Key Capitol Hill Hearings, CSPAN, August 13, 2016, 11:11pm-12:01am EDT
11:11 pm
industrial states that are historically leery of trade deals, and maybe port cities like Washington and Oregon that are dependent on exports and trade. Politics, but the geographic importance of those states. Megan Cassell, reporter for Politico, thank you for being here. Megan: Thank you. >> Courts in the country have struck down a number of voter ID laws. C-SPAN's Issue Spotlight looks at voting rights and the impact on the 2016 election. We will feature part of the Supreme Court oral argument in Shelby versus Holder. Plus, a discussion on whether the Voting Rights Act is
11:12 pm
necessary. Here is what the presidential candidates have to say. Mr. Trump: All of this voter ID -- a lot of places are not going to have voter ID. What does that mean? You keep walking in and voting? Mrs. Clinton: What is happening is a sweeping effort to disempower and disenfranchise people of color, poor and young people from one end of our country to the other. Issue Spotlight on voting rights, Saturday at 8 p.m. Eastern on C-SPAN and c-span.org. >> After the recent hacking of e-mails at the DNC, Bloomberg News writes another set of e-mails were compromised, this time for the Democratic Congressional Campaign Committee. Someone called Guccifer 2.0
11:13 pm
released e-mails from staff. Nancy Pelosi sent a letter to members and their staff warning them of the situation. The letter reads in part -- I have received scores of obscene and mostly sick calls. I changed my phone number and I advise you to do so as well. This is a sad course of events, not only for us, but more important for our country. The most recent hacking is under investigation by the FBI, according to several news outlets. Now, federal cyber security officials discuss their efforts to protect the federal I.T. infrastructure. Adobe Systems sponsored this. This is about an hour and 45 minutes.
11:14 pm
>> All right. Good morning. It is a pleasure to welcome you to Mission-Critical, an update on cyber security produced by Nextgov and underwritten by Adobe. I want to point out something that you have under your chair, also produced by Nextgov, called Fedstival. It is a look at workforce, technology, and transition, and really just a week packed with events. Fedstival.com. We hope you will join us for the event. A few housekeeping items.
11:15 pm
Take a few moments to silence your cell phones. I am always the person who tells you to do this and then my phone rings, so I have already done that. Do not put your phones away. Send your comments, your questions, your suggestions via Twitter at #ngcyber. This would not be possible without the support of our generous underwriter, Adobe. We are thrilled to partner with them again. Thank you so much to our friends at Adobe. We're thrilled to have Trevor Rudolph participate in our opening keynote. He is in charge of OMB's first-ever dedicated team focused on cyber security through strategic policy implementation. Trevor is also responsible for advising the federal chief information
11:16 pm
officer and White House leadership on federal cyber security policy, performance, and threats. Trevor and his team led the successful 30-day cyber security sprint, and they were the architects of the Cybersecurity National Action Plan. Please join me in welcoming Trevor Rudolph to the podium this morning. Trevor. [applause] Mr. Rudolph: Good morning, everyone. Can you hear me in the back? Carol, can you hear me? All right, all right. Good morning. It's a pleasure to be here. I want to thank first everybody in the audience for your attendance, and Adobe for sponsoring the event. I jumped at the opportunity to speak this morning as I do see
11:17 pm
part of my role as being an advocate for cyber security professionals and telling what I call the whole story, and what I mean by that is good news rarely makes headlines, as you all know. This is an opportunity to highlight some encouraging developments. Before we get started, the common question I get out in the community is we see the White House and OMB are doing the right things, right? But to what end, right? What is the actual strategy? There's a strategy. As folks remember, a little over a year ago, we had a number of devastating cyber security incidents that impacted, frankly, millions of people. Coming out of those incidents,
11:18 pm
our basic cyber hygiene was frankly nowhere near where it needed to be. Our focus really was targeted actions to shore up that hygiene as quickly as possible. Just a couple of highlights for you. Scores went up, which was unprecedented. Incidents related to poor authentication down 21% since the sprint. Pretty significant. Critical vulnerabilities down 99%. And the time agencies take to report incidents to OMB cut in half. All good news. We moved quickly into the Cybersecurity Strategy and Implementation Plan.
