Without further ado, Bob Lentz. Thank you all very much. Let me get this thing for somebody six foot nine. So it's a pleasure to be here. I wasn't expecting any applause, so that's pretty good. Now if you're trying to fill out the Meet the Fed question, if you haven't figured out that I'm a Fed, then I think you should probably leave at this point in time. But I couldn't really get any disguise, I think, to avoid the fact that I am a Fed. And I have been a Fed for about 35 years. And so I'm getting ready to retire very soon. So I'll be in your, at least most of your, worlds here very, very soon and enjoy maybe some of the extra freedom there might be with not being in the federal government, so it's been a great run. This morning I'd like to talk about cybersecurity, information assurance, information system security, you name it, computer security. I think there are so many names that have gone around in this business in my 35 years in it. Let me ask you a quick question. How many of you remember the National Computer Security Center? Just give me a... all right, good, that's great. So I was part of the National Computer Security Center and unfortunately I was part of it when it got disbanded, which was I think one of the biggest mistakes we made in this business line in the federal government. I think if we would have kept the National Computer Security Center in place, and a lot of the momentum that was created by that, I think we would have been much further along in this business line, because I think it provided a great deal of leadership. How many people actually attended the first National Computer Security Conference in Baltimore? Does anybody remember? Okay, oh yeah, nobody, hands are down on that one. But that was really the first conference, sort of like this. It wasn't as obviously crazy as DEF CON, but it was the first opportunity where folks got together and talked about this subject line.
I do remember, since I was a little guy back in those days, not really understanding this business line. I was actually working in the NSA SIGINT organization and they said, hey, go over there and learn a little bit about this world of computers and networks and packet switching and things like that. And I walked over there very naively and then, you know, I got the bug. I said, hey, this is the future. And it was quite an exciting opportunity. One of the most interesting things that happened to me in the first couple of months in my job was that the boss asked me to go and brief a bunch of three-star generals, about nine of them, who were showing up at NSA, and brief them on this world of computer security. And I had the job of standing up there and talking to these three-star generals, who probably never even owned a computer in their life, about things like Trojans and viruses. And they were looking at me like I was absolutely nuts. And so if you look back in the history of the National Computer Security Center in the 1980s to where we are today, I harken back to this past winter when we were dealing with a very serious problem in the Pentagon dealing with thumb drives. How many know about the DoD thumb drive problem? Oh, my God. Jesus. And there's a thumb drive right here in the computer. So I'm in violation of DoD policy. So we had this problem called thumb drives. Every day during the week the war room in the Pentagon was activated to deal with this problem that we had across this vast network of the Department of Defense. And I remember the chairman of the Joint Chiefs of Staff, and he's the number one military guy, four stars, a very busy fella, chairing many of those meetings in this very classified war room with VTCs going on around the world. And I never thought in my entire career that I'd ever see the chairman of the Joint Chiefs of Staff utter a four-letter word. And it wasn't the four-letter word that you're thinking about.
It was host-based security system. So I never thought... and then he uttered a three-letter word, which also shocked me, called public key infrastructure, or PKI, as you all know. So I said to myself, boy, have we come a long way in this business line, from those days where I was talking to these three-stars in the 1980s about viruses and Trojans to now, where literally the senior leadership in the DoD finally got it. The light bulb came on. And it wasn't the IT folks. The big change was the operators, the folks that are literally conducting operations around the world, finally realizing that they've got to take this seriously. And that has been the tipping point for this entire, entire business line. And so I think that's been the biggest change that's occurred over this journey that I've been on with some great folks in the Department of Defense team. So anyway, with that just as an opening, as my introduction in the pamphlet says, I'm the chief information security officer for the department; that's my job. Let me just give you a sense of what that job has really been like. So I think if you can figure out that I'm a little guy, okay, and I've been trying to push up against this big beast of all these folks that are focusing on operations, are focusing on getting the job done, and this security problem, just leave me alone, just don't get in my way. And so I've been trying to deal with that problem for quite a while with our team. But as I said, I think the roles have been reversed, and I think we finally, we finally get it. So I think if there's any message you take from this, it is that security practitioners like all of us in this room, I think, now have the upper hand. I think when we little guys walk into the room, they pay attention. They really do. This is serious business. This is mainline business. This is everything we're trying to do to be able to carry out our responsibilities.
