
Discussion on Infrastructure Security | C-SPAN | August 12, 2020, 1:46pm-3:03pm EDT

1:46 pm
>> Democratic presidential candidate Joe Biden and his vice presidential pick, Senator Kamala Harris, will be making their first public appearance this afternoon, just days before Mr. Biden accepts the Democratic nomination at next week's national convention. We will have live coverage from Wilmington, Delaware on C-SPAN, and you can watch it live on c-span.org or listen live on the free C-SPAN Radio app. Today at 3:00 p.m. Eastern, President Trump hosts an event at the White House on reopening schools amid the pandemic. You can watch live coverage of this event on C-SPAN2 and also online at c-span.org. >> Next, protecting U.S. infrastructure from cyber and physical attacks. We will hear from federal officials and security experts, hosted by the Wilson Center. This is about two hours. >> Good afternoon. I'm Jane Harman, at the Wilson Center, former nine-term member of Congress, where I played a role in the founding of the Homeland
1:47 pm
Security Department. I call myself one of its grandmothers, and one of its grandfathers, I'm not sure, is on this call with me, and the rest of you children are the successors. It's really wonderful today that we are having, I guess it's by phone, we've had a lot of Zoom issues, a phone conversation with the panel organized by the Wilson Center's very own Meg King, who heads our Science, Technology and Innovation Program, and a number of the rest of you on this phone. The topic is what is critical, evolving the security playbook for managing ten and everything in between. While it's not as much fun to see you all online, it's not as much
1:48 pm
fun as seeing you in person, but if anyone can make a conversation interesting, it's Meg and our Science, Technology and Innovation Program. Today, as I said, we're joined by the nation's chief risk officer, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Leave it to Congress to include security twice in your title. Chris will talk about how the department has protected America's critical infrastructure in the past and what we need to do going forward. Chris has briefed me frequently as a member of the Homeland Security Advisory Committee and the Homeland Security Experts Group, which does not have security twice, and even showed up last year at the hacking conference in Las Vegas. I was there too; I was a dinosaur in the room. This is his second tour at the department. He was
1:49 pm
senior advisor to the Assistant Secretary for Infrastructure Protection, and he was part of Microsoft's government affairs team after that. Chris has an impressive command, I know this from talking to him, of the threats that we face, and has been at the forefront of tackling our election security challenges and of ensuring our networks remain resilient during a global pandemic, when the workforce all moved online from home and security is harder to verify, et cetera. Chris will give remarks, and then our Berkeley PhD Melissa Griffith will interview him. Then a panel of geniuses [inaudible] from Homeland Security and CenturyLink's Catherine will follow to dive deeper into the challenges posed in securing critical infrastructure, digital
1:50 pm
and physical. And just before turning this over to Chris, how blessed I have been to have him in my life for a decade. He has taught me lots of stuff, especially about all this. Please welcome, by phone, the director. >> I don't know if you've seen me, but I was able to do a couple of runarounds of the office. Did the video come through okay? >> Yeah. >> We see you, but your mouth is not moving, so you may be frozen. >> All right, let's try this
1:51 pm
here. Okay, I think I got it now. Sorry, it's giving us some challenges here. >> That is much better. >> That is much better. >> Okay, here is what we're doing. I'll give you a little bit of an overview. Thank you, Congresswoman, for the overview, and I'll talk to you about the things that we are focused on right now and some of the developments and shifts that we
1:52 pm
have seen in the critical infrastructure risk management space. And just for shorthand purposes, I dropped the security. We made the argument that the second security was an appropriate modifier, so we did not need cybersecurity, but Congress at the time thought it was important to have cybersecurity. Nonetheless, it's a better name than we used to have, which was the National Protection and Programs Directorate, which, if you can tell me what that means, I owe you 100 bucks. It was not a very descriptive name for an organization that is the nation's risk advisor. Primarily our authorities are voluntary, public-private, and what that means more than anything is I cannot make anyone do anything. We have to really understand where the risk is, the shifts, the
1:53 pm
trends and the best practices across industry and government, distill them down into something that is usable, shareable, actionable, and get them out to our stakeholders as best we possibly can. It should not be much of a surprise, but the United States critical infrastructure community is quite large, and in fact, being the American go-big-or-go-home approach, there are 16 critical infrastructure sectors. I say that to be able to contrast with our partners in Europe and elsewhere that in some cases only have five national critical infrastructures; eight is probably the most I've seen in Europe. We have a larger footprint for infrastructure, but we also view it more expansively, and that's important, and I'll touch on that a little bit later. But nonetheless, given the voluntary approach, we do see ourselves as the nation's risk advisor. We're not the nation's risk manager, which would have
1:54 pm
more of a compulsory authority, where I could tell people to do things and then they would do it. But instead, we ask people to do things jointly, or we give them useful guidance that provides value, and we find in that approach, where you do try to understand what our partners see, we can get them to do things. Really quickly, over the last several years, we have identified five key shifts in the way the critical infrastructure community is managing risk. The first aspect is that it is becoming quite clear that risk is shared across all sectors. The second, supply chain risk management is critically important. The third piece is
1:55 pm
vulnerability management is also evolving, becoming more effective. And fourth is what used to be a security practice and has evolved into a resilience approach to critical infrastructure risk management, and that is evolving further into an anti-fragility approach, where you get better with each event rather than just surviving the event. Lastly, we are seeing organizations take a much more enterprise-level understanding of cybersecurity risk management, and that begins with it percolating across the organization. The shared risk across all sectors: it is something that you probably heard me or others say, that as you tackle risks in silos, you will miss the bigger picture. What you're seeing in the last couple of years in particular, adversaries, particularly Russia and China and a few others, don't necessarily come in knocking on
