
IATC - Lightning Talks: Thinking Different - David Batz, Steven Luczynski, Caroline Wong & Bob Wood

BSides Las Vegas | 57:28 | 34 views | Published 2017-08
About this talk
IATC - Lightning Talks: Thinking Different - David Batz, Steven Luczynski, Caroline Wong & Bob Wood I Am The Cavalry BSidesLV 2017 - Tuscany Hotel - July 26, 2017
Transcript (en)

Hello and welcome to BSides Las Vegas, the I Am The Cavalry track. This is a panel on... I totally forgot to look it up before the talk.

With that fantastic introduction, I'll pick it up and take over. Let me just add a thank you to our sponsors: Amazon, creativity, VerSprite, Tenable, Source of Knowledge. And of course, if you would like to continue the conversation later, follow the presenters on your list. And then Bo will take over and introduce the topic.

All right, thank you very much. So we're gonna try something different for a BSides talk: we're gonna try and pack in as many people to do quick talks as we can. That's kind of been the theme of the morning. We started it off with a couple of very, very good technical talks to get everybody awake this morning, and now we're gonna move into something that's a little bit different. So we've got four presenters up here, who I'll introduce in a second, and each one of them has kind of a new idea that they've been almost testing in the lab, and they're bringing it out now into the light of day to get some exposure to it. So we're gonna do 15 minutes times four, then go into kind of a panel Q&A where we can pressure-test some of the ideas and some of the theories and some of the theses that they've come up with. And the idea is we want to bring some new ideas into InfoSec. We want to try some models that might or might not work. We want to experiment, because if we want to see something different, we have to try something different, and we need a diversity of perspectives and a diversity of approaches to solve an increasingly diverse problem space in the Internet of Things and around the cybersecurity implications to human life and public safety.

So I mentioned we've got four speakers. First up will be Caroline Wong. She's VP of Security Strategy at Cobalt out in San Francisco; she's standing up right there. Then we'll have Robert Wood present. Robert is the head of trust and security for Nuna Healthcare. Then we'll go to David Batz. David is Senior Director of Cyber and Infrastructure Security at the Edison Electric Institute. And then we'll have Steve Luczynski, who is Deputy Director of Cyber Plans and Operations at the Office of the Secretary of Defense in Washington, DC. So hopefully, without too much further ado, we will get started here. Are the slides good, or do you need a couple more minutes? Okay, Caroline, come on out.

Yeah, so I think we're still getting the slides up. I'm really pleased to announce that they are Moana-themed slides. I have a two-year-old, and one of the things that I now know, that nobody told me about being a parent, is that when you have a toddler, your toddler wants to watch the same thing over and over and over, and thank goodness she's chosen Moana, because I don't know who of you have seen the Disney film, but it's actually fantastic. Anyway, slides are upcoming. So the title of my lightning talk is Significant Soft Skills: It Takes a Village, and the perspective that I'm hoping to bring today is the one that says there's an awful lot that's very exciting and sexy about the newest threats and the latest attacks and how to technically solve a problem, and perhaps there's a lot of folks in this room who have thought to themselves, I understand the technical solution to this problem, why won't all these other people just cooperate? Because the thing about security is that it can't be done by one person, and it can't be done by one team in an ivory tower. In order to get it to work, you basically have to talk to other people and help them understand what you're trying to achieve, because a lot of times we're also trying to get other people to do stuff for us too, whether that's convincing our employees to adopt safe practices and follow security policy, or maybe that's talking to the IT team or the system administrators about establishing secure configurations. There's a whole list of scenarios that I could go into, and actually Bob and I, here's a little kind of preview, at 4:30 this afternoon we are gonna do an additional talk that's all about hacking office politics.

But what I want to talk about today is two specific scenarios: one is about incident response and one is about budget justification. These are two scenarios that you may find yourself involved with that involve a lot of talking to other people. I myself have been in the field for 12 years now. I started out on the global information security team at eBay and then went over to Zynga, the FarmVille company, and then transitioned to the vendor side. So I've done some product management at Symantec, some management consulting at Cigital, and I currently work for a start-up that's based in San Francisco called Cobalt. So I've been in a variety of different roles and have had a variety of different perspectives. The scenarios that I'm going to talk to you about today are real scenarios, but I won't tell you, obviously, you know, the secret stuff. But I can tell you that these are situations that I've been in before myself.

