So, ladies and gentlemen, I want to introduce this next conversation, which is going to be focused on public-private partnership and specifically on what the federal government has done and particularly is going to do to create the ecosystem in which the private sector can go about its business with confidence in their cybersecurity. Clearly they have their own responsibilities, but the government clearly has a role to play in that as well. Joining me up here, I'd like to introduce Bruce Andrews, who is the Deputy Secretary of the US Department of Commerce, a position into which he was confirmed in July 2014. Before that he was the Chief of Staff at Commerce; he's a lawyer by training, and Bruce spent some time in the private sector and on the Hill, where amongst other things he was the General Counsel to the Senate Commerce Committee. Suzanne Spaulding is the Under Secretary for the National Protection and Programs Directorate at the Department of Homeland Security, which in effect means she is the person charged with protecting the nation's critical infrastructure, and clearly that involves protection from cyber attack. She's also a lawyer by training who spent time on the Hill, in her case particularly with the House Permanent Select Committee on Intelligence, and she also spent six years at the CIA. So, very simple question to get us kicked off, which I'll ask to both of you. What is the administration doing to create a more cyber-secure ecosystem for the private sector?

So, I can certainly talk to what DHS has been doing and then we'll talk about the initiative that the President presented, I guess a couple weeks ago now, the Cybersecurity National Action Plan, CNAP. But at DHS and within the National Protection and Programs Directorate, which I'm trying to get renamed to the Cyber and Infrastructure Protection Agency, which will tell people what we do actually.
We have the overarching mission of working with the private sector and state, local, territorial and tribal partners and their interagency folks to strengthen the security and resilience of the nation's critical infrastructure. And in order to do that, we also have to strengthen the ecosystem in which that critical infrastructure lives. So, we work very broadly with the private sector across cyber and physical threats and hazards. In the cybersecurity arena, we take advantage of the relationships that we've been building since the creation of the department. Going back to IAIP, for those of you who remember that far back, Intelligence Analysis and Infrastructure Protection, and we build on the structures that have been created through the National Infrastructure Protection Plan, or the NIPP. So, the sector coordinating councils for each of the 16 sectors into which we kind of conveniently divided critical infrastructure. Those are a major way in which we convey information and work collaboratively to improve risk management capabilities and risk management decisions. We also work very closely with the ISACs, the Information Sharing and Analysis Centers, and, of course, the administration's trying to broaden that aperture as well. And then, more broadly, we look and constantly assess what is the value add that government brings to this shared responsibility. What's our comparative advantage? And one of those clearly is classified information. How do we get classified information out to the private sector? We do have some cleared private sector folks who are our subject matter experts. They help us to understand better what it is the private sector needs. And so, then we have our Enhanced Cybersecurity Services, whereby we provide to consolidated service providers that classified information, which they can use to provide enhanced services to all of their customers.
That way we don't have to clear everyone in the private sector, which is a good thing. We also work very hard every day to get things declassified. We'd like to have less information that requires a clearance or a cutout in order for the private sector to use it. And every day we are working to get things declassified. And those cleared private sector folks help us understand, no, no, no, this bit of information needs to be declassified. That's the actionable piece of information. And we can take that back to the intelligence community and make that argument. And so we do that quite often. We have thousands of alerts that we put out every day on our portal for the private sector. We're getting ready to launch our automated information sharing under the Cybersecurity Information Sharing Act, which will allow us to work with a network of networks. This legislation provides liability protection for sharing of cyber threat indicators, under appropriate privacy standards and a privacy scrub, to make sure that actionable information gets as widely disseminated as quickly as possible, in milliseconds. We need to be operating with the speed our adversaries are operating. And to encourage this, the liability protection is not just for sharing with the government, but for sharing with each other through these information sharing and analysis organizations. And that's the network of networks that I talk about that will really enhance the security of the ecosystem.
The idea here is that while today the adversary can reuse the same infrastructure over and over and over again without getting caught, what we want to do is get to the point where, when one node on the network of networks out there sees something malicious, it is immediately transmitted through this network of networks, and the adversary might be able to get away with it once, but only once, because now everyone is alerted to be on the lookout for this, and all of their intrusion detection and prevention systems are cued to see that. That's making good use of those networks for known and discovered signatures. We're also working to develop, and are piloting now, a system for detecting things we've never seen before based on their attributes, based on reputational scoring, and that's where we need to get. All of it is built on trust, and we work hard every single day to retain that.