1:56 pm
the front door. What they understand are some of the dependencies between organizations, and they will exploit some of those trusting relationships. There is one event, where the Russians launched a campaign a couple of years ago, where they came in through the energy sector, but not directly into the energy sector; they came in through a construction contractor. And think about Target, breached through an HVAC contractor. Risks are shared across organizations, and part of that is because the commonality of the systems that we use far outweighs any of the unique, sector-specific ones. Control systems are another example. Those things that make water treatment facilities' equipment move, intake and click, that is very similar to
1:57 pm
critical manufacturing. Thinking about hard infrastructure in manufacturing or power generation, a lot of those control systems are consistent, with unique applications on the edge across the control systems. The second piece, as I mentioned, is supply chain. Three or four years ago we had supply chain risk management and it was not top of mind for most organizations. You get to hear on the next panel from folks who think a lot about it, including Catherine, who was my long-term partner in crime, but some of the work that we have done on the supply chain in the technology sector has really sprung up over the last three years through some of the work we've been doing. We should absolutely focus on
1:58 pm
the folks on the panel. Next, vulnerability management. This has in particular come into stark relief over the last six months; it's been a heck of a year for vulnerability disclosure. What used to happen, ten or fewer years ago, we used to have researchers or other organizations find vulnerabilities and release them to the public, and what happened in that situation is you actually gave the adversary, or any number of adversaries, an advantage over the defender. What we've seen rising out of industry with the research community is the development of a coordinated disclosure process, and there's actually a brokering that has happened between the security researcher and the organization: I found this thing, let's work together to make sure we get patches and
1:59 pm
updates, and they're broadly provided, and I can get my credit in the community for discovering the vulnerability. Vulnerability disclosure is something that we do and play a key role in; we manage and fund a project at one of our universities that handles a lot of the facilitation between the researchers and defenders, and we play a broker role. Even in organizations more broadly, we are seeing researchers brought into the development process; we're seeing researchers brought into operations and maintenance, and there has been an absolute surge in programs like Microsoft's, where I worked, that will offer money, in some cases big money,
2:00 pm
$100,000 at least one time for a vulnerability, to researchers that would conduct the research in an appropriate manner, and if they found something, they can hand it over to the company and the good guys get the goods, so the good guys can patch before the bad guys can exploit. The fourth piece is the security-to-resilience-to-anti-fragility shift . . .
2:01 pm
you have to assume the bad guys will compromise your perimeter and, in this case, your networks, in cybersecurity, so how are you guarding or defending the crown jewels? There has been a significant amount of work and an emergence over the last year or so of what is known as the zero trust concept, where you assume the network from front to back is adversary territory, and you have to figure out basically how to have secure communications in an untrusted environment. That resilience piece has a continuing evolution because effectively it turns into a whack-a-mole game. Really excited about the research happening and the adaptations, and this was a big push of prior Secretary Nielsen: springing forward from an incident
2:02 pm
or a response. How do you become anti-fragile? Really, all that is learning in real time and employing defenses that improve your posture, not just maintain your posture, through an event. That is, I think, the next evolution of the security-to-resilience shift. The fifth and final risk shift that we have seen over the last several years is cybersecurity at the enterprise level. Typically, historically, security has been the domain of the security team, and thus the CISO, but what I am keenly aware of is that the security team alone, without executive support and the funding and the push to become more innovative, will never achieve their objectives.
2:03 pm
So we have really expanded our outreach and efforts to not just the infosec team but the general counsel, the lawyers, and the boards of directors, to really educate them that cybersecurity is in fact a business risk, as much as financial risk, and they need to treat it accordingly. This past fall, or coming up on a year now, where did 2020 go? Last fall we issued a Cyber Essentials product that bucketed good security practices into three primary areas: strategic, technical and tactical. The strategic bucket focused on two things. First, cybersecurity starts with leadership; you will only have a successful program if your leadership buys in, supports it and takes part. The second piece on the strategic side is you have
2:04 pm
to have a security culture throughout the organization. Anybody that touches the network or has a device on the network is part of the team, and you need to make sure you are defending them properly, but also that they have the tools and resources to secure themselves. So, again, it's not just about the security team but getting the executive buy-in, and that is important because once you have gotten awareness where you need awareness, and principally I'm talking about capital expenditures and investments, once you've got that awareness and the ability to set the organization's budget, then you will get the investments, and through that investment is where the real capability shifts and you close the gap on security. I will wrap it up there before we shift to the fireside chat, but the five things we really have seen a significant shift in over the last several years: risk is in fact shared across
2:05 pm
sectors. The second is supply chain risk management is as important a discipline as cybersecurity in itself. Third, within cybersecurity, vulnerability management is the place, or one of the places, you can make the most advances to secure the network. But relatedly, it is about resilience and about zero trust approaches emerging, and if the leadership is not bought in at the enterprise level, then you will never get where you need to, both on the investment side and capability development. With that, looking forward to the fireside, so I am not sure if it is going to the Congresswoman or -- yeah, or Melissa. >> Thank you, Director. We have the first question, and they have a burning question for you.
