tv   Discussion on Infrastructure Security  CSPAN  August 6, 2020 3:42pm-5:38pm EDT

3:42 pm
>> next, protecting u.s. infrastructure from cyber and physical attacks. we'll hear from federal officials and security experts hosted by the wilson center. this is about two hours. >> good afternoon. i'm jane harman, the president and ceo of the wilson center, former nine-term member of
3:43 pm
congress where i played a role in the founding of the homeland security department. i call myself one of its grandmothers. one of its grandfathers, that would be thad allen, or i think he's one of the grandfathers, i'm not sure, is on the call with me and the rest of you children are the successors and i think that it is really wonderful today that we are having, i guess he's by phone now, a lot of zoom issues, with chris and a panel organized by meg king who heads our science, technology and innovation program and a number of the rest of you on the phone. the topic is what's critical, evolving the security playbook for managing ones, zeros and everything in between. while it's not as much fun to see you all or some of you on
3:44 pm
line, chris is on the phone, it's not as much fun as seeing you in person. if any group could make a conversation interesting it's our science, technology and information program. today we're joined by the nation's chief risk officer chris krebs, director of the department of homeland security's cyber security and infrastructure security agency. leave it to congress to include security twice in your title, chris. chris will talk about how the department has protected america's critical infrastructure in the past and what we need to do going forward. chris has briefed me frequently as a member of the homeland security advisory committee, and the homeland security experts group, doesn't have security twice in either name, and even showed up last year at the hacking conference in las vegas. i was there too. i was a dinosaur in the room. this is chris's second tour at the department.
3:45 pm
he was previously senior adviser to the assistant secretary for infrastructure protection and part of microsoft's government affairs team after that. chris has an impressive command, i know this from talking to him, of the threats we face and has been at the forefront of tackling our election security challenges and ensuring our networks remain resilient during a global pandemic and when the workforce -- even when the workforce all moved online from home where security is harder to verify, et cetera. chris will give remarks and our newly minted berkeley ph.d. public policy fellow melissa griffith will interview him. then a panel of geniuses with the able thad allen in his pick-up truck, homeland security's bob polasski and centurylink's kathryn condello will follow to dive deeper into the challenges posed in securing critical infrastructure both digital and
3:46 pm
physical and just before turning this over to chris, let me say again, how blessed i have been to have meg king in my life for a decade. she's taught me lots of stuff, especially about all this. please welcome, i think by phone, the director, chris krebs. >> hey [ inaudible ] i actually -- i don't know if you're seeing me, but i was able to do a couple runarounds here at the office. does the video come through okay? >> yeah. >> okay. >> great. >> we see you but your mouth isn't moving. you may be frozen a bit but we can hear you. that -- all right. here's what i'm doing. >> okay.
3:47 pm
okay. how is that? all right. let's try this here. okay. all right. i think i got it now. sorry. it's giving us some challenges here. >> that's much better. >> it's much better. >> came. all right. here's what we're doing. i will give you a little bit of an overview of what we do. thank you, congresswoman, for that overview. i will talk to you a little bit about the things that we're focused on right now and some of the developments and shifts we've seen in the critical
3:48 pm
infrastructure risk management space. as pointed out we are the cyber and infrastructure security agency. for shorthand purposes i drop that first security. we made the argument that the second security was an appropriate modifier, that we didn't need cyber security, but congress felt it was important to have cyber security and infrastructure security. it's a better name than we used to have, the national protection and programs directorate, which if you can tell me what that means, i'll owe you $100. it was not a very descriptive name for an organization that is the nation's risk adviser. primarily our authorities are voluntary, public/private partnership oriented and what that means more than anything is that i can't make anyone do anything. we've got to really understand where the risk is out there, the shifts, the trends, the best
3:49 pm
practices that are happening across industry and in government, distill them down into something that's usable, shareable, actionable and then get them out to as many of our stakeholders as we possibly can. shouldn't be much of a surprise to anyone but the united states critical infrastructure community is quite large and, in fact, you know, being kind of the american go big or go home approach, 16 critical infrastructure sectors. i say that to be able to contrast it against some of our partners in europe and elsewhere that in some cases only have five national critical infrastructure sectors or eight is probably the most i've seen particularly in europe. we have a larger footprint of infrastructure here, but we view it more expansively and that's important and i will touch on that a little bit later. but nonetheless, given this voluntary approach, we do style ourselves as the nation's risk adviser. we are not the nation's risk
3:50 pm
manager. the nation's risk manager would have more of a compulsory authority where i could tell people to do things and then they would do it. but instead, we ask people to do things, gently, we give them useful guidance that actually provides some value and we find that in that approach, where you do try to understand what our partners need, we can get them to do things. really quickly, over the last several years we've identified i think five key shifts in the way the critical infrastructure community is managing risk. the first aspect is that it's becoming quite clear that risk is shared across all sectors. the second is that supply chain risk management is critically important. the third piece is vulnerability management is also evolving and becoming more effective.
3:51 pm
fourth is -- it used to be a security practice, it's now evolved into a resilient approach to critical infrastructure risk management. that's evolving further into antifragility approach where you get better with each event rather than just surviving the event. and lastly, we're seeing organizations take a much more enterprise level understanding of cybersecurity risk management and that really begins in the c suite and then percolates across the organization. back to the top, shared risk across all sectors. it's something that you've probably heard me or others say that if you tackle risks in a -- in silos you'll miss the bigger picture. and what we have seen over the last couple of years in particular is that adversaries, particularly russia, china, and a few others, don't necessarily
3:52 pm
come in knocking on the front door. what they understand are some of the dependencies between organizations and will exploit some of those trusted relationships. there's one event -- the russians -- a campaign that the russians launched a couple of years ago where they came into the energy sector but not directly into the energy sector. they actually came in through a construction contractor. when you think about target, target was breached through an hvac contractor. so shared risk -- risk is shared across organizations and in part, that's because the commonality of the systems we use far outweighs any of the uniqueness within specific sectors, control systems is another example. so those things that make water treatment facilities, their equipment move and click and
3:53 pm
tick and work, that equipment is very similar to critical manufacturing, you know, thinking about hard infrastructure and manufacturing or power generation. a lot of those control systems are consistent with unique applications at the edge across these control system spaces. second piece, as i mentioned, supply chain risk management. three or four years ago, supply chain risk management was not top of mind for most organizations. you'll get to hear a little bit on the next panel from two folks who think a lot about it, including kathryn from centurylink, one of my longtime partners in crime in critical infrastructure risk management. but some of the work that we've done on the supply chain risk management side is really sprung
3:54 pm
up over the last few years through some of the work we've been doing at cisa. you should absolutely pay attention to the folks on the panel. next, vulnerability management. this has particularly come into stark relief over the last six months. it's been a heck of a year for vulnerability disclosure. what used to happen ten-plus years ago was you would have researchers or other organizations that would find vulnerabilities, they would race to the public and release them, and what would happen in that sort of situation is you actually give the adversary or any number of adversaries the advantage over the defender. so really arising out of industry and the security researcher community came the development of a coordinated vulnerability disclosure process where there's actually a brokering that happens now, where a security researcher that discovers a vulnerability can say, hey, i found this thing.
3:55 pm
let's work together to make sure the systems get patched, the updates are broadly provided and then i can get my credit in the community for discovering this and you can attribute the discovery to me. that, again, coordinated vulnerability disclosure, is something we do, we play a key role here in cisa and we manage and fund a project that handles that facilitation of the researchers and the vendors and we play a broker role and we can help amplify once patches are available. and even in organizations more broadly we're seeing the researchers brought into the development process. we're seeing researchers brought into operations and maintenance. there's been an absolute surge in bounty programs where organizations like microsoft, where i worked, will offer money,
3:56 pm
in some cases, big money, a hundred thousand dollars, at least at one time, for windows 10 vulnerabilities to researchers that would, you know, conduct their research in an appropriate manner, but if they found something, they could turn it over to the company. they'd get the money and the recognition and the good aspect of all this is the good guys can patch it before the bad guys can exploit. the fourth piece is this security to resilience to antifragility. back at my last tour here at dhs i was in an organization called infrastructure protection. it's all security all the time. it's not necessarily true because resilience was one of our top priorities. but there was, you know, the thought was that it was only about security and guarding at the perimeter.