Bruce, what is Commerce up to?

Commerce is very busy with this, and I think part of building an effective ecosystem is recognizing that this is really both a cross-government enterprise, and you can see from the work that Commerce does, that DHS does, and I think our skill sets are complementary in that regard, but we work very closely in this. But at the Commerce Department, we actually have a number of different pieces that plug into this, being a diverse department, everything from NIST, which obviously plays a critical role, but also NTIA, the Bureau of Industry and Security with export control reform, and the International Trade Administration. So we are very focused on how do we build the collaboration between the public and private sector to really build an effective ecosystem, because the reality is, unlike many traditional threats where, frankly, national security was always predicated on the government providing protection to the private sector or to private citizens, this is a very different model.
We live in a very different time, and the only way that this is going to work is through a collaboration between the business community, the private sector, and the government, but also, and I think this is really important, is speaking a common language. So I'll start with the NIST Cybersecurity Framework, which is something that we are very proud of, which really is a great example of the collaboration taking place between the public and private sector, and creating a common language that not just the network engineers can understand, but really that works its way throughout. You can go from the CIO to the CEO to the board, and everyone having a common risk management language and a risk management framework to work with. So we've been very pleased about that. The second is really looking at technical solutions, innovations, based on rigorous standards, and so the National Cybersecurity Center of Excellence, which I actually just cut the ribbon for last week out in Maryland, is something that we're very excited about, because it's the first, we have 22 private sector partner companies, it's the first public-private lab for doing research and development on cybersecurity and cybersecurity standards. So we are very excited about what the potential out of that is, as we look not just at the present, but really looking to the future. Now, NTIA is engaged in a multi-stakeholder process, looking at cyber vulnerabilities, research, and disclosure. That's something that's particularly important, setting up a set of rules of the road, developed through a multi-stakeholder process, so that everyone has a common set of understandings. The public sector, the private sector, developed through a consensus-based process, working together. One of the other things that we've noticed is the need for better data.
What's so interesting about cybersecurity is, unlike most other areas of our economy, where we have, if not tens, hundreds of years of, you know, for example, weather. We have 500 years of actuarial data built up through other types of risks that we face in our economy. But cybersecurity risk is really something that's new. And so getting accurate and good data so that business leaders, governments can make smart, effective decisions and investments based on high quality data. And then last, I just want to mention the Cybersecurity Commission that President Obama recently announced, that our team at NIST is helping to manage. And I think that's something that we're also very excited about. And the opportunity to bring together a diverse set of leaders to talk about these issues, to raise the level of dialogue, and to come forward with recommendations is something that we think will be very beneficial to the public dialogue.

Thank you. And we're going to have Kate Johnson and Kevin Stein from Commerce come and talk to us in a couple of panels' time, exactly about how that commission is going to run. But for now, having heard of all of that activity that is going on, the obvious question is, how are you doing? Sometimes cybersecurity is presented as a race to stay ahead of the adversary. Is what's being done working? Do you need more information from the private sector? And what has the administration learned in its seven years that it feels now that it needs to take forward more aggressively, feed into the commission, and pass on to the next administration?