11:19 pm
The idea there was to shore up our procedures within a 12 month time frame. We realized we did not have a lot of time left. The idea was not to dramatically change the face of cyber security, but instead to get our house in order. Right? A majority of those tasks are on their way to full implementation. Then, lastly here, and what we are focused on primarily today, is the Cybersecurity National Action Plan. So, the president announced his plan with the FY17 budget last February, and it's a combination of a number of initiatives that we think and feel very strongly will help drive strategic change, not just in this administration, but the next administration. We will talk about the details there. What folks ask me is, what is
11:20 pm
this? If you go to the White House webpage, you will see a fact sheet where you will get a very high level overview. Let's dive a little bit deeper here. It is a -- billion cyber security proposal. It is quite substantial. Another thing I like to mention to anyone who will listen, frankly, is it is very serious because of the second bullet point. It is being tracked almost daily. What does that mean for people like me? A lot of gray hair. It is frequently briefed to people who you may guess, so it's very important that we take this seriously, and I think all federal agencies need to take it seriously as well. The last thing I want to mention --
11:21 pm
-- it is tasked with looking across the country as to how we can improve cyber security practices, not just in our everyday life, but in the government, and we expect those recommendations to come late this fall. There are three systemic issues in federal I.T. and specifically in federal cyber security. The first is the abundance of legacy I.T. that is frankly difficult to use, expensive to maintain, and very difficult to secure. The second is the management and governance of I.T.
11:22 pm
There are probably over 125 total agencies when you consider small ones and independents in the executive branch alone. Each of those agencies is making their own independent risk decisions at the headquarters level, and at the bureau level they are making their own independent risk decisions, and no one really has the enterprisewide view in mind, with the exception of the folks who sit at the center of government, and even the folks at the center of government do not have the authority really to say, no, you actually can't make that risk decision. That's a big problem we need to think about as a community as we move into the next administration. And the last is the workforce challenges that we have across I.T., whether it be federal or not.
11:23 pm
And then across the country and worldwide, there's over 2 million. Now is the time, apparently, to reflect. We want to take a moment to recognize a recent win we had within the White House -- a policy win -- and that is the update of Circular A-130. Who knows it? It's actually the foundational policy document in the government for how we manage information resources. The reason this is significant is it addresses all of those issues, right? As well as the workforce issues.
11:24 pm
This policy, given how central it is to the government, frankly was not updated, or had not been updated, since 2000. That is particularly troubling. We will get into it in a couple of slides here -- when you see what the old version told agencies they could do versus what the new version tells agencies they can do. The document is very, very long, but worth a read, I promise you. The first is the real-time knowledge of your environment, as opposed to assessing the status of your systems and network at a single point in time, let's say, once every three years. The idea is to have that continuous awareness. Proactive risk management and shared responsibility, meaning it is not just on the operators and the security operations centers -- all of those can
11:25 pm
including deputy secretaries, to get this job done. When you read the document -- I know we have some folks in the vendor community here -- you will see sections in the security appendix about supply chain threats and protecting against them, ensuring the terms in federal contracts actually address security, as well as personnel who are accountable for strong cyber security practices. Let's talk about old versus new. A quote here from the old version. It says the system shall be reauthorized every three years. It says thou shalt create a three-ring binder, right? That cost millions, if not billions, of tax dollars and frankly adds debatable value at best. So, good news -- good news. This is the update. Reauthorize information systems
11:26 pm
and common controls as needed on a time- or event-driven basis in accordance with agency risk tolerance. This is a move industry made many, many years ago, and government was late to catch up, and getting it published was more of a battle than it should have been. But I think we can say goodbye to the three-ring binders and the cottage industry we created. So, very good news on that front. Assure each system appropriately uses cyber security techniques such as the proper use of passwords. Think about that. My colleague Michael Daniel says kill the password dead. How are you going to kill the password dead when your foundational policy document says something like that?
11:27 pm
A move to multifactor authentication and encryption in place of those passwords, to ensure identity is protected and only the right folks are accessing the information they should be accessing. I would encourage you to go into more detail in the 130. We had the first 130 cake in the office. We ate it. It was delicious. A hell of a celebration. Let's hope we do not go another 16 years before the next update, because it is so important we get this right. We probably should be updating this thing every four or five years as opposed to every 16. Let's dive in deeper. What are we proposing to do about it? There's a lot of data. Here are the highlights for you.