So if we had slides, you would see Significant Soft Skills: It Takes a Village, and then you would see Moana and her village, and then the following slide would say, well, which villages have I worked in, and it would have listed all the places that I've worked. And then the slide after that is the volcano monster, and it says Incident Response. So let me talk about a personal experience that's kind of like incident response. When an incident occurs, and there are lots of different levels of incidents, low severity being "oh, there's something weird going on that we need to look into," and critical severity being "the bad guys have won and we've lost something," we need to figure out what the impact has been, we need to contain it, we need to do short- and long-term mitigations, and then you have to talk to all of these people about it. So I was involved in helping out with a rather large data breach several years ago: 17 million records compromised. And we found out a week before; some people knew, but they were too afraid to tell our team. And when I got involved, it was one of those things where, for two weeks, the entire security team is on 24-by-7 rotation. So I was in the office; luckily I got the daytime shift, so I was in the office 7 a.m. to 7 p.m. One of my responsibilities was documenting the breach timeline. So you ask this question, what did the bad guys do, and as you receive and discover more information about it, you write it down. So I was in charge of writing that down, and then at 7 p.m. I would go home, someone would take over, and it was like toothbrushes in the office and cots, people were sleeping there. So it was an all-hands-on-deck type of scenario.

So in an incident, I would constantly get these questions as I'm documenting this breach timeline. Our PR team wants to know what's going on, and how do you explain something like a major breach to a PR team? And that's gonna be different from, well, now the legal team wants to know what's going on; well, now the CTO wants to know what's going on; well, now the CFO wants to know what's going on. And these are all different people who are gonna want to know a version of what's going on that makes sense to them and that helps them to get out of panic mode. So I'll give a brief example. I was actually in the emergency room this previous Saturday. I went in with severe abdominal pain, which was suspected to be appendicitis. I'm here, and I didn't end up having my appendix taken out, but it's a similar scenario where you're like, okay, there's something wrong, and I know there's something wrong, but I don't know what's wrong, and I just need you to set my expectations. So the doctor said to me, okay, we've done a physical exam, next we're gonna do lab work, next we're gonna do a CAT scan, and we're gonna go from there. And that really helped me to set my expectations. They basically said, it was like 2:00 p.m., and they were like, if you end up needing to go into surgery, that'll occur around 7:00 p.m., you're not allowed to eat any food. And that was okay, because at least I knew that there was a plan and that I was gonna be taken care of. And I think that's similar to what we need to do when we're talking to people about a security incident that occurs.

One of my favorite resources on this topic is actually the NIST Cybersecurity Framework, and this is because it's actually organized around an event happening. So there are these five categories: identify, detect, protect... oh, identify, protect, detect, respond and recover. And this is a great way to frame what's going on in an incident to somebody who's not necessarily a security person, somebody who may have very little, if any, technical skills. You can simply say to someone, here is the stage we're in, and this is what's going to happen next.

These are lightning talks, so I'm going to move along pretty quickly. The next topic is budget justification. So we know that we need money and resources and tools and people, and how do you convince someone that you need money to do that, when what that means is that money's gonna be taken away from another project? That might mean that money's gonna be taken away from a new

application feature that's gonna be built; that might mean that money's gonna be taken away from a major upgrade; whatever it is. So I've talked to two CISOs. I worked for one CISO who is incredibly successful at this, and one of the really good ways to do it, if you're a CISO and if you're the type of CISO who has CISO friends that you can just call up and say, so how much money are they giving you? The best way that honestly I know how to get security budget is to call up your peers and ask them how much money they're getting, and confidentially put that information onto a slide and present that and say, look, this is what our peers are getting for trying to solve a similar problem, this is what our competition is getting. That being said, there's a lot of other ways to go about it. I actually have a security metrics book that I wrote in 2011, and I'm gonna give it away to the person who, if you're staying for the Q&A session at noon, asks the best question. So security metrics are another way to go about doing that: to what extent can you convince someone that you have a plan, that you know what you're doing, and then show them measurable progress against that plan? Next slide, please.

So people talk about this concept of risk tolerance, right? If you're in a really heavily regulated business environment, maybe you have a relatively low risk tolerance. If you're working for an early-stage SaaS startup, maybe you have a relatively high security tolerance. But you can't walk into a room full of executives and say, so what's your risk tolerance, because that's a difficult question for someone to answer. So what I'm gonna present on the next couple of slides is some ideas about how you can have a risk tolerance discussion with someone in a way that's a little more effective than going in and saying, what's your risk tolerance on a scale of one to ten, and what does that mean?

So the first ones are pretty high level. I'm actually gonna peek over Bob's shoulder because I don't have these totally memorized, but no, this is cool. So the idea behind these is: can you get someone whose buy-in you need to agree to a security-related objective? Because if you can, and you can say, okay, you and I both believe in this goal and we're gonna try and accomplish this objective, can you trust me to execute on a plan that makes this happen? Oh, and by the way, can you pay me for the plan that's gonna make this happen? So some of the high-level agreements that you might be able to use in your organization are things like: well, security for us is a competitive differentiator; people are not going to use our service if they don't believe it's secure, so we can use this in marketing, we can use this in sales. Another one, kind of like I mentioned: call up your friends who are doing your same job at a different organization and say, well, this is what they're doing, and if we're not doing the same level of thing, maybe we should talk about why. Achieve a defensible level of due care; that's certainly going to be very different in different environments. And then, sometimes the easy one but sometimes not: comply with something that's regulatory, something that's contractual, or here's an industry standard. Next slide, please. Thank you.