The other thing that I wanted to just, and I think all of you appreciate this, but one of the things as the chief security officer that really struck me in my nine years in this job since November of 2000 is how much of my job really is not about war fighting. In fact, I would say probably less than 50% of my job is making sure that we have network connectivity, a robust network for those folks that are doing tsunami relief over in Asia, earthquake, emergency relief, and operations and reconstruction like over in Southwest Asia, or just dealing with operations in Africa and trying to help the farmers and medical personnel dealing with AIDS and other issues in Africa. We stood up a new command, an African command, within the past two years, and its primary mission is just that, and trying to get connectivity and trying to get those operations up and running in a secure and reliable fashion really is the majority of the job that we have as security professionals. I know there are lots of DoD people in this audience. They probably don't want to raise their hand so they give away the Meet the Fed contest, but every one of them, I bet if you ask them, a good majority of them would say a great percentage of their time is not necessarily associated directly with war fighting, even though obviously trying to deal with operations in Iraq and Afghanistan takes up a lot of time. That's really one of the big differences that struck me in my nine years in this job. So let me ask another question of the audience. As everybody knows, this is the number one most expensive platform in the Department of Defense. This is a billion dollar platform that we use to conduct national security around the world. So even though some of you may have seen this slide at Black Hat, don't speak up if you were there for this trivia question. So when I had a chance about a year ago to fly on this carrier and take off, I had a chance to ask the captain.
I said, sir, what is the most important thing on this carrier? Now, what do you think his answer was? Anybody want to give a shot? Yes, sir? Connectivity. Yes, sir? People. Information flow. Communications. So I think that's about right. I mean, if you put them all together, I'll give you the answer that he gave me, which relates to everything you just said. But I was actually surprised. I thought the answer was going to be, it's the airplanes. I've got to keep the pilots happy and I've got to keep those airplanes running because that's what's protecting this massive ship. I thought it was going to be the nuclear power plant that allows that carrier to go over 30 miles per hour when it's conducting flight ops. I thought it was going to be all the sensors and radar systems that are out there sensing around it to make sure that a missile doesn't come in and take it out. But it really wasn't. His answer was, it's the internet. So a lot of what you all said, connectivity, interoperability, it was the internet. And I said, wow, really? You're really not just doing that to kiss my ass. He said, no, it's really the internet. And so I said, can you explain a little bit more about that? And so he said, well, do you know what the average age of the 5,000 sailors, 5,000 on this floating city, the average age is? Anybody want to give it a shot? Don't give it away if you heard it yesterday. What, 19 and a half years old. That's the average age. And just imagine you've got 5,000 sailors, men and women, every one of them, obviously, like most of you, if not all of you in this room, were born in the internet age and they have an appetite, a need for being connected. And he says, my number one job is morale and welfare of the ship. I've got to keep these sailors happy because when they go off on a deployment for six months, eight months at a time, they want to remain connected. And more importantly, you know, I've got to keep their skill base up.
I've got to keep training up. Their awareness of things that are happening on the network. Of course they want to talk to their families all the time. But when we have serious situations like medical incidents where we have surgeries and things like that, I'm passing information, I'm connecting up to the main hospitals for assistance. I'm also getting operational information over this internet. Information regarding navigational data and meteorological data, et cetera, et cetera. So it is the internet, he said. That's my number one responsibility, to keep that internet up and running. And he's got about eight information assurance professionals on that ship, eight, that are responsible for keeping that network up and running. And the good news is when I asked him, I said, of those eight sailors that you have, how many are certified in information assurance? And he said with a very big smile, he said seven of the nine, or eight, excuse me, are certified. And he said, I'm very proud of that. And the other one is working on their certification as we speak. But that's actually unusual. A lot of these ships will pull out to sea, or other forces, the Army and Marines, et cetera, with not that kind of readiness. So going back to that sumo wrestler issue, and now that we have the four-star, the operators, understanding the importance of this, training and education is a big deal. We are pumping more money into that part of our business line than we've ever pumped into it. The schoolhouses in the Department of Defense, the training programs, of which, by the way, that certification for those sailors, for information assurance professionals, is a commercial certification. It's not a DoD certification, it's a commercial certification. That was a decision that I made about six years ago. And the reason for that, a lot of people challenged me and said, Bob, that's crazy.