11:28 pm
Within the legacy I.T. problem, we did some math based on the I.T. data we had, and we found agencies were spending 71% of $36 billion managing legacy. Pretty big. I.T. investments that were over 90% in that state were growing at an annual rate of 6%, while investments that received a one-time infusion of developmental dollars declined in cost at 5%. So, what we are proposing here is a $3.1 billion fund to help address the systemic issue. We need help from the other branch of government to make this a reality. The estimate is the $3.1 billion in one-time seed funding would help address at least $12
11:29 pm
billion in modernization over 10 years, and I'm told that was calculated with some very fancy cash flow analysis. This may not ever be a reality. We have received a great deal of bipartisan support for this particular initiative and we are encouraged, but we have got to keep up the momentum. If there's anything folks in this audience can do to be advocates as well, we will greatly appreciate it. Moving away from legacy I.T., I mentioned the fragmented governance of I.T. What does that mean? In one context, what it means is, as a government, we have not thought about our crown jewels as an enterprise. What does the adversary really want? Why do they want it? That kicked off an effort called the high-value asset effort.
11:30 pm
All this is, really, is the assets the potential adversaries or known adversaries are after: federal or national critical infrastructure data, travel data. Think about how much data is out there in terms of who flies, where they fly, who should not be flying. We know from the OPM incidents, background investigations are simply one of them. Thinking about somebody getting hold of that information is startling. And of course sensitive economic data that has catastrophic consequences on our economy if it were to be lost. The thing that is important to
11:31 pm
note is that this is not a one-time effort. This is not the federal government saying we have 20 high-value assets across the federal government, check, done. That is not what we are talking about. This is a continuous, potentially never-ending, risk managing and governing process. That is what this is. The process is underway for identification and the independent verification of security for these assets and the real-time remediation of security around these assets. This process of identifying high-value assets, prioritizing them, independently verifying their security, and remediating will likely never end. What we will find in a lot of these cases is that the way to
11:32 pm
secure these assets and systems is to modernize them. Very good. That is the theme you will probably see for the next couple of years from the White House on this front. So, you can't modernize legacy I.T., you can't identify and secure your high-value assets without what? People. People. Go back to that 10,000 person gap. It is pretty startling. The good news is that for the first time ever, we have a workforce strategy across the federal government. In that, we are targeting four areas. The first is identifying the need. That sounds basic, but it is actually much more difficult to do across
11:33 pm
125 plus agencies, but until you actually know the full universe of your need, you can't actually do anything about it. Cyber security workforce education and training is a big component. Recruiting the nation's best for federal service. And maintaining the focus we have to develop them into skilled professionals. So what I would like to tell folks is that there is some good news on the horizon. In the first half of this fiscal year, we have hired 3,000 professionals against that 10,000 number, and we will maintain that pace to the end of the fiscal year. I would say that we actually have to accelerate that pace substantially to actually get ahead of this systemic issue. What we are trying to do with the strategy and effort in the federal government is to rethink the way we do recruitment and retention.
11:34 pm
Instead of a prospective cyber security professional going to 125 different websites to learn about not just opportunities at agencies, but to also learn about training, career paths in the federal government, what we want to do is create a one-stop shop in partnership with OPM so candidates can see everything, the universe of what their careers could look like, at the click of a mouse. You can't do that today, and that is what we are driving towards. The other thing we need to reimagine is how we recruit as an enterprise. Some of the folks in this room may have heard me talk about the fact that we have this Scholarship for Service program sponsored by the National Science Foundation and other federal partners. What you notice is that in the room, not every
11:35 pm
single federal agency, but a dozen or so are competing against one another for talent. That does not make a whole lot of sense. What we are doing is reimagining how we will recruit those folks. Instead of having 12 agencies compete against each other, they could get on a call before the career fair and say this is the need we have as a department, and the other agency would say we have a surplus of that but need something else, so they would be able to work together to fill the enterprise-wide need. Thinking as a community is something we have not done in this space to the extent that we need to. If you have not read the
11:36 pm
