
so hopefully everybody knows me by now but I'm Josh Corman I'm going to be helping with this twoh hour block of our second uncomfortable conversation for the day and joining me I'm so happy we I couldn't put it on the agenda because I wasn't certain we could pull this off but we have an official White House Office of national cyber director person thank you hi everybody you yes my name is aanne Isam I serve as director cyber Workforce uh with the office of national cyber director but um prior to that uh did a short stint um at a think tank as an associate policy uh director for uh cyber policy and emerging threats and uh
several years uh as a uh cyber security strategist and uh having a multitude of roles between special projects in aviation cyber security and as well as um pandemic response which we will get into a little bit more so when uh share a number of our stories uh when it comes to our time together at siza so okay so I'm going to embarrass you a little bit um the Cavalry has been now 11 years right turned 11 years old on August 1st so if you weren't here in the private private private meetings give yourself a happy birthday um one of our major Milestones was we got the First Congressional Delegation to deathcon uh and it was bipartisan it was
Will herd of Texas and Jim Lan of Rhode Island uh who is the founder of the Cyber caucus in the house and the two of them were very influential on things like cyers space commission Etc and the person who cut through all that bureaucracy to make sure we could actually get two sitting congressmen to Def con okay [Music] than like this is never going to happen you're like hold my beer okay so um baracy hacking is a thing though yes like yes yes and a much needed skill so please please get yours too um so we we have had several hats we've worn in several fors of collaboration and I was overjoyed to see how many Cavalry is
people entered the inaugural Office of the national cyber director uh this is something from the cyberspace alarm commission that um the bipartisan commission made a bunch of recommendations and have been advancing the law and one of the things they put in the law was having a senate approved permanent role in the White House to do cyber coordination across the executive branch uh for strategy for policy and really really really excited at how many Kindred people are in there making sure it gets a solid footing and moves forward and these people have been coming to hacker cons and participating and advancing our causes for quite some time so this is going to be a heavy topic I'm actually was going to pull it
up just so I can make sure I remind us how to stay on track because the one after us sounds similar so let me pull up what you came here for so this uncomfortable conversation is called times up you have three years maybe three months maybe three weeks to protect your stuff what do you do right I think we were inspired by some movie and I forgot which one now but uh we're going to have a focus on really short-term measures that we could use to reduce risk so yesterday we talked about in the context of more disruptions larger disruptions longer disruptions more life safety affecting disruptions from accidents and adversaries from crowd struck and Criminal ransoms on
change healthcare for the healthcare space this is increasingly disrupting our communities and our families it's not okay and it's about to get worse and it's uncomfortable to talk about how it's about to get worse with the Advent of hybrid Warfare but when uh myangelo said uh When someone tells you who they are believe them and the leader of uh superpower has declared intentions regarding Taiwan and marked on the calendar 2027 and as of this January and Declassified briefings to Congress the four heads of cyber for the US from uh Christopher Ray from FBI uh now moving moved aside or replaced recently former director of NS sa General nakason director Easter Lee of sisa and your bosses your big boss uh Harry Coker
from the office of national cyber director all told Congress about um that we have both found and evicted a campaign known as volt Typhoon from us critical infrastructure quite a few of the examples are about water and waste water so even before we knew about Vol typhoon if you go and watch last year's videos one of the Fantastic ones was you and spanking uh Steve lazinski we had update on those four Lifeline critical infar sectors of water we drink the food we put on our table oil and gas pipelines slash power let's just call it power uh and emergency medicine and all four have been disrupted and all four are going to be increasingly disrupted and yesterday we
had updates from each of them and what's happened in the last 12 months but also challenged each of them to say if you had a destructive attack not a ransom not down for seven days or S weeks but destructive attack what are the cascading effects on your family your community your country so instead of us just waxing poetic I wanted what does the White House think about this and what was the White House National cyber security strategy that was published last spring and how are we doing on it and what has worked well and what has not worked well and there'll be certain things an official spokesperson can say and there are other things that I will
say uh when we reach some of those limits uh but let's um let's bring the gravitas appropriate for this let's try to have the hard conversation simmer in that discomfort and um figure out what you can do so we're going to look for ways that we can left aoom and right AB boom take reasonable steps to identify and buy down risk and it might not be Shields up and do this best best practices it might be connections down right if you can't afford to protect it maybe you can't afford to connect it and these are not recommendations from the White House but I think given the finite amount of time we have less than 2 and a
half years it won't be January 1st per se it could be later it could be never it might not be China it could be Russia it could be Iran be North Korea any but if there is a conflict the next conflict will be a hybrid conflict and we are very prone to disruption so um this is meant to be a discussion we'll have a couple framing remarks from the White House folks from me a little bit of back and forth and we do have some shared experience as well in that um when the pandemic was declared I got uh approached by the first director of sisa to be the chief strategist for what became the sisa co
task force and we assembled a m massively multidisiplinary team of Physicians infectious disease experts hackers logistic supply chain people quants um data scientists to try to identify and buy down risk on the nation's hospitals and on the vaccine Supply chains associated with operation warm speed and I had the privilege to have someone I knew interest trusted before already at sisa willing to do our highs side work and we did not have infinite options on how to protect these soft targets so we we're going to show a few of those things the right moment on when we didn't have three years to harden the targets we had three months so in this case two and a half years is
a lot better than three months I'd like to have 10 years but we have the time that we have and we can do smart things in different phases uh as individual citizens for our homes for our communities maybe at the state level and I want to stay right up front in case this is not clear I am a really big fan of what the White House is doing what Congress is doing on Cyber what some of the executive branch is doing some are better than others they the the recognition of the problem is there it's bipartisan it's by cameral in the house which means so it's not just executive branch it's also a legislative branch by Camal means both
the house and the Senate so it's bipartisan and by Camal which is super rare there's some good parts in the White House strategy there's a lot of execution and accountability for the first time in a strategy there's a lot of progress being made all those things are great and the overwhelming majority of those will not manifest protective benefits in the time hor Horizon we're speaking of so we have a period where we are over-dependent on undependable things with increasing harm we have a period where a lot of what your teams are doing are on the right path we're rebalancing that we are more proportional and how much dependence we have and how how Dependable things are
this middle is very very messy so I expect the federal government and the Central and our allies abroad are going to do the right things and keep doing the right things and I think we have role we can play in this messy middle so any opening Salos from you just to add the fact that um as you mentioned earlier the need for Investments now we're going to see the benefits not even within a year hopefully within 2 years time it will it will take work hard work and it will take Collective effort um and that's the purpose also of the national cyber security strategy and then on top of that the national cyber Workforce and education strategy because
my um just quick uh uh anecdote and story is that I decided to also take a lot of the experience that I had with training and Workforce Development uh recognizing that I had a sliver of a operational uh window of working in the vulnerability management uh side of siza and literally getting like for the first time ever learning what burnt out would be for lock for Shell right and then the shoe was finally on the foot other foot to say oh my gosh this is like what my colleagues are dealing with on the on the front lines and uh to have a greater appreciation of well how do we ensure that we have enough folks so we're all
fighting the good fight but also still having a healthy amount of you know energy to keep doing the good fight this is a long Marathon um and uh that that you know we still continue to stay passionate um with providing the service that we do regardless of where we are whether it's on the industry side academic or you know state and local to to Federal like they're they're different pieces and uh as a result we cannot do this alone we on the government side may come out with policies that are also informed by all of your work but it only will be successful if the uh documents that we're creating and the engagements we're um I'm part of actually help create that
trickle down effect and if there's that part in the middle that is working or there's a disconnect this is where it's helpful to have these conversations and spaces that um most of us are typically not at to all engage in so yeah all right so there's a number of ways we can slice this we're going to probably do we have an audio problem okay we're going to probably um put a few Primitives out there to see the conversation but don't let us talk for too too long we want to start tting the mics and if I don't know if you have a second mic Runner but if someone wants to volunteer to be a second mic Runner I
don't have a I don't have you don't have a second mic okay never mind okay um so we'll do our best to track the order in which people have comments one thing we did not do in the last discussion with Andrea was maybe this is too much time in Think Tank land but the one finger means I have a new topic and the two fingers means I'd like to remark on the topic we're currently discussing so that might allow us to play a little bit of real time judgment calls on who to call on uh and we like people to keep the remarks somewhat short so we can get to as many people as possible we had a significant
demand last time also while I'm bringing that up um we talked about professionalization with the inter tuition and it was less spicy than I expected but very engaging um and one of the things that I will flag as a piece of tension that you may want to comment on today in our session here it's not so much about what we can do in the next for critical infrastructure hardening but it may be about how we best scale the talent we have available so one of the pieces of attention if I could put my left pan in my right hand um if we try to professionalize and separate charlatans from you know reputable trustworthy people um not to
be gatekeeping but like it's harder and harder to tell who's living up to a standard of care like Professional Engineers or Physicians if we try to professionalize to Market signals to the public how they can trust engagement with us what they can get from it how it's in our best interest that could narrow the field of talents absolutely and in our right hand a lot of the great work done on the office of national cyber director and you specifically you and your team specifically has been on Workforce Development how to scale it and that included recommendations for federal roles to drop the requirement for a four-year degree not to lower quality but what is the fit for-purpose
way to take the existing talent pool and maximize it while growing the overall talent pool strategically so our tactics you know could be in ttention but I think smart people can negotiate those tensions well so perhaps we get even better lens on that time permitting um from your published Workforce strategy yeah okay so with that aside um hopefully you guys can pay attention to whose hands come up first and when if it's one finger or two finger so the calary was focus on everywhere bits in mights me flesh and blood but during my time on the C task force together we realized wow uh there's 16 critical infrastructure sectors but they're not all equally critical um financial
services does a great job because they got a lot of financial punishment and they adjusted really well and their public private partnership is awesome Department of energy is got some things done really really well have a good public private partnership on the bulk of power but maybe not on the small medium rural municipals yet right um Healthcare maybe would be third but I think healthcare is in very very very bad shape very very bad shape on we're we're focusing more on your privacy than your life right we do almost everything for Hippa less for patient safety and that is changing but it's pretty far behind but then there's like you know on of these 16 things when
everything's critical nothing's critical and one of the things we tried to say is out of the 55 National critical functions across these some of them are the bottom of Maslow's hierarchy needs so Angry Birds is it which is technically you know critical infrastructure but nobody dies if Angry Birds goes offline you shut off water for 24 48 Hours very bad thing starts to happen so with a stratification of M Law's hierar needs food Water Shelter the things that keep us from being lower the Flies last year we started making the pivot with the Cavalry not to exclude the other things but to highly prioritize what I uh what some people call Lifeline critical infrastructure so
that's Water and Wastewater which is uh the public private partnership for that is the EPA envir Protection Agency Andrea matci pointed out that the Burning River in kayoga uh triggered the Clean Water Act in the formation of the EPA which had been the newest Federal agency until sisa or this one in between um we we are going to talk about EPA so make sure please remind me yep because this was a great part of the president's National cyers SEC strategy they got rebuffed almost instantly so the EPA is in charge of the public private partnership uh Dean our fantastic speaker from yesterday is in that industry there's not a lot of trust in the public private partnership
there's not a lot of traction yet in the public private partnership and yet all of us need water uh the food supply um you heard yesterday Si code says there isn't really an an ISAC for uh for food people disagree about that there was a special interest group in the it ISAC which is a different sector mostly for Consumer package Goods which means the factory like Pepsi Co bottles potato chips canned things things once it hits the factory but from the farm to the factory very very very little participation and when we were pointing out to Congress that there is no food IAC uh what would we do if we had actual intelligence to disseminate
to heat choke points in the hyper concentration of risk across food supply uh the it ISAC just declared themselves the food ISAC so we have one in NE um it has very limited participation so far and I I believe we still need a more comprehensive representational dedicated ISAC information Sharing analys Center for food and we have had some attacks and you saw some of that yesterday if you missed it go watch Si code slides there's been a number of ransoms some of the more high-profile ones you might have seen could be JBS Meats which is like north of 30% of meat for the for the Americas um there was a dole had some disruption there was Pam's Pride there
was a shortage during the pandemic my daughters noticed before I did of cream cheese for a bunch of reasons including some cyber stuff uh maybe you put this in food nag maybe you don't but the baby formula right so we have a heavy concentration risk increased digitization increased dis disruption from accidents and adversaries so the food supply is not so robust yet um the oil and gas pipelines for Colonial but let's talk Municipal so Department energy is a great sector risk management agency it works uh through Caesar and other things with their ISAC they have nerk and FK there's a lot of Engagement there's still room to grow there especially as we've increasingly moved to solar and if you've heard um Dr Emma
Stewart yesterday uh she is currently the chief scientist for the grid for Idaho National Labs and prior to that she was uh at nreca which is what uh stands for National Rural Electric National rural National Rural Electric Cooperative Association so all the smalls all the Last Mile and one of the unfortunate side effects of all these solar panels is all of the solar panels all of the inverters all of the batteries are made in China and many of them are beaconing back to China By Design so in the case of conflict which we hope we don't have in the unlikely event of a water landing uh we do not have alternative suppliers at the moment um so Municipal Power is is a big
issue so we have a big a head start public private partnership schools have been affected colleges have been affected federal agencies have been affected um but back to these lifelines um during the pandemic my team studied um a natural experiment of protracted pronounced disruption of healthc care delivery in the state of Vermont and we could see with another piece of analysis we did uh called uh we did some excess death analysis we could see that in the same state with the same population adjusting for Hospital type and size um the regions affected by Ransom achieve these excess death stress levels sooner and stay there longer than their peers in the Sate so we can measure minimum
maximum most likely loss of life connected to the protracted cyber disruption Dr Christian the MAF yesterday has published several peerreview journals since then on the blast radius when someone might scripts goes out what effect does it have on the community that has to take the Overflow and more recently he studied shocking uh survivability rates for heart conditions during a ransom shocking um please watch that tomorrow but we now know that this is not just about our privacy this is about worsen outcomes delay degraded denied patient care affects mortality rates especially for time sensitive conditions like heart brain pulmonary trauma Ian we saw that with um the you know pharmaceutical side of the house would change Healthcare and
then how that had a trickle down effect and uh impacted patients ability right to to get life-saving prescriptions and drugs and this wasn't just through um you know insurers and general providers this was also impacting uh veterans who would uh get their medications through the VA and they're Downstream sources so yeah there's like un unforeseen consequences but that was at least also like one major news story that had like real people real effects that finally was connecting to the public the severity and seriousness of what a cyber incident could do Downstream to the patient and I hope to talk a little bit more about Healthcare later but I'm going to do a very quick thing because we
announced a project yesterday called dis uh undisrupted 27 if you haven't heard make ask or a question we'll repeat it but undisrupted 27 is um realizes that we have excluded for too long citizens that that bear the brunt of these failures owners and operators of critical infrastructure that are Target rich but cyber poor in these communities and Municipal leadership like we've had a good Federal approach and Federal straty and we've pushed it down some of them have pushed back but we've really excluded the people affected by our cyber security failures um for too long so I'm going to show an example of what inspired this project it's a tiny example that we came up with during the