2:06 pm
>> I actually have a two-part question, and it is an observation. I think you are a breath of fresh air. You are brief, and every time you give it, and now we can see you, we were just going to hear you but now we can see you, I think you are a great, great credit to the administration and the department. My question is, first, the recent hack of all the fancy Twitter accounts was principally done by a kid of age 17 with two accomplices. That begs the question, do you have the people you need to stay ahead of 17-year-olds, metaphorical 17-year-olds? The second part of the question is, I recall back in the old days when we were putting together the department and doing intelligence reform, we kept talking about the need to change from a need-to-know culture to a need-to-share culture, and obviously sharing is good; however, sharing also means you have more
2:07 pm
vulnerabilities. So I guess, do you have the people, and is this need-to-share idea still the tagline, or is there some new one that I am missing? >> On the hiring piece, I had suspected it was probably not a nation-state but criminal. Particularly in cyber, I'm not sure if it matters if you are 45 or 17, which speaks to the ways we need to evolve our hiring practices. The standard General Schedule approach is based on a system from 1929, an almost clerical hiring approach, and for supporting it, it really prioritizes experience, college, postgraduate
2:08 pm
degrees and certifications, but that is just not how cyber works. I have found there are some candidates that we are getting who come out of college and graduate programs and then are experienced, and there are others that I am getting, 17, 18-year-olds, that apply through practical, operational, effectively experience in security research and online white hat hacking because they can turn on a computer. We've got to reconfigure the way, we've got to think about hiring and talent tools and maximize those approaches, and that includes a diversification of the K-12 education system but also, to your point, two-year colleges.
2:09 pm
As a trade, almost, in institutes, rather than going to law school or something like that. But also along the same lines, I think about STEM education, and as long as we factor in that security has to be a part of technology in education, I think we can get away from this overwhelming or ongoing narrative that there are cybersecurity jobs open. If we can make more stuff secure by design and deployment, then we won't need all those, we won't have all those cybersecurity openings, but that is just to put more pressure on the technology jobs. The second piece, on info sharing: I was hoping in 2015, when the Cybersecurity Information Sharing Act of
2:10 pm
2015 passed, that we would never talk about information sharing again, and I was wrong; it refuses to die. But the way I look at it is, it is not so much the ability to share information, but it is that we need to operationalize our partnerships. We need to make sure that the things we are aware of and what we are able to do is reducing risk. One quick example of why I think the 15-year approach we have taken, at least in cyber, is off, is that we talk in generalizations: share what you've got so we can stop the next attack. When it is that general and people can't say maybe that thing is important and I need to share that thing, you don't make the progress or get as many people involved. But when you figure out a specific objective and you decide we are going to defend the 2020 election from foreign hackers, okay, that is something
2:11 pm
I can scale my resources to address that issue. Who do I need to work on that team? If we get state and local, the Election Assistance Commission, and the Director of National Intelligence, NSA, CIA, Cyber Command, FBI, let's get everyone together, and then you can, in a much more practical and executable manner, share information with a purpose that has the right context around it. That is where we are seeing the most progress right now, and to a certain extent this is a model that we developed from 2018, the midterm elections, that we then used earlier this year with COVID, under what is now known as Operation Warp Speed, the development of a COVID vaccine. In early March, March 15, I issued a paper to my team that said here are the things we will do to
2:12 pm
support the COVID response. It's not just about vaccine and therapeutic development but about PPE manufacturers, hospitals, group purchasing organizations, and I called it Project Taken, and I was watching late-night TV as I worked during the initial quarantine, but it was just like the Liam Neeson character in the movie Taken. We were going to send a message very clearly to our adversaries: you don't mess with us, and if you do, they will come and find you. We had work to do on the defense side, and it is the same model we use for elections. We are using it right now in 2020. That is why we have this fairly confident spring in our step, that we've made significant progress in protecting our elections here in the run-up to 2020. But just like those risk shifts I mentioned, going from security to resilience, there will be opportunities for bad guys to wreak havoc, and we have to be ready for that and have analog
2:13 pm
or backup systems in place that will allow the election to go on under the Constitution and the law of 1845, and we've gotten a good education on that over the last week or so, so that is what we are focused on now. >> Thank you. >> Wonderful, thank you. That was very helpful, to talk through these five different areas of risk and how you have seen those shifting. I had a couple of questions for you, being mindful of your time, and thinking through the moment that we are in now, risk management or risk advisory given our present circumstances. But the first relates to the election, which you just briefly touched on in your answer to Congresswoman Harman. Could you talk about the ways in which our elections are now more secure in 2020 than they were in 2016 and 2018? Not just the priority of security at the strategic level but, as you put it,
2:14 pm
operationalizing that in practice across various states across the U.S. >> Yes, three top items come to mind. First and foremost, what we have right now is a vibrant election security community of practice. We've got state and local election officials alongside federal government partners across agencies working toward the same purpose, working in established mechanisms, and with a clear understanding of the roles and responsibilities. In 2016, no slight to the prior administration, but as a matter of how things transpired and evolved, my team, as a critical infrastructure lead, frankly did not know how elections worked. We did not know who within the federal government had primary liaison responsibilities for elections. We had to figure that out on the fly and then build things that are sustainable and enduring here. Again, this community of
2:15 pm