3:57 pm
but over time what we've seen is an absolute embrace of this concept of defense in depth. it's not just the perimeter you want to secure, but you have to assume that the bad guys are going to compromise your perimeter and in this case for cybersecurity, your networks. how are you guarding and defending the crown jewels? and so there's been a significant amount of work and an emergence over the last year or so into what's known as a zero trust concept where you just assume the network front to back is adversary territory and you have to figure out how to, you know, basically how to have secure communications in an untrusted environment. that resilience piece has to continue evolving. it effectively turns into a whack-a-mole game. excited about some of the research that's happening and
3:58 pm
this was a big push of springing forward in an incident or in a response. how do you become antifragile and really all that is is learning in realtime, employing defenses that improve your posture not just maintain your posture through an event. and that's i think the -- the next evolution of this security resilience shift. and the fifth and final risk shift that we've seen over the last several years is the cybersecurity at an enterprise level. typically, historically, security had been the domain of the security team but what i'm keenly aware of is that the security team alone without executive support and the funding and the push to become more innovative will never achieve their objectives.
3:59 pm
and so we have really expanded our outreach and efforts to not just the infosec team but the board of directors, to educate them that cybersecurity is a business risk as much as financial risk is. and they need to treat it accordingly. this past fall, coming up on a year now, where did 2020 go? last fall we issued our cyber essentials product that bucketed good security practices into three primary areas, strategic, technical and tactical. and the strategic buckets were focused on two things, first is, cybersecurity starts with leadership. you're only going to have a successful program if your leadership buys in, supports and takes part. and the second piece of that on the strategic side is, you have
4:00 pm
to have a security culture throughout the organization. anybody that touches the network or has a device that's on the network is part of the team and you need to make sure that you're defending them properly but also that they have the tools and resources to secure themselves. so, again, you know, it's not just about the security team. it's about getting the executive buy-in. and that's important because once you've got awareness where you need awareness, and principally i'm talking about capital expenditures and investment, once you've got that awareness and the ability to really set the organization-wide budget, you'll get the investment. through that investment, that's where the real capability shifts and you close the gap on security, that's where that really happens. i think i'll wrap it up there before we shift over to the fireside chat. five things that we've really seen a significant shift in over the last several years is that
4:01 pm
risk is in fact shared across sectors. the second is, supply chain risk management is as important a discipline as cybersecurity in and of itself. third, within cybersecurity, vulnerability management is the place -- one of the places where you can make the most advances to secure the network. but relatedly, it is about resilience, it is about defense in depth, and lastly, if the leadership is not bought in at the enterprise level, then you're never going to get where you need to both on the investment side as well as capability and development. just a few thoughts out of cisa. looking forward to the fireside. i'm not sure if it's going to congresswoman harman or melissa? >> thank you so much. we have jane harman who has the first question. we'll start there.
4:02 pm
>> i actually have a two-part question and an observation, chris. i think you're a breath of fresh air. i think you know your brief every time you give it and now we can see you, we were just going to hear you, now we can see you. i think you are a great, great credit to this administration and to the department. so there. so my question is, first, the recent hack of all the fancy twitter accounts was principally done by a kid of age 17 with two accomplices. that prompts the question, do you have the people you need to stay ahead of 17-year-olds, metaphorical 17-year-olds, and the second part of the question, i recall back in the old days when we were putting the department together and doing nctc and doing intelligence reform, we kept talking about the need to change a need to know culture into a need to
4:03 pm
share culture. obviously, sharing is good. however, sharing also means that you have more vulnerabilities. i guess do you have the people and is this need to share idea still the tag line or is there some new one that i'm missing? >> so on the hiring piece, i had suspected it was probably not a nation state but criminals. it speaks to the way we need to evolve our hiring practice. through the general schedule approach that is based on a system from 1929, almost a clerical hiring approach for supporting prior administrations or the government in and of itself, it really prioritizes experience in a professional
4:04 pm
setting, college degrees, post graduate degrees, certification. that's just not how cyber works. what i've found is there are some candidates that we're getting that come out of college and do a post -- get a graduate program and then one year of experience and then there are others, i'm getting 17, 18-year-olds that apply for jobs that have six years of practical operational, effectively, experience in security research. they've been online, white hat hackers since they could turn on a computer. what we've got to do is reconfigure the way that we think about hiring in that talent pool and maximize those approaches. and that's got to include a diversification but also more to your -- two-year colleges in
4:05 pm
thinking more about technology as a trade almost, in trade schools and institutes, rather than equivalent of having to go to law school or something like that. but also along those same lines, i think by baking in more s.t.e.m. education as long as we've factored in that security has to be part of technology education, i think we can get away from this overwhelming or this ongoing narrative that there are "x" million cybersecurity jobs open. if we can make stuff more secure by design and deployment, we're not going to need all of those -- we won't have all of those cybersecurity openings. but that's just going to put more pressure on the technology job on the front end. second piece, on info sharing, so, you know, i was hoping in
4:06 pm
2015 when the cybersecurity information sharing act of 2015, the cisa act, when that passed, we would never talk about information sharing again. i was wrong. it refuses to die. but the way i look at it is, it's not so much that we need to share information, it's that we need to operationalize our partnerships. we need to make sure that the things that we're aware of and able to do are actually reducing risk. one quick example of why i think the 15-year approach that we've taken at least in cyber has been slightly off is that we talk in generalizations. we talk about, you know, share what you got so we can stop the next attack. when it's general and people can't say, oh, maybe that thing is important, i need to share that thing, you don't make the progress, you don't get as many people involved. but when you figure out a specific objective, when you decide we're going to defend the
4:07 pm
2020 elections from foreign hackers, okay, that's scopable. i can scale my resources to address that issue. who do i need to work on that team? let's get our state and local election officials, let's go get the election assistance commission, the director of national intelligence, cyber command, fbi, my team. let's get everybody together and then you can in a much more practical, executable manner share information with a purpose that has the right context around it. that's where we're seeing the most progress right now and to a certain extent this is a model that we developed for 2018 that we then used earlier this year with covid under what's now known as operation warp speed, the development of a covid vaccine. early march, march 15th, i issued a paper to my team that
4:08 pm
said, here are the things that we're going to do to support the covid response. it's not just about vaccine and therapeutic development, it's about ppe, manufacturers, hospitals. i called it project taken, like the character in the movie "taken." we were going to send a message to our adversary. we had work to do on the defense side and it's the same motto that we used for elections in '18, we're using it for '20. that's why we have a fairly confident spring in our step that we've made significant progress in protecting our elections in the lead-up to 2020. but just like the five risk shifts i mentioned, security to resilience, there are always going to be opportunities for bad guys to wreak havoc.
4:09 pm
and we have to have analog or backup systems in place that will allow the election to go on, the vote must go on under the constitution, under the law. i think you've gotten a good education on that over the last week or so. and that's what we're focused on right now. >> thank you. >> wonderful. thank you. i think it was very helpful, director, for you to talk through these five different areas of risk and the ways that cisa has seen those shifting. i have a couple of questions for you being mindful of your time and thinking through some of the moments that we're in now. so risk management or risk advisory role given our present circumstances. the first relates to the election. can you talk a little bit about the ways in which our elections are more secure in 2020 than they were in 2016 and 2018? not just the priority of security at the strategic level,
4:10 pm
but as you put it, operationalizing that in practice across various states across the u.s. >> yeah. so three kind of -- three top items come to mind, first and foremost in -- what we have right now is a vibrant election security community of practice. we have state and local election officials alongside federal government partners across agencies working towards the same purpose and working in established mechanisms and clear understandings of roles and responsibilities. in 2016 no slight to the prior administration, it is just a matter of how things transpired and evolved. my team is the critical infrastructure lead. but we had no idea how elections worked. we didn't know there was an election assistance commission within the federal government that had primary liaison responsibilities. we had to figure that out on the fly and we built things that are sustainable and enduring here.