So the next set, which are a little more, in my mind, descriptive and a little lower level, are things that you can use to describe the value of security to a non-security person whose buy-in you need. Can we sign up together to agree that it's important that we reduce the probability that attackers can cause critical applications to stop functioning? And most people would agree to that, right? And then you can come up with the plan, and then you can show them progress against that plan. Can we agree that it's important, and that we need to do the things that need to be done, so that we are requiring fixes for bugs for which well-known attacks exist? Can we agree that it's important to prevent the same security defects or incidents from occurring over and over again? I think these are sufficiently normal-human-speak for anyone to understand and believe that it's important, yet at the same time detailed enough that you can write an action plan to make this happen, and then you can explain why I'm asking for this much money, because it's gonna help us accomplish this.

So the takeaways are: check out the NIST Cybersecurity Framework, great for messaging. It does what a lot of frameworks and best practices do, it's a list of controls, but they're categorized really nicely, and they're mapped to all these other frameworks. CERT incident management also is sort of just a standard go-to if you find yourself needing to create an incident response plan, or in the middle of an incident and needing to know how to talk about it to different people. And then security metrics; I've got this book for whoever has the best question in the next session. Thank you.

All right, so next we're gonna swap over to Bob, and it looks like you're already ready. Boom, you beat me to the punch.

All right, sorry about the technical difficulties. Everything worked prior to coming here; we swear we did test. So we're gonna shift gears now. We're gonna talk about thinking about the big picture when you're talking about risk to stakeholders within an organization, and I want to do that through the lens of healthcare data security. So for those that are not familiar with healthcare, or with me in general, I work at a healthcare analytics company. We handle a lot of data, and so a lot of what we do touches a lot of things in the healthcare system at large. And so first things first: I want to have people remember this number, 129,738,939, as kind of a backdrop or context throughout this quick little lightning talk. That is the number of records that were exposed in 2015 and 2016 alone in the healthcare industry. And one of the great and not-so-great and unique things about healthcare is that simultaneously a healthcare data breach has the ability to affect not only individuals, like a credit card breach might (you might see fraud or illicit payments or something like that), but it also has the ability to put strain on the bigger healthcare system through that same data breach. So that information that is lost has the ability to affect multiple things, like a ripple effect or shrapnel blast zone. So you can think about this from an economics perspective. If a hospital has a data breach: hospitals handle lots of data, companies like ours handle lots of data, and so economically we are responsible for protecting the data that we are handling. It all makes sense. However, we only have so much budget; also makes sense. And if and when that entity that's handling the data experiences a data breach, or just unauthorized mishandling, whatever it is that exposes or puts that data at risk, you start to see this ripple effect occur. So the first thing that could occur in a hypothetical scenario, hypothetical or not so hypothetical, is potential Medicaid fraud or other types of fraud that adds hundreds of millions of dollars of just fraudulent overhead to the system that ends up trickling down and increasing costs for a bunch of other people. The hospital does not actually face those initial costs. They face the cost of maybe reputational damage or maybe OCR/HHS fines. That's where it stops for the hospital. People are still going to go there; people still need their healthcare providers to do what they do. But then, bigger than that, the individuals who are affected might also experience really, really obnoxious identity theft. So one of the gnarly things about healthcare data, of course, is that it's a lot of information that you can't change unless you feel compelled to, you know, get thrown into witness protection or go off the grid in some way. There's a lot of information that sticks with you for life. It is your life story in a medical record. And so the kind of identity theft and the kind of fraud that can occur on a personal level is very, very severe, and again, the hospital doesn't necessarily face that particular cost. So the security personnel at those hospitals are left identifying and arguing for budget to protect something that is far, far bigger than them. And we at Nuna find ourselves in this same kind of situation, as do many individuals.