practice that is working, and here's one example. We've got an information sharing and analysis center dedicated exclusively to election infrastructure. That spun up over the bridge from '17 to '18, and we have 50 states and 7,000 jurisdictions getting benefits out of that partnership. The second piece is there is absolutely a night-and-day difference in the security awareness posture of state and local election networks and in the resilience measures that have been built in. We have intrusion detection that has been deployed across all 50 states, on state election directors' and secretaries of state's networks. In fact, in some states we've got them on all counties. Florida, because the election is always Florida, we've got our intrusion detection system on all 50 counties down there. We can take signatures that we derive from a number of
2:16 pm
different sources, including formerly classified signatures from the intelligence community. We can put them on those sensors, and they alert, and we can investigate and respond. We've also, as I mentioned in that third shift, really worked on vulnerability management, transforming the vulnerability management processes of our election partners. Last week we released guidance on how to set up a vulnerability disclosure program, and we have been working on that for about one year now. We are seeing behaviors improve; we've seen the patch times, the rate at which they are patching and the timeliness of it, cut in half. In this case, being cut in half is a good thing: from 60 days to 30 days. We need to get that lower, but absolutely. Last thing is, we've done a lot of work on, actually, two more things. We've done a lot of work on
2:17 pm
really isolating where the risk is. The things that get blown out of proportion are the voting machines that don't have paper records, direct recording electronic equipment. They have vulnerabilities in general, and if connected, they are susceptible to hacking. While it's true there are vulnerabilities in those systems, that is typically not an attack at scale and certainly not in an undetected manner. That said, there are other systems that are centralized and highly networked, like voter registration databases and reporting, that could have a scalable impact, but we are still very confident that we would be able to detect any sort of manipulation at scale, which is an important thing to point out: even in 2016, and to date, there is no intelligence whatsoever that suggests a bad guy was in a position to change a
2:18 pm
single vote or be in a position to do so. Last thing on this front: in 2016, 82% had a paper ballot backup, and right now for 2020 we are on track, we were on track, but we will exceed that, and it will be over 92, 95% with the increase of absentee ballot voting that is happening across the country. So for us, anytime you get paper into the system, that is an opportunity to audit, and auditing is a good thing. The last piece that has changed so much, and I think again I talked about it, but we had that interagency template, that playbook for how to work together seamlessly between the intelligence community, and the IC is over there working to
2:19 pm
detect bad guys who want to do bad things. The Department of Defense is over there, where they disrupt the bad guys who will do bad things. The FBI is here looking to disrupt and prosecute, and then we are helping protect. That is the name of the game right now, and again, I think we've made dramatic improvements, and probably the game that will be played by our adversaries will be more hack-and-leak or the disinformation space. >> Wonderful, thank you. In addition to elections, there is an area that has been of great concern to people watching the news and our country in general. There's another risk that was heightened in 2020, and it has to do with the pandemic and virtual systems. As you know, here at the Wilson Center and everywhere in the United States, there was a sudden, rapid shift to virtual work, and we rely on virtual infrastructure, and it's a new pathway
2:20 pm
for cyber vulnerabilities and cyber attacks. Could you talk about what you have been doing in the space around digital networks and digital vulnerabilities? Because it's an area where, unlike elections, you didn't have several years to get your hands around the problem, but it hit quite rapidly in 2020 and on a very large scale. Could you talk about your advances in that space? >> Yes, three things happened. We were focused on three things is a better way to put it. First and foremost was really understanding the way the risk landscape had shifted due to the relative importance or criticality of a number of different functions or organizations. Typically, when you think about the risk formula, it is some kind of combination of threat times consequence times vulnerability, with a dash of likelihood on top. What we saw more than anything was an increase in threat, or at
2:21 pm
least a focus on COVID response, but a dramatic shift in the consequence variable. What I mean is, a year ago, if you lost a company like, or even better, if you lost a hospital in New York City this time last year, it would not be the end of the world. What I mean is you could shift patients or transfer them to other medical care facilities. In the deepest, darkest point of New York City's response, if you lost a hospital due to a ransomware attack or something like that, no joke, people would die. We spent a significant amount of time understanding the impact, what really is our most critical infrastructure list, understanding that, and focusing the assets against that. We also spent time, and I think you will have Daniel Cruise talk
2:22 pm
about it in the next panel, but thinking about supply chain lines again, that second risk shift: how did supply chain impacts change the way the critical functions were performing here in the U.S., whether disrupted because it was coming in from somewhere in China but due to a shutdown of exports you lost it and so you couldn't move forward. Understanding the risk shift and developing programs and protocols around improving the resilience. But to my second piece, what I already talked about with Warp Speed, is supporting the national effort to develop vaccines and therapeutics, bringing them into our efforts and providing them services, including vulnerability scanning, remote penetration testing, incident response, and partnering with the intelligence community, but not just as
2:23 pm
organizations, because for the most part these are large organizations with well-capitalized defensive teams, but also their supply chains, and their supply chains are global in nature, so that required us to work with folks in Europe and Asia to make sure that when we look at a supply chain from left to right, stem to stern, whether we were doing it or partners in the UK or the Netherlands, they understood what we were worried about and they could put their resources to protect that part of the supply chain, while at the same time they shared their stuff with us and we would protect their stuff here. So really this is turning into a global effort to protect supply chains, and for me another validation of liberal democracies coming together to protect what is necessary for, just, you know, a good way to say it, humans in general, which then further underpins our
2:24 pm