If you get these folks certified in a commercial certification, what's going to happen to them after about two or three years? They're going to leave. They're going to go try to get the big bucks out in industry. That hasn't happened. I mean, yeah, you get a little bit of leakage. That hasn't really happened. And I asked a lot of them about that. They said, hey, we love it. This is a great profession. Now, certainly after they get their 20 years in or 15 years in, or some of them obviously longer, I can go and I can get some big salaries and things like that. But they really enjoy the thrill of going down to Africa, as an example. I got several emails from those sailors that I met on that overnight stay on that carrier. These young sailors, men and women, who were telling me, hey, we just stopped off in Africa and, boy, the smiles on their faces when we saw our ships that were around this carrier strike group or strike force coming back after delivering medical supplies to a lot of the people in that region. And that's really what gets us moving; that is really the core part of our job. So I think I just wanted to kind of put that in perspective, because as the chief security officer, as I said, the real way of understanding and getting yourself motivated every single day to work in the Pentagon is to relate and talk to those operators that are out there around the world trying to help protect all of us, but also, as I said, to help deal with a lot of these very important incidents around the world. Now, the one theme of this presentation this morning that I at least wanted to try to emphasize is the fact that this cyberspace, this internet that we're dealing with, as we all know, is very fragile. But I think what we all have, I think, right now at this point in time in history, we have an opportunity to make a huge difference.
This ecosystem is fragile, but it's amazingly resilient considering the kind of incidents that are occurring all the time. But it's still becoming, as we become more connected every single day, this system, this network is something that we all need, not only for many of our jobs, but we all need for our own economic security with our neighbors, with the other nations that are with us. That is really what we're all about. We all have to band together to help protect this fragile ecosystem. So I think events like this at DEF CON and Black Hat provide us this opportunity to band together. Obviously, there are lots of very, very important sessions going on on threats and vulnerabilities, but I think if we all band together and move this rock up this massive hill that we've built, this race that we're under to try to deal with the threats, I think all of us will benefit in the long run. Not just folks in the Department of Defense, but all of us that are out there in the private sector dealing with issues related to the normal jobs that we have. And I think that's the second most important message that we're going to get across today. Now, what is this chart here? This chart here is one that was done back in the late 1990s, in '98, by Dr. Moschella, who wrote this academic piece about the waves of the IT industry. And the reason why this chart is very important is it represented really a good roadmap as to where we are. As I said, when I took this job back in November of 2000, we were not connected in the DoD. We had weapons platforms and we had operations around the world that were not IP at all. We were completely disconnected in most areas. And so the number one job back in 2000 was to connect the network, connect DoD operations around the world. And that's what we've been doing. We've been under this race and I will tell you that here we are in 2009 and a vast majority of DoD operations are connected to this network.
Now, that's the good news: we're leveraging this technology to be able to conduct operations around the world and all the richness that it offers. The bad news is it's very exploitable. It's very fragile. And that's why it's a significant challenge to all of us every single day. Because all those operations I just talked about right now depend on this network being available. It depends on the information flowing on that network having the highest integrity. And that is job number one. And now the other point of this chart is the fact that as we've connected this network, following Metcalfe's law, the real sweet spot in Moschella's piece is the fact that the real sweet spot is content security. Now he wrote this in 1998 and he said, hey, when we have Web 2.0 and Web 3.0 services, he says that's going to be your real challenge. Connecting the network is the easy job. And he is exactly right. We are falling further behind. If you look at it positively, we are in a race to try to help make sure that all these great Web 2.0 technologies that every one of you in this room is leveraging every day are available to all those forces that are out there, all those men and women that are out there serving the Department of Defense and, more importantly, all those in our country who are leveraging that. And the last thing we want to do, and we have this happen every day, is someone that says we've got to shut down the network. We've got to shut down YouTube. We've got to shut down social networking, et cetera, et cetera. That's the last thing that we want to do. And as a security officer, that's the last thing that I want to do. I don't want to be Dr. No. And so, as Moschella said, the key for all of us as security professionals, innovators, is to focus on content-centric operations. How are we going to be able to have this network be available and make sure that information can flow, like for that carrier, and have it done effectively?