pandemic but I put some ugly slides to you after the pandemic uh task force was stood down I don't think the pandemic's over no matter what people have said but um here we go um this is a modified version what's called on wly map wly are really awesome and really confusing um so I only use the vertical the the horizontal still confs me but you basically start with things and what depends on what things and what not so I'm going to make a dependency chain here in their love language CU for many many years this group has done really good things with Healthcare but only recently we started making huge strides and it was because
of this ugly graphic that I'm going to animate a health delivery organizations Health and Human Services which is the sector risk management Agency for healthcare and Public Health in the US which is 20% of our GDP and every single one of you needs Healthcare and citizens we all want the same thing which is we want to keep people alive right theoretically that's what we want well one way you keep people alive is carrying capacity regionally so what is carrying capacity that's how many patients can you see concurrently okay so when you talk whenever I would talk to people even during the pandemic about the cyber security I'm sorry um even during the pandemic when we had
record high ransoms concurrent ransoms very disruptive ransoms when you talk to hospital leadership and you say we want to give you a couple million dollars to to to shore this up like if you gave us $100 million we would apply it to the three s's so their love language is the three s's so what do I mean by that in a carrying capacity they talk about space supplies and staff everything comes down to space supplies and staff so you might think a 100 bed hospital is your means because you have 100 beds means you have 100 beds of carrying capacity that's not true if you only have 80 staffed beds and you don't even have 80 staff beds
capacity if you only have supplies for 60 of those 80 staff beds so it's a constant theory of constraints what's the bottleneck for where do we apply our capital and at different times throughout the pandemic different things were stressed to different degrees so that's what they want to spend money on they said if you gave us a million dollars we wouldn't hire a security person we would hire more nurses we wouldn't buy an EDR solution we would buy another ambulance so they want space supplies and staff okay so I modified it in a couple ways because keeping people alive we were doing a very bad job at it at the one-year Mark of the pandemic
when all of you heard on the news that we had 500,000 half a million citizens in the US who had perished from Co you had also heard that though they were mostly 85 years old or older and mostly with four or more comorbidities so while it was tragic and these were our grandparents our parents our loved ones a lot of the country was numb to other things and mostly said yep people are going to die what they weren't paying attention to is on that one year mark my team studied a constantly published piece of U performance measurement called excess deaths so the CDC Center for Disease Control tracks excess deaths which is a running multi-year average of the number
of expected deaths versus actual deaths by state by condition by month so if in Lo if in Nevada you normally have a th000 heart attacks in the month of August as a running average it's expected and you have 1,200 then you have 200 EXs deaths now what we noticed in this number of excess deaths which is a significant number I think it was 250,000 if I recall EXs deaths in the first year is that these were not older people these were primar the fastest growing demographic was 25 to 44 year olds and you've heard me say this in previous years but these were younger people not only younger people these were critical infrastructure aged workers that did the
ports in LA to get our supply chains that worked in water and wastewater that worked in factories that worked um truck driving and as they succumb to sickness death disease alterations to Family Support structures more and more parts of society started to fall apart and as a hunch given our work on the Cavalry and C Med Summit I said I'll bet you these are heart conditions and Pulmonary where minutes or hours of difference between in life and death so it's not just keeping people alive our hypothesis was this is where minutes matter hours matter days matter heart rain pulmonary and it's true we're out in the data so we said to our guidance to hospitals hey
if you can prioritize the time sensitive conditions get rid of elective surgeries that have the potential to put strain on your ICU or intensive care units please do so so we tried to say time sensitive matters the second thing we started to realize is they didn't care about these disruptions to hospital equipment or hacking or anything like that but I realized just telling them to care about something that wasn't one of the 3 s's didn't work and then we talked about medical technology so an a a Neo native intensive care unit for babies in 1990 and a nurse could handle one acute patient at a time one to one in fact Bo has a great story of one of his first uh
contracting jobs in in in cyber security at a hospital helping the natal Intensive Care Unit fantas fantastic story but armed with modern technology we now have nurse monitoring stations that can handle one to many maybe 3x maybe 5x the nurse to Patient ratio safely why is that it's because medical technology is a force multiplier of your staff and finally it occurred to me that the unavailability of that technology is a force divider so you've got Circa 1990s capacity but 2020 level nurse to Patient ratios you went from a very safe to a very unsafe situation very very quickly and who suffers the most are the time-sensitive acute care like heartbrain pulmonary on the day that we published
our excess death research same day October first I believe it was the Wall Street Journal on a front page story of an alleg of a court case with an alleged victim the first alleged victim of ransomware which is a baby that lost their life in Alabama from 2019 please look up that story it's ongoing they had settled out of court and then they changed their mind and haven't so I don't know the current state of that but a modern ability to deliver care is we we're dependent on several connected Technologies and when they're not available to us for Imaging to know that there was an umbilical cord Raptor on the neck before the birth led
to a more challenging birth but a successful one and then in the Intensive Care Unit the lack of telemetry and remote monitoring affected the quality of care afterwards and doctors and nurses with messages to each other admitted that had their technology been working they never would have lost this baby so while the baby was successfully born perished later and this is still going through the court scene your first named victim and on the same day we published the first statistical proof of loss of life so we hoped that that was the end of the debate of is this a privacy issue for Hippa or is this a public safety human life issue because when these Technologies fail as it's the
patients that suffer so this is some of the data science we did and then while I thought we put ourselves in the right path because we passed the patch act for medical devices so there's actual FDA authority to make really robust defensible maintainable cyber security programs like seat belts for cars um and we're in the midst of a hot debate over how to regulate minimum cyber hygiene for hospitals it can't come fast enough because just before this conference last year St Margaret's Hospital shut its doors forever uh and it's not the first one to close its doors from Financial insolvency uh there have been over 200 of them in the last 5 years it's the
first one to publicly admit that their Ransom was a key contributor to their financial Ro so we started digging into that and over the last several years this particular tracker at a University of North Carolina every one of those dots is a hospital that doesn't exist anymore it wasn't bought it wasn't even prayed upon by a private Equity takeover it wasn't Consolidated it's just gone so the only thing worse than being down for 6 weeks or 12 weeks in a ransom event for delayed degraded denied care is being down forever people who live in that Community draw a radius around that if it's more than 4.4 minutes you may see elevated loss of life to heart
attacks if it's more than an hour or a few you might see elevated loss of life to strokes and as these hospitals close Dr Mark Jarrett pointed out he's the head of the healthcare and public health sector courting Council that there's a corresponding drop in income to the region as well as families move away as industry moves away because if you need care and you can't care what starts as a care desert turns into a desert desert and if this is one of the areas we do some of our concentration of risk for food or some of our aquifers or some of our most vulnerable power and utilities um this is a havs and a Have Nots Target R cyberport
problem. So we know Colonial Pipeline did severe damage, maybe not what was the intention. We know NotPetya did 10 billion dollars of damage. This was a nation-state attack from Russia against an intended target of Ukraine that escaped its blast radius and intentions and hit globally companies like Maersk and Merck and UPS and others; Merck Pharmaceuticals took about a billion alone. They had an office in Ukraine and it pivoted and did a billion dollars, including cyber-physical harm. So we know a nation state can, without even intending it, do long-lasting damage to US critical infrastructure. We mentioned Change Healthcare. So even though we were focused on medical devices, great success on the way to
relief, we're currently having a huge fight on healthcare for hospitals, great fight, important fight, on its way. Nobody was paying attention to these ball bearings, as we called them, but the term of art in US policy is SICI, or systemically important critical infrastructure, or SIE is the term that Jen Easterly refers to, systemically important entities. This is the idea that in any sector or any national critical function there's a handful of companies upon which too many people depend, and if they're disrupted they have an outsized, asymmetric impact. So one of the jobs of these sector risk management agencies, in consultation with CISA, is to identify what these SICI entities might be and maybe give them
elevated assistance to identify and buy down risk, prioritize response; in the case of a disruption we have an action plan, we've rehearsed it. And Change Healthcare was one such entity, where it's a common payment gateway. United Health Group, affected something north of 75% of US hospitals for months, which disrupted cash flow, which made them not be able to make payroll, which made them have to take emergency loans. There were bridge loans from the US government and from chains themselves, but this was harrowing. This also affected pharmacies, so certain patients couldn't get time-sensitive treatments without paying out of pocket. So the issue here is if we don't proactively identify our critical infrastructure, our systemically
important entities, adversaries will reveal them for us while we burn for weeks and weeks and weeks. So Congress is really pissed off about this one, and the White House has put out National Security Memorandum 22, which is trying to nudge better collaboration across the executive branch to make sure that these 16 sector risk management agencies help find them, in a process that CISA helps define, that then looks for cross-sector cascading risk failures. Okay, so one of the reasons I wanted the White House here, sorry it took so long to get through that first part, was it's one thing when hackers try to do secondhand, thirdhand national security stuff. What can you tell us about
Volt Typhoon? There's a couple slides if you want. Right, so what I can quickly and publicly share about Volt Typhoon, basically on what's already been shared on the internet, is essentially, as Josh had mentioned earlier, Volt Typhoon is a recognized and known campaign coming out of China, and has been targeting our critical infrastructure not only across the nation but particularly in Guam. And so there was particular concern as to the fact that we have a nation-state actor with a long-lasting and multi-year campaign actually into multiple critical infrastructure sectors that are depended on not only by the locals but also
our defense industrial base. And so this is where it becomes a key concern: if there is a geopolitical regional conflict with regards to the China-Taiwan Straits, what would that mean if a key part of our response in the region, particularly out of Guam and out of other countries, then becomes impacted because of a disruption to our critical infrastructure, and we are now busy responding to what is happening in our backyard versus having the opportunity to allow our military to do their mission set, which is to respond and deploy accordingly to the mandates that they have
before them, and also to protect our national interests and assets as well. So this is also a key piece where a lot of times, having conversations publicly and sharing, and having that hearing in Congress to have our four leaders across various government agencies share and state that this is a huge concern, that this is something that should be addressed not only by government, but that this is also going to be a whole-of-nation effort with regards to how do we collectively bolster our critical infrastructure in a way that is not only going to protect us but also protect our national mission
sets and defense strategy writ large. So that was also the culmination of a number of reports put out by, first and foremost, private sector industry security researchers identifying the issue, publicizing in great detail what is now known as living-off-the-land techniques, and writing in specificity how those techniques actually are not as complicated sometimes as it can be, and utilize a lot of commonly exploited vulnerabilities that are constantly not only out in the wild but are still prevalent in a number of our legacy system software and hardware. So it then really begs the question of
okay, how are we looking at those systems writ large, and having honest and candid conversations with the manufacturers plus the developers on having the requisite patching but, most importantly, building in the mitigations that we would then need to look at infrastructures that have devices that are 30-plus years old and that are also very expensive to rip and replace. Sometimes just even adding IoT or additional fancy new software on top of it, if you're adding a virtual programmable logic controller, that's great, but at the same time on the back end how are you resilient if your electricity goes off and then you don't have access
to grids? Do you have the ability to do manual shut-offs, similar to the story and case that happened with the water sector, and I'm blanking on the locality in Florida. Oh, Oldsmar, Oldsmar, right. And how it had to take a technician noticing the issues and then having to actually manually alter the processes versus being automated in itself. So that's where a lot of the key critical pieces then really come into play as to how do we essentially ensure that we're looking at the broader sets collectively and not just looking at the vulnerabilities, the threats, plus at the
same time what mitigations we need to be putting in place. But there's also a workforce component in terms of do we have the right talent on the island, do we have folks that are able to come and support whenever and wherever necessary. There are all these bolstering questions as to how does one ensure that our critical infrastructure entities, which a lot of times are privately owned and/or state and locally owned, do not have the funding or resources, do not even have the guidance, or may not realize that there are these threats out there because they may not have the intelligence capabilities and access to be prepared and have that as
part of their overall decision-making process, and most importantly that can also help a CISO or CIO to then also advise the board on why the budgets need to have certain security budget increases, whether it's for tool capability or for people. Does that trigger anything? Yes. So essentially, as Josh mentioned earlier, the potential for China to invade Taiwan in 2027 or later is not a relatively new thing. If we look at their history, time and time again there's been a constant tension as to Taiwan itself, Taipei, having its own independence vis-à-vis China actually claiming rights to the geographic significance of
the country itself. So, in short, a potential invasion of Taiwan would definitely have significant economic and political consequences, but as well, an attack similar to Volt Typhoon targeting private and public technology infrastructure could also give China the leverage and power that essentially we are trying to ensure, from a global power dynamics perspective, that there's that right-size balance, and ensuring that our democracies continue to thrive. So it might be one more. Yeah, and I should be really clear: these slides were made by myself and David Etue for the RSA Conference. These are not official White House slides, so I just played slide roulette with an official.
I'm sorry. It's fine, and I quickly skimmed through this as well, so at least you have the slides. And as also mentioned, the testimonies started on January 31st, as Josh had mentioned, with our four government leaders between CYBERCOM, NSA, ONCD, FBI, as well as CISA, but there have been numerous hearings that have subsequently occurred to then drill down to specific areas, looking at either a specific sector or key concerns as to what sort of other approaches Congress should be thinking about, should it be considering grants or funds that could then
trickle down from federal entities to support and help state and local governments with bolstering their infrastructure, and also how do we get the funding to these critical infrastructure entities to then help modernize their infrastructure as much as possible, to as well how do we look at it from the people perspective: what sort of skills are going to be required, and is it just a pay situation for bolstering salaries, or are we actually looking more holistically as to what are the root causes that may be preventing an individual from entering the field, to thriving and being successful, and growing, to as well
as, last but not least, wanting to stay, and if anything be in that critical infrastructure organization knowing that they're there for the mission, and that there's an opportunity to grow, and at what point does that organization have that backfill ready to come up. Yeah, and we do have some time based on this stated clock, we may even have more. Even though he's a cyber guy, Dmitri Alperovitch, one of the co-founders of CrowdStrike, has written a book that's one of the leading books on being on the brink of war. It's been on all the morning shows, so he's put in some time in the national security community
with some co-authors. So his opinion is it would likely be later than 2027, but reasonable people disagree on the timing. I think it kind of depends on who's in the White House and other factors geopolitically. But one thing that my co-presenter at RSA said, David Etue, and he's written a nice blog post or op-ed on this as well, is part of the theory here isn't just to say hey, we're at war, let's go hurt US stuff, or, you know, it makes tactical sense in Guam, right, given the proximity. But part of the game theory here, which I don't know if the White House would agree with, so I'm just speaking for the
private sector people here, is these are rungs on an escalatory ladder. So I think they would prefer the US stay out of it, so as a deterrent, hey, we... The term we have not used yet but probably should establish is called pre-positioning; that is the term they like. I kind of hate that term, but it's okay. Pre-positioning, I'll explain why I don't like it in a minute. The pre-positioning is they are there, they're in the house, they have the ability to activate if we so provoke them, right? So as a deterrent it's: stay out of our business. It could also be a brushback pitch, if you're a sports ball person,
which I'm not, but you know, it could be hey, we don't like what you're doing; as a reminder, here's a demonstration of capability in a couple of places just to say hey, reminder what we could do, hurt public support for our participation in a region. There's hearts and minds campaigns in every one of these conflicts, right? The Vietnam War lost support of the public; it lost the ability to prosecute things overseas. So it could just be a demonstration of force, and it could be widespread chaos. I had a clip teed up, but the term used often in some of these briefings, including Christopher Wray's at the first hearing, was
