sector risk management agency. So Dave's sector, TSA, is the sector risk management agency for oil and natural gas pipelines, for rail, for aviation. And we work with all of the other departments and agencies to ensure that sector risk management agencies and industry have the risk guidance, the information, the resources, the capabilities, the best practices that we all need to be able to reduce risk to the critical infrastructure that Americans rely on every hour of every day.
So a really, really important role that we play, and with respect to the target rich, cyber poor, it's why we've been working hand-in-hand with HHS. So my deputy, Nitin Natarajan, who's fantastic, started out as a medic and spent a lot of time at HHS. So he's been working hand-in-hand with HHS and the American Hospital Association to put resources in place to reduce risk in hospitals. We've been working with K-12. There was a big White House event earlier this week where we had superintendents.

Interrupted by a tornado.

Interrupted by a tornado. But amazing that we were able to actually flip it a day. And it was so important to the First Lady that she actually rearranged her whole schedule to be there. We had all these superintendents so that we could work together with schools. We're doing the same thing with water, and then again local election offices. And so part of this just goes back to the partnership. CISA has incredible technical expertise. We've got a lot of it here. The sector risk management agencies have incredible technical expertise in those sectors that we don't have, about rail, about aviation, about hospitals, about water. And so when you bring that together, along with our partnerships with industry, you really can collaborate to reduce risk.

Do you feel like you have enough in terms of policy allowance to address those specific sectors, or would you like more?

Yeah, I mean, I feel like I'm always grateful to the Cyberspace Solarium Commission folks, and Dave was on there as well. So some of you might know it was a commission set up by Congress several years ago. It was chaired by Angus King of Maine and Mike Gallagher of Wisconsin. It had senior leaders from across the federal government. You know, I often say, so the government sets up commissions all the time. And some of them, like, meet a lot and don't really get much done. In my 30-plus years in government I've seen two commissions that actually got shit done. One was the 9/11 Commission.
The second was the Cyberspace Solarium Commission, that literally made 75 recommendations, and more than half of them are in legislation. And CISA benefited incredibly from those recommendations that got put into law in 2021, and I benefited when I came in as director. And so some of the things that we would have wanted, frankly, several years ago, that my great friend Chris Krebs may have wanted: the ability to hunt persistently on federal networks, the ability to work directly with our sector risk management agencies to actually put measures in place to keep sectors safe, the authorities we have to stand up the Joint Cyber Defense Collaborative, and then CIRCIA of course. I feel like we're in a very positive place with respect to our authorities. I often get asked, well, do you want regulatory authorities, and I always say no. CISA doesn't want to be a regulator. We work very closely with regulators, but at the end of the day the magic of CISA is our ability, through our technical expertise and our trusted partnerships, to be able to work across the industry in a way that, frankly, is a little bit harder with regulators. So I think we're cool.

I don't know, probably most of you can't see this, but Jen's arm, she has what appears to be a temporary tattoo, or is this a full thing?

This one's real and these are temporary. Since you brought it up, here's a funny story. So we are recruiting for technical experts, and I was like, I'm so into it, because we've hired like 1,330 people since I came on board, I'm going to tattoo it on, a temporary one. I would do it if somebody had time. So we made these temporary tattoos, and they put it on, like, yeah, let's go for it, and it just doesn't work. It was like, this morning, let's do another one, and it doesn't work. So we have the QR codes separately. My old body is going to be tattooed with these temporary tattoos. But we're hiring people, so come see us, we have real QR codes that work, not on my body.
This really was my lead-in to let you guys make the pitch, for I think a substantial reason why you guys are here, but also, I've been coming to DEF CON for almost 10 years. There are a lot more federal officials giving talks these days, and this is for a reason, I think.