election security efforts. Last thing, that digital transformation shift, as every organization out there moved to some kind of remote work or telework, and in doing so they've invited a whole bunch of risk, and that is where you go to that third risk shift and vulnerability management. If you use a VPN, make sure you are patching it. If you are using a remote tool like this, make sure you've got it securely configured and are using it in an appropriate way. We set up a few things, including a digital transformation and telework resource hub on cisa.gov that gives nonprofits and the private sector guidance and tips on how to use this, and these are the things you need to think through. We should continue that digital transformation, but I suspect, as an organization like Google says
2:25 pm
they anticipate being in this posture till next summer. Some folks might come out the other end of COVID and say maybe I don't need all that real estate and those big shiny office buildings, and people can work from home. I think there will be a lot of people like that, so this is a service for us, and we are not going anywhere anytime soon. >> The last question we have is moving away from this digital space into a more physical space. You mentioned supply chain management and supply chain risk. We also know, working through the pandemic, there were many failures in the supply chain and many concerns, whether it was what you needed to make a respirator or vials for hospitals, and many limitations with securing the supply there. We know we can't produce everything we use domestically within our own market, across every ecosystem. Could you give us a sense about what you are
2:26 pm
doing to understand supply chain, and specifically how do you differentiate between something that is critical and something that is not? Because many of these things would be considered critical prior to March but are now seen as much more critical. >> This goes to, again, the second shift. Four years ago, look, supply chain risk management is nothing new, but I think the amount of focus we are putting on it right now is for a couple of reasons. One, it is becoming blatantly, painfully clear that our trade partners and dependencies don't have our interests or don't share similar values and could, at the drop of a hat, use that tension against us. I made it a top priority here when I came over to put security, or supply chain risk management, on top of our security list. We've got five priorities here, and
2:27 pm
that doesn't speak ill of the other things we do, but you should aspire to be contributing to at least one of the five. First is federal networks, second is election security, third is [inaudible], fourth is control system security, and fifth is China, supply chain and 5G, which is the proxy for that conversation. In general, we set up, about two years ago now, yeah, the National Risk Management Center, which is the hub of the activity for supply chain security, and they are two years old effective Saturday, so happy birthday to the National Risk Management Center, now set up in New York City, but that is the home for our Supply Chain Risk Management Task Force. Catherine is a big contributor there. The thinking, at least in part, was there
2:28 pm
were organizations out there that do a very good job of supply chain risk management. The problem is there's a high barrier to doing it successfully elsewhere, and so what we wanted to do, to a certain extent, was democratize supply chain risk management and bring everybody along so that you can do it well. So how and why do you do it well? Let's distill those best practices from across a number of organizations, pull it together and share that out along with implementation guidance, as far as we can. In part, that helps these organizations do it well by sending it down their supply chain in a meaningful way, but it also identifies those areas where we don't do this part well, where we have challenges, and this is a challenge, so how do we overcome that, including additional legislative authority for the organization. You know, that has been brought into, really, again, acute
2:29 pm
awareness over the last several months with covid and, as i talked about, some of the issues that we have seen whether it is this widget or that widget or even just a lack of workforce, but what we are undertaking right now within the task force is, okay, right now with covid we understand a few things: that we have a lack of diversity for certain components and just-in-time delivery doesn't work when the global logistics chain is being disrupted. one of those really critical infrastructures that needs to overcome that and needs to overcome the security threat and again, the fourth shift, become a more resilient, anti-fragile organization, and how do we
2:30 pm
overcome that? part of it could be through reshoring and part of it could be going to our other strategic allies and helping them, but ultimately we really, truly need a more diverse global marketplace for dependable components, trusted componentry, and 5g is the absolute best example. on the china front, if 5g is the greatest technological development for critical infrastructure over the next decade, why on earth would we put the control plane for that infrastructure in the hands of an adversary that time and time again reminds us of who they are and what they think of liberal democracies. to me, it is a nonstarter. one of the best ways to overcome that is to help lead and innovate on trusted alternatives for us and our partners across the globe.
2:31 pm
hopefully that gives you a bit of a sense of where we sit across the risk management spectrum and it's been, as i sit here, a good conversation and a good way to work through some of these things. >> thank you so much. please join me in thanking director krebs for giving us not only an update on the evolution of how they thought about risk across five different categories, but also an update on the current risk management or risk advisory challenges that cisa faces in terms of the pandemic and the election. we will go ahead and pivot to the panel section, so thank you for joining us. director krebs, thank you for overcoming our own digital system problems at the beginning of the call. >> it's been great. goodbye now. >> we are going to pivot to our panel. we are joined by three experts with very different portions of
2:32 pm
the u.s. ecosystem who can talk about risk management and critical infrastructure from different vantages that will make for a productive conversation. before i introduce them i do want to put a call out to the audience who is listening in from various parts of the u.s. if you have questions that you would like to ask our panelists we will be fielding some of those questions at the end. please, go ahead and e-mail them to our e-mail address spip@wilsoncenter.org. please e-mail questions and then we will field some of those at the end. these panelists have been introduced by congresswoman harman but i will briefly remind you who they are. we are joined by the assistant director of the national risk management center. thad allen is a senior executive advisor at hudson analytics.