Maybe if I start on the new. So what we've learned is, look, this is a battle where you need to remain vigilant. You need to remain aggressive. And frankly, we're going to continue to have this as technology continues to evolve. We're going to be in this situation where it's a challenge. It is a big challenge. And I think we're finding that there are different levels of preparedness.
So we've been trying, one of the reasons for the framework, and one of the things we've been trying to do is drive adaptation and adoption in the private sector. And one of the challenges, different companies, you don't want companies and organizations to begin taking their cybersecurity seriously after having some kind of negative incident. You want people to be proactive. You want them to get ahead of it. And it's a challenge. I mean, I do think that the level of recognition of this issue, compared to several years ago, you know, I'll give you an example, and you mentioned Cleath. So when we worked together in Senator Rockefeller's office, Senator Rockefeller and Senator Snowe introduced the first comprehensive cybersecurity legislation. And the reaction to that legislation in 2009 was basically, oh, no, we've got it under control in the private sector. We don't really need you guys doing this. And the idea that a boardroom or a CEO level would be talking about cybersecurity was just something that wasn't happening. Now you look at where we've come, how far we've come, which is progress, because you're having, you know, any CEO and any board of directors who is not having this dialogue about the importance of cybersecurity to the organization. And frankly, the investments you need to make. But to the point you made in your question, it is a constant race, not even just to stay ahead, but to keep up with the evolving technology, evolving risks and challenges.

I would agree that we're beginning to get some traction in getting CEO attention. And I think there are a couple of sort of watershed events. One was the ostensible firing, if you will, of a CEO in the wake of a major retail cybersecurity breach. I think that got CEOs' attention personally. The other thing that I think got CEOs' attention personally was the release of emails that was associated with the Sony breach.
Interestingly enough, it was not the destructive nature of the breach, which is what got my attention, but got far less press attention. It was really the salacious emails of particular individuals in the C-suite. And I think that really got CEOs' attention. But we have some sectors in which they've been really focused for quite some time now. I meet with my counterpart at DOE three or four times a year with about 30 or 40 CEOs in the Electricity Subsector Coordinating Council. But they take this very seriously. That group is chaired by Tom Fanning of Southern Company, and they're very aggressive in this area. The financial services sector certainly has reason to have been paying attention for some time. Others, not so much. And so where we need to go in this, I think we continue to work hard to promote the NIST Cybersecurity Framework; we've established C³VP, our Cyber Critical Infrastructure Community Voluntary Program, to promote that. But what we need is a better understanding of how to do risk management in this arena. And that really requires, we have traditionally in the risk management field, I think, taken this formula, a factor of threat, vulnerability and consequence, too literally, and we start always at the left-hand side with threat and vulnerability. And it's so overwhelming that we don't really get to consequence. And particularly in the cyber arena, I think we've given the understanding of consequences and the interconnectedness and the prospect for physical consequences, and cyber consequences, or physical events having cyber consequences, short shrift. We have to start with consequences. And this is the message I bring to CEOs. You have to call in, not your IT folks, when you want to think about what to do about cybersecurity; call in your program people. I tell them, in the government we talk about mission essential functions.
Call in your program leads, your component heads, look at your mission essential functions and ask your team which disruptions would have a substantial impact on our ability to conduct these functions. And then which of those could be caused by cyber. Now you've prioritized your efforts. And then you look at how could we mitigate that. Some of that mitigation will be technical, but some of it will be mechanical or physical. I often tell my folks and CEOs, remember that the most cost-effective return on investment to address a substantial cyber risk might be putting in a hand crank. So we saw the very serious cyber attack in Ukraine December 23, the first cyber attack bringing down critical infrastructure upon which civilian populations depend. I've been amazed at how little attention that's gotten; that was an attack on industrial control systems that are not just relevant for the electric sector, but for every sector across our economy that depends on industrial control systems. And we have been trying to get the word out on that. But they brought that back up after six hours by falling back on mechanical redundancy, which they're still relying upon today.

We had Tom Fanning here earlier. Understandably, he was not keen to get into great detail about BlackEnergy. But he was relatively upbeat about the security of the grid. Is that DHS's assessment as well?

Well, I'm relatively upbeat about how hard they're working on this issue. They take it very seriously. They've instituted a lot of good things. But they are a major target. I mean, they have folks coming at them every single day. And this is a hard problem. This is a big challenge. And so they need to keep their foot on the pedal and they need to keep working. And as you may have sensed from Tom Fanning, he is not one to slow down. He's got a lot of energy and he's pushing them in the right direction.
Two more very quick questions before we open it up to questions from the floor. Bruce, since we have you here, we've had a lot of complaints in the last year or so about proposals to implement an extension of the Wassenaar Arrangement, which is a multilateral export control regime. And the extension was to sort of cover surveillance and intrusion software. The concern being that legitimate cybersecurity researchers may be affected. Paul Nicholas from Microsoft mentioned this at the very beginning of the day. We now have some movement on this. Can you just update us on whether the administration is responding to those private sector concerns?