rain chaos on US critical infrastructure, which would be destructive in nature, not a ransom. And I don't think he has a microphone, but I'll repeat his answer. So, Dean, if we were to do one of those water hammers, you know, raise the pressure aggressively on one US water and wastewater community to the point where pipes burst, valves are broken, what's the mean time to repair that? Are we talking a couple hours of downtime, a couple days of downtime? How long might it take to fix physical damage underground? You've got to locate it, that's, you know, it's going to take a while. You're probably at days for a single hammer. Yeah,
what if we bricked all the controllers? Well, right, then now you're in a whole different ball game, right? So in a lot of these facilities we have manual controls where we can go back to switches and stuff, but we don't have anybody that's ever done that anymore. So this is where what people will tell you versus reality are two very different things, and that's where the heads are in the sand, in that those people just don't exist anymore. So back to my talk where it was all about the people: you know, we just don't train people to do this anymore. We rely way too heavily on the technology, and then we don't really
train the people on the technology either, so it's kind of a vicious circle. But yeah, you're at days, and then the cascading failures that we talked about: if you're at days, then the people that are required to work on this stuff are also fighting problems at home, so do they actually report to work to get the stuff fixed? And it starts a cycle, right. And I'm curious also, just to follow up on Josh's question, hypothetically, what would the impact be if, let's say, a state or region or whatever it may be has also first experienced a natural disaster, there's recovery occurring there, and then shortly thereafter, in a quick span, recovery is
still not complete, water's not back up and running, maybe electricity at minimum, or still not in certain pockets and areas, what would the additional impact be if an adversary was still in the system working and decides to, you know, execute? Yeah, if somebody's in the system it's going to take us a long time to find it. We just don't have the resources, right? None of these utilities have the resources; even the big guys don't have the right people or the right technologies in place to flip the switch and kill everybody, kill all the access. And it's back to the technology thing where, you know,
we're dealing with technologies that are 40 years old all the way up through something that was bought yesterday, so there's no compatibility matrix that we can just say oh yeah, this piece is what we've got to deal with. Yeah, I mean, the more you pile on it, it doesn't just get worse, it gets exponentially worse. Right. I think, you know, without leading the witness too much, just to make sure we keep some of this flowing, but I do want to get to some of these nuances as we start brainstorming in this session and the next one. We've been talking about Volt Typhoon; let's, you know, what happened about, I
think it was like a month later, in response to some of the unpleasantness between Israel and Gaza, an activist group, I'm going to say "activist" in scare quotes, an "activist" group out of Iran punished an Israeli manufacturer of industrial equipment, and by proxy its customers. So the public reporting was Pennsylvania; I'm aware of much more than Pennsylvania. But people using this Israeli-made water and wastewater device were "hacked". I'm going to use "hacked" in scare quotes because the hack was a password of 1111, and we might groan and we make dank memes and we might make fun of it and bring out the fail whale, but
that's the current state of play in this privately owned and operated, massively federated, target-rich, cyber-poor set of owners and operators of water and wastewater in the US. And I think you said some sort of stat yesterday that if we pay $100 a month, it probably costs $200 to deliver you that $100 a month, so they're not making money. So I'm going to come back to Dean a few times, but that was an "activist" group out of Iran, and not in 2027 for some sort of Taiwan strategy but a near-real-time reaction to conflict with a US ally. We're also watching and helping from afar the Ukrainian situation with Putin, and there are lines you get
crossed that do or don't trigger retaliation. So we are able to be disrupted, and it shouldn't comfort you that we're just kind of waiting for someone to decide to disrupt. And again, I don't think someone's going to start a World War III with the US casually by just raining chaos on US critical infrastructure, but if there is a conflict it will be a hybrid conflict, and on the escalatory ladder somewhere south of nuclear or tactical nukes but north of conventional, it would include this, especially for hearts and minds of the population to support such conflicts. So this is in the mix. I hope this isn't too heavy; I told you it was going to be
heavy. Okay, so I just mentioned there are other countries at play that we might need to be concerned about, and a fantastic, very fast read or audiobook is Ghost Fleet by August Cole and Peter W. Singer. They've written a sequel to this which is kind of better in certain ways, but no one read it because it came out during the pandemic, called Burn-In, I think, Burn-In, somebody validate that. But this is the fictionalized telling of the next world war, and it was so straightforward and so matter-of-fact and so plausible that this is now required reading at West Point and many parts of the four branches of military.
Five branches now, Space Force. Six, right? Yeah, all right, sorry, Coast Guard, yes. Okay, so this is a very quick read. I'd encourage you to read it because you're going to be reading it like, this would never happen, this would never happen, oh my God, this would totally happen. So you might find it a nice way to pass the time on a vacation or weekend. Okay, and as a reminder, Rome was sacked mostly by disrupting the aqueducts, the water, and as we saw yesterday with some simple exercises, the cascading failure of shutting off water even for a short amount of time can be pretty bad. No
water, no hospital, no air conditioning, no cooling of data centers for cloud stuff, no laboratory work, no lots of things. So Dr. Christian Dameff is not here at the moment, but he's one of the co-founders; he spoke yesterday. He's also one of the co-founders of CyberMed Summit, and a hacker named Quaddi. We ran an exercise in DC recently where we said if you shut off the water, what stops working first, second, third? So an emergency disaster physician, and who runs the fellowship there, scared me. It's hard to scare me; I anticipate and know a lot of these things. She scared me because I knew about half the disruptions and
half the order, and then she reminded me that no matter how bad it gets for the hospital to do its basic functioning, and how quickly, it's under a day; it's basically dysfunctional, like most things don't work. Right, I'm not going to gloss over that because I saw some faces. No water, no surgeries, can't scrub in. Hospitals are filthy places; no sanitation, you need water to do sanitation, scrub, so pathogen spread. Can't flush the toilets more than once, can't do air conditioning, can't do laboratory tests to tell what blood work you need done for what disease you have and how quickly, can't feed your patients, can't keep them hydrated. So there was a pie chart put up there about, I think you
had one as well, Dean, about how much water is consumed for which purposes within a hospital. They can go pretty well without power because they have generators on the roof; they do not have water towers on every roof, and even if they did, the water consumption rate is incredibly high. So things start to fail, and then if you're starting to feel like, well, maybe we could handle that, we'll just go to another hospital in town, well, if the town's out of water they're not going to work. Maybe we'll go nearby; well, if it's something like a class break on all these shared pieces of equipment, that's not going to help. So I think water was the one that scared me
the most. We've had the least attack density compared to hospitals, but you can take out more hospitals just by doing the water. So back to this constraint, and this is where we're going to get into solutioning; we want your ideas. Many of you saw the Apollo 13 movie, but it's based on actual events, right? They were running out of oxygen; they only had the time they had before they passed out and the equipment they had on board to repurpose, and we get really creative when we have to. So that was a really compressed timeline. We had Y2K, and if you haven't seen Whitney yet, make sure you get your Y2K-inspired stickers for the
CrowdStrike. But this is an actual advertisement from Best Buy when I was working at my first job trying to prepare the systems that, in internetworking for background, routers and switches could [ __ ] power plants or hospitals or whatnot. And a lot of people think this is a nothing burger, but part of the reason it was a nothing burger is because people did the hard work to prioritize, to put the COBOL programmers and the testing regimens and the scenarios and the tabletops together to make sure these things didn't happen. So we had a date that we knew was coming and we marshaled resources and prioritized accordingly. So similarly, during the
CISA COVID Task Force, we're not going to do too much storytelling, backwards-looking here. When I got there, everyone knew that Operation Warp Speed had these candidates that were going to get unprecedented amounts of money and protection, and there were classified briefings, and you were one of the ones that did those for the teams, Steve Luczynski as well, Spanky. A bunch of civilians without clearances did the low-side stuff. But I was given a list of not just the Operation Warp Speed candidates but 23, so the list grew, but it was initially 23 supporting actors that we knew we had to protect as well. But then I was given a list of a thousand
tiny, obscure suppliers that no one knew how to prioritize, and in a couple of days, with an infectious disease expert and a physician, former hospital CEO, we made a little rubric called the ball bearings thesis, and we came up with not just 1,000 but 4,000 when we looked at their peers, and we found 66 of them that I call ball bearings, which were small, unguarded, weak links in the supply chain that, if disrupted, could lead to mass casualties or massive delays. The bad news is, whether it were hospitals we were trying to keep afloat during record-high usage under record-high ransoms, or these ball bearings, almost all of them were what we started calling target-rich, in that they're interesting
to our adversaries, but cyber-poor. Target-rich but cyber-poor: this is trying to use policy speak and Beltway speak for Wendy Nather's pioneering work on the idea of the security poverty line, living below the security poverty line. So these are interesting targets and have no resources or talent to do anything, so we had to get creative. So my friend made this poster to make fun of us, but I said guys, stop uttering best practices; they don't have any security people. Stop talking about the NIST Cybersecurity Framework, stop talking about implementing zero trust architectures, screw best practices, what are the bad practices? So at cisa.gov right now you can go see cisa.gov bad practices. There
are three; there were two on day one, we made the third. And the sentence structure goes like this: the use of end-of-life, unsupported operating systems in service of national critical functions and critical infrastructure is dangerous; it materially elevates risk to public safety, economic and national security. This dangerous practice is especially egregious in internet-facing technologies. The second one was the same sentence for hardcoded, well-known default usernames and passwords, and then eventually we added one for single-factor remote administration tools. I believe the rumor was that Oldsmar was hit with a default password of TeamViewer, for example. So bad practices: if you can't do anything, avoid these negligent things. Now, CISA wouldn't call them negligent,
but they couldn't disagree with the idea, as the nation's risk management adviser, that these are in fact dangerous. So the rest of regulators and industry and insurers have now incorporated these bad practices into the way that they adjudicate. Second thing we did is I tried to publish "get your [ __ ] off Shodan", but you can't say [ __ ] in a government document apparently, and you can't say Shodan overtly because that's just one. So we said get your stuff off search, so the SOS program, sending out an SOS. So the idea is your assets are showing; see what your adversaries can see using free tools like Shodan, Censys.io, Thingful I think was the
third one. So assess what your internet attack surface looks like. Number two, reduce your elective attack surface: shut off the stuff you don't need remote activity for. Number three, harden the things you do need, and what does that mean? Well, we have a free daily, nightly scan; it's called Cyber Hygiene, for anyone in critical infrastructure, sends you a report of all the known CVEs on your network that are visible. Now, oh, we can't patch them all, so what does it mean to harden it? Okay, well, they started whining, and I don't mean whining, I was empathetic to this, but they started saying we can't patch them all, and they couldn't. So I said how about let's just
focus on what is now known as the KEVs, the known exploited vulnerabilities. So what can you do in 3 months, right? Avoid the bad practices, assess your internet attack surface, shut off the things you don't need, harden the things you do, fix the KEVs first. The KEVs are ones that have been known to hurt the FBI or the government agencies, so known victims, known exploitation. It's not comprehensive, but out of a given calendar year of CVEs less than 3% ever get exploited, ever, and these are a much shorter list than that. So this is the prioritized list of the prioritized list. So some combination of get your stuff off search and KEVs might be the difference between
getting roped up into a casual, indiscriminate, widespread initial access campaign. Well, the White House liked this. I can't remember if you were there yet or not, but there was Presidential Memorandum Number Five, not Mambo Number Five but Presidential Memorandum Number Five, and they said to CISA, we like these bad practices, can you please build upon them? We have this NIST Cybersecurity Framework with over 100 controls; it's 10 years old and it was voluntary, and the OIG reports and other reports show that everyone's volunteered to ignore it. Office of Inspector General. So they said if that's too much and too hard, CISA, look across all 16 sectors and come up with a
cross-sector crawl stage of crawl, walk, run. And they're not, just like the Holy Roman Empire was not holy nor Roman nor an empire, the CISA Cyber Performance Goals unfortunately are not cyber performance goals: performance is a number, goals are outcomes. But what they did do, which is better than nothing, is say out of the entire NIST Cybersecurity Framework, here's 38 controls that every single sector should do as an owner and operator of critical infrastructure. This is the baseline, and the idea is yes, you are all beautiful and unique snowflakes, and all snowflakes have the same melting point. They didn't say that language, but CISA came up with this, and the legislative intent, or the executive
intent in this case, was each of the sector risk management agencies should start with the CISA CPGs and then add their sector-specific wisdom on top. So you normally see 38 from CISA and then say, in healthcare, electronic records play an outsized role in the harm to patients when disrupted, so you would expect to see them add something like that. And then in parallel we had Executive Order 14028, which is a response to SolarWinds, which introduced one of our creations, SBOM, or software bill of materials, and said anything sold to the federal government should probably have a software bill of materials, and that includes Veterans Affairs and military hospitals, which are one-third and one-third of
all care for Americans, so two-thirds of all care for Americans at a minimum. And the PATCH Act passed into law. So when we try to say these things, it's even without a budget, even without a CISO, even without a zero trust program, can you avoid the bad practices, remove your internet attack surface that's elective, harden the stuff that isn't elective, and if you can't do these things, maybe you should disconnect, right? So on top of this, and this is where I would love your help, some of this which was initially voluntary, all these things were voluntary, including it said right there in the presidential memorandum to CISA, this is a voluntary list of cross-
sector performance goals. Then President Biden came out with the first ever, through the Office of the National Cyber Director, presidential National Cybersecurity Strategy with five pillars, and if you haven't read it, I draw your attention to Pillars One and Three. You can read it all, but One and Three for this group. One says, starts with critical infrastructure; every other presidential strategy for cyber was mostly focused on government networks, government agencies, so this said we need to preserve the trust and safety of the public in our critical infrastructure, so there was a higher prioritization on those. And then Pillar Three was really scary for the private sector, and I loved it. It said we need to look at the
incentives, because it's not that we don't know what to do, it's that we don't incentivize it. So I think one of the things Kemba said was voluntary free market forces only take you so far; there is a time and place to use government power, that time is now. We are going to use a light touch, but no lighter than necessary to maintain the trust and safety of the public. And that was scary, but what they said, whether it was the Office of the National Cyber Director under Acting Director Kemba Walden, and under the National Security Council and Anne Neuberger, the unified message was: if you're a regulator with unused or underutilized regulatory authorities, use them now, and
the general approach was start with CISA's CPGs as the floor and add sector-specific wisdom, and if you are missing regulatory authorities, we will help you go to Congress and get them. So this was the no-kidding. Now, I didn't know about Volt Typhoon yet, but it's possible the White House did, and this approach was to say voluntary is over, start using some of these things. I see a hand. Okay, just to tie this thought off, because I think this is important: what was the first agency that week, if you remember, to exercise that strategic intent of asking for the CISA Cyber Performance Goals for their sector? You remember? I can't remember if it was HHS.
EPA oh EPA my bad right so what does what does EPA do EPA deals with water water and wastewater so they probably did the minimum viable product in my opinion real fast which was they didn't say our sector must Implement all 38 what they said is you do an annual sanitation survey required by law during your annual sanitation survey please inventory which of these 38 sisa cyber performance goals you do didn't add any sector specific ones didn't say you must do these or that we're going to audit them we just want to know which are in place a data call do you remember what the response was from the sectors and from the states weed your ass they said how dare you and
There were several lawsuits faster than you can blink. So I'm going to put this back into focus. Before this question, NSA had published a very obtuse, cryptic living-off-the-land warning to the sector about a particular unnamed campaign on water and wastewater and things like that, and you should go read it again now that we know about Volt Typhoon. And the President's strategy is saying voluntary will only take you so far; it's time to act; you have regulatory authority, go ahead and use it; and we might see disruption and cascading failures across strategic military installations, or as an escalatory rung on the ladder of war. And the response from the private sector is, how dare you. I'm certain we are not in our best possible resilience position. So part of the reason we're having this workshop in these two days, and this new project of Undisrupted 27, is if we don't find an alternative way to a federal top-down push from the White House and the executive branch to inform, influence, inspire our local communities, we are going to stay as prone as we currently are.