I would say the key reason is you have in the audience expertise that we desperately need. You have perspective that we desperately need. You heard about the work that we're doing; I would want to make sure that the work we do is based on the very best information that we can gather. So we're here to really seek your advice, your counsel; we have some mechanisms to be able to do that. And then the other one is just, clearly, like Jen said, we're here because we're hiring. We need talent, and I think I can tell you from my own experience working in the federal government, I'm six years into being the TSA administrator, the work we do together with the FBI, with the Department of Transportation, the White House, is incredibly rewarding. I mean, you have impact at a scale that is just challenging at times, but the benefits are incredibly rewarding. And we had a great booth here at DEF CON, offered up a lot of decals, offered up a lot of ways to approach TSA for positions, so if you're interested, give it consideration. And I think too that in my career the ability to build a network is really important for your success throughout your career, and if you come into government, you build a network inside government; when you return to the private sector, if you do, continue to keep those relationships and that network you have in the private sector very warm. And I think that really helps the entire system work incredibly well. So that's what we'd really like to encourage you to do: if you know somebody as talent that you think we could benefit by, please encourage them to look up CISA, look up TSA, look up any sector risk management agency, quite frankly, because we all need the talent.
We also announced earlier in this conference a project that Jen and I have together. It's called Chariot, and so, you know, we wrestled with the acronym, but we felt Chariot is a transportation thing and this is a transportation project, and we are at Caesars, so the chariot and Caesar sort of go together. But what Chariot stands for is Critical Infrastructure Hardening Achieved through Risk reduction, Information and Operational Technology.

Yeah, way to go.

Thanks, I've been practicing a lot. But basically, what it stands for, it's a partnership between TSA, between CISA, between the Department of Homeland Security Science and Technology Directorate, between the Pipeline and Hazardous Materials Safety Administration and the Federal Railroad Administration, and also the Pacific Northwest National Laboratory. And what we'd like to do is to get more industry input and your input on, hey, if you looked at the rail sector or the pipeline sector, how would you prioritize the risk, as a hacker, to those sectors? And then the important part is, I mentioned we need to have an objective way to assure ourselves and to assure the public that what we're doing is having a beneficial effect, what we're doing is making the systems more protected and making the systems more resilient, so if attacked, even partially, they can get up and running in a relatively quick fashion. And so what we'd like to develop are threat scenarios that then we can introduce into tabletop exercises, because, as you know better than I, a cyber attack will manifest itself in a physical way, and that requires a different response than a purely cyber response to get back up and operating. And so if you could really help us with giving us sort of a risk prioritization and also helping us develop those threat scenarios, so we can play out those threat scenarios, we promise that what we will do in a future DEF CON is to provide you feedback as to how that went. And I'm hoping that when I come back next year, and I'll declare myself a new guy
again next year, so I can do the shots. It's not really my first, I know, nor Jen's, but, you know, to give you some feedback is to, hey, how did that go, what did we develop out of it. We had an initial roundtable yesterday on this, got some really good results. So I just ask you to think of Project Chariot. It's really a way for you to really help us out and to help the country out, and help everybody that lives in the United States to make them feel more protected, and, Jen's point about the hospital system, to make sure that the critical infrastructure that all of us depend on, for ourselves and for our families and for our friends and our communities, is back on its feet as quickly as it can be if it's ever attacked.

So a couple things about why we're here. Obviously recruiting is one, but one of the really cool things that we've been focused on over the last year is creating a partnership with the hacker community to help us get ahead of the ransomware problem, right? This was also part of what we learned from Colonial Pipeline: we really need to be able to rely on partners who are seeing malware before it actually gets activated. And so there's some fantastic researchers out there, there's threat intel people, there's some industry folks who have been giving our team in the Joint Cyber Defense Collaborative essentially tips. And so it's part of what we call our pre-ransomware notification initiative. And so we've been getting tips when malware is laid down; it could be anywhere between 5 to 48 hours before it's actually activated and data is encrypted. And so we then use our field force. So one of the other things we've been building over the past two years are cybersecurity advisors across the country, so we have them in every state of the nation, I think, at this point in time, and they then take these tips, and then they've been reaching out and letting people know, hey, it looks like you have something on your system, you need to do something about it right away. And we've done it now 600-plus times
to schools, to also internationally, and we've really been able to make an impact. And again, the thing that I love most about this is it's all based on trust. I mean, the most important currency is, people reach out to us because they trust us with the information and they believe we're going to do things about it, so we're going to do something good with it. And so again, that's really what this community is all about, is how do we use our skills to make a difference, to make an impact for the betterment of the nation.