2:33 pm
and kathleen, senior director of national security and emergency preparedness. thank you for joining us. to kick off the conversation today, one of the focuses for this conversation is not just where we have been, what has been the evolution of critical infrastructure protection to date, but where are we going and what is the future of critical infrastructure protection, so i would ask all three of you to reflect, from your vantage or where you sit in the ecosystem, on an area where you think the u.s. has made the most progress to date in critical infrastructure protection and an area where you think the biggest challenges still remain. we will go ahead in program order so we will start with you, bob. >> sure. thank you for having me, melissa. good to be here. we worked together closely from time to time. it's good to see them. i have to speak after my
2:34 pm
boss and he's more eloquent than i but i will reference his remarks. i think in terms of progress, it is manifest by the fact that we are in a partnership structure and the trust that has been built in terms of the ability of industry and government, and across government, to work together on challenging risk issues, and in the consistency of the framework and authorities and how we know we work together, and exercising what has been put in place and using them consistently over time through a lot of stresses on the system. we lived through a lot of high-priority issues whether it is an incident like the covid pandemic, dealing with hurricanes and we had to deal with that, and people that we have to deal with and the emergent challenges. we have a group of people who know how to get together, think about risk and share information
2:35 pm
and come up with solutions and go after the problem. i would like to go after the problems before they become the front page, before they become an incident, but things that will make us more secure but sometimes it isn't until the incident happens that we get an opportunity to address that. when i think about progress, what i think people are proud of is the trust that has been built in the collaboration and then using that trust to make the country more secure around that. i start with that as something that i always highlight and there are times, in the 2016 election we didn't have those structures but we used the same playbook to build the structures to work with secretaries of state and private vendors and having the opportunity to build a critical infrastructure sector on the fly felt very similar to how communication companies and energy companies and banks et
2:36 pm
cetera. the area where i think we need to continue to make more progress is, you know, actually continuing to blend those capabilities together to more quickly solve problems. more quickly field capabilities, i guess. we've got to have identification of problems and solutions, but can we come together more quickly to field things that will make the country more secure and blend authorities to stimulate innovation, to allow industry into the conversation, so we can put these resources toward making infrastructure more resilient if we can share information and come up with solutions and field solutions, but i would like to talk more about that going forward. >> wonderful. thad, would you like to take it away?
2:37 pm
>> yes, thank you. i apologize. i'm in the hinterlands of pennsylvania here. i would like to expand on what bob said because he is on the right line of effort that we need to be dealing with. look at what has happened in the world today, we are dealing with greater levels of complexity whether it is the scale or scope or a novel virus that we have not dealt with before. increasing scale and complexity, and the complexity becomes a risk aggregator and it's important to understand; it is becoming more well-known to everybody. when i talk about complexity i'm talking about complexity that starts to break down legal frameworks and standard operating procedures, training, tactics, procedures and any structure that has been created to model how we will respond to these things, and we're finding that they don't scale very well when we're dealing with a large event. that has been exacerbated by the fact that technology has accelerated faster than we can
2:38 pm
keep up with, and just the inability to keep up with the international legal frameworks of cybersecurity and so forth are a testament to that. this notion that you have to address complexity as a risk aggregator, and the other way we can do something, in my view, is the expectations of the american people, they have to be coproduced, and the only way you coproduce an outcome is you introduce a unity of effort, and what bob was describing is transformative, making a unity of relationships. if you have a model and a way to think about it and then you have previous encounters of planning or exercises or tabletops or just working a problem set, it will allow you to address it. i think whenever you talk about challenges to infrastructure in the country, you have to think of coproducing outcomes and how to organize those outcomes and that is through
2:39 pm
unity of effort. i would agree with bob we are making a lot of progress there. one area i would like to throw out for discussion later on, and it connects back to what chris krebs was talking about, we live in a digital world, we are all digital citizens and i am not sure what the level of maturity is for our government or citizens to operate in this environment, but one thing that connects all critical infrastructure together is the electromagnetic spectrum through which wi-fi signals and everything passes. it is a new domain that touches everything and we will have to manage it as a domain. right now we handle spectrum on a basis through the federal communications commission and we have auctions to deal with spectrum like it is a property right but it's an enabling domain that connects all critical infrastructure together. i think we will have to get our arms around that to solve these problems because that is the connective tissue that ties everything together.
2:40 pm
thanks. >> thank you. catherine. >> one, again, thank you for inviting me. i absolutely agree with bob and thad. let me give a slightly different dimension. we talked about process and being able to collaborate and i am at the point where the thing that i find, where i believe the u.s. has made the most progress, is taking it down a level from the analytical thoughts. i think people should have a rough sense that things are critical in that we do rely on things but i have to get [inaudible] fraction is focusing on functions or services rather than things. post-9/11 we put the guards and gates around the building and that is important, and i am not saying it is not, but it in my mind is an academic reach and an
2:41 pm
intellectual reach that we are now focusing again on the functions and the services because decoupling, if you will, whether or not it has been able to decouple, makes us think differently about what it is we rely on and whether or not we rely on it, and i think also makes the plans and makes the arrangements so that you know what you do need to focus on. now, i think that even in those environments where we have operated on the guns and guards and gates and let's take care of that thing and that building and that manufacturing, even in those domains the interconnectedness of those capabilities is that that manufacturing thing will rely on lots and lots of other things and if we do focus on what is important in that factory, it does need 5g spectrum which is
2:42 pm