And also just to quickly add a little color and context to why the National Cybersecurity Strategy was formulated the way it was: because we've been hearing time and time again from fighters like yourselves, boots on the ground, and also your leadership, respectively owners and operators across the board in critical infrastructure, saying we are trying the best that we can with limited resources, and also we don't have the time to go do a complete analysis to understand where our dependencies are and things of that nature. And so, as Josh had rightly said, having government agencies like CISA do the brunt of the work to do a complete sector analysis, see where those cross-functional interdependencies are, then come out and say, okay, we understand now and hear you that you may not have time to implement the best practices, because best practice may not be enough. Just tell us what the low-hanging fruit are. Okay, three bad practices, can you at least do that? Because those are the things that keep happening time and time and time again. If we nip that, then at least we can focus on the next big set of other three, four problems and just build off of that iteratively. And then with the National Cybersecurity Strategy, looking at it from a multi-pronged approach: how do we help owners and operators, how do we help state and local, how do we shift the dynamic, incentivize those markets, right, particularly the manufacturers and developers. But most importantly, there was a call to finally say enough is enough. We are all consumers, but we cannot expect the users to also have the solutions. We need to also tell the actors that are responsible for creating these products and shipping these products and services out to do better and to be responsive. So recognizing that it's not just the national security and homeland defense apparatus that we're trying to tackle, but addressing it from multiple areas: public safety, plus at the same time economic security. What are the other levers that we should be considering and baking in? Because it is so intertwined into our society today.