Sure, which is, you know, look, there was a proposal put out and I think there is a recognition that there's both an important set of issues here on each side and really making a policy decision to make sure, frankly, that we're protecting innovation and the ability for research to go forward. And so an initial proposal was put out with the intent of putting it out for public comment. As you alluded to, the public comment came back very strongly, which is exactly how the process should work. And that's the beauty of a notice and comment process, to seek input. There was obviously, Wassenaar is complicated because it's a 41-country, you know, multilateral organization. But the comment was very strong and frankly, we are taking note of that. And so you probably saw Secretary Pritzker sent a letter back to the Hill last week, making the point that we are, you know, taking the concerns and we'll move forward. You know, they were going to go back to Wassenaar to look to rediscuss and renegotiate the agreement. I can't say, you know, how that's going to come out. Because obviously, a 41-country organization presents challenges in negotiation, but we recognize there are serious concerns and we're taking those concerns to heart as we move forward.

Last question from me.
One of the themes that we've been pursuing through the day is diversity and inclusion in the cybersecurity workforce. In different ways, Commerce and DHS have activities in this space. The question, I guess, is the government doing enough? And if so, you know, what are the activities that you're engaged in to improve the number and quality of women and minorities in this space?

So, yeah, so we are doing a great deal. It's never enough. So there's always more we plan to do, can be doing and will do. But we have concerted efforts underway. I'm speaking either next week or in the next couple of weeks to an organization that focuses on bringing more minorities into STEM education and into STEM-related careers. We work a lot with, you know, Girls Who Code, Women Who Code. There is a White House initiative around bringing women of color into STEM that we're involved with. So a lot of those kinds of activities. We recognized a few years ago that in our cybersecurity workforce, we don't need all PhDs in computer science. And so we're recruiting at both colleges and universities, but also in community colleges. And in that effort, particularly, we're targeting more urban schools and, again, trying to bring in a greater diversity of views and minorities into our workforce. So there is a lot going on there. But there's always more we can do.

Well, and I would just note, I mean, you know, I think we all recognize that we have a major deficit in terms of having the skilled people to face the cybersecurity challenges that we face as a country. And so what we're doing at NIST is leading the National Initiative for Cybersecurity Education, or NICE, which is one of the nicest acronyms in government. But it really is a recognition that we have to do more.
And I think to Suzanne's point, not just to bring coders, not to bring engineers, but to bring a broad range and diverse group of people into the cybersecurity field, because this is something where, you know, in the government, I can just give you an example. You know, there is a deficit of cybersecurity professionals, but it's not just really in government. It's across the cybersecurity fields. And this I think is one of the most important things we can do, is train and educate the workforce of the future for these very important jobs that are going to exist.

Cool. I could keep asking questions, but I want to give people a chance. So if we could take a group of, say, three questions and then I'll bring them back to Bruce and Suzanne. Anyone have a question for Bruce or Suzanne? One down here at the front. And please give us your name, your affiliation, and end your question with a question.

My name is Frank Astrof. I'm going to decline the same affiliation, but I run a tech company. And I'm here with the other part of us. All right, so I made this comment or question two days ago, moderators suggested. That's good again. When folks here, I just got late. One of the strengths of the US is in many areas, we are the technology leader compared to any other country in the world. Secondly, I've been in both government and private sector, and in most areas of technology, not all, but most, the private sector is ahead of the government. Government tends to be slow. And then even the large government contractors the government buys from tend to be slow and bureaucratic as well. So this is a setup for the following question. I don't think there needs to be a separation between patriotism and private sector technology folks.
What I'm wondering is, does there exist a safe space within government that leaders of technology companies that are working on genuine breakthrough things could go and speak confidentially, and also not in front of their other potential competitors, and talk about what they're doing, to make sure that the government is aware of what really is the leading edge on stuff. Thank you.

Anyone else want to get a question in while we have the chance? I think there's one up at the back. Peter.