So I think this piece right here, I think, a picture's worth a thousand words. I think this is a good example of... Now, this is another way of looking at it. So in the world of history, hacking has been around for a hell of a long time. And so, the geeks have now taken over. And of course, if we're going to be successful in that previous wave, we've got to deal with that part of the business line. And that's why I believe, and we believe, that working security in the Department of Defense and the national security community is an exciting, is a very rewarding profession, because everybody very much respects the skill set, the importance of those geeks. Because they realize we're not going to be able to conduct operations around the world if we don't have those geeks right there beside us every single day. And I think that is probably the biggest shift that's occurred in the department. Where have we been? This is basically where we've been the past 10 to 15 years. Playing Whac-A-Mole. And what's happened in the Department of Defense is a realization that this part of dealing with security ain't going to work. And we have to change that. And I think the good news is, the leadership in DoD in the past two and a half years, especially in the last year with this tipping point of things that have occurred around the world, has realized that we have to think differently about security. It's not just castles and moats. It's not just layers of defense and putting up firewalls and IDSs and things like that. It is much more complex. And we've got to change the thinking. We've got to work with industry. We've got to work with security professionals. We've got to work with the hackers. We've got to work with everyone to move away from this, trying just to put out fires all over our network. It ain't going to happen. And we have to come to the realization that there is going to be bad stuff happening inside the network. We have to figure out how to contain it.
We have to figure out what's important and protect just the mission critical parts. We have to fight through degradation and learn how to operate when the screens don't work. So when that ship is pulling out to sea and that network goes down, what's my backup plan? Or if I start to lose bandwidth, what are my operational layers to be able to increase bandwidth for the most important mission critical things? So that's really the biggest change. Now, another way of looking at this: I don't know how many of you have read the book written by Rod Beckstrom called The Starfish and the Spider. How many of you have read that book? Anybody? Well, I think you should probably read that book. It's a pretty small book. And it's not very geeky, but it's an excellent book that talks about what it's going to be like to operate in the 21st century. And it really says in summary that the starfish really is the way we're going to have to operate. I mean, Al-Qaeda, as was said in the book, is really a starfish. They're decentralized. You cut off one piece, another one gets regenerated. The DoD has been like a spider, central command and control. You hit key nodes and we have to shut down operations. And so really what this paradigm shift that I talked about earlier means to us is we have to begin to conduct operations like a starfish. If we lose a key node over here or a key network over here, we have to be able to regenerate. But we have to know about that, not when it happens but proactively. But the other thing that I was telling Rod Beckstrom about his book is that really the future means we have to leverage many of the attributes of a spider as well. Because what's the biggest attribute of a spider? Its web. The larger the web, it can sense things out there in the network and hopefully when nasty things are going to occur, the web can capture those.
So combining the attributes of a starfish, technically, and the attributes of a spider, at a very high level and a simplistic level, is where we need to go. And that's why I think that book by Rod and his partner is so important. So in summary, just with respect to this part of my presentation, as I said earlier, when I started in this business we started off with communications security, COMSEC, and we moved to information security and information system security and computer security and information assurance. And now we're at a point in time with cybersecurity. And why is that different? It's not just branding, it's not just name changes. It really means something very, very important, going back to that paradigm shift. And what that means is that up till now we really have not been taking into consideration, in information assurance, time and environment. We're not taking into account, when there is a cyber attack, if it's a Conficker as an example, how quickly and proactively we are able to defend against and contain that particular type of event. We have to consider time. It doesn't do us any good if it takes us months to patch a piece of software or to be prepared for a particular kind of botnet. We have to consider that time element constantly. The other part we have to consider, especially in the Department of Defense, of all the worldwide businesses and operations, is the environment. Because one day we might have partners or devices on that network that we trust, but then it could be within minutes that we say, no, we're seeing some things on the network there that we don't really see as being normal. We have to take them off the network, at least temporarily. So we have to consider the environmental considerations of people, routers, all sorts of devices, data, in a way that allows us to be much more proactive, thinking like that starfish. And so that's why risk management in this world of cybersecurity is so, so important.