Speaking of that, you've got a four-year term. I won't ask you to speculate right now whether they'll keep going; if you want to, you can. What would you like to see the ransomware defense landscape look like five years from now?

Well, I mean, no more ransomware. So look, I appreciate you asking the question, because I have long thought that we cannot keep doing the same thing that we're doing and expect a different outcome. And it's one of the reasons that my teammate Eric Goldstein, who heads up cyber for CISA, and I wrote this article earlier this year, which is really trying to get out what is a more sustainable approach to cybersecurity, one that can actually make a difference. And we talked about sort of four things: one is this concept of cyber civil defense, one is persistent operational collaboration, one is corporate cyber responsibility, but the one that we think can make the most difference in driving down the threat impact is secure by design technology. You know, we now live in a crazy world where we've normalized the fact that technology products come off the line full of vulnerabilities that can be exploited by threat actors. And so we've accepted this, and it's frankly perverse, and we really need to change the paradigm, where technology companies are not just focused on speed to market and cost and cool features, but first and foremost on creating tech that is safe and secure. I mean, let's be real, right, there's a multi-billion dollar cybersecurity industry
because technology companies have never had to focus first and foremost on security. The incentives were all misaligned. And so we're really trying to work with our partners across the government. We did a workshop earlier today with our teammates at the National Cyber Director's office to really catalyze what I call a secure by design revolution. And I would ask everybody, if you haven't seen the stuff that we put out, we put out a white paper, it's on our web page, please go to cisa.gov forward slash secure by design and take a look at that, because we want feedback, we want to refine this, we want to bring in more partners, because at the end of the day we want to ensure that we now have a market signal coming from customers that we all care about security, for ourselves personally, for our families, for our communities, for our businesses. And I think, frankly, Kevin, if we're going to make a real dent in the ransomware system, we need to start with ensuring that technology is safe.

I would like to pivot this conversation now to the threat landscape that both of you see. We chatted a little bit ahead of time, and I had assumed the two giant threats that I feel like I'm hearing about all the time are ransomware, often from Russian-related criminal groups, and a barrage of Chinese espionage. And I hope this is not a breach of confidence to say, you were kind of quick to correct me. I think I had maybe underestimated the extent to which, maybe, China, I'll let you define it, I don't want to.

I've talked about the two epoch-defining threats and issues that I'm concerned about. One is AI. I mentioned AI because you can't have a conversation without mentioning AI, so that's done. And then let's talk about China. I think at the end of the day, I think if you look at some of the information that the US government has put out over the past six months, and then you look at what is happening across the geopolitical landscape, I hope that people are taking seriously a pretty stark warning about the potential for
China to use their very formidable capabilities, in the event of a conflict in the Taiwan Strait, against our critical infrastructure. And I think we've seen a change, and frankly you saw it in some of the products that we put out earlier this year, a cybersecurity advisory that talked about Chinese state-sponsored actors living off the land, so not malware, but actually using the native processes of a computer to hide in those systems. And it wasn't for espionage or data theft, which we've been seeing arguably for decades, but more likely for disruption. And if you read the intelligence community annual threat assessment, there's a pretty stark warning that talks about, in the event of a conflict, China will almost certainly consider aggressive cyber attacks against US critical infrastructure and is almost certainly capable of disruption or destruction when it comes to oil and natural gas pipelines and railroads. Really what we've been talking about, Kevin, is we need to take this warning very seriously. And that's why we've been talking so much, and Victor Zhora and I, my counterpart in Ukraine, talked at Black Hat about the importance of resilience: expecting that there will be disruption and planning and preparing for it now, identifying your high value assets, doing the exercises to be able to put in place manual overrides, manual controls to be able to operate in a degraded state, and then ensuring that you can recover as rapidly as possible to mitigate risk. So think about Ukraine as really a shining example of not just cyber resilience but also operational resilience, dealing with all the barbaric kinetic attacks, and then, very importantly, societal resilience, which I fear we have lost as a nation. If you look at the reaction to Colonial Pipeline, if you look at the reaction to the high altitude balloons, at the end of the day we need to be pretty pragmatic about the potential of these attacks, be prepared to meet them with resilience, and frankly with unity as an American
people.