strategy, please read the intro and go to page 13, a detailed list of initiatives at the tactical level that gives you a better sense of what we are doing here. It is frankly pretty exciting. Let me wrap here with the next slide, and then open up for questions, on what the next couple of months will look like. Unless you live under a rock, you know we have a presidential campaign going on, very exciting, very exciting. What we have to do -- if you think about it, so much of the success we had over the last year has been because we had that deputy secretary level attention. If you don't pay attention to this, we have all seen the hearings, nobody wants to be in that position. Our challenge really, as we move forward over the next couple of months, is prioritizing
11:37 pm
the work we are doing, codifying a lot of it. A website will not suffice as far as having these initiatives survive into the next administration. My team is hyper-focused on this codification piece. Some quick wins and results to communicate to the next team so they understand initiatives of the past administration are worthwhile and should be continued into the next one. In that last piece, communication, I would add another bullet, which is education. Sitting down with that next round of deputy secretaries and giving them a detailed threat brief. This is what I would do in my playbook. Giving them a threat brief of all the major actors out there and tying it to the initiatives we pursue. Then showing them where the gaps are, whether it be legal
11:38 pm
authorities or actual policy gaps, so that they can put their stamp on it for the future. I think that will be critical. If we can get these few steps right, I think we will be in a good position, but frankly we will have to rely on highly skilled career staff to carry us through the transition. I see a lot of faces in this room of people who represent that highly skilled career staff, so we will be counting on you. I appreciate the time. Thank you very much. I will pause here for any questions. Go ahead. >> Wait for the microphone, please. >> You mentioned three particular areas you are looking to address in terms of challenges: legacy I.T., fragmented governance, and workforce challenges. Do you see one issue as most acute, or to put it another way, what is the biggest threat? Mr. Rudolph: That is a great question.
11:39 pm
I have a personal passion in the workforce area. Not only am I somebody who comes in and gives talks to people like yourselves, but I actually have hiring responsibility myself. I built this team inside the White House to focus on federal cyber security, and I have gone through the day-to-day challenges of getting the position description posted on USAJobs. It can be a little frustrating. With the character limit, you can't put all the qualifications you want in the job description. Thank you. I appreciate that. If we don't get the fundamentals right, how are we going to think about modernizing our legacy apps? How are we going to think about legislative proposals that would help the fragmentation issues we have across the federal government?
11:40 pm
I would say frankly that is the most important. You need people to do the work. That is a true story, by the way, on that position description thing. >> Mike Nelson with Cloudflare. In cyber security 101, you learn about confidentiality, integrity, availability, but when you read news reports and government reports, all the focus is on confidentiality because all the incidents have been when data is stolen. We have to worry about data being altered, attacks that make websites unavailable. In the last 24 hours, the Australian census bureau's website was brought to its knees by an attack. Do you have a concern that we will see more and more attacks? And do you worry that some of the data sets we are trying to protect could be hacked from the
11:41 pm
just a few numbers altered, but enough to compromise the integrity of that data and cause systems to lose faith in that data? What are we going to do about that threat? Mr. Rudolph: It is a huge concern of ours. I like the way you frame the question. If you read the news media, it appears the emphasis is on the C. We are worried about all of it. In those cases, we were concerned about all three, and concerned about all three in terms of major incidents across all of government. I think what you will see, and I did not include this in prepared remarks, but you will see a movement that you have seen in private industry from perimeter defense to data level protection. In the 130, you will see
11:42 pm
how we need to move in that direction. We are starting to think through what that means from the tools and capabilities standpoint to make those capabilities available to agencies. As we expand into later phases, we are addressing data level protection. You alluded to the insider threat, which is an ever-present concern. It may be the most difficult threat to address, frankly, and one I don't think we have cracked, federal or nationwide, and we will have to dedicate a lot of time to that in the next administration as well. Sir? >> Good morning. Thank you for coming and talking with us. You mentioned something that I think resonates, but in this particular case, supply chain. As you look at industry and government, both sectors are
11:43 pm
under constant attack, but there seems to be a challenge between the need to know versus the need to share information so that you can actively remediate across those spectrums. How do you see industry partnering with the federal government and vice versa to address need to know, need to share, keeping confidentiality of course, but sharing best practices to fix this together? Mr. Rudolph: That is a tremendous question. It is one where I would admit we have not closed the gap in the way we need to over the last couple of years. You will see some guidance from OMB that speaks to this issue. It has already been out for public comment. I can talk about it to a certain extent; it is improving protections in federal acquisitions. We will talk about that partnership between industry and government in terms of what we