Now on risk management, let me give you a couple of vignettes from my role as the CISO about risk management in the Department of Defense, just to give you a sense. Fallujah. Most of you remember that during Iraq, Fallujah was probably one of our deadliest operations. We were losing a lot of soldiers there every single day, mainly because of IEDs. I had a commander call me up and say, Mr. Lentz, I've got a question for you. My information assurance guy told me I can't use this particular cell phone, this radio, to be able to manage my operations in Fallujah. He said it isn't on the approved list of wireless devices. You can't do it. And I said, that doesn't make any sense. He said it has encryption in it. I said, the bad guys... this information is so perishable that by the time I'm able to give the new coordinates to my troops that are deployed, the information is gone. It isn't any good anymore. So why do I need to care? I love this little commercial device. It's perfect. It's small. It's flexible. It's got good connectivity. I really need this. You know, why can't I use it? And I said, well, I said, you and our DoD, we have a policy. You, the commander, have to make that risk management decision. But you have to have all the information available to you to be able to make that decision. You can't be arrogant about it. You can't have a soldier come in and say, hey, I now have all the answers and you just have to trust me and you just use this. Or you don't want an industry guy to come in and say, let me tell you, this is the greatest play toy in the world and it solves all your problems. And then what ends up happening is that person takes that radio and, let's say for instance in this particular case, that particular wireless device was vulnerable to spoofing, or in this case, vulnerable to jamming.
And just imagine how we are all driving around in our car with GPS and all of a sudden we lose the signal, the GPS signal, at the worst possible time and you say, should I turn right or left? I can't remember. Is it just two streets up or four streets up? I can't remember. I don't have a signal. That's what's going to happen if you use that particular device, because it doesn't take much for an adversary to go out there and jam this radio. That's what our policy is telling you right now. And the last thing you want to do is send your troops in Fallujah down the street thinking it's safe while I'm trying to tell you to stop because I have good intel that says something is bad in front of you and I can't get through to you. So you need to have all that risk management, all that security information, to be able to make that judgment call. And that's what risk management's about, but our job as security professionals, everybody in this room, our job is to make sure they get that information and we can interpret it, because I don't expect that colonel to have the kind of security smarts that are in this room. I've got to put it in English. I've got to get them to understand it. I've got to do it quickly, in cyber time. I have to get him to make that very fast decision ahead of time. So let me give you another example of arrogance. So I had a chance, probably the highlight of my entire career, back in the 1990s. I had a chance to visit with Frank Rowlett. Now how many people here know about Frank Rowlett? Okay. Now it turns out he is considered by historians as probably the most famous American when it comes to cryptography and security, and we actually named a trophy after him, and so I had a chance to go down to Florida to his home.
He was 89 years old, 88 years old, to meet with him and to tell him that we wanted to give him this award, and he said, well, come on in and visit with me. His wife answered the door and so I had just a private conversation with him in his room, in his study, for not five minutes but literally he wanted to talk forever. We talked for two and a half hours and we talked about everything under the sun. The one thing he told me was that back in World War II, when he was sitting there breaking the Japanese code, the Japanese people who were running their communication systems were very arrogant. They told their commanders that you had unbreakable communications. Unbreakable. It can't be touched. There's no way the Americans can get into that system and you're good to go. And he said, we had their lunch. We were inside, we were reading just about everything, and that was perfect, and we were waiting for just the right times to be able to use that information, because we didn't want to use it all the time because they might figure out that we were into their network, or in this case their communication system. So Admiral Yamamoto, who was the number one warfighter for the Japanese, their George Washington so to speak, was flying to Midway on an airplane, and they read the code, they knew where he was going to be and when he was going to be there, and they put out the orders, Frank Rowlett said, to shoot him out of the sky, and they did it. And it was because of the arrogance of those individuals giving him that information and confidence. And that can happen in a business, to the CEO, or to an ambassador at an embassy.