4:11 pm
this community of practice that's working, you know, just one example. we have an information sharing and analysis center dedicated to election infrastructure and that spun up over the bridge from '17 to '18. it has all 50 states and about 7,000 jurisdictions get some kind of benefit out of that partnership. the second piece, there's absolutely a night and day difference between the security awareness and posture of state and local election networks and the resilience measures that have been built in. so we have intrusion detection deployed across all 50 states and networks. in fact in some states we have them on all counties. florida, because in elections, it's always florida. we've got our intrusion
4:12 pm
detection systems on all counties down there. we can take signatures that we derive from classified signatures from the intelligence community, we can put them on the sensors. they can alert and investigate and respond. we've also, as i mentioned, worked on vulnerability -- transforming the vulnerability management processes of our election partners. just last week we released some guidance on how to set up a vulnerability disclosure program and have been working on that for about a year now. but we're seeing behaviors improve. we've seen the patch times, the rate at which you're patching, and we've -- the timeliness of it is cut in half. in this case being cut in half is a good thing. from 60 days to 30 days. we need to get better, of course, but absolutely. and then last thing is we've done a lot of work on -- two
4:13 pm
more things. we've done a lot of work on really isolating where the risk is. the things that get kind of blown out of proportion are the voting machines that don't have paper records, direct recording equipment, and how if connected they are susceptible to hacking. while true, there are some vulnerabilities in those systems, that's typically not an attack that's going to scale, certainly in an undetected manner. that said, there are other machines that are centralized, that are highly networked, like voter registration databases and election night reporting, that could have a scalable impact. still, we are very confident that we'd be able to detect any sort of manipulation at scale, which is an important thing to point out. even in 2016 and through today, no evidence, no intelligence whatsoever that suggests a bad
4:14 pm
guy was in a position to affect -- change a single vote or be in a position to do so. last thing on this front, in 2016, 80 to 82% of votes were cast with a paper ballot backup. i suspect we will exceed 92% with the increase of the absentee ballot voting that's happening across the country. so for us any time you get paper into the system, that's an -- that's an opportunity to audit. and auditing is a good thing. last piece that's changed so much, we have that interagency template, that playbook for how to work together seamlessly between the intelligence
4:15 pm
community. the ic is over there looking to detect bad guys that want to do bad things. the department of defense is over there looking to disrupt bad guys who are going to do bad things, the fbi is here looking to disrupt and prosecute and then we're helping protect. that's the name of the game right now and, again, i think we've made dramatic improvements and probably the game that will be played by our adversaries is going to be more in the hack and leak or disinfo space. >> wonderful. thank you. in addition to elections, which is obviously an area that's been of great concern to many people watching the news and just in the country in general, there's another kind of area of risk that was really heightened in 2020 and it has to do with the pandemic and virtual systems. as you know here at the wilson center and everywhere in the united states there's been a sudden rapid shift to virtual work relying on virtual
4:16 pm
infrastructure and introducing entirely new sorts of pathways for cyber vulnerabilities and attacks. can you talk a little bit about what cisa has been doing in this space around digital networks, digital vulnerability. it's an area where you didn't have several years to get your hands around the problem and get started. it hit rapidly in 2020 and at very large scale. can you talk us through some of your efforts in that space. >> yeah. three things happened -- or we were really focused on three things. first and foremost was really understanding the way the risk landscape has shifted due to the relative sponsor or criticality of a number of different performers. the risk formula is a combination of threat times consequence times vulnerability with a dash of likelihood on
4:17 pm
top. what we saw more than anything was an increase in threat -- or at least focus on covid response, but a dramatic shift in the consequence variable. what i really mean is a year from now, if you lost a company like -- or even better, if you lost a hospital in new york city this time last year, it would not be the end of the world. and what i mean is you could shift patients or transfer them to other medical care facilities. but in the deepest, darkest point of new york city's response, if you lost a hospital due to a ransomware attack or something like that, no joke, people would die. we spent a significant amount of time understanding the impacts to how -- you know, really what is the most critical infrastructure list, understanding that, and putting focused assets against that. but we also spent a lot of time
4:18 pm
and i think you'll have daniel cruz talk about it on the next panel, thinking about, okay, supply chain, that second risk shift, how did supply chain impacts change the way that critical functions were performing here in the u.s., whether it was a disrupted widget that you expected coming in from somewhere in china, but due to a shutdown of exports you lost it and you couldn't move forward. first is understanding the risk shift and developing programs and protocols around improving the resilience. it takes me to my second piece of what i talked about with project taken and operation warp speed, supporting the national effort to develop vaccines and therapeutics, bringing them onto our efforts, providing them services, including vulnerability scanning, testing, incident response, partnering
4:19 pm
with the intelligence community. but not just as organizations. for the most part, these are large organizations with well capitalized defensive teams, but also their supply chains, and their supply chains are global in nature. so that requires us to go work with our partners in europe and asia to make sure that when we look at a supply chain from left to right, stem to stern, whatever you want to call it, whether we were doing it or our partners in the uk or the netherlands, they understood what we were talking about and they would share their stuff with us and we would protect their stuff here. really, this would turn into a global effort to protect supply chains and, you know, for me another validation of liberal democracies coming together to protect what's necessary for, you know -- it's a goofy way to say it, but humans in general.
4:20 pm
which then further underpins our election security efforts. last thing is that digital transformation shift. every single organization out there has gone to some kind of remote work or telework and in doing so they've invited a bunch of risk and that's why you go to the third risk shift of vulnerability management. if you're using a vpn, make sure you're patching it. if you're using a remote collaboration tool like this, make sure you've got it securely configured and you're using it in an appropriate way. we've set up a few things including a digital transformation and telework resource hub on cisa.gov that gives organizations guidance and tips on here's how you need to do this and here's what you need to think through as you continue that digital transformation.
4:21 pm
i expect many organizations, if you look at google saying they fully anticipate being in this posture until next summer, some folks might come out the other end of covid and say you know what, maybe i don't need all of that real estate and those big shiny office buildings and people can work from home. i think there would be a lot of people who would like that. this is a service area for us that's not going anywhere anytime soon. >> the last question that we have for you, moving away from some of this digital space into a more physical space. you mentioned supply chain management and supply chain risk. we also know in looking at the pandemic that there were many failures of the supply chain and many concerns, whether it was what you needed to make a respirator or vials for saline, and there were security concerns there. we know in the u.s. we can't produce everything we use domestically within our own
4:22 pm
market across all ecosystems. can you give us a sense of what cisa is doing to understand supply chain risk and specifically how do you differentiate between something that is critical and something that is not. many of these things were considered critical prior to march and are now seen as much more critical. >> yeah. and this goes to, again, the second shift that four years ago -- look, supply chain risk management is nothing new. but the amount of focus we're putting on it right now, for a couple of reasons, it's becoming painfully obvious that some of our trade partners and our dependencies don't have our interests at heart and don't share similar values and could at the drop of a hat use that tension against us. i made it a top priority here when i came over to really put security -- our supply chain risk management at the top of
4:23 pm
our priority list. we have five priorities here at cisa that don't speak, you know, ill of the other things that we do. you should aspire to be contributing to these five efforts. first the federal network security, election security, soft target security for the industrial control security and china supply chain and 5g. so just in general, we stood up, man, about two years ago now, i think daniel -- yeah, the national risk management center is the security and they're two years old effective saturday. happy birthday to the national risk management center in new york city. that's the home for our ictc task force.
4:24 pm
the concept in part was there are organizations out there that do a very, very good job of risk management. the problem is, there's a high barrier to entry to do it successfully elsewhere. what we wanted to do was democratize supply chain risk management and say, you do it well. how and why do you do it well. let's share that out along with some implementation guidance as far and wide as we can. and part of what that does is help -- it helps the organization to do it well by extending it down into their supply chain in a meaningful way. it identifies the areas where, hey, we don't do this part well. we have some challenges and this is the challenge. how do we overcome that? we can do that together including seeking additional legislative authority for the
4:25 pm
organization. so, you know, that has been brought into really, again, acute awareness over the last several months with covid. talked about some of the issues we've seen, whether it's the -- this widget or that widget, or even just a lack of workforce. but what we're undertaking right now within the ictc task force is, okay, right now with covid we understand a few things that have been teased out, lack of diversity for certain components, just in time delivery doesn't work when the global logistics chain is being disrupted. what are the critical infrastructures that need to overcome that, need to overcome the security threats and really, again, fourth shift become a more resilient and antifragile
4:26 pm
organization. how do we overcome that? part of it could be through reshoring, part of it could be going to our other strategic allies and help them. but ultimately we just -- we really truly need a more diverse global marketplace for dependable components and 5g is the best example. on the china front, if 5g is the greatest technological development for critical infrastructure of the next decade, why on earth would we put the control plane for that infrastructure in the hands of an adversary that time and time again reminds us of who they are and what they think of liberal democracies. to me, it's a nonstarter. and one of the best ways we can overcome that is help lead and innovate on trusted alternatives for us and our partners across
4:27 pm
the globe. hopefully that gives you a bit of a sense of where we sit just across the risk management spectrum and it's been a -- as i sit here, a good conversation, a good way to work through some of the things. >> thank you so much. please join me in thanking the director for giving us not only an update on the evolution on how cisa has thought about risk across five different categories, but an update on some of the current risk management or risk advisory challenges that cisa faces in terms of the pandemic and elections. we're going to go ahead and pivot to the panel section. thank you so much for joining us and overcoming our own digital infrastructure challenges at the start of the call. >> it's been great. have fun on the next one. bye, now. >> we are going to go ahead and pivot to our panel.