11:44 pm
can share and what we can't. I think the controlled unclassified information rule will help a lot. At a basic level, I think it comes down to trust and relationships between industry and government. Having a pre-existing working relationship could help with that trust, but having the policy framework in place to enable that trust is the big missing piece of the puzzle. I hope we can fix it in the very near future. Sir? >> You talked about I.T. modernization. You might comment on that versus the other legislation that is out, MOVE IT, that was introduced a couple of weeks ago, and where maybe your viewpoint is on that, your perspective, what is more viable? Congress is still in recess for a while, so we won't know about
11:45 pm
that. If I can steal a second question, which is that partnership you talked about on the cyber workforce issue, what might that look like going forward? You commented about the challenges of putting out a job description, so hiring 3,000 plus people will be tough. Mr. Rudolph: The first question, MOVE IT, I can't speak on that one because we have not had an opportunity to fully review the particulars of the legislation, so it would be premature to comment at this point in time. My only comment is legacy I.T. is bad. I hope that is helpful. The second one is you mentioned a partnership with OPM as far as addressing workforce challenges; it is actually a much broader partnership, and so what we have done is stood up a bit of a steering committee or working group across all the cyber
11:46 pm
security workforce practitioners, across Homeland Security, OPM, others, to work collaboratively across the federal government to implement the strategy I referenced earlier, but also to actually share basic best practices. One example is, and this is also public information, DHS has developed this tool to generate common position descriptions for cyber security professionals. It is a really, really powerful method or tool for federal agencies to use. Not everybody knows about it. Sharing that across federal agencies and getting broader adoption is going to be key. There is an opportunity with cyber security awareness to work across federal agencies, but that particular working group is
11:47 pm
meeting pretty regularly. I am due to get a briefing on that next week, so I am very encouraged. That type of cross-agency cooperation -- and the folks at Commerce, I forgot to mention them, with the work on the framework -- but that type of cooperation is frankly what is needed to succeed in this area. I am very encouraged. Another question? One more question. Ma'am? >> Thank you. You mentioned that one of your primary goals was to secure top talent to work in the federal government. From being at schools in the Bay Area, it seems like people are going into the Apples of the world and not exactly looking at the federal government. Do you have any suggestions on how to improve it or attract top talent? Mr. Rudolph: Yes.
11:48 pm
The first answer is that all of these suggestions are in the strategy. We spent a lot of time on that over the last year and I am pleased with where the strategy is. On a more basic level, I would say that as a government, we need to stop thinking about hiring cyber professionals as just people who work in the security operations center or who have a programming background, because it is broader than that. We need acquisition professionals, lawyers, leaders who actually understand cyber security as well. Think about hiring intellectual athletes, right? Intellectual athletes, really good employees with intellectual curiosity who want to learn. We need to train them up in the space and make a long-term investment in them. I think we will have some
11:49 pm
success in that area. I will also say finally that we are actually making some inroads in terms of how we compete for young talent against the private sector and the Silicon Valley folks. The reason we are making progress is because, I promise you this, no one really in the room has a better mission, a day-to-day mission, than the federal employees in this room. If you think about the assets we are protecting and who we are protecting them from, that's the kind of thing that gets me off the couch, you know what I mean? That is the pitch to these young, mid-career and senior employees out in the private sector when you're trying to get them into government. There has been a lot of success with the United States Digital Service group and other groups around the government, and I think if we keep pushing the mission message, we will be successful. All right? Thank you guys for the time. I appreciate it. [applause]
11:50 pm
Constance: Thank you so much for that great presentation, Trevor. Next, we are excited to hear from the technical director of security solutions at Adobe Systems Federal. He has more than 16 years of experience in information security. With Adobe, he is responsible for managing security solutions in enterprise rights management and digital signatures, as well as the security of Adobe Acrobat, Reader, and Adobe Cloud. He is responsible for security solutions across the public sector. [applause] Constance: The stairs are
11:51 pm
treacherous. >> Thank you. Can you hear me OK? Even if I come over here, can you hear me OK? OK. Security is -- gray hair is a badge of honor for security folks. I'm not going to talk about hacking. We're going to talk about defense. Let's take a little walk down security lane and see what you remember on our stroll down security lane. 1995, who remembers Cap'n Crunch? The other gray hairs in the room, excellent. Draper, not Don Draper from Mad Men, pulled a whistle out of