connected to the wireline which is then supported by the power which came from distribution and generation and you then start to unpack what it is that needs to be assured. i think going forward the fact that we are moving in this direction is both the most progress and also the most challenging. i think there is a knee-jerk reliance, we need gas for my car if you will evacuate from a hurricane, but where does the gas come from and how did you get to the station and what powers the station and, you know, to unpack all of that is, in many respects, i think, intuitively obvious but only once you stop to think about it. i think the average person doesn't and they don't necessarily have to do so but during covid right now i think
2:43 pm
people are thinking about their supply chains a lot differently because it has become very personal. the effort to focus on what are the most important functions and services and what supports that, plus having been able to unpack that and to do the deeper analysis so that you can focus efforts on the resiliency and the anti-fragility of those things. the most progress and the most challenge and it's all in the same breath. >> thank you. i want to take a step back and talk about something all three of you referenced, which is this question of what is critical. we have an entire panel in two hours dedicated to critical infrastructure, critical functions, critical services and i don't think you necessarily take the time to think about what is critical and what is it for the energy sector and main providers and is it the downstream or upstream dependency of those providers, so they include things like cloud
2:44 pm
computing, open source software. we want to hear from each of you, in your mind when someone says critical, critical function, critical infrastructure, critical services, what are the types of things that come to your minds? have they evolved and what pieces are you still missing? whoever would like to take it first. >> let me just tack on to what catherine said and give you more background to answer your question, melissa. what we did last year working with industry and government was to define the 55 critical functions. those are the functions that are so critical to national security, national economic security, national competitiveness, community well-being that if they break we are in trouble. the functions, 55 is a long list, but if you look at any one of the 55 [inaudible] there will
2:45 pm
be, i can guarantee you. that is publicly available and has things like generate electricity and extract reserves and run identity management services, communicate wirelessly, conduct elections, and those functions are critical and what we are trying to assess constantly is how those functions are produced. are there geographic components? some of them exist virtually because there are no geographic components and some are where you can point to and they get delivered through a data complex system there or the houston shipping channel and some of them, every area has a known watch. you can look at how they are produced and how they grow and what areas are interdependent and what software helps produce those and you see at the
2:46 pm
functional level how they are together and then within that you value that and then you say is there a scenario happening and will the area essentially fail or degrade it at the national level, and then you can prioritize which companies contribute to the function, which software, which hardware across, obviously things like control systems are important to function, and you mentioned open source software and computing, and so what we are trying to build out is, based on our understanding and the functions that matter, the architecture of how they are created and then whether there is a scenario by which something in the architecture can break and then cascade across the functions and you get to systemic failure at this point. that is how we are thinking about it. i make the comment that 55 seems more than 16 but it has narrowed the things that really matter to us because there are only a few
2:47 pm
geographic components of infrastructure around the country that can cause a function to fail, and there are only certain hardware components that are so ubiquitous that you can cause a functional failure, and we looked at covid and there aren't a lot of things that have caused national infrastructure to be significantly stressed because of covid, only really the health infrastructure, but other things have withstood with resiliency. that is how we are thinking about it and it allows us to propagate that down to where you can manage risk. >> this is thad. i would like to add onto what bob said. when you're talking to the american public they have a hard time understanding the interdependencies and how all this comes together because it's so very complex and if you add together the electromagnetic spectrum as he talked about earlier, it gets very, very complicated. when i think of critical infrastructure maybe a better way to think about it is what is
2:48 pm
the supply chain that produces an outcome that is critical to national well-being. we are finding out it's not a set of sectors, as bob said, but a chain of production that produces an outcome that benefits the general welfare and we want to have supply chain assurance for those outcomes and in particular, it could be health or something else, but i think that is a better way to talk about it because what you are looking at is what enables human beings to walk around and function normally and not only in the united states but globally. i would say when i think about critical functions i think about those functions that are critical to the well-being of citizens and how you produce them and that goes back to my original comments about complexity and when the legal framework starts breaking down or technology exceeds policies and laws and stuff like that, how do you pull
2:49 pm
that supply chain back and make it work to produce the outcomes expected by the american people. for an example, bob is familiar with this. he probably knows where i am going already. there's something we take for granted in this country all the time and that is included in the functions that bob talked about. that is the provision of time and how we synchronize time and how do we time financial transactions and how do we synchronize cell phone tower operations and how do we phase electrical production, power production, and the fact of the matter is the gps system for the united states provides three things: position, where you are, navigation, and time, what time is it. time now is being parsed down to the nanoseconds for the purpose of timing financial transactions and everything else. you would be amazed to understand what has to be synchronized in terms of time to make things work right in this country. it brings us to the
2:50 pm
vulnerability of gps and what would happen if we did not have the shared position, navigation and timing that it provides. public service announcement: i chaired a space-based timing advisory board to the executive committee management across government, but just an example, a type of function not generally recognized by the public but that affects everything they've got, gps chips are ubiquitous in almost any type of personal item we have right now to industrial control systems and so forth, but that would be an example of a service or a function that is critical and affects everything in the country and affects all these outcomes and affects the general welfare. >> catherine, would you like to weigh in? >> i think the original question was, you know, [inaudible] and i'm all over the pnt. you know my company and that sector is all over this.