Don't worry, you can use this particular device or this laptop, and it's perfect, and they go into an area that could potentially be very harmful to anyone. And we shot him out of the sky, and it was the turning point, historians have said, for the war. And at the same time they went out and developed the number one piece of crypto. Does anybody know what that crypto was called? SIGABA. So not only did he help break that communication system, he helped build one. And I said, well, sir, if there's one piece of advice you want to give me, what would that piece of advice be? He said, the only, the best piece of advice I would give you, and this goes back to that Fallujah example, is be honest, be completely forthright as a security person in terms of the information that you're giving to that decision maker. I don't care if it's a low-level decision-making process in a small network or a high-level one to a senior executive: make sure that you're giving him all the information, and don't be arrogant. If you're not sure about something, tell him you're not sure about something, because that's the most important thing. We had their lunch because of that arrogance, so don't make that mistake. So that was the number one message I got out of Frank Rowlett. A short time after that he died, and so he's one of the heroes in this business. And so to this day I think every one of us in this room has to realize that when you're building a piece of security or you're managing a network, make sure you tell them all the information they need to have in their hands to make decisions on operations. So the shift in strategy that I've talked about here in the first moments of my presentation I think is represented here, but I want to just highlight the fact that the bottom line is that for all of us security professionals, we have to be able to successfully enable this shift or we're not going to be successful. We're not going to keep up with the threat. We're not going to be able to keep up with vulnerabilities that
are escalating every single day, and we have to realize that we have to move in this arena if we're going to be able to develop and operationalize this resilient cyber ecosystem that all of us depend upon, every single one of us. And so I think that's the bottom line message that I wanted just to get across to everyone, and how we in the Department of Defense have a deeper appreciation of that over the past few years. And another way to look at that is in this chart. This is one that I actually used when I briefed in the DoD and outside the DoD to national organizations involved in this world, and what this chart really represents is two things that are very important. The vertical axis is information sharing, if you can see that; I know in the back of the room it's probably difficult, but the vertical axis is the information sharing axis. And going back to my earlier point, if we cannot assure the protection of that information, that vertical axis is not going to move very high and we're going to have an impact on operations. And so therefore it's absolutely critical as security people that we continue to make sure that we can work with industry and work with academia to have the best solutions possible to allow that vertical axis to move as fast as possible. At the same time, what are the defensive skill sets and techniques and procedures that we have to put in place to move further along this horizontal axis? And it's all about deploying a capability that is going to be interoperable against common standards, it's going to be policy based against those standards, and it's got to be resilient, because we realize, as I said earlier, that the bad guys are going to be inside this network all the time. We can't prevent that. We have to learn how to contain it, and we have to learn how to conduct operations with that threat. And we have a long way to go climbing this mountain, and we need all of you in this room to help us do that. And so this is just another way of looking at
this strategic shift that we're moving towards in the world of cyber security.

So let me just now dive just a little bit deeper into some of the trends that we see in this area that are, I think, at a technical level, which I know every one of you are in this room. And these are just sort of the high-level seven bullets of these technical areas that we're focusing on in the Department of Defense, working with academia, working with industry and a lot of the nonprofits, and many of you probably in this room.

The first area that we're working on is strengthening the network underpinnings, and this involves continuing to work on topics that I know we've talked about before, like DNSSEC, focusing on Border Gateway Protocol, focusing on the transition of IPv4 to IPv6, focusing on IP address exposure, and focusing on cloud computing protocols. I know at IETF in Stockholm this last week that was a central part of discussions. If we aren't working, as an example, on this area of cloud computing protocols, we're not going to be able to move up that vertical axis very effectively. And also, when we're talking about cloud security, are you going to walk into your boss's office and say, 'Hey, you can go ahead and use that cloud and have total confidence in that information'? That's the kind of risk management challenge that we have. That's why it's very important that we focus on these network underpinnings to be successful.