So the first thing, in order to actually start protecting ourselves and protecting that data, is we need to find risks. And typically in the security industry it ends up looking similar to this, as we bring in specialists with a very particular set of skills, and they come in and they find stuff. They use tools, they use their brains, they use any number of means available to them, and then they give you a long report, or they give you a pile of vulnerabilities, whatever that output happens to be, and you're left kind of scratching your head saying, all right, what do I do with these things now? And one of the other things is a lot of that analysis ends up looking at the problem through a very narrow dimension, through a technical, technology-focused dimension. And so I want to challenge folks to start thinking a little bit more about the system that you're

operating in, the business or organization that you're operating in, and finding other ways to identify risks. And a few of my favorites that happen to engage a lot of other stakeholders in your risk management process are things like scenario planning. If you Google that, you'll find a lot of resources on that; that is more about business contingency planning, or the military uses this to stress-test plans, things like that. Tabletop exercises and wargames, or just red teaming. And you can red team in a number of different ways. Don't listen to anyone who tells you red teaming is a pen test; red teaming is more about adversarial alternative analysis. And one way that we do this on our team is we use a little game, either the tenth man (we call it the 10th man; if you've ever watched World War Z, the movie, you'll get that reference) or another method called the six hats, which is basically people in a meeting take contrarian points of view and they just poke holes in everything that one party is proposing. And it's a way to really flush out potential risks to an idea, whether it's a project, a plan, a solution to a problem, whatever it happens to be.

And so once you have your pile of risks, you then need to actually go do something about it, because having a big pile of risks or negative loss events is not necessarily enough to fix the problem, as we all well know. So you have to take that pile of risks, you have to go to somebody in your organization, you have to do something about it. And lo and behold, business leaders care about the business. Probably not surprising, but we also care about the business as security professionals; we just care about it through a little bit different lens, as do they. The CFO cares about the business through a financial stability lens. Engineering leadership cares about the business through the success of the products that they're delivering, things to that effect. CIOs, in the stability of the IT infrastructure that they're rolling out. And so when you're trying to find ways to communicate with these different stakeholders, you need to find the kinds of metrics or the kinds of language that they speak in, and what they are actually measured on from a success perspective, and align your story around those success metrics. And so if you're talking to somebody in engineering, you may frame security risks as bugs. If you're talking to somebody in finance, you may frame it around expected loss and dollar values. If you're talking to a board or other executives, people who are responsible for the strategic direction of the organization, you may frame it, or map security objectives and your plan, your project plan, your roadmap, into a balanced scorecard, or roll it around KPIs that they're tracking at an organizational health level, things like that.

All right, and then we are gonna wrap up talking about storytelling. So in order to actually get somebody to buy into something, we need to tell effective stories to the stakeholders that we're working with. We can't be one-trick ponies, and we can't take the same exact story and peddle it across the entire organization, because a CFO is not going to care if I walk in and start telling them that we have 30 high-risk findings, 500 medium-risk findings and a thousand low-risk. That means absolutely nothing to a CFO, and it means absolutely nothing to a lot of security professionals. It's just a big number at the end of the day; we don't actually know what is wrong with the organization. And so first things first, we of course need to collect all of our relevant risks, and note the key and operative word "relevant" there. If you're talking to a CFO, you may not want to bring everything you know about to the table; you want to bring the things that are gonna be relevant to the discussion you're about to have. Find your stakeholder, pick your alignment lens. So again, don't come in using the same story with everyone that you're talking to. Find who you're talking to, find what's important to them, and use the language that is going to resonate with them. Think about it as a social engineering exercise if you must, but it's really about making sure that your argument is going to have teeth with who it is you're trying to argue or discuss or converse with. So we want to build a story around what those risks, those relevant risks, are and how they could affect the organization. So chain them into an attack tree, for instance; chain them into how it could potentially affect the organization, what the organization stands for. So at Nuna we do a lot of work with CMS, with the bigger healthcare system at large. We're not working with hospitals and very specific healthcare providers; we're working with a lot of back-end infrastructure. And so to us, one thing that really, really resonates with our executive team is how what we're building and how we're doing business might affect the overall healthcare system, because we want to help do our part to make the system better, deliver lower, cheaper, more effective costs for ultimately the people who are consuming those healthcare services. And so if we can tell a story around risk that threatens those fundamental values that we're targeting, then that's far more compelling. And so, this is somewhat related, but make sure you connect the dots to the bigger picture, again, what the organization is actually trying to achieve.

And step five, I think, is really, really... and it's something that a lot of people in our field fail to recognize, or at least struggle recognizing, and something that I also struggle recognizing consistently or applying consistently: when you're talking to people, you have to recognize that everyone has their own goals to service the organization that they're working with, or business partners, and you have to show empathy to what is important to other people. And in trying to get your point across, you have to be willing to give ground. You can't walk in with a hundred risk events, a hundred potential negative loss events, that you want to mitigate. You have to be willing to compromise and say, well, I understand that we can't allocate the budget to get rid of everything, to make the world completely secure, because that's just not realistic. We have to be willing to have a manager-to-manager discussion and talk about what's actually best for the business. Sometimes it's not always remediating everything, because that might put a huge strain on usability, or infrastructure, or just budget in general. There's a bunch of potentially negative effects or impact from somebody else's perspective if we were to get our way entirely. So be willing to give a little bit of ground and be empathetic to what other people are going through, and partner with that person. So that is where the empathy feedback loop really comes into play. So be willing to partner with other people, your leadership peers in your organization, and when you're talking the same language, and ultimately when you recognize that you're both on the same page trying to make your organization better and more resilient or profitable or more impactful, whatever it happens to be, then you profit. So thank you very much. [Applause]