4:28 pm
i'm joined by three experts that sit in different portions of the u.s. ecosystem. they can talk to us about risk management and critical infrastructure from very different vantages. before i introduce them, i do want to put a call out to the audience who is listening in from various parts of the u.s. that if you have questions that you would like to ask our panelists we will be sort of fielding some of those questions at the end. please go ahead and email them to our email address stip@wilsoncenter.org. if you have questions, please email those in and we'll field some of those at the end. the panelists have already been introduced by congresswoman harman but i remind you on who they are. we are joined by cisa's
4:29 pm
director. thank you all three of you for joining us. to kick off the conversation today, one of the focuses we have for this conversation is not just where we've been sort of what has been the evolution of critical infrastructure protection to date, but where are we going, what's the future of critical infrastructure protection. so i had asked that all three of you reflect from your vantage, from where you sit in the ecosystem, on an area where you think the u.s. has made the most progress to date on critical infrastructure protection and an area where you think the biggest challenges still remain. we'll go ahead and kind of program order. we'll start with you, bob. >> sure. thanks for having me, melissa. good to be here. we've worked together closely from time to time. it's good to see them. i have the luxury of speaking
4:30 pm
after my boss who is more eloquent about these things. more bosses are all more eloquent. i will reference chris's remarks. i think in terms of progress, the partnerships and the structure and the trust that's been built in terms of our ability to work together on challenging risk issues is in the consistency of sort of the framework and the authorities and how we know how to work together and the structures we've put in place and using them consistently over a period of time has built a lot of trust into the system. and, you know, we've lived through a lot of high-priority issues, whether it's an incident like the pandemic right now, dealing with hurricanes of the scale that thad had to deal with, deepwater horizon, the things he's had to deal with and the emerging challenges. what we now have is a group of
4:31 pm
people who know how to get together, share information, come up with solutions and go after problems. i would like to go after those problems before they become things on the front page, before they become incidents, but things that are going to make us more secure, systems, but sometimes it isn't until the incident happens. when i think about progress and the thing we're really proud of is the trust that's been built in and the collaboration and using that trust, you know, to make the country more secure around that. i start with that as something that i always highlight. there are times with the 2016 election where we didn't have those structures built in place but we used the same playbook to build the structures to work with the state election directors and private vendors along the way and having the opportunity to build a subsector on the fly, it felt very similar to how we work with communication companies and
4:32 pm
energy companies and banks, et cetera. the area where i think we need to continue to make more progress is, you know, actually continuing to blend those capabilities together to more quickly solve problems. we've got the sort of problem identification problem solution. but can we actually come together more quickly to field things that are going to make the country more secure, to pull on authorities to stimulate innovation, to allow industry into the conversation, into, hey, we can put these resources toward making infrastructure more resilient if we can share information and come up with solutions, let's give them the room and field solutions and i would like to talk a little bit more about that as we go forward. >> wonderful. thad, would you like to take it
4:33 pm
away? >> thank you. i apologize. i'm in pennsylvania. i would like to expand on what bob said. i think he's on the right line of effort that we need to be dealing with. if you look at what's happening in the world today, we're dealing with greater levels of complexity, whether it's the scale or the scope or a novel virus that we haven't dealt with. i think it's important to understand it's becoming more well known to everybody and when i talk about complexity. i'm talking about complexity that starts to break down legal frameworks, standard operating procedures, training, tactics, procedures, any structure that's been created to model how we're going to respond to these things, we're finding that they don't scale very well sometimes, we're dealing with a very large event. and that's been exacerbated by
4:34 pm
the fact that technology is accelerating faster than we can keep up with it. just the inability to keep up with the international and national legal frameworks of cybersecurity and so forth are a testament to that. this notion that we have to address complexity as a risk aggravator, it will meet the expectations of the american public, they have to be coproduced and the only way you coproduce an outcome is through unity of effort. i think what bob was describing is a trend towards unity of effort regardless of the event that occurs. you have a model and a way to think about it and you have previous encounters whether it's planning or exercises, tabletops or just working a problem set allow you to address it. and i think whenever you talk about a big challenge to infrastructure, anything else in the country right now, you immediately have to think of coproducing outcomes and how do
4:35 pm
you organize to coproduce outcomes and that's through unity of effort. one area i would like to throw out for a discussion a little later on that kind of connects back to what chris was talking about, we live in a digital world right now and we're all digital citizens. i'm not sure what the level of maturity is for our governments or citizens in operating in this environment. the one thing that connects all critical infrastructure together is the electromagnetic spectrum through which the wi-fi and signals pass. it's a new domain that touches everything and we're going to have to manage it as a domain. right now we handle spectrum through the federal communications commission. we have auctions. we deal with spectrum like it's property rights. but it connects all critical infrastructure together and i think we're going to have to get our arms around that if we're going to solve these problems because that's the connective
4:36 pm
tissue that connects everything together. thanks. >> thank you. kathryn. >> well, one, thank you for inviting me. and i absolutely agree with bob. i agree with thad. let me give a slightly different dimension. we talked about process and being able to collaborate. i'm sort of at the point where the thing that i find -- where i believe the u.s. has done the most progress is going to take it down with some of the analytical thought. i think people sort of have a rough sense that, you know, things are critical and that we do rely on things. but i have to give chops to bob for actually sort of actually focusing on functions or services rather than things. post-9/11, it was like we have to put the gates around the building and that's not important. i'm not saying it's not. but it's actually in my mind an
4:37 pm
academic reach that we're now starting to focus again on sort of the functions and the services because decoupling, if you will, whether it's not being able to decouple this is able to make us think differently about what is it we rely on. and whether or not, you know, we rely on it or not, i think also helps us make the plans, make the arrangements so we know what you do need to focus on. now, i think that even in those environments where we have the guns, guards and gates, and let's take care of that thing, that building. even in those domains the interconnectedness of those capabilities and that manufacturing thing are going to rely on lots and lots and lots of other things and because -- if we really do focus on sort of this is what's important at
4:38 pm
that factory and that factory does need let's say the 5g spectrum which is then connected to the wireline spectrum which is supported by the power which comes from this company, you then start to unpack what is it that needs to be assured. i think going forward, the fact that we are moving in this direction is both the most progress and also going to be the most challenging. i think there is a knee-jerk reliance on, i need gas for my car. yeah, you need gas for your car if you're going to evacuate a hurricane. where did the gas come from? was there power at the gas station so you could get the gas? unpacking all that is in many respects, you know, i think intuitively obvious but only once you stop to think about it. and i think the average person
4:39 pm
doesn't and nor should they necessarily have to do so. during covid right now, i think people are thinking about their supply chain a lot differently because it became very, very personal. i view the efforts to focus on what are the most important function services and what supports that plus having to be able to unpack that so you can focus efforts on the resiliency is the most progress and the deepest challenge all in the same breath. >> thank you. i want to actually take a step back and hit on something that all three of you sort of referenced in your comments which is this question of what's critical. we have an entire panel and an entire two hours dedicated to critical infrastructure, critical functions, critical services and i don't think we're taking the time to think about what is critical, is it sort of just an energy sector the main providers or the downstream or upstream dependencies of the
4:40 pm
providers. should it include things like cloud. i would like to hear from each of you in your mind when someone says critical, critical functioning, critical infrastructure, critical services, what are the types of things that come to your mind, have those evolved and are we still missing some of those critical pieces? whoever would like to take it first. >> this is bob. let me tack on what kathryn said and give you a little more background to answer your question. what we did last year working with industry across the government was define a set of 55 national critical functions and those are the functions that are so critical to national security, national economic security, competitiveness, community well-being that if they break, we're in trouble. and, you know, the functions -- 55 is a long list. but why i know it's a good list, look at any one of those 55 and tell me if there's not a meeting
4:41 pm
at the white house that day if it's not working at a national level. that's publicly available. it has things like generate electricity, maintain fuel reserves, run management services, communicate wirelessly, conduct elections, provide navigation timing services. those services are critical and what we're trying to assess is how those functions are produced, you know, is there a geographic component. if you look at our 55 functions, some of them sort of exist virtually so there's really not a geographic component. some of them you can point to, they get delivered through a data center complex that is here or that -- in houston, the houston shipping channel and some of them a -- like every area has a water system. you can look at how they're produced and look at how they flow, what they're interdependent in, what software
4:42 pm
and hardware helps produce those and you see how they come together and you can start to evaluate that and say if this scenario happens, is there a potential that the function is going to potentially fail or be degraded at the national level or regional level and you can start to prioritize which companies contribute to the function, operational technology are important to a lot of functions, you mentioned open source software, enables a lot of the functions, cloud computing enables things to do that. what we're trying to build out, the functions that matter, the architecture of how they're created and whether there's a scenario by which somewhere in that architecture they can break and then cascade across the functions and you get to sort of systemic failure at those points. that's how we're thinking about it. it has, you know -- i make the comment that 55 seems more than 16 but it's actually kind of
4:43 pm
narrowed the things that matter to us, this way of thinking. you know there are only a few geographic components of infrastructure around the country that really have a function to fail. there are only certain hardware components that are so ubiquitous. we look at covid. there aren't a lot of things that have caused infrastructure to be a significant risk because of covid. and that's how we're thinking about it and it allows us to propagate that analysis down to where you can actually manage risk. >> this is thad. i would like to add onto what bob said. when you're talking to the american public, they have a hard time understanding the interdependencies and how all of this comes together because it's so very complex. if you add together the spectrum as we talked about earlier, it gets very, very complicated. when i think of critical
4:44 pm
infrastructure, i think a better way to think about it is, what is the supply chain that produces an outcome that's critical to the national well-being? what we're finding out, it's not a set of sectors, as bob said. it's a chain of production that produces an outcome that benefits the general welfare and what we want to do is supply chain assurance for those outcomes. it could be health, it could be something else. but i think that's a better way to talk about it because what you're looking at is what actually enables human beings to walk around and function normally and not only in the united states but globally. so i would say when i think about critical functions i think about those functions which are critical to the well-being of citizens and how do you actually produce them. it gets back to my original comment about complexity. and when legal frameworks start breaking down or technology exceeds policies and laws and
4:45 pm
stuff like that, how do you actually pull that supply chain back and make it work to produce the outcomes expected by the american people. for an example, and bob is really familiar with this, there's something we take for granted in this country all the time and it's included in the functions that bob talked about. and that's the provision of time, how we know what -- how do we synchronize time. how do we time financial transactions. how do we synchronize cell phone tower operations, how do we phase electrical production, power production and the fact of the matter is, the gps system for the united states provides position, where you're at, navigation, where you're going, and time, what time it is. and time now is being parsed down to the nanoseconds for the purpose of timing financial transactions and everything else and you would be amazed to understand what has to be synchronized in terms of time to make things work right in this
4:46 pm
country which brings us to the vulnerability of gps and what would happen if we didn't have an assured position. i chair the timing advisory board to the executive committee that manages across government, just an example, the type of function generally recognized by the public that affects everything they've got, timing and gps chips are ubiquitous in personal items we have right now, industrial control systems and so forth. that would be an example of a service or a function that's critical, affects everything in the country and affects all of these outcomes and affects the general welfare. >> kathryn, would you like to weigh in? >> i think the original question was, you know, what counts as critical and i'm all over the pnt.