Another core area is assured software and systems. Now we have a lot of effort; I really do feel we are starting to turn the corner on software security. Now, where are we? Somebody asked me at Black Hat, 'Where are we in this area? What grade would you give us?' I'd say we're probably, on a 1 to 10 scale, maybe a 2, and that's probably being optimistic. Now, the good news is people now realize that software security has to be done effectively, and they're focusing on it every single day. There's more and more discussions, more and more conferences, there's more investments by industry, including by
Microsoft in the software development process. And so I really am more optimistic than I've ever been. But also there's a realization in the Department of Defense that we have to focus on system assurance in this regard, and what that really means is, when we're designing a system from the beginning, let's realize that we can't have single points of failure, because the software can be fragile. And so that's a realization that we're trying to bake in from the beginning.

Another area is managing the attack surfaces, and I think everyone in this room appreciates that we have to really move to moving-target defense if we're going to be successful. So we are investing a lot of resources into keeping trust zones small, or making these trust zones small and manageable. We're deploying more and more stateless technologies and multi-domain thin clients throughout our network. We're deploying systems, and we want to focus more resources on systems, that frequently refresh; it goes back to that cybersecurity theme of considering the environment and time, so that when there is a compromise we can refresh it very quickly. We're focusing a lot on virtualization technology. We're focusing on hardening key components, like the browser, like the servers, like the scanners. We're employing diversity techniques throughout the network to make the job of the intruder more difficult, and we're also focusing on morphing vulnerabilities and reconfiguring enclave boundaries in this attack surface area.

Identity assurance is another area, identity management and protection, that we're focusing on. If there's one area that I believe is probably our most important area, it is identity protection and management. We have to be able to get to that. In the DoD we have the largest PKI infrastructure in the world, and we have to make it easier, however, because these commanders are having difficulty using it. So it's got to be easier to use, and we have to leverage federated identity management throughout the network. We have to improve
the managing of the directory content, because that really has been the number one problem since PKI started to be deployed in the 1990s. We also have to have a convergence between the physical and the logical layers relative to identity management and assurance, so that when I walk into the Pentagon with my Pentagon badge (and this isn't it) I can get into that Pentagon with the same badge that allows me to get onto my network, and I've got to be able to use multi-factor authentication, that is, with biometrics, to do that. It can save money, which is of course what it's all about in today's economy, but it also can increase security if we do it right. And most important is we have to focus on authorization, access controls, because we have to have better fidelity of roles to be successful. So Bob Lentz is logging on to that network; I might have four or five roles, and if I'm a doctor in a hospital I'll have multiple roles, but maybe one of those is I can't go in and get that particular type of medicine; that's somebody else's role. We have to have that finer grain of identity program management, and for us to be successful in cloud security, identity management is absolutely going to be essential. And we're pouring a lot of money into that area; it's probably the third highest investment that we have in the department, in identity management.

Improving cyber awareness, in terms of fusing people, data, devices, applications all together, is a very core priority of ours: out-of-band monitoring, at the edge, forensics. When I was over in Iraq last summer I was just shocked about all the hard drives; they're just stored up in these various tents and compounds because of certain incidents that have occurred, and they have no capability, really, no easy capability, to do forensics on the fly. So we need more capability in that area.

Automating security countermeasures: this is a good news story, tremendous, tremendous advances in this area that are so critical for us to be able to tie devices and people and content and data
together more effectively. So when you go around to see these in the demo areas you'll see CVE, and you'll see Common Weakness Enumeration, you'll see the OVAL language being advertised as part of a common standard of industry, and that is helping enormously with this risk management challenge that we have. We also have SCAP, if you're familiar with that, the Security Content Automation Protocol, which is really critical for that interoperability feature of having devices talk to devices, which goes to the speed problem.

And finally, mission-based architectures: realizing that no defense is perfect, and we have to be able to fight through cyber-degraded operations. We have to be able to restore trust quickly in contested networks, or networks that have had spillages. That is absolutely critical, so this is an area that is getting a lot of attention. And I think if there's one thing we're not doing right now in the national security community, and also in DoD and even with industry, it is we're not focusing enough on the far-out challenges. We're focusing on these near-term challenges, these one- to three-year challenges, and not the leap-ahead, the 5-, 10-, 15-year challenges. And that's a huge, huge priority that we're trying to shift in working across the community and with industry. So these are the technical challenges and opportunities that we see in this area of information assurance and cyber security.