Peter, I'm Global Affairs columnist at Reuters. I was just wondering, I mean obviously the sophistication of cyber attacks continues to increase. I'm wondering if the volume of sort of malicious attacks, not trying to steal stuff but to do damage, is rising within critical infrastructure, or whether it's stayed roughly static?

If the volume of non-destructive, did you say?

Destructive.

So two questions, one on attacks, and I guess Suzanne might want to start on that one, and one on the mechanisms through which I guess government can leverage the technology in the private sector. Do you want to go first, Suzanne? Do you want to take the second one?

Sure. So no, I mean this is what made the attack in Ukraine so remarkable, really, and attention-getting, is that we really did cross a Rubicon there. That is the first destructive attack against critical infrastructure upon which civilian populations depend that we've seen. So are we seeing an increase in destructive attacks? I mean we've now seen one. So yes, I guess that's an increase. But we are definitely seeing lots of malicious activity targeting critical infrastructure, including industrial control systems. We have not seen, you know, the manifestation of destructive attacks against critical infrastructure prior to the attack in Ukraine. Is that... We can compare to that.

And I would just say to your question, NIST is by definition a safe space. And that's one of the things I love about NIST.
And I do think one of the points of the new Center of Excellence we've set up for cybersecurity is to give a place for public-private collaboration and for a dialogue to take place. And our cybersecurity lab at NIST, I mean these guys are fantastic, they're incredibly talented scientists, but they're also, NIST really is unique in its ability to have this public-private, you know, dialogue and ability to have collaboration together. So I would urge you to connect with our folks, because I do think there's a good opportunity there. Well, I think we'd have to work, I think they'd be protecting conversations. As you know, there are a bunch of government structures, but I believe we have different things in place for the consultations that take place. But I'm pretty confident that we can structure it in a way that, you know, it wouldn't be on the public record.

And I would just say, we work very closely with NIST and with Commerce and we are taking advantage of the wonderful Cybersecurity Center of Excellence to develop some technology for our Continuous Diagnostics and Mitigation program and others. But we also have, there are structures out there, as Bruce says, to provide the private sector with a safe space in which to have these conversations. DHS has the Protected Critical Information, Protected Critical Infrastructure Information Act, which allows us to get information from the private sector that we can't share with regulators, we cannot hand it over under FOIA, we cannot hand it over under civil litigation, etc. And it is designed to foster very candid conversations between the government and the private sector. So Bruce is right, there are plenty of mechanisms for having those conversations across the government.

I'm afraid we're going to have to wrap this up right now, because I know Bruce for one needs to get away. One last question before we wrap. We have the commission going forward.
What is the one thing and the one message that you would like to sort of push forward to Tom Donilon and Sam Palmisano as they get to grips with their commission, that you think they should really focus on as they work out what are the key things for their report at the end of the year?

So you will hear later today, I think, that they are looking at near-term things as a particular focus for the next incoming administration. And I think that's very smart, but I also encourage them not to lose sight of the 10-year horizon. It seems like it's too far out and technology changes so fast, but we are all focused on the near term. And one of the benefits of a group like this is that they can step away and rally around and encourage some things that can happen now that won't bear fruit now. It's very hard for Congress and policymakers to do that. But this group can say 10 years out we should be here. Start with these things now that won't bear fruit in your first term. And I think that could be really important. I know we've got to rush, but the next thing I would say is on the Internet of Things: think really hard about how to turn that into an advantage rather than just a huge attack space. We have to change our thinking on that. It can help us solve our challenges.

And I guess I would completely agree on looking at the long-term time horizon. I also think helping to drive really tangible recommendations that can be used by policymakers. But I do think this is a complicated area, and frankly getting a consensus among Congress, the administration, and then implementing those can be very challenging. And so I think having a diverse but highly respected group come forward with consensus recommendations will help, I think, to really focus policymakers and hopefully be able to work in a collaborative way together.

Thank you very much. This has been short, but it's been fantastic. Thank you very much, Under Secretary Suzanne Spaulding, Deputy Secretary Bruce Andrews.
Thank you very much.