Well, good morning. So I am here today to talk about something that's pretty exciting, and that is cyber mutual assistance. And, next slide. Oh.

so cyber mutual assistance is about mutual assistance for the electricity sector in North America this is a program that is sponsored by the electricity sub sector Coordinating Council now when I say that you'll say Dave that sounds swell what is what is that thing that you just said it was this is the electricity sub sector Coordinating Council it is it's fundamentally it's a place where the electric grid owners and operators meet and interact with their government partners from across the United States it's a place where they can function have liaisons to talk about events or recovery from events that have a regional or multi regional effect across the United States if there was a bumper

sticker for what is the electricity sub-sector Coordinating Council it's about unity of effort in unity of message and their meetings definitely do not look like this ever so what it what it really looks like is we've got 31 CEOs from across the United States different types of utility business structures from investor owned utilities to cooperatives to municipal or public power so the the CEOs the leaders from these organizations meet with their counterparts in the federal government which consists primarily of representatives from the Department of Energy the Department of Energy is the sector specific agency for the electricity sector along with the Department of Homeland Security oftentimes there will be representatives from the FBI DoD occasionally other three-letter

agencies and the the focus is to to bring about unity between both the industry and the government so that this would never happen that the government would throw parts of the industry under the bus when there's large events so we want to we want to avoid those types of things this is a satellite picture of Hurricane Felix which was a number of years ago but it is it is emblematic of an issue that the electricity industry has been involved with for nearly a hundred years and that is mutual assistance so when a hurricane hits Texas or hurricane hits the East Coast we've got wildfires in California you've got floods in the Midwest what happens is that utilities

that are under duress under stress they're being attacked by non intelligent actors like hurricanes they call for help in utilities who are not being attacked by hurricanes come alongside those utilities and help they they they they put up power poles they string conductor they function to assist the utility that is having the problem so in 2015 the industry was involved in a very large exercise called Newark grid x3 and the grid exercised three consisted of hundreds of utilities from across the United States in in an exercise where in theory there were active shooters there were explosive substations were getting blown up there was malware it was just a disaster it was terrible um but it was both a

cyber attack and a physical attack simultaneously in the executives there was a no there was a portion of the exercise that were senior executives that sit around the table and they said they said we have a problem right now today we have a model for utilities helping utilities in the face of physical events hurricanes or even explosions that sort of thing we have a model to address that we don't have a similar model for the cyber this surely shall not stand and so the council met again totally not like that they pounded their fist on the desk and they said we need us essentially a cyber mutual assistance program to provide fundamentally for the cyber surge

capacity where we're in a situation where given utilities being overrun by a cyber attack other utilities can come alongside and provide assistance all good well what is the assistance really meant to serve fundamentally cyber mutual assistance is about the delivery of assistance for for energy it's not about helping a company send out bills on time or get a little webserver restarted it it's not about that it is about the delivery of essential services that our customers and really when we think about in this country in North America in general we have a real problem culturally and societally if we do not have electricity so that's what cyber mutual assistance is about the delivery of electricity or energy for

our customers now unlike conventional mutual assistance where you've got literally bucket trucks that are driving hundreds or thousands of miles for superstorm sandy we had out literally thousands of crews from a the United States and Canada go to the East Coast to help put back together the East Coast that was really severely impacted by superstorm sandy within the context of cyber mutual assistance I'll tell you generally bucket trucks are not really a good way to transport people but frankly probably the first thing that you're going to want to do is not send people from utility a to utility be probably the first thing that you're going to want to do is you want to pick

up the phone you want to pick up a computer webinar you want to have the asset owners talk to other asset owners about what's going on what are the indicators of compromise what have you done that's worked what have you done that has not worked what what was the specific target of the malware or the problem that you're experiencing so the first thing that's going to happen is a convenient function of subject matter experts regarding the event and to talk about what can be done to to address it and approach it so one of the one of the one of the things I don't know if your companies are like this electric companies are not like super eager in

general, to talk openly about vulnerabilities or exploits. People are nervous; people don't like airing out their dirty laundry, right? We get that. So cyber mutual assistance is predicated on every utility company that participates signing a nondisclosure agreement, so that under the protection of the non-disclosure agreement entities can have adult discussions with other entities about what happened: where were we vulnerable, what really happened to us. We think that, as a general matter, these discussions cannot happen without certain protection, legal protection, regarding those discussions. The next thing: we've got the money up here. Cyber mutual assistance is not charity, so in the event that things happen, like people travel from location