Let me close now with the most important part of our business line, and that's the people. Just like on that carrier that I alluded to earlier, the people are really what drives this network. If you talk to any red teamer, and I know there's probably a lot of them in this room, they will say that a smart person on the network is the thing that they have to deal with and have to worry about all the time. And the good news is, a smart person on the network, well educated and well trained, especially if you've got black belts on the network reconfiguring the network and installing the right kind of security
improvements, that's job number one. And that's why, if there's anything that we need to be focusing on at the national level, which has gotten a lot of attention thanks to the President, it is this area of education, training and awareness. And the good news is, I have never seen in my entire career a more concerted effort at the national level, at the industry level, to focus on this area of education and training and awareness. Any one of you in this room who wants to seek positions in the government or in industry, get scholarships, take advanced training: the opportunities are there, the resources are there. We are shifting significantly from first gear to fourth gear and putting ourselves in overdrive in this area.

Now, what does this map represent in front of you as you stare at it? These are what we call the National Centers of Academic Excellence. Now there are over 106 of these across the United States, and these institutions are doing absolutely phenomenal things for information assurance and cyber security. Just to read you a few, and some of them are actually in this room, I'm sure: the University of Advancing Technology, I don't know if UAT folks are in this room, doing phenomenal stuff in terms of creating interactive game animation and putting security into it. The University of Nebraska at Omaha, they were the ones that actually have been running, the past year, cyber exercises and were bringing international folks in with us, and they're actually managing the game of how we deal with defending a network and attacking a network. The folks from the University of California, Davis and the University of North Carolina at Charlotte are focusing on software assurance, doing phenomenally important things in software assurance. The University of Washington students are focusing on some great areas with the National Collegiate Cyber Defense Competition. One of the things that I'm most impressed with is Mississippi State University, which is focusing on training, forensics
training, for wounded warriors. So these soldiers that are coming back from Iraq or Afghanistan and have serious, serious handicaps dealing with them, they're offering free forensics training at Mississippi State to them, and what that's resulting in is they can leave after they finish from Walter Reed or Bethesda or you name it, and they can go out there and get a true profession, a very well paid profession, even with their handicaps. And that's another great program. New Mexico Tech is focusing on doing training with Native American children, phenomenally important work. And the list goes on and on; these 806 institutions are just doing phenomenal things, and I expect this list to grow every day. So I encourage you to find out where these institutions are and join them, assist them, or help us even increase this list.

There's also a number of cyber competitions and challenges that are going on, some of them you may have read about. We have the US Cyber Challenge, which is focusing on high school students, college students, and that's going to get a lot of attention here shortly. We have what we call the Digital Forensics Challenge; just a couple years ago there were just a few teams willing to join that, now we have up to 700 teams joining in this Digital Forensics Challenge, and if you want more information on that we can get that to you as well. We also have scholarship programs. The National Science Foundation Scholarship for Service program is a phenomenally great program; we go meet those folks, and it's just amazing how passionate and how good they are at cyber security. And the same thing is true for our DoD Information Assurance Scholarship Program.

So in closing, the bottom line is that this profession that we're all in, in my opinion, actually exceeds the importance of the green movement that's going on dealing with things like solar energy and things like that. If we have a cyber green movement starting out of this conference, and we can have it propel itself throughout this country, I
think in the next several years we can begin the process of helping us strengthen this very fragile ecosystem called the Internet, so that every one of us can be able to conduct business with confidence. So I think if there's one final message I'd say to you, it's that if you're interested in seeking the kind of jobs, the kind of partnerships, even if you want to stay in the private sector, there are plenty out there. The infusion of resources in cyber security is amazing, and the types of positions, the exciting positions that are out there, I think are rewarding and are plentiful. And I look forward, maybe next year when I'm here, to hopefully hearing from many of you who have been successful in getting those kinds of positions. So I'd like to thank you again, and I'll stay around to answer a few questions, but I'd like to really just say again, I appreciate your service to this very, very valuable field. Thank you very much.