Okay, I think we had a question coming, or comment. A co-rant, as opposed to a Corman rant.

Hi. So you're calling for more regulatory
action in some ways, but the Supreme Court just tore down the ability to do that, the Chevron decision, the removal of Chevron deference. How do you square those two things?

Oh, how I wish [name unclear] was here, given how aggressively anti-regulation the current Supreme Court is. Okay, let me try to parse that. I'm going to slightly reframe it, not to distort it. I could have a whole talk on this. I wish [name unclear] was still in the room, because she will definitely speak with authority on Chevron. So first off, you said we're calling for more regulation. I'm not saying that right now. I'm saying, in part of the response from the pandemic, from increased disruption to water, food, healthcare, oil and gas, Colonial, NotPetya, the US government central federal approach, both in Congress and then eventually in the White House where you serve, said we have to preserve the trust and safety of the public. They have had actions. I have helped with some of those actions. A lot of hackers in this room did table reads for that strategy. In fact, Hackers on the Hill, which we do every year right before ShmooCon, last year we did a bonus one called Hackers in the White House, and 50 hackers went in and talked about these things before it published. That's what they're going to do, because legislators are going to legislate and executives are going to execute, you know, branch stuff. That's what they do. We're hackers, we're volunteers, we're citizens, we live here. What I announced yesterday with this whole Undisrupted 27 project with Craig Newmark and IST is in recognition that those things are cool; maybe they're going to screw some stuff up and make some stuff better, but they're going to take a while, and upon the revelation of this urgent time frame, something has to be done in the middle. It's going to be a messy middle.

What you're bringing up is fantastic, and that's why I wish [name unclear] was here. I'll try to have shorter answers so we can get to more questions, but the Chevron case, anybody been watching this? It's really, really bad, and not as bad as you think it'll be immediately, but very, very bad in my opinion. So my casual take, I'm not a lawyer, I'm not one on TV, from just observing this: generally speaking, when you make a law, the regulator was given the benefit of the doubt when things were ambiguous. So a vague law that can be interpreted by HHS or EPA or DOE, deferral of judgment went to the expertise that worked for those regulators; they would hire and retain those. It got overturned recently at the Supreme Court. This has been a long-standing doctrine. What it now says is you can't do that. So now it has the potential to go to court. Now, when you go to court, they are going to look at the expertise of the regulator; that will be in play and admissible. But court cases take a long time, and people with a lot of money will use a lot of lawyers to lawyer you to death. Not a DoS, a legal denial of service. So that is not very efficient. So in a world where we knew that the tie goes to the regulator under the Chevron doctrine, regulators passed laws that gave future-proofing and deliberate, valuable ambiguity in their wording to allow for guidance to evolve over time, so you don't have to go to Congress every single time. Now that that's overturned, it's on its head, and all the laws that were written with deliberate ambiguity are now going to be challenged left, right and sideways. If Congress adapts, that's a huge if, and some of our friends in this room don't believe anything good can come out of Congress ever again; they're sometimes Congressional staffers. I still believe, and I still work, and this movement has helped pass two laws, two, in the US. You can write laws with less ambiguity; they just become more brittle. So think about this like a hacker or a software engineer: you don't want super specific and brittle, but if they're super specific, then it's harder for the Chevron thing to hurt us anymore. So you want to have as much specificity and evergreen as you can, and future laws, unless this gets a happy medium, will be more specific and prescriptive, but therefore they will also be more brittle. So I think we always had a trade-off between valuable ambiguity and exploitable ambiguity, and the rules just changed. So any laws passed on the assumption of Chevron are now way less effective and will be made way more litigious. I don't know if you would agree with that assessment; it's a very astute question you bring up. So guess how
comfortable I am that we have a 10-year, 15-year horizon for this strategy to actually bear fruit, and I just told you that Volt Typhoon's coming in two and a half years. And not only do we have the Chevron doctrine undermining any authorities we currently have, which puts us in a worse position, but we're also having an election, and we've already had political appointees, leadership figures that were getting pretty good at their jobs, already retire. Eric Goldstein's been fantastic, and he's no longer at CISA, right, and there's more and more. And no matter who takes the White House, political appointees serve at the pleasure of the President, so a different President might mean different political appointees, and it takes a while to get them confirmed, a while to find the bathrooms, a while to find their footing. So we are going to have maybe a two-year loss of momentum from political leadership no matter who takes the White House. So I looked at this; part of the reason we pushed for this project is, once again, the Cavalry isn't coming, at least in the window of which I'm referring to. So I like a lot of these top-down things; some of the pushes are bad, some of them are good, but I think they're engaged. So my confidence building is that we have really talented, really smart, really connected people in the White House, finally, and they are engaged and they're willing and able to use the powers that the electorate gave them. They had been previously unwilling to do so. They will get some things wrong, they will get some things right, but I think they're on the right trajectory. I'm much more concerned about what we do during political turnover, during Volt Typhoon season, under an unsustainable trajectory even if neither of those two things were happening, and then yes, it's made worse by the Chevron doctrine being overturned. I'm not going to let Chevron getting overturned super hurt me, and I am heartened a bit because one of the laws we worked on was the PATCH Act, and it's got some very specific things in it. So it did say you have to be patchable, have a coordinated disclosure program, have SBOMs, have threat models, have a vulnerability management program. So that level of specificity means Chevron doesn't hurt that one very much, but other stuff it could hurt a lot. That was maybe too long an answer, I'm sorry, I'll try to keep them shorter.