4:47 pm
you know, you know my company, you know the sector is all over this. and i think your point is well, well made that does the average person realize that to be able to, i don't know, do his transactions at the grocery store, that there is actually a timing element of that debit card going into the con -- no. i think that's fair. but i do think the partnership that has evolved certainly with the critical infrastructure sectors and certainly dhs and other departments and agencies is sort of creating an environment where some of the thornier questions can start to be addressed. i think one of the things that gets teased out is what is essential and what is critical is in the eye of the beholder. and i think that point is well understood, the average consumer who is trying to get away from a hurricane just wants gas in his car so he can get out of danger. and so on a simple level, you know, that's sort of the service
4:48 pm
that allows them to thrive. and certainly you could use the hierarchy of needs, do you have food, shelter, and water. and i think all those got mashed into the 55 critical functions. we shouldn't start to overstate it. i think one of the original questions was, is it core software things that are critical? is it cloud that's critical infrastructure? i think these are all amazing capabilities that help enable resilience and fragility, good services, the -- the national way. but i think it came down -- we saw this in covid. did i need transportation and logistics so that, you know, stuff could be -- somehow up at my house? yes, i did need that and i needed that critical function. did they use open source software? did they use cloud infrastructure? undoubtedly. does that mean that all open
4:49 pm
source critical infrastructure, not necessarily. does that mean all clouds are critical infrastructure. i think the capability is critical because it's used so broadly. but i think that for dhl, fedex, amazon, i think it would say it was their use of their cloud and their open source software that was critical, not the whole thing as a category. so once again as you start to unpack and unpeel what's critical, what's essential, i think it comes down to what is it that you're trying to do that's important and, you know, sort of on you to sort of unpack your own architecture so you can follow the string to better assuredness. >> i think this goes back to a point that was made earlier both by the director and also by all three of you, slightly different language, this whole of society, unity of effort. once you've identified what's critical whether it's a
4:50 pm
function, an outcome or an infrastructure, there's this question of how do you protect it, how do you ensure resilience and one of the more challenging things about the u.s. is its size and the sheer diversity of players that you'r. another challenge is that a lot of this is voluntary where in other countries that might be less the case, right, where there's a much more robust legal framework that requires certain things in the industry across the board. can you talk a little bit about from your vantage the sort of maturity of our whole of society or unity of effort in a particular sector in the maturity of that model and what are lessons you can pull from other areas to expand across the country more broadly? >> i'm sticking to the same order? >> yes. >> so --
4:51 pm
>> creatures of habit. >> yeah. implicit in this sort of voluntary requirement distinction that you just made is the idea that somehow by placing requirements on things more will happen and will happen better. i want to push back on that a little bit. requirements only make sense if they're the right requirements, if they're smart, if they enable innovation and they don't get locked into the compliance culture. and the reason i was hoping kathryn was going to go first is because the communication sector as much as anyone here has a history of grappling with the balance between voluntary and what needs to happen and the regulatory environment that stifled innovation that needs rules to come behind it to make sure innovation doesn't create too much risk. and i think there's a good dynamic tension in there what we're learning. again, i look at what we just lived through or what we're living through in the pandemic,
4:52 pm
the communications backbone has withstood the challenges of the pandemic. i think the way that we shift, the way we're communicating, we're all on these devices consistently and we want certain precision and all that. so, i think there's some lessons there around it. and i don't want to suggest that what we need is more national security requirements on top of industry to do more than they would naturally do. but then there are areas where for whatever reason those additional requirements might make sense because it drives additional investment in things, it allows risks that's sort of outside the control of the firm to be managed around that. and what we're trying to do is identify the delta where our risk isn't being managed up to the level of national security and try to close that gap in partnership with industry and partnership across the sectors and not saying the way you do that is let me put a bunch of different rules on demands that don't make sense from a market
4:53 pm
and innovation perspective. that's the sort of healthy tension of learning. but the reason i return to the beginning is trust. i think we can come up with source of risk gaps by working together and then talk through what's the best way to close these gaps rather than assuming that it's -- you know, what's the right government intervention to help close the gaps? it's not necessarily rules that could be getting out of the way. it could be clearing roles. it could be stimulating r&d, incentives, things like that. >> i'll add a little bit to that. thanks bob, i appreciate that. i'm currently working with business executives on national security. changes can be recommended near term. one of the interesting discussions i had with craig, the former fema director, there's this tension between in the supply chain, the more efficient you get the less resilient you are. so, there's going to be this trade off between efficient
4:54 pm
supply chains and how resilient you want to be. there's a cost associated with that. and part of creating unity of effort -- actually unity of purpose and moving forward -- is to get a general agreement on what are the boundaries related between the trade offs between efficiency or redundancy, however you want to call it moving forward. just like it's been a long one, bob knows this well, everybody has spoken to this very well. it's been a long hard slog to get the c suite to understand they have a role in managing cyber security. so i think unity of effort ultimately is going to have to be based on public private conversation on the trade offs and how do you allocate those costs and who bears them. in some cases if it's critical enough, there will be a mandate by government and the cost will be passed on to consumers. after the exxon valdez recommended stand by response equipment, there were federal
4:55 pm
regulations that sprung up in the oil spill response industry that then were passed on to the price of goods to the consumer. so, there's a spectrum there. i think you've got to get in and talk about it and try to find out what the most efficient allocation of capital is going to be moving forward. thanks. >> so, hi. communications sector here. i think it's fair to say that we do have a fairly long standing relationship certainly with the government dealing with security, risk, resilience kind of issues. i think it was understood decades, decades ago that you can't weather a storm if you can't communicate. you can't weather a storm if you don't have power. so, i think power and conflict have a deep, deep relationship. i think over the course of time we've ended up having sort of -- i'm going to call it three paths to progress. we have a path to progress that, in essence, says government comes to us and says, we think we have a big problem. maybe that's a pnt issue.