2:51 pm
your point is well-made that does the average person realize that to be able to, i don't know, do transactions at the grocery store, that there is a timing element of that debit card going into the contactless, and i think that is fair, but i do think the partnership that has evolved, certainly between the critical infrastructure sector and dhs and other departments and agencies, is, sort of, creating an environment where the thornier questions can start to be addressed. i think one of the things that we get is what is essential and what is critical is in the eye of the beholder. i think that point is well understood that the average consumer is trying to get away from hurricanes and he wants gas in his car to get out of danger. on a simple level that is the service that allows them to thrive. certainly, you have higher needs
2:52 pm
to have shelter and water and all those things got mashed into the critical functions. i think though that we shouldn't start to overstate it. i think one of your original questions was, is it open source software things that are now critical? is the cloud critical infrastructure? these are all amazing capabilities that help enable resiliency and good services in the national way, but i think once again it came down to, and we saw this in covid, did i need logistics so that stuff could be [inaudible] and yes, i did need that critical function. did they use open source software? did they use cloud infrastructure? undoubtedly. does that mean all open source or cloud infrastructure is critical? not necessarily, but it does mean
2:53 pm
all mediations are, but i think the critical [inaudible] but i think that for dhl, fedex, u.s. postal service, amazon they would say their use of their cloud and their open source software, that was critical, not the whole thing as a category. once again, as you start to unpack and unpeel what is critical and essential and what you really do have to protect, i think it comes down to what is it that you are trying to do that is important and then you unpack your own architecture. you can follow the stream to better assure it. >> i think that goes back to a point that was made earlier both by director krebs and all three of you in slightly different language, this whole of society, unity of effort, once we have identified what is critical, whether it's a
2:54 pm
function, an infrastructure, it is a question of how do you protect it and ensure its resiliency, and one of the more challenging things about dhs is its size and the sheer diversity of players that you are dealing with. another challenge is that a lot of this is voluntary, where in other countries that may be less the case, where there is a much more robust legal framework that requires certain things of industry across the board. could you talk about, from your vantage, the maturity of our whole of society or unity of effort in a particular sector, the maturity of that model and what are the lessons that you can pull from other areas to expand across the country and more broadly? >> are we sticking to the same order? [laughter]
2:55 pm
>> in the voluntary versus requirement statement that you just made is the idea that somehow if we're placing requirements, more will happen, better. i want to push back a little on that. requirements only make things better if they are smart and enable innovation and don't get locked into a compliance culture. i was hoping catherine would go first because the communications sector, as much as anyone in here, has a history of grappling with the balance between voluntary and what needs to happen in a regulatory environment that would stifle innovation, and innovation that needs some rules to come behind it to make sure that innovation does not create too much risk. there's a good dynamic tension there and what we are learning, again, i look at what we just lived through or what we are living through in the pandemic, and communications has withstood the challenges of the pandemic and i think the way
2:56 pm
we shifted the way we are communicating, that we are all being decisive and we want certain precision and all that, so i think there are lessons there around it and i don't want to suggest that what we need is more national security requirements on top of industry to do more than they would do, but then there are areas where for whatever reason additional requirements might make sense because it drives additional investment and it allows risk outside of the control of the firm to be managed around that. what we are trying to do is identify where risk is not being managed up to a level of national security interest and try to close that gap in partnership with industry and across the sectors, but the way you do that is not to put a bunch of different rules and demands on you that don't make sense, but the healthy tension of learning,
2:57 pm
but the reason i return to the beginning is i think we can come up with sort of the source and then talk through what is the best way to close those gaps rather than assuming; what is the right government intervention to help close those gaps and it's not necessarily rules but getting out of the way, clearing rules or stimulating investment or things like that. >> yeah, bob, i appreciate that. i'm currently working with the business executives for national security on some changes to be recommended in the interim before the next phase of covid and one of the interesting things with the former fema director is this tension between, in the supply chain, the more efficient you get the less resilient you are, and so there will be this trade-off between how resilient you want to be and there's a cost
2:58 pm
associated with that and part of the community of effort and unity of purpose moving forward, so one of the boundaries relates to the trade-offs between efficiency and resiliency or however you call that, moving forward, and just like it's been -- bob knows as well, but everybody who has spoken today knows very well that it's been a long hard slog to get them to understand their role in managing cybersecurity, so i think unity of effort will be based on a public-private conversation of a trade-off between an efficient supply chain and resiliency and how you allocate those costs. in some cases if it is critical enough there will be a mandate by government and then it will have to be passed on to the consumers for their costs. the 1990 mandated response equipment and certain things that could be done; there were federally issued regulations that sprung
2:59 pm
up with that response industry that was passed on in the price of goods to the consumer. you've got to get in and talk about that spectrum and find out what the most efficient allocation of capital will be moving forward. thanks. >> hello. communications sector here. [laughter] i think it is fair to say we do have a fairly long-standing relationship with government dealing with security, risk and resilience issues. it was understood decades, decades ago that you can't weather a storm if you can't communicate or weather a storm if you don't have help. ours has a deep relationship. i think over the course of time we've ended up having, sort of, i will call it three paths to progress. we have a path to progress that says government comes to us and says we think we have a big problem and maybe that is pnt issues. that is a big problem which is
3:00 pm
not something that [inaudible] can fix alone. you take the problem, do a risk assessment and then you sort of figure out is there a way to mitigate the risk or something that we all have to do and then hopefully over the course of time you end up with the risk mitigation. ...
3:01 pm
>> about a five-year span. it takes that long to sort of assess the problem, measure the problem, come up with a
3:02 pm
solution, create a plan, test it, make sure it actually works. that's not irrational. but i think the two points that have been made are really -- [inaudible]. there are certain things that you can do as an owner operator that make sense; generally things with security, resiliency or continuity of your service are generally noncompetitive so there's not like a huge, you know, bridge there. but there are certain requirements that are so far beyond what you can deliver as a business that then you do have to have the discussion with your government partner, you know, we would love to do this for you, but then all of a sudden, you know, internet service is going to jump by a factor of 12, and the average citizen can't afford to pay that. we're happy to do it, but are you going to pay for that? this is not just comms. it is all the sectors. there will b