A to location B to help others out, the expectation is that the receiving utility will cover the labor cost, transportation cost, hotels, meals, all this stuff. It's not charity. And then finally, justice down there: people were nervous about, well, if I help somebody out and things don't go perfectly, am I going to get sued? So the answer is no, unless somebody in a wantonly willful manner is engaged in misconduct or gross negligence; they're going to be held harmless. So sort of a Good Samaritan provision there. Now, so we've got three things going on here, including cute puppies, because fundamentally cyber mutual assistance is a voluntary program. It's voluntary, so a utility can

sign up for it, they can even receive, I'll call it, a call for help; they can help if they want to, and if it does not make sense they don't have to. There is not an affirmative obligation for them to provide any particular resource or assistance. It's voluntary. So you may have noticed in my first slide there's a little asterisk regarding electricity. One of the things that has just happened very recently, in June, is that the Electricity Subsector Coordinating Council agreed to expand cyber mutual assistance to include those natural gas utilities who might be interested in participating in the program. So we think that that's really good news, because there are a lot of interdependencies between natural gas and electricity, and

in particular the amount of generation that is derived from natural gas has been growing dramatically over the last few years. So a lot of interdependencies, and we think it makes a lot of sense for a good partnership. Now, I would be singing you a song if I just said, well, life always has blue skies with puffy clouds and unicorns. That is not actually reality; there are some challenges. So let's talk about what some of those challenges are. Fundamentally, within the context of cyber mutual assistance, let's say that an entity is being attacked regarding a very specific set of equipment that they have. The other utilities are really going to be asking themselves the question: am I next?

Is the attack that's happening here going to happen to me? Cyber attacks, as a general matter, tend to be no-notice events. Normally we don't see a cyber storm hovering off the East Coast with a three to four day warning where they say, okay, the cyber is going to hit New York now. That's not normally how the cyber happens, not normally. So we can't really schedule these; we can't warn people, generally, three or four days ahead of time, unlike hurricanes. And then finally, the typewriter is there to depict the keyboard. As a general matter, utilities are not very keen on the idea of people who they've never seen before showing up in their control system and clacking away on the

keyboards. Probably that's not going to happen. But that having been said, we've got some pretty exciting metrics right now. As of yesterday we have 121 utilities from across the United States and Canada, because there is the North American grid, but the utilities that are participating include investor-owned utilities, co-ops, public power, federal power marketing administrations, ISOs, RTOs, and transmission-only providers. So when we look at the utilities that are directly serving customers, our calculations indicate that, if we put all utilities together, approximately 80% of customer meters in the United States are served by utilities that are part of cyber mutual assistance. So that's pretty exciting. Thank you. All right, I get to bat clean

up with everybody. My name is Steve Luczynski, as Bo mentioned earlier, and my talk is about taking a more proactive approach to cyber security. And of course I knew what Dave was going to say, so I had to throw some hurricane pictures up there, but I think that worked out rather fortunately, so I'll build on some of his good ideas. As Bo said, I work at the Pentagon. I'm currently in the Air Force. It's given me some good insight. I think, where the Galactic Senate, that's not what he's doing, I am absolutely in the heart of that and I get to see that. So I bring that up in the sense of it's given me

perspective, and that's what has led to the thoughts and where I participated in this work. Also the big giant caveat: flip-flops, beard, I'm not in uniform. Nothing I'm saying has anything to do with my current job; it's all my personal opinion. So I will not talk about anything in DC, I have no opinion on current events, and we'll go from there. So, walking away, what would I want you to take out of my presentation? We cannot just sit around and wait for a major cyber attack to happen, and I'll get into what I mean by that here in just a moment. Our government needs help, surprise. If we wait around just for the government to

come up with a solution, we're going to have a lot of problems down the road if we do get a major attack, and I think that's where we, and I'm going to say we, a part of your community, the smart technical folks, the big thinkers, anybody that can come up with a good idea, need to chime in and be a part of this solution, and that's what I want to talk to you about today. So on the slides, at the end of 2016, on the left you've got Hurricane Matthew, on the right you've got just a quick heat map of the Mirai botnet, and I put those up there as a way to give you an analogy and how I

think about, and what I'm going to talk about, a solution. And the idea is, one of them, the hurricane, that is not man-made, so it's definitely different than the Mirai attack, but they do have some similarities. We see how they come across towards us a little bit, and like Dave said, not always with a lot of warning for a cyber attack. We think we know how they're going to move towards us and we can prepare for them; we can put things in place to get ready to mitigate their effects across a wide area. And that's how our government is preparing for a major cyber incident: we are waiting, we're preparing, and we're going to have a

heck of a reaction to it. And that's where I think there's a problem, because that is just waiting to get hit, and that's where we need to make some changes. So, the more proactive stance, if you would, please. So again, building on just the analogy that I mentioned before: the state of Florida, that's where I grew up, hurricanes near and dear to my heart, having dealt with that. Mom and dad are still there, so I care and I watch very closely. And then just a quick depiction of this is how the internet gets to the country, and that's just the submarine cables; there are lots of other ways. But just the idea that, even though I say