4:56 pm
and it's a big problem. it's not something that centurylink alone can fix, okay? and so you sort of take the big problem, you sort of do is it a problem, you do risk assessment and you figure out is there a way to mitigate the risk? is it something we all have to do? and hopefully over the course of time, you end up operationalizing whatever the risk mitigation is. usually the operation is part of the response recovery to whatever the threat was that we sort of work with government. so, that's one mechanism. and if that works well and if we figure out how we're going to address hurricanes or the disasters as usual, that's a big problem we all have to address. there's also the problem that sort of -- this is a very super hyperspecific problem. and we have found a separate model which sort of goes this is a super specific problem, and you know, it's going to take lots of thought. it's going to take lots of energy to kind of work through. and candidly, of the 1,500 to 3,000
4:57 pm
internet service providers in the united states, there's logically two to five companies that have the resources to figure it out. so, once again, they approach the two to five who do put a lot of thought into it who then try to say what about is this a solution or that is a solution? then the two to five of them kind of compile a list. and if it sort of works, you copy/paste it into this worked for the big guys do, we need to adjust it for the little guys? do we need to adjust it so it ultimately trickles down to the small guys and become what's the best practice? i think this is the normal kind of play i think that we see. and i want to comment that bringing the problem to getting it to best practice, you know, if it's something that isp needs to do, is about a five-year span. it takes that long to sort of
4:58 pm
assess the problem, measure the problem, come up with the solution, create a plan, test it, make sure it actually works, it's not irrational. but i think the two points that bob and thad make are really, really key. there are certain things that you can do as a critical infrastructure operator that make sense. generally security or resilience or continuity of your service but there are certain requirements that are so far beyond what you can deliver as a business. but then you do have to have the discussion with your government partner, you know, we would love to do this for you. but then all of a sudden internet service is going to jump by a factor of 12. we're happy to do it but are you
4:59 pm
going to pay the delta. there's going to be some level of adjudication that has to go on. what is good business practice? what's even maybe better than average business practice? and what's the delta from that. and now we think on behalf of the nation we need to be at a much, much higher level which is going to make you non-competitive. that ends up becoming a dialogue between government and industry and it ends up with government having to at least partially if not completely foot the bill. >> i would like to comment. i should have added at the end of what i was saying. i'm saying this as a recovering government official. kathryn will know what i mean here. the last thing you want to do to fix a problem in my view is government regulation. it's not that government regulations are bad because they paid off in oil spill response for us for a long, long time. they've been very good since they passed the pollution act in
5:00 pm
1990. it's almost impossible to write a regulation these days if you get it passed in the amount of time that makes it effective that is not overtaken by changes in technology that make the issues you're dealing with moot. so, i think there's no choice but to try to hammer these out through best practices and codify them so if you have to go to regulation or need a statute to do it, you're basically codifying what everybody has agreed is the best way to do it. thanks. >> we have two questions from the audience that kind of talk about this unity of effort, public private partnership, and costs on industry. i'm going to combine them. one question is anonymous, and the other is from scott david from the university of washington. and i'm combining them here. the first question is really asking about are there approaches being taken to incentivize private organizations to internalize costs when they're trying to derisk their supply chains. you talk about this cost to the industry. how do you incentivize them
5:01 pm
taking on the cost. and the second question which is quite similar, are private organizations disincentivized to identify their assets as critical infrastructure since to do so could support arguments for higher and more costly duty of care and more liability in cases of failure? both of these are private sector kind of questions. >> so, sticking to the order, you know, the first question gives me thought on things like contract differentiation. so, to internalize cost and security we're doing this with us as the federal government and somebody that is a big procurer of services in hardware and software, the defense department doing this and the work they're doing. this becomes part of what is expected from you within a contract. kathryn and i are working on this private to private. so, you're internalizing the security as a necessary part of the way you're doing business because the person who is giving
5:02 pm
you business is demanding it. there's costs, but it becomes part of doing business and frankly you can't do business without spending the money on security. so, i'm not the accounting expert, but at some point the security gets written into the overhead at some point and it's not just a one-time cost. it's just you've raised the baseline of security. so, that's an example of ways that, you know -- and to do that well, of course what we're trying to do as a federal government is help build out frameworks and work with industries so that it's easy to recognize it so that there's not a lot of cost of compliance or cost to prove. they're going back to best practices and standards. there are ways to do that. and markets get established to certify and certifiability. but i think that's one example. to the second one of do you want to be known as critical or not critical.
5:03 pm
i think we've made the transition pretty effectively that the companies we regularly interact with see value in regularly interacting with the government to get information from the government to take advantage and help shape where innovation and r&d to give us advice to how to manage vulnerabilities. so, knowing that you are critical -- i make this joke about some companies who say they're not critical. you get to decide if you're critical by what business you enter. it's ultimately not the government's decision. if you've got 62% of the cloud computing market, chances are the government is going to eventually think you're pretty critical to national security around that. so, there's an element of that. but my job is to make sure that the equation of the things that are really critical, the companies see the value of working with the government and working collaboratively with other parts of critical industries to help them manage risks, reduce risk around that and not to feel like oh, now that we've identified that you are critical to us we're going to put a lot more burden on you
5:04 pm
that isn't effective from a business context. >> let me add on to that. i guess two examples to maybe talk about. one of them is qualitative standards for cyber security. and the second is the executive order recently issued by the white house regarding responsible use of position navigation and timing. each one of these efforts is a framework to try and come up with what could be the basis for best practice and that could be refined to a greater degree depending on the investments that the company is willing to make. in my view, it started with these standards in cyber security. these things involve to care. so, what you're doing is having this negotiation, the resulting framework is a standard that becomes a rebuttable presumption on a standard of care. and i think that's a good evolution and the right way to do it right now. i would add one other thing, on the eo that required responsible
5:05 pm
use of pnt, there are now going to be technical readiness standards and government contracting to demonstrate that the proper level of technology security for the government is embedded in that. as bob said, that results in the cost being passed on. if you don't do that, it becomes external. ultimately there's not going to be economic incentive to continue to do that. >> i'm going to loop back to one of the questions of is there a disincentive to being critical. i think we slightly take a different view on this. if your customers rely on you, you're critical. are you big critical, are you huge critical, are you immense critical? we're seeing this play out right now. if you don't do your business well, if you don't think about your own continuity, about your own resiliency, whatever, you're letting your customers down. and if you let your customers
5:06 pm
down and you let them down on a regular basis, you're facing an exponential threat as a business. so, do i want a big government to say you're critical. no, i think our customers consider us critical. whether you're the grocery store or the gas station, you are critical to them. you have the fiduciary responsibility to make sure you meet your customers' expectations. that's sort of general business and i think that's flatlined. i think in the particular sense, that's on the pnt space, what we're talking about doing is that when the situation shifts radically, and maybe covid is a shift. nobody -- we certainly did pandemic planning ten years ago, but we thought the planning was for 30% people would be home, you'll be home for, like, on and off for two months. it wasn't 100%. the point was that there was a plan, but there was a shift. so, what do you do to address
5:07 pm
that shift, and what are the learnings from that shift, and what are going to be the future perceived obligations? i think that for instance the power of the government and frankly the power of large enterprises to not impose but to motivate or to incent higher levels of care through contracts is a standard success story that the u.s. government and all nation states have employed. and certainly the d.o.d. cyber security model certification program i think is going to do -- well, certainly going to get everybody excited. but if you want to do business with d.o.d., you're going to have to do that economic decision. does it make sense for me to be able to get certified that i've got the various things? is the value of the business i'm doing with d.o.d. worth what it's going to take to be certified? that's going to be the enterprise's decision. maybe some people will no longer make pencils for d.o.d. because it's too much. others say no, the value with
5:08 pm
this very important customer is enough that i'll do this. i think you see variations of this everywhere. so, through contractual relationships through the business idea, you do the business case which allows you to internalize the cost to make sure you're doing whatever they think you should be doing so that you could continue to be a vendor or a customer in this sort of chain. so, one, you know, if it's important to your customer, you are critical. if they view you as being critical, you're critical, so you have to do things to make sure that they can retain their trust in you and you remain in their value chain. and then for those who really need more, i think the first and best way that certainly the government has done it and other businesses have done it is to incent the behavior through writing a contract and getting a service level agreement. >> i would just add to what kathryn said. i'm still a senior adviser. that is exactly the decision our firm took with regard to the
5:09 pm
united states certification for responding. they're a main client of ours and we thought there was absolutely no choice other than to follow that line. just to foot stomp what you just said. >> i want to pull us up on this conversation specifically on industry incentives and the specific limitations and approaches that industry are taking and some of the legal quandaries, cost quandaries of that up into a critical infrastructure or critical ecosystem of 5g. before i do that, in case anyone has joined us late and has burning questions that they are struggling to communicate to us, please send your questions, any questions you have for our panelists to stip@wilsoncenter.org, and i'll do my best to slip them into the conversation. moving on to 5g which is a bit of a test case. it's a critical infrastructure of the future, critical ecosystem may be more accurate of the future. it's also an area where u.s.