All right. So do you agree with or disagree with any of that? You have lawyer training as well.

True, but at this point I'm a practicing lawyer, and yeah.

And not in your official capacity.

In an official capacity, no comment.

Okay. So you talked about SBOM, which is
something formal enough to actually have an acronym, and it's, you know, internal software dependency, something I definitely think we need; we haven't done enough of it. You also, but vaguely, mentioned things about maybe supply chain, some other dependencies. We have billing systems. CrowdStrike obviously was one that, you know, we all found out what was dependent on that really quickly. Is there a formal, structured methodology that we're considering, similar to SBOM, for external dependencies, for actually surfacing and finding and making more transparent the things that we are dependent upon, so we don't find out after the fact?

All right. You could probably give better language on part of my answer. So there's a historical thing called Section 9 that was classified for financial services, which identified the systemically important entities for financial services and functioning of the economy. It wasn't super popular, but there was an intention. The Cyberspace Solarium Commission, which is bipartisan, with private sector collaboration, came up with what's called systemically important critical infrastructure, SICI, and again Jen Easterly and others like calling it SIE instead, systemically important entities. I think SICI is the program, SIE is the entity within it. There's been different things that Jay Healey, really smart guy who was in and out of government in CISA and ONCD, he called them [unclear], like big fish and little fish. You know, it's the big ones that are the too-big-to-fail kinds, and the little fish were the small, unguarded, target-rich, cyber-poor that no one knew existed until something really bad happens. So generally speaking, the private sector hates this idea for a couple reasons. One is they don't want to be on a list. It might get them more accountable, it might hurt their insurability, they think it might obligate them at some slippery slope in the future. So no one wants to be on the list, even though that's their private good; the government's there for the public good. So it's a really important, really necessary program that got a lot of lobbying pushback from every single sector. Two, no one wants to work with CISA, initially. CISA is getting better; it's a young agency, a little over five years old, but when this was first introduced it was like a year old. And when you spend all your time and money with government affairs and lobbyists trying to kiss up to HHS, you don't want to have to also kiss up to another agency now. And the siblings didn't want to work with CISA either, like, we've been here before, you go away, right, this is our lane, get out of our lane. Right, so the legislative intent is that all 16 of those have a leader called the sector risk management agency; they have a public-private partnership with the sector coordinating council, and they have an ISAC. That's the design of those 16. But when CISA was introduced, it's supposed to be horizontal across all 16 as a national coordinator, to look at cross-sector risk, things like that. So that was a hot mess; it remains a hot mess. But the thing the White House recently did, which I'm hoping you can give some more official language around: PPD-21 was the organizing document from the Obama Administration, Presidential Policy Directive 21, that established the 16 sectors, and there was no CISA when it was born; there was an NPPD. Those 16 things had a lot of ambiguity as to how you do governance and risk management. After the COVID Task Force after-action reports and a lot of advocacy, we convinced them that it should not be a light rewrite or refresh, it should be a heavy rewrite, and they had a lot of courage and decided to change a lot of stuff to look at more cross-sector risk, and after the interagency squabbling it backed down to something much less aggressive. But that is now called NSM-22, and it's been published. So National Security Memorandum 22 replaces PPD-21, and it still has 16 sectors. People thought we were going to add space and drop something else, so it's still fairly similar looking. But in it, it establishes CISA formally, it establishes them as the national coordinator across all 16 sectors, and it gives obligations for each of those sector risk management agencies to do things including but not limited to nominating their systemically important entities within a framework with CISA, and then CISA would operate cross-sector cascading risk. So I had floated an idea while there of a five-tiered service disruption model that said, no matter what your national critical function is, we can map and model how many events per year their cascading effects are. So imagine a level two outage of water caused six level five outages of hospitals. So we wanted something where we could do that, and by looking at those
either retrospectively, we could describe what had revealed itself to be a systemically important entity, like Change has done, but proactively you could also just use a methodology to ask the community which top five, top ten, top fifteen things, if shut off, would lead to outsized harm. And I can guess right now, for example: there is no SICI list yet that's published for healthcare, and after Change Healthcare, House and Senate Republicans and Democrats have been screaming at HHS. There's a nasty letter from Wyden placing the blame for what's happened at the feet of Secretary Becerra: HHS, this happened on your watch, we hold you responsible, please prioritize coming up with this. There's no published list, but I can tell you right now that Epic and Cerner would have to be on it. So I think we kind of know some of these bigger players that if disrupted would have a really, really big harm, but it's not been a lack of capability or technique or methodology; it's been a lack of will. So I tried to leverage the Change Healthcare scenario to raise public outcry and support and Congressional will and White House will to make this happen. So I'm told that while there's no due dates in National Security Memorandum 22, the next document to drop for public comment is called the National Plan, and in that, if they aren't giving them deadlines and scrutiny, we can publicly comment to put pressure on that. So it's an unpopular idea for lobbyists and trade associations and a critically necessary thing for your family. I don't know if I answered your question, but NSM-22 is a good start, and the National Plan, when it drops, please read it. Was that close to correct?

Yeah, yep. If anything, also, a lot of times when documents are being refreshed and updated it is to provide additional clarity and, most importantly, be very explicit as to the roles and responsibilities. So in the past, even though there are multiple documents that actually stated who is responsible for what and how the different efforts would happen cross-functionally across the board with government coordination, there were still times where conversations were being had with regards to who really had the pen and the charge on certain issues. So in light of that, this is where, looking holistically, the development of NSM-22 was meant to help serve that, to say, okay, at minimum let's be very clear as to who's owning what, who is working with whom, how are these different government agencies going to be responsible not only for greater federal coherence and coordination amongst ourselves, but most importantly, when we're out and about engaging with you as our stakeholders, that you also have a keen understanding of how our systems work, who you can talk to for what purposes, and how the collaboration may occur. So if you find out that certain information that now is anonymized is being shared, for example with CISA, it's more so to help with the broader landscape analysis, to then say, okay, these are the critical areas you should be thinking of, and supporting the various sector risk management agencies with providing the technical guidance and advisement.

Two more quick things, just because I'm getting all riled up on this again; it has been years of debate on SICI. Three more things. One, Representative Langevin, a lion for cybersecurity: he founded the Cyber Caucus in the House; he's
very bipartisan. From day one he was the co-chair of the Cyberspace Solarium Commission. He was the first sitting Congressman to come to DEF CON 25, because of your help, with Will Hurd. Absolute champion. Caused the Office of the National Cyber Director to be born. His outgoing amendment, which is usually honored as a gimme, was to give CISA the overt authority to come up with SICI finally, and it was killed faster than you could blink by the trade associations. They had a letter by many trade associations, contradicting themselves, before it even hit the Federal Register. It was dead on arrival. So I thought that was frustrating and noteworthy but interesting, and if you really want to get into it, read the letter and you'll see how weak sauce it is. Point two: given the years we've been debating, can this be done? That's 4,000 vaccine supply chain entities down to 66; took us 10 days. We had a methodology: number of dependencies, scarcity, impact, mission support. It took us 10 days. So in a crisis, 10 days gave you something useful and usable. Could it be improved? Sure. 10 days. The third thing is, there's debate on this, but I don't believe you can do SICI for a sector. I think the atomic unit of SICI is a system; it's called a national critical function. There's 55 of them, and these are way more tractable. So in a hospital setting, healthcare and public health has four: protect sensitive information, which in the case of healthcare is PHI; the second one is called maintain access to medical records, so that's the availability of EMRs and EHRs; the third one is called provide medical care, which is, do you get timely access to patient care when and where you need it; and the fourth one is called support public health, which is more like regional capacity planning. I think if you were to ask someone in healthcare what's the most important 10 players for each of those functions, you would get answers immediately, even if they're bad answers. And Dean's been back there. Dean, if I had to ask you what's the most important, you know, suppliers or vendors, don't answer it, but if I had to ask you manufacturers or suppliers in water and wastewater, you know, for PLCs, for equipment, for chemicals, I bet you can come up with a few. Yeah, yeah. So it's not that we don't have methodology, it's not that we don't know, it's that we haven't wanted to do it, and I think while we fail to do it we burn when Change Healthcare stuff happens.

All right, we have 30 minutes left and we've had almost no questions, so there.

So I suppose I have more comment than question; hopefully that's allowed, because I have the mic
and I'm doing it. But I think to the point of incentivizing, right, people are in general more likely to do something if there's a positive output or a positive thing for them than a smack, right? And so legislation, it's going to take however long it takes, but there are other partners in this. I come from the disaster world, and some of the partners we use for these things are accreditation bodies and insurance and reinsurers. Some of the gains we have made in disaster preparedness, and in my mind this is all the same thing; in my mind there's not a difference between the kinds, I don't care what caused the horrible thing to happen. In my mind there are actually no natural disasters; they're all man-made disasters, because we rely on things that we shouldn't rely on, and then either technology or Mother Nature smacks them and they break, right? But I think that this idea of accreditation bodies: so police departments, fire departments, 911 centers, healthcare, they are accredited, and you start to push some of these things in there and now they have incentive. Hospitals have emergency preparedness people because JCAHO says they have to. The first step was they had to have them; the second, the increment to that, or the iteration of that, was now they have to have qualified ones. No one knows what that means, but they have to have them to be accredited, and they have to be accredited to continue to get CMS money, which is your insurance money, right? So there's a huge incentive for them to have that, and it's not legislative in the common sense. And insurance is the same way. We see people like homeowners taking action because their insurance company says, hey, if you want to have insurance you need to do these things: you need to have this kind of roof, or you need to trim all the bushes away from your house, and people do that because they're easy metrics to meet for the most part and it lets them keep their insurance. So I think that there's a piece of this incentive portion that can happen much more quickly. The insurance companies are kind of a pain in the ass to deal with; they have a very powerful lobby and they don't like things until it benefits them financially, and then they're all about it. But these accreditation bodies have a huge pull and they are sometimes very easy to work with, as long as people can understand the problem. Because for the general, like I call them the mom-and-pop organizations, the small water companies, the small public safety agencies, they see these as somebody else's problem, right? These are things that happen in the big cities, and why would anyone ever do anything bad to my water company out here in Podunk, or to my police department? I've had those conversations. There's this cognitive dissonance piece that clicks in and they're like, yes, bad things happened, but they happened to you, not me. And so using these peer groups to put that pressure in there, and not just pressure but guidance, help, I think could move that forward much more quickly than the legislative pieces, because that takes forever.