11:52 pm
a box of Cap'n Crunch, gives him long distance access to the phone network. Awesome. Pretty cool. The worm, self-replicating malware, occurred back then. Fast forward to 2000, Back Orifice. Not back office, hackers have a strange sense of humor. Turn on your system, microphone, camera, spy on you. How much fun can that be? I Love You, three little words, it looks like a text file. When you open it, it self-replicates, you end up e-mailing your friends I love you and it goes on and on. It was a big disaster on our internet at the time. What kills me, and this is where education is key, is that only a few weeks later we remember --
11:53 pm
basically the same model, it promised a picture of Anna Kournikova naked. As security professionals, we have to be good at saying, really? [laughter] So when somebody says yes, I will help that prince from Nigeria. He has to get his money over here somehow. You can say, really? Really? The Bill Gates decree, 2005, a really interesting time. He said, you know what? No more. We are focusing on security. Stop everything else. That is pretty cool. I think that was a pretty cool time. Paris Hilton got hacked. Celebrity hacking comes into play. 2010, we see nation-states rearing their heads, Operation --, things of this
11:54 pm
nature. I am passing over the Acrobat stuff, the Adobe stuff. I must say I would put on my evangelist hat. -- lying Steve. There is a -- that happened in 2015. It was really popular this year in case you are Black Hat folks. The interesting one I want to talk about is something called the kettle hack. Look at that, a bright young student in the room. A kettle that you can put on your wireless network to remote control your kettle. What's interesting about the
11:55 pm
hack, I don't want to make fun of people who want to remotely control their kettle. If you scan it, and send a command to it, you can get it to cough up the wireless LAN password. So now the hacker has access to your wireless LAN. What is the point of all this? -- and mitigation evolves, and they are going to get on our networks, and we are going to try to keep them out, right? So we do. We started with firewalls to keep them out of the network. More recently we talked about assuming the breach, meaning they will get in our networks, so we have fallen back to the devices. We all have our personal firewalls now, for instance. Now we talk about the data layer, protecting the data, data-centric
11:56 pm
security solutions. I want to talk about three solutions today. DRM, probably the worst name ever given to a technology, because it had a lot of bad baggage with it on the consumer side with music and such. I think there are three important points to get across as you look at DRM solutions today in the market. The first thing to realize is that it is operating at the data layer. Encrypting the document, OK? So when you see that PDF sitting on your desktop that has been encrypted with something like that, it is an encrypted block. You open it up, and it is scrambled eggs. It is protected with a symmetric key, typically 256-bit, using
11:57 pm
something like AES. There is no brute force attack on that file. The next thing to wrap your head around: that file stays encrypted no matter where you go. Put it in your e-mail, we don't care. It is a scrambled bag of bits. That means the client who wants to double-click on it has to figure out how to get a decryption key. DRM systems authenticate themselves against the server to see if they can get the key or not. What you get from that, by tethering a DRM solution against a server like this, is you get a dynamic capability out of your documents, which is very powerful. I could view it today, but maybe I'm not allowed to view it tomorrow, and I can change permissions in real time.
11:58 pm
So that is very powerful. Also, because you are tethering to the server, it is very much about continuous monitoring today. We see that in a lot of frameworks. Not only should we be continuously monitoring our networks, but our documents. What is happening with those documents? Who is opening them? When are they opening them? From what IP address are they opening them? Those are the key factors in the DRM solution I would say to look for. Is it perfect? No, nothing is perfect. Really? No, nothing is perfect. We have encrypted something with an encryption algorithm, a
11:59 pm
brute force attack will not happen in our lifetime, or until computers get great enough to go after them. What they will attack are things like authentication, passwords. If somebody is sharing a password, that could be a problem, right? That is where smartcards are nice, with a PIN or other multifactor. So what can we do? As they come back, we can do some analytics on those document interaction events. What would be interesting to look for? I open a document in the Washington, D.C. area, and a minute later open the same document or another document in Eastern Europe.
12:00 am
That seems interesting. Maybe we'll revoke that document. You can't access that document until we figure out what's gone on with your account, because somebody's probably stolen your credentials. Maybe Steve tends to print 10 documents a week, or maybe in a shorter time span, and all of a sudden he printed 20, 30, 40, 50 documents. That might be interesting. Send an alert to a security admin. Let's check it out and see what's going on. Did my friend from Cloudflare already disappear? Oh, you're back there. You're moving around. I liked your question. I've been talking about confidentiality. I've been talking about finding those high value assets in your organizations and encrypting them at the data level