5:10 pm
policy has taken some significant criticism, right, where there's a strong articulated criticism or concern that the current u.s. policy is just say no specifically to huawei and zte, chinese corporations and companies but without creating alternatives or supporting alternatives domestically to huawei and zte. so, it's just say no without a market-based response in terms of alternatives. can you talk a little bit about from your vantage if you think that's a fair criticism, first and foremost, and then building off of that, what are some of the tools the u.s. government has at its disposal to kind of encourage domestic industry to operate in some of these supply chain gaps that we're concerned about? >> yeah, i will defend the u.s. government policy because i don't necessarily agree with the characterization that you laid out. obviously policy is a mix between what we're trying to do as a suite of agencies as part
5:11 pm
of the executive branch and laws the congress are passing, and there's a mix of policy setting here. we recognize that any judgment that a component part of the market is untrustworthy needs to come up with an alternative from a business perspective. and i'll start with the huawei zte conversation that china is subsidizing. let's just talk from a competitive landscape. from a competitive landscape, the u.s. government or western allies or trusted allies not just in the west, you know, if there's economic subsidization elsewhere, we have to think about ways to enable other incumbents who can provide part of the 5g network, ericsson and nokia who do significant business in the u.s. there's a lot of innovation around the idea of open radio access for networks. there are companies that we work with regularly who are getting into component pieces of the 5g
5:12 pm
network. so, while this sort of core network, there are only a few players right now, there's a lot of innovation going on across the network. and i think the government sees -- and this is an area where we really have the national security and the economic parts of agency sitting next to each other to try to figure out the right mix so that we are not in a position where a subsidized player dominates a market particularly if that subsidized player has demonstrated their vulnerability management, some of their security practices, and some of how they're influenced by a foreign government are things that make them less trustworthy. so, we're trying to stimulate. we're stimulating r&d. we're doing it with the way we pilot things. we're trying to figure out ways we can enable a suite of like minded countries to enable innovation, scale around that. i think we have to do that. it's not -- this is opportunity
5:13 pm
more than risk. let's take advantage of the opportunity while thinking about the risk that would be out there if it doesn't roll out in a way that we think will ultimately be secure. >> go ahead, kathryn. you looked like you had a burning topic you wanted to talk about. >> oh, well, 5g. i would just like to remind everybody that 5g is not just wireless, speaking as a wireline company. but i think it's a point of departure for us to sort of think very, very, very broadly about the ecosystem. we're moving into an environment where the 5g will, in essence, change sort of the overarching architecture of all of the aspects. 5g is supposed to be access agnostic, whether it's the wireless thing that everybody's excited about because it's exciting or it's the cable guys or wire line guys or the
5:14 pm
satellite guys or the broadcasters, everybody. all the segments we've been operating with in the traditional telecom space is part of the 5g environment. a lot of activity is going on where people are moving towards software defined networking, network virtualization, core and its processing. to be able to put the processing capabilities that the business needs as close to where they need it so that they have faster response, if you will. i mean, if you will, we're sort of putting the processing closest -- so, instead of having to go to the data center in utah from the east coast and back to be able to process your weather data, you're going to do it where you're collecting the data. and whether or not you use it through the wireless or the local carrier or your cable guy or your wifi is not material. the materiality is how do you get the thing transported.
5:15 pm
when i'm looking at the issue -- and centurylink is a global provider. we have customers in china. we don't operate in china. we're not the chinese people. we're not the china carrier. but we have customers, u.s.-based customers who operate in china. so, to take a sort of a choose a name of a country approach, we're not going there. we're not. so, in our mind what we're really looking for -- and the u.s. government is highly supportive of this and we are certainly supportive of the u.s. government in issues. but in our mind the key thing that really makes, if you will, the opportunity and the innovation possible is dropping back to standards because standards, especially open standards, where people -- not government-generated standards but industry-generated standards, there's a lot of visibility. there's a lot of yelling at each other about whether you're going to do that subpoint versus another. so, you get a huge amount of transparency. the other thing that we view as being key, key, key is the
5:16 pm
interoperability. so, moving to network function virtualization is getting away from the hardware stack that says that if i'm using bob's box and i have to use bob's software and i have to use bob's peripherals -- no. you want to decouple those. so, the interoperability between the boxes, the interoperability between the protocols that can sort of manage those boxes, you know, we are definitely seeking sort of an interoperability on the standard side so that i can swap out bob's box for richard's software for jane's peripherals so that centurylink can make the decision was that the best box for this? was that the best software for that? was this the best peripheral? by having it being interoperable and becoming apis, that gives us the place to not only be competitive but to make sure we're building what we want for our customers. the most important point about these two aspects though is that
5:17 pm
by having the standards and making interoperable makes things highly transparent in terms of, you know, so what is the standard? well, there it is. it also makes things super transparent because if it isn't interoperable when it's supposed to be, you know where to go look to see if there was a technical problem, a security problem, something wrong. there's nothing about interoperability to have things sort of all get aligned. so, i think it provides innovation. you can be the jane peripheral or the richard software or you can be the bob box. there's opportunity to sort of break it down to provide -- competition and that element and go from there. >> so, i think one of the things you both touched on that i would like us to explain in a little more detail in case some of our listeners are hearing these terms and thinking what does that mean? so, if we can go to open r.a.n., the
5:18 pm
standard setting interoperability initiative. if we can talk about what is that when you say open r.a.n., what does that mean in practice? why is that something that gets us better security and more diversity of supply players, and finally why haven't we seen it in practice yet? what's holding us up from getting open r.a.n.? >> this is thad, i apologize. i dropped and had to come back on. my understanding on the o r.a.n. is that we don't have an industrial base in this country that's manufacturing equipment. a lot of that has been moved to nokia and other outside firms. we don't have the base that can handle it. i'm not a technical expert and i hope kathryn will grade my paper here. i was trying to explain this to my wife the other day. what i said was the metaphor should be the universal service bus, the usb drives where it allows access between computers and peripherals except if you move that up to a systems level and how do you standardize this
5:19 pm
so everybody can be compatible there's one framework in how you work in the middle. that's what we're going after. was that too simple kathryn? >> you are asking the person who works for a company who doesn't do 5g wireless, so maybe bob can bring it on through. >> yeah, i mean, the degree of interoperability standards matter and the fact that it allows for specialization and rather than be locked in with single providers and all that which allows for more diversity, more specialization, more entrance in the market and ultimately, again, specialization tends to lead toward innovation and more efficient allocation of resources. so, when open r.a.n. gets described to me, those would be outcomes we're trying to produce. what you're missing here is the technical expert to describe how it works. in terms of your question why it
5:20 pm
hasn't happened, you asked, not quite enough certainty. there's market standards, it goes to that. so, companies are certainly eager to see where this progresses, but some element of investment depends on this certainty that the interoperability is going to be possible and the widget you're building to sell can interact with other things and there will be a market there. so, going back to where the government's responsibility here, what we can do as a government is help create more certainty that there won't be blocked market to entry to the open r.a.n. concept, proofs of concept that it works, and then, you know, watch as the market takes off. right now i think there's some barriers to entry. there's some, you know, as i said, some subsidization going on elsewhere that we're not quite there that's certainly going to work. but i think the u.s. has a long history of stimulating this sort of stuff. >> yeah, and i will weigh in just a little bit on the open
5:21 pm
r.a.n. there are enough major companies engaged in the o r.a.n. alliance, i think it is. i'm probably misquoting it and i apologize. i think there is enough body of weight to move this thing forward. i think the reason it's so, so important. and this goes back to the interoperability, the exchangeability, the how do i create things. it's our world view that, you know, the actual major driver of really cool things happening throughout 5g whether it's through the wireless networks or the cable is going to be the enterprises. enterprises are going to be the big thing there. if i'm a manufacturing company and i want to be able to use certain kind of key processing capabilities in my factory to do really cool things, i'm going to want to be able to know that i can write my application for my factory which is sort of -- whatever it is you're doing. and i'm going to want to know that i can tap into the radio
5:22 pm
access of the network. and if that for whatever reason, i don't know, you want to know that you can api into that. you want to be able to api into the local cable company. you're going to want to be able to use that application and go get centurylink's edge processing. you're going to be able to use at&t's radio network. you're going to be able to use something else for something else. the point is they want an environment so that the process and the innovation they're trying to do for their factory has the transport that they want to be able to do what they need to do and to have an open standard on the radio side as well as other sides is going to be a huge enabler for the innovation that's going to happen at the enterprise. so, you know, i don't -- i don't perceive it as being things are not happening fast enough or i just think this is the stage it's at so that innovation can explode.