And if it's possible, if I watch this, I'll feel like we messed up in suggesting that these should be federal. I think I'm saying the federal stuff is not going to help us. Let me say it very overtly right now: the federal stuff is not going to help in the next 2.5-year horizon of which I speak. You will, or we won't. So we need to manage the messy middle. I would love to get to know you better, because so far some of our best new teammates are disaster science people, emergency management people, and we're increasingly benefiting from listening to your experience. There are a couple edge cases where they are different, such as every single one of your insurance policies has an exception for acts of war, of which Volt Typhoon would be one. And yes, there are natural disasters like hurricanes, but we have a hurricane
season and hurricane alleys; these things are coming 365 days a year. So there's a lot we could borrow and learn, and I want to learn from you, so I hope you get involved in that project. And please let's focus the next, this is my fault, next 20 minutes on what we can do for our household, our city, our community, etc. So you, I think you were next.

Okay, so, and this is me being a little bit naive, having been in academia for a long time. The thing that strikes me about everything you've said just now is that we need people. We need people in desks or on the infrastructure working on this, and we need them there quickly, right, more quickly than we can by regulation or by carrots and sticks and all that. Those people are out there. I mean, you look at any of the young people, sort of hack-a-board things; people who know their stuff are having trouble finding work at the low level, because entry-level positions are problematic. It strikes me that supercharging these entry-level positions to do this is one of the quickest ways of getting runs on the board, but getting that money through by using carrots and sticks is just going to take too long. What are ways that can be done, maybe even at a federal level: grants, you know, scholarships, things like that, so we can get all of these, I don't want to say kids, but, you know, I've taught enough of them, into these jobs through these organizations that don't have the funds to do it for themselves? They don't have the funds to run out the mentor programs; they don't have the funds to do all that. What can be done at the federal level to do that?

Did you bribe him?

No. This is, in fact, I actually want to talk to you later and learn more of your background, because that was a great setup and an alley-oop for me, especially mentioning earlier that, as an extension of the National Cybersecurity Strategy, there is a mandate by the President that there would be the development of a National Cyber Workforce and Education Strategy to answer that very same problem that we keep hearing time and time again: how are we going to talk about having a safe, secure, resilient digital ecosystem when we are missing a core, fundamental piece of the larger problem? We're constantly talking about processes, we're talking about technology, and yet we are missing the people that drive the rest of the tech, the development of the technology, and creating these innovative processes, services and tools, to then also sustaining them, maintaining them, also updating whenever possible. And it's not just also the core cybersecurity technical expertise, but then if you look at it concentrically, like the support networks that come around it: the risk and compliance and governance aspect, and then as well, do you have the budget teams as well, and your acquisition and procurement folks, in alignment with your HR staff, and recognizing that they need to also work more closely with their hiring manager and get trained up in what does it mean to be a tech recruiter. We are having the very same problem in federal government when it comes to how do we recruit the best talent, and yet at the same time we keep hearing time and time again that there is a barrier to entry. Coincidentally, we're also having a problem with early career applicants. We may say, generically, in most of the job descriptions, particularly for the standard IT specialists in infosec, the 2210 series, that it is preferable to have a degree, but then at the same time if you have a degree but you don't have the requisite experience, then how are you supposed to compete and be able to get a job? Conversely, we have a number of phenomenal candidates, career changers like myself, as well as veterans and many others who have gone through non-traditional paths, who actually have a ton of work experience, relevant work experience, but because they do not meet the minimum education requirement, and that is typically the focus and a checklist for HR staff that have hundreds and thousands of resumés to go through and it's just a quick means of screening, we're missing the opportunity to look at a person holistically and giving that growth opportunity. So the rest of us, as we progress, get more senior, decide to be a technical expert with senior subject matter expertise or decide to become a leader and a manager, who do we have backfilling and coming behind us at the same time? But then at the same time, how are we equipping everyone to also become more developed, strong leaders to back end? So I say, in short, we're promoting a skills-based approach. That is why both our National Cyber Director as well as a number of government agencies have been promoting the use of, and working closely with, the Office of Personnel Management, whose acting director right now, Rob Shriver, did say at an event earlier this year for a White House convening that OPM is going to look closely at the 2210 series and removing the minimum education requirement, so that way we can look at it from a skills-based approach, which is by the way a mandate by the Administration that we should be looking at all jobs across the board, particularly for mission-critical areas, on how do we bring in that talent. And to answer some other questions, there's the registered apprenticeship executive order that is a pathway in, not only for federal government entities but also for critical infrastructure owners and operators if they need the funds. Those funds actually are typically doled out through their respective state workforce development agencies, so having that close collaboration, and this is where, as Josh rightly said, there's some things that we in federal government can do, but really once the money goes out, it's out in the space, and if you don't know who to go talk to, then that becomes a huge issue and problem of we have not done our jobs. And then also, conversely, how are we then promoting and advertising that the money is out there but it needs to be applied for and obtained, to help get more scholarships in place for students, whether it is the traditional pathway or even looking at community colleges, which are doing a phenomenal job of turning candidates out and being workforce ready, all the things. So there are many opportunities, but I would say, if you want a quick plug, check out whitehouse.gov/cyberworkforce. There are a number of resources that we've put together in collaboration with our federal departments and agencies, that also have access to resources that are out in the community, that will help job seekers, that will help educators that are interested in how they can be a part of the solutioning, and most importantly also employers, because they have a responsibility as well, particularly with the job advertisements.

Yeah, this is one of those categories where it's a yes-and. This strategy is pretty comprehensive, pretty strategic. There are other programs we didn't even mention, like Scholarship for Service, like there's some stuff in a bill that comes in and out about maybe giving scholarship money for two- and four-year degrees to people to work in food resilience and security. None of those things are going to happen in the next
two and a half years so some real rapid fire questions as we go to some of these two fingers is do you have a mentee if not why not who could you pair up with Iris spoke yesterday about working with high schools do you know if there's a way for you to engage and maybe start training up or doing some sort of cyber challenge for the high school kids the collegia kids if not why not these grants that exist that no one's using cuz they don't know how it's could you maybe educate yourself and if you're not a hacker maybe you're a librarian could you help understand how to take the grant money available and
have your local community able to tap into those right we need all heroes all willing and Ally uh willing enable allies to connect the dots between some of this Federal intent that's going to happen slowly and what we can do right now and if you can't do it yourself just know that one of the things we're pushing and encouraging um from the office National cyber director is Regal ecosystems recognizing that there are Pockets whether it's at the local state or Regional level or national um communities where you have a an AC uh academic a number of academic institutions to nonprofits to uh the employers uh as well as Civic Society at large collaborating together to solve
the problem um themselves and actually saying no no we have our own homegrown organic solution that actually works for our community and our culture and for us we come in and we say that's great what has worked what hasn't worked and what is the potential of scaling that and sharing it with others so they can both replicate it and also almost importantly avoid the pitfalls so it if you can't do it yourself just know that there's an opportunity for you to get plugged in um to a number of organizations a lot of whom are also here around bsid bides included to then um as well as the The Villages that you'll see at Defcon all
All right, I saw a lot of two fingers. Can each of you get 30 seconds? Ray, I really want you to speak because you've got a multi-year pilot in Michigan. I mean, there are things we can do locally, even if you just have people watch last year's talk. Okay, so we're going to do that, but first we have an important announcement.

All right, so Mr. Bats, you were a naughty boy this year and you put a repeat request in for your outrageous speaker request, which is not that outrageous, so you're beginning to bore me. Oh, you can ask Josh how bad it is to bore me; it's not a good idea. But in the meantime, because you've been so amazingly helpful and so wonderful, and this taking over is, as you know, stepping up and helping to run this track this year, I've given you a freebie. So there are cookies available for those who wish to indulge, but ask me for cookies again at your peril.

Thank you. Okay, fiber cookies? I'm guessing these are going to be community cookies. Okay, there's a photo. All right, while we're waiting for the microphone and the cookie photo opportunity... Okay, so we're back. So we got you, then you.

My original question is again less relevant, but to answer the other thing you asked, do we do mentor programs with local schools? Where I'm at, we do, and we do some programs where we expose them to bad firmware we've seen on batteries and we let them find their way into those systems. So I was excited to hear recently that there is a provision in the NDAA currently that will allow the National Guard to have civilian counterparts in the event of an issue or an incident. I'm excited about that because, as Josh said, I ran the Michigan Cyber Civilian Corps for six years, and we had qualifications: you had to pass a task, you had to have certain qualifications to be in. We just made that up because we had to have a floor, and it got us where we needed to be. I'm just very happy to see that; I'll talk to you more about it.

Please, yes. All right, there was one over here as well, or two.

Okay, so I've been involved in politics at the local level, and my universal frustration at national-level stuff, which I'm hoping you can avoid, is: it's great that you're talking to us, but if I was to go to my local city council, which is a fairly unknown city but it should be, because it's the home of Google, and I also try to say to the city council, you know, that you should care about this, I don't have any talking points that are consistent.

Right. We can help.

Yeah, and so the thing is, I'm glad that it sounds like you do, but I think that's a really strong point: if we want to do a grassroots movement, you have to be able to say, here are the talking points, in a way that makes me as a speaker in three minutes knowledgeable and able to be at least the first-level resource.

Yep, okay.

The second thing is, I remember when ObamaCare rolled out and there was a disaster in the website and there was an all-hands-on-deck getting everything out the door. Is there any conversation about building up such a team, only under a less stressful situation, that would be able to go out to rural Iowa to restore water functionality if they need to? Do you have the strike team that they had to put together on the fly for ObamaCare?