there are some similarities in the analogy that I'm building here, it's the differences that we need to key in on. The fact that we don't know how a hurricane is going to get here, to some extent we know, and we know who owns how a cyber attack is going to come into our country and get through our borders. We don't really know the mechanics and the physics of a hurricane; we're figuring that out. We know how code is written, we know how all of that works going through the fiber optic, so we can do something with that. And then, more importantly, what I pointed out earlier: we can't do anything to change the mind of a hurricane, but we

certainly know there is a human behind a cyber attack. No matter how automated it is, somebody put that into action. So how can we get at that and affect it in the way that we want? And that's where I say, instead of waiting: right now I can get punched and I can have amazing doctors and they'll clean me up and they'll eventually make it stop hurting. I'd rather not get punched; I'd rather deflect that ever coming towards me. Even better, instead of waiting for somebody to swing at me, I'd rather show and demonstrate my ability, that they do not want to pay the price if they actually even try to swing at me. If you want to call that deterrence,

that's fine. I stay away from that only in the sense that it brings up nuclear deterrence, and we're going to go down a path that there's no amount of booze in the bar that we can finish that discussion; there's too much there. So deterrence, coercion, co-opting, whatever it is, I want that not to happen. I don't even want to have to deflect it; I'd want to prevent it completely. So that's what I'm talking about. And then, as I mentioned before, when I say a significant cyber attack, something we have not seen. We've had some big things, but we have not seen the big giant high-end major one where you expect your government to get into action and fix it,

and you expect your government to actually be good at fixing it. On any given day that is your expectation. So when I say cyber attack, not just your random servers or some services bad, but I'm talking about the big one. And so again, you know, the perspective of being in government and working on the civilian side of the Department of Defense and how we deal with the interagency. I think, you know, everybody knows the previous administration's policy was: businesses, you're on your own, we're not going to contribute there; critical infrastructure, key resources, that's where the government's going to come in and help out, because those are the things you need to live: water, electricity, the

financial sector's included in that, all of those types of things. And that guidance hasn't changed, even with the transition of administrations. And again, perspective-wise, I think everybody would agree we're struggling a little bit in the government: WannaCry, Petya, everything that's going on, the Russian election hacking, things are not that great. So those are not even at the level that I'm talking about of the major cyber incidents. So if we're bumbling along at those relatively easy incidents, not easy by any means but certainly easier than what I'm getting after, then how are we going to perform when there's something big, when all the bureaucracy shows up to help out, trips over itself in trying to do that,

and tries to introduce itself: you know, hey, who are you, what can you do? Oh, what are you doing, DHS? That's not what we should be doing. We should have an established system where all of that is ironed out so we can react to the bigger things, and if we're not busy doing the bigger things maybe we've got time for the somewhat smaller things. So it's a good balance from there, and that's where I'll take you through. Slide, if you would, please. So bear with me for a moment, a little bit of an eye chart, but the way that I will describe this, I'll use again another analogy. If you've ever heard of Joint Interagency Task Force South, that is a

government operation that goes against the drug trafficking that's coming up through the Gulf of Mexico. And if you go across the top of the chart: FBI, DHS, and DHS includes Customs and Border, ATF, Immigration, you have all those elements, and DoD's in there with the intel community. And so now everybody is able to use their assets and what authorities they have to execute their part of the mission and work together very closely, to the point that they're in the same room. They know each other; they are not just talking, they're not just sharing info, but they're actually executing operations. An example: DoD has the ability to look at things far away, intelligence, reconnaissance, aircraft, ships; we can move things around very

quickly and easily, but I can't go arrest anybody in the Department of Defense, except for some special circumstances. But I can take the Customs and Border guy, the ATF, I can take the FBI guy, and I can put them in a place that, when the drug runner shows up, then I can go ahead and move in and arrest them. State Department's there, working with other countries in the region so that all the diplomatic parts of that get solved. So that is an example. We won't get into the merits of the whole drug war and things like that, but the idea is that the government is working together, operating, and not having to come back for permissions, and getting the job done. So

that's the idea that I want you to have in your mind as I go through this, and I say: cooperating, in the same room, getting the job done. Now let's put that in the context of a major cyber event. As I mentioned before, again you've got FBI up at the top of the chart. They can do their law enforcement job, arresting when needed; they can work internationally, outside the US, to make the same arrangements, and that's been done before. DHS is handling things internal to the country, and then DoD, like you would expect, they're staying outside the borders and they're looking downrange and trying to prevent things from getting here. You have the rest of the