And I think too that time is not our friend in this quest. We need to move very, very quickly. That's why we've moved so quickly, and so have our industry partners. There's little time; we need to be ready now. And the more we can do to make sure that we're not worrying about how ready we are, we know how ready we are, and we know how we can manage any kind of attack on US systems in a way that protects our ability to respond, in a way that protects our population, and that allows our population to have confidence in its government, confidence in its industry leaders, that they've done everything they can to be ready for this. So preparedness is the name of the game here.

Jen, you mentioned speaking with Victor Zhora, your counterpart in Ukraine. And not just in cyber, in all kinds of ways, the US government has provided really substantial assistance to Ukraine, an ally being bullied by a much larger nation antagonistic to the United States. There are some ways in which you can kind of map that on to China and Taiwan, but we have a more fraught diplomatic relationship with Taiwan. Does that impact the ability to share cyber threat information, things like that, in such a direct way?

I mean, it's something we're frankly thinking really hard about, and I've been really encouraged. So we signed a memorandum of cooperation with Ukraine a year ago, and we very purposely put a lot of resources into how we could help build capacity, both in terms of threat hunting kits, how we share very detailed threat information, how we do exercises, a cyber incident response plan, working with other international partners like the Canadians, who are going to do forensic training with them. And so really deliberately putting a lot into these lines of effort. And we have gotten probably as much out of it as the Ukrainians have, because what they have learned over the past, you know, year and a half obviously, but ten years since Crimea, I think has incredible teachings for us as we think about both capacity building with Taiwan, which is
something that I do think, to your point, Kevin, we can map some of that, and we certainly do share information with Taiwan CERT now, but we would want to figure out how to help from a capacity building front to ensure that, again, the lessons that we're learning with respect to Russia's aggression over Ukraine can be applied.

I think it's really important. We are nearly out of time. If you guys, oh, we have, do you have closing remarks, anything, a last thing you want to share with this audience while you've got them captive?

Sure, my closing comment is really just thank you. Thank you for the welcome that we've received here over the last couple of days. We've had about 30 TSA people here, and really appreciate all the work that they have done and all the education you have provided to all of us. So really, thank you, and I look forward to our relationship with DEF CON. So thank you very much.

Awesome, so thanks, Kevin, for doing this, really appreciate it, and thanks, Dave. Dave has been in the department for a long time. You were, like, the vice commandant of the Coast Guard and the acting deputy secretary. I had not been in the Department of Homeland Security; I was in DOD most of my career and then I was in the private sector. And so Dave's kind of been my Sherpa since I got to DHS and has been a really great friend and teammate and colleague, so I do want to thank you for your leadership and your partnership. And yeah, I mean, this is such a great community. This is my favorite time of the year. I love the energy, I love the community, I believe in what this community does, and I really, really think we can make a difference for the nation. So for those who are interested in working at Team CISA, please come chat with me and my teammates, really, come work with us, because we really want to collaborate, leveraging all the skills you have and all the skills we have, for the better of the nation. And the last thing I'd say is, I'm also doing the next talk with my friend Scott Shapiro, who's a professor at
Yale who wrote a great book called Fancy Bear Goes Phishing. We have renamed the talk Beers and Bears, so go get your beer and meet us back here at 5:30 for a great talk. Thank you.