I'm going to synthesize a few of these. So we've identified that NICE and CAE are really great but probably a six-year-plus solution, that working with high school kids is probably a ten-to-twelve-year-plus solution, and things need to be done sooner. Your question, how do you get it started: I think this requires funding. Grants provide structure; structure provides the ability to marshal people. If there was, for example, a Gates Foundation grant that supported helping those cyber-poor companies that are critical get their bad practices dealt with, the 38 issues and so forth, I think that's the kind of thing that could make a difference in the time frame you're talking about. But it requires work; of course everything does.

I'm going to try to... two finger or one finger? I came in late, I don't know. Oh, okay. All right, I'm going to assume it's a one just so I don't lose this.
This one is new, two is add-on. I don't know, okay. Before I lose this, time-wise, let me just quickly respond to a couple of these things. The right answer changes depending on how much time you have; the addition of the time horizon always messes with stuff. So one of the reasons I liked this idea of saying it's like Y2K is we could work backwards, just like we had to for other things: if you only had three months, what would you do? And we've not done this here, maybe it'll happen in Bo and Carl's session next, but I was hoping one of the things that would happen here is, if we knew an attack was coming a month from now, would it be that controversial to say take the water and wastewater facilities' connections down? Like, if you can't afford to protect it, you can't afford to connect it. It's draconian, it's abrupt, it would have inconvenience costs, it could actually cause some harms, but when you know it's coming in a month, the things you might do might be quite different than if it was coming in ten years or three years or whatnot. So I think we should be willing to play with our time apertures.

Thank you. And I think it has to be multi-level in parallel. I love what her team's doing, love it; it's going to take a while to bear fruit. What I also like, though, is once they've done the public education and awareness stuff, it activates us to do this. I like the idea of grants. So to both of your points, there's a lot of grants and there's a lot of cookie-cutter things, but there's not been much local embrace of those. So maybe one of the things this project or this group can do is cultivate and make an easy button, or a package, a care package that says: did you know there is money from the infrastructure act? You just don't know how to do it. One of the things I heard the most coming out of government is, yeah, there's tons of free money not being claimed, and the only people who claim it are the kind of people who professionally do grant applications all the time. So sometimes even when there is a grant, there's still a barrier or a gap that we don't cross. So I'm not saying we all have to be technical threat hunters for our local water facility, but maybe it's not inventing a new thing; it's taking the free CISA tabletop, crisis management in a box, and bringing it to your local community, so you don't have to create the curriculum, you're just bringing the self-service tabletop crisis simulation. Or maybe it's introducing or hosting your local FBI person plus your local cybersecurity advisor; like, we have regional capacity too that no one knows. So I would say I think we have lots of materials in the arsenal. What we haven't realized is no one's going to pull those together but us, and if we can experiment locally and get a program that works, we can scale it fifty statewide.

So for example, there are actually a number of universities and community colleges that are collaborating together. It's not a lot right now, but it's starting to grow and bloom: the idea of a cyber clinic, where, similar to medical school and law school, you provide students the opportunity to get hands-on learning and real-life work experience and practice under the supervision of a professional. So then this is where it kind of hits like the two-for-one, where there are local organizations, like small businesses or a nonprofit or whatever it may be, or even state and local governments too, because there's a project that's happening currently in Indiana where the state government has given funds and also is leveraging both the clinics that are within Indiana State University and Purdue to have that augmented support to help look at what are the assessment needs and how to address the gaps that are in state and local infrastructure. But then, most importantly, it's also then conversely giving students an opportunity to get that work experience. So you end up having these really innovative ideas where it's like, okay, how can we give folks an opportunity to learn and at the same time potentially get that experience to do the job, and then also that will be your local incident response team eventually. And if they decide to, for example, like you said, join the National Guard and become a Cyber Protection Team member, but they also have a day job at the same time, win-win all around.

Right, so how do we start? And that is an excellent point, the talking points, these resources. It's actually been like a year to the date since the National Cyber Workforce and Education Strategy, and we're still doing road shows and we're trying to get the word out, as Josh said: this is where the money is, this is how you access it, and also here are the other local resources that are in your backyard that you may not know. So again, please check out the website, not to defer you to a website, but just in case you're trying to understand what it means when I say ecosystems and how to access different things that maybe are in your backyard: whitehouse.gov/cyberworkforce. But also happy to answer questions after. Okay, go
ahead. So for over five years I've wanted to get involved with different students, all the way from elementary school up to high school, college, community college. The difficulty I've had is I don't know exactly how to start, because it seems very overwhelming. And when I've reached out to and had connections at different universities, the professors who were already teaching sort of cybersecurity curriculum told me, oh yeah, come in and just put together whatever you want and just talk about whatever you want, and I'm like, right, I have a day job; I can't also be a professor. So I don't know if there's something you're providing that can bridge that.

Yeah, can I actually point to... sorry, Miss Jessica, do you mind if I point to you to share your experience? Because you're a living, breathing, walking example of how you're juggling all of that plus your day job.

Oh, you're so sweet. What's up, girl? I love this topic. So this year actually I put together, at the inaugural cyber day at the Philadelphia School District, we had juniors and seniors that came, and also they have a post-high-school program that's non-traditional: instead of going to college they have, like, the six-month boot camp or whatever, cyber analyst being one of them. So I actually just kind of reached out to different people in the school districts. I started with their CISO, because, you know, I'm an executive as well, so I was like, hey, what are you guys doing? So that's just kind of how I got started, because it is definitely overwhelming. We'll say cyber.org, if you're familiar with them, they already have a curriculum put together specifically for high school students and entry level. Also I would suggest getting involved with the local nonprofit. I do the Blacks in Cyber mentorship program, so you can hit me up for that; hit them up, Black Girls Hack, Women in Cyber. I mean, there's a lot of great nonprofit grassroots organizations that really are starting to target K through 12, because it is different. It is different; then you need clearances, you know, they're minors, all that good stuff. But I'd say definitely start there, because those nonprofits usually already have that connection.

Thank you, that's awesome. While you're walking over there: at the collegiate level there's the National CCDC competitions; you can start chapters, those have curriculums and programs, you're just basically starting a chapter. When you're talking about grants, just to the people in the room, there is a resource called localinfrastructure.org, which is a partnership of Ballmer, Bloomberg, Emerson, Kresge, and one other, and it's a resource for small and midsize cities to capture the infrastructure dollars and figure out how to file for grants and apply for grants. And if you're talking to your communities, there's also a lack of grant writers out there that makes it very hard for communities to actually apply for these grants. So I think there's other ways that people could put their hats on to help and do things, but just so people don't reinvent the wheel, I would take a look at that. There's probably links and resources on there; there's webinars for cities on sort of how to do this. There was a cybersecurity one last year, which is on YouTube and you can watch that. But I just wanted to mention that since we brought that up.

Sorry, what's the website name again? Just the site name.

localinfrastructure.org.

Thank you. All right, this is probably the last microphone comment so we can close out cleanly.

I just wanted to comment real quick: don't think that all these vulnerabilities and things are going to be solved by a cybersecurity professional, right? No, the majority of the vulnerabilities are fixed through replacement of hardware, software, things like that, that others can do. They need help, and so maybe instead of five cybersecurity professionals, it's two technicians, an electrician, and a cybersecurity professional. So, yeah, I
don't want the problem to sound overwhelming, that we need to develop this giant army. It's a big, big village.

You know, on that point, we didn't get to it in our two hours, but I'm hoping I can back-brief with Carl and Bo; maybe they can absorb some of this. But I actually think most of our fixes for this two-and-a-half-year time frame are not cyber. So I'm going to end on a teaser. If your water and wastewater in your town, this is just a dark note, but if your water and wastewater is disrupted, how long can your household go without water? And if the answer is you don't know, that's something you can do when you get back on Monday or something. So do you have LifeStraws, do you have iodine tablets, do you have a rain barrel? These are pretty cost-effective, cheap ways to make sure that even if the water is not clean you can have clean water for a bit. Get a bottle of water right now. It doesn't fix society, but it might make you stay in the fight a little bit longer to help your community. And a lot of these aren't adding cyber, it's removing connectivity; a lot of these aren't buying vendor products, it's doing a tabletop with your mayor or your city planner. So back to the top: we are over-dependent on undependable things, and one solution is depend less, analog backups, right? It's not super easy, but in this time horizon I think it's going to be removing complexity, not adding it. We will also do the great stuff that Ayan and team are doing; we'll also reap the benefits of some of these public policy programs at the federal level. But I didn't want to say this last, but I think I have to say this: the free cyber hygiene scanning from CISA scales infinitely. There's no incremental cost, really, for taxpayers to use it. If you're in critical infrastructure it's free. Out of these 7,000 hospitals, now 6,000 hospitals, last I checked when I left CISA there were only 200 using this. Out of the 15,000 water and wastewater, I think there's like under 100. So this is free to tell you what any adversary can see, and against the KEV list. So some of this isn't that we even have to build the next workforce; we might just have to become marketing and lead gen for CISA's free services, right? So let's not cyber our way out of this; let's look at how to be resilient and undisrupted by 2027.

The scan that you're talking about, is this only tailored for IT systems, or is there something that can be utilized against the systems they use in the operational environment, like PLCs and stuff like that?

It's your internet attack surface. It's a simple, lightweight scan for what you can see from the outside. There are other services that cost more, not you, cost more, but cost the government more to provide, that can do things like Validated Architecture Design Review, called VADR, which can look at your segmentation, isolation between OT and IT. There's threat hunting, there's CyberSentry, there's a lot of programs. But the one that's infinitely scalable, that's a no-brainer, people aren't using yet.

And just a quick short story: I used to work at the administrative subpoena program at CISA, and that was meant to be response for specifically not just IT but also operational technology that was connected to the internet. So by the way, that slide that talked about the stuff off Shodan was directly tied in supporting the administrative subpoena program, because what was happening was Congress gave CISA the administrative subpoena authority to go talk to internet service providers to say, hey, we are seeing your stuff online, but we couldn't identify who the owners were of those devices, and we could tell that they were part of that KEV list, the Known Exploited Vulnerabilities catalog. And the only way the ISPs could tell us who owned it was if we had a subpoena; otherwise they would say, oh, we couldn't talk to you, you're not DOJ, you don't have a warrant, and so forth. So regardless, that essentially is another reason: if we could point people to say join this, these scanning services.

And by the way, I misspoke: if there's PLCs on Shodan they'll show up, so OT is in scope if you let it be, but ideally please, please don't. Okay, please join me in thanking our two fabulous presenters. [Applause]