5:23 pm
>> you've hinted at this throughout the two hours of the conversation. you've had a very u.s.-dominant conversation. what's u.s. policy, what's american infrastructure, how can we grow in american market. we've also heard kathryn talking about you have chinese customers. i pick up the phone and call a friend in israel, i hope they pick up and there's going to be handshakes across networks, right? we've also heard about technology companies of nokia, the swedish and finnish telecommunications companies. we have a question from the audience that pulls us from the american only focus. they're just not solely within the u.s. system and never touch anything if it ever leaves the u.s. system. and the question is how should private companies that operate international networks identify which national authorities to inform system building directions when it comes to
5:24 pm
protection and security? >> oh, since i'm centurylink, i guess i'll go first, bob. so, we do operate globally. there is a lot to consider. there are a lot of -- it's not so much building rules, but we have to factor in privacy rules, security rules, how do you treat data at rest, data in transit, blah, blah. and, you know, on some level, to the extent that you can -- there are certain aspects of how we do business that you can kind of segment in small amounts geographically. you can do that. in general -- in general -- we're striving to do things the same way everywhere because if we do the same things everywhere, we can better assure our own availability, confidentiality, integrity. okay. this allows us to better protect
5:25 pm
and better assure and have higher resilience of our networks. this also ultimately also gives the end user, whether it's, you know, a multinational firm who happens to be operating in 15 different countries that i'm dumping their traffic back and forth to, gives them a consistent approach as well. so, there is an element of parsing out certain aspects that because of specific regional differences you do have to handle separately, okay? but we try to keep it really, really, really contained. in general though, we're trying to move forward as consistent as possible which means that if you do have the most rigorous one, you're going to tend to move towards the more rigorous of the standards because that keeps everybody happy. so, this is a key reason we spend a lot of time certainly with the u.s. government as well as other nation states and other countries that we operate in to try and get some sort of sense of alignment because, you know, those colons and semicolons and
5:26 pm
rules do really have a difference in terms of how you build a service, network a service, deliver a service, and communicate that service to the end customer. i think for us, any kind of activity that really starts to have significantly different feel to it puts an unfair burden ultimately on the customer to know that, okay, i operate in 15 countries. but if i'm in this country, my data is like this but if i'm in that country, my data is like that. we strive for the global norm so there's a consistent experience, and clear expectations on what they can expect. >> maybe bob and thad if you can weigh in a little bit on some of the international cooperation aspects of protecting america's critical infrastructure. >> sure. so, you know, going back to what kathryn just said, i keep hearing the word harmonization
5:27 pm
and trying to, as we work with our allies, we're trying to -- the outcomes we're trying to produce are generally the same to the extent we can harmonize approaches to demonstrate that risk is not being taken or rules are being followed or norms are being followed. we spend a decent amount of time having those conversations then recognizing there are times when the citizenry are different. but as much as can be harmonized. from a structural perspective, we spend a lot of time with our allies. we spend a lot of time with europe, increasingly with some of the asian countries to share practices, to share information, to talk about regulatory regime-type things, to try to harmonize as much as possible. you know, i think one of the enablers of american companies
5:28 pm
to american critical infrastructure companies and the ability to reduce cost is do business internationally and advocacy to share approaches is an appropriate thing in sharing information around risk. >> i can give you a couple of examples of what's going on right now. maybe we can talk about what might be in the future. some of the more successful international regimes that helped manage all this, the one that i was intimately involved with was international maritime organization which is a subset of the united nations that basically manages international maritime traffic. for aviation, it's international civil aviation organization. then there's the itu. there are bodies out there who through treaty and organization you come up with global standards. that's a long way to help standardized global systems. and they become regulatory regimes because if you're signatory to the treaties, you
5:29 pm
can enforce the positions of the treaties when it involves your country. if there's a foreign flag vessel calling at the united states, even though it's not carrying the u.s. flag, we have the rules and regulations regarding the safety of life at sea and so forth. i think if you look at what the aviation community has done, there's probably room to expand some of the issues that we've talked about here today into those regimes. but added to the complexity of that, at least i know in the pnt world is there are other global navigation satellite systems being developed in europe and in china, russia and in india and now japan that call for international standards. so, this is emerging technology where you need to have that common framework. i think if there's a way to think about it, it's ultimately going to have to be multilateral. and i realize there are a lot of populist movements around the world but these things are going to have to be solved through international regimes.
5:30 pm
>> thank you. so, our last final minute i'm going to pull us up from the weeds we've delved into from everything from technical standards to business interests to open radio access networks, foreign competition to kind of norms and laws and legal regulations. pull us more broadly into looking toward the future. to tail the hanging rind at the end of this panel description is on being equipped to tackle the concerns, the threats toward american infrastructure in the future. so, if each of you can sort of wave a magic wand or snap your finger -- i know policy is complicated, technological evolution is complicated. but if there's one technology change or priority you could snap your fingers and get us done on now, what would you pick to put us in the best position possible to address these threats in the future? what's your wish list item?
5:31 pm
>> i'll stick with it. you know, so, one of the things that i think we want to make progress on, going forward, is the better understanding of information -- inaccurate information, information warfare as a way to go at infrastructure challenges, bad information that is then pushed by other folks, creation of fake information, that sort of stuff. we call it counterinfluence in the government. but it does concern me that our adversaries are seen taking advantage of sort of our current chaotic information environment and throwing more bad information into that which is just making it harder to effectively communicate and manage risk to infrastructure.
5:32 pm
so, you know, in the area very top of mind right now is it is going to be in the national interest that once we have a vaccine that is safe and effective, let's get out and let's have as many people as possible get the vaccine as quickly as possible and let's have accurate information about the health effects and how to take a vaccine and how to get it and how to trust in the vaccine. that's very much in our national interest. our adversaries are going to screw with that message, make it harder for us to push out that message, that's just an example of something that means we are not going to be able to take advantage of risk strategy as quickly as possible and how do you think about that in the frame of risk reduction we're talking about and something we're spending a lot of time having conversations about. >> i think bob's on to it there. if you look at where the
5:33 pm
malicious uses of ai, deep fakes, and things like that, what we've got is largely ungoverned sphere. and i mentioned earlier we're trying to become digital citizens and we're pretty much influencing that right now and so are the governing structures that allow us to do that. and it inhibits the public's ability from understanding what is facts and what are not facts. it's almost like the social equivalent of wet markets where you can get these social viruses started and they go in control around the world. and i think if i can do something immediately it would be some way to put a control system on where these things could be identified more rapidly and have honesty of how they're presented to the public. >> i hate to be so boring, but, you know, if i really had my -- it's not even a technology issue. it's not something really innovative. i really wish there was sort of a culture where it was just as exciting to do the maintenance
5:34 pm
as it was to, you know, build the new bridge and cut the ribbon on the bridge. i wish through policy or culture where it was just of course we're going to maintain everything. you know, whether it's from, you know, the transfers say where the culture of maintenance and keeping up things, whether it's patching or -- patching the concrete or patching your systems. you know, if that was the culture of maintaining, taking care of, making sure it's taken care of getting the full life out of it, one, i think our investments, whatever they are, would last longer because when you haven't changed the carpet in three years, generally cars don't last as long. if you do it every 30,000 miles, they do. they last a long time. i think that culture i think we kind of lost. because politically, it's not as sexy. it's hard to get that into budget of both enterprises as well as, you know, financial
5:35 pm
allocations or whatever. so, if i could have, you know, the genie in the bucket, i would go maintenance. >> excellent. so, if there's any genies listening, we have our three wishes going forward. thank you everyone in the audience for listening. we hope at the end of this two hours everyone walks away with a better understanding of how u.s. understanding in this space and u.s. capability in this space has evolved but also where the gaps and challenges remain and some of our hopes and priorities heading forward. there's obviously also a lot of kind of things that came up today or stuff i'm sure many of the people in the audience are working on. we're hoping you take those and champion them moving forward and push us into a more robust position for the future. so, i want to conclude by thanking congresswoman harman for kicking us off and of course for asking the first question, director krebs for giving us a
5:36 pm
very good overview of shifting understandings of risk in the u.s. ecosystem and our three panelists today for kind of digging in the weeds on a wide variety of topics. and then finally, thank you to the wilson center team and the science technology and innovation program that have been the entire, speaking of critical, the critical infrastructure supporting this entire event. thank you and we wish you a good rest of your day. >> thanks. >> thanks. weeknights this month, we're featuring american history tv programs as a preview of what's available every weekend on c-span3. tonight at 8:00 eastern, a look at the end of world war ii. august 6th marks the 75th anniversary of the u.s. bombing of hiroshima, japan. that was followed by a second atomic bomb dropped on nagasaki three days later. watch a special edition of
5:37 pm
american history tv and washington journal's coproduction of the hiroshima anniversary. we'll look at the strategic situation in the pacific theater leading up to the bombings, president harry truman's decision to use the new weapon, and the legacy of these atomic attacks. enjoy american history tv this week and every weekend on c-span3. next, a look into election security and voting during the coronavirus pandemic. the brookings institution hosted this discussion. >> hello everybody. welcome to the brookings event on election integrity and security in the era of covid-19. i'm fiona hill, senior fellow at the brookings institution. and i'm delighted today to have several colleagues join me for an in depth discussion of this topic. we're g