government going around the chart. Starting at the bottom right there, you've got the other branches, with Congress and their oversight. You've got the regulatory bodies, depending on the type of incident: you've got Treasury if it's the financial sector, Health and Human Services, and also the Department of Energy. You also have the state level and what they can bring in with the National Guard and their capabilities. And so that is how we're structured right now to react in the case of some type of major cyber incident. So with that in mind, what ought to come to your mind, I'm guessing, because as I went through this, this is something that came to mind, is that, okay,

well then we're already doing that, what are you talking about, Steve? We are doing that: separate op centers, they talk and they try to practice. But this is not something that is already set up, already established, and that's where I think the benefit comes from of combining them, building off the previous model, so that they're together and they can operate more effectively. Hey, you just want to start another government agency, Steve? That's more money. No, I'm with you on that too. Without naming any names, I would say it's fair to say that there are some government entities that aren't always as effective as we thought they would be when we set them up. So how do we maybe get rid of

those, combine them, put them into something that actually works? And if this is the foundation for that, and that combination helps, then that is helping get after the problem. And like I mentioned before, the main difference here is we don't have to wait. We can actually affect and show the human on the other side of this major attack: don't bother doing this, this is what the U.S. already has established, this is what we're already capable of doing, don't even bother taking that swing, because you know it's not going to be worth it. And that's where I think we get after this problem, because it isn't just a government-only problem, and I've purposely focused up to this point. You

might be wondering, hey, why am I hearing this talk? Part of it is because the tendency, in my opinion, is that we look to the government for the government answers, and all the subject matter experts, the bottom left there, that inner circle, industry, academia, that is where a lot of the expertise resides. That is where the people own the pipes that bring the Internet to us, and so there are some advantages we can take advantage of there, and that's what we need to capitalize on. An example of this: I just read recently there was an article in Wired magazine in April, Garrett Graff, and he talked through the takedown of the GameOver

Zeus malware, and this was a combined effort. I feel proud that I had my presentation written before this happened, so I want to claim it even though I can't. But it was the FBI's Pittsburgh field office that organized Microsoft, McAfee, CrowdStrike, Dell SecureWorks, multiple countries, all of that coming together, with the way that I would say I've been thinking about this problem and how we've been going after it with this mindset. And that's where I threw down in the bottom left corner the idea of allies and partners; this can be expanded outside of our country. That's just one more element of this complex problem to get after. So with that in mind, it only brings up more

questions, probably, in your mind, and those are the things. We're coming to a talk like this being able to say, here's my big thoughts, I have no details, I have nothing but more questions after putting this thought into it. So the biggest thing that jumps out in my mind is: that's a great idea, can we divert traffic, can we look at packets, can we do whatever it takes to take them out? Right away, there are huge, privacy is the first thing that comes to mind, there are legal issues, there are regulatory issues, competition, all of those things. I don't have that answer. How do we do this? Is this a group of people that are focused only

on the energy sector? Is it the electrical grid? Is it oil and gas? Is it the financial institutions? So there are a lot of elements there. The telecoms, let's say they're in this group as I described it; they can't be in every single one of these. Is that a regional approach? Is it state? Who runs it? Is it military or civilian? So there's a lot more that goes into this that needs to be thought about, and it includes who's going to pay for it. So if this is a giant elephant and a wicked problem that we have to get after, and we're going to eat this elephant one bite at a time, I would say we're just barely getting

the plates; we haven't even bought napkins and forks and all of that. So it is a matter of starting to get the thinking, starting to get the dialogue going, to get after this problem. It's a leadership problem, it's trust. How do I put somebody from my company, from my US government agency, in a room, and I'm going to talk with you, and if I don't do that on a daily basis I'm not going to build the trust, and after a year of doing this I'm not going to let you keep going there and costing the money and the salary that I'm paying? This is something that gets after across the government, because this is well beyond any election

cycle. This has to be done over time, to build the confidence, to build the capability. Hopefully you never actually demonstrate it, but when you need to, you need to know it's there. So that is the difficulty of this, and that's why I say it's more of a leadership problem, with the trust being the main part of that. This work, it was part of a student project, and we had this going in the summer of 2016, leading up to great discussions across the government, very receptive, very well received, briefed it up through the cyber director at the National Security Council. Administration change, so I'm leaving government, and things like this are lingering out there. Good, I'll say good ideas, I feel like

it's a good idea; you'll tell me otherwise. But just the idea of how do we continue this going forward: we as citizens can talk to our elected leaders, we can think through these problems, you can go back to industry, you can go back to your government jobs, and if you see places to do this type of cooperation or have this type of dialogue, that's what I would ask of you all: to try to grow these ideas, get rid of this one because it's terrible and come up with something better, that's awesome, I'll gladly chip in and help on that. So that is what I'm hoping for: your questions and critiques at the end. And I appreciate your time.
